finallycoffee/matrix-docker-ansible-deploy
5
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

[WIP] Initial work on matrix-static-files role

Browse Source
This commit is contained in:
Slavi Pantaleev
2024-01-03 13:05:59 +02:00
parent 128a7b82d5
commit 065b70203d
21 changed files with 675 additions and 57 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
roles/custom/matrix-nginx-proxy/tasks/main.yml
View File

@ -29,11 +29,6 @@
- install-all
- install-nginx-proxy
- tags:
- self-check
block:
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_well_known.yml"
- name: Mark matrix-nginx-proxy role as executed
tags:
- always

30
roles/custom/matrix-nginx-proxy/tasks/self_check_well_known.yml
View File

@ -1,30 +0,0 @@
---
- name: Determine well-known files to check (Matrix)
ansible.builtin.set_fact:
well_known_file_checks:
- path: /.well-known/matrix/client
purpose: Client Discovery
cors: true
follow_redirects: "{{ matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects }}"
validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}"
- when: matrix_well_known_matrix_server_enabled | bool
block:
- ansible.builtin.set_fact:
well_known_file_check_matrix_server:
path: /.well-known/matrix/server
purpose: Server Discovery
cors: false
follow_redirects: safe
validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}"
- name: Determine domains that we require certificates for (ma1sd)
ansible.builtin.set_fact:
well_known_file_checks: "{{ well_known_file_checks + [well_known_file_check_matrix_server] }}"
- name: Perform well-known checks
ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_well_known_file.yml"
with_items: "{{ well_known_file_checks }}"
loop_control:
loop_var: well_known_file_check

73
roles/custom/matrix-nginx-proxy/tasks/self_check_well_known_file.yml
View File

@ -1,73 +0,0 @@
---
- ansible.builtin.set_fact:
well_known_url_matrix: "https://{{ matrix_server_fqn_matrix }}{{ well_known_file_check.path }}"
well_known_url_identity: "https://{{ matrix_domain }}{{ well_known_file_check.path }}"
# These well-known files may be served without a `Content-Type: application/json` header,
# so we can't rely on the uri module's automatic parsing of JSON.
- name: Check .well-known on the matrix hostname
ansible.builtin.uri:
url: "{{ well_known_url_matrix }}"
follow_redirects: none
return_content: true
validate_certs: "{{ well_known_file_check.validate_certs }}"
headers:
Origin: example.com
check_mode: false
register: result_well_known_matrix
ignore_errors: true
- name: Fail if .well-known not working on the matrix hostname
ansible.builtin.fail:
msg: "Failed checking that the well-known file for {{ well_known_file_check.purpose }} is configured at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_matrix }}"
when: "result_well_known_matrix.failed"
- name: Parse JSON for well-known payload at the matrix hostname
ansible.builtin.set_fact:
well_known_matrix_payload: "{{ result_well_known_matrix.content | from_json }}"
- name: Fail if .well-known not CORS-aware on the matrix hostname
ansible.builtin.fail:
msg: "The well-known file for {{ well_known_file_check.purpose }} on `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`) is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set."
when: "well_known_file_check.cors and 'access_control_allow_origin' not in result_well_known_matrix"
- name: Report working .well-known on the matrix hostname
ansible.builtin.debug:
msg: "well-known for {{ well_known_file_check.purpose }} is configured correctly for `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ well_known_url_matrix }}`)"
- name: Check .well-known on the identity hostname
ansible.builtin.uri:
url: "{{ well_known_url_identity }}"
follow_redirects: "{{ well_known_file_check.follow_redirects }}"
return_content: true
validate_certs: "{{ well_known_file_check.validate_certs }}"
headers:
Origin: example.com
check_mode: false
register: result_well_known_identity
ignore_errors: true
- name: Fail if .well-known not working on the identity hostname
ansible.builtin.fail:
msg: "Failed checking that the well-known file for {{ well_known_file_check.purpose }} is configured at `{{ matrix_domain }}` (checked endpoint: `{{ well_known_url_identity }}`). Is port 443 open in your firewall? Full error: {{ result_well_known_identity }}"
when: "result_well_known_identity.failed"
- name: Parse JSON for well-known payload at the identity hostname
ansible.builtin.set_fact:
well_known_identity_payload: "{{ result_well_known_identity.content | from_json }}"
- name: Fail if .well-known not CORS-aware on the identity hostname
ansible.builtin.fail:
msg: "The well-known file for {{ well_known_file_check.purpose }} on `{{ matrix_domain }}` (checked endpoint: `{{ well_known_url_identity }}`) is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set. See docs/configuring-well-known.md"
when: "well_known_file_check.cors and 'access_control_allow_origin' not in result_well_known_identity"
# For people who manually copy the well-known file, try to detect if it's outdated
- name: Fail if well-known is different on matrix hostname and identity hostname
ansible.builtin.fail:
msg: "The well-known files for {{ well_known_file_check.purpose }} at `{{ matrix_server_fqn_matrix }}` and `{{ matrix_domain }}` are different. Perhaps you copied the file ({{ well_known_file_check.path }}) manually before and now it's outdated?"
when: "well_known_matrix_payload != well_known_identity_payload"
- name: Report working .well-known on the identity hostname
ansible.builtin.debug:
msg: "well-known for {{ well_known_file_check.purpose }} ({{ well_known_file_check.path }}) is configured correctly for `{{ matrix_domain }}` (checked endpoint: `{{ well_known_url_identity }}`)"