From 303de935d509bd2ada44f1a3a620d241ea61dbd8 Mon Sep 17 00:00:00 2001 From: sakkiii Date: Wed, 5 May 2021 22:12:56 +0530 Subject: [PATCH 01/11] grafana CSP backward compatible with older browsers --- roles/matrix-grafana/defaults/main.yml | 5 +++++ roles/matrix-grafana/templates/grafana.ini.j2 | 6 ++++++ 2 files changed, 11 insertions(+) diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index 60c9c7f2..4e5064ab 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -37,6 +37,11 @@ matrix_grafana_default_admin_password: admin # [Content Security Policy](https://grafana.com/docs/grafana/latest/administration/configuration/#content_security_policy) matrix_grafana_content_security_policy: true +# specify content security policy template to customized template +# added 'unsafe-inline' (ignored by browsers supporting nonces/hashes) to be backward compatible with older browsers. +# added https: and http: url schemes (ignored by browsers supporting 'strict-dynamic') to be backward compatible with older browsers. +matrix_grafana_content_security_policy_customized: true + # A list of extra arguments to pass to the container matrix_grafana_container_extra_arguments: [] diff --git a/roles/matrix-grafana/templates/grafana.ini.j2 b/roles/matrix-grafana/templates/grafana.ini.j2 index 38534bc3..f442ed47 100644 --- a/roles/matrix-grafana/templates/grafana.ini.j2 +++ b/roles/matrix-grafana/templates/grafana.ini.j2 @@ -8,6 +8,12 @@ admin_password = """{{ matrix_grafana_default_admin_password }}""" # specify content_security_policy to add the Content-Security-Policy header to your requests content_security_policy = "{{ matrix_grafana_content_security_policy }}" +# specify content security policy template to customized template +{% if matrix_synapse_metrics_enabled %} +content_security_policy_template = """script-src http: https: 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data:;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';""" +{% else %} +{% endif %} + [auth.anonymous] # enable anonymous access enabled = {{ matrix_grafana_anonymous_access }} From 37de7fc96a32ef3fb58b5587acd6171a27bcb6e8 Mon Sep 17 00:00:00 2001 From: sakkiii Date: Wed, 5 May 2021 22:25:38 +0530 Subject: [PATCH 02/11] Updated Reference --- roles/matrix-grafana/defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index 4e5064ab..a5d60338 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -40,6 +40,8 @@ matrix_grafana_content_security_policy: true # specify content security policy template to customized template # added 'unsafe-inline' (ignored by browsers supporting nonces/hashes) to be backward compatible with older browsers. # added https: and http: url schemes (ignored by browsers supporting 'strict-dynamic') to be backward compatible with older browsers. +# [Content Security Policy Browser Test] (https://content-security-policy.com/browser-test/) +# [Content Security Policy Reference](https://content-security-policy.com/script-src/) matrix_grafana_content_security_policy_customized: true # A list of extra arguments to pass to the container From 116bcaa13b171cc16adac089516f3e03d510675b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?B=C3=A9la=20Becker?= Date: Wed, 5 May 2021 19:05:17 +0200 Subject: [PATCH 03/11] Update jitsi to stable-5765-1 Changelog: https://github.com/jitsi/docker-jitsi-meet/blob/stable-5765-1/CHANGELOG.md --- roles/matrix-jitsi/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 850c456e..7dcff987 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -52,7 +52,7 @@ matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_enable_lobby: false -matrix_jitsi_version: stable-5142 +matrix_jitsi_version: stable-5765-1 matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}" From b10655ebb1b5c0d599727ca5373f5fbc193a0cc5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?B=C3=A9la=20Becker?= Date: Wed, 5 May 2021 19:07:17 +0200 Subject: [PATCH 04/11] Jitsi XMPP Websocket support Jitsi-meet enabled websockets by default, claiming better reliability. Matrix-nginx-proxy configuration has been set up according to the Prosody documentation: https://prosody.im/doc/websocket --- roles/matrix-jitsi/templates/prosody/env.j2 | 2 ++ .../nginx/conf.d/matrix-jitsi.conf.j2 | 21 +++++++++++++++++++ 2 files changed, 23 insertions(+) diff --git a/roles/matrix-jitsi/templates/prosody/env.j2 b/roles/matrix-jitsi/templates/prosody/env.j2 index a09fa0f8..0c977d45 100644 --- a/roles/matrix-jitsi/templates/prosody/env.j2 +++ b/roles/matrix-jitsi/templates/prosody/env.j2 @@ -3,6 +3,8 @@ AUTH_TYPE={{ matrix_jitsi_auth_type }} ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }} ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }} +PUBLIC_URL={{ matrix_jitsi_web_public_url }} + LDAP_URL={{ matrix_jitsi_ldap_url }} LDAP_BASE={{ matrix_jitsi_ldap_base }} LDAP_BINDDN={{ matrix_jitsi_ldap_binddn }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index 42d8451d..0b44f44d 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -49,6 +49,27 @@ tcp_nodelay on; } + + # XMPP websocket + location = /xmpp-websocket { + {% if matrix_nginx_proxy_enabled %} + resolver 127.0.0.11 valid=5s; + set $backend {{ matrix_jitsi_xmpp_bosh_url_base }}; + proxy_pass $backend/xmpp-websocket; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://127.0.0.1:5280; + {% endif %} + proxy_set_header Host $host; + + proxy_http_version 1.1; + proxy_read_timeout 900s; + proxy_set_header Connection "upgrade"; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + tcp_nodelay on; + } {% endmacro %} server { From 0d5fe2d9f71e17551b98a3c5d3bc30d88a595e4e Mon Sep 17 00:00:00 2001 From: sakkiii Date: Thu, 6 May 2021 12:38:40 +0530 Subject: [PATCH 05/11] Update roles/matrix-grafana/templates/grafana.ini.j2 Co-authored-by: Aaron Raimist --- roles/matrix-grafana/templates/grafana.ini.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-grafana/templates/grafana.ini.j2 b/roles/matrix-grafana/templates/grafana.ini.j2 index f442ed47..fb351fe9 100644 --- a/roles/matrix-grafana/templates/grafana.ini.j2 +++ b/roles/matrix-grafana/templates/grafana.ini.j2 @@ -9,7 +9,7 @@ admin_password = """{{ matrix_grafana_default_admin_password }}""" content_security_policy = "{{ matrix_grafana_content_security_policy }}" # specify content security policy template to customized template -{% if matrix_synapse_metrics_enabled %} +{% if matrix_grafana_content_security_policy_customized %} content_security_policy_template = """script-src http: https: 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data:;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';""" {% else %} {% endif %} From 9174448e5ec12828a4cf0ff47a23a781524f4d0d Mon Sep 17 00:00:00 2001 From: sakkiii Date: Thu, 6 May 2021 12:46:17 +0530 Subject: [PATCH 06/11] get rid of this {% else %} --- roles/matrix-grafana/templates/grafana.ini.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/matrix-grafana/templates/grafana.ini.j2 b/roles/matrix-grafana/templates/grafana.ini.j2 index fb351fe9..42cfcb12 100644 --- a/roles/matrix-grafana/templates/grafana.ini.j2 +++ b/roles/matrix-grafana/templates/grafana.ini.j2 @@ -11,7 +11,6 @@ content_security_policy = "{{ matrix_grafana_content_security_policy }}" # specify content security policy template to customized template {% if matrix_grafana_content_security_policy_customized %} content_security_policy_template = """script-src http: https: 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data:;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';""" -{% else %} {% endif %} [auth.anonymous] From cdaf4695c06ff1768384edbbd2668b21227b62f9 Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Sat, 8 May 2021 15:07:54 -0500 Subject: [PATCH 07/11] Tweak maintenance-synapse.md --- docs/maintenance-synapse.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/docs/maintenance-synapse.md b/docs/maintenance-synapse.md index d6c4789d..62bb8b16 100644 --- a/docs/maintenance-synapse.md +++ b/docs/maintenance-synapse.md @@ -14,11 +14,7 @@ Table of contents: ## Purging old data with the Purge History API -You can use the **Purge History API** to delete in-use (but old) data. - -**This is destructive** (especially for non-federated rooms), because it means **people will no longer have access to history past a certain point**. - -Synapse's [Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.rst) can be used to purge on a per-room basis. +You can use the **[Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.rst)** to delete old messages on a per-room basis. **This is destructive** (especially for non-federated rooms), because it means **people will no longer have access to history past a certain point**. To make use of this API, **you'll need an admin access token** first. You can find your access token in the setting of some clients (like Element). Alternatively, you can log in and obtain a new access token like this: @@ -29,6 +25,8 @@ curl \ https://matrix.DOMAIN/_matrix/client/r0/login ``` +Synapse's Admin API is not exposed to the internet by default. To expose it you will need to add `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` to your `vars.yml` file. + Follow the [Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.rst) documentation page for the actual purging instructions. After deleting data, you may wish to run a [`FULL` Postgres `VACUUM`](./maintenance-postgres.md#vacuuming-postgresql). @@ -36,7 +34,7 @@ After deleting data, you may wish to run a [`FULL` Postgres `VACUUM`](./maintena ## Compressing state with rust-synapse-compress-state -[rust-synapse-compress-state](https://github.com/matrix-org/rust-synapse-compress-state) can be used to optimize some `_state` tables used by Synapse. +[rust-synapse-compress-state](https://github.com/matrix-org/rust-synapse-compress-state) can be used to optimize some `_state` tables used by Synapse. If your server participates in large rooms this is the most effective way to reduce the size of your database. This tool should be safe to use (even when Synapse is running), but it's always a good idea to [make Postgres backups](./maintenance-postgres.md#backing-up-postgresql) first. @@ -54,7 +52,10 @@ After state compression, you may wish to run a [`FULL` Postgres `VACUUM`](./main ## Browse and manipulate the database -When the [matrix admin API](https://github.com/matrix-org/synapse/tree/master/docs/admin_api) and the other tools do not provide a more convenient way, having a look at synapse's postgresql database can satisfy a lot of admins' needs. +When the [Synapse Admin API](https://github.com/matrix-org/synapse/tree/master/docs/admin_api) and the other tools do not provide a more convenient way, having a look at synapse's postgresql database can satisfy a lot of admins' needs. + +Editing the database manually is not recommended or supported by the Synapse developers. If you are going to do so you should [make a database backup](./maintenance-postgres.md#backing-up-postgresql). + First, set up an SSH tunnel to your matrix server (skip if it is your local machine): ``` From 65035c62c1d8580abc7dd9899a412aa4cbb5686a Mon Sep 17 00:00:00 2001 From: Aaron Raimist Date: Sat, 8 May 2021 15:16:31 -0500 Subject: [PATCH 08/11] Mention updating Nginx --- docs/configuring-playbook-own-webserver.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 915c2c37..8a827d0d 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -55,6 +55,8 @@ Note that if your nginx version is old, it might not like our default choice of matrix_nginx_proxy_ssl_protocols: "TLSv1.2" ``` +If you are experiencing issues, try updating to a newer version of Nginx. As a data point in May 2021 a user reported that Nginx 1.14.2 was not working for them. They were getting errors about socket leaks. Updating to Nginx 1.19 fixed their issue. + ### Using your own external Apache webserver From a198b874553dba6a6663fb355b095e3b1f04f850 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 10 May 2021 10:05:10 +0300 Subject: [PATCH 09/11] Upgrade synapse-admin (0.7.2 -> 0.8.0) Related to https://github.com/Awesome-Technologies/synapse-admin/issues/132 --- roles/matrix-synapse-admin/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse-admin/defaults/main.yml b/roles/matrix-synapse-admin/defaults/main.yml index 402b8a1d..612b33e3 100644 --- a/roles/matrix-synapse-admin/defaults/main.yml +++ b/roles/matrix-synapse-admin/defaults/main.yml @@ -8,7 +8,7 @@ matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Tech matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" -matrix_synapse_admin_version: 0.7.2 +matrix_synapse_admin_version: 0.8.0 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}" From 33f0074862093915dc004d09ea73f7fd6d3bc027 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 10 May 2021 11:23:08 +0300 Subject: [PATCH 10/11] Upgrade matrix-mailer (4.94-r0 -> 4.94.2-r0) Related to https://github.com/devture/exim-relay/issues/6 --- roles/matrix-mailer/defaults/main.yml | 2 +- roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/matrix-mailer/defaults/main.yml b/roles/matrix-mailer/defaults/main.yml index 62ec9186..c1d2cc67 100644 --- a/roles/matrix-mailer/defaults/main.yml +++ b/roles/matrix-mailer/defaults/main.yml @@ -7,7 +7,7 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src" matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}" -matrix_mailer_version: 4.94-r0 +matrix_mailer_version: 4.94.2-r0 matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}" matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 index 14712935..bf5a2e42 100644 --- a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 +++ b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2 @@ -18,7 +18,6 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mailer \ --user={{ matrix_mailer_container_user_uid }}:{{ matrix_mailer_container_user_gid }} \ --cap-drop=ALL \ --read-only \ - --init \ --tmpfs=/var/spool/exim:rw,noexec,nosuid,size=100m \ --network={{ matrix_docker_network }} \ --env-file={{ matrix_mailer_base_path }}/env-mailer \ From 3dcc0069323b7fbe73094a7c7baa6158556653f4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 10 May 2021 11:35:53 +0300 Subject: [PATCH 11/11] Fix self-building for Coturn 689dcea773409 wasn't enough. The `upstream/..` tags are just upstream sources, without the alpine-based Dockerfile. We need to use the `docker/..` tags for that (or `master`) Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1032 Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1023 Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1009 --- roles/matrix-coturn/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index 624ab7d0..ad8735fe 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -2,7 +2,7 @@ matrix_coturn_enabled: true matrix_coturn_container_image_self_build: false matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn" -matrix_coturn_container_image_self_build_repo_version: "upstream/{{ matrix_coturn_version }}" +matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}-r0" matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile" matrix_coturn_version: 4.5.2