Commit Graph

17 Commits

Author SHA1 Message Date
82989b662a Fix bad network and bad path to postgre env 2020-03-29 23:49:09 +02:00
704d2ff861 Merge pull request from prasket/matrix-change-user-admin-status
Matrix change user admin status
2020-01-23 10:35:28 +02:00
83e7a8d9e6 corrected hardcoded matrix domain and added code to remove old matrix-make-user-admin script per suggestion. 2020-01-21 18:29:17 -08:00
9d3d538a2d Use C collation for Postgres to appease Synapse 2020-01-21 00:13:47 +02:00
e99497bb60 created new file with change admin options and removed make admin file. Updated name references as well throughout the project. 2020-01-19 18:39:56 -08:00
6fce809d10 Add config option to be able to access database outside of container 2019-06-09 20:35:35 -05:00
ae7c8d1524 Use SyslogIdentifier to improve logging
Reasoning is the same as for .

For us, the journal used to contain `docker` for all services, which
is not very helpful when looking at them all together (`journalctl -f`).
2019-05-16 09:43:46 +09:00
c451025134 Fix indentation in templates
Use Jinja2 lstrip_blocks option in templates to ensure consistent
indentation in generated files.
2019-05-07 21:23:35 +02:00
e0b7b4dc61 Merge pull request from TheLastProject/feature/docker_add_hosts
Add the possibility to pass extra flags to the docker container
2019-05-05 10:22:59 +03:00
75b1528d13 Add the possibility to pass extra flags to the docker container 2019-04-30 16:35:18 +02:00
134faa3139 Add the ability to update user passwords with ansible (when using the matrix-postgres container). 2019-04-30 16:30:26 +03:00
a43bcd81fe Rename some variables 2019-02-28 11:51:09 +02:00
0be7b25c64 Make (most) containers run with a read-only filesystem 2019-01-29 18:52:02 +02:00
9438402f61 Drop capabilities in a few more places
Continuation of 316d653d3e
2019-01-28 11:43:32 +02:00
316d653d3e Drop capabilities in containers
We run containers as a non-root user (no effective capabilities).

Still, if a setuid binary is available in a container image, it could
potentially be used to give the user the default capabilities that the
container was started with. For Docker, the default set currently is:
- "CAP_CHOWN"
- "CAP_DAC_OVERRIDE"
- "CAP_FSETID"
- "CAP_FOWNER"
- "CAP_MKNOD"
- "CAP_NET_RAW"
- "CAP_SETGID"
- "CAP_SETUID"
- "CAP_SETFCAP"
- "CAP_SETPCAP"
- "CAP_NET_BIND_SERVICE"
- "CAP_SYS_CHROOT"
- "CAP_KILL"
- "CAP_AUDIT_WRITE"

We'd rather prevent such a potential escalation by dropping ALL
capabilities.

The problem is nicely explained here: https://github.com/projectatomic/atomic-site/issues/203
2019-01-28 11:22:54 +02:00
1a80058a2a Indent (non-YAML) using tabs
Fixes  (Github issue)
2019-01-26 09:37:29 +02:00
51312b8250 Split playbook into multiple roles
As suggested in  (Github issue), splitting the
playbook's logic into multiple roles will be beneficial for
maintainability.

This patch realizes this split. Still, some components
affect others, so the roles are not really independent of one
another. For example:
- disabling mxisd (`matrix_mxisd_enabled: false`), causes Synapse
and riot-web to reconfigure themselves with other (public)
Identity servers.

- enabling matrix-corporal (`matrix_corporal_enabled: true`) affects
how reverse-proxying (by `matrix-nginx-proxy`) is done, in order to
put matrix-corporal's gateway server in front of Synapse

We may be able to move away from such dependencies in the future,
at the expense of a more complicated manual configuration, but
it's probably not worth sacrificing the convenience we have now.

As part of this work, the way we do "start components" has been
redone now to use a loop, as suggested in  (Github issue).
This should make restarting faster and more reliable.
2019-01-12 18:01:10 +02:00