diff --git a/docs/prerequisites.md b/docs/prerequisites.md
index e678a0bd..8b7e9d00 100644
--- a/docs/prerequisites.md
+++ b/docs/prerequisites.md
@@ -20,8 +20,6 @@ If your distro runs within an [LXC container](https://linuxcontainers.org/), you - The [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you. Take a look at [our guide about Ansible](ansible.md) for more information, as well as [version requirements](ansible.md#supported-ansible-versions) and alternative ways to run Ansible. -- Either the `dig` tool or `python-dns` installed on your own computer. Used later on, by the playbook's [services check](maintenance-checking-services.md) feature. - - An HTTPS-capable web server at the base domain name (``) which is capable of serving static files. Unless you decide to [Serve the base domain from the Matrix server](configuring-playbook-base-domain-serving.md) or alternatively, to use DNS SRV records for [Server Delegation](howto-server-delegation.md). - Properly configured DNS records for `` (details in [Configuring DNS](configuring-dns.md)).
diff --git a/roles/matrix-base/tasks/main.yml b/roles/matrix-base/tasks/main.yml
index a1bb6754..4af3564c 100644
--- a/roles/matrix-base/tasks/main.yml
+++ b/roles/matrix-base/tasks/main.yml
@@ -32,10 +32,3 @@ - setup-ma1sd - setup-synapse - setup-nginx-proxy - -- import_tasks: "{{ role_path }}/tasks/self_check_dns.yml" - delegate_to: 127.0.0.1 - become: false - when: run_self_check|bool - tags: - - self-check
diff --git a/roles/matrix-base/tasks/self_check_dns.yml b/roles/matrix-base/tasks/self_check_dns.yml
deleted file mode 100644
index 57c07b2b..00000000
--- a/roles/matrix-base/tasks/self_check_dns.yml
+++ /dev/null
@@ -1,23 +0,0 @@ ---- - -- set_fact: - dns_srv_record_checks: [] - -- block: - - set_fact: - dns_srv_record_check_ma1sd: - service_and_protocol: "_matrix-identity._tcp" - domain: "{{ (matrix_domain + '.') }}" - expected_target: "{{ (matrix_server_fqn_matrix + '.') }}" - expected_port: 443 - - - name: Determine domains that we require certificates for (ma1sd) - set_fact: - dns_srv_record_checks: "{{ dns_srv_record_checks + [dns_srv_record_check_ma1sd] }}" - when: matrix_ma1sd_enabled|bool - -- name: Perform DNS SRV checks - include_tasks: "{{ role_path }}/tasks/self_check_dns_srv.yml" - with_items: "{{ dns_srv_record_checks }}" - loop_control: - loop_var: dns_srv_record_check
diff --git a/roles/matrix-base/tasks/self_check_dns_srv.yml b/roles/matrix-base/tasks/self_check_dns_srv.yml
deleted file mode 100644
index 559d9dba..00000000
--- a/roles/matrix-base/tasks/self_check_dns_srv.yml
+++ /dev/null
@@ -1,68 +0,0 @@ ---- - -# This requires the dnspython library which is usually unavailable. -- name: Check DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} using Ansible dig lookup - set_fact: - lookup_dig_srv: "{{ lookup('dig', (dns_srv_record_check.service_and_protocol + '.' + dns_srv_record_check.domain + '/SRV'), 'flat=0', wantlist=False) }}" - register: result_lookup_dig_srv - ignore_errors: true - -- name: Fail if DNS SRV check via Ansible dig lookup failed for non-dependency reason - fail: - msg: "DNS SRV record check via Ansible dig lookup plugin (which uses the dnspython package) failed. Error is: {{ result_lookup_dig_srv.msg }}" - when: "result_lookup_dig_srv.failed and 'dnspython' not in result_lookup_dig_srv.msg" - -# Fallback to using the dig CLI tool if dnspython was unavailable. -- name: Check DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} using dig CLI tool - shell: - cmd: "dig -t srv {{ (dns_srv_record_check.service_and_protocol + '.' + dns_srv_record_check.domain)|quote }}" - register: result_cli_dig_srv - changed_when: false - ignore_errors: true - when: "lookup_dig_srv is not defined" - -- name: Fail if dig CLI used and failed - fail: - msg: >- - Failed performing DNS SRV record check. - You neither have the `dnspython` Python package, nor the `dig` program installed locally. - You need to install one of those, so we could perform a DNS SRV record check. - Full error from trying to run `dig`: {{ result_cli_dig_srv }} - when: "lookup_dig_srv is not defined and result_cli_dig_srv.stderr != ''" - -# Some DNS servers may respond with '' (stands for "No Answer"). -# Most usually, a missing record would yield a 'NXDOMAIN' response. -# In any case, we consider any non-mapping response to mean "missing record". 
-- name: Fail if DNS SRV record missing (Ansible dig lookup) - fail: - msg: >- - It appears the DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} is not set up correctly (the record is missing). - See the 'Configuring DNS' documentation for this playbook. - when: "lookup_dig_srv is defined and lookup_dig_srv is not mapping" - -- name: Fail if DNS SRV record incorrect (Ansible dig lookup) - fail: - msg: >- - It appears the DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} is not set up correctly. - Expected it to point to `{{ dns_srv_record_check.expected_target }}` (port {{ dns_srv_record_check.expected_port }}). - Found it pointing to `{{ lookup_dig_srv.target }}` (port {{ lookup_dig_srv.port }}). - See the 'Configuring DNS' documentation for this playbook. - when: "lookup_dig_srv is defined and (lookup_dig_srv.target != dns_srv_record_check.expected_target or lookup_dig_srv.port != dns_srv_record_check.expected_port)" - -# We expect an answer like this: -# ;; ANSWER SECTION: -# _matrix._tcp.DOMAIN. 10800 IN SRV 10 0 8448 matrix.DOMAIN. -- name: Fail if DNS SRV record missing or incorrect (dig CLI tool) - fail: - msg: >- - It appears the DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} is not set up correctly. - Expected it to point to `{{ dns_srv_record_check.expected_target }}` (port {{ dns_srv_record_check.expected_port }}). - See the 'Configuring DNS' documentation for this playbook. 
- Full response from the `dig` lookup was: {{ result_cli_dig_srv }} - when: "lookup_dig_srv is not defined and (dns_srv_record_check.expected_port|string + ' ' + dns_srv_record_check.expected_target) not in result_cli_dig_srv.stdout" - -- name: Report correct DNS SRV record - debug: - msg: >- - The DNS SRV record for `{{ dns_srv_record_check.service_and_protocol }}` on `{{ dns_srv_record_check.domain }}` - points to `{{ dns_srv_record_check.expected_target }}` (port {{ dns_srv_record_check.expected_port }}), as expected.