Commit Graph
100 Commits
Author SHA1 Message Date
Slavi PantaleevandGitHub 5b736c416b Merge pull request #236 from oleg-fiksel/guest-access
Added possibility to enable guest access on synapse
2019-08-08 13:18:55 +03:00
Slavi Pantaleev 3e57a1463a Serve nginx status page over HTTPS as well
Continuation of #234 (Github Pull Request).

I had unintentionally updated the documentation for the feature,
saying the page is available at `https://matrix.DOMAIN/nginx_status`.

Looks like it wasn't the case, going against my expectations.

I'm correcting this with this patch.
The status page is being made available on both HTTP and HTTPS.
Serving over HTTP is likely necessary for services like
Longview
(https://www.linode.com/docs/platform/longview/longview-app-for-nginx/)
2019-08-07 12:53:53 +03:00
Slavi PantaleevandGitHub 4abca27df7 Merge pull request #234 from ugs9fsy71cb/master
Serve nginx_status to matrix.DOMAIN
2019-08-07 12:36:03 +03:00
Slavi PantaleevandGitHub f97175a1c6 Update configuring-playbook-ngnix.md 2019-08-07 12:35:48 +03:00
Slavi PantaleevandGitHub 949009f254 Merge pull request #233 from thedanbob/riot-web-1.3.2
Update riot-web (1.3.0 -> 1.3.2)
2019-08-06 15:07:19 +03:00
Slavi Pantaleev bce165f247 Do not suggest DEBUG logging when submitting issues
It's been pointed out that DEBUG logs could contain sensitive
information (access tokens, etc.), which makes them unsuitable
for sharing with others. INFO should be enough.
2019-08-06 07:14:52 +03:00
Slavi Pantaleev d222640140 Add firewall notice about email2matrix 2019-08-05 14:10:24 +03:00
Slavi Pantaleev 847f887e1b Update README 2019-08-05 13:12:42 +03:00
Slavi Pantaleev 4be35822dd Add Email2Matrix support 2019-08-05 13:09:49 +03:00
Slavi PantaleevandGitHub 5d1c76f0e3 Merge pull request #232 from jooize/patch-2
Clarify sentence about dedicated user for access token
2019-08-04 08:04:46 +03:00
Slavi Pantaleev 6fe4bafc2a Decrease default Synapse logging level
Also discussed previously in #213 (Github Pull Request).

shared-secret-auth and rest-auth logging is still at `INFO`
intentionally, as user login events seem more important to keep.
Those modules typically don't spam as much.
2019-08-03 07:48:04 +03:00
Slavi Pantaleev 6fc779dc83 Ensure matrix_ssl_retrieval_method value is valid
We recently had someone in the support room who set it to `false`
and the playbook ran without any issues.

This currently seems to yield the same result as 'none', but it's
better to avoid such behavior.
2019-08-02 11:59:10 +03:00
Slavi Pantaleev c40d28a0dc Relocate user-store.db/room-store.db when migrating Discord bridge files
Refer to 524436ebef and #230 (Github Issue).
2019-08-01 14:40:12 +03:00
Slavi Pantaleev 524436ebef Add missing required parameters for Discord bridge
Fixes #230 (Github Issue).

Related to https://github.com/Half-Shot/matrix-appservice-discord/issues/510
2019-08-01 14:36:02 +03:00
Slavi Pantaleev 18f6b29372 Bump matrix-mailer / exim release (4.92.1-r0-0 -> 4.92.1-r0-1)
It adds support for a new `DISABLE_SENDER_VERIFICATION` environment
variable that can be used to disable verification of sender addresses.

It doesn't matter for us, but we upgrade to keep up with latest.
2019-07-31 10:47:57 +03:00
Slavi Pantaleev 0e3b73a612 Upgrade matrix-mailer / exim (4.92 -> 4.92.1) 2019-07-30 20:56:05 +03:00
Slavi Pantaleev d543780e42 Use mautrix-telegram Docker image from new official registry 2019-07-28 19:33:02 +03:00
Slavi Pantaleev 53ab66eef8 Use mautrix-whatsapp Docker image from new official registry 2019-07-28 19:31:42 +03:00
Slavi Pantaleev 82bb55ae7a Use new default port config for mautrix-facebook 2019-07-28 18:42:42 +03:00
Slavi Pantaleev b0162d6f75 Use mautrix-facebook Docker image from new official registry 2019-07-28 18:40:55 +03:00
Slavi PantaleevandGitHub becb9a7b8b Merge pull request #228 from danbob/fix-apt-warning
Fix apt message: docker doesn't support arch 'i386'
2019-07-27 10:30:09 +03:00
Slavi Pantaleev bd99dd05b4 Upgrade Synapse (1.2.0 -> 1.2.1) 2019-07-26 14:17:31 +03:00
Slavi Pantaleev 255b67a0ce Update homeserver.yaml with new options from Synapse v1.2.0
Related to #223 (Github Pull Request)
2019-07-25 22:03:12 +03:00
Slavi PantaleevandGitHub bb9fd41403 Merge pull request #223 from danbob/synapse-1.2.0
Update synapse (1.1.0 -> 1.2.0)
2019-07-25 17:14:41 +03:00
Slavi PantaleevandGitHub 25327abbc3 Merge pull request #222 from danbob/nginx-1.17.2
Update nginx (1.17.1 -> 1.17.2)
2019-07-24 14:27:22 +03:00
Slavi PantaleevandGitHub 11b1de5522 Merge pull request #220 from lpopov/patch-1
Upgrade riot-web (1.2.4 - 1.3.0)
2019-07-19 15:41:46 +03:00
Slavi PantaleevandGitHub 479a5137ca Merge pull request #218 from RedooNetworks/master
introduce configuration to change riot branding / title
2019-07-17 17:07:31 +03:00
Slavi Pantaleev 3a8ed2dd81 Upgrade riot-web (1.2.3 -> 1.2.4) 2019-07-12 13:09:21 +03:00
Slavi Pantaleev 5a6c546d87 Upgrade Telegram bridge (0.5.2 -> 0.6.0) 2019-07-12 13:08:48 +03:00
Slavi Pantaleev 87e3650327 Ensure Discord client id is passed as a string
Looks like these client ids are actually integers,
but unless we pass them as a string, the bridge would complain with
an error like:

    {"field":"data.auth.clientID","message":"is the wrong type","value":123456789012345678,"type":"string","schemaPath":["properties","auth","properties","clientID"]}

Explicitly-casting to a string should fix the problem.

The Discord bridge should probably be improved to handle both ints and
strings though.
2019-07-12 10:15:43 +03:00
Slavi Pantaleev 99283ef684 Add note about SMTPS not being supported
Fixes #216 (Github Issue).
2019-07-10 08:43:27 +03:00
Slavi PantaleevandGitHub 277a6eb7da Merge pull request #215 from danbob/update-riot-web
Update to riot 1.2.3
2019-07-09 15:10:39 +03:00
Slavi Pantaleev 0e4030f05c Add missing word 2019-07-09 09:14:57 +03:00
Slavi Pantaleev 1316d36f8b Fix deprecation warning (using cron module without name) 2019-07-09 09:11:38 +03:00
Slavi Pantaleev 76862f4f2a Suggest running start tag after janitor and Postgres vacuum
We do restart Synapse explicitly, but some other services
(bridges, matrix-corporal, ..) may not restart sometimes.

It's best to restart all services explicitly.
2019-07-08 11:09:23 +03:00
Slavi Pantaleev 9d07aaefbf Fix passkey.pem permissions breaking IRC bridge
Regression since 174a6fcd1b, #204 (Github Pull Request),
which only affects new servers.

Old servers which had their passkey.pem file relocated were okay.
2019-07-08 10:13:45 +03:00
Slavi Pantaleev e317de5ac1 Fix broken link 2019-07-08 09:40:52 +03:00
Slavi Pantaleev 0ca21d80d7 Add Synapse Maintenance docs and synapse-janitor integration 2019-07-08 09:38:36 +03:00
Slavi Pantaleev 631a14bf0c Rename run control variables for consistency 2019-07-08 09:38:36 +03:00
Slavi Pantaleev e805044b80 Delete scripts when uninstalling Postgres 2019-07-08 09:38:36 +03:00
Slavi PantaleevandGitHub 84f5a0fa69 Merge pull request #214 from danbob/update-nginx
Bump nginx version to 1.17.1
2019-07-05 07:16:54 +03:00
Slavi Pantaleev 17cd52ced6 Make Synapse log messages a bit prettier
ef5e4ad061 intentionally makes us conform to
the logging format suggested by the official Docker image.

Reverting this part, because it's uglier.

This likely should be fixed upstream as well though.
2019-07-04 18:19:52 +03:00
Slavi Pantaleev ef5e4ad061 Make Synapse not log to text files
Somewhat related to #213 (Github Pull Request).

We've been moving in the opposite direction for quite a long time.
All services should just leave logging to systemd's journald.
2019-07-04 17:46:31 +03:00
Slavi Pantaleev b84139088c Fix password providers not working on Synapse v1.1.0
Fixes a regression introduced during the upgrade to
Synapse v1.1.0 (in 2b3865ceea).

Since Synapse v1.1.0 upgraded to Python 3.7
(https://github.com/matrix-org/synapse/pull/5546),
we need to use a different modules directory when mounting
password provider modules.
2019-07-04 17:28:38 +03:00
Slavi Pantaleev 73158e6c2f Fix unintentionally inverted boolean
Fixes a problem introduced by da6edc9cba.

Related to #145 (Github Pull Request).
2019-07-04 17:27:42 +03:00
Slavi Pantaleev da6edc9cba Add support for disabling Synapse's local database for user auth
This is a new feature of Synapse v1.1.0.

Discussed in #145 (Github Pull Request).
2019-07-04 17:11:51 +03:00
Slavi Pantaleev 2b3865ceea Upgrade Synapse (1.0.0 -> 1.1.0) 2019-07-04 16:58:45 +03:00
Slavi PantaleevandGitHub 810028c12b Merge pull request #210 from spantaleev/discord-bridge-refactoring
Make Discord bridge configuration playbook-managed
2019-06-27 09:34:23 +03:00
Slavi PantaleevandGitHub 420b46ad2e Update CHANGELOG.md 2019-06-27 09:34:08 +03:00
Slavi Pantaleev bccfd13c7f Fix changelog entry typo 2019-06-26 10:48:19 +03:00
Slavi Pantaleev 8529efcd1c Make Discord bridge configuration playbook-managed
Well, `config.yaml` has been playbook-managed for a long time.
It's now extended to match the default sample config of the Discord
bridge.

With this patch, we also make `registration.yaml` playbook-managed,
which leads us to consistency with all other bridges.

Along with that, we introduce `./config` and `./data` separation,
like we do for the other bridges.
2019-06-26 10:35:00 +03:00
Slavi Pantaleev 782356d421 Use password_hash salts that obey passlib requirements
According to
https://passlib.readthedocs.io/en/stable/lib/passlib.hash.sha512_crypt.html:

> salt (str) – Optional salt string. If not specified, one will be autogenerated (this is recommended).
> If specified, it must be 0-16 characters, drawn from the regexp range [./0-9A-Za-z].

Until now, we were using invalid characters (like `-`). We were also
going over the requested length limit of 16 characters.

This is most likely what was causing `ValueError` exceptions for some people,
as reported in #209 (Github Issue).
Ansible's source code (`lib/ansible/utils/encrypt.py`) shows that Ansible tries
to use passlib if available and falls back to Python's `crypt` module if not.
For Mac, `crypt.crypt` doesn't seem to work, so Ansible always requires passlib.

Looks like crypt is forgiving when length or character requirements are
not obeyed. It would auto-trim a salt string to make it work, which means
that we could end up with the same hash if we call it with salts which aer only
different after their 16th character.

For these reasons (crypt autotriming and passlib downright complaining),
we're now using shorter and more diverse salts.
2019-06-26 09:37:02 +03:00
Slavi Pantaleev 59b56fa504 Update Docker image of Ansible (2.7.0 -> 2.8.1) 2019-06-26 07:40:36 +03:00
Slavi Pantaleev 918526c5fe Update riot-web (1.2.1 -> 1.2.2) 2019-06-25 14:42:54 +03:00
Slavi PantaleevandGitHub 4ec3a5286a Merge pull request #208 from danbob/update-images
Update nginx and postgres images to latest versions
2019-06-25 14:23:20 +03:00
Slavi Pantaleev 37c8b96d06 Use stricter regex in bridges' registration.yaml
I've been thinking of doing before, but haven't.

Now that the Whatsapp bridge does it (since 4797469383),
it makes sense to do it for all other bridges as well.
(Except for the IRC bridge - that one manages most of registration.yaml by itself)
2019-06-24 07:50:51 +03:00
Slavi Pantaleev c876a7df1d Use |regex_escape in Whatsapp registration.yaml
Doesn't matter much, but it makes it consistent with the other bridges.
2019-06-24 07:49:19 +03:00
Slavi Pantaleev 3ff57ed74d Use container network for communication between homeserver and Whatsapp bridge 2019-06-24 07:48:56 +03:00
Slavi PantaleevandGitHub 6e26d286af Merge pull request #207 from tommes0815/whatsapp-config-playbook-managed
Whatsapp config playbook managed
2019-06-24 07:44:26 +03:00
Slavi PantaleevandGitHub 62509e4849 Fix indentation consistency 2019-06-24 07:42:39 +03:00
Slavi PantaleevandGitHub e2d2302475 Merge pull request #206 from verb/appservice-irc-log
Disable appservice-irc log files
2019-06-24 07:40:26 +03:00
Slavi PantaleevandGitHub e585f314b8 Merge pull request #204 from spantaleev/irc-bridge-refactoring
Make IRC bridge configuration entirely managed by the playbook
2019-06-20 17:00:16 +03:00
Slavi PantaleevandGitHub 764feb4d7b Bump changelog entry date 2019-06-20 17:00:05 +03:00
Slavi Pantaleev c98eacdd70 Add BC Break label to old changelog entry 2019-06-20 16:59:16 +03:00
Slavi Pantaleev 174a6fcd1b Make IRC bridge configuration entirely managed by the playbook 2019-06-19 12:29:44 +03:00
Slavi Pantaleev 668f98a2d3 Escape domain in bridge registration regex 2019-06-19 10:40:59 +03:00
Slavi Pantaleev 5002c7edaa Fix broken docs link 2019-06-19 10:30:04 +03:00
Slavi Pantaleev 380714d290 Talk to Telegram bridge over container network 2019-06-19 10:10:17 +03:00
Slavi Pantaleev deeb5a96d5 Disable IRC bridge presence if Synapse presence is disabled 2019-06-19 09:31:09 +03:00
Slavi Pantaleev f994e40bb7 Extend IRC bridge configuration with some additional options 2019-06-19 09:28:41 +03:00
Slavi Pantaleev 6b023d09d4 Use container network address for communication between IRC bridge and homeserver
This means we need to explicitly specify a `media_url` now,
because without it, `url` would be used for building public URLs to
files/images. That doesn't work when `url` is not a public URL.
2019-06-19 09:21:13 +03:00
Slavi Pantaleev 9b97a42ffb Add a note about DNS SRV records not being obsolete 2019-06-15 16:14:14 +03:00
Slavi Pantaleev 169b09f0ed Fix token mismatch error for the Telegram bridge
Regression since 4e8543ce21
2019-06-15 12:01:52 +03:00
Slavi Pantaleev 2a2e7a7f6c Minor changelog clarification 2019-06-15 09:53:01 +03:00
Slavi Pantaleev 4e8543ce21 Make Telegram bridge configuration playbook-managed 2019-06-15 09:43:43 +03:00
Slavi Pantaleev 2902b53267 Minor fixes for consistency 2019-06-15 09:42:40 +03:00
Slavi Pantaleev 00383a73ac Make running --tags=setup-synapse only not fail to register bridges
Until now, if `--tags=setup-synapse` was used, bridge tasks would not
run and bridges would fail to register with the `matrix-synapse` role.
This means that Synapse's configuration would be generated with an empty
list of appservices (`app_service_config_files: []`).

.. and then bridges would fail, because Synapse would not be aware of
there being any bridges.

From now on, bridges always run their init tasks and always register
with Synapse.

For the Telegram bridge, the same applies to registering with
matrix-nginx-proxy. Previously, running `--tags=setup-nginx-proxy` would
get rid of the Telegram endpoint configuration for the same reason.
Not anymore.
2019-06-14 10:19:52 +03:00
Slavi Pantaleev d8a4007220 Upgrade exim (4.91 -> 4.92)
Note: https://www.us-cert.gov/ncas/current-activity/2019/06/13/Exim-Releases-Security-Patches

That said, I don't believe we've been affected.
Not in a bad way at least, because:
- we run exim as non-root and capabilities dropped
- we run exim in a private Docker network with known trusted relayers
(Synapse and mxisd)
2019-06-14 08:07:54 +03:00
Slavi Pantaleev 3956b300ed Disable riot-web's welcome bot
I've not found this welcome bot to work at all in my previous attempts.
It would simply not reply, even though federation works.

It seems like this is also a potential privacy issue, as per
https://gist.github.com/maxidorius/5736fd09c9194b7a6dc03b6b8d7220d0
2019-06-14 07:49:46 +03:00
Slavi Pantaleev 2e16257e50 Do not ask for _matrix._tcp SRV records anymore
With most people on Synapse v0.99+ and Synapse v1.0 now available,
we should no longer try to be backward compatible with Synapse 0.34,
because this just complicates the instructions for no good reason.
2019-06-12 14:51:10 +03:00
Slavi PantaleevandGitHub e39985b04a Merge pull request #199 from wabuMike/master
Added a basic guide on migrating to another server
2019-06-12 09:38:17 +03:00
Slavi PantaleevandGitHub 8a7b3d5bd0 Make instructions simpler and safer
Changes to the original are:
- it tells people to stop and disable services, so that:
   - services won't be running while you are copying files
   - services won't accidentally start again later
- it does the file-copying in 1 step
- it does copying before running `--tags=setup-all`, so that existing files (SSL certificates, etc.) can be reused. Otherwise, the playbook starts from a blank slate, retrieves them anew, generates new signing keys anew, etc. Only to have those replaced by your own old backup later.
- it mentions DNS changes
- combines `--tags=setup-all,start` into a single step, thanks to the files being already copied
2019-06-12 09:36:19 +03:00
Slavi PantaleevandGitHub d8afb241ca Merge pull request #201 from aaronraimist/default-room-version
Allow default room version to be configured
2019-06-12 09:17:45 +03:00
Slavi PantaleevandGitHub f4574961c7 Prevent double-quotes around default room version
Using `|to_json` on a string is expected to correctly wrap it in quotes (e.g. `"4"`).
Wrapping it explicitly in double-quotes results in undesirable double-quoting (`""4""`).
2019-06-12 09:17:35 +03:00
Slavi PantaleevandGitHub 53d9f4df20 Merge pull request #200 from aaronraimist/mxisd-1.4.5
Upgrade mxisd (1.4.4 -> 1.4.5)
2019-06-12 09:02:02 +03:00
Slavi Pantaleev e4068e55ee Upgrade Synapse (0.99.5.2 -> 1.0.0) 2019-06-11 20:30:18 +03:00
Slavi Pantaleev 7d3adc4512 Automatically force-pull :latest images
We do use some `:latest` images by default for the following services:
- matrix-dimension
- Goofys (in the matrix-synapse role)
- matrix-bridge-appservice-irc
- matrix-bridge-appservice-discord
- matrix-bridge-mautrix-facebook
- matrix-bridge-mautrix-whatsapp

It's terribly unfortunate that those software projects don't release
anything other than `:latest`, but that's how it is for now.

Updating that software requires that users manually do `docker pull`
on the server. The playbook didn't force-repull images that it already
had.

With this patch, it starts doing so. Any image tagged `:latest` will be
force re-pulled by the playbook every time it's executed.

It should be noted that even though we ask the `docker_image` module to
force-pull, it only reports "changed" when it actually pulls something
new. This is nice, because it lets people know exactly when something
gets updated, as opposed to giving the indication that it's always
updating the images (even though it isn't).
2019-06-10 14:30:28 +03:00
Slavi PantaleevandGitHub 62ab3cd82e Merge pull request #198 from aaronraimist/access-database
Add config option to be able to access database outside of container
2019-06-10 08:24:49 +03:00
Slavi PantaleevandGitHub 4f87f7e43e Explain matrix_postgres_container_postgres_bind_port a little more
Previously, it only mentioned exposing for psql-usage purposes.

Realistically, it can be used for much more. Especially given that
psql can be easily accessed via our matrix-postgres-cli script,
without exposing the container port.
2019-06-10 08:24:37 +03:00
Slavi PantaleevandGitHub 67a54f4ab5 Merge pull request #196 from aaronraimist/sentry
Enable sentry.io integration
2019-06-08 09:30:21 +03:00
Slavi Pantaleev 44156fe659 Fix Ansible 2.8 deprecation in Dimension role 2019-06-07 17:44:32 +03:00
Slavi Pantaleev 3567d9adba Fix typo 2019-06-07 16:07:01 +03:00
Slavi Pantaleev a9953dd641 Make Facebook/Telegram bridges not log to files
We log to journald anyway. There's no need for double-logging.

It should not that matrix-synapse logs to journald and to files,
but that's likely to change in the future as well.
Because Synapse's logs are insanely verbose right now (and may get
dropped by journald), it's more reliable to have file-logging too.

As Synapse matures and gets more stable, logging should hopefully
get less, we should be able to only use journald and stop writing to
files for it as well.
2019-06-07 15:48:13 +03:00
Slavi Pantaleev 18baeabdf2 Do not create Facebook bridge directories with recurse: true
I'm not sure what I had in mind when I added this earlier,
but I think we'd better go without it.
2019-06-07 15:18:29 +03:00
Slavi Pantaleev 67c13d0a77 Update changelog 2019-06-07 15:11:25 +03:00
Slavi Pantaleev bf446b6e15 Fix double mv command 2019-06-07 15:06:21 +03:00
Slavi Pantaleev 172b0fa88c Separate Facebook bridge configuration and data
Using a separate directory allows easier backups
(only need to back up the Ansible playbook configuration and the
bridge's `./data` directory).

The playbook takes care of migrating an existing database file
from the base directory into the `./data` directory.

In the future, we can also mount the configuration read-only,
to ensure the bridge won't touch it.
For now, mautrix-facebook is keen on rebuilding the `config.yaml`
file on startup though, so this will have to wait.
2019-06-07 14:52:38 +03:00
Slavi Pantaleev 4f0bcc624f Fix typo 2019-06-07 14:29:51 +03:00
Slavi Pantaleev 330648a3e0 Make Facebook bridge configuration playbook-managed
Related to #193, but for the Facebook bridge.
(other bridges can be changed to do the same later).

This patch makes the bridge configuration entirely managed by the
Ansible playbook. The bridge's `config.yaml` and `registration.yaml`
configuration files are regenerated every time the playbook runs.

This allows us to apply updates to those files and to avoid
people having to manage the configuration files manually on the server.

-------------------------------------------------------------

A deficiency of the current approach to dumping YAML configuration in
`config.yaml` is that we strip all comments from it.
Later on, when the bridge actually starts, it will load and redump
(this time with comments), which will make the `config.yaml` file
change.

Subsequent playbook runs will report "changed" for the
"Ensure mautrix-facebook config.yaml installed" task, which is a little
strange.

We might wish to improve this in the future, if possible.

Still, it's better to have a (usually) somewhat meaningless "changed"
task than to what we had -- never rebuilding the configuration.
2019-06-07 14:05:53 +03:00
Slavi Pantaleev 04bc50a282 Make Facebook bridge docs more detailed 2019-06-07 13:51:43 +03:00