Merge branch 'master' into non-root-containers

roles/matrix-base/tasks/self_check_dns_srv.yml

@@ -1,26 +1,65 @@
 ---
 
-# This requires the dnspython library and will fail with a friendly error when unavailable.
-- name: Check DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }}
+# This requires the dnspython library which is usually unavailable.
+- name: Check DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} using Ansible dig lookup
   set_fact:
-    result_dig_srv: "{{ lookup('dig', (dns_srv_record_check.service_and_protocol + '.' + dns_srv_record_check.domain + '/SRV'), 'flat=0', wantlist=False) }}"
+    lookup_dig_srv: "{{ lookup('dig', (dns_srv_record_check.service_and_protocol + '.' + dns_srv_record_check.domain + '/SRV'), 'flat=0', wantlist=False) }}"
+  register: result_lookup_dig_srv
+  ignore_errors: true
 
-- name: Fail if DNS SRV record missing
+- name: Fail if DNS SRV check via Ansible dig lookup failed for non-dependency reason
   fail:
-    msg: "It appears the DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} is not set up correctly (the record is missing). See the 'Configuring DNS' documentation for this playbook."
-  when: "result_dig_srv == 'NXDOMAIN'"
+    msg: "DNS SRV record check via Ansible dig lookup plugin (which uses the dnspython package) failed. Error is: {{ result_lookup_dig_srv.msg }}"
+  when: "result_lookup_dig_srv.failed and 'dnspython' not in result_lookup_dig_srv.msg"
 
-- name: Fail if DNS SRV record incorrect
+# Fallback to using the dig CLI tool if dnspython was unavailable.
+- name: Check DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} using dig CLI tool
+  shell:
+    cmd: "dig -t srv {{ (dns_srv_record_check.service_and_protocol + '.' + dns_srv_record_check.domain)|quote }}"
+  register: result_cli_dig_srv
+  changed_when: false
+  ignore_errors: true
+  when: "lookup_dig_srv is not defined"
+
+- name: Fail if dig CLI used and failed
   fail:
-    msg: >
+    msg: >-
+      Failed performing DNS SRV record check.
+      You neither have the `dnspython` Python package, nor the `dig` program installed locally.
+      You need to install one of those, so we could perform a DNS SRV record check.
+      Full error from trying to run `dig`: {{ result_cli_dig_srv }}
+  when: "lookup_dig_srv is not defined and result_cli_dig_srv.stderr != ''"
+
+- name: Fail if DNS SRV record missing (Ansible dig lookup)
+  fail:
+    msg: >-
+      It appears the DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} is not set up correctly (the record is missing).
+      See the 'Configuring DNS' documentation for this playbook.
+  when: "lookup_dig_srv is defined and lookup_dig_srv == 'NXDOMAIN'"
+
+- name: Fail if DNS SRV record incorrect (Ansible dig lookup)
+  fail:
+    msg: >-
       It appears the DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} is not set up correctly.
       Expected it to point to `{{ dns_srv_record_check.expected_target }}` (port {{ dns_srv_record_check.expected_port }}).
-      Found it pointing to `{{ result_dig_srv.target }}` (port {{ result_dig_srv.port }}).
+      Found it pointing to `{{ lookup_dig_srv.target }}` (port {{ lookup_dig_srv.port }}).
       See the 'Configuring DNS' documentation for this playbook.
-  when: "result_dig_srv.target != dns_srv_record_check.expected_target or result_dig_srv.port != dns_srv_record_check.expected_port"
+  when: "lookup_dig_srv is defined and (lookup_dig_srv.target != dns_srv_record_check.expected_target or lookup_dig_srv.port != dns_srv_record_check.expected_port)"
+
+# We expect an answer like this:
+# ;; ANSWER SECTION:
+# _matrix._tcp.DOMAIN. 10800	IN	SRV	10 0 8448 matrix.DOMAIN.
+- name: Fail if DNS SRV record missing or incorrect (dig CLI tool)
+  fail:
+    msg: >-
+      It appears the DNS SRV record for {{ dns_srv_record_check.service_and_protocol }} on {{ dns_srv_record_check.domain }} is not set up correctly.
+      Expected it to point to `{{ dns_srv_record_check.expected_target }}` (port {{ dns_srv_record_check.expected_port }}).
+      See the 'Configuring DNS' documentation for this playbook.
+      Full response from the `dig` lookup was: {{ result_cli_dig_srv }}
+  when: "lookup_dig_srv is not defined and (dns_srv_record_check.expected_port|string + ' ' + dns_srv_record_check.expected_target) not in result_cli_dig_srv.stdout"
 
 - name: Report correct DNS SRV record
   debug:
-    msg: >
+    msg: >-
       The DNS SRV record for `{{ dns_srv_record_check.service_and_protocol }}` on `{{ dns_srv_record_check.domain }}`
-      points to `{{ result_dig_srv.target }}` (port {{ dns_srv_record_check.expected_port }}), as expected
+      points to `{{ dns_srv_record_check.expected_target }}` (port {{ dns_srv_record_check.expected_port }}), as expected.

roles/matrix-coturn/templates/turnserver.conf.j2

@@ -1,10 +1,6 @@
 use-auth-secret
 static-auth-secret={{ matrix_coturn_turn_static_auth_secret }}
 realm=turn.{{ hostname_matrix }}
-cert=/matrix-config/{{ hostname_matrix }}.tls.crt
-pkey=/matrix-config/{{ hostname_matrix }}.tls.key
-dh-file=/matrix-config/{{ hostname_matrix }}.tls.dh
-cipher-list="HIGH"
 min-port={{ matrix_coturn_turn_udp_min_port }}
 max-port={{ matrix_coturn_turn_udp_max_port }}
 external-ip={{ matrix_coturn_turn_external_ip_address }}
@@ -12,3 +8,4 @@ log-file=stdout
 pidfile=/var/tmp/turnserver.pid
 userdb=/var/tmp/turnserver.db
 no-cli
+prod

roles/matrix-mxisd/tasks/main.yml

@@ -17,3 +17,5 @@
   delegate_to: 127.0.0.1
   become: false
   when: "run_self_check and matrix_mxisd_enabled"
+  tags:
+    - self-check