From 50d7209c5be829743655fdea0f773cd3dd04b04e Mon Sep 17 00:00:00 2001 From: Michael-GMH Date: Thu, 22 Apr 2021 11:45:59 +0800 Subject: [PATCH] GMH v04.3 --- CHANGELOG.md | 14 +++++++++ ...guring-playbook-bridge-mautrix-facebook.md | 29 +++++++++++++++---- docs/configuring-playbook-jitsi.md | 2 +- docs/container-images.md | 2 +- docs/prerequisites.md | 3 +- group_vars/matrix_servers | 6 +--- .../surveys/configure_synapse.json.j2 | 4 +-- roles/matrix-awx/tasks/main.yml | 9 ++++++ roles/matrix-awx/tasks/rename_variables.yml | 8 +++++ .../tasks/set_variables_synapse.yml | 2 +- roles/matrix-coturn/defaults/main.yml | 7 +++-- .../systemd/matrix-coturn.service.j2 | 1 + .../templates/turnserver.conf.j2 | 6 ++++ roles/matrix-grafana/defaults/main.yml | 8 ++++- roles/matrix-grafana/templates/grafana.ini.j2 | 3 ++ roles/matrix-nginx-proxy/defaults/main.yml | 10 +++++++ .../nginx/conf.d/matrix-base-domain.conf.j2 | 5 ++++ .../nginx/conf.d/matrix-bot-go-neb.conf.j2 | 2 ++ .../conf.d/matrix-client-element.conf.j2 | 5 ++++ .../nginx/conf.d/matrix-dimension.conf.j2 | 5 ++++ .../nginx/conf.d/matrix-domain.conf.j2 | 4 +++ .../nginx/conf.d/matrix-grafana.conf.j2 | 16 ++++++++-- .../nginx/conf.d/matrix-jitsi.conf.j2 | 5 ++++ .../nginx/conf.d/matrix-riot-web.conf.j2 | 4 +++ .../nginx/conf.d/matrix-sygnal.conf.j2 | 2 ++ .../templates/nginx/nginx.conf.j2 | 2 ++ .../defaults/main.yml | 16 ++++++++-- ...matrix-prometheus-node-exporter.service.j2 | 8 ++--- roles/matrix-prometheus/defaults/main.yml | 3 +- .../matrix-prometheus/tasks/setup_install.yml | 16 ---------- roles/matrix-synapse-admin/defaults/main.yml | 2 +- 31 files changed, 161 insertions(+), 48 deletions(-) create mode 100644 roles/matrix-awx/tasks/rename_variables.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 326c2103..37988c94 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,17 @@ +# 2021-04-16 + +## Disabling TLSv1 and TLSv1.1 for Coturn + +To improve security, we've [removed TLSv1 and TLSv1.1 support](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/999) from our default [Coturn](https://github.com/coturn/coturn) configuration. + +If you need to support old clients, you can re-enable both (or whichever one you need) with the following configuration: + +```yaml +matrix_coturn_tls_v1_enabled: true +matrix_coturn_tls_v1_1_enabled: true +``` + + # 2021-04-05 ## Automated local Postgres backup support diff --git a/docs/configuring-playbook-bridge-mautrix-facebook.md b/docs/configuring-playbook-bridge-mautrix-facebook.md index a228f7cb..d07873ae 100644 --- a/docs/configuring-playbook-bridge-mautrix-facebook.md +++ b/docs/configuring-playbook-bridge-mautrix-facebook.md @@ -2,16 +2,37 @@ The playbook can install and configure [mautrix-facebook](https://github.com/tulir/mautrix-facebook) for you. -See the project's [documentation](https://github.com/tulir/mautrix-facebook/wiki#usage) to learn what it does and why it might be useful to you. +See the project's [documentation](https://github.com/tulir/mautrix-facebook/blob/master/ROADMAP.md) to learn what it does and why it might be useful to you. ```yaml matrix_mautrix_facebook_enabled: true ``` +There are some additional things you may wish to configure about the bridge before you continue. + +Encryption support is off by default. If you would like to enable encryption, add the following to your `vars.yml` file: +```yaml +matrix_mautrix_facebook_configuration_extension_yaml: | + bridge: + encryption: + allow: true + default: true +``` + +If you would like to be able to administrate the bridge from your account it can be configured like this: +```yaml +matrix_mautrix_facebook_configuration_extension_yaml: | + bridge: + permissions: + '@YOUR_USERNAME:YOUR_DOMAIN': admin +``` + +You may wish to look at `roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2` to find other things you would like to configure. + ## Set up Double Puppeting -If you'd like to use [Double Puppeting](https://github.com/tulir/mautrix-facebook/wiki/Authentication#double-puppeting) (hint: you most likely do), you have 2 ways of going about it. +If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it. ### Method 1: automatically, by enabling Shared Secret Auth @@ -42,9 +63,7 @@ https://matrix.DOMAIN/_matrix/client/r0/login You then need to start a chat with `@facebookbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain). -Send `login YOUR_FACEBOOK_EMAIL_ADDRESS YOUR_FACEBOOK_PASSWORD` to the bridge bot to enable bridging for your Facebook/Messenger account. - -You can learn more here about authentication from the bridge's [official documentation on Authentication](https://github.com/tulir/mautrix-facebook/wiki/Authentication). +Send `login YOUR_FACEBOOK_EMAIL_ADDRESS` to the bridge bot to enable bridging for your Facebook Messenger account. You can learn more here about authentication from the bridge's [official documentation on Authentication](https://docs.mau.fi/bridges/python/facebook/authentication.html). If you run into trouble, check the [Troubleshooting](#troubleshooting) section below. diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index f72241e1..81ceb9fb 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -13,8 +13,8 @@ Before installing Jitsi, make sure you've created the `jitsi.DOMAIN` DNS record. You may also need to open the following ports to your server: -- `10000/udp` - RTP media over UDP - `4443/tcp` - RTP media fallback over TCP +- `10000/udp` - RTP media over UDP. Depending on your firewall/NAT setup, incoming RTP packets on port `10000` may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`matrix_jitsi_jvb_stun_servers`](../roles/matrix-jitsi/defaults/main.yml)). ## Installation diff --git a/docs/container-images.md b/docs/container-images.md index 7cc7c2f6..f2914488 100644 --- a/docs/container-images.md +++ b/docs/container-images.md @@ -11,7 +11,7 @@ These services are enabled and used by default, but you can turn them off, if yo - [matrixdotorg/synapse](https://hub.docker.com/r/matrixdotorg/synapse/) - the official [Synapse](https://github.com/matrix-org/synapse) Matrix homeserver (optional) -- [instrumentisto/coturn](https://hub.docker.com/r/instrumentisto/coturn/) - the [Coturn](https://github.com/coturn/coturn) STUN/TURN server (optional) +- [coturn/coturn](https://hub.docker.com/r/coturn/coturn/) - the [Coturn](https://github.com/coturn/coturn) STUN/TURN server (optional) - [vectorim/element-web](https://hub.docker.com/r/vectorim/element-web/) - the [Element](https://element.io/) web client (optional) diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 8b7e9d00..39b42ef1 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md @@ -34,7 +34,6 @@ If your distro runs within an [LXC container](https://linuxcontainers.org/), you - `5349/udp`: TURN over UDP (used by Coturn) - `8448/tcp`: Matrix Federation API HTTPS webserver. In some cases, this **may necessary even with federation disabled**. Integration Servers (like Dimension) and Identity Servers (like ma1sd) may need to access `openid` APIs on the federation port. - the range `49152-49172/udp`: TURN over UDP - - `4443/tcp`: Jitsi Harvester fallback - - `10000/udp`: Jitsi video RTP. Depending on your firewall/NAT setup, incoming RTP packets on port `10000` may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`matrix_jitsi_jvb_stun_servers`](../roles/matrix-jitsi/defaults/main.yml)). + - potentially some other ports, depending on the additional (non-default) services that you enable in the **configuring the playbook** step (later on). Consult each service's documentation page in `docs/` for that. When ready to proceed, continue with [Configuring DNS](configuring-dns.md). diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index fb007d92..1f9d5926 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1675,11 +1675,6 @@ matrix_synapse_admin_container_self_build: "{{ matrix_architecture != 'amd64' }} matrix_prometheus_node_exporter_enabled: false -# Normally, matrix-nginx-proxy is enabled and nginx can reach Prometheus Node Exporter over the container network. -# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# Prometheus' HTTP port to the local host. -matrix_prometheus_node_exporter_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9200' }}" - ###################################################################### # # /matrix-prometheus-node-exporter @@ -1706,6 +1701,7 @@ matrix_prometheus_scraper_synapse_targets: ['matrix-synapse:{{ matrix_synapse_me matrix_prometheus_scraper_synapse_rules_synapse_tag: "{{ matrix_synapse_docker_image_tag }}" matrix_prometheus_scraper_node_enabled: "{{ matrix_prometheus_node_exporter_enabled }}" +matrix_prometheus_scraper_node_targets: "{{ ['matrix-prometheus-node-exporter:9100'] if matrix_prometheus_node_exporter_enabled else [] }}" ###################################################################### # diff --git a/roles/matrix-awx/surveys/configure_synapse.json.j2 b/roles/matrix-awx/surveys/configure_synapse.json.j2 index e3fca6a2..f8d725da 100755 --- a/roles/matrix-awx/surveys/configure_synapse.json.j2 +++ b/roles/matrix-awx/surveys/configure_synapse.json.j2 @@ -56,10 +56,10 @@ "required": false, "min": null, "max": null, - "default": "{{ matrix_synapse_use_presence | string | lower }}", + "default": "{{ matrix_synapse_presence_enabled | string | lower }}", "choices": "true\nfalse", "new_question": true, - "variable": "matrix_synapse_use_presence", + "variable": "matrix_synapse_presence_enabled", "type": "multiplechoice" }, { diff --git a/roles/matrix-awx/tasks/main.yml b/roles/matrix-awx/tasks/main.yml index 68d8153b..58546d5b 100755 --- a/roles/matrix-awx/tasks/main.yml +++ b/roles/matrix-awx/tasks/main.yml @@ -8,6 +8,15 @@ tags: - always +# Renames the variables if needed +- include_tasks: + file: "rename_variables.yml" + apply: + tags: always + when: run_setup|bool and matrix_awx_enabled|bool + tags: + - always + # Perform a backup of the server - include_tasks: file: "backup_server.yml" diff --git a/roles/matrix-awx/tasks/rename_variables.yml b/roles/matrix-awx/tasks/rename_variables.yml new file mode 100644 index 00000000..e8992bd8 --- /dev/null +++ b/roles/matrix-awx/tasks/rename_variables.yml @@ -0,0 +1,8 @@ + +- name: Rename synapse presence variable + delegate_to: 127.0.0.1 + replace: + path: "/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml" + regexp: 'matrix_synapse_use_presence' + replace: 'matrix_synapse_presence_enabled' + diff --git a/roles/matrix-awx/tasks/set_variables_synapse.yml b/roles/matrix-awx/tasks/set_variables_synapse.yml index e481d399..e1a7312c 100755 --- a/roles/matrix-awx/tasks/set_variables_synapse.yml +++ b/roles/matrix-awx/tasks/set_variables_synapse.yml @@ -21,7 +21,7 @@ 'matrix_synapse_enable_registration': '{{ matrix_synapse_enable_registration }}' 'matrix_synapse_federation_enabled': '{{ matrix_synapse_federation_enabled }}' 'matrix_synapse_enable_group_creation': '{{ matrix_synapse_enable_group_creation }}' - 'matrix_synapse_use_presence': '{{ matrix_synapse_use_presence }}' + 'matrix_synapse_presence_enabled': '{{ matrix_synapse_presence_enabled }}' 'matrix_synapse_max_upload_size_mb': '{{ matrix_synapse_max_upload_size_mb }}' 'matrix_synapse_url_preview_enabled': '{{ matrix_synapse_url_preview_enabled }}' 'matrix_synapse_allow_guest_access': '{{ matrix_synapse_allow_guest_access }}' diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml index 9eccfde2..de5b7b91 100644 --- a/roles/matrix-coturn/defaults/main.yml +++ b/roles/matrix-coturn/defaults/main.yml @@ -1,10 +1,10 @@ matrix_coturn_enabled: true matrix_coturn_container_image_self_build: false -matrix_coturn_container_image_self_build_repo: "https://github.com/instrumentisto/coturn-docker-image.git" +matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn/tree/master/docker/coturn/alpine.git" matrix_coturn_version: 4.5.2 -matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:{{ matrix_coturn_version }}" +matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}" matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}" matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}" @@ -73,3 +73,6 @@ matrix_coturn_total_quota: null matrix_coturn_tls_enabled: false matrix_coturn_tls_cert_path: ~ matrix_coturn_tls_key_path: ~ + +matrix_coturn_tls_v1_enabled: false +matrix_coturn_tls_v1_1_enabled: false diff --git a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 index 930db7c1..a39030af 100644 --- a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 +++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2 @@ -17,6 +17,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-coturn \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ + --cap-add=NET_BIND_SERVICE \ --entrypoint=turnserver \ --read-only \ --tmpfs=/var/tmp:rw,noexec,nosuid,size=100m \ diff --git a/roles/matrix-coturn/templates/turnserver.conf.j2 b/roles/matrix-coturn/templates/turnserver.conf.j2 index 3fcf0b67..ba662587 100644 --- a/roles/matrix-coturn/templates/turnserver.conf.j2 +++ b/roles/matrix-coturn/templates/turnserver.conf.j2 @@ -16,6 +16,12 @@ no-cli {% if matrix_coturn_tls_enabled %} cert={{ matrix_coturn_tls_cert_path }} pkey={{ matrix_coturn_tls_key_path }} +{% if not matrix_coturn_tls_v1_enabled %} +no-tlsv1 +{% endif %} +{% if not matrix_coturn_tls_v1_1_enabled %} +no-tlsv1_1 +{% endif %} {% else %} no-tls no-dtls diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index f358608b..958d8ed2 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -3,7 +3,7 @@ matrix_grafana_enabled: false -matrix_grafana_version: 7.5.2 +matrix_grafana_version: 7.5.4 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}" matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}" @@ -31,6 +31,12 @@ matrix_grafana_anonymous_access_org_name: 'Main Org.' matrix_grafana_default_admin_user: admin matrix_grafana_default_admin_password: admin +# Set to true to add the Content-Security-Policy header to your requests. +# CSP allows to control resources that the user agent can load and helps +# prevent XSS attacks. +# [Content Security Policy](https://grafana.com/docs/grafana/latest/administration/configuration/#content_security_policy) +matrix_grafana_content_security_policy: true + # A list of extra arguments to pass to the container matrix_grafana_container_extra_arguments: [] diff --git a/roles/matrix-grafana/templates/grafana.ini.j2 b/roles/matrix-grafana/templates/grafana.ini.j2 index c7fe1d91..38534bc3 100644 --- a/roles/matrix-grafana/templates/grafana.ini.j2 +++ b/roles/matrix-grafana/templates/grafana.ini.j2 @@ -5,6 +5,9 @@ admin_user = "{{ matrix_grafana_default_admin_user }}" # default admin password, can be changed before first start of grafana, or in profile settings admin_password = """{{ matrix_grafana_default_admin_password }}""" +# specify content_security_policy to add the Content-Security-Policy header to your requests +content_security_policy = "{{ matrix_grafana_content_security_policy }}" + [auth.anonymous] # enable anonymous access enabled = {{ matrix_grafana_anonymous_access }} diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index b814f7c9..fdb76a32 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -269,6 +269,16 @@ matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to the base domain server configuration (matrix-base-domain.conf). matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: [] +# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses for all vhosts meant to be accessed by users. +# +# Learn more about what it is here: +# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea +# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network +# - https://amifloced.org/ +# +# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. +matrix_nginx_proxy_floc_optout_enabled: true + # Specifies the SSL configuration that should be used for the SSL protocols and ciphers # This is based on the Mozilla Server Side TLS Recommended configurations. # diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 index 227747a5..a2d59e86 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 @@ -5,6 +5,11 @@ gzip on; gzip_types text/plain application/json; + + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + {% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 index 3c3231f4..91cd9e41 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 @@ -3,8 +3,10 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Content-Type-Options nosniff; + {% for configuration_block in matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index f56d7fd5..f3a537da 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -3,9 +3,14 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options SAMEORIGIN; + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + {% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index 038d3557..db93be48 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -3,8 +3,13 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Content-Type-Options nosniff; + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + {% for configuration_block in matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 1d2470a9..703c490e 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -17,6 +17,10 @@ gzip on; gzip_types text/plain application/json; + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + location /.well-known/matrix { root {{ matrix_static_files_base_path }}; {# diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 index 0e1f1c2d..c1978563 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 @@ -3,9 +3,19 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - add_header X-Content-Type-Options nosniff; - add_header X-Frame-Options SAMEORIGIN; + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + # duplicate X-Content-Type-Options & X-Frame-Options header + # Enabled by grafana by default + # add_header X-Content-Type-Options nosniff; + # add_header X-Frame-Options SAMEORIGIN; + add_header Referrer-Policy "strict-origin-when-cross-origin"; + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + + proxy_cookie_path / "/; HTTPOnly; Secure"; + {% for configuration_block in matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index a20d8a73..42d8451d 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -3,8 +3,13 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Content-Type-Options nosniff; + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + {% for configuration_block in matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index a70dcea3..a69424f4 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -1,6 +1,10 @@ #jinja2: lstrip_blocks: "True" {% macro render_vhost_directives() %} + {% if matrix_nginx_proxy_floc_optout_enabled %} + add_header Permissions-Policy interest-cohort=() always; + {% endif %} + {% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 index e4712657..ac0253d5 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 @@ -3,9 +3,11 @@ {% macro render_vhost_directives() %} gzip on; gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options DENY; + {% for configuration_block in matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 index dae83ab9..9ec7fa56 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 @@ -48,6 +48,8 @@ http { keepalive_timeout 65; + server_tokens off; + #gzip on; {# Map directive needed for proxied WebSocket upgrades #} map $http_upgrade $connection_upgrade { diff --git a/roles/matrix-prometheus-node-exporter/defaults/main.yml b/roles/matrix-prometheus-node-exporter/defaults/main.yml index e4bf7cf7..492d48b1 100644 --- a/roles/matrix-prometheus-node-exporter/defaults/main.yml +++ b/roles/matrix-prometheus-node-exporter/defaults/main.yml @@ -3,7 +3,7 @@ matrix_prometheus_node_exporter_enabled: false -matrix_prometheus_node_exporter_version: v1.1.0 +matrix_prometheus_node_exporter_version: v1.1.2 matrix_prometheus_node_exporter_docker_image: "{{ matrix_container_global_registry_prefix }}prom/node-exporter:{{ matrix_prometheus_node_exporter_version }}" matrix_prometheus_node_exporter_docker_image_force_pull: "{{ matrix_prometheus_node_exporter_docker_image.endswith(':latest') }}" @@ -18,5 +18,17 @@ matrix_prometheus_node_exporter_systemd_wanted_services_list: [] # Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9100 in the container). # -# Takes an ":" or "" value (e.g. "127.0.0.1:9100"), or empty string to not expose. +# Takes an ":" value (e.g. "127.0.0.1:9100"), or empty string to not expose. +# +# Official recommendations are to run this container with `--net=host`, +# but we don't do that, since it: +# - likely exposes the metrics web server way too publicly (before applying https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1008) +# - or listens on a loopback interface only (--net=host and 127.0.0.1:9100), which is not reachable from another container (like `matrix-prometheus`) +# +# Using `--net=host` and binding to Docker's `matrix` bridge network may be a solution to both, +# but that's trickier to accomplish and won't necessarily work (hasn't been tested). +# +# Not using `--net=host` means that our network statistic reports are likely broken (inaccurate), +# because node-exporter can't see all interfaces, etc. +# For now, we'll live with that, until someone develops a better solution. matrix_prometheus_node_exporter_container_http_host_bind_port: '' diff --git a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 index 93638c19..210a0d97 100644 --- a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 +++ b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2 @@ -22,13 +22,13 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-nod --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --read-only \ - {% if matrix_prometheus_node_exporter_container_http_host_bind_port %} - -p {{ matrix_prometheus_node_exporter_container_http_host_bind_port }}:9100 \ - {% endif %} {% for arg in matrix_prometheus_node_exporter_container_extra_arguments %} {{ arg }} \ {% endfor %} - --net=host \ + --network={{ matrix_docker_network }} \ + {% if matrix_prometheus_node_exporter_container_http_host_bind_port %} + -p {{ matrix_prometheus_node_exporter_container_http_host_bind_port }}:9100 \ + {% endif %} --pid=host \ --mount type=bind,src=/,dst=/host,ro,bind-propagation=rslave \ {{ matrix_prometheus_node_exporter_docker_image }} \ diff --git a/roles/matrix-prometheus/defaults/main.yml b/roles/matrix-prometheus/defaults/main.yml index 3c4acc85..1c9bc144 100644 --- a/roles/matrix-prometheus/defaults/main.yml +++ b/roles/matrix-prometheus/defaults/main.yml @@ -3,7 +3,7 @@ matrix_prometheus_enabled: false -matrix_prometheus_version: v2.24.1 +matrix_prometheus_version: v2.26.0 matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}" matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}" @@ -64,4 +64,3 @@ matrix_prometheus_configuration_extension: "{{ matrix_prometheus_configuration_e # Holds the final configuration (a combination of the default and its extension). # You most likely don't need to touch this variable. Instead, see `matrix_prometheus_configuration_yaml`. matrix_prometheus_configuration: "{{ matrix_prometheus_configuration_yaml|from_yaml|combine(matrix_prometheus_configuration_extension, recursive=True) }}" - diff --git a/roles/matrix-prometheus/tasks/setup_install.yml b/roles/matrix-prometheus/tasks/setup_install.yml index 8aee5178..15a69279 100644 --- a/roles/matrix-prometheus/tasks/setup_install.yml +++ b/roles/matrix-prometheus/tasks/setup_install.yml @@ -19,22 +19,6 @@ - "{{ matrix_prometheus_config_path }}" - "{{ matrix_prometheus_data_path }}" -- block: - # Well, this actually creates the network if it doesn't exist, but.. - # The network should have been created by `matrix-base` already. - # We don't rely on that other call and its result, because it runs - # on `--tags=setup-all`, but will get skipped during `--tags=setup-prometheus`. - - name: Fetch Matrix Docker network details - docker_network: - name: "{{ matrix_docker_network }}" - driver: bridge - register: matrix_docker_network_info - - - set_fact: - matrix_prometheus_scraper_node_targets: ["{{ matrix_docker_network_info.network.IPAM.Config[0].Gateway }}:9100"] - when: "matrix_prometheus_scraper_node_enabled|bool and matrix_prometheus_scraper_node_targets|length == 0" - - - name: Download synapse-v2.rules get_url: url: "{{ matrix_prometheus_scraper_synapse_rules_download_url }}" diff --git a/roles/matrix-synapse-admin/defaults/main.yml b/roles/matrix-synapse-admin/defaults/main.yml index c7f128e3..402b8a1d 100644 --- a/roles/matrix-synapse-admin/defaults/main.yml +++ b/roles/matrix-synapse-admin/defaults/main.yml @@ -8,7 +8,7 @@ matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Tech matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src" -matrix_synapse_admin_version: 0.7.0 +matrix_synapse_admin_version: 0.7.2 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}" matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}" matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}"