Commit Graph

98 Commits

Author SHA1 Message Date
Plailect
3a4a671dd7
Add support for matrix-appservice-irc 2019-01-31 00:37:23 -05:00
Slavi Pantaleev
299a8c4c7c Make (most) containers start as non-root
This makes all containers (except mautrix-telegram and
mautrix-whatsapp), start as a non-root user.

We do this, because we don't trust some of the images.
In any case, we'd rather not trust ALL images and avoid giving
`root` access at all. We can't be sure they would drop privileges
or what they might do before they do it.

Because Postfix doesn't support running as non-root,
it had to be replaced by an Exim mail server.

The matrix-nginx-proxy nginx container image is patched up
(by replacing its main configuration) so that it can work as non-root.
It seems like there's no other good image that we can use and that is up-to-date
(https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated).

Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/),
we patch it up ourselves when starting (replacing the main nginx
configuration).
Ideally, it would be fixed upstream so we can simplify.
2019-01-27 20:25:13 +02:00
Slavi Pantaleev
c10182e5a6 Make roles more independent of one another
With this change, the following roles are now only dependent
on the minimal `matrix-base` role:
- `matrix-corporal`
- `matrix-coturn`
- `matrix-mailer`
- `matrix-mxisd`
- `matrix-postgres`
- `matrix-riot-web`
- `matrix-synapse`

The `matrix-nginx-proxy` role still does too much and remains
dependent on the others.

Wiring up the various (now-independent) roles happens
via a glue variables file (`group_vars/matrix-servers`).
It's triggered for all hosts in the `matrix-servers` group.

According to Ansible's rules of priority, we have the following
chain of inclusion/overriding now:
- role defaults (mostly empty or good for independent usage)
- playbook glue variables (`group_vars/matrix-servers`)
- inventory host variables (`inventory/host_vars/matrix.<your-domain>`)

All roles default to enabling their main component
(e.g. `matrix_mxisd_enabled: true`, `matrix_riot_web_enabled: true`).
Reasoning: if a role is included in a playbook (especially separately,
in another playbook), it should "work" by default.

Our playbook disables some of those if they are not generally useful
(e.g. `matrix_corporal_enabled: false`).
2019-01-16 18:05:48 +02:00
Aaron Raimist
7716c3b4ae
Update README to link to bubuntux/riot-web 2019-01-11 15:29:45 -06:00
Slavi Pantaleev
d28bdb3258 Add support for 2 more SSL certificate retrieval methods
Adds support for managing certificates manually and for
having the playbook generate self-signed certificates for you.

With this, Let's Encrypt usage is no longer required.

Fixes Github issue #50.
2018-12-23 11:00:12 +02:00
Slavi Pantaleev
97280c7cc1 Change Goofys Docker image (clodproto/goofys -> ewoutp/goofys)
The new image is built in a much better way (2-stage build)
and is 10x smaller.

In terms of Goofys version recency, it's about the same..
Both images (and others alike) seem to not use version tags,
but rather some `:latest` (master), with ewoutp/goofys being a bit
more recent than clodproto/goofys.

Not using version tags is good (in this case),
because the last Goofys release seems to be from about a year ago
and there had been a bunch of bugfixes afterwards.
2018-12-20 14:30:24 +02:00
Slavi Pantaleev
3fec9dfa0e Add LDAP auth password provider documentation and changelog description 2018-11-28 11:21:03 +02:00
Slavi Pantaleev
98b6492a08 Make it clearer that not all components are necessary 2018-11-26 10:35:08 +02:00
Slavi Pantaleev
46bc2a4412 Add information about the IRC support channel 2018-11-23 13:23:01 +02:00
Slavi Pantaleev
230f337315 Update README 2018-10-26 19:48:49 +03:00
Aaron Raimist
39a28e52e8
Fix link to using your own webserver 2018-10-18 18:09:41 -05:00
Aaron Raimist
5ea4917d59
Fix link to using external PostgreSQL in README 2018-09-08 14:38:29 -05:00
Slavi Pantaleev
2c3ce0f726 Update README 2018-09-08 10:21:09 +03:00
Slavi Pantaleev
e2c25bbb02 Update README 2018-08-29 10:12:48 +03:00
Slavi Pantaleev
e9d2e7455b Update README 2018-08-26 18:12:24 +03:00
Slavi Pantaleev
3577a42f61 Update README 2018-08-20 17:30:05 +03:00
Slavi Pantaleev
ea43d46b70 Add matrix-synapse-rest-auth support 2018-08-17 09:02:17 +03:00
Slavi Pantaleev
1a97a30019 Update README 2018-08-15 11:41:53 +03:00
Slavi Pantaleev
74093dfb15 Add mxisd Identity Server support 2018-08-15 10:46:13 +03:00
Slavi Pantaleev
dcf19154b2 Update README 2018-08-15 09:02:29 +03:00
Slavi Pantaleev
f3267479b8 Update README 2018-08-15 09:01:41 +03:00
Slavi Pantaleev
30c53cdea2 Split README into a bunch of files in docs/ 2018-08-08 10:07:02 +03:00
Slavi Pantaleev
336785d1ed Rename Ansible playbook tag (setup-main -> setup-all) 2018-08-08 09:03:37 +03:00
Slavi Pantaleev
776b374f41 Indicate that some distributions require a manual python install 2018-06-21 09:42:27 +03:00
Slavi Pantaleev
be93e97627 Revert "Indicate that Ubuntu Bionic (18.04) is not supported yet"
This reverts commit 8d774db3bc.

Docker is released in the Docker CE stable repository now.

Additionally, it's version 18.03, which doesn't suffer
any of the problems we've observed with 18.05 (edge/nightly).
2018-06-21 09:33:06 +03:00
Slavi Pantaleev
47446a2b26 Fix README typos 2018-06-06 17:21:04 +03:00
Slavi Pantaleev
2fa4ced6a7 Add support information 2018-05-29 09:58:36 +03:00
Slavi Pantaleev
3390165113 Document the Docker images being used 2018-05-29 09:53:01 +03:00
Slavi Pantaleev
8d774db3bc Indicate that Ubuntu Bionic (18.04) is not supported yet
We have 2 blockers that prevent us from adding support:

- the Docker CE repository does not publish a `docker-ce` package
in the `stable` channel. It's still in `edge`
(can be worked around by using `edge`, but we'd better not)

- Docker bind propagation has troubles on Docker CE 18.05,
which breaks matrix-synapse.service from starting, as it wants to do
a `:slave` mount. See https://github.com/moby/moby/issues/37032
2018-05-29 09:25:30 +03:00
Slavi Pantaleev
7527929824 Update README to reflect recent changes 2018-05-28 20:53:02 +03:00
Slavi Pantaleev
d107ab2540 Add support for upgrading Postgres
Since cbee084ac1, this playbook supports Postgres 10.x,
but keeps existing Postgres-9.x installs on 9.x.

This playbook can now also be ran with `--tags=upgrade-postgres`
to make it upgrade from Postgres 9.x to 10.x (or other versions
in the future).
2018-05-28 20:40:42 +03:00
Slavi Pantaleev
efc78fb9d3 Switch from s3fs to Goofys
Improves performance of media store operations.
2018-02-20 21:36:08 +02:00
Slavi Pantaleev
edd97d33c1 Fix README instructions typo about Ansible host_vars 2018-01-17 15:57:01 +02:00
Slavi Pantaleev
bfca91ac1f Switch Matrix Docker images (silviof -> AVENTER-UG)
Silvio announced that he's no longer maintaining his images,
so we're jumping to AVENTER-UG's fork.
2018-01-10 22:11:32 +02:00
Slavi Pantaleev
4e09499286 Fix typo 2018-01-10 12:10:56 +02:00
Slavi Pantaleev
1c2d59ae91 Stop using patched synapse_port_db script
The non-working script is supposed to be fixed
by https://github.com/matrix-org/synapse/pull/2375

To have it work, we'd need an updated Docker image
of `silviof/matrix-riot-docker:latest`, which is not yet available
at the time of this commit.

Still, the previous patched synapse_port_db didn't work well either,
so it's not like we're regressing much by getting rid of it.
2017-10-14 09:58:06 +03:00
Slavi Pantaleev
7133418dc3 Fix README omission related to S3 setup 2017-10-14 09:55:47 +03:00
Slavi Pantaleev
6962bfcc42 Add support for not taking over a server (no matrix-nginx-proxy) and disabling Riot 2017-09-12 12:41:44 +03:00
Slavi Pantaleev
b3a8698734 Update README 2017-09-12 00:37:18 +03:00
Slavi Pantaleev
ded7c274f6 Add support for Debian (9+) and Ubuntu (16.04+) 2017-09-11 23:24:05 +03:00
Slavi Pantaleev
ab1a9fd87e Add support for using an external PostgreSQL server 2017-09-08 17:24:27 +03:00
Slavi Pantaleev
0f43abb91d Do not assume /usr/local/bin is always on the PATH 2017-09-08 10:47:12 +03:00
Slavi Pantaleev
9c68b057b0 Add support for storing Matrix Synapse's media_store to Amazon S3 2017-09-07 18:26:41 +03:00
Slavi Pantaleev
b046052aed Switch from playbook vars to role defaults
By using role defauts, we can have inventory variables
which overide the defaults.
2017-08-30 12:05:13 +03:00
Slavi Pantaleev
91bb06e4be Update README 2017-08-06 19:21:18 +03:00
Slavi Pantaleev
7b980525a4 Fix README anchors 2017-08-01 12:36:54 +03:00
Slavi Pantaleev
81077e6cdf Allow regular users to be created as well (not only admins) 2017-08-01 11:11:29 +03:00
Slavi Pantaleev
87f5883f24 Initial commit 2017-07-31 23:08:20 +03:00