spantaleev / matrix-docker-ansible-deploy

🐳 Matrix (An open network for secure, decentralized communication) server setup using Ansible and Docker
GNU Affero General Public License v3.0

Fresh install fails: port 80 blocked for matrix-traefik.service by apache #3325

Closed ACCakut closed 5 months ago

ACCakut commented 5 months ago

Describe the bug When I try to install my first own Matrix server, I am stuck because the Traefik service cannot grab port 80, which is still blocked by Apache. I used fresh server images on Azure and a classic VPS. I chopped my config down to the very basic parts.

To Reproduce My vars.yml file looks like this:

---
# The bare domain name which represents your Matrix identity.
# Matrix user ids for your server will be of the form (`@user:<matrix-domain>`).
#
# Note: this playbook does not touch the server referenced here.
# Installation happens on another server ("matrix.<matrix-domain>").
#
# If you've deployed using the wrong domain, you'll have to run the Uninstalling step,
# because you can't change the Domain after deployment.
#
# Example value: example.com
matrix_domain: my-very-own-domain.com

# The Matrix homeserver software to install.
# See:
#  - `roles/custom/matrix-base/defaults/main.yml` for valid options
# - the `docs/configuring-playbook-IMPLEMENTATION_NAME.md` documentation page, if one is available for your implementation choice
matrix_homeserver_implementation: synapse

# A secret used as a base, for generating various other secrets.
# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
matrix_homeserver_generic_secret_key: 'BJ...'

# By default, the playbook manages its own Traefik (https://doc.traefik.io/traefik/) reverse-proxy server.
# It will retrieve SSL certificates for you on-demand and forward requests to all other components.
# For alternatives, see `docs/configuring-playbook-own-webserver.md`.
matrix_playbook_reverse_proxy_type: playbook-managed-traefik

# This is something which is provided to Let's Encrypt when retrieving SSL certificates for domains.
#
# In case SSL renewal fails at some point, you'll also get an email notification there.
#
# If you decide to use another method for managing SSL certificates (different than the default Let's Encrypt),
# you won't be required to define this variable (see `docs/configuring-playbook-ssl-certificates.md`).
#
# Example value: someone@example.com
devture_traefik_config_certificatesResolvers_acme_email: 'matrix@domain.com'

# A Postgres password to use for the superuser Postgres user (called `matrix` by default).
#
# The playbook creates additional Postgres users and databases (one for each enabled service)
# using this superuser account.
devture_postgres_connection_password: 'Qo...'

# By default, we configure Coturn's external IP address using the value specified for `ansible_host` in your `inventory/hosts` file.
# If this value is an external IP address, you can skip this section.
#
# If `ansible_host` is not the server's external IP address, you have 2 choices:
# 1. Uncomment the line below, to allow IP address auto-detection to happen (more on this below)
# 2. Uncomment and adjust the line below to specify an IP address manually
#
# By default, auto-detection will be attempted using the `https://ifconfig.co/json` API.
# Default values for this are specified in `matrix_coturn_turn_external_ip_address_auto_detection_*` variables in the Coturn role
# (see `roles/custom/matrix-coturn/defaults/main.yml`).
#
# If your server has multiple IP addresses, you may define them in another variable which allows a list of addresses.
# Example: `matrix_coturn_turn_external_ip_addresses: ['1.2.3.4', '4.5.6.7']`
#
# matrix_coturn_turn_external_ip_address: ''

devture_traefik_config_entrypoint_web_secure_enabled: false

Fresh new server image installation, Debian 11 and Alma 9 tested. `ssh-copy-id` to copy the public SSH cert. `just roles` and `just setup-all` (or `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,ensure-matrix-users-created,start`). Firewall ports open. DNS entries set.

Expected behavior The server should install flawlessly, and Traefik should be able to get port 80 on a freshly installed Linux.

Matrix Server:

TASK [galaxy/systemd_service_manager : Fail if service isn't detected to be running] ****************************************************************************************************************************
skipping: [matrix.domain.com] => (item=matrix-container-socket-proxy.service)
failed: [matrix.domain.com] (item=matrix-traefik.service) => changed=false
  ansible_loop_var: item
  item: matrix-traefik.service
  msg: matrix-traefik.service was not detected to be running. It's possible that there's a configuration problem or another service on your server interferes with it (uses the same ports, etc.). Try running `systemctl status matrix-traefik.service` and `journalctl -fu matrix-traefik.service` on the server to investigate. If you're on a slow or overloaded server, it may be that services take a longer time to start and that this error is a false-positive. You can consider raising the value of the `devture_systemd_service_manager_up_verification_delay_seconds` variable. See `/home/philipp/ansible_quickstart/matrix-docker-ansible-deploy/roles/galaxy/systemd_service_manager/defaults/main.yml` for more details about that.
skipping: [matrix.domain.com] => (item=matrix-postgres.service)
skipping: [matrix.domain.com] => (item=matrix-exim-relay.service)
skipping: [matrix.domain.com] => (item=matrix-coturn.service)
skipping: [matrix.domain.com] => (item=matrix-synapse.service)
skipping: [matrix.domain.com] => (item=matrix-client-element.service)
skipping: [matrix.domain.com] => (item=matrix-static-files.service)
skipping: [matrix.domain.com] => (item=matrix-coturn-reload.timer)

journalctl -fu matrix-traefik.service

May 18 20:04:33 domain.com systemd[1]: Started Traefik (matrix-traefik).
May 18 20:04:34 domain.com matrix-traefik[14697]: Error response from daemon: driver failed programming external connectivity on endpoint matrix-traefik (e635a98441739574302de3b512f40e49d7d9...): Error starting userland proxy: listen tcp4 0.0.0.0:80: bind: address already in use
May 18 20:04:34 domain.com systemd[1]: matrix-traefik.service: Main process exited, code=exited, status=1/FAILURE
May 18 20:04:34 domain.com systemd[1]: matrix-traefik.service: Failed with result 'exit-code'.

lsof

httpd       414   root    3u  IPv4 2982...     0t0  TCP *:http (LISTEN)
httpd       426 apache    3u  IPv4 2982...      0t0  TCP *:http (LISTEN)
httpd       427 apache    3u  IPv4 2982...      0t0  TCP *:http (LISTEN)
httpd       428 apache    3u  IPv4 2982...     0t0  TCP *:http (LISTEN)

spantaleev commented 5 months ago

You either need to remove Apache and start using Traefik, or to make Traefik not try to use the same ports as Apache (that is, making Traefik not handle public traffic - putting it behind Apache).

You can migrate your existing Apache configuration to Traefik (this may be difficult, depending on what you're using Apache for).

If you'd like to keep Apache around, you can refer to our "Using your own webserver, instead of this playbook's Traefik reverse-proxy (optional, advanced)" documentation and specifically the "Fronting the integrated reverse-proxy webserver with another reverse-proxy" section.
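The failure above only surfaces after the playbook has already deployed everything and Traefik refuses to start. The following pre-flight check is an added example, not code from the playbook or from either participant: it parses the `ss -H -ltnp` listener table and names the process holding each port Traefik needs (80 and 443 by default), so the conflict is visible before `just setup-all` runs. The embedded table is a constructed sample modelled on the `lsof` output in the issue (Apache's `httpd` on `*:80`, with an extra IPv6 listener to show de-duplication); `--live` is an assumed switch for this script that runs the real `ss` (from iproute2) instead.

```shell
#!/usr/bin/env bash
# Pre-flight check for the playbook-managed Traefik: which processes already
# listen on the host ports it must bind? Added example; not part of the playbook.
set -eu

# Constructed sample of `ss -H -ltnp` output (State Recv-Q Send-Q Local Peer Process).
# Modelled on the issue's lsof listing: httpd holds port 80 on IPv4 and IPv6.
SAMPLE_SS='LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("httpd",pid=428,fd=3),("httpd",pid=427,fd=3),("httpd",pid=414,fd=3))
LISTEN 0 511 [::]:80 [::]:* users:(("httpd",pid=428,fd=4),("httpd",pid=414,fd=4))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=612,fd=3))
LISTEN 0 4096 *:443 *:* users:(("matrix-traefik",pid=900,fd=7))'

# Read an `ss -H -ltnp` table on stdin and print the distinct process names
# that hold a TCP listener on port $1 (one name per line, nothing if free).
holders_of_port() {
    awk -v port="$1" '
        {
            lp = $4; sub(/.*:/, "", lp)            # local port is after the last ":" (also for [::]:80 and *:443)
            if (lp != port) next
            s = $0                                  # users:(("httpd",pid=428,fd=3),...) -> each quoted name
            while (match(s, /\("[^"]+"/)) {
                name = substr(s, RSTART + 2, RLENGTH - 3)
                if (!(name in seen)) { seen[name] = 1; print name }
                s = substr(s, RSTART + RLENGTH)
            }
        }'
}

# Live listener table; needs root to see pids of other users' processes.
ss_listeners() { ss -H -ltnp 2>/dev/null; }

# preflight_ports TABLE PORT...: report each port; return 1 if any is taken.
preflight_ports() {
    local table="$1"; shift
    local rc=0 port who
    for port in "$@"; do
        who=$(printf '%s\n' "$table" | holders_of_port "$port" | tr '\n' ' ')
        if [ -n "$who" ]; then
            echo "port $port already held by: $who(stop/disable it, or bind Traefik elsewhere)" >&2
            rc=1
        else
            echo "port $port free"
        fi
    done
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    preflight_ports "$(ss_listeners || true)" 80 443 \
        || echo "preflight failed: resolve the conflict before running just setup-all" >&2
else
    # Demo on the constructed sample: port 80 is reported as taken by httpd.
    preflight_ports "$SAMPLE_SS" 80 443 \
        || echo "preflight failed on the sample table (expected: httpd holds port 80)" >&2
fi
```

Run it as root on the target host with `--live` right before the playbook; a non-zero exit means the same bind error Traefik logs in the journal would follow. If the holder is `httpd`, either remove Apache and let Traefik take over, or keep Apache in front and move Traefik to a loopback port as the linked documentation describes.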

ACCakut commented 5 months ago

I did not install Apache before, and it was definitely not installed before running the script (`apt remove apache` said that). When running my original (not minimal) config, I got errors with the coturn service not running. As I said, I tested two hosters and different basic distributions, so that, IMHO, the playbook should run fine.