diff --git a/docs/howto-srv-server-delegation.md b/docs/howto-srv-server-delegation.md
index a1afe59de..a90bc0618 100644
--- a/docs/howto-srv-server-delegation.md
+++ b/docs/howto-srv-server-delegation.md
@@ -1,6 +1,6 @@
 # Server Delegation via a DNS SRV record (advanced)
-**Reminder** : unless you are affected by the [Downsides of well-known-based Server Delegation](howto-server-delegation.md#downsides-of-well-known-based-server-delegation), we suggest you **stay on the simple/default path**: [Server Delegation](howto-server-delegation.md) by [configuring well-known files](configuring-well-known.md) at the base domain.
+**Reminder** : unless you are affected by the [Downsides of well-known-based Server Delegation](howto-server-delegation.md#downsides-of-well-known-based-server-delegation), we suggest you **stay on the simple/default path**: [Server Delegation](howto-server-delegation.md) by [configuring well-known files](configuring-well-known.md) at the base domain.
 This guide is about configuring Server Delegation using DNS SRV records (for the [Traefik](https://doc.traefik.io/traefik/) webserver). This method has special requirements when it comes to SSL certificates, so various changes are required.
@@ -16,11 +16,18 @@ The up-to-date list can be accessed on [traefik's documentation](https://doc.tra
 ## The changes
+**NOTE**: the changes below instruct you how to do this for a basic Synapse installation. You will need to adapt the variable name and the content of the labels:
+
+- if you're using another homeserver implementation (e.g. [Conduit](./configuring-playbook-conduit.md) or [Dendrite](./configuring-playbook-dendrite.md))
+- if you're using [Synapse with workers enabled](./configuring-playbook-synapse.md#load-balancing-with-workers) (`matrix_synapse_workers_enabled: true`). In that case, it's actually the `matrix-synapse-reverse-proxy-companion` service which has Traefik labels attached
+
+Also, all instructions below are from an older version of the playbook and may not work anymore.
+
 ### Federation Endpoint
 ```yaml
-# To serve the federation from any domain, as long as the path match
-matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: PathPrefix(`/_matrix`)
+# To serve the federation from any domain, as long as the path matches
+matrix_synapse_container_labels_federation_api_traefik_rule: PathPrefix(`/_matrix/federation`)
 ```
 This is because with SRV federation, some servers / tools (one of which being the federation tester) try to access the federation API using the resolved IP address instead of the domain name (or they are not using SNI). This change will make Traefik route all traffic for which the path match this rule go to the federation endpoint.
@@ -29,13 +36,13 @@ This is because with SRV federation, some servers / tools (one of which being th
 Now that the federation endpoint is not bound to a domain anymore we need to explicitely tell Traefik to use a wildcard certificate in addition to one containing the base name.
-This is because the matrix specification expects the federation endpoint to be served using a certificate comatible with the base domain, however, the other resources on the endpoint still need a valid certificate to work.
+This is because the matrix specification expects the federation endpoint to be served using a certificate compatible with the base domain, however, the other resources on the endpoint still need a valid certificate to work.
 ```yaml
 # To let Traefik know which domains' certificates to serve
-matrix_nginx_proxy_container_labels_additional_labels: |
- traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.main="example.com"
- traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.sans="*.example.com"
+matrix_synapse_container_labels_additional_labels: |
+ traefik.http.routers.matrix-synapse-federation-api.tls.domains.main="example.com"
+ traefik.http.routers.matrix-synapse-federation-api.tls.domains.sans="*.example.com"
 ```
 ### Configure the DNS-01 challenge for let's encrypt
@@ -60,7 +67,7 @@ devture_traefik_configuration_extension_yaml: |
 email: {{ devture_traefik_config_certificatesResolvers_acme_email | to_json }}
 dnsChallenge:
 provider: cloudflare
- resolvers:
+ resolvers:
 - "1.1.1.1:53"
 - "8.8.8.8:53"
 storage: {{ devture_traefik_config_certificatesResolvers_acme_storage | to_json }}
@@ -134,13 +141,13 @@ matrix_coturn_container_additional_volumes: |
 matrix_playbook_reverse_proxy_type: playbook-managed-traefik
 devture_traefik_config_certificatesResolvers_acme_email: redacted@example.com
-# To serve the federation from any domain, as long as the path match
-matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: PathPrefix(`/_matrix`)
+# To serve the federation from any domain, as long as the path matches
+matrix_synapse_container_labels_federation_api_traefik_rule: PathPrefix(`/_matrix/federation`)
 # To let Traefik know which domains' certificates to serve
-matrix_nginx_proxy_container_labels_additional_labels: |
- traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.main="example.com"
- traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.sans="*.example.com"
+matrix_synapse_container_labels_additional_labels: |
+ traefik.http.routers.matrix-synapse-federation-api.tls.domains.main="example.com"
+ traefik.http.routers.matrix-synapse-federation-api.tls.domains.sans="*.example.com"
 # Add a new ACME configuration without having to disable the default one, since it would have a wide range of side effects
 devture_traefik_configuration_extension_yaml: |
@@ -152,7 +159,7 @@ devture_traefik_configuration_extension_yaml: |
 email: {{ devture_traefik_config_certificatesResolvers_acme_email | to_json }}
 dnsChallenge:
 provider: cloudflare
- resolvers:
+ resolvers:
 - "1.1.1.1:53"
 - "8.8.8.8:53"
 storage: {{ devture_traefik_config_certificatesResolvers_acme_storage | to_json }}
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 17e8ab282..82bb7f94c 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -3333,12 +3333,6 @@ matrix_nginx_proxy_proxy_grafana_enabled: "{{ grafana_enabled and matrix_playboo
 matrix_nginx_proxy_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
 matrix_nginx_proxy_proxy_ntfy_enabled: "{{ ntfy_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
-matrix_nginx_proxy_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}"
-matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
-matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
-matrix_nginx_proxy_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
-
-matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: true
 matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
 matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml
index fec84c5bf..cb28c6d2e 100644
--- a/roles/custom/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml
@@ -41,34 +41,6 @@ matrix_nginx_proxy_container_additional_networks: []
 # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
 matrix_nginx_proxy_container_additional_volumes: []
-# matrix_nginx_proxy_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
-# See `../templates/labels.j2` for details.
-#
-# To inject your own other container labels, see `matrix_nginx_proxy_container_labels_additional_labels`.
-matrix_nginx_proxy_container_labels_traefik_enabled: false
-matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_nginx_proxy_container_network }}"
-matrix_nginx_proxy_container_labels_traefik_entrypoints: web-secure
-matrix_nginx_proxy_container_labels_traefik_tls_certResolver: default # noqa var-naming
-
-matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: false
-matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
-matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_hostname: "{{ matrix_server_fqn_matrix }}"
-matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_hostname }}`)"
-matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_hostname: "{{ matrix_server_fqn_matrix }}"
-matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_hostname }}`)"
-matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint: "{{ matrix_federation_traefik_entrypoint }}"
-matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints: "{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint }}"
-
-# matrix_nginx_proxy_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
-# See `../templates/labels.j2` for details.
-#
-# Example:
-# matrix_nginx_proxy_container_labels_additional_labels: |
-# my.label=1
-# another.label="here"
-matrix_nginx_proxy_container_labels_additional_labels: ''
-
-
 # A list of extra arguments to pass to the container
 matrix_nginx_proxy_container_extra_arguments: []
diff --git a/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
index 261bbf207..9e411f59f 100644
--- a/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
+++ b/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
@@ -22,14 +22,6 @@
 - "{{ matrix_nginx_proxy_data_path }}"
 - "{{ matrix_nginx_proxy_confd_path }}"
-- name: Ensure Matrix nginx-proxy labels file is created
- ansible.builtin.template:
- src: "{{ role_path }}/templates/labels.j2"
- dest: "{{ matrix_nginx_proxy_base_path }}/labels"
- owner: "{{ matrix_user_username }}"
- group: "{{ matrix_user_groupname }}"
- mode: 0640
-
 - name: Ensure Matrix nginx-proxy configured (main config override)
 ansible.builtin.template:
 src: "{{ role_path }}/templates/nginx/nginx.conf.j2"
diff --git a/roles/custom/matrix-nginx-proxy/templates/labels.j2 b/roles/custom/matrix-nginx-proxy/templates/labels.j2
deleted file mode 100644
index c4add6ba1..000000000
--- a/roles/custom/matrix-nginx-proxy/templates/labels.j2
+++ /dev/null
@@ -1,36 +0,0 @@
-{% if matrix_nginx_proxy_container_labels_traefik_enabled %}
-traefik.enable=true
-
-{% if matrix_nginx_proxy_container_labels_traefik_docker_network %}
-traefik.docker.network={{ matrix_nginx_proxy_container_labels_traefik_docker_network }}
-{% endif %}
-
-{% if matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled %}
-# Matrix Client
-traefik.http.routers.matrix-nginx-proxy-matrix-client.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_rule }}
-traefik.http.routers.matrix-nginx-proxy-matrix-client.service=matrix-nginx-proxy-web
-traefik.http.routers.matrix-nginx-proxy-matrix-client.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls | to_json }}
-{% if matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls %}
-traefik.http.routers.matrix-nginx-proxy-matrix-client.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
-{% endif %}
-traefik.http.routers.matrix-nginx-proxy-matrix-client.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
-
-# Matrix Federation
-traefik.http.routers.matrix-nginx-proxy-matrix-federation.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule }}
-traefik.http.routers.matrix-nginx-proxy-matrix-federation.service=matrix-nginx-proxy-federation
-traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls | to_json }}
-{% if matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls %}
-traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
-{% endif %}
-traefik.http.routers.matrix-nginx-proxy-matrix-federation.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints }}
-{% endif %}
-
-traefik.http.services.matrix-nginx-proxy-web.loadbalancer.server.port=8080
-
-{% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %}
-traefik.http.services.matrix-nginx-proxy-federation.loadbalancer.server.port={{ matrix_nginx_proxy_proxy_matrix_federation_port }}
-{% endif %}
-
-{% endif %}
-
-{{ matrix_nginx_proxy_container_labels_additional_labels }}
diff --git a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
index 9ab567343..8c311a6cc 100755
--- a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
+++ b/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
@@ -24,7 +24,6 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 --cap-drop=ALL \
 --read-only \
 --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_nginx_proxy_tmp_directory_size_mb }}m \
- --label-file={{ matrix_nginx_proxy_base_path }}/labels \
 --network={{ matrix_nginx_proxy_container_network }} \
 {% if matrix_nginx_proxy_container_http_host_bind_port %}
 -p {{ matrix_nginx_proxy_container_http_host_bind_port }}:8080 \