Make addons communicate with the homeserver via a new internal Traefik entrypoint

This also adds labels for Synapse. Support for other homeservers and
components will be added later.
Slavi Pantaleev 2024-01-14 10:23:55 +02:00
parent 533dc711ad
commit 39bddefd39
14 changed files with 292 additions and 197 deletions

@ -32,7 +32,7 @@ Refer to the documentation on [how to obtain an access token](obtaining-access-t
You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step draupnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). Please ask for help if you are uncomfortable with these steps or run into issues. You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step draupnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). Please ask for help if you are uncomfortable with these steps or run into issues.
If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role [Link](/docs/configuring-playbook-synapse-admin.md) or running `matrix_synapse_container_labels_client_synapse_admin_api_enabled: true` in your playbook config. If your API is not externally exposed you should still be able to on the local host for your synapse run these commands. If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role [Link](/docs/configuring-playbook-synapse-admin.md) or running `matrix_synapse_container_labels_public_client_synapse_admin_api_enabled: true` in your playbook config. If your API is not externally exposed you should still be able to on the local host for your synapse run these commands.
The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer <access_token>" -X POST https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with the MXID of your Draupnir and example.com with your homeserver domain. You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Draupnir it self. If you made Draupnir Admin you can just use the Draupnir token. The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer <access_token>" -X POST https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with the MXID of your Draupnir and example.com with your homeserver domain. You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Draupnir it self. If you made Draupnir Admin you can just use the Draupnir token.
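Review bot: The sentence that carries the renamed variable ("If your Synapse Admin API is exposed to the internet for some reason like ... in your playbook config.") is a conditional with no main clause, and the one after it ("you should still be able to on the local host for your synapse run these commands") is garbled. Since the line is being edited anyway, rewrite both so it is clear where the curl command below should be run in each case. In the last paragraph, "it self" should be "itself".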

@ -31,7 +31,7 @@ Refer to the documentation on [how to obtain an access token](obtaining-access-t
You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step Mjolnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). Please ask for help if you are uncomfortable with these steps or run into issues. You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step Mjolnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). Please ask for help if you are uncomfortable with these steps or run into issues.
If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role [Link](/docs/configuring-playbook-synapse-admin.md) or running `matrix_synapse_container_labels_client_synapse_admin_api_enabled: true` in your playbook config. If your API is not externally exposed you should still be able to on the local host for your synapse run these commands. If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role [Link](/docs/configuring-playbook-synapse-admin.md) or running `matrix_synapse_container_labels_public_client_synapse_admin_api_enabled: true` in your playbook config. If your API is not externally exposed you should still be able to on the local host for your synapse run these commands.
The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer <access_token>" -X POST https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with the MXID of your Mjolnir and example.com with your homeserver domain. You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Mjolnir it self. If you made Mjolnir Admin you can just use the Mjolnir token. The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer <access_token>" -X POST https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with the MXID of your Mjolnir and example.com with your homeserver domain. You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Mjolnir it self. If you made Mjolnir Admin you can just use the Mjolnir token.

@ -48,7 +48,7 @@ For more information about these variables, check the `roles/custom/matrix-nginx
If you want to use OpenID Connect as an SSO provider (as per the [Synapse OpenID docs](https://github.com/matrix-org/synapse/blob/develop/docs/openid.md)), you need to use the following configuration (in your `vars.yml` file) to instruct nginx to forward `/_synapse/oidc` to Synapse: If you want to use OpenID Connect as an SSO provider (as per the [Synapse OpenID docs](https://github.com/matrix-org/synapse/blob/develop/docs/openid.md)), you need to use the following configuration (in your `vars.yml` file) to instruct nginx to forward `/_synapse/oidc` to Synapse:
```yaml ```yaml
matrix_synapse_container_labels_client_synapse_oidc_api_enabled: true matrix_synapse_container_labels_public_client_synapse_oidc_api_enabled: true
``` ```
## Disable Nginx access logs ## Disable Nginx access logs
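Review bot: The prose above the YAML block still says this setting instructs nginx to forward `/_synapse/oidc`, but the variable being set, `matrix_synapse_container_labels_public_client_synapse_oidc_api_enabled`, toggles a container label rather than an nginx option. Reword the sentence to describe what the label exposes and on which entrypoint (the new `_public_` infix suggests the public one), so readers do not go looking for an nginx change that this line does not make.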

@ -8,6 +8,8 @@ If that's alright, you can skip this.
[Traefik](https://traefik.io/) is the default reverse-proxy for the playbook since [2023-02-26](../CHANGELOG.md/#2023-02-26). [Traefik](https://traefik.io/) is the default reverse-proxy for the playbook since [2023-02-26](../CHANGELOG.md/#2023-02-26).
Besides serving public traffic, Traefik is also used for internal communication between addon services (briges, bots, etc.) and the homeserver.
There are 2 ways to use Traefik with this playbook, as described below. There are 2 ways to use Traefik with this playbook, as described below.
### Traefik managed by the playbook ### Traefik managed by the playbook
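Review bot: Typo in the added sentence: "briges" should be "bridges". A pointer from this sentence to the entrypoint list further down (where `matrix-internal-matrix-client-api` is introduced) would also help, since this is the first place the internal path is mentioned.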
@ -29,7 +31,11 @@ Traefik will manage SSL certificates for all services seamlessly.
```yaml ```yaml
matrix_playbook_reverse_proxy_type: other-traefik-container matrix_playbook_reverse_proxy_type: other-traefik-container
matrix_playbook_reverse_proxyable_services_additional_network: your-traefik-network # Uncomment and adjust if your Traefik container is on another network
# matrix_playbook_reverse_proxy_container_network: traefik
# Adjust to point to your Traefik container
matrix_playbook_reverse_proxy_hostname: name-of-your-traefik-container
devture_traefik_certs_dumper_ssl_dir_path: "/path/to/your/traefiks/acme.json/directory" devture_traefik_certs_dumper_ssl_dir_path: "/path/to/your/traefiks/acme.json/directory"
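Review bot: The example drops `matrix_playbook_reverse_proxyable_services_additional_network: your-traefik-network` and shows its replacement, `matrix_playbook_reverse_proxy_container_network`, only as a commented-out line with the value `traefik`. A reader whose Traefik container sits on a differently named network and who copies the block as-is ends up with the `traefik` default. Either leave the line uncommented with a placeholder like the old `your-traefik-network`, or state above the block what the default is and when it must be changed. A short migration remark for people who already set the old variable would fit here too.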
@ -40,13 +46,18 @@ devture_traefik_certs_dumper_ssl_dir_path: "/path/to/your/traefiks/acme.json/dir
In this mode all roles will still have Traefik labels attached. You will, however, need to configure your Traefik instance and its entrypoints. In this mode all roles will still have Traefik labels attached. You will, however, need to configure your Traefik instance and its entrypoints.
By default, the playbook congiures services use a `web-secure` (443) and `matrix-federation` (8448) entrypoints, as well as a `default` certificate resolver. By default, the playbook configured services use a `web-secure` (443) and `matrix-federation` (8448) entrypoints, as well as a `default` certificate resolver.
You need to configure 3 entrypoints for your Traefik server: `web` (TCP port `80`), `web-secure` (TCP port `443`) and `matrix-federation` (TCP port `8448`). You need to configure 4 entrypoints for your Traefik server:
- `web` (TCP port `80`) - used for redirecting to HTTPS (`web-secure`)
- `web-secure` (TCP port `443`) - used for exposing the Matrix Client-Server API and all other services
- `matrix-federation` (TCP port `8448`) - used for exposing the Matrix Federation API
- `matrix-internal-matrix-client-api` (TCP port `8008`) - used internally for addon services (bridges, bots) to communicate with the homserver
Below is some configuration for running Traefik yourself, although we recommend using [Traefik managed by the playbook](#traefik-managed-by-the-playbook). Below is some configuration for running Traefik yourself, although we recommend using [Traefik managed by the playbook](#traefik-managed-by-the-playbook).
Note that this configuration on its own does **not** redirect traffic on port 80 (plain HTTP) to port 443 for HTTPS, which may cause some issues, since the built-in Nginx proxy usually does this. If you are not already doing this in Traefik, it can be added to Traefik in a [file provider](https://docs.traefik.io/v2.0/providers/file/) as follows: Note that this configuration on its own does **not** redirect traffic on port 80 (plain HTTP) to port 443 for HTTPS. If you are not already doing this in Traefik, it can be added to Traefik in a [file provider](https://docs.traefik.io/v2.0/providers/file/) as follows:
```toml ```toml
[http] [http]
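Review bot: The new list says 4 entrypoints are needed, but the sentence just above it still reads "the playbook configured services use a `web-secure` (443) and `matrix-federation` (8448) entrypoints", which names two and is ungrammatical ("use a ... entrypoints"); reword it to agree with the list. In the last bullet, "homserver" should be "homeserver".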
@ -86,6 +97,7 @@ services:
- "--providers.docker.exposedbydefault=false" - "--providers.docker.exposedbydefault=false"
- "--entrypoints.web-secure.address=:443" - "--entrypoints.web-secure.address=:443"
- "--entrypoints.matrix-federation.address=:8448" - "--entrypoints.matrix-federation.address=:8448"
- "--entrypoints.matrix-internal-matrix-client-api.address=:8008"
- "--certificatesresolvers.default.acme.tlschallenge=true" - "--certificatesresolvers.default.acme.tlschallenge=true"
- "--certificatesresolvers.default.acme.email=YOUR EMAIL" - "--certificatesresolvers.default.acme.email=YOUR EMAIL"
- "--certificatesresolvers.default.acme.storage=/letsencrypt/acme.json" - "--certificatesresolvers.default.acme.storage=/letsencrypt/acme.json"
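Review bot: `--entrypoints.matrix-internal-matrix-client-api.address=:8008` adds an entrypoint that the defaults file describes as non-TLS and not for public networks, yet the `ports:` section of this compose example is not part of the hunk, so nothing here tells the reader that 8008 has to stay unpublished. Add a comment next to the flag saying the port is for container-network use only and must not be listed under `ports:`.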
@ -109,9 +121,9 @@ Doing this is possible, but requires manual work.
There are 2 ways to go about it: There are 2 ways to go about it:
- (recommended) [Fronting the integrated reverse-proxy webserver with another reverse-proxy](#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) - using a playbook-managed reverse-proxy (either `matrix-nginx-proxy` or Traefik), disabling SSL termination for it, exposing this reverse-proxy on a few local ports (e.g. `127.0.0.1:81`, etc.) and forwarding traffic from your own webserver to those few ports - (recommended) [Fronting the integrated reverse-proxy webserver with another reverse-proxy](#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) - using the playbook-managed reverse-proxy (Traefik), but disabling SSL termination for it, exposing this reverse-proxy on a few local ports (e.g. `127.0.0.1:81`, etc.) and forwarding traffic from your own webserver to those few ports
- (difficult) [Using no reverse-proxy on the Matrix side at all](#using-no-reverse-proxy-on-the-matrix-side-at-all) disabling all playbook-managed reverse-proxies (no `matrix-nginx-proxy`, no Traefik) - (difficult) [Using no reverse-proxy on the Matrix side at all](#using-no-reverse-proxy-on-the-matrix-side-at-all) disabling the playbook-managed reverse-proxy (Traefik), exposing services one by one using `_host_bind_port` variables and forwarding traffic from your own webserver to those ports
### Fronting the integrated reverse-proxy webserver with another reverse-proxy ### Fronting the integrated reverse-proxy webserver with another reverse-proxy
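Review bot: In the second bullet the link runs straight into "disabling the playbook-managed reverse-proxy (Traefik)" with no " - " separator, unlike the first bullet; add it so both items read the same way.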
@ -173,7 +185,7 @@ Instead of [Fronting the integrated reverse-proxy webserver with another reverse
This is more difficult, as you would need to handle the configuration for each service manually. Enabling additional services would come with extra manual work you need to do. This is more difficult, as you would need to handle the configuration for each service manually. Enabling additional services would come with extra manual work you need to do.
If your webserver is on the same machine, sure your web server user (something like `http`, `apache`, `www-data`, `nginx`) is part of the `matrix` group. You should run something like this: `usermod -a -G matrix nginx`. This allows your webserver user to access files owned by the `matrix` group. When using an external nginx webserver, this allows it to read configuration files from `/matrix/nginx-proxy/conf.d`. When using another server, it would make other files, such as `/matrix/static-files/.well-known`, accessible to it. If your webserver is on the same machine, ensure your web server user (something like `http`, `apache`, `www-data`, `nginx`) is part of the `matrix` group. You should run something like this: `usermod -a -G matrix nginx`. This allows your webserver user to access files owned by the `matrix` group, so that it can serve static files from `/matrix/static-files`.
#### Using your own nginx reverse-proxy running on the same machine #### Using your own nginx reverse-proxy running on the same machine
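Review bot: `usermod -a -G matrix nginx` gives the webserver user access to everything owned by the `matrix` group, while the reworded sentence states that the only need is serving static files from `/matrix/static-files`. Say that explicitly, or offer a narrower alternative (read access to that directory only), so readers do not widen the webserver's access beyond the stated purpose.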

@ -17,7 +17,7 @@ matrix_synapse_admin_enabled: true
**Note**: Synapse Admin requires Synapse's [Admin APIs](https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/index.html) to function. Access to them is restricted with a valid access token, so exposing them publicly should not be a real security concern. Still, for additional security, we normally leave them unexposed, following [official Synapse reverse-proxying recommendations](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints). Because Synapse Admin needs these APIs to function, when installing Synapse Admin, the playbook **automatically** exposes the Synapse Admin API publicly for you. Depending on the homeserver implementation you're using (Synapse, Dendrite), this is equivalent to: **Note**: Synapse Admin requires Synapse's [Admin APIs](https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/index.html) to function. Access to them is restricted with a valid access token, so exposing them publicly should not be a real security concern. Still, for additional security, we normally leave them unexposed, following [official Synapse reverse-proxying recommendations](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints). Because Synapse Admin needs these APIs to function, when installing Synapse Admin, the playbook **automatically** exposes the Synapse Admin API publicly for you. Depending on the homeserver implementation you're using (Synapse, Dendrite), this is equivalent to:
- for Synapse (our default homeserver implementation): `matrix_synapse_container_labels_client_synapse_admin_api_enabled: true` - for Synapse (our default homeserver implementation): `matrix_synapse_container_labels_public_client_synapse_admin_api_enabled: true`
- for [Dendrite](./configuring-playbook-dendrite.md): `matrix_dendrite_container_labels_client_synapse_admin_api_enabled: true` - for [Dendrite](./configuring-playbook-dendrite.md): `matrix_dendrite_container_labels_client_synapse_admin_api_enabled: true`
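Review bot: After this change the two bullets follow different naming schemes: the Synapse variable gains the `_public_` infix while the Dendrite line keeps `matrix_dendrite_container_labels_client_synapse_admin_api_enabled`. The commit message says other homeservers will follow later; a short remark here would stop readers from "correcting" the Dendrite name by analogy and ending up with a variable that does nothing.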

@ -27,7 +27,7 @@ Also, all instructions below are from an older version of the playbook and may n
```yaml ```yaml
# To serve the federation from any domain, as long as the path matches # To serve the federation from any domain, as long as the path matches
matrix_synapse_container_labels_federation_api_traefik_rule: PathPrefix(`/_matrix/federation`) matrix_synapse_container_labels_public_federation_api_traefik_rule: PathPrefix(`/_matrix/federation`)
``` ```
This is because with SRV federation, some servers / tools (one of which being the federation tester) try to access the federation API using the resolved IP address instead of the domain name (or they are not using SNI). This change will make Traefik route all traffic for which the path match this rule go to the federation endpoint. This is because with SRV federation, some servers / tools (one of which being the federation tester) try to access the federation API using the resolved IP address instead of the domain name (or they are not using SNI). This change will make Traefik route all traffic for which the path match this rule go to the federation endpoint.
@ -142,7 +142,7 @@ matrix_playbook_reverse_proxy_type: playbook-managed-traefik
devture_traefik_config_certificatesResolvers_acme_email: redacted@example.com devture_traefik_config_certificatesResolvers_acme_email: redacted@example.com
# To serve the federation from any domain, as long as the path matches # To serve the federation from any domain, as long as the path matches
matrix_synapse_container_labels_federation_api_traefik_rule: PathPrefix(`/_matrix/federation`) matrix_synapse_container_labels_public_federation_api_traefik_rule: PathPrefix(`/_matrix/federation`)
# To let Traefik know which domains' certificates to serve # To let Traefik know which domains' certificates to serve
matrix_synapse_container_labels_additional_labels: | matrix_synapse_container_labels_additional_labels: |

@ -18,7 +18,7 @@ You can use the **[Purge History API](https://github.com/matrix-org/synapse/blob
To make use of this Synapse Admin API, **you'll need an admin access token** first. Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md). To make use of this Synapse Admin API, **you'll need an admin access token** first. Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md).
Synapse's Admin API is not exposed to the internet by default, following [official Synapse reverse-proxying recommendations](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints). To expose it you will need to add `matrix_synapse_container_labels_client_synapse_admin_api_enabled: true` to your `vars.yml` file. Synapse's Admin API is not exposed to the internet by default, following [official Synapse reverse-proxying recommendations](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints). To expose it you will need to add `matrix_synapse_container_labels_public_client_synapse_admin_api_enabled: true` to your `vars.yml` file.
Follow the [Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.md) documentation page for the actual purging instructions. Follow the [Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.md) documentation page for the actual purging instructions.

@ -24,8 +24,8 @@ matrix_playbook_docker_installation_enabled: true
# yet still use Traefik installed in another way. # yet still use Traefik installed in another way.
matrix_playbook_traefik_labels_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" matrix_playbook_traefik_labels_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
# Controls the additional network that reverse-proxyable services will be connected to. matrix_playbook_reverse_proxy_container_network: "{{ devture_traefik_container_network if devture_traefik_enabled else 'traefik' }}"
matrix_playbook_reverse_proxyable_services_additional_network: "{{ devture_traefik_container_network if devture_traefik_enabled else '' }}" matrix_playbook_reverse_proxy_hostname: "{{ devture_traefik_identifier if devture_traefik_enabled else 'traefik' }}"
matrix_playbook_ssl_retrieval_method: "{{ 'lets-encrypt' if devture_traefik_certs_dumper_enabled else matrix_ssl_retrieval_method }}" matrix_playbook_ssl_retrieval_method: "{{ 'lets-encrypt' if devture_traefik_certs_dumper_enabled else matrix_ssl_retrieval_method }}"
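Review bot: The `else 'traefik'` fallbacks on `matrix_playbook_reverse_proxy_container_network` and `matrix_playbook_reverse_proxy_hostname` apply whenever `devture_traefik_enabled` is false, which also covers reverse-proxy types that involve no Traefik at all; the line being removed fell back to `''` in that case. Gate the fallback on `matrix_playbook_reverse_proxy_type == 'other-traefik-container'` and keep `''` otherwise. The "# Controls the additional network..." comment is dropped without a replacement, so the two new variables should get one.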
@ -192,9 +192,9 @@ matrix_homeserver_app_service_config_files_auto: |
(['/matrix-cactus-comments.yaml'] if matrix_cactus_comments_enabled else []) (['/matrix-cactus-comments.yaml'] if matrix_cactus_comments_enabled else [])
}} }}
matrix_addons_homeserver_container_network: "{{ matrix_homeserver_proxy_container_network if matrix_homeserver_proxy_enabled else matrix_homeserver_container_network }}" matrix_addons_homeserver_container_network: "{{ matrix_playbook_reverse_proxy_container_network if matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled else matrix_homeserver_container_network }}"
matrix_addons_homeserver_client_api_url: "{{ matrix_homeserver_proxy_client_api_url if matrix_homeserver_proxy_enabled else matrix_homeserver_container_url }}" matrix_addons_homeserver_client_api_url: "{{ ('http://' + matrix_playbook_reverse_proxy_hostname + ':' + matrix_playbook_internal_matrix_client_api_traefik_entrypoint_port | string) if matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled else matrix_homeserver_container_url }}"
matrix_addons_homeserver_systemd_services_list: "{{ ([matrix_homeserver_proxy_identifier + '.service']) if matrix_homeserver_proxy_enabled else matrix_homeserver_systemd_services_list }}" matrix_addons_homeserver_systemd_services_list: "{{ ([devture_traefik_identifier + '.service']) if matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled else matrix_homeserver_systemd_services_list }}"
# Starting from version `0.6.0` conduit natively supports some sync v3 (sliding-sync) features. # Starting from version `0.6.0` conduit natively supports some sync v3 (sliding-sync) features.
matrix_homeserver_sliding_sync_url: "{{ matrix_sliding_sync_base_url if matrix_sliding_sync_enabled else (matrix_homeserver_url if matrix_homeserver_implementation in ['conduit'] else '') }}" matrix_homeserver_sliding_sync_url: "{{ matrix_sliding_sync_base_url if matrix_sliding_sync_enabled else (matrix_homeserver_url if matrix_homeserver_implementation in ['conduit'] else '') }}"
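Review bot: `matrix_addons_homeserver_systemd_services_list` now resolves to `devture_traefik_identifier + '.service'` whenever the internal entrypoint is enabled, but the URL on the line above it is built from `matrix_playbook_reverse_proxy_hostname`, which may name a Traefik container the playbook does not manage. In that setup there may be no such systemd unit for addons to depend on; condition this line on `devture_traefik_enabled` as well and fall back to `matrix_homeserver_systemd_services_list`. Separately, `matrix_addons_homeserver_client_api_url` hard-codes `http://`, which deserves a comment saying the entrypoint is non-TLS by design.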
@ -3503,7 +3503,7 @@ matrix_nginx_proxy_access_log_syslog_integration_server_port: "{{ (matrix_promet
# The playbook always enables the homeserver proxy for now. # The playbook always enables the homeserver proxy for now.
# TODO - consider not enabling it if not necessary # TODO - consider not enabling it if not necessary
matrix_homeserver_proxy_enabled: true matrix_homeserver_proxy_enabled: false
matrix_homeserver_proxy_access_log_syslog_integration_enabled: "{{ matrix_prometheus_nginxlog_exporter_enabled }}" matrix_homeserver_proxy_access_log_syslog_integration_enabled: "{{ matrix_prometheus_nginxlog_exporter_enabled }}"
matrix_homeserver_proxy_access_log_syslog_integration_server_port: "{{ (matrix_prometheus_nginxlog_exporter_identifier | string +':'+ matrix_prometheus_nginxlog_exporter_container_syslog_port | string) | default('') }}" matrix_homeserver_proxy_access_log_syslog_integration_server_port: "{{ (matrix_prometheus_nginxlog_exporter_identifier | string +':'+ matrix_prometheus_nginxlog_exporter_container_syslog_port | string) | default('') }}"
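Review bot: `matrix_homeserver_proxy_enabled` flips from `true` to `false`, but the two comment lines above it still say "The playbook always enables the homeserver proxy for now" and carry the TODO. Update or remove them so the comment matches the value.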
@ -4213,17 +4213,20 @@ matrix_synapse_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypo
matrix_synapse_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" matrix_synapse_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
matrix_synapse_container_labels_traefik_hostname: "{{ matrix_server_fqn_matrix }}" matrix_synapse_container_labels_traefik_hostname: "{{ matrix_server_fqn_matrix }}"
matrix_synapse_container_labels_client_root_redirection_enabled: "{{ matrix_synapse_container_labels_client_root_redirection_url != '' }}"
matrix_synapse_container_labels_client_root_redirection_url: "{{ (('https://' if matrix_playbook_ssl_enabled else 'http://') + matrix_server_fqn_element) if matrix_client_element_enabled else '' }}"
matrix_synapse_container_labels_matrix_labels_enabled: "{{ not matrix_synapse_workers_enabled }}" matrix_synapse_container_labels_matrix_labels_enabled: "{{ not matrix_synapse_workers_enabled }}"
matrix_synapse_container_labels_client_synapse_admin_api_enabled: "{{ matrix_synapse_admin_enabled }}" matrix_synapse_container_labels_public_client_root_redirection_enabled: "{{ matrix_synapse_container_labels_public_client_root_redirection_url != '' }}"
matrix_synapse_container_labels_public_client_root_redirection_url: "{{ (('https://' if matrix_playbook_ssl_enabled else 'http://') + matrix_server_fqn_element) if matrix_client_element_enabled else '' }}"
matrix_synapse_container_labels_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint }}" matrix_synapse_container_labels_public_client_synapse_admin_api_enabled: "{{ matrix_synapse_admin_enabled }}"
matrix_synapse_container_labels_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}" matrix_synapse_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint }}"
matrix_synapse_container_labels_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}"
matrix_synapse_container_labels_public_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}"
matrix_synapse_container_labels_public_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}"
matrix_synapse_container_labels_internal_client_api_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}"
matrix_synapse_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"
# For exposing the Synapse worker (and metrics) ports to the local host. # For exposing the Synapse worker (and metrics) ports to the local host.
matrix_synapse_workers_container_host_bind_address: "{{ matrix_playbook_service_host_bind_interface_prefix[0:-1] if (matrix_synapse_workers_enabled and matrix_playbook_service_host_bind_interface_prefix) else '' }}" matrix_synapse_workers_container_host_bind_address: "{{ matrix_playbook_service_host_bind_interface_prefix[0:-1] if (matrix_synapse_workers_enabled and matrix_playbook_service_host_bind_interface_prefix) else '' }}"
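Review bot: Several `matrix_synapse_container_labels_*` variables are renamed to `..._public_*` in this block with no alias left behind, so an existing `vars.yml` that still sets an old name (for example `matrix_synapse_container_labels_client_synapse_admin_api_enabled`) is silently ignored. For the `metrics_middleware_basic_auth_*` pair that would mean an override the user relied on is no longer applied. Add a check that fails the run when any of the old names is defined, and list the renames in the changelog.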
@ -4375,9 +4378,9 @@ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints: "{{
matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname: "{{ matrix_server_fqn_matrix }}" matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname: "{{ matrix_server_fqn_matrix }}"
matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_enabled: "{{ matrix_synapse_container_labels_client_synapse_client_api_enabled }}" matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_enabled: "{{ matrix_synapse_container_labels_public_client_synapse_client_api_enabled }}"
matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_enabled: "{{ matrix_synapse_container_labels_client_synapse_oidc_api_enabled }}" matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_enabled: "{{ matrix_synapse_container_labels_public_client_synapse_oidc_api_enabled }}"
matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_enabled: "{{ matrix_synapse_container_labels_client_synapse_admin_api_enabled }}" matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_enabled: "{{ matrix_synapse_container_labels_public_client_synapse_admin_api_enabled }}"
matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint }}" matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint }}"
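Review bot: Only the right-hand sides change here; the companion's own variables keep the unprefixed `..._labels_client_*` names and no `internal_client_api` counterpart is added for it. The previous hunk ties `matrix_synapse_container_labels_matrix_labels_enabled` to `not matrix_synapse_workers_enabled`, so please confirm what answers on the internal entrypoint when workers are enabled, or add a comment that companion support is pending, as the commit message indicates.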
@ -5203,6 +5206,8 @@ devture_traefik_gid: "{{ matrix_user_gid }}"
devture_traefik_additional_entrypoints_auto: | devture_traefik_additional_entrypoints_auto: |
{{ {{
([matrix_playbook_public_matrix_federation_api_traefik_entrypoint_definition] if matrix_playbook_public_matrix_federation_api_traefik_entrypoint_enabled else []) ([matrix_playbook_public_matrix_federation_api_traefik_entrypoint_definition] if matrix_playbook_public_matrix_federation_api_traefik_entrypoint_enabled else [])
+
([matrix_playbook_internal_matrix_client_api_traefik_entrypoint_definition] if matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled else [])
}} }}
devture_traefik_additional_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains_to_obtain_certificates_for }}" devture_traefik_additional_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains_to_obtain_certificates_for }}"

@ -239,6 +239,15 @@ matrix_metrics_exposure_http_basic_auth_users: ''
# - it's up to you to expose the ports you want, etc. # - it's up to you to expose the ports you want, etc.
matrix_playbook_reverse_proxy_type: '' matrix_playbook_reverse_proxy_type: ''
# Specifies the network that the reverse-proxy is operating at
matrix_playbook_reverse_proxy_container_network: 'traefik'
# Specifies the hostname that the reverse-proxy is available at
matrix_playbook_reverse_proxy_hostname: 'matrix-traefik'
# Controls the additional network that reverse-proxyable services will be connected to.
matrix_playbook_reverse_proxyable_services_additional_network: "{{ matrix_playbook_reverse_proxy_container_network }}"
matrix_playbook_service_host_bind_interface_prefix: "{{ '' if matrix_playbook_reverse_proxy_type not in ['other-nginx-non-container', 'other-on-same-host', 'other-on-another-host'] else ('0.0.0.0:' if matrix_playbook_reverse_proxy_type == 'other-on-another-host' else '127.0.0.1:') }}" matrix_playbook_service_host_bind_interface_prefix: "{{ '' if matrix_playbook_reverse_proxy_type not in ['other-nginx-non-container', 'other-on-same-host', 'other-on-another-host'] else ('0.0.0.0:' if matrix_playbook_reverse_proxy_type == 'other-on-another-host' else '127.0.0.1:') }}"
# Controls whether to enable an additional Traefik entrypoint for the purpose of serving Matrix Federation. # Controls whether to enable an additional Traefik entrypoint for the purpose of serving Matrix Federation.
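Review bot: The default `matrix_playbook_reverse_proxy_hostname: 'matrix-traefik'` disagrees with the `'traefik'` fallback given to the same variable in the group vars hunk, and the comment block added further down uses a third name in its example (`http://devture-traefik:8008/`). Settle on one value, or explain in the comment why they differ. "Specifies the network that the reverse-proxy is operating at" would read better as "is attached to".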
@ -258,6 +267,41 @@ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_definition:
host_bind_port: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port }}" host_bind_port: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port }}"
config: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config }}" config: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config }}"
# Controls whether to enable an additional Traefik entrypoint for the purpose of serving the homeserver's Client-Server API internally.
#
# Homeserver software and other core components which are part of the homeserver's Client-Server API
# may wish to register their routes with this additional entrypoint and provide their services on it for internal (no-public-network and non-TLS) use.
#
# This entrypoint provides local addons (e.g. bridges, bots, etc.) with the ability to easily & quickly communicate with the homeserver and/or related software.
# Such services can reach the homeserver over the public internet (e.g. https://matrix.DOMAIN), but this is slow due to networking and SSL-termination.
# Talking directly to the homeserver (e.g. `http://matrix-synapse:8008`) is another option, but does not allow other homeserver-related software
# (e.g. identity servers like ma1sd, media repository servers like matrix-media-repo, firewalls like matrix-corporal)
# to register itself for certain homeserver routes.
#
# For example: when matrix-media-repo is enabled, it wishes to handle `/_matrix/media` both publicly and internally.
# Bots/bridges that try to upload media should not hit `/_matrix/media` on the homeserver directly, but actually go through matrix-media-repo.
#
# This entrypoint gives us a layer of indirection, so that all these homeserver-related services can register themselves on this entrypoint
# the same way they register themselves for the public (e.g. `web-secure`) entrypoint.
#
# Routers enabled on this entrypoint should use Traefik rules which do NOT do Host-matching (Host/HostRegexp),
# because addon services (e.g. bridges, bots) cannot properly pass a `Host` HTTP header when making
# requests to the endpoint's address (e.g. `http://devture-traefik:8008/`).
# This entrypoint only aims to handle a single "virtual host" - one dealing with the homeserver's Client-Server API.
matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled: true
matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name: matrix-internal-matrix-client-api
matrix_playbook_internal_matrix_client_api_traefik_entrypoint_port: 8008
matrix_playbook_internal_matrix_client_api_traefik_entrypoint_host_bind_port: ''
matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_auto | combine(matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_custom, recursive=True) }}"
matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_auto: {}
matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_custom: {}
matrix_playbook_internal_matrix_client_api_traefik_entrypoint_definition:
name: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"
port: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_port }}"
host_bind_port: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_host_bind_port }}"
config: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config }}"
# Variables to Control which parts of our roles run. # Variables to Control which parts of our roles run.
run_postgres_import: true run_postgres_import: true
run_postgres_upgrade: true run_postgres_upgrade: true
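Review bot: the comment block for the new internal entrypoint never says what keeps it internal, and `matrix_playbook_internal_matrix_client_api_traefik_entrypoint_host_bind_port: ''` carries no comment at all. The entrypoint is described as non-TLS, routers on it are told to skip Host matching, and it is enabled by default, so the empty host bind port appears to be the only setting that keeps it off the host's interfaces. A short comment on that variable stating that a non-empty value publishes a plain-HTTP Client-Server API port would help prevent accidental exposure. Separately, the example address `http://devture-traefik:8008/` in the comment does not match the `matrix_playbook_reverse_proxy_hostname: 'matrix-traefik'` default added in the previous hunk; referring to the variable instead of a literal hostname would keep the two in sync.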

View File

@ -169,100 +169,111 @@ matrix_synapse_container_labels_traefik_hostname: ''
# Controls whether Matrix-related labels will be added. # Controls whether Matrix-related labels will be added.
# #
# When set to false, variables like the following take no effect: # When set to false, variables like the following take no effect:
# - `matrix_synapse_container_labels_client_api_enabled` # - `matrix_synapse_container_labels_public_client_api_enabled`
# - `matrix_synapse_container_labels_client_synapse_client_api_enabled` # - `matrix_synapse_container_labels_public_client_synapse_client_api_enabled`
# - `matrix_synapse_container_labels_client_synapse_oidc_api_enabled` # - `matrix_synapse_container_labels_public_client_synapse_oidc_api_enabled`
# - `matrix_synapse_container_labels_client_synapse_admin_api_enabled` # - `matrix_synapse_container_labels_public_client_synapse_admin_api_enabled`
# - `matrix_synapse_container_labels_federation_api_enabled` # - `matrix_synapse_container_labels_public_federation_api_enabled`
# #
# When workers are enabled, we do not capture these requests, because we can't route them appropriately. # When workers are enabled, we do not capture these requests, because we can't route them appropriately.
matrix_synapse_container_labels_matrix_related_labels_enabled: "{{ not matrix_synapse_workers_enabled }}" matrix_synapse_container_labels_matrix_related_labels_enabled: "{{ not matrix_synapse_workers_enabled }}"
# Controls whether labels will be added for handling the root (/) path. # Controls whether labels will be added for handling the root (/) path on a public Traefik entrypoint.
matrix_synapse_container_labels_client_root_enabled: true matrix_synapse_container_labels_public_client_root_enabled: true
matrix_synapse_container_labels_client_root_traefik_hostname: "{{ matrix_synapse_container_labels_traefik_hostname }}" matrix_synapse_container_labels_public_client_root_traefik_hostname: "{{ matrix_synapse_container_labels_traefik_hostname }}"
matrix_synapse_container_labels_client_root_traefik_rule: "Host(`{{ matrix_synapse_container_labels_client_root_traefik_hostname }}`) && Path(`/`)" matrix_synapse_container_labels_public_client_root_traefik_rule: "Host(`{{ matrix_synapse_container_labels_public_client_root_traefik_hostname }}`) && Path(`/`)"
matrix_synapse_container_labels_client_root_traefik_priority: 0 matrix_synapse_container_labels_public_client_root_traefik_priority: 0
matrix_synapse_container_labels_client_root_traefik_entrypoints: "{{ matrix_synapse_container_labels_traefik_entrypoints }}" matrix_synapse_container_labels_public_client_root_traefik_entrypoints: "{{ matrix_synapse_container_labels_traefik_entrypoints }}"
matrix_synapse_container_labels_client_root_traefik_tls: "{{ matrix_synapse_container_labels_client_root_traefik_entrypoints != 'web' }}" matrix_synapse_container_labels_public_client_root_traefik_tls: "{{ matrix_synapse_container_labels_public_client_root_traefik_entrypoints != 'web' }}"
matrix_synapse_container_labels_client_root_traefik_tls_certResolver: "{{ matrix_synapse_container_labels_traefik_tls_certResolver }}" # noqa var-naming matrix_synapse_container_labels_public_client_root_traefik_tls_certResolver: "{{ matrix_synapse_container_labels_traefik_tls_certResolver }}" # noqa var-naming
matrix_synapse_container_labels_client_root_redirection_enabled: false matrix_synapse_container_labels_public_client_root_redirection_enabled: false
matrix_synapse_container_labels_client_root_redirection_url: "" matrix_synapse_container_labels_public_client_root_redirection_url: ""
# Controls whether labels will be added that expose the Client-Server API. # Controls whether labels will be added that expose the Client-Server API on a public Traefik entrypoint.
# Regardless of whether this is enabled, it may or may not take effect due to the value of other variables. # Regardless of whether this is enabled, it may or may not take effect due to the value of other variables.
# See `matrix_synapse_container_labels_traefik_enabled` or `matrix_synapse_container_labels_matrix_related_labels_enabled` # See `matrix_synapse_container_labels_traefik_enabled` or `matrix_synapse_container_labels_matrix_related_labels_enabled`
matrix_synapse_container_labels_client_api_enabled: true matrix_synapse_container_labels_public_client_api_enabled: true
matrix_synapse_container_labels_client_api_traefik_hostname: "{{ matrix_synapse_container_labels_traefik_hostname }}" matrix_synapse_container_labels_public_client_api_traefik_hostname: "{{ matrix_synapse_container_labels_traefik_hostname }}"
matrix_synapse_container_labels_client_api_traefik_path_prefix: /_matrix matrix_synapse_container_labels_public_client_api_traefik_path_prefix: /_matrix
matrix_synapse_container_labels_client_api_traefik_rule: "Host(`{{ matrix_synapse_container_labels_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_container_labels_client_api_traefik_path_prefix }}`)" matrix_synapse_container_labels_public_client_api_traefik_rule: "Host(`{{ matrix_synapse_container_labels_public_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_container_labels_public_client_api_traefik_path_prefix }}`)"
matrix_synapse_container_labels_client_api_traefik_priority: 0 matrix_synapse_container_labels_public_client_api_traefik_priority: 0
matrix_synapse_container_labels_client_api_traefik_entrypoints: "{{ matrix_synapse_container_labels_traefik_entrypoints }}" matrix_synapse_container_labels_public_client_api_traefik_entrypoints: "{{ matrix_synapse_container_labels_traefik_entrypoints }}"
matrix_synapse_container_labels_client_api_traefik_tls: "{{ matrix_synapse_container_labels_client_api_traefik_entrypoints != 'web' }}" matrix_synapse_container_labels_public_client_api_traefik_tls: "{{ matrix_synapse_container_labels_public_client_api_traefik_entrypoints != 'web' }}"
matrix_synapse_container_labels_client_api_traefik_tls_certResolver: "{{ matrix_synapse_container_labels_traefik_tls_certResolver }}" # noqa var-naming matrix_synapse_container_labels_public_client_api_traefik_tls_certResolver: "{{ matrix_synapse_container_labels_traefik_tls_certResolver }}" # noqa var-naming
# Controls whether labels will be added that expose the Client-Server API on the internal Traefik entrypoint.
# This is similar to `matrix_synapse_container_labels_public_client_api_enabled`, but the entrypoint and intent is different.
# Regardless of whether this is enabled, it may or may not take effect due to the value of other variables.
# See `matrix_synapse_container_labels_traefik_enabled` or `matrix_synapse_container_labels_matrix_related_labels_enabled`
matrix_synapse_container_labels_internal_client_api_enabled: false
matrix_synapse_container_labels_internal_client_api_traefik_hostname: "{{ matrix_synapse_container_labels_traefik_hostname }}"
matrix_synapse_container_labels_internal_client_api_traefik_path_prefix: /_matrix
matrix_synapse_container_labels_internal_client_api_traefik_rule: "PathPrefix(`{{ matrix_synapse_container_labels_internal_client_api_traefik_path_prefix }}`)"
matrix_synapse_container_labels_internal_client_api_traefik_priority: "{{ matrix_synapse_container_labels_public_client_api_traefik_priority }}"
matrix_synapse_container_labels_internal_client_api_traefik_entrypoints: ""
# Controls whether labels will be added that expose the /_synapse/client paths # Controls whether labels will be added that expose the /_synapse/client paths
# When workers are enabled, we do not capture these requests, because they may be load-balanaced to some specific worker. # When workers are enabled, we do not capture these requests, because they may be load-balanaced to some specific worker.
# Regardless of whether this is enabled, it may or may not take effect due to the value of other variables. # Regardless of whether this is enabled, it may or may not take effect due to the value of other variables.
# See `matrix_synapse_container_labels_traefik_enabled` or `matrix_synapse_container_labels_matrix_related_labels_enabled` # See `matrix_synapse_container_labels_traefik_enabled` or `matrix_synapse_container_labels_matrix_related_labels_enabled`
matrix_synapse_container_labels_client_synapse_client_api_enabled: true matrix_synapse_container_labels_public_client_synapse_client_api_enabled: true
matrix_synapse_container_labels_client_synapse_client_api_traefik_hostname: "{{ matrix_synapse_container_labels_traefik_hostname }}" matrix_synapse_container_labels_public_client_synapse_client_api_traefik_hostname: "{{ matrix_synapse_container_labels_traefik_hostname }}"
matrix_synapse_container_labels_client_synapse_client_api_traefik_path_prefix: /_synapse/client matrix_synapse_container_labels_public_client_synapse_client_api_traefik_path_prefix: /_synapse/client
matrix_synapse_container_labels_client_synapse_client_api_traefik_rule: "Host(`{{ matrix_synapse_container_labels_client_synapse_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_container_labels_client_synapse_client_api_traefik_path_prefix }}`)" matrix_synapse_container_labels_public_client_synapse_client_api_traefik_rule: "Host(`{{ matrix_synapse_container_labels_public_client_synapse_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_container_labels_public_client_synapse_client_api_traefik_path_prefix }}`)"
matrix_synapse_container_labels_client_synapse_client_api_traefik_priority: 0 matrix_synapse_container_labels_public_client_synapse_client_api_traefik_priority: 0
matrix_synapse_container_labels_client_synapse_client_api_traefik_entrypoints: "{{ matrix_synapse_container_labels_traefik_entrypoints }}" matrix_synapse_container_labels_public_client_synapse_client_api_traefik_entrypoints: "{{ matrix_synapse_container_labels_traefik_entrypoints }}"
matrix_synapse_container_labels_client_synapse_client_api_traefik_tls: "{{ matrix_synapse_container_labels_client_synapse_client_api_traefik_entrypoints != 'web' }}" matrix_synapse_container_labels_public_client_synapse_client_api_traefik_tls: "{{ matrix_synapse_container_labels_public_client_synapse_client_api_traefik_entrypoints != 'web' }}"
matrix_synapse_container_labels_client_synapse_client_api_traefik_tls_certResolver: "{{ matrix_synapse_container_labels_traefik_tls_certResolver }}" # noqa var-naming matrix_synapse_container_labels_public_client_synapse_client_api_traefik_tls_certResolver: "{{ matrix_synapse_container_labels_traefik_tls_certResolver }}" # noqa var-naming
# Controls whether labels will be added that expose the /_synapse/oidc paths # Controls whether labels will be added that expose the /_synapse/oidc paths
# Enable this if you need OpenID Connect authentication support. # Enable this if you need OpenID Connect authentication support.
# Regardless of whether this is enabled, it may or may not take effect due to the value of other variables. # Regardless of whether this is enabled, it may or may not take effect due to the value of other variables.
# See `matrix_synapse_container_labels_traefik_enabled` or `matrix_synapse_container_labels_matrix_related_labels_enabled` # See `matrix_synapse_container_labels_traefik_enabled` or `matrix_synapse_container_labels_matrix_related_labels_enabled`
matrix_synapse_container_labels_client_synapse_oidc_api_enabled: false matrix_synapse_container_labels_public_client_synapse_oidc_api_enabled: false
matrix_synapse_container_labels_client_synapse_oidc_api_traefik_hostname: "{{ matrix_synapse_container_labels_traefik_hostname }}" matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_hostname: "{{ matrix_synapse_container_labels_traefik_hostname }}"
matrix_synapse_container_labels_client_synapse_oidc_api_traefik_path_prefix: /_synapse/oidc matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_path_prefix: /_synapse/oidc
matrix_synapse_container_labels_client_synapse_oidc_api_traefik_rule: "Host(`{{ matrix_synapse_container_labels_client_synapse_oidc_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_container_labels_client_synapse_oidc_api_traefik_path_prefix }}`)" matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_rule: "Host(`{{ matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_path_prefix }}`)"
matrix_synapse_container_labels_client_synapse_oidc_api_traefik_priority: 0 matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_priority: 0
matrix_synapse_container_labels_client_synapse_oidc_api_traefik_entrypoints: "{{ matrix_synapse_container_labels_traefik_entrypoints }}" matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_entrypoints: "{{ matrix_synapse_container_labels_traefik_entrypoints }}"
matrix_synapse_container_labels_client_synapse_oidc_api_traefik_tls: "{{ matrix_synapse_container_labels_client_synapse_oidc_api_traefik_entrypoints != 'web' }}" matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_tls: "{{ matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_entrypoints != 'web' }}"
matrix_synapse_container_labels_client_synapse_oidc_api_traefik_tls_certResolver: "{{ matrix_synapse_container_labels_traefik_tls_certResolver }}" # noqa var-naming matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_tls_certResolver: "{{ matrix_synapse_container_labels_traefik_tls_certResolver }}" # noqa var-naming
# Controls whether labels will be added that expose the /_synapse/admin paths # Controls whether labels will be added that expose the /_synapse/admin paths
# Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't. # Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't.
# Regardless of whether this is enabled, it may or may not take effect due to the value of other variables. # Regardless of whether this is enabled, it may or may not take effect due to the value of other variables.
# See `matrix_synapse_container_labels_traefik_enabled` or `matrix_synapse_container_labels_matrix_related_labels_enabled` # See `matrix_synapse_container_labels_traefik_enabled` or `matrix_synapse_container_labels_matrix_related_labels_enabled`
matrix_synapse_container_labels_client_synapse_admin_api_enabled: false matrix_synapse_container_labels_public_client_synapse_admin_api_enabled: false
matrix_synapse_container_labels_client_synapse_admin_api_traefik_hostname: "{{ matrix_synapse_container_labels_traefik_hostname }}" matrix_synapse_container_labels_public_client_synapse_admin_api_traefik_hostname: "{{ matrix_synapse_container_labels_traefik_hostname }}"
matrix_synapse_container_labels_client_synapse_admin_api_traefik_path_prefix: /_synapse/admin matrix_synapse_container_labels_public_client_synapse_admin_api_traefik_path_prefix: /_synapse/admin
matrix_synapse_container_labels_client_synapse_admin_api_traefik_rule: "Host(`{{ matrix_synapse_container_labels_client_synapse_admin_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_container_labels_client_synapse_admin_api_traefik_path_prefix }}`)" matrix_synapse_container_labels_public_client_synapse_admin_api_traefik_rule: "Host(`{{ matrix_synapse_container_labels_public_client_synapse_admin_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_container_labels_public_client_synapse_admin_api_traefik_path_prefix }}`)"
matrix_synapse_container_labels_client_synapse_admin_api_traefik_priority: 0 matrix_synapse_container_labels_public_client_synapse_admin_api_traefik_priority: 0
matrix_synapse_container_labels_client_synapse_admin_api_traefik_entrypoints: "{{ matrix_synapse_container_labels_traefik_entrypoints }}" matrix_synapse_container_labels_public_client_synapse_admin_api_traefik_entrypoints: "{{ matrix_synapse_container_labels_traefik_entrypoints }}"
matrix_synapse_container_labels_client_synapse_admin_api_traefik_tls: "{{ matrix_synapse_container_labels_client_synapse_admin_api_traefik_entrypoints != 'web' }}" matrix_synapse_container_labels_public_client_synapse_admin_api_traefik_tls: "{{ matrix_synapse_container_labels_public_client_synapse_admin_api_traefik_entrypoints != 'web' }}"
matrix_synapse_container_labels_client_synapse_admin_api_traefik_tls_certResolver: "{{ matrix_synapse_container_labels_traefik_tls_certResolver }}" # noqa var-naming matrix_synapse_container_labels_public_client_synapse_admin_api_traefik_tls_certResolver: "{{ matrix_synapse_container_labels_traefik_tls_certResolver }}" # noqa var-naming
# Controls whether labels will be added that expose the Server-Server API (Federation API). # Controls whether labels will be added that expose the Server-Server API (Federation API).
# Regardless of whether this is enabled, it may or may not take effect due to the value of other variables. # Regardless of whether this is enabled, it may or may not take effect due to the value of other variables.
# See `matrix_synapse_container_labels_traefik_enabled` or `matrix_synapse_container_labels_matrix_related_labels_enabled` # See `matrix_synapse_container_labels_traefik_enabled` or `matrix_synapse_container_labels_matrix_related_labels_enabled`
matrix_synapse_container_labels_federation_api_enabled: "{{ matrix_synapse_federation_enabled and not matrix_synapse_workers_enabled }}" matrix_synapse_container_labels_public_federation_api_enabled: "{{ matrix_synapse_federation_enabled and not matrix_synapse_workers_enabled }}"
matrix_synapse_container_labels_federation_api_traefik_hostname: "{{ matrix_synapse_container_labels_traefik_hostname }}" matrix_synapse_container_labels_public_federation_api_traefik_hostname: "{{ matrix_synapse_container_labels_traefik_hostname }}"
matrix_synapse_container_labels_federation_api_traefik_path_prefix: /_matrix matrix_synapse_container_labels_public_federation_api_traefik_path_prefix: /_matrix
matrix_synapse_container_labels_federation_api_traefik_rule: "Host(`{{ matrix_synapse_container_labels_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_container_labels_federation_api_traefik_path_prefix }}`)" matrix_synapse_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_synapse_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_container_labels_public_federation_api_traefik_path_prefix }}`)"
matrix_synapse_container_labels_federation_api_traefik_priority: 0 matrix_synapse_container_labels_public_federation_api_traefik_priority: 0
matrix_synapse_container_labels_federation_api_traefik_entrypoints: '' matrix_synapse_container_labels_public_federation_api_traefik_entrypoints: ''
matrix_synapse_container_labels_federation_api_traefik_tls: "{{ matrix_synapse_container_labels_federation_api_traefik_entrypoints != 'web' }}" matrix_synapse_container_labels_public_federation_api_traefik_tls: "{{ matrix_synapse_container_labels_public_federation_api_traefik_entrypoints != 'web' }}"
matrix_synapse_container_labels_federation_api_traefik_tls_certResolver: "{{ matrix_synapse_container_labels_traefik_tls_certResolver }}" # noqa var-naming matrix_synapse_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_synapse_container_labels_traefik_tls_certResolver }}" # noqa var-naming
# Controls whether labels will be added that expose metrics (see `matrix_synapse_metrics_proxying_enabled`) for the main Synapse process # Controls whether labels will be added that expose metrics (see `matrix_synapse_metrics_proxying_enabled`) for the main Synapse process
matrix_synapse_container_labels_metrics_enabled: "{{ matrix_synapse_metrics_enabled and matrix_synapse_metrics_proxying_enabled }}" matrix_synapse_container_labels_public_metrics_enabled: "{{ matrix_synapse_metrics_enabled and matrix_synapse_metrics_proxying_enabled }}"
matrix_synapse_container_labels_metrics_traefik_path: "{{ matrix_synapse_metrics_proxying_path_prefix }}/main-process" matrix_synapse_container_labels_public_metrics_traefik_path: "{{ matrix_synapse_metrics_proxying_path_prefix }}/main-process"
matrix_synapse_container_labels_metrics_traefik_rule: "Host(`{{ matrix_synapse_metrics_proxying_hostname }}`) && Path(`{{ matrix_synapse_container_labels_metrics_traefik_path }}`)" matrix_synapse_container_labels_public_metrics_traefik_rule: "Host(`{{ matrix_synapse_metrics_proxying_hostname }}`) && Path(`{{ matrix_synapse_container_labels_public_metrics_traefik_path }}`)"
matrix_synapse_container_labels_metrics_traefik_priority: 0 matrix_synapse_container_labels_public_metrics_traefik_priority: 0
matrix_synapse_container_labels_metrics_traefik_entrypoints: "{{ matrix_synapse_container_labels_traefik_entrypoints }}" matrix_synapse_container_labels_public_metrics_traefik_entrypoints: "{{ matrix_synapse_container_labels_traefik_entrypoints }}"
matrix_synapse_container_labels_metrics_traefik_tls: "{{ matrix_synapse_container_labels_metrics_traefik_entrypoints != 'web' }}" matrix_synapse_container_labels_public_metrics_traefik_tls: "{{ matrix_synapse_container_labels_public_metrics_traefik_entrypoints != 'web' }}"
matrix_synapse_container_labels_metrics_traefik_tls_certResolver: "{{ matrix_synapse_container_labels_traefik_tls_certResolver }}" # noqa var-naming matrix_synapse_container_labels_public_metrics_traefik_tls_certResolver: "{{ matrix_synapse_container_labels_traefik_tls_certResolver }}" # noqa var-naming
matrix_synapse_container_labels_metrics_middleware_basic_auth_enabled: false matrix_synapse_container_labels_public_metrics_middleware_basic_auth_enabled: false
# See: https://doc.traefik.io/traefik/middlewares/http/basicauth/#users # See: https://doc.traefik.io/traefik/middlewares/http/basicauth/#users
matrix_synapse_container_labels_metrics_middleware_basic_auth_users: '' matrix_synapse_container_labels_public_metrics_middleware_basic_auth_users: ''
# matrix_synapse_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. # matrix_synapse_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
# See `../templates/labels.j2` for details. # See `../templates/labels.j2` for details.
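Review bot: `matrix_synapse_container_labels_internal_client_api_traefik_hostname` is defined in the new internal block, but the internal rule is only `PathPrefix(...)` and nothing visible in this hunk reads the hostname. That matches the no-Host-matching guidance for the internal entrypoint, so the variable looks like a leftover from copying the public block; drop it, or comment why it exists, so nobody assumes the internal router is restricted by hostname. As a documentation point, the comments for the root and Client-Server API blocks were updated to say "on a public Traefik entrypoint", while the `/_synapse/client`, `/_synapse/oidc`, `/_synapse/admin`, federation and metrics comments were left unchanged even though their variables now carry the `public_` prefix.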
@ -707,11 +718,11 @@ matrix_synapse_worker_container_labels_metrics_traefik_path: "{{ matrix_synapse_
matrix_synapse_worker_container_labels_metrics_traefik_rule: "Host(`{{ matrix_synapse_metrics_proxying_hostname }}`) && Path(`{{ matrix_synapse_worker_container_labels_metrics_traefik_path }}`)" matrix_synapse_worker_container_labels_metrics_traefik_rule: "Host(`{{ matrix_synapse_metrics_proxying_hostname }}`) && Path(`{{ matrix_synapse_worker_container_labels_metrics_traefik_path }}`)"
matrix_synapse_worker_container_labels_metrics_traefik_priority: 0 matrix_synapse_worker_container_labels_metrics_traefik_priority: 0
matrix_synapse_worker_container_labels_metrics_traefik_entrypoints: "{{ matrix_synapse_container_labels_traefik_entrypoints }}" matrix_synapse_worker_container_labels_metrics_traefik_entrypoints: "{{ matrix_synapse_container_labels_traefik_entrypoints }}"
matrix_synapse_worker_container_labels_metrics_traefik_tls: "{{ matrix_synapse_container_labels_metrics_traefik_entrypoints != 'web' }}" matrix_synapse_worker_container_labels_metrics_traefik_tls: "{{ matrix_synapse_container_labels_public_metrics_traefik_entrypoints != 'web' }}"
matrix_synapse_worker_container_labels_metrics_traefik_tls_certResolver: "{{ matrix_synapse_container_labels_traefik_tls_certResolver }}" # noqa var-naming matrix_synapse_worker_container_labels_metrics_traefik_tls_certResolver: "{{ matrix_synapse_container_labels_traefik_tls_certResolver }}" # noqa var-naming
matrix_synapse_worker_container_labels_metrics_middleware_basic_auth_enabled: "{{ matrix_synapse_container_labels_metrics_middleware_basic_auth_enabled }}" matrix_synapse_worker_container_labels_metrics_middleware_basic_auth_enabled: "{{ matrix_synapse_container_labels_public_metrics_middleware_basic_auth_enabled }}"
# See: https://doc.traefik.io/traefik/middlewares/http/basicauth/#users # See: https://doc.traefik.io/traefik/middlewares/http/basicauth/#users
matrix_synapse_worker_container_labels_metrics_middleware_basic_auth_users: "{{ matrix_synapse_container_labels_metrics_middleware_basic_auth_users }}" matrix_synapse_worker_container_labels_metrics_middleware_basic_auth_users: "{{ matrix_synapse_container_labels_public_metrics_middleware_basic_auth_users }}"
# matrix_synapse_worker_container_labels_additional_labels contains a multiline string with additional labels to add to the label files for Synapse worker containers. # matrix_synapse_worker_container_labels_additional_labels contains a multiline string with additional labels to add to the label files for Synapse worker containers.
# See `../templates/labels.j2` for details. # See `../templates/labels.j2` for details.
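Review bot: `matrix_synapse_worker_container_labels_metrics_traefik_tls` is computed from the main process's `matrix_synapse_container_labels_public_metrics_traefik_entrypoints` rather than from `matrix_synapse_worker_container_labels_metrics_traefik_entrypoints`, which is defined on the line directly above it. The rename carries this over unchanged. If someone overrides only the worker entrypoints, the worker TLS flag will still follow the main process's value and the two can disagree. Since the line is being touched anyway, consider switching the comparison to the worker's own entrypoints variable.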

View File

@ -16,17 +16,19 @@
- {'name': 'matrix_synapse_database_password', when: true} - {'name': 'matrix_synapse_database_password', when: true}
- {'name': 'matrix_synapse_database_database', when: true} - {'name': 'matrix_synapse_database_database', when: true}
- {'name': 'matrix_synapse_container_labels_client_root_traefik_hostname', when: "{{ matrix_synapse_container_labels_client_root_enabled }}"} - {'name': 'matrix_synapse_container_labels_public_client_root_traefik_hostname', when: "{{ matrix_synapse_container_labels_public_client_root_enabled }}"}
- {'name': 'matrix_synapse_container_labels_client_root_redirection_url', when: "{{ matrix_synapse_container_labels_client_root_redirection_enabled }}"} - {'name': 'matrix_synapse_container_labels_public_client_root_redirection_url', when: "{{ matrix_synapse_container_labels_public_client_root_redirection_enabled }}"}
- {'name': 'matrix_synapse_container_labels_client_api_traefik_hostname', when: "{{ matrix_synapse_container_labels_client_api_enabled }}"} - {'name': 'matrix_synapse_container_labels_public_client_api_traefik_hostname', when: "{{ matrix_synapse_container_labels_public_client_api_enabled }}"}
- {'name': 'matrix_synapse_container_labels_client_synapse_client_api_traefik_hostname', when: "{{ matrix_synapse_container_labels_client_synapse_client_api_enabled }}"} - {'name': 'matrix_synapse_container_labels_internal_client_api_traefik_entrypoints', when: "{{ matrix_synapse_container_labels_internal_client_api_enabled }}"}
- {'name': 'matrix_synapse_container_labels_client_synapse_oidc_api_traefik_hostname', when: "{{ matrix_synapse_container_labels_client_synapse_oidc_api_enabled }}"}
- {'name': 'matrix_synapse_container_labels_client_synapse_admin_api_traefik_hostname', when: "{{ matrix_synapse_container_labels_client_synapse_admin_api_enabled }}"}
- {'name': 'matrix_synapse_container_labels_federation_api_traefik_hostname', when: "{{ matrix_synapse_container_labels_federation_api_enabled }}"} - {'name': 'matrix_synapse_container_labels_public_client_synapse_client_api_traefik_hostname', when: "{{ matrix_synapse_container_labels_public_client_synapse_client_api_enabled }}"}
- {'name': 'matrix_synapse_container_labels_federation_api_traefik_entrypoints', when: "{{ matrix_synapse_container_labels_federation_api_enabled }}"} - {'name': 'matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_hostname', when: "{{ matrix_synapse_container_labels_public_client_synapse_oidc_api_enabled }}"}
- {'name': 'matrix_synapse_container_labels_public_client_synapse_admin_api_traefik_hostname', when: "{{ matrix_synapse_container_labels_public_client_synapse_admin_api_enabled }}"}
- {'name': 'matrix_synapse_container_labels_public_federation_api_traefik_hostname', when: "{{ matrix_synapse_container_labels_public_federation_api_enabled }}"}
- {'name': 'matrix_synapse_container_labels_public_federation_api_traefik_entrypoints', when: "{{ matrix_synapse_container_labels_public_federation_api_enabled }}"}
- {'name': 'matrix_synapse_metrics_proxying_hostname', when: "{{ matrix_synapse_metrics_proxying_enabled }}"} - {'name': 'matrix_synapse_metrics_proxying_hostname', when: "{{ matrix_synapse_metrics_proxying_enabled }}"}
- {'name': 'matrix_synapse_metrics_proxying_path_prefix', when: "{{ matrix_synapse_metrics_proxying_enabled }}"} - {'name': 'matrix_synapse_metrics_proxying_path_prefix', when: "{{ matrix_synapse_metrics_proxying_enabled }}"}
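Review bot: this list only checks that the renamed `matrix_synapse_container_labels_public_*` variables are set; nothing in the visible lines catches the old `matrix_synapse_container_labels_client_*` and `matrix_synapse_container_labels_federation_*` names. An existing override such as `matrix_synapse_container_labels_client_synapse_admin_api_enabled` would be ignored without any message after this change, which matters for settings that control what is exposed. If the role has a check for renamed or deprecated variables, add the old names there with a pointer to the new ones. The new requirement that `matrix_synapse_container_labels_internal_client_api_traefik_entrypoints` be set when the internal labels are enabled is a good guard against a router with an empty entrypoint list.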

View File

@ -11,40 +11,40 @@ traefik.http.services.matrix-synapse-metrics.loadbalancer.server.port={{ matrix_
{# {#
Root path (/) Public Root path (/)
#} #}
{% if matrix_synapse_container_labels_client_root_enabled %} {% if matrix_synapse_container_labels_public_client_root_enabled %}
{% set client_root_middlewares = [] %} {% set client_root_middlewares = [] %}
{% if matrix_synapse_container_labels_client_root_redirection_enabled %} {% if matrix_synapse_container_labels_public_client_root_redirection_enabled %}
{% set client_root_middlewares = client_root_middlewares + ['matrix-synapse-client-root-redirect'] %} {% set client_root_middlewares = client_root_middlewares + ['matrix-synapse-public-client-root-redirect'] %}
traefik.http.middlewares.matrix-synapse-client-root-redirect.redirectregex.regex=(.*) traefik.http.middlewares.matrix-synapse-public-client-root-redirect.redirectregex.regex=(.*)
traefik.http.middlewares.matrix-synapse-client-root-redirect.redirectregex.replacement={{ matrix_synapse_container_labels_client_root_redirection_url }} traefik.http.middlewares.matrix-synapse-public-client-root-redirect.redirectregex.replacement={{ matrix_synapse_container_labels_public_client_root_redirection_url }}
{% else %} {% else %}
{% set client_root_middlewares = client_root_middlewares + ['matrix-synapse-client-root-replacepath'] %} {% set client_root_middlewares = client_root_middlewares + ['matrix-synapse-public-client-root-replacepath'] %}
traefik.http.middlewares.matrix-synapse-client-root-replacepath.replacepath.path=/_matrix/static/ traefik.http.middlewares.matrix-synapse-public-client-root-replacepath.replacepath.path=/_matrix/static/
{% endif %} {% endif %}
traefik.http.routers.matrix-synapse-client-root.rule={{ matrix_synapse_container_labels_client_root_traefik_rule }} traefik.http.routers.matrix-synapse-public-client-root.rule={{ matrix_synapse_container_labels_public_client_root_traefik_rule }}
traefik.http.routers.matrix-synapse-client-root.middlewares={{ client_root_middlewares | join(',') }} traefik.http.routers.matrix-synapse-public-client-root.middlewares={{ client_root_middlewares | join(',') }}
{% if matrix_synapse_container_labels_client_root_traefik_priority | int > 0 %} {% if matrix_synapse_container_labels_public_client_root_traefik_priority | int > 0 %}
traefik.http.routers.matrix-synapse-client-root.priority={{ matrix_synapse_container_labels_client_root_traefik_priority }} traefik.http.routers.matrix-synapse-public-client-root.priority={{ matrix_synapse_container_labels_public_client_root_traefik_priority }}
{% endif %} {% endif %}
traefik.http.routers.matrix-synapse-client-root.service=matrix-synapse-client-api traefik.http.routers.matrix-synapse-public-client-root.service=matrix-synapse-client-api
traefik.http.routers.matrix-synapse-client-root.entrypoints={{ matrix_synapse_container_labels_client_root_traefik_entrypoints }} traefik.http.routers.matrix-synapse-public-client-root.entrypoints={{ matrix_synapse_container_labels_public_client_root_traefik_entrypoints }}
traefik.http.routers.matrix-synapse-client-root.tls={{ matrix_synapse_container_labels_client_root_traefik_tls | to_json }} traefik.http.routers.matrix-synapse-public-client-root.tls={{ matrix_synapse_container_labels_public_client_root_traefik_tls | to_json }}
{% if matrix_synapse_container_labels_client_root_traefik_tls %} {% if matrix_synapse_container_labels_public_client_root_traefik_tls %}
traefik.http.routers.matrix-synapse-client-root.tls.certResolver={{ matrix_synapse_container_labels_client_root_traefik_tls_certResolver }} traefik.http.routers.matrix-synapse-public-client-root.tls.certResolver={{ matrix_synapse_container_labels_public_client_root_traefik_tls_certResolver }}
{% endif %} {% endif %}
{% endif %} {% endif %}
{# {#
/Root path (/) /Public Root path (/)
#} #}
@ -59,127 +59,148 @@ traefik.http.routers.matrix-synapse-client-root.tls.certResolver={{ matrix_synap
{% if matrix_synapse_container_labels_matrix_related_labels_enabled %} {% if matrix_synapse_container_labels_matrix_related_labels_enabled %}
{# {#
Client-API (/_matrix) Public Client-API (/_matrix)
#} #}
{% if matrix_synapse_container_labels_client_api_enabled %} {% if matrix_synapse_container_labels_public_client_api_enabled %}
traefik.http.routers.matrix-synapse-client-api.rule={{ matrix_synapse_container_labels_client_api_traefik_rule }} traefik.http.routers.matrix-synapse-public-client-api.rule={{ matrix_synapse_container_labels_public_client_api_traefik_rule }}
{% if matrix_synapse_container_labels_client_api_traefik_priority | int > 0 %} {% if matrix_synapse_container_labels_public_client_api_traefik_priority | int > 0 %}
traefik.http.routers.matrix-synapse-client-api.priority={{ matrix_synapse_container_labels_client_api_traefik_priority }} traefik.http.routers.matrix-synapse-public-client-api.priority={{ matrix_synapse_container_labels_public_client_api_traefik_priority }}
{% endif %} {% endif %}
traefik.http.routers.matrix-synapse-client-api.service=matrix-synapse-client-api traefik.http.routers.matrix-synapse-public-client-api.service=matrix-synapse-client-api
traefik.http.routers.matrix-synapse-client-api.entrypoints={{ matrix_synapse_container_labels_client_api_traefik_entrypoints }} traefik.http.routers.matrix-synapse-public-client-api.entrypoints={{ matrix_synapse_container_labels_public_client_api_traefik_entrypoints }}
traefik.http.routers.matrix-synapse-client-api.tls={{ matrix_synapse_container_labels_client_api_traefik_tls | to_json }} traefik.http.routers.matrix-synapse-public-client-api.tls={{ matrix_synapse_container_labels_public_client_api_traefik_tls | to_json }}
{% if matrix_synapse_container_labels_client_api_traefik_tls %} {% if matrix_synapse_container_labels_public_client_api_traefik_tls %}
traefik.http.routers.matrix-synapse-client-api.tls.certResolver={{ matrix_synapse_container_labels_client_api_traefik_tls_certResolver }} traefik.http.routers.matrix-synapse-public-client-api.tls.certResolver={{ matrix_synapse_container_labels_public_client_api_traefik_tls_certResolver }}
{% endif %} {% endif %}
{% endif %} {% endif %}
{# {#
/Client-API (/_matrix) /Public Client-API (/_matrix)
#}
{#
Internal Client-API (/_matrix)
#}
{% if matrix_synapse_container_labels_internal_client_api_enabled %}
traefik.http.routers.matrix-synapse-internal-client-api.rule={{ matrix_synapse_container_labels_internal_client_api_traefik_rule }}
{% if matrix_synapse_container_labels_internal_client_api_traefik_priority | int > 0 %}
traefik.http.routers.matrix-synapse-internal-client-api.priority={{ matrix_synapse_container_labels_internal_client_api_traefik_priority }}
{% endif %}
traefik.http.routers.matrix-synapse-internal-client-api.service=matrix-synapse-client-api
traefik.http.routers.matrix-synapse-internal-client-api.entrypoints={{ matrix_synapse_container_labels_internal_client_api_traefik_entrypoints }}
{% endif %}
{#
/Internal Client-API (/_matrix)
#} #}
{# {#
Synapse Admin API (/_synapse/client) Public Synapse Admin API (/_synapse/client)
#} #}
{% if matrix_synapse_container_labels_client_synapse_client_api_enabled %} {% if matrix_synapse_container_labels_public_client_synapse_client_api_enabled %}
traefik.http.routers.matrix-synapse-client-synapse-client-api.rule={{ matrix_synapse_container_labels_client_synapse_client_api_traefik_rule }} traefik.http.routers.matrix-synapse-public-client-synapse-client-api.rule={{ matrix_synapse_container_labels_public_client_synapse_client_api_traefik_rule }}
{% if matrix_synapse_container_labels_client_synapse_client_api_traefik_priority | int > 0 %} {% if matrix_synapse_container_labels_public_client_synapse_client_api_traefik_priority | int > 0 %}
traefik.http.routers.matrix-synapse-client-synapse-client-api.priority={{ matrix_synapse_container_labels_client_synapse_client_api_traefik_priority }} traefik.http.routers.matrix-synapse-public-client-synapse-client-api.priority={{ matrix_synapse_container_labels_public_client_synapse_client_api_traefik_priority }}
{% endif %} {% endif %}
traefik.http.routers.matrix-synapse-client-synapse-client-api.service=matrix-synapse-client-api traefik.http.routers.matrix-synapse-public-client-synapse-client-api.service=matrix-synapse-client-api
traefik.http.routers.matrix-synapse-client-synapse-client-api.entrypoints={{ matrix_synapse_container_labels_client_synapse_client_api_traefik_entrypoints }} traefik.http.routers.matrix-synapse-public-client-synapse-client-api.entrypoints={{ matrix_synapse_container_labels_public_client_synapse_client_api_traefik_entrypoints }}
traefik.http.routers.matrix-synapse-client-synapse-client-api.tls={{ matrix_synapse_container_labels_client_synapse_client_api_traefik_tls | to_json }} traefik.http.routers.matrix-synapse-public-client-synapse-client-api.tls={{ matrix_synapse_container_labels_public_client_synapse_client_api_traefik_tls | to_json }}
{% if matrix_synapse_container_labels_client_synapse_client_api_traefik_tls %} {% if matrix_synapse_container_labels_public_client_synapse_client_api_traefik_tls %}
traefik.http.routers.matrix-synapse-client-synapse-client-api.tls.certResolver={{ matrix_synapse_container_labels_client_synapse_client_api_traefik_tls_certResolver }} traefik.http.routers.matrix-synapse-public-client-synapse-client-api.tls.certResolver={{ matrix_synapse_container_labels_public_client_synapse_client_api_traefik_tls_certResolver }}
{% endif %} {% endif %}
{% endif %} {% endif %}
{# {#
/Synapse Admin API (/_synapse/client) /Public Synapse Admin API (/_synapse/client)
#} #}
{# {#
Synapse OIDC API (/_synapse/oidc) Public Synapse OIDC API (/_synapse/oidc)
#} #}
{% if matrix_synapse_container_labels_client_synapse_oidc_api_enabled %} {% if matrix_synapse_container_labels_public_client_synapse_oidc_api_enabled %}
traefik.http.routers.matrix-synapse-client-synapse-oidc-api.rule={{ matrix_synapse_container_labels_client_synapse_oidc_api_traefik_rule }} traefik.http.routers.matrix-synapse-public-client-synapse-oidc-api.rule={{ matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_rule }}
{% if matrix_synapse_container_labels_client_synapse_oidc_api_traefik_priority | int > 0 %} {% if matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_priority | int > 0 %}
traefik.http.routers.matrix-synapse-client-synapse-oidc-api.priority={{ matrix_synapse_container_labels_client_synapse_oidc_api_traefik_priority }} traefik.http.routers.matrix-synapse-public-client-synapse-oidc-api.priority={{ matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_priority }}
{% endif %} {% endif %}
traefik.http.routers.matrix-synapse-client-synapse-oidc-api.service=matrix-synapse-client-api traefik.http.routers.matrix-synapse-public-client-synapse-oidc-api.service=matrix-synapse-client-api
traefik.http.routers.matrix-synapse-client-synapse-oidc-api.entrypoints={{ matrix_synapse_container_labels_client_synapse_oidc_api_traefik_entrypoints }} traefik.http.routers.matrix-synapse-public-client-synapse-oidc-api.entrypoints={{ matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_entrypoints }}
traefik.http.routers.matrix-synapse-client-synapse-oidc-api.tls={{ matrix_synapse_container_labels_client_synapse_oidc_api_traefik_tls | to_json }} traefik.http.routers.matrix-synapse-public-client-synapse-oidc-api.tls={{ matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_tls | to_json }}
{% if matrix_synapse_container_labels_client_synapse_oidc_api_traefik_tls %} {% if matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_tls %}
traefik.http.routers.matrix-synapse-client-synapse-oidc-api.tls.certResolver={{ matrix_synapse_container_labels_client_synapse_oidc_api_traefik_tls_certResolver }} traefik.http.routers.matrix-synapse-public-client-synapse-oidc-api.tls.certResolver={{ matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_tls_certResolver }}
{% endif %} {% endif %}
{% endif %} {% endif %}
{# {#
/Synapse OIDC API (/_synapse/oidc) /Public Synapse OIDC API (/_synapse/oidc)
#} #}
{# {#
Synapse Admin API (/_synapse/admin) Public Synapse Admin API (/_synapse/admin)
#} #}
{% if matrix_synapse_container_labels_client_synapse_admin_api_enabled %} {% if matrix_synapse_container_labels_public_client_synapse_admin_api_enabled %}
traefik.http.routers.matrix-synapse-client-synapse-admin-api.rule={{ matrix_synapse_container_labels_client_synapse_admin_api_traefik_rule }} traefik.http.routers.matrix-synapse-public-client-synapse-admin-api.rule={{ matrix_synapse_container_labels_public_client_synapse_admin_api_traefik_rule }}
{% if matrix_synapse_container_labels_client_synapse_admin_api_traefik_priority | int > 0 %} {% if matrix_synapse_container_labels_public_client_synapse_admin_api_traefik_priority | int > 0 %}
traefik.http.routers.matrix-synapse-client-synapse-admin-api.priority={{ matrix_synapse_container_labels_client_synapse_admin_api_traefik_priority }} traefik.http.routers.matrix-synapse-public-client-synapse-admin-api.priority={{ matrix_synapse_container_labels_public_client_synapse_admin_api_traefik_priority }}
{% endif %} {% endif %}
traefik.http.routers.matrix-synapse-client-synapse-admin-api.service=matrix-synapse-client-api traefik.http.routers.matrix-synapse-public-client-synapse-admin-api.service=matrix-synapse-client-api
traefik.http.routers.matrix-synapse-client-synapse-admin-api.entrypoints={{ matrix_synapse_container_labels_client_synapse_admin_api_traefik_entrypoints }} traefik.http.routers.matrix-synapse-public-client-synapse-admin-api.entrypoints={{ matrix_synapse_container_labels_public_client_synapse_admin_api_traefik_entrypoints }}
traefik.http.routers.matrix-synapse-client-synapse-admin-api.tls={{ matrix_synapse_container_labels_client_synapse_admin_api_traefik_tls | to_json }} traefik.http.routers.matrix-synapse-public-client-synapse-admin-api.tls={{ matrix_synapse_container_labels_public_client_synapse_admin_api_traefik_tls | to_json }}
{% if matrix_synapse_container_labels_client_synapse_admin_api_traefik_tls %} {% if matrix_synapse_container_labels_public_client_synapse_admin_api_traefik_tls %}
traefik.http.routers.matrix-synapse-client-synapse-admin-api.tls.certResolver={{ matrix_synapse_container_labels_client_synapse_admin_api_traefik_tls_certResolver }} traefik.http.routers.matrix-synapse-public-client-synapse-admin-api.tls.certResolver={{ matrix_synapse_container_labels_public_client_synapse_admin_api_traefik_tls_certResolver }}
{% endif %} {% endif %}
{% endif %} {% endif %}
{# {#
/Synapse Admin API (/_synapse/admin) /Public Synapse Admin API (/_synapse/admin)
#} #}
{# {#
Federation-API (/_matrix) Public Federation-API (/_matrix)
#} #}
{% if matrix_synapse_container_labels_federation_api_enabled %} {% if matrix_synapse_container_labels_public_federation_api_enabled %}
traefik.http.routers.matrix-synapse-federation-api.rule={{ matrix_synapse_container_labels_federation_api_traefik_rule }} traefik.http.routers.matrix-synapse-public-federation-api.rule={{ matrix_synapse_container_labels_public_federation_api_traefik_rule }}
{% if matrix_synapse_container_labels_federation_api_traefik_priority | int > 0 %} {% if matrix_synapse_container_labels_public_federation_api_traefik_priority | int > 0 %}
traefik.http.routers.matrix-synapse-federation-api.priority={{ matrix_synapse_container_labels_federation_api_traefik_priority }} traefik.http.routers.matrix-synapse-public-federation-api.priority={{ matrix_synapse_container_labels_public_federation_api_traefik_priority }}
{% endif %} {% endif %}
traefik.http.routers.matrix-synapse-federation-api.service=matrix-synapse-federation-api traefik.http.routers.matrix-synapse-public-federation-api.service=matrix-synapse-federation-api
traefik.http.routers.matrix-synapse-federation-api.entrypoints={{ matrix_synapse_container_labels_federation_api_traefik_entrypoints }} traefik.http.routers.matrix-synapse-public-federation-api.entrypoints={{ matrix_synapse_container_labels_public_federation_api_traefik_entrypoints }}
traefik.http.routers.matrix-synapse-federation-api.tls={{ matrix_synapse_container_labels_federation_api_traefik_tls | to_json }} traefik.http.routers.matrix-synapse-public-federation-api.tls={{ matrix_synapse_container_labels_public_federation_api_traefik_tls | to_json }}
{% if matrix_synapse_container_labels_federation_api_traefik_tls %} {% if matrix_synapse_container_labels_public_federation_api_traefik_tls %}
traefik.http.routers.matrix-synapse-federation-api.tls.certResolver={{ matrix_synapse_container_labels_federation_api_traefik_tls_certResolver }} traefik.http.routers.matrix-synapse-public-federation-api.tls.certResolver={{ matrix_synapse_container_labels_public_federation_api_traefik_tls_certResolver }}
{% endif %} {% endif %}
{% endif %} {% endif %}
{# {#
/Federation-API (/_matrix) /Public Federation-API (/_matrix)
#} #}
{# {#
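
Review bot: the new `matrix-synapse-internal-client-api` router emits no `tls` labels and no middlewares, yet it targets the same `matrix-synapse-client-api` service as the public routers, so its isolation rests entirely on whichever entrypoint `matrix_synapse_container_labels_internal_client_api_traefik_entrypoints` names. Suggest a short Jinja comment inside the `Internal Client-API (/_matrix)` block stating that this entrypoint must not be published outside the container network, so a later edit does not point it at a public entrypoint by mistake. Separately, the comment pair rewritten to `Public Synapse Admin API (/_synapse/client)` wraps the `public_client_synapse_client_api` block, so it should read "Public Synapse Client API"; the actual Admin API block (`/_synapse/admin`) follows further down with the same label.
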
@ -194,41 +215,41 @@ traefik.http.routers.matrix-synapse-federation-api.tls.certResolver={{ matrix_sy
{# {#
Metrics (e.g. /metrics/synapse/main-process) Public Metrics (e.g. /metrics/synapse/main-process)
#} #}
{% if matrix_synapse_container_labels_metrics_enabled %} {% if matrix_synapse_container_labels_public_metrics_enabled %}
{% set metrics_middlewares = [] %} {% set metrics_middlewares = [] %}
{% if matrix_synapse_container_labels_metrics_middleware_basic_auth_enabled %} {% if matrix_synapse_container_labels_public_metrics_middleware_basic_auth_enabled %}
{% set metrics_middlewares = metrics_middlewares + ['matrix-synapse-metrics-basic-auth'] %} {% set metrics_middlewares = metrics_middlewares + ['matrix-synapse-metrics-basic-auth'] %}
traefik.http.middlewares.matrix-synapse-metrics-basic-auth.basicauth.users={{ matrix_synapse_container_labels_metrics_middleware_basic_auth_users }} traefik.http.middlewares.matrix-synapse-metrics-basic-auth.basicauth.users={{ matrix_synapse_container_labels_public_metrics_middleware_basic_auth_users }}
{% endif %} {% endif %}
{% set metrics_middlewares = metrics_middlewares + ['matrix-synapse-metrics-replacepath'] %} {% set metrics_middlewares = metrics_middlewares + ['matrix-synapse-metrics-replacepath'] %}
traefik.http.middlewares.matrix-synapse-metrics-replacepath.replacepath.path=/_synapse/metrics traefik.http.middlewares.matrix-synapse-metrics-replacepath.replacepath.path=/_synapse/metrics
traefik.http.routers.matrix-synapse-metrics.rule={{ matrix_synapse_container_labels_metrics_traefik_rule }} traefik.http.routers.matrix-synapse-metrics.rule={{ matrix_synapse_container_labels_public_metrics_traefik_rule }}
{% if metrics_middlewares | length > 0 %} {% if metrics_middlewares | length > 0 %}
traefik.http.routers.matrix-synapse-metrics.middlewares={{ metrics_middlewares | join(',') }} traefik.http.routers.matrix-synapse-metrics.middlewares={{ metrics_middlewares | join(',') }}
{% endif %} {% endif %}
{% if matrix_synapse_container_labels_metrics_traefik_priority | int > 0 %} {% if matrix_synapse_container_labels_public_metrics_traefik_priority | int > 0 %}
traefik.http.routers.matrix-synapse-metrics.priority={{ matrix_synapse_container_labels_metrics_traefik_priority }} traefik.http.routers.matrix-synapse-metrics.priority={{ matrix_synapse_container_labels_public_metrics_traefik_priority }}
{% endif %} {% endif %}
traefik.http.routers.matrix-synapse-metrics.service=matrix-synapse-metrics traefik.http.routers.matrix-synapse-metrics.service=matrix-synapse-metrics
traefik.http.routers.matrix-synapse-metrics.entrypoints={{ matrix_synapse_container_labels_metrics_traefik_entrypoints }} traefik.http.routers.matrix-synapse-metrics.entrypoints={{ matrix_synapse_container_labels_public_metrics_traefik_entrypoints }}
traefik.http.routers.matrix-synapse-metrics.tls={{ matrix_synapse_container_labels_metrics_traefik_tls | to_json }} traefik.http.routers.matrix-synapse-metrics.tls={{ matrix_synapse_container_labels_public_metrics_traefik_tls | to_json }}
{% if matrix_synapse_container_labels_metrics_traefik_tls %} {% if matrix_synapse_container_labels_public_metrics_traefik_tls %}
traefik.http.routers.matrix-synapse-metrics.tls.certResolver={{ matrix_synapse_container_labels_metrics_traefik_tls_certResolver }} traefik.http.routers.matrix-synapse-metrics.tls.certResolver={{ matrix_synapse_container_labels_public_metrics_traefik_tls_certResolver }}
{% endif %} {% endif %}
{% endif %} {% endif %}
{# {#
/Metrics (e.g. /metrics/synapse/main-process) /Public Metrics (e.g. /metrics/synapse/main-process)
#} #}
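
Review bot: in this block the variables gain the `public_` prefix but the router and middleware names stay `matrix-synapse-metrics`, `matrix-synapse-metrics-basic-auth` and `matrix-synapse-metrics-replacepath`, while the routers in the other hunks of this file are renamed to `matrix-synapse-public-*`. If an internal metrics router is added later, these names will either collide or need a second rename. Suggest renaming them now to `matrix-synapse-public-metrics*`, or adding a line to the `Public Metrics` comment explaining why they are left unprefixed.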

View File

@ -13,7 +13,7 @@ scrape_configs:
- job_name: 'synapse' - job_name: 'synapse'
metrics_path: /metrics/synapse/main-process metrics_path: /metrics/synapse/main-process
scheme: https scheme: https
{% if matrix_synapse_container_labels_metrics_middleware_basic_auth_enabled|default(true) %} {% if matrix_synapse_container_labels_public_metrics_middleware_basic_auth_enabled|default(true) %}
basic_auth: basic_auth:
username: prometheus username: prometheus
password_file: /path/to/your/passwordfile.pwd password_file: /path/to/your/passwordfile.pwd
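
Review bot: the `|default(true)` on the `{% if %}` line is the only place in this diff where `matrix_synapse_container_labels_public_metrics_middleware_basic_auth_enabled` gets a fallback; the labels template tests the same variable bare before attaching `matrix-synapse-metrics-basic-auth`. If the variable is ever undefined, this sample would still emit a `basic_auth:` section while the router side takes a different path, so the generated scrape config and the actual protection on the metrics endpoint can disagree. Suggest dropping the filter here, or applying the same fallback in both templates.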

View File

@ -90,10 +90,10 @@
- {'old': 'matrix_nginx_proxy_base_domain_create_directory', 'new': '<no longer necessary; see matrix_static_files_file_index_html_enabled>'} - {'old': 'matrix_nginx_proxy_base_domain_create_directory', 'new': '<no longer necessary; see matrix_static_files_file_index_html_enabled>'}
- {'old': 'matrix_nginx_proxy_proxy_riot_compat_redirect_enabled', 'new': '<redirecting the riot domain to an element domain is no longer supported - you can implement it yourself using matrix_client_element_container_labels_additional_labels>'} - {'old': 'matrix_nginx_proxy_proxy_riot_compat_redirect_enabled', 'new': '<redirecting the riot domain to an element domain is no longer supported - you can implement it yourself using matrix_client_element_container_labels_additional_labels>'}
- {'old': 'matrix_nginx_proxy_proxy_riot_compat_redirect_hostname', 'new': '<redirecting the riot domain to an element domain is no longer supported - you can implement it yourself using matrix_client_element_container_labels_additional_labels>'} - {'old': 'matrix_nginx_proxy_proxy_riot_compat_redirect_hostname', 'new': '<redirecting the riot domain to an element domain is no longer supported - you can implement it yourself using matrix_client_element_container_labels_additional_labels>'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain', 'new': '<superseded by matrix_synapse_container_labels_client_root_redirection_* or other equivalent variables based on the homeserver implementation you use>'} - {'old': 'matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain', 'new': '<superseded by matrix_synapse_container_labels_public_client_root_redirection_* or other equivalent variables based on the homeserver implementation you use>'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled', 'new': 'matrix_synapse_container_labels_client_synapse_client_api_enabled'} - {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled', 'new': 'matrix_synapse_container_labels_public_client_synapse_client_api_enabled'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled', 'new': 'matrix_synapse_container_labels_client_synapse_oidc_api_enabled'} - {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled', 'new': 'matrix_synapse_container_labels_public_client_synapse_oidc_api_enabled'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled', 'new': 'matrix_synapse_container_labels_client_synapse_admin_api_enabled'} - {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled', 'new': 'matrix_synapse_container_labels_public_client_synapse_admin_api_enabled'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_enabled', 'new': '<superseded by matrix_ma1sd_container_labels_traefik_enabled and matrix_ma1sd_container_labels_matrix_identity_enabled>'} - {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_enabled', 'new': '<superseded by matrix_ma1sd_container_labels_traefik_enabled and matrix_ma1sd_container_labels_matrix_identity_enabled>'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container', 'new': '<removed>'} - {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container', 'new': '<removed>'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container', 'new': '<removed>'} - {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container', 'new': '<removed>'}
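
Review bot: the `new` values are updated to the `public_` names, but the visible list gains no entry for the names this commit itself retires, for example `matrix_synapse_container_labels_client_synapse_admin_api_enabled` or `matrix_synapse_container_labels_federation_api_enabled`. An inventory that still sets those would be ignored without any error, and the operator would not learn that the exposure settings they wrote no longer apply. Suggest adding `old`/`new` pairs for the renamed `matrix_synapse_container_labels_*` variables in whichever validation list the Synapse role uses for its own renames.
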
@ -122,7 +122,7 @@
- {'old': 'matrix_nginx_proxy_proxy_dendrite_federation_api_addr_sans_container', 'new': '<removed>'} - {'old': 'matrix_nginx_proxy_proxy_dendrite_federation_api_addr_sans_container', 'new': '<removed>'}
- {'old': 'matrix_nginx_proxy_proxy_dendrite_additional_server_configuration_blocks', 'new': '<removed>'} - {'old': 'matrix_nginx_proxy_proxy_dendrite_additional_server_configuration_blocks', 'new': '<removed>'}
- {'old': 'matrix_nginx_proxy_proxy_synapse_enabled', 'new': 'matrix_synapse_container_labels_traefik_enabled'} - {'old': 'matrix_nginx_proxy_proxy_synapse_enabled', 'new': 'matrix_synapse_container_labels_traefik_enabled'}
- {'old': 'matrix_nginx_proxy_proxy_synapse_federation_api_enabled', 'new': 'matrix_synapse_container_labels_federation_api_enabled'} - {'old': 'matrix_nginx_proxy_proxy_synapse_federation_api_enabled', 'new': 'matrix_synapse_container_labels_public_federation_api_enabled'}
- {'old': 'matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container', 'new': '<removed>'} - {'old': 'matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container', 'new': '<removed>'}
- {'old': 'matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container', 'new': '<removed>'} - {'old': 'matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container', 'new': '<removed>'}
- {'old': 'matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container', 'new': '<removed>'} - {'old': 'matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container', 'new': '<removed>'}