finallycoffee/matrix-docker-ansible-deploy
5
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge branch 'master' into conduit

Browse Source
This commit is contained in:
Slavi Pantaleev
2022-08-09 10:46:03 +03:00
committed by GitHub
parent e74560c6ef 20775fbe30
commit 04f224e634
559 changed files with 10081 additions and 4434 deletions
Download Patch File Download Diff File Expand all files Collapse all files

97
roles/matrix-nginx-proxy/defaults/main.yml
View File

@ -1,6 +1,7 @@
---
# Project source code URL: https://github.com/nginx/nginx
matrix_nginx_proxy_enabled: true
matrix_nginx_proxy_version: 1.21.6-alpine
matrix_nginx_proxy_version: 1.23.0-alpine
# We use an official nginx image, which we fix-up to run unprivileged.
# An alternative would be an `nginxinc/nginx-unprivileged` image, but
@ -174,6 +175,10 @@ matrix_nginx_proxy_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}"
matrix_nginx_proxy_proxy_cinny_enabled: false
matrix_nginx_proxy_proxy_cinny_hostname: "{{ matrix_server_fqn_cinny }}"
# Controls whether proxying the buscarron domain should be done.
matrix_nginx_proxy_proxy_buscarron_enabled: false
matrix_nginx_proxy_proxy_buscarron_hostname: "{{ matrix_server_fqn_buscarron }}"
# Controls whether proxying the matrix domain should be done.
matrix_nginx_proxy_proxy_matrix_enabled: false
matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}"
@ -203,6 +208,62 @@ matrix_nginx_proxy_proxy_grafana_hostname: "{{ matrix_server_fqn_grafana }}"
matrix_nginx_proxy_proxy_sygnal_enabled: false
matrix_nginx_proxy_proxy_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}"
# Controls whether proxying the ntfy domain should be done.
matrix_nginx_proxy_proxy_ntfy_enabled: false
matrix_nginx_proxy_proxy_ntfy_hostname: "{{ matrix_server_fqn_ntfy }}"
# Controls whether proxying for (Prometheus) metrics (`/metrics/*`) for the various services should be done (on the matrix domain)
# If the internal Prometheus server (`matrix-prometheus` role) is used, proxying is not necessary, since Prometheus can access each container directly.
# This is only useful when an external Prometheus will be collecting metrics.
#
# To control what kind of metrics are exposed under `/metrics/` (e.g `/metrics/node-exporter`, `/metrics/postgres-exporter`, etc.),
# use `matrix_SERVICE_metrics_proxying_enabled` variables in each respective role.
# Roles inject themselves into the matrix-nginx-proxy configuration.
#
# To protect the metrics endpoints, see `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled`
matrix_nginx_proxy_proxy_matrix_metrics_enabled: false
# Controls whether Basic Auth is enabled for all `/metrics/*` endpoints.
#
# You can provide the Basic Auth credentials in 2 ways:
# 1. A single username/password pair using `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password`
# 2. Using raw content (`htpasswd`-generated file) provided in `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content`
matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled: false
# `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password` specify
# the Basic Auth username/password for protecting `/metrics/*` endpoints.
# Alternatively, use `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content`.
matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username: ""
matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password: ""
# `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content` value will be written verbatim to the htpasswd file protecting `/metrics/*` endpoints.
# Use this when a single username/password is not enough and you'd like to get more control over credentials.
#
# Read the manpage at `man 1 htpasswd` to learn more, then encrypt your password, and paste the encrypted value here.
# e.g. `htpasswd -c mypass.htpasswd prometheus` and enter `mysecurepw` when prompted yields `prometheus:$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/`
# The whole thing is needed here. matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content: "prometheus:$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/"
matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content: ""
# Specifies the path to the htpasswd file holding the htpasswd credentials for protecting `/metrics/*` endpoints
# This is not meant to be modified.
matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_path: "{{ matrix_nginx_proxy_data_path_in_container if matrix_nginx_proxy_enabled else matrix_nginx_proxy_data_path }}/matrix-metrics-htpasswd"
# Specifies the Apache container image to use
# when `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password` are provided.
# This image provides the `htpasswd` tool which we use for generating the htpasswd file protecting `/metrics/*`.
# To avoid using this, use `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content` instead of supplying username/password.
# Learn more in: `roles/matrix-nginx-proxy/tasks/nginx-proxy/setup_metrics_auth.yml`.
matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image: "{{ matrix_container_global_registry_prefix }}httpd:{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image_tag }}"
matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image_tag: "2.4.54-alpine3.16"
matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_force_pull: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image_tag.endswith(':latest') }}"
# A list of strings containing additional configuration blocks to add to the `location /metrics` configuration (matrix-domain.conf).
# Do not modify `matrix_nginx_proxy_proxy_matrix_metrics_additional_location_configuration_blocks` and `matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks`.
# If you'd like to inject your own configuration blocks, use `matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks`.
matrix_nginx_proxy_proxy_matrix_metrics_additional_location_configuration_blocks: "{{ matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks + matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks }}"
matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: []
matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks: []
# Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain)
matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
@ -227,16 +288,6 @@ matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false
matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"
matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"
# Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain)
matrix_nginx_proxy_proxy_synapse_metrics: false
matrix_nginx_proxy_synapse_workers_enabled_list: []
matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled: false
# The following value will be written verbatim to the htpasswd file that stores the password for nginx to check against and needs to be encoded appropriately.
# Read the manpage at `man 1 htpasswd` to learn more, then encrypt your password, and paste the encrypted value here.
# e.g. `htpasswd -c mypass.htpasswd prometheus` and enter `mysecurepw` when prompted yields `prometheus:$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/`
# The part after `prometheus:` is needed here. matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: "$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/"
matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: ""
# The addresses where the Matrix Client API is.
# Certain extensions (like matrix-corporal) may override this in order to capture all traffic.
matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-nginx-proxy:12080"
@ -269,8 +320,6 @@ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: |
(['/_synapse/oidc'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled else [])
+
(['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else [])
+
(['/_synapse.*/metrics'] if matrix_nginx_proxy_proxy_synapse_metrics else [])
}}
# Specifies where requests for the root URI (`/`) on the `matrix.` domain should be redirected.
@ -282,7 +331,7 @@ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: ""
# Controls whether proxying for the Matrix Federation API should be done.
matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false
matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-nginx-proxy:12088"
matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "localhost:12088"
matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:12088"
matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb | int) * 3 }}"
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem"
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem"
@ -290,7 +339,7 @@ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate: "{{ matr
# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}"
matrix_nginx_proxy_tmp_cache_directory_size_mb: "{{ (matrix_nginx_proxy_synapse_cache_max_size_mb | int) * 2 }}"
# A list of strings containing additional configuration blocks to add to the nginx server configuration (nginx.conf).
# for big matrixservers to enlarge the number of open files to prevent timeouts
# matrix_nginx_proxy_proxy_additional_configuration_blocks:
@ -318,6 +367,9 @@ matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks: []
# A list of strings containing additional configuration blocks to add to Cinny's server configuration (matrix-client-cinny.conf).
matrix_nginx_proxy_proxy_cinny_additional_server_configuration_blocks: []
# A list of strings containing additional configuration blocks to add to buscarron's server configuration (matrix-bot-buscarron.conf).
matrix_nginx_proxy_proxy_buscarron_additional_server_configuration_blocks: []
# A list of strings containing additional configuration blocks to add to Dimension's server configuration (matrix-dimension.conf).
matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: []
@ -333,6 +385,9 @@ matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks: []
# A list of strings containing additional configuration blocks to add to Sygnal's server configuration (matrix-sygnal.conf).
matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks: []
# A list of strings containing additional configuration blocks to add to ntfy's server configuration (matrix-ntfy.conf).
matrix_nginx_proxy_proxy_ntfy_additional_server_configuration_blocks: []
# A list of strings containing additional configuration blocks to add to the base domain server configuration (matrix-base-domain.conf).
matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: []
@ -492,7 +547,7 @@ matrix_ssl_lets_encrypt_staging: false
# Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#changing-the-acme-server
matrix_ssl_lets_encrypt_server: ''
matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.23.0"
matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.28.0"
matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"
matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
matrix_ssl_lets_encrypt_support_email: ~
@ -572,6 +627,16 @@ matrix_nginx_proxy_synapse_media_repository_locations: []
matrix_nginx_proxy_synapse_user_dir_locations: []
matrix_nginx_proxy_synapse_frontend_proxy_locations: []
# synapse content caching
matrix_nginx_proxy_synapse_cache_enabled: false
matrix_nginx_proxy_synapse_cache_path: "{{ '/tmp/synapse-cache' if matrix_nginx_proxy_enabled else matrix_nginx_proxy_data_path+'/synapse-cache' }}"
matrix_nginx_proxy_synapse_cache_keys_zone_name: "STATIC"
matrix_nginx_proxy_synapse_cache_keys_zone_size: "10m"
matrix_nginx_proxy_synapse_cache_inactive_time: "48h"
matrix_nginx_proxy_synapse_cache_max_size_mb: 1024
matrix_nginx_proxy_synapse_cache_proxy_cache_valid_time: "24h"
# The amount of worker processes and connections
# Consider increasing these when you are expecting high amounts of traffic
# http://nginx.org/en/docs/ngx_core_module.html#worker_connections

8
roles/matrix-nginx-proxy/tasks/init.yml
View File

@ -1,9 +1,9 @@
---
- set_fact:
- ansible.builtin.set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-nginx-proxy.service'] }}"
when: matrix_nginx_proxy_enabled|bool
when: matrix_nginx_proxy_enabled | bool
- set_fact:
- ansible.builtin.set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + [item.name] }}"
when: "item.applicable|bool and item.enableable|bool"
when: "item.applicable | bool and item.enableable | bool"
with_items: "{{ matrix_ssl_renewal_systemd_units_list }}"

20
roles/matrix-nginx-proxy/tasks/main.yml
View File

@ -1,39 +1,39 @@
---
- import_tasks: "{{ role_path }}/tasks/init.yml"
- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml"
tags:
- always
# Always validating the configuration, even if `matrix_nginx_proxy: false`.
# This role performs actions even if the role is disabled, so we need
# to ensure there's a valid configuration in any case.
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: run_setup|bool
- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: run_setup | bool
tags:
- setup-all
- setup-nginx-proxy
- import_tasks: "{{ role_path }}/tasks/ssl/main.yml"
when: run_setup|bool
- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ssl/main.yml"
when: run_setup | bool
tags:
- setup-all
- setup-nginx-proxy
- setup-ssl
- import_tasks: "{{ role_path }}/tasks/setup_nginx_proxy.yml"
when: run_setup|bool
- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_nginx_proxy.yml"
when: run_setup | bool
tags:
- setup-all
- setup-nginx-proxy
- import_tasks: "{{ role_path }}/tasks/self_check_well_known.yml"
- ansible.builtin.import_tasks: "{{ role_path }}/tasks/self_check_well_known.yml"
delegate_to: 127.0.0.1
become: false
when: run_self_check|bool
when: run_self_check | bool
tags:
- self-check
- name: Mark matrix-nginx-proxy role as executed
set_fact:
ansible.builtin.set_fact:
matrix_nginx_proxy_role_executed: true
tags:
- always

60
roles/matrix-nginx-proxy/tasks/nginx-proxy/setup_metrics_auth.yml Normal file
View File

@ -0,0 +1,60 @@
---
# When we're dealing with raw htpasswd content, we just store it in the file directly.
- name: Ensure matrix-metrics-htpasswd is present when generated from raw content (protecting /metrics/* URIs)
ansible.builtin.copy:
content: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content }}"
dest: "{{ matrix_nginx_proxy_data_path }}/matrix-metrics-htpasswd"
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
mode: 0600
when: not matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username
# Alternatively, we need to use the `htpasswd` tool to generate the htpasswd file.
# There's an Ansible module that helps with that, but it requires passlib (a Python module) to be installed on the server.
# See: https://docs.ansible.com/ansible/2.3/htpasswd_module.html#requirements-on-host-that-executes-module
# We support various distros, with various versions of Python. Installing additional Python modules can be a hassle.
# As a workaround, we run `htpasswd` from an Apache container image.
- block:
- name: Ensure Apache Docker image is pulled for generating matrix-metrics-htpasswd from username/password (protecting /metrics/* URIs)
docker_image:
name: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_force_pull }}"
register: result
retries: "{{ matrix_container_retries_count }}"
delay: "{{ matrix_container_retries_delay }}"
until: result is not failed
# We store the password in a file and make the `htpasswd` tool read it from there,
# as opposed to passing it directly on stdin (which will expose it to other processes on the server).
- name: Store metrics password in a temporary file
ansible.builtin.copy:
content: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password }}"
dest: "/tmp/matrix-nginx-proxy-metrics-password"
mode: 0400
owner: "{{ matrix_user_uid }}"
group: "{{ matrix_user_gid }}"
- name: Generate matrix-metrics-htpasswd from username/password (protecting /metrics/* URIs)
ansible.builtin.command:
cmd: >-
{{ matrix_host_command_docker }} run
--rm
--user={{ matrix_user_uid }}:{{ matrix_user_gid }}
--cap-drop=ALL
--network=none
--mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst=/data
--mount type=bind,src=/tmp/matrix-nginx-proxy-metrics-password,dst=/password,ro
--entrypoint=/bin/sh
{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image }}
-c
'cat /password | htpasswd -i -c /data/matrix-metrics-htpasswd {{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username }} && chmod 600 /data/matrix-metrics-htpasswd'
changed_when: true
- name: Delete temporary metrics password file
ansible.builtin.file:
path: /tmp/matrix-nginx-proxy-metrics-password
state: absent
when: matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username != ''

10
roles/matrix-nginx-proxy/tasks/self_check_well_known.yml
View File

@ -1,7 +1,7 @@
---
- name: Determine well-known files to check (Matrix)
set_fact:
ansible.builtin.set_fact:
well_known_file_checks:
- path: /.well-known/matrix/client
purpose: Client Discovery
@ -10,7 +10,7 @@
validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}"
- block:
- set_fact:
- ansible.builtin.set_fact:
well_known_file_check_matrix_server:
path: /.well-known/matrix/server
purpose: Server Discovery
@ -19,12 +19,12 @@
validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}"
- name: Determine domains that we require certificates for (ma1sd)
set_fact:
ansible.builtin.set_fact:
well_known_file_checks: "{{ well_known_file_checks + [well_known_file_check_matrix_server] }}"
when: matrix_well_known_matrix_server_enabled|bool
when: matrix_well_known_matrix_server_enabled | bool
- name: Perform well-known checks
include_tasks: "{{ role_path }}/tasks/self_check_well_known_file.yml"
ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_well_known_file.yml"
with_items: "{{ well_known_file_checks }}"
loop_control:
loop_var: well_known_file_check

28
roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml
View File

@ -1,13 +1,13 @@
---
- set_fact:
- ansible.builtin.set_fact:
well_known_url_matrix: "https://{{ matrix_server_fqn_matrix }}{{ well_known_file_check.path }}"
well_known_url_identity: "https://{{ matrix_domain }}{{ well_known_file_check.path }}"
# These well-known files may be served without a `Content-Type: application/json` header,
# so we can't rely on the uri module's automatic parsing of JSON.
- name: Check .well-known on the matrix hostname
uri:
ansible.builtin.uri:
url: "{{ well_known_url_matrix }}"
follow_redirects: none
return_content: true
@ -19,25 +19,25 @@
ignore_errors: true
- name: Fail if .well-known not working on the matrix hostname
fail:
ansible.builtin.fail:
msg: "Failed checking that the well-known file for {{ well_known_file_check.purpose }} is configured at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_matrix }}"
when: "result_well_known_matrix.failed"
- name: Parse JSON for well-known payload at the matrix hostname
set_fact:
well_known_matrix_payload: "{{ result_well_known_matrix.content|from_json }}"
ansible.builtin.set_fact:
well_known_matrix_payload: "{{ result_well_known_matrix.content | from_json }}"
- name: Fail if .well-known not CORS-aware on the matrix hostname
fail:
ansible.builtin.fail:
msg: "The well-known file for {{ well_known_file_check.purpose }} on `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`) is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set."
when: "well_known_file_check.cors and 'access_control_allow_origin' not in result_well_known_matrix"
- name: Report working .well-known on the matrix hostname
debug:
ansible.builtin.debug:
msg: "well-known for {{ well_known_file_check.purpose }} is configured correctly for `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`)"
- name: Check .well-known on the identity hostname
uri:
ansible.builtin.uri:
url: "{{ well_known_url_identity }}"
follow_redirects: "{{ well_known_file_check.follow_redirects }}"
return_content: true
@ -49,25 +49,25 @@
ignore_errors: true
- name: Fail if .well-known not working on the identity hostname
fail:
ansible.builtin.fail:
msg: "Failed checking that the well-known file for {{ well_known_file_check.purpose }} is configured at `{{ matrix_domain }}` (checked endpoint: `{{ well_known_url_identity }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_identity }}"
when: "result_well_known_identity.failed"
- name: Parse JSON for well-known payload at the identity hostname
set_fact:
well_known_identity_payload: "{{ result_well_known_identity.content|from_json }}"
ansible.builtin.set_fact:
well_known_identity_payload: "{{ result_well_known_identity.content | from_json }}"
- name: Fail if .well-known not CORS-aware on the identity hostname
fail:
ansible.builtin.fail:
msg: "The well-known file for {{ well_known_file_check.purpose }} on `{{ matrix_domain }}` (checked endpoint: `{{ well_known_url_identity }}`) is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set. See docs/configuring-well-known.md"
when: "well_known_file_check.cors and 'access_control_allow_origin' not in result_well_known_identity"
# For people who manually copy the well-known file, try to detect if it's outdated
- name: Fail if well-known is different on matrix hostname and identity hostname
fail:
ansible.builtin.fail:
msg: "The well-known files for {{ well_known_file_check.purpose }} at `{{ matrix_server_fqn_matrix }}` and `{{ matrix_domain }}` are different. Perhaps you copied the file ({{ well_known_file_check.path }}) manually before and now it's outdated?"
when: "well_known_matrix_payload != well_known_identity_payload"
- name: Report working .well-known on the identity hostname
debug:
ansible.builtin.debug:
msg: "well-known for {{ well_known_file_check.purpose }} ({{ well_known_file_check.path }}) is configured correctly for `{{ matrix_domain }}` (checked endpoint: `{{ well_known_url_identity }}`)"

219
roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
View File

@ -11,74 +11,62 @@
# to be unnecessary.
#
- name: Ensure Matrix nginx-proxy paths exist
file:
path: "{{ item }}"
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- "{{ matrix_nginx_proxy_base_path }}"
- "{{ matrix_nginx_proxy_data_path }}"
- "{{ matrix_nginx_proxy_confd_path }}"
- {path: "{{ matrix_nginx_proxy_base_path }}", when: true}
- {path: "{{ matrix_nginx_proxy_data_path }}", when: true}
- {path: "{{ matrix_nginx_proxy_confd_path }}", when: true}
- {path: "{{ matrix_nginx_proxy_synapse_cache_path }}", when: "{{ matrix_nginx_proxy_synapse_cache_enabled and not matrix_nginx_proxy_enabled }}"}
when: item.when | bool
- name: Ensure Matrix nginx-proxy configured (main config override)
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/nginx.conf.j2"
dest: "{{ matrix_nginx_proxy_base_path }}/nginx.conf"
mode: 0644
when: matrix_nginx_proxy_enabled|bool
when: matrix_nginx_proxy_enabled | bool
- name: Ensure matrix-synapse-metrics-htpasswd is present (protecting /_synapse/metrics URI)
template:
src: "{{ role_path }}/templates/nginx/matrix-synapse-metrics-htpasswd.j2"
dest: "{{ matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd"
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
mode: 0400
when: "matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled|bool and matrix_nginx_proxy_proxy_synapse_metrics|bool"
- name: Generate sample prometheus.yml for external scraping
template:
src: "{{ role_path }}/templates/prometheus/external_prometheus.yml.example.j2"
dest: "{{ matrix_base_data_path }}/external_prometheus.yml.example"
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
mode: 0644
when: matrix_nginx_proxy_proxy_synapse_metrics|bool
- name: Setup metrics
ansible.builtin.include_tasks: "{{ role_path }}/tasks/nginx-proxy/setup_metrics_auth.yml"
when: matrix_nginx_proxy_proxy_matrix_metrics_enabled | bool and matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled | bool
- name: Ensure Matrix nginx-proxy configured (generic)
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/conf.d/nginx-http.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/nginx-http.conf"
mode: 0644
when: matrix_nginx_proxy_enabled|bool
when: matrix_nginx_proxy_enabled | bool
- name: Ensure Matrix nginx-proxy configuration for matrix-synapse exists
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-synapse.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-synapse.conf"
mode: 0644
when: matrix_nginx_proxy_proxy_synapse_enabled|bool
when: matrix_nginx_proxy_proxy_synapse_enabled | bool
- name: Ensure Matrix nginx-proxy configuration for matrix-synapse deleted
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-synapse.conf"
state: absent
when: "not matrix_nginx_proxy_proxy_synapse_enabled|bool"
when: "not matrix_nginx_proxy_proxy_synapse_enabled | bool"
- name: Ensure Matrix nginx-proxy configuration for matrix-dendrite exists
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-dendrite.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-dendrite.conf"
mode: 0644
when: matrix_nginx_proxy_proxy_dendrite_enabled|bool
when: matrix_nginx_proxy_proxy_dendrite_enabled | bool
- name: Ensure Matrix nginx-proxy configuration for matrix-dendrite deleted
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-dendrite.conf"
state: absent
when: "not matrix_nginx_proxy_proxy_dendrite_enabled|bool"
when: "not matrix_nginx_proxy_proxy_dendrite_enabled | bool"
- name: Ensure Matrix nginx-proxy configuration for matrix-conduit exists
template:
@ -94,98 +82,112 @@
when: "not matrix_nginx_proxy_proxy_conduit_enabled|bool"
- name: Ensure Matrix nginx-proxy configuration for Element domain exists
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-element.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-element.conf"
mode: 0644
when: matrix_nginx_proxy_proxy_element_enabled|bool
when: matrix_nginx_proxy_proxy_element_enabled | bool
- name: Ensure Matrix nginx-proxy configuration for riot domain exists
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-riot-web.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-riot-web.conf"
mode: 0644
when: matrix_nginx_proxy_proxy_riot_compat_redirect_enabled|bool
when: matrix_nginx_proxy_proxy_riot_compat_redirect_enabled | bool
- name: Ensure Matrix nginx-proxy configuration for Hydrogen domain exists
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-hydrogen.conf"
mode: 0644
when: matrix_nginx_proxy_proxy_hydrogen_enabled|bool
when: matrix_nginx_proxy_proxy_hydrogen_enabled | bool
- name: Ensure Matrix nginx-proxy configuration for Cinny domain exists
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-cinny.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-cinny.conf"
mode: 0644
when: matrix_nginx_proxy_proxy_cinny_enabled|bool
when: matrix_nginx_proxy_proxy_cinny_enabled | bool
- name: Ensure Matrix nginx-proxy configuration for buscarron domain exists
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-bot-buscarron.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-bot-buscarron.conf"
mode: 0644
when: matrix_nginx_proxy_proxy_buscarron_enabled | bool
- name: Ensure Matrix nginx-proxy configuration for dimension domain exists
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-dimension.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-dimension.conf"
mode: 0644
when: matrix_nginx_proxy_proxy_dimension_enabled|bool
when: matrix_nginx_proxy_proxy_dimension_enabled | bool
- name: Ensure Matrix nginx-proxy configuration for goneb domain exists
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-bot-go-neb.conf"
mode: 0644
when: matrix_nginx_proxy_proxy_bot_go_neb_enabled|bool
when: matrix_nginx_proxy_proxy_bot_go_neb_enabled | bool
- name: Ensure Matrix nginx-proxy configuration for jitsi domain exists
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-jitsi.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-jitsi.conf"
mode: 0644
when: matrix_nginx_proxy_proxy_jitsi_enabled|bool
when: matrix_nginx_proxy_proxy_jitsi_enabled | bool
- name: Ensure Matrix nginx-proxy configuration for grafana domain exists
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-grafana.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-grafana.conf"
mode: 0644
when: matrix_nginx_proxy_proxy_grafana_enabled|bool
when: matrix_nginx_proxy_proxy_grafana_enabled | bool
- name: Ensure Matrix nginx-proxy configuration for sygnal domain exists
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-sygnal.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-sygnal.conf"
mode: 0644
when: matrix_nginx_proxy_proxy_sygnal_enabled|bool
when: matrix_nginx_proxy_proxy_sygnal_enabled | bool
- name: Ensure Matrix nginx-proxy configuration for ntfy domain exists
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-ntfy.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-ntfy.conf"
mode: 0644
when: matrix_nginx_proxy_proxy_ntfy_enabled | bool
- name: Ensure Matrix nginx-proxy configuration for Matrix domain exists
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-domain.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-domain.conf"
mode: 0644
- name: Ensure Matrix nginx-proxy data directory for base domain exists
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_data_path }}/matrix-domain"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: matrix_nginx_proxy_base_domain_serving_enabled|bool and matrix_nginx_proxy_base_domain_create_directory|bool
when: matrix_nginx_proxy_base_domain_serving_enabled | bool and matrix_nginx_proxy_base_domain_create_directory | bool
- name: Ensure Matrix nginx-proxy homepage for base domain exists
copy:
ansible.builtin.copy:
content: "{{ matrix_nginx_proxy_base_domain_homepage_template }}"
dest: "{{ matrix_nginx_proxy_data_path }}/matrix-domain/index.html"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: matrix_nginx_proxy_base_domain_serving_enabled|bool and matrix_nginx_proxy_base_domain_homepage_enabled|bool and matrix_nginx_proxy_base_domain_create_directory|bool
when: matrix_nginx_proxy_base_domain_serving_enabled | bool and matrix_nginx_proxy_base_domain_homepage_enabled | bool and matrix_nginx_proxy_base_domain_create_directory | bool
- name: Ensure Matrix nginx-proxy configuration for base domain exists
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-base-domain.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-base-domain.conf"
mode: 0644
when: matrix_nginx_proxy_base_domain_serving_enabled|bool
when: matrix_nginx_proxy_base_domain_serving_enabled | bool
#
# Tasks related to setting up matrix-nginx-proxy
@ -196,22 +198,22 @@
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_nginx_proxy_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_nginx_proxy_docker_image_force_pull }}"
when: matrix_nginx_proxy_enabled|bool
when: matrix_nginx_proxy_enabled | bool
register: result
retries: "{{ matrix_container_retries_count }}"
delay: "{{ matrix_container_retries_delay }}"
until: result is not failed
- name: Ensure matrix-nginx-proxy.service installed
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/matrix-nginx-proxy.service.j2"
dest: "{{ matrix_systemd_path }}/matrix-nginx-proxy.service"
mode: 0644
register: matrix_nginx_proxy_systemd_service_result
when: matrix_nginx_proxy_enabled|bool
when: matrix_nginx_proxy_enabled | bool
- name: Ensure systemd reloaded after matrix-nginx-proxy.service installation
service:
ansible.builtin.service:
daemon_reload: true
when: "matrix_nginx_proxy_enabled and matrix_nginx_proxy_systemd_service_result.changed"
@ -221,111 +223,128 @@
#
- name: Check existence of matrix-nginx-proxy service
stat:
ansible.builtin.stat:
path: "{{ matrix_systemd_path }}/matrix-nginx-proxy.service"
register: matrix_nginx_proxy_service_stat
when: "not matrix_nginx_proxy_enabled|bool"
when: "not matrix_nginx_proxy_enabled | bool"
- name: Ensure matrix-nginx-proxy is stopped
service:
ansible.builtin.service:
name: matrix-nginx-proxy
state: stopped
enabled: false
daemon_reload: true
register: stopping_result
when: "not matrix_nginx_proxy_enabled|bool and matrix_nginx_proxy_service_stat.stat.exists"
when: "not matrix_nginx_proxy_enabled | bool and matrix_nginx_proxy_service_stat.stat.exists"
- name: Ensure matrix-nginx-proxy.service doesn't exist
file:
ansible.builtin.file:
path: "{{ matrix_systemd_path }}/matrix-nginx-proxy.service"
state: absent
when: "not matrix_nginx_proxy_enabled|bool and matrix_nginx_proxy_service_stat.stat.exists"
when: "not matrix_nginx_proxy_enabled | bool and matrix_nginx_proxy_service_stat.stat.exists"
- name: Ensure systemd reloaded after matrix-nginx-proxy.service removal
service:
ansible.builtin.service:
daemon_reload: true
when: "not matrix_nginx_proxy_enabled|bool and matrix_nginx_proxy_service_stat.stat.exists"
when: "not matrix_nginx_proxy_enabled | bool and matrix_nginx_proxy_service_stat.stat.exists"
- name: Ensure Matrix nginx-proxy configuration for matrix domain deleted
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-domain.conf"
state: absent
when: "not matrix_nginx_proxy_proxy_matrix_enabled|bool"
when: "not matrix_nginx_proxy_proxy_matrix_enabled | bool"
- name: Ensure Matrix nginx-proxy configuration for riot domain deleted
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-riot-web.conf"
state: absent
when: "not matrix_nginx_proxy_proxy_riot_compat_redirect_enabled|bool"
when: "not matrix_nginx_proxy_proxy_riot_compat_redirect_enabled | bool"
- name: Ensure Matrix nginx-proxy configuration for Hydrogen domain deleted
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-hydrogen.conf"
state: absent
when: "not matrix_nginx_proxy_proxy_hydrogen_enabled|bool"
when: "not matrix_nginx_proxy_proxy_hydrogen_enabled | bool"
- name: Ensure Matrix nginx-proxy configuration for Cinny domain deleted
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-cinny.conf"
state: absent
when: "not matrix_nginx_proxy_proxy_cinny_enabled|bool"
when: "not matrix_nginx_proxy_proxy_cinny_enabled | bool"
- name: Ensure Matrix nginx-proxy configuration for buscarron domain deleted
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-bot-buscarron.conf"
state: absent
when: "not matrix_nginx_proxy_proxy_buscarron_enabled | bool"
- name: Ensure Matrix nginx-proxy configuration for dimension domain deleted
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-dimension.conf"
state: absent
when: "not matrix_nginx_proxy_proxy_dimension_enabled|bool"
when: "not matrix_nginx_proxy_proxy_dimension_enabled | bool"
- name: Ensure Matrix nginx-proxy configuration for goneb domain deleted
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-bot-go-neb.conf"
state: absent
when: "not matrix_nginx_proxy_proxy_bot_go_neb_enabled|bool"
when: "not matrix_nginx_proxy_proxy_bot_go_neb_enabled | bool"
- name: Ensure Matrix nginx-proxy configuration for jitsi domain deleted
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-jitsi.conf"
state: absent
when: "not matrix_nginx_proxy_proxy_jitsi_enabled|bool"
when: "not matrix_nginx_proxy_proxy_jitsi_enabled | bool"
- name: Ensure Matrix nginx-proxy configuration for grafana domain deleted
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-grafana.conf"
state: absent
when: "not matrix_nginx_proxy_proxy_grafana_enabled|bool"
when: "not matrix_nginx_proxy_proxy_grafana_enabled | bool"
- name: Ensure Matrix nginx-proxy configuration for sygnal domain deleted
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-sygnal.conf"
state: absent
when: "not matrix_nginx_proxy_proxy_sygnal_enabled|bool"
when: "not matrix_nginx_proxy_proxy_sygnal_enabled | bool"
- name: Ensure Matrix nginx-proxy configuration for ntfy domain deleted
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-ntfy.conf"
state: absent
when: "not matrix_nginx_proxy_proxy_ntfy_enabled | bool"
- name: Ensure Matrix nginx-proxy homepage for base domain deleted
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_data_path }}/matrix-domain/index.html"
state: absent
when: "not matrix_nginx_proxy_base_domain_serving_enabled|bool"
when: "not matrix_nginx_proxy_base_domain_serving_enabled | bool"
- name: Ensure Matrix nginx-proxy configuration for base domain deleted
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-base-domain.conf"
state: absent
when: "not matrix_nginx_proxy_base_domain_serving_enabled|bool"
when: "not matrix_nginx_proxy_base_domain_serving_enabled | bool"
- name: Ensure Matrix nginx-proxy configuration for main config override deleted
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_base_path }}/nginx.conf"
state: absent
when: "not matrix_nginx_proxy_enabled|bool"
when: "not matrix_nginx_proxy_enabled | bool"
- name: Ensure Matrix nginx-proxy htpasswd is deleted (protecting /_synapse/metrics URI)
file:
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd"
state: absent
when: "not matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled|bool or not matrix_nginx_proxy_proxy_synapse_metrics|bool"
- name: Ensure sample prometheus.yml for external scraping is deleted
file:
# This file is now generated by the matrix-synapse role and saved in the Synapse directory
- name: (Cleanup) Ensure old sample prometheus.yml for external scraping is deleted
ansible.builtin.file:
path: "{{ matrix_base_data_path }}/external_prometheus.yml.example"
state: absent
when: "not matrix_nginx_proxy_proxy_synapse_metrics|bool"
- name: Ensure Matrix nginx-proxy htpasswd is deleted (protecting /metrics/* URIs)
ansible.builtin.file:
path: "{{ matrix_nginx_proxy_data_path }}/matrix-metrics-htpasswd"
state: absent
when: "not matrix_nginx_proxy_proxy_matrix_metrics_enabled | bool or not matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled | bool"

6
roles/matrix-nginx-proxy/tasks/setup_well_known.yml
View File

@ -1,5 +1,5 @@
---
- set_fact:
- ansible.builtin.set_fact:
matrix_well_known_file_path: "{{ matrix_static_files_base_path }}/.well-known/matrix/client"
# We need others to be able to read these directories too,
@ -7,7 +7,7 @@
#
# For running with another webserver, we recommend being part of the `matrix` group.
- name: Ensure Matrix static-files path exists
file:
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: 0755
@ -17,7 +17,7 @@
- "{{ matrix_static_files_base_path }}/.well-known/matrix"
- name: Ensure Matrix /.well-known/matrix/client configured
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/well-known/matrix-client.j2"
dest: "{{ matrix_static_files_base_path }}/.well-known/matrix"
mode: 0644

12
roles/matrix-nginx-proxy/tasks/ssl/main.yml
View File

@ -1,12 +1,12 @@
---
- name: Fail if using unsupported SSL certificate retrieval method
fail:
ansible.builtin.fail:
msg: "The `matrix_ssl_retrieval_method` variable contains an unsupported value"
when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed', 'none']"
- name: Fail if using unsupported private key type
fail:
ansible.builtin.fail:
msg: "The `matrix_ssl_lets_encrypt_key_type` variable contains an unsupported value"
when: "matrix_ssl_lets_encrypt_key_type not in ['rsa', 'ecdsa']"
@ -14,7 +14,7 @@
# Common tasks, required by almost any method below.
- name: Ensure SSL certificate paths exists
file:
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: 0770
@ -29,8 +29,8 @@
# Method specific tasks follow
- import_tasks: tasks/ssl/setup_ssl_lets_encrypt.yml
- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt.yml"
- import_tasks: tasks/ssl/setup_ssl_self_signed.yml
- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_self_signed.yml"
- import_tasks: tasks/ssl/setup_ssl_manually_managed.yml
- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_manually_managed.yml"

16
roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml
View File

@ -3,7 +3,7 @@
# This is a cleanup/migration task, because of to the new way we manage cronjobs (`cron` module) and the new script name.
# This migration task can be removed some time in the future.
- name: (Migration) Remove deprecated Let's Encrypt SSL certificate management files
file:
ansible.builtin.file:
path: "{{ item }}"
state: absent
with_items:
@ -25,23 +25,23 @@
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ssl_lets_encrypt_certbot_docker_image_force_pull }}"
- name: Obtain Let's Encrypt certificates
include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml"
ansible.builtin.include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml"
with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}"
loop_control:
loop_var: domain_name
- name: Ensure Let's Encrypt SSL renewal script installed
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2"
dest: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
mode: 0755
- name: Ensure SSL renewal systemd units installed
template:
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/{{ item.name }}.j2"
dest: "{{ matrix_systemd_path }}/{{ item.name }}"
mode: 0644
when: "item.applicable|bool"
when: "item.applicable | bool"
with_items: "{{ matrix_ssl_renewal_systemd_units_list }}"
when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
@ -51,14 +51,14 @@
- block:
- name: Ensure matrix-ssl-lets-encrypt-renew cronjob removed
file:
ansible.builtin.file:
path: "{{ matrix_systemd_path }}/{{ item.name }}"
state: absent
when: "not item.applicable|bool"
when: "not item.applicable | bool"
with_items: "{{ matrix_ssl_renewal_systemd_units_list }}"
- name: Ensure Let's Encrypt SSL renewal script removed
file:
ansible.builtin.file:
path: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
state: absent
when: "matrix_ssl_retrieval_method != 'lets-encrypt'"

24
roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml
View File

@ -1,35 +1,35 @@
---
- debug:
- ansible.builtin.debug:
msg: "Dealing with SSL certificate retrieval for domain: {{ domain_name }}"
- set_fact:
- ansible.builtin.set_fact:
domain_name_certificate_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem"
- name: Check if a certificate for the domain already exists
stat:
ansible.builtin.stat:
path: "{{ domain_name_certificate_path }}"
register: domain_name_certificate_path_stat
- set_fact:
- ansible.builtin.set_fact:
domain_name_needs_cert: "{{ not domain_name_certificate_path_stat.stat.exists }}"
- block:
- name: Ensure required service for obtaining is started
service:
ansible.builtin.service:
name: "{{ matrix_ssl_pre_obtaining_required_service_name }}"
state: started
register: matrix_ssl_pre_obtaining_required_service_start_result
- name: Wait some time, so that the required service for obtaining can start
wait_for:
ansible.builtin.wait_for:
timeout: "{{ matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds }}"
when: "matrix_ssl_pre_obtaining_required_service_start_result.changed|bool"
when: "domain_name_needs_cert|bool and matrix_ssl_pre_obtaining_required_service_name != ''"
when: "matrix_ssl_pre_obtaining_required_service_start_result.changed | bool"
when: "domain_name_needs_cert | bool and matrix_ssl_pre_obtaining_required_service_name != ''"
# This will fail if there is something running on port 80 (like matrix-nginx-proxy).
# We suppress the error, as we'll try another method below.
- name: Attempt initial SSL certificate retrieval with standalone authenticator (directly)
shell: >-
ansible.builtin.shell: >-
{{ matrix_host_command_docker }} run
--rm
--name=matrix-certbot
@ -51,14 +51,14 @@
--agree-tos
--email={{ matrix_ssl_lets_encrypt_support_email }}
-d {{ domain_name }}
when: domain_name_needs_cert|bool
when: domain_name_needs_cert | bool
register: result_certbot_direct
ignore_errors: true
# If matrix-nginx-proxy is configured from a previous run of this playbook,
# and it's running now, it may be able to proxy requests to `matrix_ssl_lets_encrypt_certbot_standalone_http_port`.
- name: Attempt initial SSL certificate retrieval with standalone authenticator (via proxy)
shell: >-
ansible.builtin.shell: >-
{{ matrix_host_command_docker }} run
--rm
--name=matrix-certbot
@ -86,7 +86,7 @@
ignore_errors: true
- name: Fail if all SSL certificate retrieval attempts failed
fail:
ansible.builtin.fail:
msg: |
Failed to obtain a certificate directly (by listening on port 80)
and also failed to obtain by relying on the server at port 80 to proxy the request.

2
roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed.yml
View File

@ -1,7 +1,7 @@
---
- name: Verify certificates
include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml"
ansible.builtin.include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml"
with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}"
loop_control:
loop_var: domain_name

10
roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml
View File

@ -1,23 +1,23 @@
---
- set_fact:
- ansible.builtin.set_fact:
matrix_ssl_certificate_verification_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem"
matrix_ssl_certificate_verification_cert_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/privkey.pem"
- name: Check if SSL certificate file exists
stat:
ansible.builtin.stat:
path: "{{ matrix_ssl_certificate_verification_cert_path }}"
register: matrix_ssl_certificate_verification_cert_path_stat_result
- fail:
- ansible.builtin.fail:
msg: "Failed finding a certificate file (for domain `{{ domain_name }}`) at `{{ matrix_ssl_certificate_verification_cert_path }}`"
when: "not matrix_ssl_certificate_verification_cert_path_stat_result.stat.exists"
- name: Check if SSL certificate key file exists
stat:
ansible.builtin.stat:
path: "{{ matrix_ssl_certificate_verification_cert_key_path }}"
register: matrix_ssl_certificate_verification_cert_key_path_stat_result
- fail:
- ansible.builtin.fail:
msg: "Failed finding a certificate key file (for domain `{{ domain_name }}`) at `{{ matrix_ssl_certificate_verification_cert_key_path }}`"
when: "not matrix_ssl_certificate_verification_cert_key_path_stat_result.stat.exists"

4
roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml
View File

@ -1,10 +1,10 @@
---
- import_tasks: "{{ role_path }}/../matrix-base/tasks/util/ensure_openssl_installed.yml"
- ansible.builtin.import_tasks: "{{ role_path }}/../matrix-base/tasks/util/ensure_openssl_installed.yml"
when: "matrix_ssl_retrieval_method == 'self-signed'"
- name: Generate self-signed certificates
include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml"
ansible.builtin.include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml"
with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}"
loop_control:
loop_var: domain_name

12
roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml
View File

@ -1,19 +1,19 @@
---
- set_fact:
- ansible.builtin.set_fact:
matrix_ssl_certificate_csr_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/csr.csr"
matrix_ssl_certificate_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem"
matrix_ssl_certificate_cert_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/privkey.pem"
- name: Check if SSL certificate file exists
stat:
ansible.builtin.stat:
path: "{{ matrix_ssl_certificate_cert_path }}"
register: matrix_ssl_certificate_cert_path_stat_result
# In order to do any sort of generation (below), we need to ensure the directory exists first
- name: Ensure SSL certificate directory exists
file:
path: "{{ matrix_ssl_certificate_csr_path|dirname }}"
ansible.builtin.file:
path: "{{ matrix_ssl_certificate_csr_path | dirname }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
@ -28,7 +28,7 @@
#
# We'll do it in a more manual way.
- name: Generate SSL certificate
command: |
ansible.builtin.command: |
openssl req -x509 \
-sha256 \
-newkey rsa:4096 \
@ -40,7 +40,7 @@
when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists"
- name: Adjust SSL certificate file ownership
file:
ansible.builtin.file:
path: "{{ item }}"
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"

33
roles/matrix-nginx-proxy/tasks/validate_config.yml
View File

@ -1,7 +1,7 @@
---
- name: (Deprecation) Catch and report renamed settings
fail:
ansible.builtin.fail:
msg: >-
Your configuration contains a variable, which now has a different name.
Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
@ -16,30 +16,39 @@
- {'old': 'matrix_nginx_proxy_reload_cron_time_definition', 'new': '<not configurable anymore>'}
- name: Fail on unknown matrix_ssl_retrieval_method
fail:
ansible.builtin.fail:
msg: >-
`matrix_ssl_retrieval_method` needs to be set to a known value.
when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed', 'none']"
- name: Fail on unknown matrix_nginx_proxy_ssl_config
fail:
ansible.builtin.fail:
msg: >-
`matrix_nginx_proxy_ssl_preset` needs to be set to a known value.
when: "matrix_nginx_proxy_ssl_preset not in ['modern', 'intermediate', 'old']"
- name: Fail if Basic Auth enabled for metrics, but no credentials supplied
ansible.builtin.fail:
msg: |
Enabling Basic Auth for metrics (`matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled`) requires:
- either a username/password (provided in `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password`)
- or raw htpasswd content (provided in `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content`)
when: "matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled | bool and (matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content == '' and (matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username == '' or matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password == ''))"
- block:
- name: (Deprecation) Catch and report renamed settings
fail:
ansible.builtin.fail:
msg: >-
Your configuration contains a variable, which now has a different name.
Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
with_items:
- {'old': 'host_specific_matrix_ssl_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'}
- {'old': 'host_specific_matrix_ssl_lets_encrypt_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'}
- {'old': 'matrix_nginx_proxy_proxy_synapse_workers_enabled_list', 'new': '<no longer used>'}
when: "item.old in vars"
- name: Fail if required variables are undefined
fail:
ansible.builtin.fail:
msg: "The `{{ item }}` variable must be defined and have a non-null value"
with_items:
- "matrix_ssl_lets_encrypt_support_email"
@ -49,3 +58,17 @@
- "matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container"
when: "vars[item] == '' or vars[item] is none"
when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
- name: (Deprecation) Catch and report old metrics usage
ansible.builtin.fail:
msg: >-
Your configuration contains a variable (`{{ item }}`), which refers to the old metrics collection system for Synapse,
which exposed metrics on `https://matrix.DOMAIN/_synapse/metrics` and `https://matrix.DOMAIN/_synapse-worker-TYPE-ID/metrics`.
We now recommend exposing Synapse metrics in another way, from another URL.
Refer to the changelog for more details: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#2022-06-22
with_items:
- matrix_nginx_proxy_proxy_synapse_metrics
- matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled
- matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key
when: "item in vars"

104
roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-buscarron.conf.j2 Normal file
View File

@ -0,0 +1,104 @@
#jinja2: lstrip_blocks: "True"
{% macro render_vhost_directives() %}
gzip on;
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
{% if matrix_nginx_proxy_hsts_preload_enabled %}
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
{% else %}
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
{% endif %}
add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
add_header Content-Security-Policy "frame-ancestors 'none'";
{% if matrix_nginx_proxy_floc_optout_enabled %}
add_header Permissions-Policy interest-cohort=() always;
{% endif %}
{% for configuration_block in matrix_nginx_proxy_proxy_buscarron_additional_server_configuration_blocks %}
{{- configuration_block }}
{% endfor %}
location / {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
set $backend "matrix-bot-buscarron:8080";
proxy_pass http://$backend;
{% else %}
{# Generic configuration for use outside of our container setup #}
proxy_pass http://127.0.0.1:8080;
{% endif %}
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
}
{% endmacro %}
server {
listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }};
server_name {{ matrix_nginx_proxy_proxy_buscarron_hostname }};
server_tokens off;
root /dev/null;
{% if matrix_nginx_proxy_https_enabled %}
location /.well-known/acme-challenge {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
set $backend "matrix-certbot:8080";
proxy_pass http://$backend;
{% else %}
{# Generic configuration for use outside of our container setup #}
proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
{% endif %}
}
location / {
return 301 https://$http_host$request_uri;
}
{% else %}
{{ render_vhost_directives() }}
{% endif %}
}
{% if matrix_nginx_proxy_https_enabled %}
server {
listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
server_name {{ matrix_nginx_proxy_proxy_buscarron_hostname }};
server_tokens off;
root /dev/null;
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_buscarron_hostname }}/fullchain.pem;
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_buscarron_hostname }}/privkey.pem;
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
{% if matrix_nginx_proxy_ssl_ciphers != "" %}
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
{% endif %}
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_buscarron_hostname }}/chain.pem;
{% endif %}
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
ssl_session_tickets off;
{% endif %}
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
{{ render_vhost_directives() }}
}
{% endif %}

13
roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
View File

@ -45,6 +45,19 @@
{{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }}
{% endif %}
{% if matrix_nginx_proxy_proxy_matrix_metrics_enabled %}
location /metrics {
{% if matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled %}
auth_basic "protected";
auth_basic_user_file {{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_path }};
{% endif %}
{% for configuration_block in matrix_nginx_proxy_proxy_matrix_metrics_additional_location_configuration_blocks %}
{{- configuration_block }}
{% endfor %}
}
{% endif %}
{% if matrix_nginx_proxy_proxy_matrix_corporal_api_enabled %}
location ^~ /_matrix/corporal {
{% if matrix_nginx_proxy_enabled %}

102
roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-ntfy.conf.j2 Normal file
View File

@ -0,0 +1,102 @@
#jinja2: lstrip_blocks: "True"
{% macro render_vhost_directives() %}
gzip on;
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
{% if matrix_nginx_proxy_hsts_preload_enabled %}
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
{% else %}
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
{% endif %}
add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY;
{% for configuration_block in matrix_nginx_proxy_proxy_ntfy_additional_server_configuration_blocks %}
{{- configuration_block }}
{% endfor %}
location / {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
set $backend "matrix-ntfy:80";
proxy_pass http://$backend;
{% else %}
{# Generic configuration for use outside of our container setup #}
proxy_pass http://127.0.0.1:2586;
{% endif %}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
}
{% endmacro %}
server {
listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }};
server_name {{ matrix_nginx_proxy_proxy_ntfy_hostname }};
server_tokens off;
root /dev/null;
{% if matrix_nginx_proxy_https_enabled %}
location /.well-known/acme-challenge {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
set $backend "matrix-certbot:8080";
proxy_pass http://$backend;
{% else %}
{# Generic configuration for use outside of our container setup #}
proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
{% endif %}
}
location / {
return 301 https://$http_host$request_uri;
}
{% else %}
{{ render_vhost_directives() }}
{% endif %}
}
{% if matrix_nginx_proxy_https_enabled %}
server {
listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
server_name {{ matrix_nginx_proxy_proxy_ntfy_hostname }};
server_tokens off;
root /dev/null;
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_ntfy_hostname }}/fullchain.pem;
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_ntfy_hostname }}/privkey.pem;
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
{% endif %}
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_ntfy_hostname }}/chain.pem;
{% endif %}
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
ssl_session_tickets off;
{% endif %}
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
{{ render_vhost_directives() }}
}
{% endif %}

66
roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
View File

@ -1,10 +1,13 @@
#jinja2: lstrip_blocks: "True"
{% set generic_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'generic_worker')|list %}
{% set media_repository_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'media_repository')|list %}
{% set user_dir_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'user_dir')|list %}
{% set frontend_proxy_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'frontend_proxy')|list %}
{% set generic_workers = matrix_nginx_proxy_synapse_workers_list | selectattr('type', 'equalto', 'generic_worker') | list %}
{% set media_repository_workers = matrix_nginx_proxy_synapse_workers_list | selectattr('type', 'equalto', 'media_repository') | list %}
{% set user_dir_workers = matrix_nginx_proxy_synapse_workers_list | selectattr('type', 'equalto', 'user_dir') | list %}
{% set frontend_proxy_workers = matrix_nginx_proxy_synapse_workers_list | selectattr('type', 'equalto', 'frontend_proxy') | list %}
{% if matrix_nginx_proxy_synapse_workers_enabled %}
{% if matrix_nginx_proxy_synapse_cache_enabled %}
proxy_cache_path {{ matrix_nginx_proxy_synapse_cache_path }} levels=1:2 keys_zone={{ matrix_nginx_proxy_synapse_cache_keys_zone_name }}:{{ matrix_nginx_proxy_synapse_cache_keys_zone_size }} inactive={{ matrix_nginx_proxy_synapse_cache_inactive_time }} max_size={{ matrix_nginx_proxy_synapse_cache_max_size_mb }}m;
{% endif %}
# Round Robin "upstream" pools for workers
{% if generic_workers %}
@ -95,6 +98,14 @@ server {
client_body_buffer_size 25M;
client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M;
proxy_max_temp_file_size 0;
{% if matrix_nginx_proxy_synapse_cache_enabled %}
proxy_buffering on;
proxy_cache {{ matrix_nginx_proxy_synapse_cache_keys_zone_name }};
proxy_cache_valid any {{ matrix_nginx_proxy_synapse_cache_proxy_cache_valid_time }};
proxy_force_ranges on;
add_header X-Cache-Status $upstream_cache_status;
{% endif %}
}
{% endfor %}
{% endif %}
@ -134,45 +145,6 @@ server {
{{- configuration_block }}
{% endfor %}
{% if matrix_nginx_proxy_proxy_synapse_metrics %}
location /_synapse/metrics {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
set $backend "{{ matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container }}";
proxy_pass http://$backend;
{% else %}
{# Generic configuration for use outside of our container setup #}
proxy_pass http://{{ matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container }};
{% endif %}
proxy_set_header Host $host;
{% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %}
auth_basic "protected";
auth_basic_user_file /nginx-data/matrix-synapse-metrics-htpasswd;
{% endif %}
}
{% endif %}
{% if matrix_nginx_proxy_enabled and matrix_nginx_proxy_proxy_synapse_metrics %}
{% for worker in matrix_nginx_proxy_proxy_synapse_workers_enabled_list %}
{% if worker.metrics_port != 0 %}
location /_synapse-worker-{{ worker.type }}-{{ worker.instanceId }}/metrics {
resolver 127.0.0.11 valid=5s;
set $backend "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.metrics_port }}";
proxy_pass http://$backend/_synapse/metrics;
proxy_set_header Host $host;
{% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %}
auth_basic "protected";
auth_basic_user_file /nginx-data/matrix-synapse-metrics-htpasswd;
{% endif %}
}
{% endif %}
{% endfor %}
{% endif %}
{# Everything else just goes to the API server ##}
location / {
{% if matrix_nginx_proxy_enabled %}
@ -227,6 +199,14 @@ server {
client_body_buffer_size 25M;
client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M;
proxy_max_temp_file_size 0;
{% if matrix_nginx_proxy_synapse_cache_enabled %}
proxy_buffering on;
proxy_cache {{ matrix_nginx_proxy_synapse_cache_keys_zone_name }};
proxy_cache_valid any {{ matrix_nginx_proxy_synapse_cache_proxy_cache_valid_time }};
proxy_force_ranges on;
add_header X-Cache-Status $upstream_cache_status;
{% endif %}
}
{% endfor %}
{% endif %}

3
roles/matrix-nginx-proxy/templates/nginx/matrix-synapse-metrics-htpasswd.j2
View File

@ -1,3 +0,0 @@
#jinja2: lstrip_blocks: "True"
# User and password for protecting /_synapse/metrics URI
prometheus:{{ matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key }}

40
roles/matrix-nginx-proxy/templates/prometheus/external_prometheus.yml.example.j2
View File

@ -1,40 +0,0 @@
global:
scrape_interval: 5s
# Attach these labels to any time series or alerts when communicating with
# external systems (federation, remote storage, Alertmanager).
external_labels:
monitor: 'synapse-{{ matrix_domain }}'
rule_files:
- /etc/prometheus/synapse-v2.rules
scrape_configs:
- job_name: 'synapse'
metrics_path: /_synapse/metrics
scheme: {{ 'https' if matrix_nginx_proxy_https_enabled else 'http' }}
{% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %}
basic_auth:
username: prometheus
password_file: /path/to/your/passwordfile.pwd
{% endif %}
static_configs:
- targets: ['{{ matrix_server_fqn_matrix }}:{{ matrix_nginx_proxy_container_https_host_bind_port if matrix_nginx_proxy_https_enabled else matrix_nginx_proxy_container_http_host_bind_port }}']
labels:
job: "master"
index: "0"
{% for worker in matrix_nginx_proxy_proxy_synapse_workers_enabled_list %}
- job_name: 'synapse-{{ worker.type }}-{{ worker.instanceId }}'
metrics_path: /_synapse-worker-{{ worker.type }}-{{ worker.instanceId }}/metrics
scheme: {{ 'https' if matrix_nginx_proxy_https_enabled else 'http' }}
{% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %}
basic_auth:
username: prometheus
password_file: /path/to/your/passwordfile.pwd
{% endif %}
static_configs:
- targets: ['{{ matrix_server_fqn_matrix }}:{{ matrix_nginx_proxy_container_https_host_bind_port if matrix_nginx_proxy_https_enabled else matrix_nginx_proxy_container_http_host_bind_port }}']
labels:
job: "{{ worker.type }}"
index: "{{ worker.instanceId }}"
{% endfor %}

3
roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
View File

@ -22,6 +22,9 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \
--cap-drop=ALL \
--read-only \
--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_nginx_proxy_tmp_directory_size_mb }}m \
{% if matrix_nginx_proxy_synapse_cache_enabled %}
--tmpfs=/tmp/synapse-cache:rw,noexec,nosuid,size={{ matrix_nginx_proxy_tmp_cache_directory_size_mb }}m\
{% endif %}
--network={{ matrix_docker_network }} \
{% if matrix_nginx_proxy_container_http_host_bind_port %}
-p {{ matrix_nginx_proxy_container_http_host_bind_port }}:8080 \

4
roles/matrix-nginx-proxy/vars/main.yml
View File

@ -11,8 +11,8 @@ matrix_ssl_renewal_systemd_units_list:
applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' }}"
enableable: true
- name: matrix-ssl-nginx-proxy-reload.service
applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' and matrix_nginx_proxy_enabled|bool }}"
applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' and matrix_nginx_proxy_enabled | bool }}"
enableable: false
- name: matrix-ssl-nginx-proxy-reload.timer
applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' and matrix_nginx_proxy_enabled|bool }}"
applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' and matrix_nginx_proxy_enabled | bool }}"
enableable: true