Commit Graph

32 Commits

Author SHA1 Message Date
ab59cc50bd Add support for more flexible container port exposing
Fixes #171 (Github Issue).
2019-05-25 07:41:08 +09:00
9c23d877fe Fix docker_image option for ansible < 2.8 2019-05-22 05:43:33 -05:00
db15791819 Add source option to docker_image to fix deprecation warning 2019-05-21 10:29:12 -05:00
3982f114af Fix CONDITIONAL_BARE_VARS deprecation warning in ansible 2.8 2019-05-21 10:25:59 -05:00
ae7c8d1524 Use SyslogIdentifier to improve logging
Reasoning is the same as for matrix-org/synapse#5023.

For us, the journal used to contain `docker` for all services, which
is not very helpful when looking at them all together (`journalctl -f`).
2019-05-16 09:43:46 +09:00
25d3b315de Fix case of the mxisd ldap.connection.baseDNs option in comment 2019-05-14 22:38:21 +02:00
953ae021ba Upgrade mxisd (1.4.2 -> 1.4.3) 2019-05-14 08:22:10 +09:00
5f2f17cb1e Merge pull request #160 from danbob/fix-matrix-mxisd-config
Fix template indentation
2019-05-08 08:01:00 +03:00
c451025134 Fix indentation in templates
Use Jinja2 lstrip_blocks option in templates to ensure consistent
indentation in generated files.
2019-05-07 21:23:35 +02:00
3abed49764 Fix jinja config for indented code blocks 2019-05-07 06:02:38 -05:00
07e7d518d5 Revert "Fix template indentation"
This reverts commit 172d59ba05.
2019-05-07 05:57:20 -05:00
172d59ba05 Fix template indentation 2019-05-03 10:37:14 -05:00
75b1528d13 Add the possibility to pass extra flags to the docker container 2019-04-30 16:35:18 +02:00
00ec22688a Upgrade mxisd (1.4.1 -> 1.4.2)
Looks like we may not have to do this,
since 1.4.2 fixes edge cases for people who used the broken
1.4.0 release.

We jumped straight to 1.4.1, so maybe we're okay.
Still, upgrading anyway, just in case.
2019-04-28 10:15:46 +03:00
ed442af96f Update mxisd (1.3.1 -> 1.4.1) 2019-04-27 16:28:40 -05:00
73af8f7bbb Make self-check not validate self-signed certificates
By default, `--tags=self-check` no longer validates certificates
when `matrix_ssl_retrieval_method` is set to `self-signed`.

Besides this default, people can also enable/disable validation using the
individual role variables manually.

Fixes #124 (Github Issue)
2019-03-22 09:41:08 +02:00
93992f7756 Fix indenting of generators value 2019-03-08 10:50:51 +01:00
f297ff506b Explain how to set the template variables 2019-03-07 13:34:07 +01:00
0cd8b99b00 Add support for custom MXISD templates 2019-03-07 13:28:00 +01:00
45618679f5 Reload systemd services when they get updated
Fixes #69 (Github Issue)
2019-03-03 11:55:15 +02:00
a43bcd81fe Rename some variables 2019-02-28 11:51:09 +02:00
4c512c8e64 Upgrade mxisd (1.3.0 -> 1.3.1) 2019-02-22 15:44:13 +02:00
7a1b5a2024 Update mxisd (1.2.2 -> 1.3.0) 2019-02-10 23:20:05 +02:00
0be7b25c64 Make (most) containers run with a read-only filesystem 2019-01-29 18:52:02 +02:00
b77b967171 Merge branch 'master' into non-root-containers 2019-01-29 18:00:11 +02:00
9830a0871d Fix self-check for mxisd not being enabled 2019-01-28 11:47:31 +02:00
316d653d3e Drop capabilities in containers
We run containers as a non-root user (no effective capabilities).

Still, if a setuid binary is available in a container image, it could
potentially be used to give the user the default capabilities that the
container was started with. For Docker, the default set currently is:
- "CAP_CHOWN"
- "CAP_DAC_OVERRIDE"
- "CAP_FSETID"
- "CAP_FOWNER"
- "CAP_MKNOD"
- "CAP_NET_RAW"
- "CAP_SETGID"
- "CAP_SETUID"
- "CAP_SETFCAP"
- "CAP_SETPCAP"
- "CAP_NET_BIND_SERVICE"
- "CAP_SYS_CHROOT"
- "CAP_KILL"
- "CAP_AUDIT_WRITE"

We'd rather prevent such a potential escalation by dropping ALL
capabilities.

The problem is nicely explained here: https://github.com/projectatomic/atomic-site/issues/203
2019-01-28 11:22:54 +02:00
ba75ab496d Send Host/X-Forwarded-For to mxisd
It worked without it too, but doing this is more consistent with the
mxisd recommendations.
2019-01-17 16:22:49 +02:00
cb11548eec Use mxisd for user directory searches
Implements #77 (Github issue).
2019-01-17 15:55:23 +02:00
df0d465482 Fix typos in some variables (matrix_mxid -> matrix_mxisd) 2019-01-17 14:47:37 +02:00
c10182e5a6 Make roles more independent of one another
With this change, the following roles are now only dependent
on the minimal `matrix-base` role:
- `matrix-corporal`
- `matrix-coturn`
- `matrix-mailer`
- `matrix-mxisd`
- `matrix-postgres`
- `matrix-riot-web`
- `matrix-synapse`

The `matrix-nginx-proxy` role still does too much and remains
dependent on the others.

Wiring up the various (now-independent) roles happens
via a glue variables file (`group_vars/matrix-servers`).
It's triggered for all hosts in the `matrix-servers` group.

According to Ansible's rules of priority, we have the following
chain of inclusion/overriding now:
- role defaults (mostly empty or good for independent usage)
- playbook glue variables (`group_vars/matrix-servers`)
- inventory host variables (`inventory/host_vars/matrix.<your-domain>`)

All roles default to enabling their main component
(e.g. `matrix_mxisd_enabled: true`, `matrix_riot_web_enabled: true`).
Reasoning: if a role is included in a playbook (especially separately,
in another playbook), it should "work" by default.

Our playbook disables some of those if they are not generally useful
(e.g. `matrix_corporal_enabled: false`).
2019-01-16 18:05:48 +02:00
51312b8250 Split playbook into multiple roles
As suggested in #63 (Github issue), splitting the
playbook's logic into multiple roles will be beneficial for
maintainability.

This patch realizes this split. Still, some components
affect others, so the roles are not really independent of one
another. For example:
- disabling mxisd (`matrix_mxisd_enabled: false`), causes Synapse
and riot-web to reconfigure themselves with other (public)
Identity servers.

- enabling matrix-corporal (`matrix_corporal_enabled: true`) affects
how reverse-proxying (by `matrix-nginx-proxy`) is done, in order to
put matrix-corporal's gateway server in front of Synapse

We may be able to move away from such dependencies in the future,
at the expense of a more complicated manual configuration, but
it's probably not worth sacrificing the convenience we have now.

As part of this work, the way we do "start components" has been
redone now to use a loop, as suggested in #65 (Github issue).
This should make restarting faster and more reliable.
2019-01-12 18:01:10 +02:00