From 2082242499bab3c8a91f294eb3aaba451c2b27fc Mon Sep 17 00:00:00 2001 From: Agustin Ferrario Date: Wed, 16 Dec 2020 10:35:37 +0100 Subject: [PATCH 01/84] Add `matrix_nginx_proxy_ssl_config` A new variable called `matrix_nginx_proxy_ssl_config` is created for configuring how the nginx proxy configures SSL. Also a new configuration validation option and other auxiliary variables are created. A new variable configuration called `matrix_nginx_proxy_ssl_config` is created. This allow to set the SSL configuration easily using the default options proposed by Mozilla. The default configuration is set to "Intermediate", removing the weak ciphers used in the old configurations. The new variable can also be set to "Custom" for a more granular control. This allows to set another three variables called: - `matrix_nginx_proxy_ssl_protocols`, - `matrix_nginx_proxy_ssl_prefer_server_ciphers` - `matrix_nginx_proxy_ssl_ciphers` Also a new task is added to validate the SSL configuration variable. --- roles/matrix-nginx-proxy/defaults/main.yml | 28 +++++++++++- .../tasks/validate_config.yml | 6 +++ .../conf.d/matrix-client-element.conf.j2 | 24 ++++++++-- .../nginx/conf.d/matrix-dimension.conf.j2 | 22 ++++++++- .../nginx/conf.d/matrix-domain.conf.j2 | 22 ++++++++- .../nginx/conf.d/matrix-jitsi.conf.j2 | 22 ++++++++- .../nginx/conf.d/matrix-riot-web.conf.j2 | 22 ++++++++- .../nginx/conf.d/matrix-synapse.conf.j2 | 45 +++++++++++++++++-- 8 files changed, 175 insertions(+), 16 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 7331c589..224998c3 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -217,9 +217,35 @@ matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: [] # a new SSL certificate could go into effect. matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" -# Specifies which SSL protocols to use when serving all the various vhosts +# Specifies the SSL configuration that should be used for the SSL protocols and ciphers +# This is based on the Mozilla Server Side TLS Recommended configurations. +# +# The posible values are: +# - "Modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility +# - "Intermediate" - Recommended configuration for a general-purpose server +# - "Old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 +# - "Custom" - For defining your own protocols an ciphers +# +# For more information visit: +# - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations +# - https://ssl-config.mozilla.org/#server=nginx +matrix_nginx_proxy_ssl_config: "Intermediate" + +# Specifies which *SSL protocols* to use when serving all the various vhosts. +# This option is ignored except you specify "Custom" in "matrix_nginx_proxy_ssl_config" matrix_nginx_proxy_ssl_protocols: "TLSv1.2 TLSv1.3" +# Specifies whether to prefer *the client’s choice or the server’s choice* when +# negociating the chipher to serve all the various vhost +# This option is ignored except you specify "Custom" in "matrix_nginx_proxy_ssl_config" +matrix_nginx_proxy_ssl_prefer_server_ciphers: "on" + +# Specifies which *SSL Cipher suites* to use when serving all the various vhosts. +# This option is ignored except you specify "Custom" in "matrix_nginx_proxy_ssl_config" +# To see the full list for suportes ciphers run `openssl ciphers` on your server +# Remember to use '' and "" if you are specified a list of ciphers +matrix_nginx_proxy_ssl_ciphers: '"EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"' + # Controls whether the self-check feature should validate SSL certificates. matrix_nginx_proxy_self_check_validate_certificates: true diff --git a/roles/matrix-nginx-proxy/tasks/validate_config.yml b/roles/matrix-nginx-proxy/tasks/validate_config.yml index 993fc150..0b737662 100644 --- a/roles/matrix-nginx-proxy/tasks/validate_config.yml +++ b/roles/matrix-nginx-proxy/tasks/validate_config.yml @@ -18,3 +18,9 @@ msg: >- `matrix_ssl_retrieval_method` needs to be set to a known value. when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed', 'none']" + +- name: Fail on unknown matrix_nginx_proxy_ssl_config + fail: + msg: >- + `matrix_nginx_proxy_ssl_config` needs to be set to a known value. + when: "matrix_nginx_proxy_ssl_config not in ['Custom', 'Old', 'Intermediate', 'Modern']" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index cbabc9f6..69a61a39 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -5,7 +5,7 @@ gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Content-Type-Options nosniff; - add_header X-Frame-Options SAMEORIGIN; + add_header X-Frame-Options SAMEORIGIN; {% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} @@ -67,9 +67,27 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/privkey.pem; + + {% if matrix_nginx_proxy_ssl_config == "Modern" %} + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Old" %} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; + ssl_prefer_server_ciphers on; + + {% elif matrix_nginx_proxy_ssl_config == "Custom" %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - ssl_prefer_server_ciphers on; - ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + + {% endif %} {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index b041d3ca..fce652eb 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -65,9 +65,27 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/privkey.pem; + + {% if matrix_nginx_proxy_ssl_config == "Modern" %} + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Old" %} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; + ssl_prefer_server_ciphers on; + + {% elif matrix_nginx_proxy_ssl_config == "Custom" %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - ssl_prefer_server_ciphers on; - ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + + {% endif %} {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 027f2d31..be659305 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -58,9 +58,27 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/privkey.pem; + + {% if matrix_nginx_proxy_ssl_config == "Modern" %} + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Old" %} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; + ssl_prefer_server_ciphers on; + + {% elif matrix_nginx_proxy_ssl_config == "Custom" %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - ssl_prefer_server_ciphers on; - ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + + {% endif %} {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index 500f1943..d08ac7be 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -86,9 +86,27 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/privkey.pem; + + {% if matrix_nginx_proxy_ssl_config == "Modern" %} + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Old" %} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; + ssl_prefer_server_ciphers on; + + {% elif matrix_nginx_proxy_ssl_config == "Custom" %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - ssl_prefer_server_ciphers on; - ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + + {% endif %} {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index 3ef42815..11b8a0fd 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -51,9 +51,27 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/privkey.pem; + + {% if matrix_nginx_proxy_ssl_config == "Modern" %} + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Old" %} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; + ssl_prefer_server_ciphers on; + + {% elif matrix_nginx_proxy_ssl_config == "Custom" %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - ssl_prefer_server_ciphers on; - ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + + {% endif %} {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index adbee18e..a32b7bad 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -203,9 +203,27 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem; + + {% if matrix_nginx_proxy_ssl_config == "Modern" %} + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Old" %} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; + ssl_prefer_server_ciphers on; + + {% elif matrix_nginx_proxy_ssl_config == "Custom" %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - ssl_prefer_server_ciphers on; - ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + + {% endif %} {{ render_vhost_directives() }} } @@ -235,9 +253,28 @@ server { {% if matrix_nginx_proxy_https_enabled %} ssl_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate }}; ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }}; - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + + {% if matrix_nginx_proxy_ssl_config == "Modern" %} + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + {% elif matrix_nginx_proxy_ssl_config == "Old" %} + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; ssl_prefer_server_ciphers on; - ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + + {% elif matrix_nginx_proxy_ssl_config == "Custom" %} + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + + {% endif %} + {% endif %} location / { From ff6db5fd3b212630e4335a30a67a66b615829e2f Mon Sep 17 00:00:00 2001 From: Agustin Ferrario Date: Wed, 16 Dec 2020 10:50:08 +0100 Subject: [PATCH 02/84] Document the new variables for ngingx SSL config The new variables created to the nginx reverse proxy are properly added to the documentation. --- docs/configuring-playbook-nginx.md | 23 ++++++++++++++++++++++ docs/configuring-playbook-own-webserver.md | 3 ++- 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-nginx.md b/docs/configuring-playbook-nginx.md index 945864e9..39a96e40 100644 --- a/docs/configuring-playbook-nginx.md +++ b/docs/configuring-playbook-nginx.md @@ -24,6 +24,29 @@ matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: - 1.1.1.1 ``` +## Adjusting SSL in your server + +You can adjust how the SSL is served by the nginx server by setting the `matrix_nginx_proxy_ssl_config`. This is based on the Mozilla Server Side TLS +Recommended configurations. It changes the TLS Protocol, the SSL Cipher Suites and the `ssl_prefer_server_ciphers` variable of nginx. +The posible values are: + +- "Modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility +- "Intermediate" - Recommended configuration for a general-purpose server +- "Old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 +- "Custom" - For defining your own protocols an ciphers + +The default is set to `"Intermediate"`. + +**Be really carefull when setting it to "Modern"**. This could break the comunication with other matrix servers, limiting your feration posibilities and the +[Federarion tester](https://federationtester.matrix.org/) won't work. + +If you set `matrix_nginx_proxy_ssl_config` to `"Custom"`, you will get three variables that you will be able to set: + +- `matrix_nginx_proxy_ssl_protocols`: for specifying the supported TLS protocols. +- `matrix_nginx_proxy_ssl_prefer_server_ciphers`: for specifying if the server or the client choice when negociating the chipher. It can set to "on" or "off". +- `matrix_nginx_proxy_ssl_ciphers`: for specifying the SSL Cipher suites used by nginx. + +For more information about this variables, check the `roles/matrix-nginx-proxy/defaults/main.yml` file. ## Synapse + OpenID Connect for Single-Sign-On diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index c930da40..4f0d3591 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -48,10 +48,11 @@ Those configuration files are adapted for use with an external web server (one n You can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your own `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;` -Note that if your nginx version is old, it might not like our default choice of SSL protocols (particularly the fact that the brand new `TLSv1.3` protocol is enabled). You can override the protocol list by redefining the `matrix_nginx_proxy_ssl_protocols` variable. Example: +Note that if your nginx version is old, it might not like our default choice of SSL protocols (particularly the fact that the brand new `TLSv1.3` protocol is enabled). You can override the protocol list by setting `matrix_nginx_proxy_ssl_config` to `"Custom"` redefining the `matrix_nginx_proxy_ssl_protocols` variable. Example: ```yaml # Custom protocol list (removing `TLSv1.3`) to suit your nginx version. +matrix_nginx_proxy_ssl_config: "Custom" matrix_nginx_proxy_ssl_protocols: "TLSv1.2" ``` From 49b3cc024bd4ff8c94f74beacaf3228593e30e5c Mon Sep 17 00:00:00 2001 From: Agustin Ferrario Date: Wed, 16 Dec 2020 10:53:11 +0100 Subject: [PATCH 03/84] Document the SSL changes in the CHANGELOG The breaking changes are properly documented in the CHANGELOG.md file. The date used is specified as XXXX-XX-XX and should be modified at the moment of merge. --- CHANGELOG.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 946ec5b0..8473b4aa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,15 @@ +# XXXX-XX-XX + +## New SSL Configuration + +A new variable `matrix_nginx_proxy_ssl_config`, bringing some breaking changes. The default configuration is set to `"Intermadiate"`. +This changes `ssl_prefer_server_ciphers` to `off` by default instead of `off`. It also add some more ciphers to the list, this should +give a little better performance for mobile devices and removes weak ciphers. More information in the [documentation](docs/configuring-playbook-nginx.md). +To revert to the old behaviour just set `matrix_nginx_proxy_ssl_config` to `"Custom"` and don't change any of the other variables. + +If you are setting `matrix_nginx_proxy_ssl_protocols` to a custom value, you will need to `matrix_nginx_proxy_ssl_config` to `"Custom"`, +otherwise it this variable will be ignored. + # 2020-12-11 ## synapse-janitor support removed From 25d423e6b62a318f0021c7caa1f653368bb0b49a Mon Sep 17 00:00:00 2001 From: Agustin Ferrario Date: Fri, 8 Jan 2021 11:20:29 +0100 Subject: [PATCH 04/84] Fix errors per spantaleev suggestions The different configurations are now all lower case, for consistent naming. `matrix_nginx_proxy_ssl_config` is now called `matrix_nginx_proxy_ssl_preset`. The different options for "modern", "intermediate" and "old" are stored in the main.yml file, instead of being hardcoded in the configuration files. This will improve the maintainability of the code. The "custom" preset was removed. Now if one of the variables is set, it will use it instead of the preset. This will allow to mix and match more easily, for example using all the intermediate options but only supporting TLSv1.2. This will also provide better backward compatibility. --- CHANGELOG.md | 12 ++-- docs/configuring-playbook-nginx.md | 15 +++-- docs/configuring-playbook-own-webserver.md | 3 +- roles/matrix-nginx-proxy/defaults/main.yml | 45 ++++++++++---- .../tasks/validate_config.yml | 4 +- .../conf.d/matrix-client-element.conf.j2 | 31 +++++----- .../nginx/conf.d/matrix-dimension.conf.j2 | 31 +++++----- .../nginx/conf.d/matrix-domain.conf.j2 | 31 +++++----- .../nginx/conf.d/matrix-jitsi.conf.j2 | 31 +++++----- .../nginx/conf.d/matrix-riot-web.conf.j2 | 31 +++++----- .../nginx/conf.d/matrix-synapse.conf.j2 | 62 +++++++++---------- 11 files changed, 154 insertions(+), 142 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2833b4bb..854156e8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,13 +2,15 @@ ## New SSL Configuration -A new variable `matrix_nginx_proxy_ssl_config`, bringing some breaking changes. The default configuration is set to `"Intermadiate"`. -This changes `ssl_prefer_server_ciphers` to `off` by default instead of `off`. It also add some more ciphers to the list, this should +A new variable `matrix_nginx_proxy_ssl_preset`, bringing some breaking changes. The default configuration is set to `"intermediate"`. +This changes `ssl_prefer_server_ciphers` to `off` by default instead of `on`. It also add some more ciphers to the list, this should give a little better performance for mobile devices and removes weak ciphers. More information in the [documentation](docs/configuring-playbook-nginx.md). -To revert to the old behaviour just set `matrix_nginx_proxy_ssl_config` to `"Custom"` and don't change any of the other variables. +To revert to the old behaviour just set the following variables: -If you are setting `matrix_nginx_proxy_ssl_protocols` to a custom value, you will need to `matrix_nginx_proxy_ssl_config` to `"Custom"`, -otherwise it this variable will be ignored. +```yaml +matrix_nginx_proxy_ssl_ciphers: "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" +matrix_nginx_proxy_ssl_prefer_server_ciphers: "on" +``` # 2021-01-03 diff --git a/docs/configuring-playbook-nginx.md b/docs/configuring-playbook-nginx.md index dffd962f..a95fbf72 100644 --- a/docs/configuring-playbook-nginx.md +++ b/docs/configuring-playbook-nginx.md @@ -26,21 +26,20 @@ matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ## Adjusting SSL in your server -You can adjust how the SSL is served by the nginx server by setting the `matrix_nginx_proxy_ssl_config`. This is based on the Mozilla Server Side TLS +You can adjust how the SSL is served by the nginx server by setting the `matrix_nginx_proxy_ssl_preset`. This is based on the Mozilla Server Side TLS Recommended configurations. It changes the TLS Protocol, the SSL Cipher Suites and the `ssl_prefer_server_ciphers` variable of nginx. The posible values are: -- "Modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility -- "Intermediate" - Recommended configuration for a general-purpose server -- "Old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 -- "Custom" - For defining your own protocols an ciphers +- "modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility +- "intermediate" - Recommended configuration for a general-purpose server +- "old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 -The default is set to `"Intermediate"`. +The default is set to `"intermediate"`. -**Be really carefull when setting it to "Modern"**. This could break the comunication with other matrix servers, limiting your feration posibilities and the +**Be really carefull when setting it to "modern"**. This could break the comunication with other matrix servers, limiting your feration posibilities and the [Federarion tester](https://federationtester.matrix.org/) won't work. -If you set `matrix_nginx_proxy_ssl_config` to `"Custom"`, you will get three variables that you will be able to set: +If you want to override one of the values used by the preset, you can use this three variables: - `matrix_nginx_proxy_ssl_protocols`: for specifying the supported TLS protocols. - `matrix_nginx_proxy_ssl_prefer_server_ciphers`: for specifying if the server or the client choice when negociating the chipher. It can set to "on" or "off". diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index ee4402b3..915c2c37 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -48,11 +48,10 @@ Those configuration files are adapted for use with an external web server (one n You can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. Just include them in your own `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;` -Note that if your nginx version is old, it might not like our default choice of SSL protocols (particularly the fact that the brand new `TLSv1.3` protocol is enabled). You can override the protocol list by setting `matrix_nginx_proxy_ssl_config` to `"Custom"` redefining the `matrix_nginx_proxy_ssl_protocols` variable. Example: +Note that if your nginx version is old, it might not like our default choice of SSL protocols (particularly the fact that the brand new `TLSv1.3` protocol is enabled). You can override the protocol list by redefining the `matrix_nginx_proxy_ssl_protocols` variable. Example: ```yaml # Custom protocol list (removing `TLSv1.3`) to suit your nginx version. -matrix_nginx_proxy_ssl_config: "Custom" matrix_nginx_proxy_ssl_protocols: "TLSv1.2" ``` diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index e2fc107e..f88dbc7e 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -223,30 +223,49 @@ matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" # This is based on the Mozilla Server Side TLS Recommended configurations. # # The posible values are: -# - "Modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility -# - "Intermediate" - Recommended configuration for a general-purpose server -# - "Old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 -# - "Custom" - For defining your own protocols an ciphers +# - "modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility +# - "intermediate" - Recommended configuration for a general-purpose server +# - "old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 # # For more information visit: # - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations # - https://ssl-config.mozilla.org/#server=nginx -matrix_nginx_proxy_ssl_config: "Intermediate" +matrix_nginx_proxy_ssl_preset: "intermediate" + +# This are the presets as taken from Mozilla's Server Side TLS Recommended configurations +# DO NOT modify this values and use `matrix_nginx_proxy_ssl_protocols` and `matrix_nginx_proxy_ssl_ciphers` +matrix_nginx_proxy_ssl_presets: + modern: + protocols: TLSv1.3 + ciphers: "" + prefer_server_ciphers: "off" + intermediate: + protocols: TLSv1.2 TLSv1.3 + ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + prefer_server_ciphers: "off" + old: + protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 + ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA + prefer_server_ciphers: "on" + # Specifies which *SSL protocols* to use when serving all the various vhosts. -# This option is ignored except you specify "Custom" in "matrix_nginx_proxy_ssl_config" -matrix_nginx_proxy_ssl_protocols: "TLSv1.2 TLSv1.3" +# By default is set to "" and will use the protocols from the preset. If you set it to something different, it will override +# the values from the preset +matrix_nginx_proxy_ssl_protocols: "" # Specifies whether to prefer *the client’s choice or the server’s choice* when -# negociating the chipher to serve all the various vhost -# This option is ignored except you specify "Custom" in "matrix_nginx_proxy_ssl_config" -matrix_nginx_proxy_ssl_prefer_server_ciphers: "on" +# negociating the chipher to serve all the various vhost. +# +# By default is set to "" and will use the protocols from the preset. If you set it to something different, it will override +# the values from the preset +matrix_nginx_proxy_ssl_prefer_server_ciphers: "" # Specifies which *SSL Cipher suites* to use when serving all the various vhosts. -# This option is ignored except you specify "Custom" in "matrix_nginx_proxy_ssl_config" +# By default is set to "" and will use the ciphers from the preset. If you set it to something different, it will override +# the values from the preset. # To see the full list for suportes ciphers run `openssl ciphers` on your server -# Remember to use '' and "" if you are specified a list of ciphers -matrix_nginx_proxy_ssl_ciphers: '"EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"' +matrix_nginx_proxy_ssl_ciphers: "" # Controls whether the self-check feature should validate SSL certificates. matrix_nginx_proxy_self_check_validate_certificates: true diff --git a/roles/matrix-nginx-proxy/tasks/validate_config.yml b/roles/matrix-nginx-proxy/tasks/validate_config.yml index 0b737662..c12017f3 100644 --- a/roles/matrix-nginx-proxy/tasks/validate_config.yml +++ b/roles/matrix-nginx-proxy/tasks/validate_config.yml @@ -22,5 +22,5 @@ - name: Fail on unknown matrix_nginx_proxy_ssl_config fail: msg: >- - `matrix_nginx_proxy_ssl_config` needs to be set to a known value. - when: "matrix_nginx_proxy_ssl_config not in ['Custom', 'Old', 'Intermediate', 'Modern']" + `matrix_nginx_proxy_ssl_preset` needs to be set to a known value. + when: "matrix_nginx_proxy_ssl_preset not in ['modern', 'intermediate', 'old']" diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index 69a61a39..6d1583fd 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -68,25 +68,24 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_config == "Modern" %} - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Old" %} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; - ssl_prefer_server_ciphers on; - - {% elif matrix_nginx_proxy_ssl_config == "Custom" %} + {% if matrix_nginx_proxy_ssl_protocols == "" %} + ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; + {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% endif %} + + {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; + {% else %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + {% if matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; + {% endif %} + {% else %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} {{ render_vhost_directives() }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index fce652eb..4557ce26 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -66,25 +66,24 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_config == "Modern" %} - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Old" %} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; - ssl_prefer_server_ciphers on; - - {% elif matrix_nginx_proxy_ssl_config == "Custom" %} + {% if matrix_nginx_proxy_ssl_protocols == "" %} + ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; + {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% endif %} + + {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; + {% else %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + {% if matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; + {% endif %} + {% else %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} {{ render_vhost_directives() }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index be659305..0e07fa9f 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -59,25 +59,24 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_config == "Modern" %} - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Old" %} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; - ssl_prefer_server_ciphers on; - - {% elif matrix_nginx_proxy_ssl_config == "Custom" %} + {% if matrix_nginx_proxy_ssl_protocols == "" %} + ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; + {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% endif %} + + {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; + {% else %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + {% if matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; + {% endif %} + {% else %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} {{ render_vhost_directives() }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index d08ac7be..1da48f4d 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -87,25 +87,24 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_config == "Modern" %} - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Old" %} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; - ssl_prefer_server_ciphers on; - - {% elif matrix_nginx_proxy_ssl_config == "Custom" %} + {% if matrix_nginx_proxy_ssl_protocols == "" %} + ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; + {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% endif %} + + {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; + {% else %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + {% if matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; + {% endif %} + {% else %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} {{ render_vhost_directives() }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index 11b8a0fd..f4bf909d 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -52,25 +52,24 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_config == "Modern" %} - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Old" %} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; - ssl_prefer_server_ciphers on; - - {% elif matrix_nginx_proxy_ssl_config == "Custom" %} + {% if matrix_nginx_proxy_ssl_protocols == "" %} + ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; + {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% endif %} + + {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; + {% else %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + {% if matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; + {% endif %} + {% else %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} {{ render_vhost_directives() }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index a32b7bad..0455922a 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -204,25 +204,24 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_config == "Modern" %} - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Old" %} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; - ssl_prefer_server_ciphers on; - - {% elif matrix_nginx_proxy_ssl_config == "Custom" %} + {% if matrix_nginx_proxy_ssl_protocols == "" %} + ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; + {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% endif %} + + {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; + {% else %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + {% if matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; + {% endif %} + {% else %} + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} {{ render_vhost_directives() }} @@ -254,25 +253,24 @@ server { ssl_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate }}; ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }}; - {% if matrix_nginx_proxy_ssl_config == "Modern" %} - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Intermediate" %} - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - - {% elif matrix_nginx_proxy_ssl_config == "Old" %} - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA; - ssl_prefer_server_ciphers on; - - {% elif matrix_nginx_proxy_ssl_config == "Custom" %} + {% if matrix_nginx_proxy_ssl_protocols == "" %} + ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; + {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% endif %} + + {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; + {% else %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; + {% endif %} + {% if matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; + {% endif %} + {% else %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} {% endif %} From 5156c63a76ad963a682a478312b854cea7a02eae Mon Sep 17 00:00:00 2001 From: Agustin Ferrario Date: Fri, 8 Jan 2021 18:35:27 +0100 Subject: [PATCH 05/84] Clean up code Code was clean up and simplified to make it simpler and easier to maintain. No features were modified. --- roles/matrix-nginx-proxy/defaults/main.yml | 6 +-- .../conf.d/matrix-client-element.conf.j2 | 18 +------- .../nginx/conf.d/matrix-dimension.conf.j2 | 18 +------- .../nginx/conf.d/matrix-domain.conf.j2 | 18 +------- .../nginx/conf.d/matrix-jitsi.conf.j2 | 18 +------- .../nginx/conf.d/matrix-riot-web.conf.j2 | 18 +------- .../nginx/conf.d/matrix-synapse.conf.j2 | 42 ++++--------------- 7 files changed, 20 insertions(+), 118 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index f88dbc7e..648779b4 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -252,20 +252,20 @@ matrix_nginx_proxy_ssl_presets: # Specifies which *SSL protocols* to use when serving all the various vhosts. # By default is set to "" and will use the protocols from the preset. If you set it to something different, it will override # the values from the preset -matrix_nginx_proxy_ssl_protocols: "" +matrix_nginx_proxy_ssl_protocols: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}" # Specifies whether to prefer *the client’s choice or the server’s choice* when # negociating the chipher to serve all the various vhost. # # By default is set to "" and will use the protocols from the preset. If you set it to something different, it will override # the values from the preset -matrix_nginx_proxy_ssl_prefer_server_ciphers: "" +matrix_nginx_proxy_ssl_prefer_server_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}" # Specifies which *SSL Cipher suites* to use when serving all the various vhosts. # By default is set to "" and will use the ciphers from the preset. If you set it to something different, it will override # the values from the preset. # To see the full list for suportes ciphers run `openssl ciphers` on your server -matrix_nginx_proxy_ssl_ciphers: "" +matrix_nginx_proxy_ssl_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}" # Controls whether the self-check feature should validate SSL certificates. matrix_nginx_proxy_self_check_validate_certificates: true diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index 6d1583fd..8e665298 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -68,25 +68,11 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_protocols == "" %} - ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; - {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; - {% else %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_ciphers == "" %} - {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; - {% endif %} - {% else %} + {% if not matrix_nginx_proxy_ssl_ciphers == "" %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index 4557ce26..abfccbc1 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -66,25 +66,11 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_protocols == "" %} - ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; - {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; - {% else %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_ciphers == "" %} - {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; - {% endif %} - {% else %} + {% if not matrix_nginx_proxy_ssl_ciphers == "" %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 0e07fa9f..1ffd95e5 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -59,25 +59,11 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_protocols == "" %} - ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; - {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; - {% else %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_ciphers == "" %} - {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; - {% endif %} - {% else %} + {% if not matrix_nginx_proxy_ssl_ciphers == "" %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index 1da48f4d..91c94de7 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -87,25 +87,11 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_protocols == "" %} - ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; - {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; - {% else %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_ciphers == "" %} - {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; - {% endif %} - {% else %} + {% if not matrix_nginx_proxy_ssl_ciphers == "" %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index f4bf909d..87bef2f3 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -52,25 +52,11 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_protocols == "" %} - ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; - {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; - {% else %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_ciphers == "" %} - {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; - {% endif %} - {% else %} + {% if not matrix_nginx_proxy_ssl_ciphers == "" %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; {{ render_vhost_directives() }} } diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 0455922a..6640054e 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -204,25 +204,11 @@ server { ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem; ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem; - {% if matrix_nginx_proxy_ssl_protocols == "" %} - ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; - {% else %} ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if not matrix_nginx_proxy_ssl_ciphers == "" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} - - {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; - {% else %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_ciphers == "" %} - {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; - {% endif %} - {% else %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} {{ render_vhost_directives() }} } @@ -253,25 +239,11 @@ server { ssl_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate }}; ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }}; - {% if matrix_nginx_proxy_ssl_protocols == "" %} - ssl_protocols {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}; - {% else %} - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_prefer_server_ciphers == "" %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}; - {% else %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_ciphers == "" %} - {% if matrix_nginx_proxy_ssl_preset == "old" or matrix_nginx_proxy_ssl_preset == "intermediate" %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"; - {% endif %} - {% else %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; - {% endif %} + ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; + {% if not matrix_nginx_proxy_ssl_ciphers == "" %} + ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; + {% endif %} + ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; {% endif %} From 4bc8193f698945230d7dd848ce25cb2fe931b438 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 8 Jan 2021 21:13:01 +0200 Subject: [PATCH 06/84] Fix typos and improve wording --- docs/configuring-playbook-nginx.md | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/docs/configuring-playbook-nginx.md b/docs/configuring-playbook-nginx.md index a95fbf72..ba6c5c12 100644 --- a/docs/configuring-playbook-nginx.md +++ b/docs/configuring-playbook-nginx.md @@ -26,26 +26,24 @@ matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ## Adjusting SSL in your server -You can adjust how the SSL is served by the nginx server by setting the `matrix_nginx_proxy_ssl_preset`. This is based on the Mozilla Server Side TLS -Recommended configurations. It changes the TLS Protocol, the SSL Cipher Suites and the `ssl_prefer_server_ciphers` variable of nginx. -The posible values are: +You can adjust how the SSL is served by the nginx server using the `matrix_nginx_proxy_ssl_preset` variable. We support a few presets, based on the Mozilla Server Side TLS +Recommended configurations. These presets influence the TLS Protocol, the SSL Cipher Suites and the `ssl_prefer_server_ciphers` variable of nginx. +Possible values are: -- "modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility -- "intermediate" - Recommended configuration for a general-purpose server -- "old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 +- `"modern"` - For Modern clients that support TLS 1.3, with no need for backwards compatibility +- `"intermediate"` (**default**) - Recommended configuration for a general-purpose server +- `"old"` - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 -The default is set to `"intermediate"`. +**Be really carefull when setting it to `"modern"`**. This could break comunication with other Matrix servers, limiting your federation posibilities. The +[Federarion tester](https://federationtester.matrix.org/) also won't work. -**Be really carefull when setting it to "modern"**. This could break the comunication with other matrix servers, limiting your feration posibilities and the -[Federarion tester](https://federationtester.matrix.org/) won't work. - -If you want to override one of the values used by the preset, you can use this three variables: +Besides changing the preset (`matrix_nginx_proxy_ssl_preset`), you can also directly override these 3 variables: - `matrix_nginx_proxy_ssl_protocols`: for specifying the supported TLS protocols. -- `matrix_nginx_proxy_ssl_prefer_server_ciphers`: for specifying if the server or the client choice when negociating the chipher. It can set to "on" or "off". +- `matrix_nginx_proxy_ssl_prefer_server_ciphers`: for specifying if the server or the client choice when negotiating the cipher. It can set to `on` or `off`. - `matrix_nginx_proxy_ssl_ciphers`: for specifying the SSL Cipher suites used by nginx. -For more information about this variables, check the `roles/matrix-nginx-proxy/defaults/main.yml` file. +For more information about these variables, check the `roles/matrix-nginx-proxy/defaults/main.yml` file. ## Synapse + OpenID Connect for Single-Sign-On From de6ecd8818db9c49d1e2ef9f4ca0d263802a1672 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 8 Jan 2021 21:15:14 +0200 Subject: [PATCH 07/84] Update inaccurate comments --- roles/matrix-nginx-proxy/defaults/main.yml | 15 ++++----------- 1 file changed, 4 insertions(+), 11 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 648779b4..b02ecf91 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -232,8 +232,9 @@ matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" # - https://ssl-config.mozilla.org/#server=nginx matrix_nginx_proxy_ssl_preset: "intermediate" -# This are the presets as taken from Mozilla's Server Side TLS Recommended configurations -# DO NOT modify this values and use `matrix_nginx_proxy_ssl_protocols` and `matrix_nginx_proxy_ssl_ciphers` +# Presets are taken from Mozilla's Server Side TLS Recommended configurations +# DO NOT modify these values and use `matrix_nginx_proxy_ssl_protocols`, `matrix_nginx_proxy_ssl_ciphers` and `matrix_nginx_proxy_ssl_ciphers` +# if you wish to use something more custom. matrix_nginx_proxy_ssl_presets: modern: protocols: TLSv1.3 @@ -250,20 +251,12 @@ matrix_nginx_proxy_ssl_presets: # Specifies which *SSL protocols* to use when serving all the various vhosts. -# By default is set to "" and will use the protocols from the preset. If you set it to something different, it will override -# the values from the preset matrix_nginx_proxy_ssl_protocols: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}" -# Specifies whether to prefer *the client’s choice or the server’s choice* when -# negociating the chipher to serve all the various vhost. -# -# By default is set to "" and will use the protocols from the preset. If you set it to something different, it will override -# the values from the preset +# Specifies whether to prefer *the client’s choice or the server’s choice* when negotiating ciphers. matrix_nginx_proxy_ssl_prefer_server_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}" # Specifies which *SSL Cipher suites* to use when serving all the various vhosts. -# By default is set to "" and will use the ciphers from the preset. If you set it to something different, it will override -# the values from the preset. # To see the full list for suportes ciphers run `openssl ciphers` on your server matrix_nginx_proxy_ssl_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}" From 5822ba0c01fbc4bcd06963c29876fdfe620f2e81 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 8 Jan 2021 21:21:33 +0200 Subject: [PATCH 08/84] Use a more natural if statement --- .../templates/nginx/conf.d/matrix-client-element.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-dimension.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-domain.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-jitsi.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-riot-web.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-synapse.conf.j2 | 4 ++-- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index 8e665298..29641021 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -69,7 +69,7 @@ server { ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/privkey.pem; ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if not matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_ciphers != "" %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index abfccbc1..04f0e63d 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -67,7 +67,7 @@ server { ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/privkey.pem; ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if not matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_ciphers != '' %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 1ffd95e5..3db17292 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -60,7 +60,7 @@ server { ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/privkey.pem; ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if not matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_ciphers != '' %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index 91c94de7..ca5d5a22 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -88,7 +88,7 @@ server { ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/privkey.pem; ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if not matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_ciphers != '' %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index 87bef2f3..1f7c3f97 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -53,7 +53,7 @@ server { ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/privkey.pem; ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if not matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_ciphers != '' %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index 6640054e..a6c93268 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -205,7 +205,7 @@ server { ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem; ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if not matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_ciphers != '' %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; @@ -240,7 +240,7 @@ server { ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }}; ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if not matrix_nginx_proxy_ssl_ciphers == "" %} + {% if matrix_nginx_proxy_ssl_ciphers != '' %} ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; From f7ae050eaf9e6169caaec0bf26ffcfbfe4544ae2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 8 Jan 2021 21:22:44 +0200 Subject: [PATCH 09/84] Remove useless quotes around ssl_ciphers value Not sure if it breaks with them or not, but no other directive uses quotes and the nginx docs show examples without quotes, so we're being consistent with all of that. --- .../templates/nginx/conf.d/matrix-client-element.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-dimension.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-domain.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-jitsi.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-riot-web.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-synapse.conf.j2 | 4 ++-- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index 29641021..f56d7fd5 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -70,7 +70,7 @@ server { ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; {% if matrix_nginx_proxy_ssl_ciphers != "" %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index 04f0e63d..038d3557 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -68,7 +68,7 @@ server { ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 3db17292..227747a5 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -61,7 +61,7 @@ server { ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index ca5d5a22..eb3d67b1 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -89,7 +89,7 @@ server { ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index 1f7c3f97..a70dcea3 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -54,7 +54,7 @@ server { ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 index a6c93268..1b4c0a8d 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 @@ -206,7 +206,7 @@ server { ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; @@ -241,7 +241,7 @@ server { ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers "{{ matrix_nginx_proxy_ssl_ciphers }}"; + ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; {% endif %} ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; From 95ebff1ef19fa63b04e44c10fc4b47336bb75909 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 8 Jan 2021 21:30:13 +0200 Subject: [PATCH 10/84] Announce nginx SSL configuration presets --- CHANGELOG.md | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 854156e8..bb60561e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,17 +1,25 @@ -# XXXX-XX-XX +# 2021-01-08 -## New SSL Configuration +## (Breaking Change) New SSL configuration -A new variable `matrix_nginx_proxy_ssl_preset`, bringing some breaking changes. The default configuration is set to `"intermediate"`. -This changes `ssl_prefer_server_ciphers` to `off` by default instead of `on`. It also add some more ciphers to the list, this should -give a little better performance for mobile devices and removes weak ciphers. More information in the [documentation](docs/configuring-playbook-nginx.md). -To revert to the old behaviour just set the following variables: +SSL configuration (protocols, ciphers) can now be more easily controlled thanks to us making use of configuration presets. + +We define a few presets (old, intermediate, modern), following the [Mozilla SSL Configuration Generator](https://ssl-config.mozilla.org/#server=nginx). + +A new variable `matrix_nginx_proxy_ssl_preset` controls which preset is used (defaults to `"intermediate"`). + +Compared to before, this changes nginx's `ssl_prefer_server_ciphers` to `off` (used to default to `on`). It also add some more ciphers to the list, giving better performance on mobile devices, and removes some weak ciphers. More information in the [documentation](docs/configuring-playbook-nginx.md). + +To revert to the old behaviour, set the following variables: ```yaml matrix_nginx_proxy_ssl_ciphers: "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" matrix_nginx_proxy_ssl_prefer_server_ciphers: "on" ``` +Just like before, you can still use your own custom protocols by specifying them in `matrix_nginx_proxy_ssl_protocols`. Doing so overrides the values coming from the preset. + + # 2021-01-03 ## Signal bridging support via mautrix-signal From 14680101944ef4889036bda92c674119d51c28e7 Mon Sep 17 00:00:00 2001 From: Will <11353590+june07@users.noreply.github.com> Date: Sat, 9 Jan 2021 08:50:34 -0800 Subject: [PATCH 11/84] Update main.yml --- roles/matrix-registration/tasks/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/matrix-registration/tasks/main.yml b/roles/matrix-registration/tasks/main.yml index 4fef6abe..3324e083 100644 --- a/roles/matrix-registration/tasks/main.yml +++ b/roles/matrix-registration/tasks/main.yml @@ -24,3 +24,8 @@ when: "run_setup|bool and matrix_registration_enabled|bool" tags: - generate-matrix-registration-token + +- import_tasks: "{{ role_path }}/tasks/list_tokens.yml" + when: "run_setup|bool and matrix_registration_enabled|bool" + tags: + - list-matrix-registration-tokens From 5b0761bf405e098531b2cbb5aa3dd89d0758ab3a Mon Sep 17 00:00:00 2001 From: Will <11353590+june07@users.noreply.github.com> Date: Sat, 9 Jan 2021 08:52:02 -0800 Subject: [PATCH 12/84] Create list_tokens.yml --- .../matrix-registration/tasks/list_tokens.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 roles/matrix-registration/tasks/list_tokens.yml diff --git a/roles/matrix-registration/tasks/list_tokens.yml b/roles/matrix-registration/tasks/list_tokens.yml new file mode 100644 index 00000000..dea3eb31 --- /dev/null +++ b/roles/matrix-registration/tasks/list_tokens.yml @@ -0,0 +1,29 @@ +- name: Call matrix-registration list all tokens API + uri: + url: "{{ matrix_registration_api_token_endpoint }}" + follow_redirects: none + validate_certs: "{{ matrix_registration_api_validate_certs }}" + headers: + Content-Type: application/json + Authorization: "SharedSecret {{ matrix_registration_admin_secret }}" + method: GET + body_format: json + check_mode: no + register: matrix_registration_api_result + +- set_fact: + matrix_registration_api_result_message: >- + matrix-registration result: + + {{ matrix_registration_api_result.json | to_nice_json }} + check_mode: no + +- name: Inject result message into matrix_playbook_runtime_results + set_fact: + matrix_playbook_runtime_results: | + {{ + matrix_playbook_runtime_results|default([]) + + + [matrix_registration_api_result_message] + }} + check_mode: no From 0f9be8321c56bd98ae8f5333a5edb089caa89db7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 10 Jan 2021 10:33:36 +0200 Subject: [PATCH 13/84] Document --tags=list-matrix-registration-tokens Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/778 --- ...onfiguring-playbook-matrix-registration.md | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/docs/configuring-playbook-matrix-registration.md b/docs/configuring-playbook-matrix-registration.md index 28616945..d6e2ac6f 100644 --- a/docs/configuring-playbook-matrix-registration.md +++ b/docs/configuring-playbook-matrix-registration.md @@ -37,11 +37,14 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start It provides various [APIs](https://github.com/ZerataX/matrix-registration/wiki/api) - for creating registration tokens, listing tokens, disabling tokens, etc. To make use of all of its capabilities, consider using `curl`. -We make the most common API (the one for creating unique registration tokens) easy to use via the playbook. +We make the most common APIs easy to use via the playbook (see below). -**To create a new user registration token (link)**, use this command: -``` +### Creating registration tokens + +To **create a new user registration token (link)**, use this command: + +```bash ansible-playbook -i inventory/hosts setup.yml \ --tags=generate-matrix-registration-token \ --extra-vars="one_time=yes ex_date=2021-12-31" @@ -51,3 +54,13 @@ The above command creates and returns a **one-time use** token, which **expires* Adjust the `one_time` and `ex_date` variables as you see fit. Share the unique registration link (generated by the command above) with users to let them register on your Matrix server. + + +### Listing registration tokens + +To **list the existing user registration tokens**, use this command: + +```bash +ansible-playbook -i inventory/hosts setup.yml \ +--tags=list-matrix-registration-tokens +``` From 0b260a133f16b89ace38acd5fe1da2f7da28d232 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 11 Jan 2021 22:15:13 +0200 Subject: [PATCH 14/84] Add matrix-aux role to help with managing auxiliary files/directories --- roles/matrix-aux/defaults/main.yml | 72 ++++++++++++++++++++++++++++++ roles/matrix-aux/tasks/main.yml | 5 +++ roles/matrix-aux/tasks/setup.yml | 19 ++++++++ setup.yml | 1 + 4 files changed, 97 insertions(+) create mode 100644 roles/matrix-aux/defaults/main.yml create mode 100644 roles/matrix-aux/tasks/main.yml create mode 100644 roles/matrix-aux/tasks/setup.yml diff --git a/roles/matrix-aux/defaults/main.yml b/roles/matrix-aux/defaults/main.yml new file mode 100644 index 00000000..e4a4e827 --- /dev/null +++ b/roles/matrix-aux/defaults/main.yml @@ -0,0 +1,72 @@ +--- + +# matrix-aux is a role that manages auxiliary files and directories on your Matrix server. +# +# Certain components (like matrix-synapse, etc.) may sometimes require additional templates (email templates, privacy policies, etc.). +# This role allows such files to be managed by the playbook. +# +# Note that files and directories created via this role are not automatically made available for containers to use. +# If you use this role to put files in a directory that's already mounted into a container, +# you can access the files without additional work. +# Otherwise, you'd need to mount the file/directory to the container that needs it. +# Roles usually provide a `matrix_*_additional_volumes` or `matrix_*_container_extra_arguments` variable +# that you can use to mount an additional volume. + +# The default permission mode when creating directories using `matrix_aux_directory_definitions` +matrix_aux_directory_default_mode: '0750' + +# Holds a list of directories to create on the server. +# +# By default, directories are: +# - created with permissions as specified in `matrix_aux_directory_default_mode` +# - owned by the `matrix_user_username` user and `matrix_user_groupname` group (usually `matrix:matrix`) +# +# Example: +# +# matrix_aux_directory_definitions: +# - dest: /matrix/aux +# +# - dest: /matrix/another +# mode: '0700' +# owner: 'some-user' +# group: 'some-group' +matrix_aux_directory_definitions: [] + +# The default permission mode when creating directories using `matrix_aux_directory_definitions` +matrix_aux_file_default_mode: '0640' + +# Holds a list of files to create on the server. +# +# By default, files are: +# - created with permissions as specified in `matrix_aux_file_default_mode` +# - owned by the `matrix_user_username` user and `matrix_user_groupname` group (usually `matrix:matrix`) +# +# You can define the file content inline (in your `vars.yml` file) or as an external file (see the example below). +# Defining the content inline in `vars.yml` has the benefit of not splitting your configuration into multiple files, +# but rather keeping everything inside `vars.yml` (which also gets backed up on the server in `/matrix/vars.yml`). +# +# Note: parent paths for files must exist. +# If you've defined a file with a destination of `/matrix/some/path/file.txt`, +# then you likely need to add `/matrix/some/path` to `matrix_aux_directory_definitions` as well. +# You don't need to do this for directories that the playbook already creates for you. +# +# Example: +# +# matrix_aux_file_definitions: +# - dest: "{{ matrix_synapse_config_dir_path }}/something.html" +# content: | +# +# Something +# +# - dest: /matrix/aux/some-other-file.txt +# content: "Something" +# mode: '0600' +# owner: 'some-user' +# group: 'some-group' +# +# - dest: /matrix/aux/yet-another-file.txt +# content: "{{ lookup('template', '/path/to/file.txt.j2') }}" +# mode: '0600' +# owner: 'some-user' +# group: 'some-group' +matrix_aux_file_definitions: [] diff --git a/roles/matrix-aux/tasks/main.yml b/roles/matrix-aux/tasks/main.yml new file mode 100644 index 00000000..ee93f63a --- /dev/null +++ b/roles/matrix-aux/tasks/main.yml @@ -0,0 +1,5 @@ +- import_tasks: "{{ role_path }}/tasks/setup.yml" + when: run_stop|bool + tags: + - setup-all + - setup-aux-files diff --git a/roles/matrix-aux/tasks/setup.yml b/roles/matrix-aux/tasks/setup.yml new file mode 100644 index 00000000..949c0b4a --- /dev/null +++ b/roles/matrix-aux/tasks/setup.yml @@ -0,0 +1,19 @@ +--- + +- name: Ensure AUX directories are created + file: + dest: "{{ item.dest }}" + state: directory + owner: "{{ item.owner|default(matrix_user_username) }}" + group: "{{ item.group|default(matrix_user_groupname) }}" + mode: "{{ item.mode|default(matrix_aux_directory_default_mode) }}" + with_items: "{{ matrix_aux_directory_definitions }}" + +- name: Ensure AUX files are created + copy: + dest: "{{ item.dest }}" + content: "{{ item.content }}" + owner: "{{ item.owner|default(matrix_user_username) }}" + group: "{{ item.group|default(matrix_user_groupname) }}" + mode: "{{ item.mode|default(matrix_aux_file_default_mode) }}" + with_items: "{{ matrix_aux_file_definitions }}" diff --git a/setup.yml b/setup.yml index cc913b65..d070bcae 100755 --- a/setup.yml +++ b/setup.yml @@ -36,4 +36,5 @@ - matrix-email2matrix - matrix-nginx-proxy - matrix-coturn + - matrix-aux - matrix-common-after From 999fd2596ffd717b86cc0595d248b81b842e2920 Mon Sep 17 00:00:00 2001 From: Panagiotis Georgiadis Date: Tue, 12 Jan 2021 19:29:50 +0100 Subject: [PATCH 15/84] Local rebuild for Telegram --- ...guring-playbook-bridge-mautrix-telegram.md | 11 ++++++++++ .../defaults/main.yml | 4 ++++ .../tasks/setup_install.yml | 20 +++++++++++++++++++ 3 files changed, 35 insertions(+) diff --git a/docs/configuring-playbook-bridge-mautrix-telegram.md b/docs/configuring-playbook-bridge-mautrix-telegram.md index 2e6b4d8c..9246230b 100644 --- a/docs/configuring-playbook-bridge-mautrix-telegram.md +++ b/docs/configuring-playbook-bridge-mautrix-telegram.md @@ -12,6 +12,17 @@ matrix_mautrix_telegram_api_id: YOUR_TELEGRAM_APP_ID matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH ``` +**Note**: For architectures different from `amd64` you need to trigger a local rebuild: + +```yaml +matrix_mautrix_telegram_container_self_build: true +``` + +Lastly, to take these changes into effect, re-run the playbook: + +```yaml +ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start +``` ## Set up Double Puppeting diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index 3f81617a..7e072b5a 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -3,6 +3,10 @@ matrix_mautrix_telegram_enabled: true +matrix_mautrix_telegram_container_self_build: false +matrix_mautrix_telegram_docker_repo: "https://mau.dev/tulir/mautrix-telegram.git" +matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src" + # See: https://mau.dev/tulir/mautrix-telegram/container_registry matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.9.0" matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index e9a93c72..0e5d9ae1 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml @@ -40,6 +40,26 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_telegram_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_telegram_docker_image_force_pull }}" + when: "matrix_mautrix_telegram_enabled|bool and not matrix_mautrix_telegram_container_self_build|bool" + +- name: Ensure matrix-mautrix-telegram repository is present when self-building + git: + repo: "{{ matrix_mautrix_telegram_docker_repo }}" + dest: "{{ matrix_mautrix_telegram_docker_src_files_path }}" + force: "yes" + register: matrix_mautrix_telegram_git_pull_results + when: "matrix_mautrix_telegram_enabled|bool and matrix_mautrix_telegram_container_self_build|bool" + +- name: Ensure matrix-mautrix-telegram Docker image is build + docker_image: + name: "{{ matrix_mautrix_telegram_docker_image }}" + source: build + force_source: yes + build: + dockerfile: Dockerfile + path: "{{ matrix_mautrix_telegram_docker_src_files_path }}" + pull: yes + when: "matrix_mautrix_telegram_enabled|bool and matrix_mautrix_telegram_container_self_build|bool and matrix_mautrix_telegram_git_pull_results.changed" - name: Ensure Mautrix Telegram paths exist file: From 018f213c60d7551d2b32a8ea439f9cf12766b4b5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 12 Jan 2021 22:43:28 +0200 Subject: [PATCH 16/84] Fix URL typo --- docs/configuring-playbook-matrix-registration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-matrix-registration.md b/docs/configuring-playbook-matrix-registration.md index d6e2ac6f..74cdfa01 100644 --- a/docs/configuring-playbook-matrix-registration.md +++ b/docs/configuring-playbook-matrix-registration.md @@ -10,7 +10,7 @@ Use matrix-registration to **create unique registration links**, which people ca - **an API for creating registration tokens** (unique registration links). This API can be used via `curl` or via the playbook (see [Usage](#usage) below) -- **a user registration page**, where people can use these registration tokens. By default, exposed at `https:///matrix.DOMAIN/matrix-registration` +- **a user registration page**, where people can use these registration tokens. By default, exposed at `https://matrix.DOMAIN/matrix-registration` ## Installing From 21d3802ed76bfcd8598c62192ffc943a1e0381f7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 12 Jan 2021 22:44:55 +0200 Subject: [PATCH 17/84] Fix one more URL typo --- docs/configuring-playbook-matrix-registration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-matrix-registration.md b/docs/configuring-playbook-matrix-registration.md index 74cdfa01..b0240d3f 100644 --- a/docs/configuring-playbook-matrix-registration.md +++ b/docs/configuring-playbook-matrix-registration.md @@ -33,7 +33,7 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start ## Usage -**matrix-registration** gets exposed at `https:///matrix.DOMAIN/matrix-registration` +**matrix-registration** gets exposed at `https://matrix.DOMAIN/matrix-registration` It provides various [APIs](https://github.com/ZerataX/matrix-registration/wiki/api) - for creating registration tokens, listing tokens, disabling tokens, etc. To make use of all of its capabilities, consider using `curl`. From d5945c6e789752fb952033d95f2d605ab522a733 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 13 Jan 2021 13:02:49 +0200 Subject: [PATCH 18/84] Upgrade Synapse (v1.24.0 -> v1.25.0) for amd64 --- roles/matrix-synapse/defaults/main.yml | 2 +- .../templates/synapse/homeserver.yaml.j2 | 144 ++++++++++++++---- 2 files changed, 113 insertions(+), 33 deletions(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 0dc71646..fddac7aa 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -11,7 +11,7 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # The if statement below may look silly at times (leading to the same version being returned), # but ARM-compatible container images are only released 1-7 hours after a release, # so we may often be on different versions for different architectures when new Synapse releases come out. -matrix_synapse_docker_image_tag: "{{ 'v1.24.0' if matrix_architecture == 'amd64' else 'v1.24.0' }}" +matrix_synapse_docker_image_tag: "{{ 'v1.25.0' if matrix_architecture == 'amd64' else 'v1.24.0' }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 41b28c88..fe28779c 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -120,6 +120,47 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }} # #enable_search: false +# Prevent outgoing requests from being sent to the following blacklisted IP address +# CIDR ranges. If this option is not specified then it defaults to private IP +# address ranges (see the example below). +# +# The blacklist applies to the outbound requests for federation, identity servers, +# push servers, and for checking key validity for third-party invite events. +# +# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly +# listed here, since they correspond to unroutable addresses.) +# +# This option replaces federation_ip_range_blacklist in Synapse v1.25.0. +# +#ip_range_blacklist: +# - '127.0.0.0/8' +# - '10.0.0.0/8' +# - '172.16.0.0/12' +# - '192.168.0.0/16' +# - '100.64.0.0/10' +# - '192.0.0.0/24' +# - '169.254.0.0/16' +# - '198.18.0.0/15' +# - '192.0.2.0/24' +# - '198.51.100.0/24' +# - '203.0.113.0/24' +# - '224.0.0.0/4' +# - '::1/128' +# - 'fe80::/10' +# - 'fc00::/7' + +# List of IP address CIDR ranges that should be allowed for federation, +# identity servers, push servers, and for checking key validity for +# third-party invite events. This is useful for specifying exceptions to +# wide-ranging blacklisted target IP ranges - e.g. for communication with +# a push server only visible in your network. +# +# This whitelist overrides ip_range_blacklist and defaults to an empty +# list. +# +#ip_range_whitelist: +# - '192.168.1.1' + # List of ports that Synapse should listen on, their purpose and their # configuration. # @@ -633,27 +674,6 @@ acme: federation_domain_whitelist: {{ matrix_synapse_federation_domain_whitelist|to_json }} {% endif %} -# Prevent federation requests from being sent to the following -# blacklist IP address CIDR ranges. If this option is not specified, or -# specified with an empty list, no ip range blacklist will be enforced. -# -# As of Synapse v1.4.0 this option also affects any outbound requests to identity -# servers provided by user input. -# -# (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly -# listed here, since they correspond to unroutable addresses.) -# -federation_ip_range_blacklist: - - '127.0.0.0/8' - - '10.0.0.0/8' - - '172.16.0.0/12' - - '192.168.0.0/16' - - '100.64.0.0/10' - - '169.254.0.0/16' - - '::1/128' - - 'fe80::/64' - - 'fc00::/7' - # Report prometheus metrics on the age of PDUs being sent to and received from # the following domains. This can be used to give an idea of "delay" on inbound # and outbound federation, though be aware that any delay can be due to problems @@ -919,9 +939,15 @@ url_preview_ip_range_blacklist: - '172.16.0.0/12' - '192.168.0.0/16' - '100.64.0.0/10' + - '192.0.0.0/24' - '169.254.0.0/16' + - '198.18.0.0/15' + - '192.0.2.0/24' + - '198.51.100.0/24' + - '203.0.113.0/24' + - '224.0.0.0/4' - '::1/128' - - 'fe80::/64' + - 'fe80::/10' - 'fc00::/7' # List of IP address CIDR ranges that the URL preview spider is allowed @@ -1776,7 +1802,8 @@ oidc_config: # * user: The claims returned by the UserInfo Endpoint and/or in the ID # Token # - # This must be configured if using the default mapping provider. + # If this is not set, the user will be prompted to choose their + # own username. # localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}" @@ -1854,11 +1881,8 @@ sso: # - https://my.custom.client/ # Directory in which Synapse will try to find the template files below. - # If not set, default templates from within the Synapse package will be used. - # - # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates. - # If you *do* uncomment it, you will need to make sure that all the templates - # below are in the directory. + # If not set, or the files named below are not found within the template + # directory, default templates from within the Synapse package will be used. # # Synapse will look for the following templates in this directory: # @@ -1987,6 +2011,56 @@ password_config: # pepper: {{ matrix_synapse_password_config_pepper|string|to_json }} + # Define and enforce a password policy. Each parameter is optional. + # This is an implementation of MSC2000. + # + policy: + # Whether to enforce the password policy. + # Defaults to 'false'. + # + #enabled: true + + # Minimum accepted length for a password. + # Defaults to 0. + # + #minimum_length: 15 + + # Whether a password must contain at least one digit. + # Defaults to 'false'. + # + #require_digit: true + + # Whether a password must contain at least one symbol. + # A symbol is any character that's not a number or a letter. + # Defaults to 'false'. + # + #require_symbol: true + + # Whether a password must contain at least one lowercase letter. + # Defaults to 'false'. + # + #require_lowercase: true + + # Whether a password must contain at least one lowercase letter. + # Defaults to 'false'. + # + #require_uppercase: true + +ui_auth: + # The number of milliseconds to allow a user-interactive authentication + # session to be active. + # + # This defaults to 0, meaning the user is queried for their credentials + # before every action, but this can be overridden to alow a single + # validation to be re-used. This weakens the protections afforded by + # the user-interactive authentication process, by allowing for multiple + # (and potentially different) operations to use the same validation session. + # + # Uncomment below to allow for credential validation to last for 15 + # seconds. + # + #session_timeout: 15000 + {% if matrix_synapse_email_enabled %} # Configuration for sending emails from Synapse. @@ -2061,9 +2135,8 @@ email: #validation_token_lifetime: 15m # Directory in which Synapse will try to find the template files below. - # If not set, default templates from within the Synapse package will be used. - # - # Do not uncomment this setting unless you want to customise the templates. + # If not set, or the files named below are not found within the template + # directory, default templates from within the Synapse package will be used. # # Synapse will look for the following templates in this directory: # @@ -2309,7 +2382,7 @@ enable_group_creation: {{ matrix_synapse_enable_group_creation|to_json }} # If enabled, non server admins can only create groups with local parts # starting with this prefix # -#group_creation_prefix: "unofficial/" +#group_creation_prefix: "unofficial_" @@ -2580,6 +2653,13 @@ opentracing: # #run_background_tasks_on: worker1 +# A shared secret used by the replication APIs to authenticate HTTP requests +# from workers. +# +# By default this is unused and traffic is not authenticated. +# +#worker_replication_secret: "" + # Configuration for Redis when using workers. This *must* be enabled when # using workers (unless using old style direct TCP configuration). From 24100342e149d5cf70741c64ec9478e3c2935472 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 13 Jan 2021 13:47:51 +0200 Subject: [PATCH 19/84] Tell people that federation_ip_range_blacklist is gone Related to d5945c6e789752fb95 --- roles/matrix-synapse/tasks/validate_config.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/roles/matrix-synapse/tasks/validate_config.yml b/roles/matrix-synapse/tasks/validate_config.yml index f39ef3fe..fe3cb2e6 100644 --- a/roles/matrix-synapse/tasks/validate_config.yml +++ b/roles/matrix-synapse/tasks/validate_config.yml @@ -33,3 +33,12 @@ - {'old': 'matrix_synapse_container_expose_metrics_port', 'new': ''} - {'old': 'matrix_synapse_cache_factor', 'new': 'matrix_synapse_caches_global_factor'} - {'old': 'matrix_synapse_trusted_third_party_id_servers', 'new': ''} + +- name: (Deprecation) Catch and report renamed settings in matrix_synapse_configuration_extension_yaml + fail: + msg: >- + Your matrix_synapse_configuration_extension_yaml configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in matrix_synapse_configuration_extension" + with_items: + - {'old': 'federation_ip_range_blacklist', 'new': 'ip_range_blacklist'} From 568cb3d86f67bab638816f06342aec875fb6fe2e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 13 Jan 2021 17:27:41 +0200 Subject: [PATCH 20/84] Upgrade matrix-mailer (4.93-r0 -> 4.93-r1) This is a bit misleading, because the old Docker image was tagged as `4.93.1`. There hasn't been a `4.93.1` version yet though. Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/792 --- roles/matrix-mailer/defaults/main.yml | 4 +++- roles/matrix-mailer/templates/env-mailer.j2 | 1 + .../matrix-mailer/templates/systemd/matrix-mailer.service.j2 | 2 ++ 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml index f396d8ee..18608ef4 100644 --- a/roles/matrix-mailer/defaults/main.yml +++ b/roles/matrix-mailer/defaults/main.yml @@ -7,7 +7,7 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src" matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}" -matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:4.93.1-r0" +matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:4.93-r1" matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else 'docker.io/' }}" matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}" @@ -19,6 +19,8 @@ matrix_mailer_container_user_gid: 101 # A list of extra arguments to pass to the container matrix_mailer_container_extra_arguments: [] +matrix_mailer_hostname: "{{ matrix_server_fqn_matrix }}" + matrix_mailer_sender_address: "matrix@{{ matrix_domain }}" matrix_mailer_relay_use: false matrix_mailer_relay_host_name: "mail.example.com" diff --git a/roles/matrix-mailer/templates/env-mailer.j2 b/roles/matrix-mailer/templates/env-mailer.j2 index 180bc500..eb3f8699 100644 --- a/roles/matrix-mailer/templates/env-mailer.j2 +++ b/roles/matrix-mailer/templates/env-mailer.j2 @@ -6,3 +6,4 @@ SMARTHOST={{ matrix_mailer_relay_host_name }}::{{ matrix_mailer_relay_host_port SMTP_USERNAME={{ matrix_mailer_relay_auth_username }} SMTP_PASSWORD={{ matrix_mailer_relay_auth_password }} {% endif %} +HOSTNAME={{ matrix_mailer_hostname }} diff --git a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 index 9345a1d6..a5d48264 100644 --- a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 +++ b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 @@ -10,6 +10,8 @@ Type=simple ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mailer ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mailer +# --hostname gives us a friendlier hostname than the default. +# The real hostname is passed via a `HOSTNAME` environment variable though. ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mailer \ --log-driver=none \ --user={{ matrix_mailer_container_user_uid }}:{{ matrix_mailer_container_user_gid }} \ From fd540d859206743a836895cd1d01b7cea24e3704 Mon Sep 17 00:00:00 2001 From: Panagiotis Georgiadis Date: Wed, 13 Jan 2021 16:51:45 +0100 Subject: [PATCH 21/84] Enable Telegram self-building --- docs/configuring-playbook-bridge-mautrix-telegram.md | 12 ------------ group_vars/matrix_servers | 3 +++ 2 files changed, 3 insertions(+), 12 deletions(-) diff --git a/docs/configuring-playbook-bridge-mautrix-telegram.md b/docs/configuring-playbook-bridge-mautrix-telegram.md index 9246230b..693c8168 100644 --- a/docs/configuring-playbook-bridge-mautrix-telegram.md +++ b/docs/configuring-playbook-bridge-mautrix-telegram.md @@ -12,18 +12,6 @@ matrix_mautrix_telegram_api_id: YOUR_TELEGRAM_APP_ID matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH ``` -**Note**: For architectures different from `amd64` you need to trigger a local rebuild: - -```yaml -matrix_mautrix_telegram_container_self_build: true -``` - -Lastly, to take these changes into effect, re-run the playbook: - -```yaml -ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start -``` - ## Set up Double Puppeting If you'd like to use [Double Puppeting](https://github.com/tulir/mautrix-telegram/wiki/Authentication#replacing-telegram-accounts-matrix-puppet-with-matrix-account) (hint: you most likely do), you have 2 ways of going about it. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 6111600e..6b54029b 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -305,6 +305,9 @@ matrix_mautrix_signal_database_password: "{{ matrix_synapse_macaroon_secret_key # We don't enable bridges by default. matrix_mautrix_telegram_enabled: false +# self-building +matrix_mautrix_telegram_container_self_build: "{{ matrix_architecture != 'amd64'}}" + matrix_mautrix_telegram_systemd_required_services_list: | {{ ['docker.service'] From 105354a0520745fc878640b81950eb1aa2e63eca Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 13 Jan 2021 17:56:10 +0200 Subject: [PATCH 22/84] Remove useless comment --- group_vars/matrix_servers | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 6b54029b..4caf64fa 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -305,8 +305,7 @@ matrix_mautrix_signal_database_password: "{{ matrix_synapse_macaroon_secret_key # We don't enable bridges by default. matrix_mautrix_telegram_enabled: false -# self-building -matrix_mautrix_telegram_container_self_build: "{{ matrix_architecture != 'amd64'}}" +matrix_mautrix_telegram_container_self_build: "{{ matrix_architecture != 'amd64' }}" matrix_mautrix_telegram_systemd_required_services_list: | {{ From 5fa30cdfcb15a2392b1af1074198da50e77aabee Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 13 Jan 2021 17:59:46 +0200 Subject: [PATCH 23/84] Ensure matrix_mautrix_facebook_docker_src_files_path created Before we potentially clone to that path, we'd better make sure it exists. We also simplify `when` statements a bit. Given that we're in `setup_install.yml`, we know that the bridge is enabled, so there's no need to check for that. --- .../tasks/setup_install.yml | 32 ++++++++++--------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index 0e5d9ae1..9743915a 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml @@ -34,13 +34,27 @@ when: "matrix_mautrix_telegram_sqlite_database_path_local_stat_result.stat.exists|bool" when: "matrix_mautrix_telegram_database_engine == 'postgres'" +- name: Ensure Mautrix Telegram paths exist + file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_mautrix_telegram_base_path }}", when: true } + - { path: "{{ matrix_mautrix_telegram_config_path }}", when: true } + - { path: "{{ matrix_mautrix_telegram_data_path }}", when: true } + - { path: "{{ matrix_mautrix_facebook_docker_src_files_path }}", when: "{{ matrix_mautrix_telegram_container_self_build }}" } + when: item.when|bool + - name: Ensure Mautrix Telegram image is pulled docker_image: name: "{{ matrix_mautrix_telegram_docker_image }}" source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_mautrix_telegram_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_telegram_docker_image_force_pull }}" - when: "matrix_mautrix_telegram_enabled|bool and not matrix_mautrix_telegram_container_self_build|bool" + when: "not matrix_mautrix_telegram_container_self_build|bool" - name: Ensure matrix-mautrix-telegram repository is present when self-building git: @@ -48,7 +62,7 @@ dest: "{{ matrix_mautrix_telegram_docker_src_files_path }}" force: "yes" register: matrix_mautrix_telegram_git_pull_results - when: "matrix_mautrix_telegram_enabled|bool and matrix_mautrix_telegram_container_self_build|bool" + when: "matrix_mautrix_telegram_container_self_build|bool" - name: Ensure matrix-mautrix-telegram Docker image is build docker_image: @@ -59,19 +73,7 @@ dockerfile: Dockerfile path: "{{ matrix_mautrix_telegram_docker_src_files_path }}" pull: yes - when: "matrix_mautrix_telegram_enabled|bool and matrix_mautrix_telegram_container_self_build|bool and matrix_mautrix_telegram_git_pull_results.changed" - -- name: Ensure Mautrix Telegram paths exist - file: - path: "{{ item }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - "{{ matrix_mautrix_telegram_base_path }}" - - "{{ matrix_mautrix_telegram_config_path }}" - - "{{ matrix_mautrix_telegram_data_path }}" + when: "matrix_mautrix_telegram_container_self_build|bool and matrix_mautrix_telegram_git_pull_results.changed" - name: Check if an old database file already exists stat: From 52fa7e576b2686999955597f13526a45c1961a98 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 13 Jan 2021 18:00:32 +0200 Subject: [PATCH 24/84] Fix path typo --- roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index 9743915a..b564c61b 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml @@ -45,7 +45,7 @@ - { path: "{{ matrix_mautrix_telegram_base_path }}", when: true } - { path: "{{ matrix_mautrix_telegram_config_path }}", when: true } - { path: "{{ matrix_mautrix_telegram_data_path }}", when: true } - - { path: "{{ matrix_mautrix_facebook_docker_src_files_path }}", when: "{{ matrix_mautrix_telegram_container_self_build }}" } + - { path: "{{ matrix_mautrix_telegram_docker_src_files_path }}", when: "{{ matrix_mautrix_telegram_container_self_build }}" } when: item.when|bool - name: Ensure Mautrix Telegram image is pulled From 789f9b46063d3fde2a2601783b3744994bd37b0a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 13 Jan 2021 18:01:50 +0200 Subject: [PATCH 25/84] Mention matrix-bridge-mautrix-telegram in self-building docs Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/786 --- docs/self-building.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/self-building.md b/docs/self-building.md index fa4db222..da8c24b0 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -20,6 +20,7 @@ List of roles where self-building the Docker image is currently possible: - `matrix-mailer` - `matrix-bridge-mautrix-facebook` - `matrix-bridge-mautrix-hangouts` +- `matrix-bridge-mautrix-telegram` - `matrix-bridge-mx-puppet-skype` Adding self-building support to other roles is welcome. Feel free to contribute! From 88acc98c23ea361191825a7ec3eca51f4f204e58 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 13 Jan 2021 19:39:08 +0200 Subject: [PATCH 26/84] Mention LXC --- docs/prerequisites.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 488f6c6f..40a075b4 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -6,7 +6,11 @@ - **Ubuntu** (16.04+, although [20.04 may be problematic](ansible.md#supported-ansible-versions)) - **Archlinux** -This playbook doesn't support running on ARM (see [this issue](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/299)), however a minimal subset of the tools can be built on the host, which may result in a working configuration, even on a Raspberry pi (see [Alternative Architectures](alternative-architectures.md)). We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there. +We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there. + +This playbook somewhat supports running on non-`amd64` architectures like ARM. See [Alternative Architectures](alternative-architectures.md). + +If your distro runs within an [LXC container](https://linuxcontainers.org/), you may hit [this issue](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/703). It can be worked around, if absolutely necessary, but we suggest that you avoid running from within an LXC container. - `root` access to your server (or a user capable of elevating to `root` via `sudo`). From 2a25b63bb682c1546605bcbfb7ab9e828c4fe678 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 13 Jan 2021 20:14:47 +0200 Subject: [PATCH 27/84] Don't self-build ma1sd every time unless git sources changed --- roles/matrix-ma1sd/tasks/setup_install.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/matrix-ma1sd/tasks/setup_install.yml b/roles/matrix-ma1sd/tasks/setup_install.yml index a4a70ea4..0784b24d 100644 --- a/roles/matrix-ma1sd/tasks/setup_install.yml +++ b/roles/matrix-ma1sd/tasks/setup_install.yml @@ -87,6 +87,7 @@ shell: "./gradlew dockerBuild" args: chdir: "{{ matrix_ma1sd_docker_src_files_path }}" + when: "matrix_ma1sd_git_pull_results.changed|bool" - name: Ensure ma1sd Docker image is tagged correctly docker_image: @@ -97,6 +98,7 @@ repository: "{{ matrix_ma1sd_docker_image }}" force_tag: yes source: local + when: "matrix_ma1sd_git_pull_results.changed|bool" when: "matrix_ma1sd_container_image_self_build|bool" - name: Ensure ma1sd config installed From 48b6487d411ec148d3a0d30384fbc6e01cb0b708 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 13 Jan 2021 22:40:47 +0200 Subject: [PATCH 28/84] Use ready-made image for mautrix-telegram on arm64 Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/793 --- group_vars/matrix_servers | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 4caf64fa..42c2e3af 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -305,7 +305,8 @@ matrix_mautrix_signal_database_password: "{{ matrix_synapse_macaroon_secret_key # We don't enable bridges by default. matrix_mautrix_telegram_enabled: false -matrix_mautrix_telegram_container_self_build: "{{ matrix_architecture != 'amd64' }}" +# Images are multi-arch (amd64 and arm64, but not arm32). +matrix_mautrix_telegram_container_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" matrix_mautrix_telegram_systemd_required_services_list: | {{ From a66a604e53d4dbc2a3c3434e9ea543600e24d79a Mon Sep 17 00:00:00 2001 From: Panagiotis Georgiadis Date: Thu, 14 Jan 2021 01:29:11 +0100 Subject: [PATCH 29/84] Selfbuild appservice-slack bridge --- docs/self-building.md | 1 + group_vars/matrix_servers | 2 ++ .../defaults/main.yml | 4 +++ .../tasks/setup_install.yml | 27 ++++++++++++++++--- 4 files changed, 31 insertions(+), 3 deletions(-) diff --git a/docs/self-building.md b/docs/self-building.md index da8c24b0..d8dc03e0 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -18,6 +18,7 @@ List of roles where self-building the Docker image is currently possible: - `matrix-corporal` - `matrix-ma1sd` - `matrix-mailer` +- `matrix-bridge-appservice-slack` - `matrix-bridge-mautrix-facebook` - `matrix-bridge-mautrix-hangouts` - `matrix-bridge-mautrix-telegram` diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 42c2e3af..b43ed11f 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -110,6 +110,8 @@ matrix_appservice_webhooks_systemd_required_services_list: | # We don't enable bridges by default. matrix_appservice_slack_enabled: false +matrix_appservice_slack_container_self_build: "{{ matrix_architecture != 'amd64' }}" + # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-slack over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-appservice-slack's client-server port to the local host. diff --git a/roles/matrix-bridge-appservice-slack/defaults/main.yml b/roles/matrix-bridge-appservice-slack/defaults/main.yml index 28646a3c..997cfa5e 100644 --- a/roles/matrix-bridge-appservice-slack/defaults/main.yml +++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml @@ -3,6 +3,10 @@ matrix_appservice_slack_enabled: true +matrix_appservice_slack_container_self_build: false +matrix_appservice_slack_docker_repo: "https://github.com/matrix-org/matrix-appservice-slack.git" +matrix_appservice_slack_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-slack/docker-src" + matrix_appservice_slack_docker_image: "docker.io/matrixdotorg/matrix-appservice-slack:release-1.5.0" matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml index 29b0f39e..bcf6297a 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml @@ -8,9 +8,11 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" with_items: - - "{{ matrix_appservice_slack_base_path }}" - - "{{ matrix_appservice_slack_config_path }}" - - "{{ matrix_appservice_slack_data_path }}" + - { path: "{{ matrix_appservice_slack_base_path }}", when: true } + - { path: "{{ matrix_appservice_slack_config_path }}", when: true } + - { path: "{{ matrix_appservice_slack_data_path }}", when: true } + - { path: "{{ matrix_appservice_slack_docker_src_files_path }}", when: "{{ matrix_appservice_slack_container_self_build }}" } + when: item.when|bool - set_fact: matrix_appservice_slack_requires_restart: false @@ -36,6 +38,25 @@ force_source: "{{ matrix_appservice_slack_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_slack_docker_image_force_pull }}" +- name: Ensure matrix-appservice-slack repository is present when self-building + git: + repo: "{{ matrix_appservice_slack_docker_repo }}" + dest: "{{ matrix_appservice_slack_docker_src_files_path }}" + force: "yes" + register: matrix_appservice_slack_git_pull_results + when: "matrix_appservice_slack_container_self_build|bool" + +- name: Ensure matrix-appservice-slack Docker image is build + docker_image: + name: "{{ matrix_appservice_slack_docker_image }}" + source: build + force_source: yes + build: + dockerfile: Dockerfile + path: "{{ matrix_appservice_slack_docker_src_files_path }}" + pull: yes + when: "matrix_appservice_slack_container_self_build|bool and matrix_appservice_slack_git_pull_results.changed" + - name: Ensure Matrix Appservice Slack config installed copy: content: "{{ matrix_appservice_slack_configuration|to_nice_yaml }}" From b15da29ebbf0474ed79dcc9725edaf5e019290fc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 14 Jan 2021 10:41:47 +0200 Subject: [PATCH 30/84] Bump Synapse to v1.25.0 for ARM --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index fddac7aa..0e7cf987 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -11,7 +11,7 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont # The if statement below may look silly at times (leading to the same version being returned), # but ARM-compatible container images are only released 1-7 hours after a release, # so we may often be on different versions for different architectures when new Synapse releases come out. -matrix_synapse_docker_image_tag: "{{ 'v1.25.0' if matrix_architecture == 'amd64' else 'v1.24.0' }}" +matrix_synapse_docker_image_tag: "{{ 'v1.25.0' if matrix_architecture == 'amd64' else 'v1.25.0' }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" From 862a6276a037f820f3218688fafae16eaaafd8da Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 14 Jan 2021 10:47:23 +0200 Subject: [PATCH 31/84] Do not pull appservice-slack when self-building --- roles/matrix-bridge-appservice-slack/tasks/setup_install.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml index bcf6297a..721a5d6b 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml @@ -37,6 +37,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_appservice_slack_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_slack_docker_image_force_pull }}" + when: "not matrix_appservice_slack_container_self_build|bool" - name: Ensure matrix-appservice-slack repository is present when self-building git: @@ -46,7 +47,7 @@ register: matrix_appservice_slack_git_pull_results when: "matrix_appservice_slack_container_self_build|bool" -- name: Ensure matrix-appservice-slack Docker image is build +- name: Ensure matrix-appservice-slack Docker image is built docker_image: name: "{{ matrix_appservice_slack_docker_image }}" source: build From 7a90eb6d4fa0c4c26dcb7998946ff8e2fddefa67 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 14 Jan 2021 17:00:46 +0200 Subject: [PATCH 32/84] Relocate some validation tasks --- .../tasks/ssl/setup_ssl_lets_encrypt.yml | 18 ------------------ .../tasks/validate_config.yml | 19 +++++++++++++++++++ 2 files changed, 19 insertions(+), 18 deletions(-) diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml index 2946c111..cc84d207 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml @@ -11,28 +11,10 @@ - "{{ matrix_cron_path }}/matrix-ssl-certificate-renewal" - "{{ matrix_cron_path }}/matrix-nginx-proxy-periodic-restarter" - # # Tasks related to setting up Let's Encrypt's management of certificates # -- name: (Deprecation) Catch and report renamed settings - fail: - msg: >- - Your configuration contains a variable, which now has a different name. - Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). - with_items: - - {'old': 'host_specific_matrix_ssl_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'} - - {'old': 'host_specific_matrix_ssl_lets_encrypt_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'} - when: "matrix_ssl_retrieval_method == 'lets-encrypt' and item.old in vars" - -- name: Fail if required variables are undefined - fail: - msg: "Detected an undefined required variable" - with_items: - - "matrix_ssl_lets_encrypt_support_email" - when: "matrix_ssl_retrieval_method == 'lets-encrypt' and vars[item] is none" - - name: Ensure certbot Docker image is pulled docker_image: name: "{{ matrix_ssl_lets_encrypt_certbot_docker_image }}" diff --git a/roles/matrix-nginx-proxy/tasks/validate_config.yml b/roles/matrix-nginx-proxy/tasks/validate_config.yml index c12017f3..974df308 100644 --- a/roles/matrix-nginx-proxy/tasks/validate_config.yml +++ b/roles/matrix-nginx-proxy/tasks/validate_config.yml @@ -24,3 +24,22 @@ msg: >- `matrix_nginx_proxy_ssl_preset` needs to be set to a known value. when: "matrix_nginx_proxy_ssl_preset not in ['modern', 'intermediate', 'old']" + +- block: + - name: (Deprecation) Catch and report renamed settings + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + with_items: + - {'old': 'host_specific_matrix_ssl_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'} + - {'old': 'host_specific_matrix_ssl_lets_encrypt_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'} + when: "item.old in vars" + + - name: Fail if required variables are undefined + fail: + msg: "Detected an undefined required variable" + with_items: + - "matrix_ssl_lets_encrypt_support_email" + when: "vars[item] is none" + when: "matrix_ssl_retrieval_method == 'lets-encrypt'" From 57ea43d8b0250c0a9c76bba5dd9768fc1ab81fe0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 14 Jan 2021 17:47:13 +0200 Subject: [PATCH 33/84] Remove unused variable This variable has been useless since 2019-01-08. We probably don't need to check for its usage anymore, given how much time has passed since then, but .. --- roles/matrix-nginx-proxy/defaults/main.yml | 4 ---- roles/matrix-nginx-proxy/tasks/validate_config.yml | 2 ++ 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index b02ecf91..7c383383 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -215,10 +215,6 @@ matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to the base domain server configuration. matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: [] -# Specifies when to reload the matrix-nginx-proxy service so that -# a new SSL certificate could go into effect. -matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" - # Specifies the SSL configuration that should be used for the SSL protocols and ciphers # This is based on the Mozilla Server Side TLS Recommended configurations. # diff --git a/roles/matrix-nginx-proxy/tasks/validate_config.yml b/roles/matrix-nginx-proxy/tasks/validate_config.yml index 974df308..3197bd97 100644 --- a/roles/matrix-nginx-proxy/tasks/validate_config.yml +++ b/roles/matrix-nginx-proxy/tasks/validate_config.yml @@ -12,6 +12,8 @@ # People who configured this to disable Riot, would now wish to be disabling Element. # We now also have `matrix_nginx_proxy_proxy_riot_compat_redirect_`, but that's something else and is disabled by default. - {'old': 'matrix_nginx_proxy_proxy_riot_enabled', 'new': 'matrix_nginx_proxy_proxy_element_enabled'} + - {'old': 'matrix_ssl_lets_encrypt_renew_cron_time_definition', 'new': ''} + - {'old': 'matrix_nginx_proxy_reload_cron_time_definition', 'new': ''} - name: Fail on unknown matrix_ssl_retrieval_method fail: From 6f5aaad48d15ed9d5537f6dc1d5540ca14602831 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 14 Jan 2021 22:11:38 +0200 Subject: [PATCH 34/84] Split install/uninstall tasks in matrix-coturn --- roles/matrix-coturn/tasks/main.yml | 10 ++- .../{setup_coturn.yml => setup_install.yml} | 65 +++---------------- roles/matrix-coturn/tasks/setup_uninstall.yml | 44 +++++++++++++ 3 files changed, 60 insertions(+), 59 deletions(-) rename roles/matrix-coturn/tasks/{setup_coturn.yml => setup_install.yml} (59%) create mode 100644 roles/matrix-coturn/tasks/setup_uninstall.yml diff --git a/roles/matrix-coturn/tasks/main.yml b/roles/matrix-coturn/tasks/main.yml index 007a7ede..9794bcb3 100644 --- a/roles/matrix-coturn/tasks/main.yml +++ b/roles/matrix-coturn/tasks/main.yml @@ -8,8 +8,14 @@ - setup-all - setup-coturn -- import_tasks: "{{ role_path }}/tasks/setup_coturn.yml" - when: run_setup|bool +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_coturn_enabled|bool" + tags: + - setup-all + - setup-coturn + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_coturn_enabled|bool" tags: - setup-all - setup-coturn diff --git a/roles/matrix-coturn/tasks/setup_coturn.yml b/roles/matrix-coturn/tasks/setup_install.yml similarity index 59% rename from roles/matrix-coturn/tasks/setup_coturn.yml rename to roles/matrix-coturn/tasks/setup_install.yml index f3c1048f..2fe66221 100644 --- a/roles/matrix-coturn/tasks/setup_coturn.yml +++ b/roles/matrix-coturn/tasks/setup_install.yml @@ -1,9 +1,5 @@ --- -# -# Tasks related to setting up Coturn -# - - name: Ensure Matrix Coturn path exists file: path: "{{ item.path }}" @@ -13,7 +9,7 @@ group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_coturn_docker_src_files_path }}", when: "{{ matrix_coturn_container_image_self_build }}"} - when: matrix_coturn_enabled|bool and item.when + when: "item.when|bool" - name: Ensure Coturn image is pulled docker_image: @@ -21,7 +17,7 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_coturn_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_coturn_docker_image_force_pull }}" - when: matrix_coturn_enabled|bool and not matrix_coturn_container_image_self_build + when: "not matrix_coturn_container_image_self_build|bool" - name: Ensure Coturn repository is present on self-build git: @@ -30,7 +26,7 @@ version: "{{ matrix_coturn_docker_image.split(':')[1] }}" force: "yes" register: matrix_coturn_git_pull_results - when: "matrix_coturn_enabled|bool and matrix_coturn_container_image_self_build" + when: "matrix_coturn_container_image_self_build|bool" - name: Ensure Coturn Docker image is built docker_image: @@ -41,7 +37,7 @@ dockerfile: Dockerfile path: "{{ matrix_coturn_docker_src_files_path }}" pull: yes - when: "matrix_coturn_enabled|bool and matrix_coturn_container_image_self_build|bool" + when: "matrix_coturn_container_image_self_build|bool" - name: Ensure Coturn configuration path exists file: @@ -50,20 +46,17 @@ mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" - when: matrix_coturn_enabled|bool - name: Ensure turnserver.conf installed template: src: "{{ role_path }}/templates/turnserver.conf.j2" dest: "{{ matrix_coturn_config_path }}" mode: 0644 - when: matrix_coturn_enabled|bool - name: Ensure Coturn network is created in Docker docker_network: name: "{{ matrix_coturn_docker_network }}" driver: bridge - when: matrix_coturn_enabled|bool - name: Ensure matrix-coturn.service installed template: @@ -71,12 +64,11 @@ dest: "{{ matrix_systemd_path }}/matrix-coturn.service" mode: 0644 register: matrix_coturn_systemd_service_result - when: matrix_coturn_enabled|bool - name: Ensure systemd reloaded after matrix-coturn.service installation service: daemon_reload: yes - when: "matrix_coturn_enabled|bool and matrix_coturn_systemd_service_result.changed" + when: "matrix_coturn_systemd_service_result.changed" # This may be unnecessary when more long-lived certificates are used. # We optimize for the common use-case though (short-lived Let's Encrypt certificates). @@ -86,52 +78,11 @@ src: "{{ role_path }}/templates/cron.d/matrix-coturn-ssl-reload.j2" dest: /etc/cron.d/matrix-coturn-ssl-reload mode: 0644 - when: "matrix_coturn_enabled|bool and matrix_coturn_tls_enabled|bool" - - -# -# Tasks related to getting rid of Coturn (if it was previously enabled) -# + when: "matrix_coturn_tls_enabled|bool" +# A similar task exists in `setup_uninstall.yml` - name: Ensure matrix-coturn-ssl-reload cronjob removed file: path: /etc/cron.d/matrix-coturn-ssl-reload state: absent - when: "not matrix_coturn_enabled|bool or not matrix_coturn_tls_enabled|bool" - -- name: Check existence of matrix-coturn service - stat: - path: "{{ matrix_systemd_path }}/matrix-coturn.service" - register: matrix_coturn_service_stat - when: "not matrix_coturn_enabled|bool" - -- name: Ensure matrix-coturn is stopped - service: - name: matrix-coturn - state: stopped - daemon_reload: yes - register: stopping_result - when: "not matrix_coturn_enabled|bool and matrix_coturn_service_stat.stat.exists" - -- name: Ensure matrix-coturn.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-coturn.service" - state: absent - when: "not matrix_coturn_enabled|bool and matrix_coturn_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-coturn.service removal - service: - daemon_reload: yes - when: "not matrix_coturn_enabled|bool and matrix_coturn_service_stat.stat.exists" - -- name: Ensure Matrix coturn paths don't exist - file: - path: "{{ matrix_coturn_base_path }}" - state: absent - when: "not matrix_coturn_enabled|bool" - -- name: Ensure coturn Docker image doesn't exist - docker_image: - name: "{{ matrix_coturn_docker_image }}" - state: absent - when: "not matrix_coturn_enabled|bool" + when: "not matrix_coturn_tls_enabled|bool" diff --git a/roles/matrix-coturn/tasks/setup_uninstall.yml b/roles/matrix-coturn/tasks/setup_uninstall.yml new file mode 100644 index 00000000..c083c568 --- /dev/null +++ b/roles/matrix-coturn/tasks/setup_uninstall.yml @@ -0,0 +1,44 @@ +--- + +# A similar task exists in `setup_install.yml` +- name: Ensure matrix-coturn-ssl-reload cronjob removed + file: + path: /etc/cron.d/matrix-coturn-ssl-reload + state: absent + +- name: Check existence of matrix-coturn service + stat: + path: "{{ matrix_systemd_path }}/matrix-coturn.service" + register: matrix_coturn_service_stat + when: "not matrix_coturn_enabled|bool" + +- name: Ensure matrix-coturn is stopped + service: + name: matrix-coturn + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_coturn_enabled|bool and matrix_coturn_service_stat.stat.exists" + +- name: Ensure matrix-coturn.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-coturn.service" + state: absent + when: "not matrix_coturn_enabled|bool and matrix_coturn_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-coturn.service removal + service: + daemon_reload: yes + when: "not matrix_coturn_enabled|bool and matrix_coturn_service_stat.stat.exists" + +- name: Ensure Matrix coturn paths don't exist + file: + path: "{{ matrix_coturn_base_path }}" + state: absent + when: "not matrix_coturn_enabled|bool" + +- name: Ensure coturn Docker image doesn't exist + docker_image: + name: "{{ matrix_coturn_docker_image }}" + state: absent + when: "not matrix_coturn_enabled|bool" From 653d1d7924d78847498b71597cd645fc2a2575f8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 14 Jan 2021 22:20:51 +0200 Subject: [PATCH 35/84] Revert "Don't self-build ma1sd every time unless git sources changed" This reverts commit 2a25b63bb682c1546605bcbfb7ab9e828c4fe678. Looking at other roles, we trigger building regardless of this. It's better to always trigger it, because it's less fragile. If the build fails and we only trigger it on "git changes" then we won't trigger it for a while. That's not good. Triggering it each and every time may seem like a waste, but it supposedly runs quickly due to Docker caching. --- roles/matrix-ma1sd/tasks/setup_install.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/matrix-ma1sd/tasks/setup_install.yml b/roles/matrix-ma1sd/tasks/setup_install.yml index 0784b24d..a4a70ea4 100644 --- a/roles/matrix-ma1sd/tasks/setup_install.yml +++ b/roles/matrix-ma1sd/tasks/setup_install.yml @@ -87,7 +87,6 @@ shell: "./gradlew dockerBuild" args: chdir: "{{ matrix_ma1sd_docker_src_files_path }}" - when: "matrix_ma1sd_git_pull_results.changed|bool" - name: Ensure ma1sd Docker image is tagged correctly docker_image: @@ -98,7 +97,6 @@ repository: "{{ matrix_ma1sd_docker_image }}" force_tag: yes source: local - when: "matrix_ma1sd_git_pull_results.changed|bool" when: "matrix_ma1sd_container_image_self_build|bool" - name: Ensure ma1sd config installed From 05ca9357a8fc20ade1ed5f190cc75a18d8676512 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 14 Jan 2021 23:02:10 +0200 Subject: [PATCH 36/84] Add .service suffix to systemd units list We'll be adding `.timer` units later on, so it's good to be more explicit. --- roles/matrix-bot-matrix-reminder-bot/tasks/init.yml | 2 +- roles/matrix-bridge-appservice-discord/tasks/init.yml | 2 +- roles/matrix-bridge-appservice-irc/tasks/init.yml | 2 +- roles/matrix-bridge-appservice-slack/tasks/init.yml | 2 +- roles/matrix-bridge-appservice-webhooks/tasks/init.yml | 2 +- roles/matrix-bridge-mautrix-facebook/tasks/init.yml | 2 +- roles/matrix-bridge-mautrix-hangouts/tasks/init.yml | 2 +- roles/matrix-bridge-mautrix-signal/tasks/init.yml | 2 +- roles/matrix-bridge-mautrix-telegram/tasks/init.yml | 2 +- roles/matrix-bridge-mautrix-whatsapp/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-discord/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-skype/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-slack/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-steam/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml | 2 +- roles/matrix-bridge-sms/tasks/init.yml | 2 +- roles/matrix-client-element/tasks/init.yml | 2 +- roles/matrix-common-after/tasks/start.yml | 2 +- roles/matrix-corporal/tasks/init.yml | 2 +- roles/matrix-coturn/tasks/init.yml | 2 +- roles/matrix-dimension/tasks/init.yml | 2 +- roles/matrix-dynamic-dns/tasks/init.yml | 2 +- roles/matrix-email2matrix/tasks/init.yml | 2 +- roles/matrix-jitsi/tasks/init.yml | 2 +- roles/matrix-ma1sd/tasks/init.yml | 2 +- roles/matrix-mailer/tasks/init.yml | 2 +- roles/matrix-nginx-proxy/tasks/init.yml | 2 +- roles/matrix-postgres/tasks/init.yml | 2 +- roles/matrix-registration/tasks/init.yml | 2 +- roles/matrix-synapse-admin/tasks/init.yml | 2 +- roles/matrix-synapse/tasks/init.yml | 4 ++-- 32 files changed, 33 insertions(+), 33 deletions(-) diff --git a/roles/matrix-bot-matrix-reminder-bot/tasks/init.yml b/roles/matrix-bot-matrix-reminder-bot/tasks/init.yml index 9bc471de..7fd12524 100644 --- a/roles/matrix-bot-matrix-reminder-bot/tasks/init.yml +++ b/roles/matrix-bot-matrix-reminder-bot/tasks/init.yml @@ -1,3 +1,3 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-matrix-reminder-bot'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-matrix-reminder-bot.service'] }}" when: matrix_bot_matrix_reminder_bot_enabled|bool diff --git a/roles/matrix-bridge-appservice-discord/tasks/init.yml b/roles/matrix-bridge-appservice-discord/tasks/init.yml index 1f492526..ef64e78a 100644 --- a/roles/matrix-bridge-appservice-discord/tasks/init.yml +++ b/roles/matrix-bridge-appservice-discord/tasks/init.yml @@ -7,7 +7,7 @@ when: "matrix_appservice_discord_enabled and matrix_synapse_role_executed|default(False)" - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-discord'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-discord.service'] }}" when: matrix_appservice_discord_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-bridge-appservice-irc/tasks/init.yml b/roles/matrix-bridge-appservice-irc/tasks/init.yml index 0f5a2787..ddf1b031 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/init.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/init.yml @@ -7,7 +7,7 @@ when: "matrix_appservice_irc_enabled|bool and matrix_synapse_role_executed|default(False)" - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-irc'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-irc.service'] }}" when: matrix_appservice_irc_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-bridge-appservice-slack/tasks/init.yml b/roles/matrix-bridge-appservice-slack/tasks/init.yml index 5f9fe866..045b6b73 100644 --- a/roles/matrix-bridge-appservice-slack/tasks/init.yml +++ b/roles/matrix-bridge-appservice-slack/tasks/init.yml @@ -7,7 +7,7 @@ when: "matrix_synapse_role_executed|default(False)" - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-slack'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-slack.service'] }}" when: matrix_appservice_slack_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-bridge-appservice-webhooks/tasks/init.yml b/roles/matrix-bridge-appservice-webhooks/tasks/init.yml index bc275f78..53e2cce8 100644 --- a/roles/matrix-bridge-appservice-webhooks/tasks/init.yml +++ b/roles/matrix-bridge-appservice-webhooks/tasks/init.yml @@ -7,7 +7,7 @@ when: "matrix_synapse_role_executed|default(False)" - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-webhooks'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-webhooks.service'] }}" when: matrix_appservice_webhooks_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/init.yml b/roles/matrix-bridge-mautrix-facebook/tasks/init.yml index c9688cf0..9e127316 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/init.yml @@ -1,5 +1,5 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-facebook'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-facebook.service'] }}" when: matrix_mautrix_facebook_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml index 9dd09d81..9209fa40 100644 --- a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml @@ -1,5 +1,5 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-hangouts'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-hangouts.service'] }}" when: matrix_mautrix_hangouts_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-bridge-mautrix-signal/tasks/init.yml b/roles/matrix-bridge-mautrix-signal/tasks/init.yml index c2b37841..6133e865 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/init.yml @@ -1,5 +1,5 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-signal', 'matrix-mautrix-signal-daemon'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-signal.service', 'matrix-mautrix-signal-daemon.service'] }}" when: matrix_mautrix_signal_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml index a95c9416..721e98da 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml @@ -1,5 +1,5 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-telegram'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-telegram.service'] }}" when: matrix_mautrix_telegram_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-bridge-mautrix-whatsapp/tasks/init.yml b/roles/matrix-bridge-mautrix-whatsapp/tasks/init.yml index fa42bfce..f320bc74 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/tasks/init.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/tasks/init.yml @@ -1,5 +1,5 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-whatsapp'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-whatsapp.service'] }}" when: matrix_mautrix_whatsapp_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml b/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml index 5d461931..4d8444e1 100644 --- a/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml @@ -1,5 +1,5 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-discord'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-discord.service'] }}" when: matrix_mx_puppet_discord_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml b/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml index dafa59c0..0d319bc8 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml @@ -1,5 +1,5 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-instagram'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-instagram.service'] }}" when: matrix_mx_puppet_instagram_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml index 801c71c2..605ea492 100644 --- a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml @@ -1,5 +1,5 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-skype'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-skype.service'] }}" when: matrix_mx_puppet_skype_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml index dac04b9b..16afef20 100644 --- a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml @@ -1,5 +1,5 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-slack'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-slack.service'] }}" when: matrix_mx_puppet_slack_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml b/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml index 60b66074..9687944f 100644 --- a/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml @@ -1,5 +1,5 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-steam'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-steam.service'] }}" when: matrix_mx_puppet_steam_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml index 8f4aca6c..86f30237 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml +++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml @@ -1,5 +1,5 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-twitter'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-twitter.service'] }}" when: matrix_mx_puppet_twitter_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-bridge-sms/tasks/init.yml b/roles/matrix-bridge-sms/tasks/init.yml index cca4d4c5..5979d132 100644 --- a/roles/matrix-bridge-sms/tasks/init.yml +++ b/roles/matrix-bridge-sms/tasks/init.yml @@ -7,7 +7,7 @@ when: "matrix_sms_bridge_enabled and matrix_synapse_role_executed|default(False)" - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-sms-bridge'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-sms-bridge.service'] }}" when: matrix_sms_bridge_enabled|bool # If the matrix-synapse role is not used, these variables may not exist. diff --git a/roles/matrix-client-element/tasks/init.yml b/roles/matrix-client-element/tasks/init.yml index a8b64854..a42e3143 100644 --- a/roles/matrix-client-element/tasks/init.yml +++ b/roles/matrix-client-element/tasks/init.yml @@ -1,5 +1,5 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-element'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-element.service'] }}" when: matrix_client_element_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters diff --git a/roles/matrix-common-after/tasks/start.yml b/roles/matrix-common-after/tasks/start.yml index bad84d92..0798341c 100644 --- a/roles/matrix-common-after/tasks/start.yml +++ b/roles/matrix-common-after/tasks/start.yml @@ -46,7 +46,7 @@ Try running `systemctl status {{ item }}` and `journalctl -fu {{ item }}` on the server to investigate. with_items: "{{ matrix_systemd_services_list }}" when: - - "ansible_facts.services[item + '.service']|default(none) is none or ansible_facts.services[item + '.service'].state != 'running'" + - "ansible_facts.services[item]|default(none) is none or ansible_facts.services[item].state != 'running'" when: " ansible_distribution != 'Archlinux'" - block: diff --git a/roles/matrix-corporal/tasks/init.yml b/roles/matrix-corporal/tasks/init.yml index e2001844..ffe5d5da 100644 --- a/roles/matrix-corporal/tasks/init.yml +++ b/roles/matrix-corporal/tasks/init.yml @@ -1,3 +1,3 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-corporal'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-corporal.service'] }}" when: matrix_corporal_enabled|bool diff --git a/roles/matrix-coturn/tasks/init.yml b/roles/matrix-coturn/tasks/init.yml index b59feebd..95fbf247 100644 --- a/roles/matrix-coturn/tasks/init.yml +++ b/roles/matrix-coturn/tasks/init.yml @@ -1,5 +1,5 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn.service'] }}" when: matrix_coturn_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters diff --git a/roles/matrix-dimension/tasks/init.yml b/roles/matrix-dimension/tasks/init.yml index e1d94683..85ca04ea 100644 --- a/roles/matrix-dimension/tasks/init.yml +++ b/roles/matrix-dimension/tasks/init.yml @@ -1,3 +1,3 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dimension'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dimension.service'] }}" when: matrix_dimension_enabled|bool diff --git a/roles/matrix-dynamic-dns/tasks/init.yml b/roles/matrix-dynamic-dns/tasks/init.yml index 7b87fdb1..1a0f1b3d 100644 --- a/roles/matrix-dynamic-dns/tasks/init.yml +++ b/roles/matrix-dynamic-dns/tasks/init.yml @@ -1,3 +1,3 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dynamic-dns'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dynamic-dns.service'] }}" when: "matrix_dynamic_dns_enabled|bool" diff --git a/roles/matrix-email2matrix/tasks/init.yml b/roles/matrix-email2matrix/tasks/init.yml index 007a5476..0c8ffc0c 100644 --- a/roles/matrix-email2matrix/tasks/init.yml +++ b/roles/matrix-email2matrix/tasks/init.yml @@ -1,3 +1,3 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-email2matrix'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-email2matrix.service'] }}" when: matrix_email2matrix_enabled|bool diff --git a/roles/matrix-jitsi/tasks/init.yml b/roles/matrix-jitsi/tasks/init.yml index 328a3a25..1f7a2d1c 100644 --- a/roles/matrix-jitsi/tasks/init.yml +++ b/roles/matrix-jitsi/tasks/init.yml @@ -1,3 +1,3 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-jitsi-web', 'matrix-jitsi-prosody', 'matrix-jitsi-jicofo', 'matrix-jitsi-jvb'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-jitsi-web.service', 'matrix-jitsi-prosody.service', 'matrix-jitsi-jicofo.service', 'matrix-jitsi-jvb.service'] }}" when: matrix_jitsi_enabled|bool diff --git a/roles/matrix-ma1sd/tasks/init.yml b/roles/matrix-ma1sd/tasks/init.yml index 31a2e28f..89283a1f 100644 --- a/roles/matrix-ma1sd/tasks/init.yml +++ b/roles/matrix-ma1sd/tasks/init.yml @@ -1,5 +1,5 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ma1sd'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ma1sd.service'] }}" when: matrix_ma1sd_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters diff --git a/roles/matrix-mailer/tasks/init.yml b/roles/matrix-mailer/tasks/init.yml index 1557bc64..e48e2a85 100644 --- a/roles/matrix-mailer/tasks/init.yml +++ b/roles/matrix-mailer/tasks/init.yml @@ -1,3 +1,3 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mailer'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mailer.service'] }}" when: matrix_mailer_enabled|bool diff --git a/roles/matrix-nginx-proxy/tasks/init.yml b/roles/matrix-nginx-proxy/tasks/init.yml index c968d093..1d5794c0 100644 --- a/roles/matrix-nginx-proxy/tasks/init.yml +++ b/roles/matrix-nginx-proxy/tasks/init.yml @@ -1,3 +1,3 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-nginx-proxy'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-nginx-proxy.service'] }}" when: matrix_nginx_proxy_enabled|bool diff --git a/roles/matrix-postgres/tasks/init.yml b/roles/matrix-postgres/tasks/init.yml index 6b8e40ba..a0f2ae60 100644 --- a/roles/matrix-postgres/tasks/init.yml +++ b/roles/matrix-postgres/tasks/init.yml @@ -1,3 +1,3 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-postgres'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-postgres.service'] }}" when: matrix_postgres_enabled|bool diff --git a/roles/matrix-registration/tasks/init.yml b/roles/matrix-registration/tasks/init.yml index bdb3928e..158ad605 100644 --- a/roles/matrix-registration/tasks/init.yml +++ b/roles/matrix-registration/tasks/init.yml @@ -1,5 +1,5 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-registration'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-registration.service'] }}" when: matrix_registration_enabled|bool - block: diff --git a/roles/matrix-synapse-admin/tasks/init.yml b/roles/matrix-synapse-admin/tasks/init.yml index c8d74e04..36bdb611 100644 --- a/roles/matrix-synapse-admin/tasks/init.yml +++ b/roles/matrix-synapse-admin/tasks/init.yml @@ -1,5 +1,5 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse-admin'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse-admin.service'] }}" when: matrix_synapse_admin_enabled|bool - block: diff --git a/roles/matrix-synapse/tasks/init.yml b/roles/matrix-synapse/tasks/init.yml index 004a2a92..bdb62476 100644 --- a/roles/matrix-synapse/tasks/init.yml +++ b/roles/matrix-synapse/tasks/init.yml @@ -1,9 +1,9 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse.service'] }}" when: matrix_synapse_enabled|bool - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-goofys'] }}" + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-goofys.service'] }}" when: matrix_s3_media_store_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters From e1690722f7f5a0bb23edbcfbb9666c092a2b3cad Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 14 Jan 2021 23:23:46 +0200 Subject: [PATCH 37/84] Replace cronjobs with systemd timers Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/756 Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/737 I feel like timers are somewhat more complicated and dirty (compared to cronjobs), but they come with these benefits: - log output goes to journald - on newer systemd distros, you can see when the timer fired, when it will fire, etc. - we don't need to rely on cron (reducing our dependencies to just systemd + Docker) Cronjobs work well, but it's one more dependency that needs to be installed. We were even asking people to install it manually (in `docs/prerequisites.md`), which could have gone unnoticed. Once in a while someone says "my SSL certificates didn't renew" and it's likely because they forgot to install a cron daemon. Switching to systemd timers means that installation is simpler and more unified. --- CHANGELOG.md | 11 +++ docs/prerequisites.md | 2 - docs/uninstalling.md | 6 +- roles/matrix-base/defaults/main.yml | 4 ++ .../usr-local-bin/matrix-remove-all.j2 | 2 - roles/matrix-common-after/tasks/start.yml | 4 +- roles/matrix-coturn/tasks/init.yml | 4 ++ roles/matrix-coturn/tasks/setup_install.yml | 72 +++++++++++-------- roles/matrix-coturn/tasks/setup_uninstall.yml | 33 +++++---- .../cron.d/matrix-coturn-ssl-reload.j2 | 1 - .../systemd/matrix-coturn-reload.service.j2 | 6 ++ .../systemd/matrix-coturn-reload.timer.j2 | 10 +++ roles/matrix-nginx-proxy/tasks/init.yml | 5 ++ .../tasks/ssl/setup_ssl_lets_encrypt.yml | 71 +++++++++--------- .../cron.d/matrix-ssl-lets-encrypt.j2 | 5 -- ...lets-encrypt-certificates-renew.service.j2 | 6 ++ ...l-lets-encrypt-certificates-renew.timer.j2 | 10 +++ .../matrix-ssl-nginx-proxy-reload.service.j2 | 6 ++ .../matrix-ssl-nginx-proxy-reload.timer.j2 | 10 +++ ...rix-ssl-lets-encrypt-certificates-renew.j2 | 1 - roles/matrix-nginx-proxy/vars/main.yml | 16 ++++- 21 files changed, 190 insertions(+), 95 deletions(-) delete mode 100644 roles/matrix-coturn/templates/cron.d/matrix-coturn-ssl-reload.j2 create mode 100644 roles/matrix-coturn/templates/systemd/matrix-coturn-reload.service.j2 create mode 100644 roles/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2 delete mode 100644 roles/matrix-nginx-proxy/templates/cron.d/matrix-ssl-lets-encrypt.j2 create mode 100644 roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2 create mode 100644 roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.timer.j2 create mode 100644 roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.service.j2 create mode 100644 roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index bb60561e..aa5c2270 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,14 @@ +# 2021-01-14 + +## Moving from cronjobs to systemd timers + +We no longer use cronjobs for Let's Encrypt SSL renewal and `matrix-nginx-proxy`/`matrix-coturn` reloading. Instead, we've switched to systemd timers. + +The largest benefit of this is that we no longer require you to install a cron daemon, thus simplifying our install procedure. + +The playbook will migrate you from cronjobs to systemd timers automatically. This is just a heads up. + + # 2021-01-08 ## (Breaking Change) New SSL configuration diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 40a075b4..ae9a992f 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -16,8 +16,6 @@ If your distro runs within an [LXC container](https://linuxcontainers.org/), you - [Python](https://www.python.org/) being installed on the server. Most distributions install Python by default, but some don't (e.g. Ubuntu 18.04) and require manual installation (something like `apt-get install python3`). On some distros, Ansible may incorrectly [detect the Python version](https://docs.ansible.com/ansible/latest/reference_appendices/interpreter_discovery.html) (2 vs 3) and you may need to explicitly specify the interpreter path in `inventory/hosts` during installation (e.g. `ansible_python_interpreter=/usr/bin/python3`) -- A `cron`-like tool installed on the server such as `cron` or `anacron` to automatically schedule the Let's Encrypt SSL certificates's renewal. *This can be ignored if you use your own SSL certificates.* - - The [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you. Take a look at [our guide about Ansible](ansible.md) for more information, as well as [version requirements](ansible.md#supported-ansible-versions) and alternative ways to run Ansible. - Either the `dig` tool or `python-dns` installed on your own computer. Used later on, by the playbook's [services check](maintenance-checking-services.md) feature. diff --git a/docs/uninstalling.md b/docs/uninstalling.md index cb55a7b5..73af01d9 100644 --- a/docs/uninstalling.md +++ b/docs/uninstalling.md @@ -23,15 +23,13 @@ If you prefer to uninstall manually, run these commands (most are meant to be ex - ensure all Matrix services are stopped: `ansible-playbook -i inventory/hosts setup.yml --tags=stop` (if you can't get Ansible working to run this command, you can run `systemctl stop 'matrix*'` manually on the server) -- delete the Matrix-related systemd `.service` files (`rm -f /etc/systemd/system/matrix*.service`) and reload systemd (`systemctl daemon-reload`) - -- delete all Matrix-related cronjobs (`rm -f /etc/cron.d/matrix*`) +- delete the Matrix-related systemd `.service` and `.timer` files (`rm -f /etc/systemd/system/matrix*.{service,timer}`) and reload systemd (`systemctl daemon-reload`) - delete some helper scripts (`rm -f /usr/local/bin/matrix*`) - delete some cached Docker images (`docker system prune -a`) or just delete them all (`docker rmi $(docker images -aq)`) -- delete the Docker network: `docker network rm matrix` (might have been deleted already if you ran the `docker system prune` command) +- delete the Docker networks: `docker network rm matrix matrix-coturn` (might have been deleted already if you ran the `docker system prune` command) - uninstall Docker itself, if necessary diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 2cc4b42f..601a0f83 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -48,7 +48,11 @@ matrix_base_data_path_mode: "750" matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files" matrix_systemd_path: "/etc/systemd/system" + +# This is now unused. We keep it so that cleanup tasks can use it. +# To be removed in the future. matrix_cron_path: "/etc/cron.d" + matrix_local_bin_path: "/usr/local/bin" matrix_host_command_docker: "/usr/bin/env docker" diff --git a/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 b/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 index 2a2314a5..2a647aba 100644 --- a/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 +++ b/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2 @@ -20,8 +20,6 @@ else rm -f {{ matrix_systemd_path }}/$s done systemctl daemon-reload - echo "Remove matrix cronjobs" - find /etc/cron.d/ -name "matrix-*" -delete echo "Remove matrix scripts" find {{ matrix_local_bin_path }}/ -name "matrix-*" -delete echo "Remove unused Docker images and resources" diff --git a/roles/matrix-common-after/tasks/start.yml b/roles/matrix-common-after/tasks/start.yml index 0798341c..b1477cf6 100644 --- a/roles/matrix-common-after/tasks/start.yml +++ b/roles/matrix-common-after/tasks/start.yml @@ -1,6 +1,6 @@ --- -- name: Deterimne whether we should make services autostart +- name: Determine whether we should make services autostart set_fact: matrix_services_autostart_enabled_bool: "{{ true if matrix_services_autostart_enabled|default('') == '' else matrix_services_autostart_enabled|bool }}" @@ -46,7 +46,7 @@ Try running `systemctl status {{ item }}` and `journalctl -fu {{ item }}` on the server to investigate. with_items: "{{ matrix_systemd_services_list }}" when: - - "ansible_facts.services[item]|default(none) is none or ansible_facts.services[item].state != 'running'" + - "item.endswith('.service') and (ansible_facts.services[item]|default(none) is none or ansible_facts.services[item].state != 'running')" when: " ansible_distribution != 'Archlinux'" - block: diff --git a/roles/matrix-coturn/tasks/init.yml b/roles/matrix-coturn/tasks/init.yml index 95fbf247..be011b7f 100644 --- a/roles/matrix-coturn/tasks/init.yml +++ b/roles/matrix-coturn/tasks/init.yml @@ -2,6 +2,10 @@ matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn.service'] }}" when: matrix_coturn_enabled|bool +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn-reload.timer'] }}" + when: "matrix_coturn_enabled|bool and matrix_coturn_tls_enabled|bool" + # ansible lower than 2.8, does not support docker_image build parameters # for self buildig it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building diff --git a/roles/matrix-coturn/tasks/setup_install.yml b/roles/matrix-coturn/tasks/setup_install.yml index 2fe66221..2f3664f1 100644 --- a/roles/matrix-coturn/tasks/setup_install.yml +++ b/roles/matrix-coturn/tasks/setup_install.yml @@ -1,5 +1,11 @@ --- +# This is a cleanup/migration task. It can be removed some time in the future. +- name: (Migration) Remove deprecated cronjob + file: + path: "{{ matrix_cron_path }}/matrix-coturn-ssl-reload" + state: absent + - name: Ensure Matrix Coturn path exists file: path: "{{ item.path }}" @@ -19,24 +25,24 @@ force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_coturn_docker_image_force_pull }}" when: "not matrix_coturn_container_image_self_build|bool" -- name: Ensure Coturn repository is present on self-build - git: - repo: "{{ matrix_coturn_container_image_self_build_repo }}" - dest: "{{ matrix_coturn_docker_src_files_path }}" - version: "{{ matrix_coturn_docker_image.split(':')[1] }}" - force: "yes" - register: matrix_coturn_git_pull_results - when: "matrix_coturn_container_image_self_build|bool" +- block: + - name: Ensure Coturn repository is present on self-build + git: + repo: "{{ matrix_coturn_container_image_self_build_repo }}" + dest: "{{ matrix_coturn_docker_src_files_path }}" + version: "{{ matrix_coturn_docker_image.split(':')[1] }}" + force: "yes" + register: matrix_coturn_git_pull_results -- name: Ensure Coturn Docker image is built - docker_image: - name: "{{ matrix_coturn_docker_image }}" - source: build - force_source: "{{ matrix_coturn_git_pull_results.changed }}" - build: - dockerfile: Dockerfile - path: "{{ matrix_coturn_docker_src_files_path }}" - pull: yes + - name: Ensure Coturn Docker image is built + docker_image: + name: "{{ matrix_coturn_docker_image }}" + source: build + force_source: "{{ matrix_coturn_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_coturn_docker_src_files_path }}" + pull: yes when: "matrix_coturn_container_image_self_build|bool" - name: Ensure Coturn configuration path exists @@ -52,6 +58,8 @@ src: "{{ role_path }}/templates/turnserver.conf.j2" dest: "{{ matrix_coturn_config_path }}" mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" - name: Ensure Coturn network is created in Docker docker_network: @@ -63,26 +71,34 @@ src: "{{ role_path }}/templates/systemd/matrix-coturn.service.j2" dest: "{{ matrix_systemd_path }}/matrix-coturn.service" mode: 0644 - register: matrix_coturn_systemd_service_result - -- name: Ensure systemd reloaded after matrix-coturn.service installation - service: - daemon_reload: yes - when: "matrix_coturn_systemd_service_result.changed" + register: matrix_coturn_systemd_service_change_results # This may be unnecessary when more long-lived certificates are used. # We optimize for the common use-case though (short-lived Let's Encrypt certificates). # Reloading doesn't hurt anyway, so there's no need to make this more flexible. -- name: Ensure periodic reloading of matrix-coturn is configured for SSL renewal (matrix-coturn-reload) +- name: Ensure reloading systemd units installed, if necessary template: - src: "{{ role_path }}/templates/cron.d/matrix-coturn-ssl-reload.j2" - dest: /etc/cron.d/matrix-coturn-ssl-reload + src: "{{ role_path }}/templates/systemd/{{ item }}.j2" + dest: "{{ matrix_systemd_path }}/{{ item }}" mode: 0644 + register: "matrix_coturn_systemd_service_change_results" when: "matrix_coturn_tls_enabled|bool" + with_items: + - matrix-coturn-reload.service + - matrix-coturn-reload.timer # A similar task exists in `setup_uninstall.yml` -- name: Ensure matrix-coturn-ssl-reload cronjob removed +- name: Ensure reloading systemd units uninstalled, if unnecessary file: - path: /etc/cron.d/matrix-coturn-ssl-reload + path: "{{ item }}" state: absent + register: "matrix_coturn_systemd_service_change_results" when: "not matrix_coturn_tls_enabled|bool" + with_items: + - matrix-coturn-reload.service + - matrix-coturn-reload.timer + +- name: Ensure systemd reloaded if systemd units changed + service: + daemon_reload: yes + when: "matrix_coturn_systemd_service_change_results.changed" diff --git a/roles/matrix-coturn/tasks/setup_uninstall.yml b/roles/matrix-coturn/tasks/setup_uninstall.yml index c083c568..99a7080e 100644 --- a/roles/matrix-coturn/tasks/setup_uninstall.yml +++ b/roles/matrix-coturn/tasks/setup_uninstall.yml @@ -1,11 +1,5 @@ --- -# A similar task exists in `setup_install.yml` -- name: Ensure matrix-coturn-ssl-reload cronjob removed - file: - path: /etc/cron.d/matrix-coturn-ssl-reload - state: absent - - name: Check existence of matrix-coturn service stat: path: "{{ matrix_systemd_path }}/matrix-coturn.service" @@ -17,28 +11,37 @@ name: matrix-coturn state: stopped daemon_reload: yes - register: stopping_result - when: "not matrix_coturn_enabled|bool and matrix_coturn_service_stat.stat.exists" + when: "matrix_coturn_service_stat.stat.exists|bool" -- name: Ensure matrix-coturn.service doesn't exist +- name: Ensure matrix-coturn-reload.timer is stopped + service: + name: matrix-coturn + state: stopped + daemon_reload: yes + failed_when: false + when: "matrix_coturn_service_stat.stat.exists|bool" + +- name: Ensure systemd units don't exist file: - path: "{{ matrix_systemd_path }}/matrix-coturn.service" + path: "{{ matrix_systemd_path }}/{{ item }}" state: absent - when: "not matrix_coturn_enabled|bool and matrix_coturn_service_stat.stat.exists" + register: matrix_coturn_systemd_unit_uninstallation_result + with_items: + - matrix-coturn.service + - matrix-coturn-reload.service + - matrix-coturn-reload.timer -- name: Ensure systemd reloaded after matrix-coturn.service removal +- name: Ensure systemd reloaded after unit removal service: daemon_reload: yes - when: "not matrix_coturn_enabled|bool and matrix_coturn_service_stat.stat.exists" + when: "matrix_coturn_systemd_unit_uninstallation_result.changed|bool" - name: Ensure Matrix coturn paths don't exist file: path: "{{ matrix_coturn_base_path }}" state: absent - when: "not matrix_coturn_enabled|bool" - name: Ensure coturn Docker image doesn't exist docker_image: name: "{{ matrix_coturn_docker_image }}" state: absent - when: "not matrix_coturn_enabled|bool" diff --git a/roles/matrix-coturn/templates/cron.d/matrix-coturn-ssl-reload.j2 b/roles/matrix-coturn/templates/cron.d/matrix-coturn-ssl-reload.j2 deleted file mode 100644 index 1076f539..00000000 --- a/roles/matrix-coturn/templates/cron.d/matrix-coturn-ssl-reload.j2 +++ /dev/null @@ -1 +0,0 @@ -20 4 */5 * * root {{ matrix_host_command_systemctl }} reload matrix-coturn.service diff --git a/roles/matrix-coturn/templates/systemd/matrix-coturn-reload.service.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn-reload.service.j2 new file mode 100644 index 00000000..e006e5a0 --- /dev/null +++ b/roles/matrix-coturn/templates/systemd/matrix-coturn-reload.service.j2 @@ -0,0 +1,6 @@ +[Unit] +Description=Reloads matrix-coturn so that new SSL certificates can kick in + +[Service] +Type=oneshot +ExecStart={{ matrix_host_command_systemctl }} reload matrix-coturn.service diff --git a/roles/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2 new file mode 100644 index 00000000..622cd80a --- /dev/null +++ b/roles/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2 @@ -0,0 +1,10 @@ +[Unit] +Description=Reloads matrix-coturn periodically so that new SSL certificates can kick in + +[Timer] +Unit=matrix-coturn-reload.service +OnCalendar=Sunday *-*-* 13:00:00 +RandomizedDelaySec=3h + +[Install] +WantedBy=timers.target diff --git a/roles/matrix-nginx-proxy/tasks/init.yml b/roles/matrix-nginx-proxy/tasks/init.yml index 1d5794c0..0161da23 100644 --- a/roles/matrix-nginx-proxy/tasks/init.yml +++ b/roles/matrix-nginx-proxy/tasks/init.yml @@ -1,3 +1,8 @@ - set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-nginx-proxy.service'] }}" when: matrix_nginx_proxy_enabled|bool + +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + [item.name] }}" + when: "item.applicable|bool and item.enableable|bool" + with_items: "{{ matrix_ssl_renewal_systemd_units_list }}" diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml index cc84d207..b976923f 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml @@ -10,53 +10,56 @@ - "{{ matrix_local_bin_path }}/matrix-ssl-certificates-renew" - "{{ matrix_cron_path }}/matrix-ssl-certificate-renewal" - "{{ matrix_cron_path }}/matrix-nginx-proxy-periodic-restarter" + - "/etc/cron.d/matrix-ssl-lets-encrypt" + - "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew" # # Tasks related to setting up Let's Encrypt's management of certificates # -- name: Ensure certbot Docker image is pulled - docker_image: - name: "{{ matrix_ssl_lets_encrypt_certbot_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_ssl_lets_encrypt_certbot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ssl_lets_encrypt_certbot_docker_image_force_pull }}" - when: "matrix_ssl_retrieval_method == 'lets-encrypt'" +- block: + - name: Ensure certbot Docker image is pulled + docker_image: + name: "{{ matrix_ssl_lets_encrypt_certbot_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_ssl_lets_encrypt_certbot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ssl_lets_encrypt_certbot_docker_image_force_pull }}" -- name: Obtain Let's Encrypt certificates - include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml" - with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}" - loop_control: - loop_var: domain_name - when: "matrix_ssl_retrieval_method == 'lets-encrypt'" + - name: Obtain Let's Encrypt certificates + include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml" + with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}" + loop_control: + loop_var: domain_name -- name: Ensure Let's Encrypt SSL renewal script installed - template: - src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2" - dest: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew" - mode: 0750 - when: "matrix_ssl_retrieval_method == 'lets-encrypt'" + - name: Ensure Let's Encrypt SSL renewal script installed + template: + src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2" + dest: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew" + mode: 0750 -- name: Ensure periodic SSL renewal cronjob configured - template: - src: "{{ role_path }}/templates/cron.d/matrix-ssl-lets-encrypt.j2" - dest: /etc/cron.d/matrix-ssl-lets-encrypt - mode: 0644 + - name: Ensure SSL renewal systemd units installed + template: + src: "{{ role_path }}/templates/systemd/{{ item.name }}.j2" + dest: "{{ matrix_systemd_path }}/{{ item.name }}" + mode: 0644 + when: "item.applicable|bool" + with_items: "{{ matrix_ssl_renewal_systemd_units_list }}" when: "matrix_ssl_retrieval_method == 'lets-encrypt'" - # # Tasks related to getting rid of Let's Encrypt's management of certificates # -- name: Ensure matrix-ssl-lets-encrypt-renew cronjob removed - file: - path: /etc/cron.d/matrix-ssl-lets-encrypt - state: absent - when: "matrix_ssl_retrieval_method != 'lets-encrypt'" +- block: + - name: Ensure matrix-ssl-lets-encrypt-renew cronjob removed + file: + path: "{{ matrix_systemd_path }}/{{ item.name }}" + state: absent + when: "{{ not item.applicable }}" + with_items: "{{ matrix_ssl_renewal_systemd_units_list }}" -- name: Ensure Let's Encrypt SSL renewal script removed - file: - path: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew" - state: absent + - name: Ensure Let's Encrypt SSL renewal script removed + file: + path: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew" + state: absent when: "matrix_ssl_retrieval_method != 'lets-encrypt'" diff --git a/roles/matrix-nginx-proxy/templates/cron.d/matrix-ssl-lets-encrypt.j2 b/roles/matrix-nginx-proxy/templates/cron.d/matrix-ssl-lets-encrypt.j2 deleted file mode 100644 index f58e37d4..00000000 --- a/roles/matrix-nginx-proxy/templates/cron.d/matrix-ssl-lets-encrypt.j2 +++ /dev/null @@ -1,5 +0,0 @@ -MAILTO="{{ matrix_ssl_lets_encrypt_support_email }}" -15 4 * * * root {{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew -{% if matrix_nginx_proxy_enabled %} -20 5 * * * root {{ matrix_host_command_systemctl }} reload matrix-nginx-proxy.service -{% endif %} diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2 new file mode 100644 index 00000000..e95740da --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2 @@ -0,0 +1,6 @@ +[Unit] +Description=Renews Let's Encrypt SSL certificates + +[Service] +Type=oneshot +ExecStart={{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.timer.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.timer.j2 new file mode 100644 index 00000000..91b13b29 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.timer.j2 @@ -0,0 +1,10 @@ +[Unit] +Description=Renews Let's Encrypt SSL certificates periodically + +[Timer] +Unit=matrix-ssl-lets-encrypt-certificates-renew.service +OnCalendar=Sunday *-*-* 05:00:00 +RandomizedDelaySec=3h + +[Install] +WantedBy=timers.target diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.service.j2 new file mode 100644 index 00000000..851655ba --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.service.j2 @@ -0,0 +1,6 @@ +[Unit] +Description=Reloads matrix-nginx-proxy so that new SSL certificates can kick in + +[Service] +Type=oneshot +ExecStart={{ matrix_host_command_systemctl }} reload matrix-nginx-proxy.service diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2 new file mode 100644 index 00000000..73c1848e --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2 @@ -0,0 +1,10 @@ +[Unit] +Description=Reloads matrix-nginx-proxy periodically so that new SSL certificates can kick in + +[Timer] +Unit=matrix-ssl-nginx-proxy-reload.service +OnCalendar=Sunday *-*-* 13:00:00 +RandomizedDelaySec=3h + +[Install] +WantedBy=timers.target diff --git a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 index 39366abf..40cab22a 100644 --- a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 +++ b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 @@ -24,7 +24,6 @@ docker run \ {% if matrix_ssl_lets_encrypt_staging %} --staging \ {% endif %} - --quiet \ --standalone \ --preferred-challenges http \ --agree-tos \ diff --git a/roles/matrix-nginx-proxy/vars/main.yml b/roles/matrix-nginx-proxy/vars/main.yml index 4d0235cb..5c51fe5b 100644 --- a/roles/matrix-nginx-proxy/vars/main.yml +++ b/roles/matrix-nginx-proxy/vars/main.yml @@ -1,4 +1,18 @@ --- # Tells whether this role had executed or not. Toggled to `true` during runtime. -matrix_nginx_proxy_role_executed: false \ No newline at end of file +matrix_nginx_proxy_role_executed: false + +matrix_ssl_renewal_systemd_units_list: + - name: matrix-ssl-lets-encrypt-certificates-renew.service + applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' }}" + enableable: false + - name: matrix-ssl-lets-encrypt-certificates-renew.timer + applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' }}" + enableable: true + - name: matrix-ssl-nginx-proxy-reload.service + applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' and matrix_nginx_proxy_enabled|bool }}" + enableable: false + - name: matrix-ssl-nginx-proxy-reload.timer + applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' and matrix_nginx_proxy_enabled|bool }}" + enableable: true From 9e936e45ad85ad775eb9de483b5a6dcbd92b99d2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 14 Jan 2021 23:48:30 +0200 Subject: [PATCH 38/84] Use BuildKit for ma1sd Docker building Newer versions (`master`) use things like `--platform=...`, which are not supported unless we enable the new BuildKit building backend. --- roles/matrix-ma1sd/tasks/setup_install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-ma1sd/tasks/setup_install.yml b/roles/matrix-ma1sd/tasks/setup_install.yml index a4a70ea4..7decaa2e 100644 --- a/roles/matrix-ma1sd/tasks/setup_install.yml +++ b/roles/matrix-ma1sd/tasks/setup_install.yml @@ -84,7 +84,7 @@ register: matrix_ma1sd_git_pull_results - name: Ensure ma1sd Docker image is built - shell: "./gradlew dockerBuild" + shell: "DOCKER_BUILDKIT=1 ./gradlew dockerBuild" args: chdir: "{{ matrix_ma1sd_docker_src_files_path }}" From 26f0bbfdef5c8a87e616f7b8c00cb85fa991bee5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 14 Jan 2021 23:57:38 +0200 Subject: [PATCH 39/84] Fix self-building for matrix-ma1sd on non-version tag/branch Building `master` or something like this was failing. --- roles/matrix-ma1sd/defaults/main.yml | 5 ++++- roles/matrix-ma1sd/tasks/setup_install.yml | 13 ++++++++----- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index 28e3405c..62828d95 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -5,10 +5,13 @@ matrix_ma1sd_enabled: true matrix_ma1sd_container_image_self_build: false matrix_ma1sd_container_image_self_build_repo: "https://github.com/ma1uta/ma1sd.git" +matrix_ma1sd_container_image_self_build_branch: "{{ matrix_ma1sd_version }}" matrix_ma1sd_architecture: "amd64" -matrix_ma1sd_docker_image: "{{ matrix_ma1sd_docker_image_name_prefix }}ma1uta/ma1sd:2.4.0-{{ matrix_ma1sd_architecture }}" +matrix_ma1sd_version: "2.4.0" + +matrix_ma1sd_docker_image: "{{ matrix_ma1sd_docker_image_name_prefix }}ma1uta/ma1sd:{{ matrix_ma1sd_version }}-{{ matrix_ma1sd_architecture }}" matrix_ma1sd_docker_image_name_prefix: "{{ 'localhost/' if matrix_ma1sd_container_image_self_build else 'docker.io/' }}" matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-ma1sd/tasks/setup_install.yml b/roles/matrix-ma1sd/tasks/setup_install.yml index 7decaa2e..3f319eef 100644 --- a/roles/matrix-ma1sd/tasks/setup_install.yml +++ b/roles/matrix-ma1sd/tasks/setup_install.yml @@ -79,7 +79,7 @@ git: repo: "{{ matrix_ma1sd_container_image_self_build_repo }}" dest: "{{ matrix_ma1sd_docker_src_files_path }}" - version: "{{ matrix_ma1sd_docker_image.split(':')[1].split('-')[0] }}" + version: "{{ matrix_ma1sd_container_image_self_build_branch }}" force: "yes" register: matrix_ma1sd_git_pull_results @@ -90,10 +90,13 @@ - name: Ensure ma1sd Docker image is tagged correctly docker_image: - # The build script always tags the image with something like `ma1uta/ma1sd:2.4.0`. - # Remove the `-{{ matrix_ma1sd_architecture }}` suffix and our `localhost/` prefix (applied when self-building) - # to get to what has actually been built, so we can retag it as `{{ matrix_ma1sd_docker_image }}`. - name: "{{ matrix_ma1sd_docker_image.split('-')[0].replace('localhost/', '') }}" + # The build script always tags the image with 2 tags: + # - based on the branch/version: e.g. `ma1uta/ma1sd:2.4.0` (when on `2.4.0`) + # or `ma1uta/ma1sd:2.4.0-19-ga71d32b` (when on a given commit for a pre-release) + # - generic one: `ma1uta/ma1sd:latest-dev` + # + # It's hard to predict the first one, so we'll use the latter. + name: "ma1uta/ma1sd:latest-dev" repository: "{{ matrix_ma1sd_docker_image }}" force_tag: yes source: local From 1692a28fe4f3246b986d5d71966d592928a4fa19 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 15 Jan 2021 00:21:55 +0200 Subject: [PATCH 40/84] Work around annoying Docker warning about undefined $HOME > WARNING: Error loading config file: .dockercfg: $HOME is not defined .. which appeared in Docker 20.10. --- roles/matrix-base/defaults/main.yml | 5 +++++ .../systemd/matrix-bot-matrix-reminder-bot.service.j2 | 1 + .../templates/systemd/matrix-appservice-discord.service.j2 | 1 + .../templates/systemd/matrix-appservice-irc.service.j2 | 1 + .../templates/systemd/matrix-appservice-slack.service.j2 | 1 + .../templates/systemd/matrix-appservice-webhooks.service.j2 | 1 + .../templates/systemd/matrix-mautrix-facebook.service.j2 | 1 + .../templates/systemd/matrix-mautrix-hangouts.service.j2 | 1 + .../systemd/matrix-mautrix-signal-daemon.service.j2 | 1 + .../templates/systemd/matrix-mautrix-signal.service.j2 | 1 + .../templates/systemd/matrix-mautrix-telegram.service.j2 | 1 + .../templates/systemd/matrix-mautrix-whatsapp.service.j2 | 1 + .../templates/systemd/matrix-mx-puppet-discord.service.j2 | 1 + .../templates/systemd/matrix-mx-puppet-instagram.service.j2 | 1 + .../templates/systemd/matrix-mx-puppet-skype.service.j2 | 1 + .../templates/systemd/matrix-mx-puppet-slack.service.j2 | 1 + .../templates/systemd/matrix-mx-puppet-steam.service.j2 | 1 + .../templates/systemd/matrix-mx-puppet-twitter.service.j2 | 1 + .../templates/systemd/matrix-sms-bridge.service.j2 | 1 + .../templates/systemd/matrix-client-element.service.j2 | 1 + .../templates/systemd/matrix-corporal.service.j2 | 1 + .../matrix-coturn/templates/systemd/matrix-coturn.service.j2 | 1 + .../templates/systemd/matrix-dimension.service.j2 | 1 + .../templates/systemd/matrix-dynamic-dns.service.j2 | 1 + .../templates/systemd/matrix-email2matrix.service.j2 | 1 + .../templates/jicofo/matrix-jitsi-jicofo.service.j2 | 1 + roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 | 1 + .../templates/prosody/matrix-jitsi-prosody.service.j2 | 1 + roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 | 1 + roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 | 1 + .../matrix-mailer/templates/systemd/matrix-mailer.service.j2 | 1 + .../templates/systemd/matrix-nginx-proxy.service.j2 | 1 + .../matrix-ssl-lets-encrypt-certificates-renew.service.j2 | 1 + .../templates/systemd/matrix-postgres.service.j2 | 1 + .../templates/systemd/matrix-registration.service.j2 | 1 + .../templates/systemd/matrix-synapse-admin.service.j2 | 1 + .../templates/goofys/systemd/matrix-goofys.service.j2 | 1 + .../templates/synapse/systemd/matrix-synapse.service.j2 | 1 + 38 files changed, 42 insertions(+) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 601a0f83..d8285e1c 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -49,6 +49,11 @@ matrix_base_data_path_mode: "750" matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files" matrix_systemd_path: "/etc/systemd/system" +# Specifies the path to use for the `HOME` environment variable for systemd unit files. +# Docker 20.10 complains with `WARNING: Error loading config file: .dockercfg: $HOME is not defined` +# if `$HOME` is not defined, so we define something to make it happy. +matrix_systemd_unit_home_path: /root + # This is now unused. We keep it so that cleanup tasks can use it. # To be removed in the future. matrix_cron_path: "/etc/cron.d" diff --git a/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 b/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 index 950242e5..825072e8 100644 --- a/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 +++ b/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-bot-matrix-reminder-bot ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-bot-matrix-reminder-bot diff --git a/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 b/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 index 7ec15752..412b4a3d 100644 --- a/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 +++ b/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-discord ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-discord diff --git a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 index c86eb835..2287a774 100644 --- a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 +++ b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-irc ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-irc diff --git a/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 b/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 index b16b2fed..bf7a12ed 100644 --- a/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 +++ b/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-slack ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-slack diff --git a/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 b/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 index 2049ee65..667cfd73 100644 --- a/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 +++ b/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-webhooks ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-webhooks diff --git a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 index caa52eb5..52e28859 100644 --- a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 +++ b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-facebook ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-facebook ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-facebook-db \ diff --git a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 index 39559190..f6b16bea 100644 --- a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 +++ b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-hangouts matrix-mautrix-hangouts-db ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-hangouts matrix-mautrix-hangouts-db ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-hangouts-db \ diff --git a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 index d8952992..35120317 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 @@ -13,6 +13,7 @@ Wants={{ service }} [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-signal-daemon ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-signal-daemon diff --git a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 index c1c835a2..223f6dac 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 @@ -13,6 +13,7 @@ Wants={{ service }} [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-signal ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-signal diff --git a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 index d61cdaa4..ef4440bc 100644 --- a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 +++ b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-telegram ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-telegram ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-telegram-db \ diff --git a/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 b/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 index 972d4e01..22384fbd 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 +++ b/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-whatsapp ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-whatsapp diff --git a/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 b/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 index 36a4da8b..4f195ef6 100644 --- a/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 +++ b/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-discord ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-discord diff --git a/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 b/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 index 4c94c84a..6eb28da0 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 +++ b/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-instagram ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-instagram diff --git a/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 index cd958662..e61a369c 100644 --- a/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 +++ b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-skype ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-skype diff --git a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 index 2b1456f5..b564c3b3 100644 --- a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 +++ b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-slack ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-slack diff --git a/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 b/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 index e263154b..498b6ad3 100644 --- a/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 +++ b/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-steam ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-steam diff --git a/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 b/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 index 8d7898eb..77424bfa 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 +++ b/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-twitter ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-twitter diff --git a/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 index 0eb0eb58..46c3463f 100644 --- a/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 +++ b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-/usr/bin/docker kill matrix-sms-bridge ExecStartPre=-/usr/bin/docker rm matrix-sms-bridge diff --git a/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 b/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 index e0dd2e7e..f1f9eb3f 100644 --- a/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 +++ b/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2 @@ -9,6 +9,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-client-element ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-client-element diff --git a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 index e8ce8c0a..cc9c4587 100644 --- a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 +++ b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 @@ -9,6 +9,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-corporal ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-corporal diff --git a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 index 16ca5d2a..f8550e36 100644 --- a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 +++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 @@ -9,6 +9,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-coturn ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-coturn diff --git a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 index ff10224a..30d78d0d 100644 --- a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 +++ b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dimension ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dimension diff --git a/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 b/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 index df7d810a..8dc2443d 100644 --- a/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 +++ b/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dynamic-dns ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dynamic-dns ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dynamic-dns \ diff --git a/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 b/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 index 1577877b..1b9d6642 100644 --- a/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 +++ b/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2 @@ -7,6 +7,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-email2matrix ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-email2matrix diff --git a/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 b/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 index 6b5cc941..3d093795 100644 --- a/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 +++ b/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2 @@ -9,6 +9,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-jicofo ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo diff --git a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 index 2931133f..c109b600 100644 --- a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 +++ b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 @@ -9,6 +9,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-jvb ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-jvb diff --git a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 index 4f532d89..c1cd32bc 100644 --- a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 +++ b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2 @@ -9,6 +9,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-prosody ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-prosody diff --git a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 index 1978fb0e..63535f91 100644 --- a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 +++ b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2 @@ -9,6 +9,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-web ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-web diff --git a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 index 95f15254..697b5aba 100644 --- a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 +++ b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-ma1sd ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-ma1sd diff --git a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 index a5d48264..d773d698 100644 --- a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 +++ b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 @@ -7,6 +7,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mailer ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mailer diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index 58f5c953..2dd2619e 100644 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-nginx-proxy ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-nginx-proxy diff --git a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2 b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2 index e95740da..c14905ce 100644 --- a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2 +++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2 @@ -3,4 +3,5 @@ Description=Renews Let's Encrypt SSL certificates [Service] Type=oneshot +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStart={{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew diff --git a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 index 0a935fb0..13df99a4 100644 --- a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 +++ b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2 @@ -7,6 +7,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} stop matrix-postgres ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-postgres diff --git a/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 b/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 index 3744c2de..f0b50030 100644 --- a/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 +++ b/roles/matrix-registration/templates/systemd/matrix-registration.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-registration ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-registration diff --git a/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 b/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 index 7b1e40de..d376238a 100644 --- a/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 +++ b/roles/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-synapse-admin ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-synapse-admin diff --git a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 index 0bbfde99..d96ab4a6 100644 --- a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 +++ b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 @@ -7,6 +7,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill %n ExecStartPre=-{{ matrix_host_command_docker }} rm %n diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index 30c85b99..88789908 100644 --- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 +++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 @@ -12,6 +12,7 @@ DefaultDependencies=no [Service] Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-synapse ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-synapse {% if matrix_s3_media_store_enabled %} From 8549926395de16e26e8208622b9979b31ac2aa74 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 15 Jan 2021 17:13:47 +0200 Subject: [PATCH 41/84] Attempt to fix mautrix-whatsapp DB migration user table conflict Discussed in https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/791 --- roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml index 1cfa60f8..9691a58f 100644 --- a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml @@ -26,6 +26,7 @@ engine_variable_name: 'matrix_mautrix_whatsapp_database_engine' engine_old: 'sqlite' systemd_services_to_stop: ['matrix-mautrix-whatsapp.service'] + pgloader_options: ['--with "quote identifiers"'] - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml" From 6f51c1ed9640cfb50d6c6468948ca3ba5a496a5e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 16 Jan 2021 00:25:51 +0200 Subject: [PATCH 42/84] Fix Docker image link for matrix-registration Related to 69f71f48 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5a9278f3..b195a7f8 100644 --- a/README.md +++ b/README.md @@ -146,7 +146,7 @@ This playbook sets up your server using the following Docker images: - [devture/matrix-corporal](https://hub.docker.com/r/devture/matrix-corporal/) - [Matrix Corporal](https://github.com/devture/matrix-corporal): reconciliator and gateway for a managed Matrix server (optional) -- [devture/zeratax-matrix-registration](https://hub.docker.com/r/devture/zeratax-matrix-registration/) - [matrix-registration](https://github.com/ZerataX/matrix-registration): a simple python application to have a token based matrix registration (optional) +- [zeratax/matrix-registration](https://hub.docker.com/r/devture/zeratax-matrix-registration/) - [matrix-registration](https://github.com/ZerataX/matrix-registration): a simple python application to have a token based matrix registration (optional) - [nginx](https://hub.docker.com/_/nginx/) - the [nginx](http://nginx.org/) web server (optional) From 28d86e3aaa9cb314fa41eff70548c2ffb8fcd5a0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 16 Jan 2021 23:47:14 +0200 Subject: [PATCH 43/84] Initial work on support for matrix-corporal v2 --- docs/configuring-playbook-matrix-corporal.md | 17 ++++++++++++++--- group_vars/matrix_servers | 3 +++ roles/matrix-corporal/defaults/main.yml | 10 ++++++++-- roles/matrix-corporal/tasks/validate_config.yml | 2 +- roles/matrix-corporal/templates/config.json.j2 | 10 ++++++++-- 5 files changed, 34 insertions(+), 8 deletions(-) diff --git a/docs/configuring-playbook-matrix-corporal.md b/docs/configuring-playbook-matrix-corporal.md index 6d7faad0..15de634e 100644 --- a/docs/configuring-playbook-matrix-corporal.md +++ b/docs/configuring-playbook-matrix-corporal.md @@ -11,7 +11,9 @@ The playbook can install and configure [matrix-corporal](https://github.com/devt In short, it's a sort of automation and firewalling service, which is helpful if you're instaling Matrix services in a controlled corporate environment. See that project's documentation to learn what it does and why it might be useful to you. -If you decide that you'd like to let this playbook install it for you, you'd need to also [set up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md). +If you decide that you'd like to let this playbook install it for you, you'd need to also: +- (required) [set up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md) +- (optional, but encouraged) [set up the REST authentication password provider module](configuring-playbook-rest-auth.md) ## Playbook configuration @@ -24,6 +26,15 @@ You would then need some configuration like this: matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: YOUR_SHARED_SECRET_GOES_HERE +# When matrix-corporal is acting as the primary authentication provider, +# you need to set up the REST authentication password provider module +# to make Interactive User Authentication work. +# This is necessary for certain user actions (like E2EE, device management, etc). +# +# See configuring-playbook-rest-auth.md +matrix_synapse_ext_password_provider_rest_auth_enabled: true +matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-corporal:41080/_matrix/corporal" + matrix_corporal_enabled: true matrix_corporal_policy_provider_config: | @@ -40,9 +51,9 @@ matrix_corporal_policy_provider_config: | matrix_corporal_http_api_enabled: true matrix_corporal_http_api_auth_token: "AUTH_TOKEN_HERE" -# If you need to change the reconciliator user's id from the default (matrix-corporal).. +# If you need to change matrix-corporal's user id from the default (matrix-corporal). # In any case, you need to make sure this Matrix user is created on your server. -matrix_corporal_reconciliation_user_id_local_part: "matrix-corporal" +matrix_corporal_corporal_user_id_local_part: "matrix-corporal" # Because Corporal peridoically performs lots of user logins from the same IP, # you may need raise Synapse's ratelimits. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index b43ed11f..e5517084 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -674,6 +674,9 @@ matrix_corporal_matrix_homeserver_api_endpoint: "http://matrix-synapse:8008" matrix_corporal_matrix_auth_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}" +# This is only useful if there's REST auth provider to make use of it. +matrix_corporal_http_gateway_internal_rest_auth_enabled: "{{ matrix_synapse_ext_password_provider_rest_auth_enabled }}" + matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registration_shared_secret }}" ###################################################################### diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index cccaadd0..9e73f1f1 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -24,7 +24,7 @@ matrix_corporal_systemd_required_services_list: ['docker.service'] matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}" matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else 'docker.io/' }}" -matrix_corporal_docker_image_tag: "1.11.0" +matrix_corporal_docker_image_tag: "2.0.0" matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}" matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal" @@ -50,10 +50,16 @@ matrix_corporal_matrix_registration_shared_secret: "" matrix_corporal_matrix_timeout_milliseconds: 45000 matrix_corporal_reconciliation_retry_interval_milliseconds: 30000 -matrix_corporal_reconciliation_user_id_local_part: "matrix-corporal" +matrix_corporal_corporal_user_id_local_part: "matrix-corporal" matrix_corporal_http_gateway_timeout_milliseconds: 60000 +# If enabled, matrix-corporal exposes a `POST /_matrix/corporal/_matrix-internal/identity/v1/check_credentials` API +# on the gateway (Client-Server API) server. +# This API can then be used together with the REST Auth password provider by pointing it to matrix-corporal (e.g. `http://matrix-corporal:41080/_matrix/corporal`). +# Doing so allows Interactive Authentication to work. +matrix_corporal_http_gateway_internal_rest_auth_enabled: false + matrix_corporal_http_api_enabled: false matrix_corporal_http_api_auth_token: "" matrix_corporal_http_api_timeout_milliseconds: 15000 diff --git a/roles/matrix-corporal/tasks/validate_config.yml b/roles/matrix-corporal/tasks/validate_config.yml index 9c6b295e..a8930e7e 100644 --- a/roles/matrix-corporal/tasks/validate_config.yml +++ b/roles/matrix-corporal/tasks/validate_config.yml @@ -16,7 +16,6 @@ msg: "The Matrix Corporal HTTP API is enabled (`matrix_corporal_http_api_enabled`), but no auth token has been set in `matrix_corporal_http_api_auth_token`" when: "matrix_corporal_http_api_enabled|bool and matrix_corporal_http_api_auth_token == ''" - - name: (Deprecation) Catch and report renamed corporal variables fail: msg: >- @@ -25,3 +24,4 @@ when: "item.old in vars" with_items: - {'old': 'matrix_corporal_container_expose_ports', 'new': ''} + - {'old': 'matrix_corporal_reconciliation_user_id_local_part', 'new': 'matrix_corporal_corporal_user_id_local_part'} diff --git a/roles/matrix-corporal/templates/config.json.j2 b/roles/matrix-corporal/templates/config.json.j2 index dff73830..d8d22f66 100644 --- a/roles/matrix-corporal/templates/config.json.j2 +++ b/roles/matrix-corporal/templates/config.json.j2 @@ -7,14 +7,20 @@ "TimeoutMilliseconds": {{ matrix_corporal_matrix_timeout_milliseconds }} }, + "Corporal": { + "UserId": "@{{ matrix_corporal_corporal_user_id_local_part }}:{{ matrix_domain }}" + }, + "Reconciliation": { - "UserId": "@{{ matrix_corporal_reconciliation_user_id_local_part }}:{{ matrix_domain }}", "RetryIntervalMilliseconds": {{ matrix_corporal_reconciliation_retry_interval_milliseconds }} }, "HttpGateway": { "ListenAddress": "0.0.0.0:41080", - "TimeoutMilliseconds": {{ matrix_corporal_http_gateway_timeout_milliseconds }} + "TimeoutMilliseconds": {{ matrix_corporal_http_gateway_timeout_milliseconds }}, + "InternalRESTAuth": { + "Enabled": {{ matrix_corporal_http_gateway_internal_rest_auth_enabled|to_json }} + } }, "HttpApi": { From d95cbe38d704c9f2bc507fdf7444ee4fb8520538 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 17 Jan 2021 18:29:26 +0200 Subject: [PATCH 44/84] Rename configuration setting --- roles/matrix-corporal/templates/config.json.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-corporal/templates/config.json.j2 b/roles/matrix-corporal/templates/config.json.j2 index d8d22f66..9b4c7414 100644 --- a/roles/matrix-corporal/templates/config.json.j2 +++ b/roles/matrix-corporal/templates/config.json.j2 @@ -8,7 +8,7 @@ }, "Corporal": { - "UserId": "@{{ matrix_corporal_corporal_user_id_local_part }}:{{ matrix_domain }}" + "UserID": "@{{ matrix_corporal_corporal_user_id_local_part }}:{{ matrix_domain }}" }, "Reconciliation": { From ef64c88dc7f5cf41f7513a9624338aecdaa784a8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 17 Jan 2021 18:48:21 +0200 Subject: [PATCH 45/84] Announce matrix-corporal v2 --- CHANGELOG.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index aa5c2270..8452d2d7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,14 @@ +# 2021-01-17 + +## matrix-corporal goes 2.0 + +[matrix-corporal v2 has been released](https://github.com/devture/matrix-corporal/releases/tag/2.0.0) and the playbook also supports it now. + +No manual intervention is required in the common case. + +The new [matrix-corporal](https://github.com/devture/matrix-corporal) version is also the first one to support Interactive Authentication. If you wish to enable that (hint: you should), you'll need to set up the [REST auth password provider](docs/configuring-playbook-rest-auth.md). There's more information in [our matrix-corporal docs](docs/configuring-playbook-matrix-corporal.md). + + # 2021-01-14 ## Moving from cronjobs to systemd timers From cf06f846087709e6e39619d6aaf039bd4f63f908 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 17 Jan 2021 22:05:26 +0200 Subject: [PATCH 46/84] Upgrade matrix-corporal (2.0.0 -> 2.0.1) --- roles/matrix-corporal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index 9e73f1f1..adf77423 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -24,7 +24,7 @@ matrix_corporal_systemd_required_services_list: ['docker.service'] matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}" matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else 'docker.io/' }}" -matrix_corporal_docker_image_tag: "2.0.0" +matrix_corporal_docker_image_tag: "2.0.1" matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}" matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal" From c1008fde44fbfaf7141562b6f32150607e47c0df Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 18 Jan 2021 00:41:47 +0200 Subject: [PATCH 47/84] Upgrade matrix-coturn (4.5.1.3 -> 4.5.2) --- roles/matrix-coturn/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index 8cbb3e3f..8e781306 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -3,7 +3,7 @@ matrix_coturn_enabled: true matrix_coturn_container_image_self_build: false matrix_coturn_container_image_self_build_repo: "https://github.com/instrumentisto/coturn-docker-image.git" -matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:4.5.1.3" +matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:4.5.2" matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else 'docker.io/' }}" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" From 56c54d5cc73790046bfbf34c20c145f9b4a300e0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 18 Jan 2021 18:23:17 +0200 Subject: [PATCH 48/84] Upgrade matrix-corporal (2.0.1 -> 2.1.0) --- roles/matrix-corporal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index adf77423..4b4c46c9 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -24,7 +24,7 @@ matrix_corporal_systemd_required_services_list: ['docker.service'] matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}" matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else 'docker.io/' }}" -matrix_corporal_docker_image_tag: "2.0.1" +matrix_corporal_docker_image_tag: "2.1.0" matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}" matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal" From c9d96d8135eb622570ed8084d3e411b2d4445516 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 19 Jan 2021 09:15:34 +0200 Subject: [PATCH 49/84] Fix mautrix-telegram paths creation bug --- roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml index b564c61b..04267161 100644 --- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml @@ -36,7 +36,7 @@ - name: Ensure Mautrix Telegram paths exist file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory mode: 0750 owner: "{{ matrix_user_username }}" From 39ea3496a4a74d52f991cba1dd52993eee97b286 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 19 Jan 2021 18:44:15 +0200 Subject: [PATCH 50/84] Downgrade/lock mautrix-facebook to pre-mobile times The `mobile` branch got merged to `master`, which ends up becoming `:latest`. It's a "rewrite" of the bridge's backend and only supports a Postgres database. We'd like to go back (well, forward) to `:latest`, but that will take a little longer, because: - we need to handle and document things for people still on SQLite (especially those with external Postgres, who are likely on SQLite for bridges) - I'd rather test the new builds (and migration) a bit before releasing it to others and possibly breaking their bridge Brave ones who are already using the bridge with Postgres can jump on `:latest` and report their experience. --- roles/matrix-bridge-mautrix-facebook/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index da9b1889..04a81c75 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -7,7 +7,7 @@ matrix_mautrix_facebook_container_image_self_build: false matrix_mautrix_facebook_container_image_self_build_repo: "https://github.com/tulir/mautrix-facebook.git" # See: https://mau.dev/tulir/mautrix-facebook/container_registry -matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:latest" +matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:da1b4ec596e334325a1589e70829dea46e73064b" matrix_mautrix_facebook_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_facebook_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_docker_image.endswith(':latest') }}" From d51ea252193672cb81a41f968dfb77359cc980e8 Mon Sep 17 00:00:00 2001 From: pushytoxin Date: Tue, 19 Jan 2021 18:41:45 +0100 Subject: [PATCH 51/84] When validating LE certs, do not wait for a random time While administering we will occasionally invoke this script interactively with the "non-interactive" switch still there, yet still sit at the desk waiting for 300 seconds for this timer to run out. The systemd-timer already uses a 3h randomized delay for automatic renewals, which serves this purpose well. --- .../matrix-ssl-lets-encrypt-certificates-renew.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 index 40cab22a..bc45e85e 100644 --- a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 +++ b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 @@ -27,4 +27,5 @@ docker run \ --standalone \ --preferred-challenges http \ --agree-tos \ - --email={{ matrix_ssl_lets_encrypt_support_email }} + --email={{ matrix_ssl_lets_encrypt_support_email }} \ + --no-random-sleep-on-renew From 024a23ed1754a414c738022f664716ad7c9d2ba9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 20 Jan 2021 10:12:51 +0200 Subject: [PATCH 52/84] Upgrade mautrix-facebook to the new Postgres-only version I had intentionally held it back in 39ea3496a4a74d52 until: - it received more testing (there were a few bugs during the migration, but now it seems OK) - this migration guide was written --- CHANGELOG.md | 60 +++++++++++++++++++ group_vars/matrix_servers | 3 +- .../defaults/main.yml | 11 ++-- .../tasks/validate_config.yml | 21 +++++++ .../templates/config.yaml.j2 | 42 ++++++++++--- 5 files changed, 123 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8452d2d7..7a592bba 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,63 @@ +# 2021-01-20 + +## (Breaking Change) The mautrix-facebook bridge now requires a Postgres database + +A new version of the [mautrix-facebook](https://github.com/tulir/mautrix-facebook) bridge has been released. It's a full rewrite of its backend and the bridge now requires Postgres. New versions of the bridge can no longer run on SQLite. + +**TLDR**: if you're NOT using an [external Postgres server](docs/configuring-playbook-external-postgres.md) and have NOT forcefully kept the bridge on SQLite during [The big move to all-on-Postgres (potentially dangerous)](#the-big-move-to-all-on-postgres-potentially-dangerous), you will be automatically upgraded without manual intervention. All you need to do is send a `login` message to the Facebook bridge bot again. + +Whether this change requires your intervention depends mostly on: +- whether you're using an [external Postgres server](docs/configuring-playbook-external-postgres.md). If yes, then [you need to do something](#upgrade-path-for-people-running-an-external-postgres-server). +- or whether you've force-changed the bridge's database engine to SQLite (`matrix_mautrix_facebook_database_engine: 'sqlite'` in your `vars.yml`) some time in the past (likely during [The big move to all-on-Postgres (potentially dangerous)](#the-big-move-to-all-on-postgres-potentially-dangerous)). + +As already mentioned above, you most likely don't need to do anything. If you rerun the playbook and don't get an error, you've been automatically upgraded. Just send a `login` message to the Facebook bridge bot again. Otherwise, read below for a solution. + +### Upgrade path for people NOT running an external Postgres server (default for the playbook) + +If you're **not running an external Postgres server**, then this bridge either already works Postgres for you, or you've intentionally kept it back on SQLite with custom configuration (`matrix_mautrix_facebook_database_engine: 'sqlite'` in your `vars.yml`) . + +Simply remove that custom configuration from your `vars.yml` file (if it's there) and re-run the playbook. It should upgrade you automatically. +You'll need to send a `login` message to the Facebook bridge bot again. + +Alternatively, [you can stay on SQLite for a little longer](#staying-on-sqlite-for-a-little-longer-temporary-solution). + +### Upgrade path for people running an external Postgres server + +For people using the internal Postgres server (the default for the playbook): +- we automatically create an additional `matrix_mautrix_facebook` Postgres database and credentials to access it +- we automatically adjust the bridge's `matrix_mautrix_facebook_database_*` variables to point the bridge to that Postgres database +- we use [pgloader](https://pgloader.io/) to automatically import the existing SQLite data for the bridge into the `matrix_mautrix_facebook` Postgres database + +If you are using an [external Postgres server](docs/configuring-playbook-external-postgres.md), unfortunately we currently can't do any of that for you. + +You have 3 ways to proceed: + +- contribute to the playbook to make this possible (difficult) +- or, do the above "steps" manually: + - stop the bridge (`systemctl stop matrix-mautrix-facebook`) + - create a new `matrix_mautrix_facebook` Postgres database for it + - run pgloader manually (we run it with default settings for this bridge) + - adjust the `matrix_mautrix_facebook_database_*` database variables (credentials, etc.) + - switch the bridge to use Postgres (`matrix_mautrix_facebook_database_engine: 'postgres'`) + - re-run the playbook (`--tags=setup-all,start`) and ensure the bridge works (`systemctl status matrix-mautrix-facebook` and `journalctl -fu matrix-mautrix-facebook`) + - send a `login` message to the Facebook bridge bot again +- or, [stay on SQLite for a little longer (temporary solution)](#staying-on-sqlite-for-a-little-longer-temporary-solution) + +### Staying on SQLite for a little longer (temporary solution) + +To keep using this bridge with SQLite for a little longer (**not recommended**), use the following configuration in your `vars.yml` file: + +```yaml +# Force-change the database engine to SQLite. +matrix_mautrix_facebook_database_engine: 'sqlite' + +# Force-downgrade to the last bridge version which supported SQLite. +matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:da1b4ec596e334325a1589e70829dea46e73064b" +``` + +If you do this, keep in mind that **you can't run this forever**. This SQLite-supporting bridge version is not getting any updates and will break sooner or later. The playbook will also drop support for SQLite at some point in the future. + + # 2021-01-17 ## matrix-corporal goes 2.0 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index e5517084..4ec0e8e9 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -208,7 +208,8 @@ matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_pro matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_use_presence if matrix_synapse_enabled else true }}" -# Postgres is the default, except if not using `matrix_postgres` (internal postgres) +# We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain +# and point them to a migration path. matrix_mautrix_facebook_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}" matrix_mautrix_facebook_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.fb.db') | to_uuid }}" diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml index 04a81c75..e99514e0 100644 --- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml @@ -7,7 +7,7 @@ matrix_mautrix_facebook_container_image_self_build: false matrix_mautrix_facebook_container_image_self_build_repo: "https://github.com/tulir/mautrix-facebook.git" # See: https://mau.dev/tulir/mautrix-facebook/container_registry -matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:da1b4ec596e334325a1589e70829dea46e73064b" +matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:latest" matrix_mautrix_facebook_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_facebook_container_image_self_build else 'dock.mau.dev/' }}" matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_docker_image.endswith(':latest') }}" @@ -35,12 +35,15 @@ matrix_mautrix_facebook_homeserver_token: '' # Database-related configuration fields. # -# To use SQLite, stick to these defaults. +# To use SQLite: +# - change the engine (`matrix_mautrix_facebook_database_engine: 'sqlite'`) +# - change to the last bridge version that supported SQLite: +# `matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:da1b4ec596e334325a1589e70829dea46e73064b"` +# - plan your migration to Postgres, as this bridge does not support SQLite anymore (and neither will the playbook in the future). # # To use Postgres: -# - change the engine (`matrix_mautrix_facebook_database_engine: 'postgres'`) # - adjust your database credentials via the `matrix_mautrix_facebook_postgres_*` variables -matrix_mautrix_facebook_database_engine: 'sqlite' +matrix_mautrix_facebook_database_engine: 'postgres' matrix_mautrix_facebook_sqlite_database_path_local: "{{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db" matrix_mautrix_facebook_sqlite_database_path_in_container: "/data/mautrix-facebook.db" diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-facebook/tasks/validate_config.yml index dfbe072b..0879bad9 100644 --- a/roles/matrix-bridge-mautrix-facebook/tasks/validate_config.yml +++ b/roles/matrix-bridge-mautrix-facebook/tasks/validate_config.yml @@ -8,3 +8,24 @@ with_items: - "matrix_mautrix_facebook_appservice_token" - "matrix_mautrix_facebook_homeserver_token" + +- block: + - name: Fail if on SQLite, unless on the last version supporting SQLite + fail: + msg: >- + You're trying to use the mautrix-facebook bridge with an SQLite database. + Going forward, this bridge only supports Postgres. + To learn more about this, see our changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-the-mautrix-facebook-bridge-now-requires-a-postgres-database + when: "not matrix_mautrix_facebook_docker_image.endswith(':da1b4ec596e334325a1589e70829dea46e73064b')" + + - name: Inject warning if still on SQLite + set_fact: + matrix_playbook_runtime_results: | + {{ + matrix_playbook_runtime_results|default([]) + + + [ + "NOTE: Your mautrix-facebook bridge setup is still on SQLite. Your bridge is not getting any updates and will likely stop working at some point. To learn more about this, see our changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-the-mautrix-facebook-bridge-now-requires-a-postgres-database" + ] + }} + when: "matrix_mautrix_facebook_database_engine == 'sqlite'" diff --git a/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 index 09287362..6fe3254d 100644 --- a/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 @@ -8,6 +8,10 @@ homeserver: # Whether or not to verify the SSL certificate of the homeserver. # Only applies if address starts with https:// verify_ssl: true + # Whether or not the homeserver supports asmux-specific endpoints, + # such as /_matrix/client/unstable/net.maunium.asmux/dms for atomically + # updating m.direct. + asmux: false # Application service host/registration related details # Changing these values requires regeneration of the registration. @@ -22,11 +26,7 @@ appservice: # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s max_body_size: 1 - # The full URI to the database. SQLite and Postgres are fully supported. - # Other DBMSes supported by SQLAlchemy may or may not work. - # Format examples: - # SQLite: sqlite:///filename.db - # Postgres: postgres://username:password@hostname/dbname + # The full URI to the database. Only Postgres is currently supported. database: {{ matrix_mautrix_facebook_appservice_database|to_json }} # Public part of web server for out-of-Matrix interaction with the bridge. @@ -38,6 +38,10 @@ appservice: # The base URL where the public-facing endpoints are available. The prefix is not added # implicitly. external: https://example.com/public + # Shared secret for integration managers such as mautrix-manager. + # If set to "generate", a random string will be generated on the next startup. + # If null, integration manager access to the API will not be possible. + shared_secret: generate # The unique ID of this appservice. id: facebook @@ -46,12 +50,17 @@ appservice: # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty # to leave display name/avatar as-is. bot_displayname: Facebook bridge bot - bot_avatar: mxc://maunium.net/ddtNPZSKMNqaUzqrHuWvUADv + bot_avatar: mxc://maunium.net/ygtkteZsXnGJLJHRchUwYWak # Authentication tokens for AS <-> HS communication. as_token: "{{ matrix_mautrix_facebook_appservice_token }}" hs_token: "{{ matrix_mautrix_facebook_homeserver_token }}" +# Prometheus telemetry config. Requires prometheus-client to be installed. +metrics: + enabled: false + listen_port: 8000 + # Bridge config bridge: # Localpart template of MXIDs for Facebook users. @@ -76,6 +85,7 @@ bridge: # "own_nickname" (user-specific!) displayname_preference: - name + - first_name # The prefix for commands. Only required in non-management rooms. command_prefix: "!fb" @@ -120,6 +130,18 @@ bridge: # Default to encryption, force-enable encryption in all portals the bridge creates # This will cause the bridge bot to be in private chats for the encryption to work properly. default: false + # Options for automatic key sharing. + key_sharing: + # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. + # You must use a client that supports requesting keys from other users to use this feature. + allow: false + # Require the requesting device to have a valid cross-signing signature? + # This doesn't require that the bridge has verified the device, only that the user has verified it. + # Not yet implemented. + require_cross_signing: false + # Require devices to be verified by the bridge? + # Verification by the bridge is not yet implemented. + require_verification: true # Whether or not the bridge should send a read receipt from the bridge bot when a message has # been sent to Facebook. delivery_receipts: false @@ -161,6 +183,10 @@ bridge: # Whether or not the bridge should try to "refresh" the connection if a normal reconnection # attempt fails. refresh_on_reconnection_fail: false + # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run. + # This field will automatically be changed back to false after it, + # except if the config file is not writable. + resend_bridge_info: false # Permissions for using the bridge. # Permitted values: @@ -192,9 +218,7 @@ logging: loggers: mau: level: DEBUG - fbchat: - level: DEBUG - hbmqtt: + paho: level: INFO aiohttp: level: INFO From f6861e3c659d0900aaa311421376e90558bfe580 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 20 Jan 2021 10:19:39 +0200 Subject: [PATCH 53/84] Improve wording a bit --- CHANGELOG.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7a592bba..02bc926f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,7 +14,7 @@ As already mentioned above, you most likely don't need to do anything. If you re ### Upgrade path for people NOT running an external Postgres server (default for the playbook) -If you're **not running an external Postgres server**, then this bridge either already works Postgres for you, or you've intentionally kept it back on SQLite with custom configuration (`matrix_mautrix_facebook_database_engine: 'sqlite'` in your `vars.yml`) . +If you're **not running an external Postgres server**, then this bridge either already works on Postgres for you, or you've intentionally kept it back on SQLite with custom configuration (`matrix_mautrix_facebook_database_engine: 'sqlite'` in your `vars.yml`) . Simply remove that custom configuration from your `vars.yml` file (if it's there) and re-run the playbook. It should upgrade you automatically. You'll need to send a `login` message to the Facebook bridge bot again. @@ -33,12 +33,12 @@ If you are using an [external Postgres server](docs/configuring-playbook-externa You have 3 ways to proceed: - contribute to the playbook to make this possible (difficult) -- or, do the above "steps" manually: +- or, do the migration "steps" manually: - stop the bridge (`systemctl stop matrix-mautrix-facebook`) - create a new `matrix_mautrix_facebook` Postgres database for it - - run pgloader manually (we run it with default settings for this bridge) - - adjust the `matrix_mautrix_facebook_database_*` database variables (credentials, etc.) - - switch the bridge to use Postgres (`matrix_mautrix_facebook_database_engine: 'postgres'`) + - run [pgloader](https://pgloader.io/) manually (we import this bridge's data using default settings and it works well) + - define `matrix_mautrix_facebook_database_*` variables in your `vars.yml` file (credentials, etc.) - you can find their defaults in `roles/matrix-mautrix-facebook/defaults/main.yml` + - switch the bridge to Postgres (`matrix_mautrix_facebook_database_engine: 'postgres'` in your `vars.yml` file) - re-run the playbook (`--tags=setup-all,start`) and ensure the bridge works (`systemctl status matrix-mautrix-facebook` and `journalctl -fu matrix-mautrix-facebook`) - send a `login` message to the Facebook bridge bot again - or, [stay on SQLite for a little longer (temporary solution)](#staying-on-sqlite-for-a-little-longer-temporary-solution) From a30ef0cc29ea466898b62726569fb4ffc16fde83 Mon Sep 17 00:00:00 2001 From: throwawayay Date: Wed, 20 Jan 2021 08:35:07 -0500 Subject: [PATCH 54/84] Update element-web (1.7.16 -> 1.7.17) --- roles/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-client-element/defaults/main.yml b/roles/matrix-client-element/defaults/main.yml index d0297193..96116b1a 100644 --- a/roles/matrix-client-element/defaults/main.yml +++ b/roles/matrix-client-element/defaults/main.yml @@ -3,7 +3,7 @@ matrix_client_element_enabled: true matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git" -matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.16" +matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.17" matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else 'docker.io/' }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" From fb28f59f8c6e1b022141afd124a36a2b3aa1709b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Jan 2021 12:39:03 +0200 Subject: [PATCH 55/84] Initial work on a FAQ document --- docs/README.md | 4 +- docs/faq.md | 357 ++++++++++++++++++++++++++++++++++++++++++ docs/prerequisites.md | 4 +- 3 files changed, 363 insertions(+), 2 deletions(-) create mode 100644 docs/faq.md diff --git a/docs/README.md b/docs/README.md index 8c95eff3..77c5099d 100644 --- a/docs/README.md +++ b/docs/README.md @@ -1,6 +1,8 @@ # Table of Contents -- [Prerequisites](prerequisites.md) +- [FAQ](faq.md) - lots of questions and answers. Jump to [Prerequisites](prerequisites.md) to avoid reading too much and to just start a guided installation. + +- [Prerequisites](prerequisites.md) - go here to a guided installation using this Ansible playbook - [Configuring your DNS server](configuring-dns.md) diff --git a/docs/faq.md b/docs/faq.md new file mode 100644 index 00000000..b4cdac64 --- /dev/null +++ b/docs/faq.md @@ -0,0 +1,357 @@ +# Frequently Asked Questions + +This documentation page tries to answer various Frequently Asked Questions about all things [Matrix](https://matrix.org/), with a focus on this [Ansible](https://www.ansible.com/) playbook ([What is Ansible? How does it work?](#what-is-ansible-how-does-it-work)). + +This FAQ page does not intend to replace the [matrix.org FAQ](https://matrix.org/faq/) (please see that one too). + +We've only started this FAQ recently, so it's still somewhat empty. + +Also, we encourage you to not dig yourself into a hole by reading way too much. When you've heard enough, proceed to [Prerequisites](prerequisites.md) to get guided into installing Matrix. + + +## Introductory + +## Where do I find more questions and answers about Matrix? + +This is a Frequently Asked Questions page focused on this [Ansible](https://www.ansible.com/) playbook ([What is Ansible? How does it work?](#what-is-ansible-how-does-it-work)) for deploying a [Matrix](https://matrix.org/) server. + +For a lot more generic questions and answers, see the [matrix.org FAQ](https://matrix.org/faq/). + +## What is Matrix? What is Element? What is Synapse? Why are you confusing me with so many terms? + +[Matrix](https://matrix.org/) is a new type of realtime communication (chat) network, the closest analogy to which is probably "email". + +You don't just use the "email" protocols (SMTP, POP3, IMAP) directly though. There's a some *server* somewhere which stores your data (`@gmail.com`, `@yahoo.com`, `@hotmail.com`, `@your-company.com`) and you access using these "email" protocol using use some *client* program (Outlook, Thunderbird, some website, etc). + +In the world of the Matrix chat protocol, there are various client programs. The first and currently most full-featured one is called [Element](https://element.io/) (used to be called Riot.im and Vector.im in the past). There are [many other clients](https://matrix.org/clients/). You can switch clients as much as you want until you find the one that is right for you on a given platform (you may use Element on your desktop, but Fluffychat on your phone, etc). + +Matrix is also like email due to the fact that are many servers around the world which can all talk to each other (you can send email from `@gmail.com` addresses to `@yahoo.com` and `@hotmail.com` addresses). It's the same with Matrix (`@bob:his-domain.com` can talk to `@alice:her-domain.org`). + +If someone else is hosting your Matrix server (you being `@user:matrix.org` or some other public server like this), all you need is a Matrix client program, like Element. + +If you'd like to host your own server (you being `@user:your-own-domain.com`), you'd need to set up a Matrix server program, like Synapse. + +In short: + +- Matrix is the protocol - a set of rules about how the chat network operates +- Element is a client program you can use to participate on the Matrix chat network via some server (yours or someone else's). There are also [many other client programs](https://matrix.org/clients/). +- Synapse is a server program you can use to host your very own Matrix server. + +This FAQ here mostly focuses on installing Matrix services using the Ansible automation tool. You can learn much more about Matrix in the [matrix.org FAQ](https://matrix.org/faq/). + +## People I wish to talk to are not on Matrix. Can I talk to them? + +You most likely can. Besides Matrix-native chats, Matrix also supports this concept of "bridging", which allows you to plug other networks into it. + +This Ansible playbook can help you install [tens of bridges for various networks](configuring-playbook.md#bridging-other-networks). + +Besides setting up your own bridges (preferable), you can also use some [public bridges hosted by others](https://publiclist.anchel.nl/#bridges). + +## How do I get started with Matrix? + +One of [Matrix](https://matrix.org/)'s distinguishing strengths (compared to other chat networks) is its decentralized nature. There's not just one entity (company, organization) controlling the servers. Rather there's thousands of servers operated by different people - one server being insecure, slow or disrespective toward its users does not affect the rest of the network. To participate in that decentralization in its fullest, consider hosting your own server or using some public server other than the largest/default one (`matrix.org`). + +There are 3 ways to get into Martix, depending on your technical ability and needs: + +- **using the existing default server** - the easiest way is to use an existing server. The largest public Matrix server is `matrix.org` and it's configured as a default server in clients such as [Element](https://element.io) and many others. Just use Element on the browser via that link (or download the Element app on a smartphone), create an account and start chatting. + +- **using some other server** - instead of using the largest public server (`matrix.org`), you can use another public one. Here's a [list of public Matrix servers](https://publiclist.anchel.nl/) to choose from. Again, you download [Element](https://element.io) or [some other client](https://matrix.org/clients/) of your choosing and adjust the homeserver URL during login. + +- **using your own server** - running your own server puts you in ultimate control of your data. It also lets you have your own user identifiers (e.g. `@bob:your-domain.com`). See [How do I set up my own Matrix server](#how-do-i-set-up-my-own-matrix-server). + +### How do I set up my own Matrix server? + +Normally, you'd first choose the [Matrix](https://matrix.org/) server software you'd like to run. At the time of this writing (January/2021), there's only one fully-featured server program, so there's only one reasonable choice. That's [Synapse](https://github.com/matrix-org/synapse). + +There are [many guides about installing Synapse](https://matrix.org/docs/guides/#installing-synapse). Using this Ansible playbook is just one way of doing it. + +Naturally, we're biased, so our usual recommendation is to go with this [Ansible](https://www.ansible.com/) playbook, instead of installing Synapse (and many many other things around it) manually. +To get started with the playbook, start at the [Prerequisites](prerequisites.md) page. + +### What is Ansible? How does it work? + +[Ansible](https://www.ansible.com/) is an automation program. This "playbook" is a collection of tasks/scripts that will set up a [Matrix](https://matrix.org/) server for you, so you don't have to perform these tasks manually. + +We have written these automated tasks for you and all you need to do is execute them using the Ansible program. + +You can install Ansible and this playbook code repository on your own computer and tell it to install Matrix services at the server living at `matrix.DOMAIN`. We recommend installing Ansible on your own computer. + +Alternatively, you can download Ansible and the playbook itself directly on the `matrix.DOMAIN` server. + +To learn more, see our [dedicated Ansible documentation page](ansible.md). + +### Why use this playbook and not install Synapse and other things manually? + +There's various guides telling you how easy it is to install [Synapse](https://github.com/matrix-org/synapse). + +Reading this Ansible playbook's documentation, you may also be thinking: + +> I don't know what [Ansible](https://www.ansible.com/) is. I don't know what [Docker](https://www.docker.com/) is. This looks more complicated. + +.. so you may be leaning toward [installing Synapse manually](https://github.com/matrix-org/synapse/blob/master/INSTALL.md). + +The problem with a manual installation is: + +- Synapse is written in Python. If not packaged for your distribution, you'd need to install various Python modules, etc., and keep them updated. +- Synapse requires a [Postgres](https://www.postgresql.org/) database (it can run on SQLite, but that's very much discouraged). So you'd need to install Postgres as well. +- you may also need a reverse-proxy server in front of it (nginx, Apache), so you'd need to be familiar with that +- SSL is required, so you'd need to obtain Let's Encrypt (or other free or non-free) certificates for one or more domain names. You'd need to be familiar with [certbot](https://certbot.eff.org/) (when using Let's Encrypt) or similar software. +- for each additional component you'd like to add (client like [Element](https://element.io), bridge to some other chat network, Integration Manager (sitckers, other services), Identity Manager, etc.), you'll need to spend extra time installing and wiring it with the rest of the system in a way that works. +- you'll likely get slower updates for all of these components, depending on your distro packaging or your own time and ability + +The playbook, on the other hand, installs a bunch of components for you by default, obtains SSL certificates for you, etc. If you'd like, you can enable various bridges and other services with very little effort. All the components are wired to work together. + +All services run in Docker containers (most being officially provided by each component's developers), so we're not at the mercy of distro packaging. + +### Why use this playbook and not just use the Docker image directly? + +Reasons are similar to the reasons for not installing manually. + +Besides Synapse, you'd need other things - a Postgres database, likely the [Element](https://element.io) client, etc., etc. + +Using the playbook, you get all these components in a way that works well together out of the box. + + +## Server-related + +### What kind of server do I need to install Matrix using this Ansible playbook? + +We list our server requirements in [Prerequisites](prerequisites.md). + +### Why not run Matrix on Kubernetes? + +There's no reason not to run Matrix on [Kubernetes](https://kubernetes.io/). + +However, that's overly complicated for thousands of us who just want to run a single small (and sometimes not so small) Matrix server, either using "cloud" servers or even a [Raspberry Pi](https://www.raspberrypi.org/) at home. + +For us, a Kubernetes-based setup which requires a cluster of multiple computers and is more technically-involved is a no-go. + +There are others working on automating a Matrix-on-Kubernetes setup, such as this [Helm](https://helm.sh/) chart: https://github.com/dacruz21/matrix-chart. + +### Why don't you use Podman instead of Docker? + +We like the philosophy of a daemonless container runtime, but [Podman](https://podman.io) is just not ready for our use case yet. + +Learn more about our past experiences/attempts to give Podman a chance, by reading [this issue](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/520). + +In short, `alias podman=docker` is a lie (for us). + +### Why use Docker? + +[Docker](https://www.docker.com/) is one of our 2 hard dependencies (the other one being [systemd](https://systemd.io/)). + +It lets us run services in an isolated manner and independently of the (usually old) packages available for distributions. + +It also lets us have a unified setup which runs the same across various supported distros (see them on [Prerequisites](prerequisites.md)). + +### Is Docker a hard requirement? + +Yes. See [Why don't you use Podman instead of Docker?](#is-docker-a-hard-requirement) for why we're not using another container runtime. + +All of our services run in containers. It's how we achieve predictability and also how we support tens of different services across lots of distros. + +The only thing we need on the distro is systemd and Python (we install Docker ourselves, unless you ask us not to). + +### Why don't you use docker-compose? + +Instead of using [docker-compose](https://docs.docker.com/compose/), we prefer installing systemd services and scheduling those independently. + +There are people who have worked on turning this setup into a docker-compose-based one. See these experiments [here](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/64#issuecomment-603164625). + +### Can I run this on a distro without systemd? + +No. [systemd](https://systemd.io/) is one of our 2 hard dependencies (the other one being [Docker](https://www.docker.com/)). + +### Can I install this on a Raspberry Pi? + +Yes, you can. See our [Alternative Architectures](alternative-architectures.md) documentation page. + +Whether a Raspberry Pi has enough power to give you a good experience is another question. It depends on your use case. + +Also see: [What kind of server specs do I need?](#what-kind-of-server-specs-do-i-need). + +### What kind of server specs do I need? + +This largely depends on your use case. It's not so much the number of users that you plan to host, but rather the number of large rooms they will join. + +Federated rooms with lots of history and containing hundreds of other servers are very heavy CPU-wise and memory-wise. + +You can probably use a 1 CPU + 1GB memory server to host hundreds of local users just fine, but as soon as of them joins a federated room like `#matrix:matrix.org` (Matrix HQ) or some IRC-bridged room (say `##linux`), your server will get the need for a lot more power (at least 2GB RAM, etc). + +Running Matrix on a server with 1GB of memory is possible (especially if you disable some not-so-important services). See [How do I optimize this setup for a low-power server?](#how-do-i-optimize-this-setup-for-a-low-power-server). + +**We recommend starting with a server having at least 2GB of memory** and even then using it sparingly. If you know for sure you'll be joining various large rooms, etc., then going for 4GB of memory or more is a good idea. + +Besides the regular Matrix stuff, we also support things like video-conferencing using [Jitsi](configuring-playbook-jitsi.md) and other additional services which (when installed) may use up a lot of memory. Things do add up. Besides the Synapse Matrix server, Jitsi is especially notorious for consuming a lot of resources. If you plan on running Jitsi, we recommend a server with at least 2GB of memory (preferrably more). See our [Jitsi documentation page](configuring-playbook-jitsi.md) to learn how to optimize its memory/CPU usage. + +### Can I run this in an LXC container? + +If your distro runs within an [LXC container](https://linuxcontainers.org/), you may hit [this issue](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/703). It can be worked around, if absolutely necessary, but we suggest that you avoid running from within an LXC container. + + +## Configuration + +### Why install my server at matrix.DOMAIN and not at the base DOMAIN? + +It's the same with email servers. Your email address is likely `name@company.com`, not `name@mail.company.com`, even though it's really `mail.company.com` that is really handling your data for `@company.com` email to work. + +Using a separate domain name is easier to manage (although it's a little hard to get right at first) and keeps your Matrix server isolated from your website (if you have one), from your email server (if you have one), etc. + +We allow `matrix.DOMAIN` to be the Matrix server handling Matrix stuff for `DOMAIN` by [Server Delegation](howto-server-delegation.md). During the installation procedure, we recommend that you set up server delegation using the [.well-known](configuring-well-known.md) method. + +If you'd really like to install Matrix services directly on the base domain, see [How do I install on matrix.DOMAIN without involving the base DOMAIN?](#how-do-i-install-on-matrixdomain-without-involving-the-base-domain). + +### I don't control anything on the base domain and can't set up delegation to matrix.DOMAIN. What do I do? + +If you're not in control of your base domain (or server handling it) at all, you can take a look at [How do I install on matrix.DOMAIN without involving the base DOMAIN?](#how-do-i-install-on-matrixdomain-without-involving-the-base-domain) + +### I can't set up HTTPS on the base domain. How will I get Matrix federating? + +If you really can't obtain an HTTPS certificate for your base domain, you can take a look at [How do I install on matrix.DOMAIN without involving the base DOMAIN?](#how-do-i-install-on-matrixdomain-without-involving-the-base-domain) + +### How do I install on matrix.DOMAIN without involving the base DOMAIN? + +This Ansible playbook guides you into installing a server for `DOMAIN` (user identifiers are like this: `@user:DOMAIN`), while the server is at `matrix.DOMAIN`. + +We allow `matrix.DOMAIN` to be the Matrix server handling Matrix stuff for `DOMAIN` by [Server Delegation](howto-server-delegation.md). During the installation procedure, we recommend that you set up server delegation using the [.well-known](configuring-well-known.md) method. + +If you're fine with uglier identifiers (`@user:matrix.DOMAIN`, which is the equivalent of having an email address like `bob@mail.company.com`, instead of just `bob@company.com`), you can do that as well using the following configuration in your `vars.yml` file: + +```yaml +# This is what your identifiers are like (e.g. `@bob:matrix.YOUR_BASE_DOMAIN`). +matrix_domain: "matrix.YOUR_BASE_DOMAIN" + +# This is where Matrix services +matrix_server_fqn_matrix: "matrix.YOUR_BASE_DOMAIN" + +# This is where you access the Element web UI from (if enabled via `matrix_client_element_enabled: true`; enabled by default). +# This and the Matrix FQN (see above) are expected to be on the same server. +# +# Feel free to use `element.matrix.YOUR_BASE_DOMAIN`, if you'd prefer that. +matrix_server_fqn_element: "element.YOUR_BASE_DOMAIN" + +# This is where you access Dimension (if enabled via `matrix_dimension_enabled: true`; NOT enabled by default). +# +# Feel free to use `dimension.matrix.YOUR_BASE_DOMAIN`, if you'd prefer that. +matrix_server_fqn_dimension: "dimension.YOUR_BASE_DOMAIN" + +# This is where you access Jitsi (if enabled via `matrix_jitsi_enabled: true`; NOT enabled by default). +# +# Feel free to use `jitsi.matrix.YOUR_BASE_DOMAIN`, if you'd prefer that. +matrix_server_fqn_jitsi: "jitsi.YOUR_BASE_DOMAIN" +``` + +### I don't use the base domain for anything. How am I supposed to set up Server Delegation for Matrix services? + +If you don't use your base domain for anything, then it's hard for you to "serve files over HTTPS" on it -- something we ask you to do for the [.well-known](configuring-well-known.md) setup (needed for [Server Delegation](howto-server-delegation.md)). + +Luckily, the playbook can set up your Matrix server (at `matrix.DOMAIN`) to also handle traffic for the base domain (`DOMAIN`). + +See [Serving the base domain](configuring-playbook-base-domain-serving.md). + +### How do I optimize this setup for a low-power server? + +You can disable some not-so-important services to save on memory. + +```yaml +# An identity server is not a must. +matrix_ma1sd_enabled: false + +# Disabling this will prevent email-notifications and other such things from working. +matrix_mailer_enabled: false + +# You can also disable this to save more RAM, +# at the expense of audio/video calls being unreliable. +matrix_coturn_enabled: true + +# This makes Synapse not keep track of who is online/offline. +# +# Keeping track of this and announcing such online-status in federated rooms with +# hundreds of servers inside is insanely heavy (https://github.com/matrix-org/synapse/issues/3971). +# +# If your server does not federate with hundreds of others, enabling this doesn't hurt much. +matrix_synapse_use_presence: false +``` + +You can also consider implementing a restriction on room complexity, in order to prevent users from joining very heavy rooms: + +```yaml +matrix_synapse_configuration_extension_yaml: | + limit_remote_rooms: + enabled: true + complexity: 1.0 # this limits joining complex (~large) rooms, can be + # increased, but larger values can require more RAM +``` + +If you've installed [Jitsi](configuring-playbook-jitsi.md) (not installed by default), there are additional optimizations listed on its documentation page that you can perform. + +### I already have Docker on my server. Can you stop installing Docker via the playbook? + +Yes, we can stop installing Docker ourselves. Just use this in your `vars.yml` file: + +```yaml +matrix_docker_installation_enabled: true +``` + +### I run another webserver on the same server where I wish to install Matrix. What now? + +By default, we install a webserver for you (nginx), but you can also use [your own webserver](configuring-playbook-own-webserver.md). + + +## Installation + +### How do I run the installation? + +See [Installing](installing.md) to learn how to use Ansible to install Matrix services. + +Of course, don't just jump straight to Installing. Rather, start at [Prerequisites](prerequisites.md) and get guided from there (into [setting up DNS](configuring-dns.md), [configuring the playbook](configuring-playbook.md), etc). + +### I installed Synapse some other way. Can I migrate such a setup to the playbook? + +Yes, you can. + +You generally need to do a playbook installation (start at the [Prerequisites](prerequisites.md) page), followed by importing your existing data into it. + +This Ansible playbook guides you into installing a server for `DOMAIN` (user identifiers are like this: `@user:DOMAIN`), while the server is at `matrix.DOMAIN`. If your existing setup has a server name (`server_name` configuration setting in Synapse's `homeserver.yaml` file) other than the base `DOMAIN`, you may need to tweak some additional variables. This FAQ entry may be of use if you're dealing with a more complicated setup - [How do I install on matrix.DOMAIN without involving the base DOMAIN?](#how-do-i-install-on-matrixdomain-without-involving-the-base-domain) + +After configuring the playbook and installing and **before starting** services (done with `ansible-playbook ... --tags=start`) you'd import [your SQLite](importing-synapse-sqlite.md) (or [Postgres](importing-postgres.md)) database and also [import your media store](importing-synapse-media-store.md). + +### I've downloaded Ansible and the playbook on the server. It can't connect using SSH. + +If you're using the playbook directly on the server, then Ansible doesn't need to connect using SSH. + +It can perform a local connection instead. Just set `ansible_connection=local` at the end of the server line in `inventory/hosts` and re-run the playbook. + +If you're running Ansible from within a container (one of the possibilities we list on our [dedicated Ansible documentation page](ansible.md)), then using `ansible_connection=local` is not possible. + + +## Maintenance + +### Do I need to do anything to keep my Matrix server updated? + +Yes. We don't update anything for you automatically. + +See our [documentation page about upgrading services](maintenance-upgrading-services.md). + +### How do I move my existing installation to another (VM) server? + +If you have an existing installation done using this Ansible playbook, you can easily migrate that to another server using [our dedicated server migration guide](maintenance-migrating.md). + +If your previous installation is done in some other way (not using this Ansible playbook), see [I installed Synapse some other way. Can I migrate such a setup to the playbook?](#i-installed-synapse-some-other-way-can-i-migrate-such-a-setup-to-the-playbook). + +### How do I back up the data on my server? + +We haven't document this properly yet, but the general advice is to: + +- back up Postgres by making a database dump. See [Backing up PostgreSQL](maintenance-postgres.md#backing-up-postgresql) + +- back up all `/matrix` files, except for `/matrix/postgres/data` (you already have a dump) and `/matrix/postgres/data-auto-upgrade-backup` (this directory may exist and contain your old data if you've [performed a major Postgres upgrade](maintenance-postgres.md#upgrading-postgresql)). + +You can later restore these roughly like this: + +- restore the `/matrix` directory and files on the new server manually +- run the playbook again (see [Installing](installing.md)), but **don't** start services yet (**don't run** `... --tags=start`). This step will fix any file permission mismatches and will also set up additional software (Docker, etc.) and files on the server (systemd service, etc.). +- perform a Postgres database import (see [Importing Postgres](importing-postgres.md)) to restore your database backup +- start services (see [Starting the services](installing.md#starting-the-services)) + +If your server's IP address has changed, you may need to [set up DNS](configuring-dns.md) again. diff --git a/docs/prerequisites.md b/docs/prerequisites.md index ae9a992f..28afeb94 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -1,6 +1,8 @@ # Prerequisites -- An **x86** server running one of these operating systems: +To install Matrix services using this Ansible playbook, you need: + +- (Recommended) An **x86** server running one of these operating systems: - **CentOS** (7 only for now; [8 is not yet supported](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/300)) - **Debian** (9/Stretch+) - **Ubuntu** (16.04+, although [20.04 may be problematic](ansible.md#supported-ansible-versions)) From 3b5907d83d47b7c948f22d0f2bcbd6ba79a43fc5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Jan 2021 13:01:20 +0200 Subject: [PATCH 56/84] Update FAQ with details about /matrix/postgres/data-auto-upgrade-backup --- docs/faq.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/faq.md b/docs/faq.md index b4cdac64..6f5123bf 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -355,3 +355,9 @@ You can later restore these roughly like this: - start services (see [Starting the services](installing.md#starting-the-services)) If your server's IP address has changed, you may need to [set up DNS](configuring-dns.md) again. + +### What is this `/matrix/postgres/data-auto-upgrade-backup` directory that is taking up so much space? + +When you [perform a major Postgres upgrade](maintenance-postgres.md#upgrading-postgresql), we save the the old data files in `/matrix/postgres/data-auto-upgrade-backup`, just so you could easily restore them should something have gone wrong. + +After verifying that everything still works after the Postgres upgrade, you can safely delete `/matrix/postgres/data-auto-upgrade-backup` From a47813585d033eac83dda764bb96cc177e936b4c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Jan 2021 19:24:05 +0200 Subject: [PATCH 57/84] Rename file to prevent common mistake Prompted by this: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/779#issuecomment-764807507 --- docs/configuring-playbook.md | 2 +- examples/{host-vars.yml => vars.yml} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename examples/{host-vars.yml => vars.yml} (100%) diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 3bb28c3f..11b801a7 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -10,7 +10,7 @@ You can then follow these steps inside the playbook directory: - create a directory to hold your configuration (`mkdir inventory/host_vars/matrix.`) -- copy the sample configuration file (`cp examples/host-vars.yml inventory/host_vars/matrix./vars.yml`) +- copy the sample configuration file (`cp examples/vars.yml inventory/host_vars/matrix./vars.yml`) - edit the configuration file (`inventory/host_vars/matrix./vars.yml`) to your liking. You may also take a look at the various `roles/ROLE_NAME_HERE/defaults/main.yml` files and see if there's something you'd like to copy over and override in your `vars.yml` configuration file. diff --git a/examples/host-vars.yml b/examples/vars.yml similarity index 100% rename from examples/host-vars.yml rename to examples/vars.yml From 703f1b1a04dcd1dc66184ea0ac8f208a964fd33d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 21 Jan 2021 22:07:50 +0200 Subject: [PATCH 58/84] Add some more questions/answers to the FAQ --- docs/faq.md | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) diff --git a/docs/faq.md b/docs/faq.md index 6f5123bf..4e63784b 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -297,6 +297,36 @@ matrix_docker_installation_enabled: true By default, we install a webserver for you (nginx), but you can also use [your own webserver](configuring-playbook-own-webserver.md). +### How is the effective configuration determined? + +Configuration variables are defined in multiple places in this playbook and are considered in this order: + +- there are defaults coming from each role's defaults file (`role/matrix*/defaults/main.yml`). These variable values aim to be good defaults for when the role is used standalone (outside of this collection of roles, also called playbook). + +- then, there are overrides in `group_vars/matrix_servers`, which aim to adjust these "standalone role defaults" to something which better fits the playbook in its entirety. + +- finally, there's your `inventory/host_vars/matrix.DOMAIN/vars.yml` file, which is the ultimate override + +### What configuration variables are available? + +You can discover the variables you can override in each role (`role/matrix*/defaults/main.yml`). + +As described in [How is the effective configuration determined?](#how-is-the-effective-configuration-determined), these role-defaults may be overriden by values defined in `group_vars/matrix_servers`. + +Refer to both of these for inspiration. Still, as mentioned in [Configuring the playbook](configuring-playbook.md), you're only ever supposed to edit your own `inventory/host_vars/matrix.DOMAIN/vars.yml` file and nothing else inside the playbook (unless you're meaning to contribute new features). + +### I'd like to adjust some configuration which doesn't have a corresponding variable. How do I do it? + +The playbook doesn't aim to expose all configuration settings for all services using variables. +Doing so would amount is to hundreds of variables that we have to create and maintain. + +Instead, we only try to make some important basics configurable using dedicated variables you can see in each role. +See [What configuration variables are available?](#what-configuration-variables-are-available). + +Besides that, each role (component) aims to provide a `matrix_SOME_COMPONENT_configuration_extension_yaml` (or `matrix_SOME_COMPONENT_configuration_extension_json`) variable, which can be used to override the configuration. + +Check each role's `role/matrix*/defaults/main.yml` for the corresponding variable and an example for how use it. + ## Installation @@ -325,6 +355,46 @@ It can perform a local connection instead. Just set `ansible_connection=local` a If you're running Ansible from within a container (one of the possibilities we list on our [dedicated Ansible documentation page](ansible.md)), then using `ansible_connection=local` is not possible. +## Troubleshooting + +### I get "Error response from daemon: configured logging driver does not support reading" when I do `docker logs matrix-synapse`. + +See [How can I see the logs?](#how-can-i-see-the-logs). + +### How can I see the logs? + +We utilize [systemd/journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html#Description) for logging. + +To see logs for Synapse, run `journalctl -fu matrix-synapse.service`. You may wish to see the [manual page for journalctl](https://www.commandlinux.com/man-page/man1/journalctl.1.html). + +Available service names can be seen by doing `ls /etc/systemd/system/matrix*.service` on the server. + +Some services also log to files in `/matrix/*/data/..`, but we're slowly moving away from that. + +We also disable Docker logging, so you can't use `docker logs matrix-*` either. We do this to prevent useless double (or even tripple) logging and to avoid having to rotate log files. + +We just simply delegate logging to journald and it takes care of persistenec and expiring old data. + +Also see: [How long do systemd/journald logs persist for?](#how-long-do-systemdjournald-logs-persist-for) + +### How long do systemd/journald logs persist for? + +On some distros, the journald logs are just in-memory and not persisted to disk. + +Consult (and feel free to adjust) your distro's journald logging configuration in `/etc/systemd/journald.conf`. + +To enable persistence and put some limits on how large the journal log files can become, adjust your configuration like this: + +```ini +[Journal] +RuntimeMaxUse=200M +SystemMaxUse=1G +RateLimitInterval=0 +RateLimitBurst=0 +Storage=persistent +``` + + ## Maintenance ### Do I need to do anything to keep my Matrix server updated? From 95346f3117f2a3a67a5287a5d75e487f7bf4cefb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 12:23:00 +0200 Subject: [PATCH 59/84] Reorganize Postgres access (breaking change) In short, this makes Synapse a 2nd class citizen, preparing for a future where it's just one-of-many homeserver software options. We also no longer have a default Postgres superuser password, which improves security. The changelog explains more as to why this was done and how to proceed from here. --- CHANGELOG.md | 82 +++++++++++++++++++ .../configuring-playbook-external-postgres.md | 1 + docs/maintenance-postgres.md | 11 +++ examples/vars.yml | 14 +++- group_vars/matrix_servers | 19 +++-- roles/matrix-postgres/defaults/main.yml | 7 +- .../matrix-postgres/tasks/validate_config.yml | 16 +++- roles/matrix-synapse/defaults/main.yml | 6 +- .../matrix-synapse/tasks/validate_config.yml | 4 + 9 files changed, 139 insertions(+), 21 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 02bc926f..82d66157 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,85 @@ +# 2021-01-22 + +## (Breaking Change) Postgres changes that require manual intervention + +We've made a lot of changes to our Postgres setup and some manual action is required (described below). Sorry about the hassle. + +**TLDR**: people running an [external Postgres server](docs/configuring-playbook-external-postgres.md) don't need to change anything for now. Everyone else (the common/default case) is affected and manual intervention is required. + +### Why? + +- we had a default Postgres password (`matrix_postgres_connection_password: synapse-password`), which we think is **not ideal for security anymore**. We now ask you to generate/provide a strong password yourself. Postgres is normally not exposed outside the container network, making it relatively secure, but still: + - by tweaking the configuration, you may end up intentionally or unintentionally exposing your Postgres server to the local network (or even publicly), while still using the default default credentials (`synapse` + `synapse-password`) + - we can't be sure we trust all these services (bridges, etc). Some of them may try to talk to or attack `matrix-postgres` using the default credentials (`synapse` + `synapse-password`) + - you may have other containers running on the same Docker network, which may try to talk to or attack `matrix-postgres` using the default credentials (`synapse` + `synapse-password`) +- our Postgres usage **was overly-focused on Synapse** (default username of `synapse` and default/main database of `homeserver`). Additional homeserver options are likely coming in the future ([Dendrite](https://matrix.org/docs/projects/server/dendrite), [Conduit](https://matrix.org/docs/projects/server/conduit), [The Construct](https://matrix.org/docs/projects/server/construct)), so being too focused on `matrix-synapse` is not great. From now on, Synapse is just another component of this playbook, which happens to have an *additional database* (called `synapse`) on the Postgres server. +- we try to reorganize things a bit, to make the playbook even friendlier to people running an [external Postgres server](docs/configuring-playbook-external-postgres.md). Work on this will proceed in the future. + +So, this is some **effort to improve security** and to **prepare for a brighter future of having more homeserver options** than just Synapse. + +### What has really changed? + +- the default superuser Postgres username is now `matrix` (used to be `synapse`) +- the default Postgres database is now `matrix` (used to be `homeserver`) +- Synapse's database is now `synapse` (used to be `homeserver`). This is now just another "additional database" that the playbook manages for you +- Synapse's user called `synapse` is just a regular user that can only use the `synapse` database (not a superuser anymore) + +### What do I do if I'm using the integrated Postgres server (default)? + +By default, the playbook runs an integrated Postgres server for you in a container (`matrix-postgres`). Unless you've explicitly configured an [external Postgres server](docs/configuring-playbook-external-postgres.md), these steps are meant for you. + +To migrate to the new setup, expect a few minutes of downtime, while you follow these steps: + +1. Generate a strong password to be used for your superuser Postgres user (called `matrix`). You can use `pwgen -s 64 1` to generate it, or some other tool. + +2. Update your playbook's `inventory/host_vars/matrix.DOMAIN/vars.yml` file, adding a line like this: +```yaml +matrix_postgres_connection_password: YOUR_POSTGRES_PASSWORD_HERE +``` + +.. where `YOUR_POSTGRES_PASSWORD_HERE` is to be replaced with the password you generated during step #1. + +3. Stop all services: `ansible-playbook -i inventory/hosts setup.yml --tags=stop` +4. Log in to the server via SSH. The next commands will be performed there. +5. Start the Postgres database server: `systemctl start matrix-postgres` +6. Open a Postgres shell: `/usr/local/bin/matrix-postgres-cli` +7. Execute the following query, while making sure to **change the password inside**: + +```sql +CREATE ROLE matrix LOGIN SUPERUSER PASSWORD 'YOUR_POSTGRES_PASSWORD_HERE'; +``` + +.. where `YOUR_POSTGRES_PASSWORD_HERE` is to be replaced with the password you generated during step #1. + +8. Execute the following queries as you see them (no modifications necessary, so you can just paste them): + +```sql +CREATE DATABASE matrix OWNER matrix; + +ALTER DATABASE postgres OWNER TO matrix; +ALTER DATABASE template0 OWNER TO matrix; +ALTER DATABASE template1 OWNER TO matrix; + +\c matrix; + +ALTER DATABASE homeserver RENAME TO synapse; + +ALTER ROLE synapse NOSUPERUSER NOCREATEDB NOCREATEROLE; + +\quit +``` + +You may need to press *Enter* after pasting the lines above. + +1. Re-run the playbook normally: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` + +### What do I do if I'm using an external Postgres server? + +If you've explicitly configured an [external Postgres server](docs/configuring-playbook-external-postgres.md), there are changes that you need to do at this time. + +The fact that we've renamed Synapse's database from `homeserver` to `synapse` (in our defaults) should not affect you, as you're already explicitly defining `matrix_synapse_database_database` (if you've followed our guide, that is). If you're not explicitly defining this variable, you may wish to do so (`matrix_synapse_database_database: homeserver`), to avoid the new `synapse` default and keep things as they were. + + # 2021-01-20 ## (Breaking Change) The mautrix-facebook bridge now requires a Postgres database diff --git a/docs/configuring-playbook-external-postgres.md b/docs/configuring-playbook-external-postgres.md index f3671a64..0becc8ff 100644 --- a/docs/configuring-playbook-external-postgres.md +++ b/docs/configuring-playbook-external-postgres.md @@ -4,6 +4,7 @@ By default, this playbook would set up a PostgreSQL database server on your mach If that's alright, you can skip this. If you'd like to use an external PostgreSQL server that you manage, you can edit your configuration file (`inventory/host_vars/matrix./vars.yml`). + It should be something like this: ```yaml diff --git a/docs/maintenance-postgres.md b/docs/maintenance-postgres.md index 7c936479..14ac5d8e 100644 --- a/docs/maintenance-postgres.md +++ b/docs/maintenance-postgres.md @@ -19,6 +19,17 @@ You can use the `/usr/local/bin/matrix-postgres-cli` tool to get interactive ter If you are using an [external Postgres server](configuring-playbook-external-postgres.md), the above tool will not be available. +By default, this tool puts you in the `matrix` database, which contains nothing. + +To see the available databases, run `\list` (or just `\l`). + +To change to another database (for example `synapse`), run `\connect synapse` (or just `\c synapse`). + +You can then proceed to write queries. Example: `SELECT COUNT(*) FROM users;` + +**Be careful**. Modifying the database directly (especially as services are running) is dangerous and may lead to irreversible database corruption. +When in doubt, consider [making a backup](#backing-up-postgresql). + ## Vacuuming PostgreSQL diff --git a/examples/vars.yml b/examples/vars.yml index 409f344a..eb355744 100644 --- a/examples/vars.yml +++ b/examples/vars.yml @@ -4,7 +4,7 @@ # Note: this playbook does not touch the server referenced here. # Installation happens on another server ("matrix."). # -# If you've deployed using the wrong domain, you'll have to run the Uninstalling step, +# If you've deployed using the wrong domain, you'll have to run the Uninstalling step, # because you can't change the Domain after deployment. # # Example value: example.com @@ -18,12 +18,18 @@ matrix_domain: YOUR_BARE_DOMAIN_NAME_HERE # you won't be required to define this variable (see `docs/configuring-playbook-ssl-certificates.md`). # # Example value: someone@example.com -matrix_ssl_lets_encrypt_support_email: YOUR_EMAIL_ADDRESS_HERE +matrix_ssl_lets_encrypt_support_email: '' # A shared secret (between Coturn and Synapse) used for authentication. # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). -matrix_coturn_turn_static_auth_secret: "" +matrix_coturn_turn_static_auth_secret: '' # A secret used to protect access keys issued by the server. # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). -matrix_synapse_macaroon_secret_key: "" +matrix_synapse_macaroon_secret_key: '' + +# A Postgres password to used for the superuser Postgres user (called `matrix` by default). +# +# The playbook creates additional Postgres users and databases (one for each enabled service) +# using this superuser account. +matrix_postgres_connection_password: '' diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 4ec0e8e9..77876e33 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1021,16 +1021,20 @@ matrix_ssl_pre_obtaining_required_service_name: "{{ 'matrix-dynamic-dns' if matr matrix_postgres_enabled: true -matrix_postgres_connection_hostname: "matrix-postgres" -matrix_postgres_connection_username: "synapse" -# Please note that the max length of the password is 99 characters -matrix_postgres_connection_password: "synapse-password" -matrix_postgres_db_name: "homeserver" +# We unset this if internal Postgres disabled, which will cascade to some other variables +# and tell users they need to set it (either here or in those variables). +matrix_postgres_connection_hostname: "{{ 'matrix-postgres' if matrix_postgres_enabled else '' }}" matrix_postgres_pgloader_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" matrix_postgres_additional_databases: | {{ + ([{ + 'name': matrix_synapse_database_database, + 'username': matrix_synapse_database_user, + 'password': matrix_synapse_database_password, + }] if (matrix_synapse_enabled and matrix_synapse_database_database != matrix_postgres_db_name and matrix_synapse_database_host == 'matrix-postgres') else []) + + ([{ 'name': matrix_ma1sd_database_name, 'username': matrix_ma1sd_database_username, @@ -1243,10 +1247,7 @@ matrix_synapse_container_metrics_api_host_bind_port: "{{ '127.0.0.1:9100' if (ma # For exposing the Synapse Manhole port (plain HTTP) to the local host. matrix_synapse_container_manhole_api_host_bind_port: "{{ '127.0.0.1:9000' if matrix_synapse_manhole_enabled else '' }}" -matrix_synapse_database_host: "{{ matrix_postgres_connection_hostname }}" -matrix_synapse_database_user: "{{ matrix_postgres_connection_username }}" -matrix_synapse_database_password: "{{ matrix_postgres_connection_password }}" -matrix_synapse_database_database: "{{ matrix_postgres_db_name }}" +matrix_synapse_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'synapse.db') | to_uuid }}" # We do not enable TLS in Synapse by default. # TLS is handled by the matrix-nginx-proxy, which proxies the requests to Synapse. diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index 8f1d0d78..07eeffad 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -1,9 +1,10 @@ matrix_postgres_enabled: true -matrix_postgres_connection_hostname: "" -matrix_postgres_connection_username: "" +matrix_postgres_connection_hostname: "matrix-postgres" +matrix_postgres_connection_port: 5432 +matrix_postgres_connection_username: "matrix" matrix_postgres_connection_password: "" -matrix_postgres_db_name: "" +matrix_postgres_db_name: "matrix" matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres" matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data" diff --git a/roles/matrix-postgres/tasks/validate_config.yml b/roles/matrix-postgres/tasks/validate_config.yml index 6ff5adb0..9158e926 100644 --- a/roles/matrix-postgres/tasks/validate_config.yml +++ b/roles/matrix-postgres/tasks/validate_config.yml @@ -6,17 +6,29 @@ The `matrix_postgres_use_external` variable defined in your configuration is not used by this playbook anymore! You'll need to adapt to the new way of using an external Postgres server. It's a combination of `matrix_postgres_enabled: false` and specifying Postgres connection - details in a few `matrix_synapse_database_` variables. + details in a few `matrix_postgres_connection_` variables. See the "Using an external PostgreSQL server (optional)" documentation page. when: "'matrix_postgres_use_external' in vars" +# This is separate (from the other required variables below), +# because we'd like to have a friendlier message for our existing users. +- name: Fail if matrix_postgres_connection_password not defined + fail: + msg: >- + The playbook no longer has a default Postgres password defined in the `matrix_postgres_connection_password` variable, among lots of other Postgres changes. + You need to perform multiple manual steps to resolve this. + See our changelog for more details: + https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-postgres-changes-that-require-manual-intervention + when: "matrix_postgres_connection_password == ''" + - name: Fail if required Postgres settings not defined fail: - msg: > + msg: >- You need to define a required configuration setting (`{{ item }}`). when: "vars[item] == ''" with_items: - "matrix_postgres_connection_hostname" + - "matrix_postgres_connection_port" - "matrix_postgres_connection_username" - "matrix_postgres_connection_password" - "matrix_postgres_db_name" diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 0e7cf987..985b86bb 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -294,10 +294,10 @@ matrix_synapse_manhole_enabled: false matrix_synapse_sentry_dsn: "" # Postgres database information -matrix_synapse_database_host: "" -matrix_synapse_database_user: "" +matrix_synapse_database_host: "matrix-postgres" +matrix_synapse_database_user: "synapse" matrix_synapse_database_password: "" -matrix_synapse_database_database: "" +matrix_synapse_database_database: "synapse" matrix_synapse_turn_uris: [] matrix_synapse_turn_shared_secret: "" diff --git a/roles/matrix-synapse/tasks/validate_config.yml b/roles/matrix-synapse/tasks/validate_config.yml index fe3cb2e6..b2c1f3a7 100644 --- a/roles/matrix-synapse/tasks/validate_config.yml +++ b/roles/matrix-synapse/tasks/validate_config.yml @@ -7,6 +7,10 @@ when: "vars[item] == ''" with_items: - "matrix_synapse_macaroon_secret_key" + - "matrix_synapse_database_host" + - "matrix_synapse_database_user" + - "matrix_synapse_database_password" + - "matrix_synapse_database_database" - name: (Deprecation) Catch and report renamed settings fail: From f9c1d624351f88c9dd0e7b869bb8c3ebd62741d8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 13:52:55 +0200 Subject: [PATCH 60/84] Fix Postgres database (-alpine) failing to start on ARM32 --- group_vars/matrix_servers | 2 ++ roles/matrix-postgres/defaults/main.yml | 18 +++++++++++++----- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 77876e33..4415c86c 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1021,6 +1021,8 @@ matrix_ssl_pre_obtaining_required_service_name: "{{ 'matrix-dynamic-dns' if matr matrix_postgres_enabled: true +matrix_postgres_architecture: "{{ matrix_architecture }}" + # We unset this if internal Postgres disabled, which will cascade to some other variables # and tell users they need to set it (either here or in those variables). matrix_postgres_connection_hostname: "{{ 'matrix-postgres' if matrix_postgres_enabled else '' }}" diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index 07eeffad..21891583 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -9,11 +9,19 @@ matrix_postgres_db_name: "matrix" matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres" matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data" -matrix_postgres_docker_image_v9: "docker.io/postgres:9.6.20-alpine" -matrix_postgres_docker_image_v10: "docker.io/postgres:10.15-alpine" -matrix_postgres_docker_image_v11: "docker.io/postgres:11.10-alpine" -matrix_postgres_docker_image_v12: "docker.io/postgres:12.5-alpine" -matrix_postgres_docker_image_v13: "docker.io/postgres:13.1-alpine" +matrix_postgres_architecture: amd64 + +# matrix_postgres_docker_image_suffix controls whether we use Alpine-based images (`-alpine`) or the normal Debian-based images. +# Alpine-based Postgres images are smaller and we usually prefer them, but they don't work on ARM32 (tested on a Raspberry Pi 3 running Raspbian 10.7). +# On ARM32, `-alpine` images fail with the following error: +# > LOG: startup process (PID 37) was terminated by signal 11: Segmentation fault +matrix_postgres_docker_image_suffix: "{{ '-alpine' if matrix_postgres_architecture in ['amd64', 'arm64'] else '' }}" + +matrix_postgres_docker_image_v9: "docker.io/postgres:9.6.20{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v10: "docker.io/postgres:10.15{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v11: "docker.io/postgres:11.10{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v12: "docker.io/postgres:12.5{{ matrix_postgres_docker_image_suffix }}" +matrix_postgres_docker_image_v13: "docker.io/postgres:13.1{{ matrix_postgres_docker_image_suffix }}" matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v13 }}" # This variable is assigned at runtime. Overriding its value has no effect. From e88dcfa252252c7f17aa5762757411847d4a6eb6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 13:58:55 +0200 Subject: [PATCH 61/84] Mention Postgres backup --- CHANGELOG.md | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 82d66157..0cdddd27 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -30,20 +30,22 @@ By default, the playbook runs an integrated Postgres server for you in a contain To migrate to the new setup, expect a few minutes of downtime, while you follow these steps: -1. Generate a strong password to be used for your superuser Postgres user (called `matrix`). You can use `pwgen -s 64 1` to generate it, or some other tool. +1. We believe the steps below are safe and you won't encounter any data loss, but consider [making a Postgres backup](docs/maintenance-postgres.md#backing-up-postgresql) anyway. If you've never backed up Postgres, now would be a good time to try it. -2. Update your playbook's `inventory/host_vars/matrix.DOMAIN/vars.yml` file, adding a line like this: +2. Generate a strong password to be used for your superuser Postgres user (called `matrix`). You can use `pwgen -s 64 1` to generate it, or some other tool. + +3. Update your playbook's `inventory/host_vars/matrix.DOMAIN/vars.yml` file, adding a line like this: ```yaml matrix_postgres_connection_password: YOUR_POSTGRES_PASSWORD_HERE ``` .. where `YOUR_POSTGRES_PASSWORD_HERE` is to be replaced with the password you generated during step #1. -3. Stop all services: `ansible-playbook -i inventory/hosts setup.yml --tags=stop` -4. Log in to the server via SSH. The next commands will be performed there. -5. Start the Postgres database server: `systemctl start matrix-postgres` -6. Open a Postgres shell: `/usr/local/bin/matrix-postgres-cli` -7. Execute the following query, while making sure to **change the password inside**: +4. Stop all services: `ansible-playbook -i inventory/hosts setup.yml --tags=stop` +5. Log in to the server via SSH. The next commands will be performed there. +6. Start the Postgres database server: `systemctl start matrix-postgres` +7. Open a Postgres shell: `/usr/local/bin/matrix-postgres-cli` +8. Execute the following query, while making sure to **change the password inside**: ```sql CREATE ROLE matrix LOGIN SUPERUSER PASSWORD 'YOUR_POSTGRES_PASSWORD_HERE'; @@ -51,7 +53,7 @@ CREATE ROLE matrix LOGIN SUPERUSER PASSWORD 'YOUR_POSTGRES_PASSWORD_HERE'; .. where `YOUR_POSTGRES_PASSWORD_HERE` is to be replaced with the password you generated during step #1. -8. Execute the following queries as you see them (no modifications necessary, so you can just paste them): +9. Execute the following queries as you see them (no modifications necessary, so you can just paste them): ```sql CREATE DATABASE matrix OWNER matrix; @@ -71,7 +73,7 @@ ALTER ROLE synapse NOSUPERUSER NOCREATEDB NOCREATEROLE; You may need to press *Enter* after pasting the lines above. -1. Re-run the playbook normally: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` +10. Re-run the playbook normally: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` ### What do I do if I'm using an external Postgres server? From d3aea8f4b84b1cba414f51b9d1583f389ceee9fd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 14:04:36 +0200 Subject: [PATCH 62/84] Update Postgres backup docs for ARM32 --- docs/maintenance-postgres.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/maintenance-postgres.md b/docs/maintenance-postgres.md index 14ac5d8e..50f5a55d 100644 --- a/docs/maintenance-postgres.md +++ b/docs/maintenance-postgres.md @@ -64,6 +64,8 @@ pg_dumpall -h matrix-postgres \ If you are using an [external Postgres server](configuring-playbook-external-postgres.md), the above command will not work, because the credentials file (`/matrix/postgres/env-postgres-psql`) is not available. +If your server is on the ARM32 [architecture](alternative-architectures.md), you may need to remove the `-alpine` suffix from the image name in the command above. + Restoring a backup made this way can be done by [importing it](importing-postgres.md). From 1a3034b0c876d91e1a9b2e18e0d396ea39d83c53 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 14:13:56 +0200 Subject: [PATCH 63/84] Fix typo --- examples/vars.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/vars.yml b/examples/vars.yml index eb355744..f79e5e3c 100644 --- a/examples/vars.yml +++ b/examples/vars.yml @@ -28,7 +28,7 @@ matrix_coturn_turn_static_auth_secret: '' # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). matrix_synapse_macaroon_secret_key: '' -# A Postgres password to used for the superuser Postgres user (called `matrix` by default). +# A Postgres password to use for the superuser Postgres user (called `matrix` by default). # # The playbook creates additional Postgres users and databases (one for each enabled service) # using this superuser account. From 89db6be5682b4702b32bcb219654c815cd96a7de Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 14:33:02 +0200 Subject: [PATCH 64/84] Fix typo --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0cdddd27..05548cc0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -77,7 +77,7 @@ You may need to press *Enter* after pasting the lines above. ### What do I do if I'm using an external Postgres server? -If you've explicitly configured an [external Postgres server](docs/configuring-playbook-external-postgres.md), there are changes that you need to do at this time. +If you've explicitly configured an [external Postgres server](docs/configuring-playbook-external-postgres.md), there are **no changes** that you need to do at this time. The fact that we've renamed Synapse's database from `homeserver` to `synapse` (in our defaults) should not affect you, as you're already explicitly defining `matrix_synapse_database_database` (if you've followed our guide, that is). If you're not explicitly defining this variable, you may wish to do so (`matrix_synapse_database_database: homeserver`), to avoid the new `synapse` default and keep things as they were. From d95f16070545247251529ae4754b2ce2e1108f6c Mon Sep 17 00:00:00 2001 From: Dan Arnfield Date: Fri, 22 Jan 2021 06:48:25 -0600 Subject: [PATCH 65/84] Fix typos --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 05548cc0..9ab6bccc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -39,7 +39,7 @@ To migrate to the new setup, expect a few minutes of downtime, while you follow matrix_postgres_connection_password: YOUR_POSTGRES_PASSWORD_HERE ``` -.. where `YOUR_POSTGRES_PASSWORD_HERE` is to be replaced with the password you generated during step #1. +.. where `YOUR_POSTGRES_PASSWORD_HERE` is to be replaced with the password you generated during step #2. 4. Stop all services: `ansible-playbook -i inventory/hosts setup.yml --tags=stop` 5. Log in to the server via SSH. The next commands will be performed there. @@ -51,7 +51,7 @@ matrix_postgres_connection_password: YOUR_POSTGRES_PASSWORD_HERE CREATE ROLE matrix LOGIN SUPERUSER PASSWORD 'YOUR_POSTGRES_PASSWORD_HERE'; ``` -.. where `YOUR_POSTGRES_PASSWORD_HERE` is to be replaced with the password you generated during step #1. +.. where `YOUR_POSTGRES_PASSWORD_HERE` is to be replaced with the password you generated during step #2. 9. Execute the following queries as you see them (no modifications necessary, so you can just paste them): From 3273f023dce6c499d287f55e512af9b7814354d7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 15:50:24 +0200 Subject: [PATCH 66/84] Fix Postgres importing guide This fixes things to make them compatible with the changes done in 95346f3117f2a3 --- docs/importing-postgres.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/importing-postgres.md b/docs/importing-postgres.md index 0dd75cb2..0e2d3fe7 100644 --- a/docs/importing-postgres.md +++ b/docs/importing-postgres.md @@ -7,8 +7,8 @@ Run this if you'd like to import your database from a previous installation. ## Prerequisites For this to work, **the database name in Postgres must match** what this playbook uses. -This playbook uses a Postgres database name of `homeserver` by default (controlled by the `matrix_postgres_db_name` variable). -If your database name differs, be sure to change `matrix_postgres_db_name` to your desired name and to re-run the playbook before proceeding. +This playbook uses a Postgres database name of `synapse` by default (controlled by the `matrix_synapse_database_database` variable). +If your database name differs, be sure to change `matrix_synapse_database_database` to your desired name and to re-run the playbook before proceeding. The playbook supports importing Postgres dump files in **text** (e.g. `pg_dump > dump.sql`) or **gzipped** formats (e.g. `pg_dump | gzip -c > dump.sql.gz`). From bef0702feaeae2836ccc40c29337cffc165a86a3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 16:21:30 +0200 Subject: [PATCH 67/84] Wait some more when starting Postgres during setup on ARM --- roles/matrix-postgres/defaults/main.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/matrix-postgres/defaults/main.yml b/roles/matrix-postgres/defaults/main.yml index 21891583..d96a3ce8 100644 --- a/roles/matrix-postgres/defaults/main.yml +++ b/roles/matrix-postgres/defaults/main.yml @@ -72,7 +72,10 @@ matrix_postgres_import_databases_ignore_regex: "^CREATE DATABASE ({{ matrix_post # and before trying to run queries for creating additional databases/users against it. # # For most (subsequent) runs, Postgres would already be running, so no waiting will be happening at all. -matrix_postgres_additional_databases_postgres_start_wait_timeout_seconds: 15 +# +# On ARM, we wait some more. ARM32 devices are especially known for being slow. +# ARM64 likely don't need such a long delay, but it doesn't hurt too much having it. +matrix_postgres_additional_databases_postgres_start_wait_timeout_seconds: "{{ 45 if matrix_postgres_architecture in ['arm32', 'arm64'] else 15 }}" matrix_postgres_pgloader_container_image_self_build: false From 88addd71fc31d4c245b05a2c00d820e05a94e7d3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 17:39:08 +0200 Subject: [PATCH 68/84] Fix Postgres imports going to the matrix DB by default Well, they still do go to that DB by default, but our docs give a better command to users, which would do the right thing. --- docs/importing-postgres.md | 9 ++++++++- roles/matrix-postgres/tasks/import_postgres.yml | 9 ++++++++- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/docs/importing-postgres.md b/docs/importing-postgres.md index 0e2d3fe7..b905ba7b 100644 --- a/docs/importing-postgres.md +++ b/docs/importing-postgres.md @@ -21,10 +21,17 @@ Before doing the actual import, **you need to upload your Postgres dump file to To import, run this command (make sure to replace `` with a file path on your server): - ansible-playbook -i inventory/hosts setup.yml --extra-vars='server_path_postgres_dump=' --tags=import-postgres +```sh +ansible-playbook -i inventory/hosts setup.yml \ +--extra-vars='postgres_default_import_database=synapse server_path_postgres_dump=' \ +--tags=import-postgres +``` + +We specify the `synapse` database as the default import database. If your dump is a single-database dump (`pg_dump`), then we need to tell it where to go to. If you're redefining `matrix_synapse_database_database` to something other than `synapse`, please adjust it here too. For database dumps spanning multiple databases (`pg_dumpall`), you can remove the `postgres_default_import_database` definition (but it doesn't hurt to keep it too). **Note**: `` must be a file path to a Postgres dump file on the server (not on your local machine!). + ## Troubleshooting A table ownership issue can occur if you are importing from a Synapse installation which was both: diff --git a/roles/matrix-postgres/tasks/import_postgres.yml b/roles/matrix-postgres/tasks/import_postgres.yml index c26affbb..b8e93219 100644 --- a/roles/matrix-postgres/tasks/import_postgres.yml +++ b/roles/matrix-postgres/tasks/import_postgres.yml @@ -35,6 +35,13 @@ postgres_import_wait_time: "{{ 7 * 86400 }}" when: "postgres_import_wait_time|default('') == ''" +# By default, we connect and import into the main (`matrix`) database. +# Single-database dumps for Synapse may wish to import into `synapse` instead. +- name: Set postgres_default_import_database, if not provided + set_fact: + postgres_default_import_database: "{{ matrix_postgres_db_name }}" + when: "postgres_default_import_database|default('') == ''" + # Actual import work - name: Ensure matrix-postgres is started @@ -76,7 +83,7 @@ {{ 'gunzip |' if server_path_postgres_dump.endswith('.gz') else '' }} grep -vE '{{ matrix_postgres_import_roles_ignore_regex }}' | grep -vE '{{ matrix_postgres_import_databases_ignore_regex }}' | - psql -v ON_ERROR_STOP=1 -h matrix-postgres" + psql -v ON_ERROR_STOP=1 -h matrix-postgres --dbname={{ postgres_default_import_database }}" # This is a hack. # See: https://ansibledaily.com/print-to-standard-output-without-escaping/ From 37909aa7a9c4834b8cb21f082d48a60448413db7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 18:40:51 +0200 Subject: [PATCH 69/84] Create signald/{avatars,attachments,data} and rename config dir --- roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml | 3 +++ .../templates/systemd/matrix-mautrix-signal.service.j2 | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml index 29555116..d6c3c24d 100644 --- a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml +++ b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml @@ -35,6 +35,9 @@ - "{{ matrix_mautrix_signal_base_path }}" - "{{ matrix_mautrix_signal_config_path }}" - "{{ matrix_mautrix_signal_daemon_path }}" + - "{{ matrix_mautrix_signal_daemon_path }}/avatars" + - "{{ matrix_mautrix_signal_daemon_path }}/attachments" + - "{{ matrix_mautrix_signal_daemon_path }}/data" - name: Ensure mautrix-signal config.yaml installed copy: diff --git a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 index 223f6dac..f9ab7324 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 @@ -27,12 +27,12 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-signal -p {{ matrix_mautrix_signal_container_http_host_bind_port }}:29328 \ {% endif %} -v {{ matrix_mautrix_signal_daemon_path }}:/signald:z \ - -v {{ matrix_mautrix_signal_config_path }}:/data:z \ + -v {{ matrix_mautrix_signal_config_path }}:/config:z \ {% for arg in matrix_mautrix_signal_container_extra_arguments %} {{ arg }} \ {% endfor %} {{ matrix_mautrix_signal_docker_image }} \ - python3 -m mautrix_signal -c /data/config.yaml + python3 -m mautrix_signal -c /config/config.yaml ExecStop=-{{ matrix_host_command_docker }} kill matrix-mautrix-signal ExecStop=-{{ matrix_host_command_docker }} rm matrix-mautrix-signal From 8ec975e3c81e006e720b6d29fca50a7651d799fc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 18:52:20 +0200 Subject: [PATCH 70/84] Use matrix:matrix for Signal bridge (not root) --- .../templates/systemd/matrix-mautrix-signal.service.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 index f9ab7324..e88ec15c 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 @@ -23,6 +23,7 @@ ExecStartPre={{ matrix_host_command_sleep }} 5 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-signal \ --log-driver=none \ --network={{ matrix_docker_network }} \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ {% if matrix_mautrix_signal_container_http_host_bind_port %} -p {{ matrix_mautrix_signal_container_http_host_bind_port }}:29328 \ {% endif %} From f3dd34672416e48692e158a45b27b1d1b3089b0c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 18:56:08 +0200 Subject: [PATCH 71/84] Try to tighten Signal bridge security --- .../templates/systemd/matrix-mautrix-signal-daemon.service.j2 | 2 ++ .../templates/systemd/matrix-mautrix-signal.service.j2 | 2 ++ 2 files changed, 4 insertions(+) diff --git a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 index 35120317..e3e11a6d 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2 @@ -21,9 +21,11 @@ ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-signal-daemon # Intentional delay, so that the homeserver (we likely depend on) can manage to start. ExecStartPre={{ matrix_host_command_sleep }} 5 +# We can't use `--read-only` for this bridge. ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-signal-daemon \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ --network={{ matrix_docker_network }} \ -v {{ matrix_mautrix_signal_daemon_path }}:/signald:z \ {{ matrix_mautrix_signal_daemon_docker_image }} diff --git a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 index e88ec15c..ec6f5159 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2 @@ -24,6 +24,8 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-signal --log-driver=none \ --network={{ matrix_docker_network }} \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ {% if matrix_mautrix_signal_container_http_host_bind_port %} -p {{ matrix_mautrix_signal_container_http_host_bind_port }}:29328 \ {% endif %} From 2997a7fc3e83a71e0e778d30347b20ec17c7bbb4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 19:22:26 +0200 Subject: [PATCH 72/84] Make mx-puppet-* bridges not log to files We log everything in systemd/journald for every service already, so there's no need for double-logging, bridges rotating log files manually and other such nonsense. --- .../templates/config.yaml.j2 | 18 +------------ .../templates/config.yaml.j2 | 18 +------------ .../templates/config.yaml.j2 | 25 +------------------ .../templates/config.yaml.j2 | 18 +------------ .../templates/config.yaml.j2 | 18 +------------ .../templates/config.yaml.j2 | 18 +------------ 6 files changed, 6 insertions(+), 109 deletions(-) diff --git a/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 index 1f4548d8..93c0a491 100644 --- a/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2 @@ -122,20 +122,4 @@ logging: lineDateFormat: MMM-D HH:mm:ss.SSS # Logging files # Log files are rotated daily by default - files: - # Log file path - - file: "/data/bridge.log" - # Log level for this file - # Allowed values starting with most verbose: - # silly, debug, verbose, info, warn, error - level: info - # Date and time formatting - datePattern: YYYY-MM-DD - # Maximum number of logs to keep. - # This can be a number of files or number of days. - # If using days, add 'd' as a suffix - maxFiles: 14d - # Maximum size of the file after which it will rotate. This can be a - # number of bytes, or units of kb, mb, and gb. If using the units, add - # 'k', 'm', or 'g' as the suffix - maxSize: 50m + files: [] diff --git a/roles/matrix-bridge-mx-puppet-instagram/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-instagram/templates/config.yaml.j2 index b830da2b..1c4bb1bd 100644 --- a/roles/matrix-bridge-mx-puppet-instagram/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-instagram/templates/config.yaml.j2 @@ -66,20 +66,4 @@ logging: lineDateFormat: MMM-D HH:mm:ss.SSS # Logging files # Log files are rotated daily by default - files: - # Log file path - - file: "/data/bridge.log" - # Log level for this file - # Allowed values starting with most verbose: - # silly, debug, verbose, info, warn, error - level: info - # Date and time formatting - datePattern: YYYY-MM-DD - # Maximum number of logs to keep. - # This can be a number of files or number of days. - # If using days, add 'd' as a suffix - maxFiles: 14d - # Maximum size of the file after which it will rotate. This can be a - # number of bytes, or units of kb, mb, and gb. If using the units, add - # 'k', 'm', or 'g' as the suffix - maxSize: 50m + files: [] diff --git a/roles/matrix-bridge-mx-puppet-skype/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-skype/templates/config.yaml.j2 index d41d3a23..1d6d4828 100644 --- a/roles/matrix-bridge-mx-puppet-skype/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-skype/templates/config.yaml.j2 @@ -42,30 +42,7 @@ logging: lineDateFormat: MMM-D HH:mm:ss.SSS # Logging files # Log files are rotated daily by default - files: - # Log file path - - file: "/data/bridge.log" - # Log level for this file - # Allowed values starting with most verbose: - # silly, debug, verbose, info, warn, error - level: info - # Date and time formatting - datePattern: YYYY-MM-DD - # Maximum number of logs to keep. - # This can be a number of files or number of days. - # If using days, add 'd' as a suffix - maxFiles: 14d - # Maximum size of the file after which it will rotate. This can be a - # number of bytes, or units of kb, mb, and gb. If using the units, add - # 'k', 'm', or 'g' as the suffix - maxSize: 50m - # Optionally enable/disable logging for certain modules - #disabled: - # - PresenceHandler - # - module: bot-sdk-MatrixLiteClient - # regex: /_matrix/client/r0/presence/ # this regex needs to match to disable the log - #enabled: - # - Store + files: [] database: {% if matrix_mx_puppet_skype_database_engine == 'postgres' %} diff --git a/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 index af6b5cb8..01714cb3 100644 --- a/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2 @@ -80,20 +80,4 @@ logging: lineDateFormat: MMM-D HH:mm:ss.SSS # Logging files # Log files are rotated daily by default - files: - # Log file path - - file: "/data/bridge.log" - # Log level for this file - # Allowed values starting with most verbose: - # silly, debug, verbose, info, warn, error - level: info - # Date and time formatting - datePattern: YYYY-MM-DD - # Maximum number of logs to keep. - # This can be a number of files or number of days. - # If using days, add 'd' as a suffix - maxFiles: 14d - # Maximum size of the file after which it will rotate. This can be a - # number of bytes, or units of kb, mb, and gb. If using the units, add - # 'k', 'm', or 'g' as the suffix - maxSize: 50m + files: [] diff --git a/roles/matrix-bridge-mx-puppet-steam/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-steam/templates/config.yaml.j2 index 149e08b6..fd59471d 100644 --- a/roles/matrix-bridge-mx-puppet-steam/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-steam/templates/config.yaml.j2 @@ -83,20 +83,4 @@ logging: lineDateFormat: MMM-D HH:mm:ss.SSS # Logging files # Log files are rotated daily by default - files: - # Log file path - - file: "/data/bridge.log" - # Log level for this file - # Allowed values starting with most verbose: - # silly, debug, verbose, info, warn, error - level: info - # Date and time formatting - datePattern: YYYY-MM-DD - # Maximum number of logs to keep. - # This can be a number of files or number of days. - # If using days, add 'd' as a suffix - maxFiles: 14d - # Maximum size of the file after which it will rotate. This can be a - # number of bytes, or units of kb, mb, and gb. If using the units, add - # 'k', 'm', or 'g' as the suffix - maxSize: 50m + files: [] diff --git a/roles/matrix-bridge-mx-puppet-twitter/templates/config.yaml.j2 b/roles/matrix-bridge-mx-puppet-twitter/templates/config.yaml.j2 index bdecf1dc..1d269057 100644 --- a/roles/matrix-bridge-mx-puppet-twitter/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mx-puppet-twitter/templates/config.yaml.j2 @@ -76,20 +76,4 @@ logging: lineDateFormat: MMM-D HH:mm:ss.SSS # Logging files # Log files are rotated daily by default - files: - # Log file path - - file: "/data/bridge.log" - # Log level for this file - # Allowed values starting with most verbose: - # silly, debug, verbose, info, warn, error - level: info - # Date and time formatting - datePattern: YYYY-MM-DD - # Maximum number of logs to keep. - # This can be a number of files or number of days. - # If using days, add 'd' as a suffix - maxFiles: 14d - # Maximum size of the file after which it will rotate. This can be a - # number of bytes, or units of kb, mb, and gb. If using the units, add - # 'k', 'm', or 'g' as the suffix - maxSize: 50m + files: [] From 49c0e254db27733237e2478fc49a0cb15e3866f0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 20:21:22 +0200 Subject: [PATCH 73/84] Add some warning about ; in SQL statements I got at least a few reports of people pasting these statements one by one and missing the `;`. --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9ab6bccc..c567cc70 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -53,7 +53,7 @@ CREATE ROLE matrix LOGIN SUPERUSER PASSWORD 'YOUR_POSTGRES_PASSWORD_HERE'; .. where `YOUR_POSTGRES_PASSWORD_HERE` is to be replaced with the password you generated during step #2. -9. Execute the following queries as you see them (no modifications necessary, so you can just paste them): +9. Execute the following queries as you see them (no modifications necessary, so you can just **paste them all at once** and **don't forget the sneaky `;`**): ```sql CREATE DATABASE matrix OWNER matrix; From 3647b23628cb58e2f3a383c846e9addde8b633dd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 20:23:35 +0200 Subject: [PATCH 74/84] Add some warning about ; in SQL statements (take 2) --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c567cc70..e8e82899 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -45,7 +45,7 @@ matrix_postgres_connection_password: YOUR_POSTGRES_PASSWORD_HERE 5. Log in to the server via SSH. The next commands will be performed there. 6. Start the Postgres database server: `systemctl start matrix-postgres` 7. Open a Postgres shell: `/usr/local/bin/matrix-postgres-cli` -8. Execute the following query, while making sure to **change the password inside**: +8. Execute the following query, while making sure to **change the password inside** (**don't forget the ending `;`**): ```sql CREATE ROLE matrix LOGIN SUPERUSER PASSWORD 'YOUR_POSTGRES_PASSWORD_HERE'; @@ -53,7 +53,7 @@ CREATE ROLE matrix LOGIN SUPERUSER PASSWORD 'YOUR_POSTGRES_PASSWORD_HERE'; .. where `YOUR_POSTGRES_PASSWORD_HERE` is to be replaced with the password you generated during step #2. -9. Execute the following queries as you see them (no modifications necessary, so you can just **paste them all at once** and **don't forget the sneaky `;`**): +1. Execute the following queries as you see them (no modifications necessary, so you can just **paste them all at once**): ```sql CREATE DATABASE matrix OWNER matrix; From f9968b6981448f21bf886d405dd0c4d32dc75164 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 21:22:58 +0200 Subject: [PATCH 75/84] Fix matrix_postgres_connection_password length check --- CHANGELOG.md | 2 +- roles/matrix-postgres/tasks/validate_config.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e8e82899..f3c821f4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -32,7 +32,7 @@ To migrate to the new setup, expect a few minutes of downtime, while you follow 1. We believe the steps below are safe and you won't encounter any data loss, but consider [making a Postgres backup](docs/maintenance-postgres.md#backing-up-postgresql) anyway. If you've never backed up Postgres, now would be a good time to try it. -2. Generate a strong password to be used for your superuser Postgres user (called `matrix`). You can use `pwgen -s 64 1` to generate it, or some other tool. +2. Generate a strong password to be used for your superuser Postgres user (called `matrix`). You can use `pwgen -s 64 1` to generate it, or some other tool. The **maximum length** for a Postgres password is 100 bytes (characters). Don't go crazy! 3. Update your playbook's `inventory/host_vars/matrix.DOMAIN/vars.yml` file, adding a line like this: ```yaml diff --git a/roles/matrix-postgres/tasks/validate_config.yml b/roles/matrix-postgres/tasks/validate_config.yml index 9158e926..eac4dd5b 100644 --- a/roles/matrix-postgres/tasks/validate_config.yml +++ b/roles/matrix-postgres/tasks/validate_config.yml @@ -36,4 +36,4 @@ - name: Fail if Postgres password length exceeded fail: msg: "The maximum `matrix_postgres_connection_password` length is 99 characters" - when: "matrix_postgres_connection_hostname|length > 99" + when: "matrix_postgres_connection_password|length > 99" From 0f64f4dc4bf22e236bc414e099fa8c644fa85caf Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 22:05:48 +0200 Subject: [PATCH 76/84] Stop using + to mean "or newer" --- docs/prerequisites.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 28afeb94..f7db27f5 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -4,11 +4,11 @@ To install Matrix services using this Ansible playbook, you need: - (Recommended) An **x86** server running one of these operating systems: - **CentOS** (7 only for now; [8 is not yet supported](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/300)) - - **Debian** (9/Stretch+) - - **Ubuntu** (16.04+, although [20.04 may be problematic](ansible.md#supported-ansible-versions)) + - **Debian** (9/Stretch or newer) + - **Ubuntu** (16.04 or newer, although [20.04 may be problematic](ansible.md#supported-ansible-versions)) - **Archlinux** -We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there. +Generally, newer is better. We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there. This playbook somewhat supports running on non-`amd64` architectures like ARM. See [Alternative Architectures](alternative-architectures.md). From e502ee33da38502bbef0c65b833b823c553f14f2 Mon Sep 17 00:00:00 2001 From: Panagiotis Georgiadis Date: Fri, 22 Jan 2021 21:28:53 +0100 Subject: [PATCH 77/84] Selfbuild appservice-irc bridge --- docs/self-building.md | 2 ++ group_vars/matrix_servers | 2 ++ .../defaults/main.yml | 4 ++++ .../tasks/setup_install.yml | 20 +++++++++++++++++++ 4 files changed, 28 insertions(+) diff --git a/docs/self-building.md b/docs/self-building.md index da8c24b0..fb53f25f 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -18,6 +18,8 @@ List of roles where self-building the Docker image is currently possible: - `matrix-corporal` - `matrix-ma1sd` - `matrix-mailer` +- `matrix-bridge-appservice-slack` +- `matrix-bridge-appservice-irc` - `matrix-bridge-mautrix-facebook` - `matrix-bridge-mautrix-hangouts` - `matrix-bridge-mautrix-telegram` diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 42c2e3af..1d989c5d 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -147,6 +147,8 @@ matrix_appservice_slack_database_password: "{{ matrix_synapse_macaroon_secret_ke # We don't enable bridges by default. matrix_appservice_irc_enabled: false +matrix_appservice_irc_container_self_build: "{{ matrix_architecture != 'amd64' }}" + # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-irc over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-appservice-irc's client-server port to the local host. diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index 0b671e76..ba4e1e1b 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml @@ -3,6 +3,10 @@ matrix_appservice_irc_enabled: true +matrix_appservice_irc_container_self_build: false +matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git" +matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src" + matrix_appservice_irc_docker_image: "docker.io/matrixdotorg/matrix-appservice-irc:release-0.17.1" matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml index 00568c0d..856cde1c 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml @@ -59,6 +59,26 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_appservice_irc_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_irc_docker_image_force_pull }}" + when: "matrix_appservice_irc_enabled|bool and not matrix_appservice_irc_container_self_build|bool" + +- name: Ensure matrix-appservice-irc repository is present when self-building + git: + repo: "{{ matrix_appservice_irc_docker_repo }}" + dest: "{{ matrix_appservice_irc_docker_src_files_path }}" + force: "yes" + register: matrix_appservice_irc_git_pull_results + when: "matrix_appservice_irc_enabled|bool and matrix_appservice_irc_container_self_build|bool" + +- name: Ensure matrix-appservice-irc Docker image is build + docker_image: + name: "{{ matrix_appservice_irc_docker_image }}" + source: build + force_source: yes + build: + dockerfile: Dockerfile + path: "{{ matrix_appservice_irc_docker_src_files_path }}" + pull: yes + when: "matrix_appservice_irc_enabled|bool and matrix_appservice_irc_container_self_build|bool and matrix_appservice_irc_git_pull_results.changed" - name: Ensure Matrix Appservice IRC config installed copy: From 3051655d21403de36c0cdb4c5ef9a6b53802d5b5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 22 Jan 2021 22:42:40 +0200 Subject: [PATCH 78/84] Ensure matrix_appservice_irc_docker_src_files_path created when self-building The git module will create it anyway, but that would likely use `root:root`. --- .../tasks/setup_install.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml index 856cde1c..09e1d4ba 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml @@ -2,15 +2,17 @@ - name: Ensure Appservice IRC paths exist file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory mode: 0750 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" with_items: - - "{{ matrix_appservice_irc_base_path }}" - - "{{ matrix_appservice_irc_config_path }}" - - "{{ matrix_appservice_irc_data_path }}" + - { path: "{{ matrix_appservice_irc_base_path }}", when: true } + - { path: "{{ matrix_appservice_irc_config_path }}", when: true } + - { path: "{{ matrix_appservice_irc_data_path }}", when: true } + - { path: "{{ matrix_appservice_irc_docker_src_files_path }}", when: "{{ matrix_appservice_irc_container_self_build }}" } + when: item.when|bool - name: Check if an old passkey file already exists stat: From b61c8a7e72baebf503f066008e4b01dfc233049b Mon Sep 17 00:00:00 2001 From: Prasiddh Pooskur Date: Fri, 22 Jan 2021 16:38:27 -0800 Subject: [PATCH 79/84] fixed typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b195a7f8..17036a1e 100644 --- a/README.md +++ b/README.md @@ -170,7 +170,7 @@ This playbook sets up your server using the following Docker images: - [turt2live/matrix-appservice-webhooks](https://hub.docker.com/r/turt2live/matrix-appservice-webhooks) - the [Appservice Webhooks](https://github.com/turt2live/matrix-appservice-webhooks) bridge (optional) -- [folivonet/matrix-sms-bridge](https://hub.docker.com/repository/docker/folivonet/matrix-sms-bridge) - the [matrix-sms-brdige](https://github.com/benkuly/matrix-sms-bridge) (optional) +- [folivonet/matrix-sms-bridge](https://hub.docker.com/repository/docker/folivonet/matrix-sms-bridge) - the [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) (optional) - [sorunome/mx-puppet-skype](https://hub.docker.com/r/sorunome/mx-puppet-skype) - the [mx-puppet-skype](https://github.com/Sorunome/mx-puppet-skype) bridge to [Skype](https://www.skype.com) (optional) From acf7866442ec32002269b7e90995becb120605db Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 23 Jan 2021 09:23:49 +0200 Subject: [PATCH 80/84] Fix step number --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f3c821f4..2c8888f2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -53,7 +53,7 @@ CREATE ROLE matrix LOGIN SUPERUSER PASSWORD 'YOUR_POSTGRES_PASSWORD_HERE'; .. where `YOUR_POSTGRES_PASSWORD_HERE` is to be replaced with the password you generated during step #2. -1. Execute the following queries as you see them (no modifications necessary, so you can just **paste them all at once**): +9. Execute the following queries as you see them (no modifications necessary, so you can just **paste them all at once**): ```sql CREATE DATABASE matrix OWNER matrix; From f085362149745626141d4154841c3306ed3b1a5f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 23 Jan 2021 11:38:34 +0200 Subject: [PATCH 81/84] Fix some Postgres CLI scripts to target the correct database Fixes a regression introduced in 95346f3117f2a3a67a52. Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/814 Using `matrix_synapse_` variables in the `matrix-postgres` role is not ideal, but.. this script belongs neither here, nor there. We'll have it be like that for now. --- .../templates/usr-local-bin/matrix-change-user-admin-status.j2 | 2 +- .../usr-local-bin/matrix-postgres-update-user-password-hash.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 index e9c76674..6c3082ef 100644 --- a/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 +++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 @@ -16,4 +16,4 @@ docker run \ --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ --network {{ matrix_docker_network }} \ {{ matrix_postgres_docker_image_to_use }} \ - psql -h {{ matrix_postgres_connection_hostname }} -c "UPDATE users set admin=$2 WHERE name like '@$1:{{ matrix_domain }}'" + psql -h {{ matrix_postgres_connection_hostname }} --dbname={{ matrix_synapse_database_database }} -c "UPDATE users set admin=$2 WHERE name like '@$1:{{ matrix_domain }}'" diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 index e546b2c5..0fbf4f21 100644 --- a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 +++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 @@ -13,4 +13,4 @@ docker run \ --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ --network {{ matrix_docker_network }} \ {{ matrix_postgres_docker_image_to_use }} \ - psql -h {{ matrix_postgres_connection_hostname }} -c "UPDATE users set password_hash='$2' WHERE name = '@$1:{{ matrix_domain }}'" + psql -h {{ matrix_postgres_connection_hostname }} --dbname={{ matrix_synapse_database_database }} -c "UPDATE users set password_hash='$2' WHERE name = '@$1:{{ matrix_domain }}'" From 1cd251ed7840791a24a29b7705d2a429bc9b84a9 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 23 Jan 2021 14:01:27 +0200 Subject: [PATCH 82/84] Don't delete Docker images which may have been pulled by another Some people run Coturn or Jitsi, etc., by themselves and disable it in the playbook. Because the playbook is trying to be nice and clean up after itself, it was deleting these Docker images. However, people wish to pull and use them separately and would rather they don't get deleted. We could make this configurable for the sake of this special case, but it's simpler to just avoid deleting these images. It's not like this "cleaning things up" thing works anyway. As time goes on, the playbook gets updated with newer image tags and we leave so many images behind. If one doesn't run `docker system prune -a` manually once in a while, they'd get swamped with images anyway. Whether we leave a few images behind due to the lack of this cleanup now is pretty much irrelevant. --- roles/matrix-coturn/tasks/setup_uninstall.yml | 6 ++---- roles/matrix-dynamic-dns/tasks/uninstall.yml | 3 +++ roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml | 7 ++----- roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml | 7 ++----- roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml | 7 ++----- roles/matrix-jitsi/tasks/setup_jitsi_web.yml | 8 +++----- 6 files changed, 14 insertions(+), 24 deletions(-) diff --git a/roles/matrix-coturn/tasks/setup_uninstall.yml b/roles/matrix-coturn/tasks/setup_uninstall.yml index 99a7080e..4674903f 100644 --- a/roles/matrix-coturn/tasks/setup_uninstall.yml +++ b/roles/matrix-coturn/tasks/setup_uninstall.yml @@ -41,7 +41,5 @@ path: "{{ matrix_coturn_base_path }}" state: absent -- name: Ensure coturn Docker image doesn't exist - docker_image: - name: "{{ matrix_coturn_docker_image }}" - state: absent +# Intentionally not removing the Docker image when uninstalling. +# We can't be sure it had been pulled by us in the first place. diff --git a/roles/matrix-dynamic-dns/tasks/uninstall.yml b/roles/matrix-dynamic-dns/tasks/uninstall.yml index 98dca0e8..f3caba25 100644 --- a/roles/matrix-dynamic-dns/tasks/uninstall.yml +++ b/roles/matrix-dynamic-dns/tasks/uninstall.yml @@ -22,3 +22,6 @@ service: daemon_reload: yes when: "matrix_dynamic_dns_service_stat.stat.exists" + +# Intentionally not removing the Docker image when uninstalling. +# We can't be sure it had been pulled by us in the first place. diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml b/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml index 63da7fcf..dd2a7bd2 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml @@ -89,8 +89,5 @@ state: absent when: "not matrix_jitsi_enabled|bool" -- name: Ensure jitsi-jicofo Docker image doesn't exist - docker_image: - name: "{{ matrix_jitsi_jicofo_docker_image }}" - state: absent - when: "not matrix_jitsi_enabled|bool" +# Intentionally not removing the Docker image when uninstalling. +# We can't be sure it had been pulled by us in the first place. diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml index e4c7f277..b73426db 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml @@ -89,8 +89,5 @@ state: absent when: "not matrix_jitsi_enabled|bool" -- name: Ensure jitsi-jvb Docker image doesn't exist - docker_image: - name: "{{ matrix_jitsi_jvb_docker_image }}" - state: absent - when: "not matrix_jitsi_enabled|bool" +# Intentionally not removing the Docker image when uninstalling. +# We can't be sure it had been pulled by us in the first place. diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml index 66299f64..fd051fda 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml @@ -80,8 +80,5 @@ state: absent when: "not matrix_jitsi_enabled|bool" -- name: Ensure jitsi-prosody Docker image doesn't exist - docker_image: - name: "{{ matrix_jitsi_prosody_docker_image }}" - state: absent - when: "not matrix_jitsi_enabled|bool" +# Intentionally not removing the Docker image when uninstalling. +# We can't be sure it had been pulled by us in the first place. diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml index 3dd6f30c..2b8a2cd2 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml @@ -90,8 +90,6 @@ state: absent when: "not matrix_jitsi_enabled|bool" -- name: Ensure jitsi-web Docker image doesn't exist - docker_image: - name: "{{ matrix_jitsi_web_docker_image }}" - state: absent - when: "not matrix_jitsi_enabled|bool" +# Intentionally not removing the Docker image when uninstalling. +# We can't be sure it had been pulled by us in the first place. + From a2422c458a3a0d87e9a3b580821ab12dd36724e6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 23 Jan 2021 14:04:51 +0200 Subject: [PATCH 83/84] Notify of remaining matrix-postgres local data in a better way --- roles/matrix-postgres/tasks/setup_postgres.yml | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/roles/matrix-postgres/tasks/setup_postgres.yml b/roles/matrix-postgres/tasks/setup_postgres.yml index 518d1a5f..3f1d4fbe 100644 --- a/roles/matrix-postgres/tasks/setup_postgres.yml +++ b/roles/matrix-postgres/tasks/setup_postgres.yml @@ -155,9 +155,17 @@ when: "not matrix_postgres_enabled|bool" # We just want to notify the user. Deleting data is too destructive. -- name: Notify if matrix-postgres local data remains - debug: - msg: "Note: You are not using a local PostgreSQL database, but some old data remains from before in `{{ matrix_postgres_data_path }}`. Feel free to delete it." + +- name: Inject warning if matrix-postgres local data remains + set_fact: + matrix_playbook_runtime_results: | + {{ + matrix_playbook_runtime_results|default([]) + + + [ + "NOTE: You are not using a local PostgreSQL database, but some old data remains from before in `{{ matrix_postgres_data_path }}`. Feel free to delete it." + ] + }} when: "not matrix_postgres_enabled|bool and matrix_postgres_data_path_stat.stat.exists" - name: Remove Postgres scripts From a56cb34850ddf542948b914ad06636388d15c8d8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 23 Jan 2021 14:14:45 +0200 Subject: [PATCH 84/84] Notify people if /matrix/postgres/data-auto-upgrade-backup exists --- .../matrix-postgres/tasks/setup_postgres.yml | 20 ++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/roles/matrix-postgres/tasks/setup_postgres.yml b/roles/matrix-postgres/tasks/setup_postgres.yml index 3f1d4fbe..c072b2ea 100644 --- a/roles/matrix-postgres/tasks/setup_postgres.yml +++ b/roles/matrix-postgres/tasks/setup_postgres.yml @@ -120,6 +120,25 @@ - always when: "matrix_postgres_enabled|bool and matrix_postgres_additional_databases|length > 0" +- name: Check existence of matrix-postgres backup data path + stat: + path: "{{ matrix_postgres_data_path }}-auto-upgrade-backup" + register: matrix_postgres_data_backup_path_stat + when: "matrix_postgres_enabled|bool" + +- name: Inject warning if backup data remains + set_fact: + matrix_playbook_runtime_results: | + {{ + matrix_playbook_runtime_results|default([]) + + + [ + "NOTE: You have some Postgres backup data in `{{ matrix_postgres_data_path }}-auto-upgrade-backup`, which was created during the last major Postgres update you ran. If your setup works well after this upgrade, feel free to delete this whole directory." + ] + }} + when: "matrix_postgres_enabled|bool and matrix_postgres_data_backup_path_stat.stat.exists" + + # # Tasks related to getting rid of the internal postgres server (if it was previously enabled) # @@ -155,7 +174,6 @@ when: "not matrix_postgres_enabled|bool" # We just want to notify the user. Deleting data is too destructive. - - name: Inject warning if matrix-postgres local data remains set_fact: matrix_playbook_runtime_results: |