Merge remote-tracking branch 'origin/master' into synapse-workers

Also, replace vague FIXME by a proper NOTE on the complete
story of the user_dir endpoints..
This commit is contained in:
Marcel Partap 2020-11-11 21:23:37 +01:00
commit 4678c5d7bd
28 changed files with 453 additions and 45 deletions

View File

@ -1,3 +1,42 @@
# 2020-11-10
## Dynamic DNS support
Thanks to [Scott Crossen](https://github.com/scottcrossen), the playbook can now manage Dynamic DNS for you using [ddclient](https://ddclient.net/).
To learn more, follow our [Dynamic DNS docs page](docs/configuring-playbook-dynamic-dns.md).
# 2020-10-28
## (Compatibility Break) https://matrix.DOMAIN/ now redirects to https://element.DOMAIN/
Until now, we used to serve a static page coming from Synapse at `https://matrix.DOMAIN/`. This page was not very useful to anyone.
Since `matrix.DOMAIN` may be accessed by regular users in certain conditions, it's probably better to redirect them to a better place (e.g. to the [Element](docs/configuring-playbook-client-element.md) client).
If Element is installed (`matrix_client_element_enabled: true`, which it is by default), we now redirect people to it, instead of showing them a Synapse static page.
If you'd like to control where the redirect goes, use the `matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain` variable.
To restore the old behavior of not redirecting anywhere and serving the Synapse static page, set it to an empty value (`matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: ""`).
# 2020-10-26
## (Compatibility Break) /_synapse/admin is no longer publicly exposed by default
We used to expose the Synapse Admin APIs publicly (at `https://matrix.DOMAIN/_synapse/admin`).
These APIs require authentication with a valid access token, so it's not that big a deal to expose them.
However, following [official Synapse's reverse-proxying recommendations](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints), we're no longer exposing `/_synapse/admin` by default.
If you'd like to restore restore the old behavior and expose `/_synapse/admin` publicly, you can use the following configuration (in your `vars.yml`):
```yaml
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true
```
# 2020-10-02 # 2020-10-02
## Minimum Ansible version raised to v2.7.0 ## Minimum Ansible version raised to v2.7.0

View File

@ -128,7 +128,7 @@ This playbook sets up your server using the following Docker images:
- [instrumentisto/coturn](https://hub.docker.com/r/instrumentisto/coturn/) - the [Coturn](https://github.com/coturn/coturn) STUN/TURN server (optional) - [instrumentisto/coturn](https://hub.docker.com/r/instrumentisto/coturn/) - the [Coturn](https://github.com/coturn/coturn) STUN/TURN server (optional)
- [vectorim/riot-web](https://hub.docker.com/r/vectorim/riot-web/) - the [Element](https://element.io/) web client (optional) - [vectorim/element-web](https://hub.docker.com/r/vectorim/element-web/) - the [Element](https://element.io/) web client (optional)
- [ma1uta/ma1sd](https://hub.docker.com/r/ma1uta/ma1sd/) - the [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server (optional) - [ma1uta/ma1sd](https://hub.docker.com/r/ma1uta/ma1sd/) - the [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server (optional)

View File

@ -34,7 +34,7 @@ DNS records marked with `(*)` above are optional. They refer to services that wi
As the table above illustrates, you need to create 2 subdomains (`matrix.<your-domain>` and `element.<your-domain>`) and point both of them to your new server's IP address (DNS `A` record or `CNAME` record is fine). As the table above illustrates, you need to create 2 subdomains (`matrix.<your-domain>` and `element.<your-domain>`) and point both of them to your new server's IP address (DNS `A` record or `CNAME` record is fine).
The `element.<your-domain>` subdomain is necessary, because this playbook installs the [Element](https://github.com/vector-im/riot-web) web client for you. The `element.<your-domain>` subdomain is necessary, because this playbook installs the [Element](https://github.com/vector-im/element-web) web client for you.
If you'd rather instruct the playbook not to install Element (`matrix_client_element_enabled: false` when [Configuring the playbook](configuring-playbook.md) later), feel free to skip the `element.<your-domain>` DNS record. If you'd rather instruct the playbook not to install Element (`matrix_client_element_enabled: false` when [Configuring the playbook](configuring-playbook.md) later), feel free to skip the `element.<your-domain>` DNS record.
The `dimension.<your-domain>` subdomain may be necessary, because this playbook could install the [Dimension integrations manager](http://dimension.t2bot.io/) for you. Dimension installation is disabled by default, because it's only possible to install it after the other Matrix services are working (see [Setting up Dimension](configuring-playbook-dimension.md) later). If you do not wish to set up Dimension, feel free to skip the `dimension.<your-domain>` DNS record. The `dimension.<your-domain>` subdomain may be necessary, because this playbook could install the [Dimension integrations manager](http://dimension.t2bot.io/) for you. Dimension installation is disabled by default, because it's only possible to install it after the other Matrix services are working (see [Setting up Dimension](configuring-playbook-dimension.md) later). If you do not wish to set up Dimension, feel free to skip the `dimension.<your-domain>` DNS record.

View File

@ -1,6 +1,6 @@
# Configuring Element (optional) # Configuring Element (optional)
By default, this playbook installs the [Element](https://github.com/vector-im/riot-web) Matrix client web application. By default, this playbook installs the [Element](https://github.com/vector-im/element-web) Matrix client web application.
If that's okay, you can skip this document. If that's okay, you can skip this document.

View File

@ -0,0 +1,27 @@
# Dynamic DNS
## Setup
Most cloud providers / ISPs will charge you extra for a static IP address. If you're
not hosting a highly reliable homeserver you can workaround this via dynamic DNS. To
set this up, you'll need to get the username/password from your DNS provider. For
google domains, this process is described [here](https://support.google.com/domains/answer/6147083).
After you've gotten the proper credentials you can add the following config to your `inventory/host_vars/matrix.DOMAIN/vars.yml`:
```yaml
matrix_dynamic_dns_enabled: true
matrix_dynamic_dns_domain_configurations:
- provider: domains.google.com
protocol: dyndn2
username: XXXXXXXXXXXXXXXX
password: XXXXXXXXXXXXXXXX
domain: "{{ matrix_domain }}"
```
## Additional Reading
Additional resources:
- https://matrix.org/docs/guides/free-small-matrix-server

View File

@ -23,3 +23,12 @@ matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses:
- 8.8.8.8 - 8.8.8.8
- 1.1.1.1 - 1.1.1.1
``` ```
## Synapse + OpenID Connect for Single-Sign-On
If you want to use OpenID Connect as an SSO provider (as per the [Synapse OpenID docs](https://github.com/matrix-org/synapse/blob/develop/docs/openid.md)), you need to use the following configuration (in your `vars.yml` file) to instruct nginx to forward `/_synapse/oidc` to Synapse:
```yaml
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled: true
```

View File

@ -193,3 +193,38 @@ Note that this configuration on its own does **not** redirect traffic on port 80
scheme = "https" scheme = "https"
permanent = true permanent = true
``` ```
You can use the following `docker-compose.yml` as example to launch Traefik.
```yaml
version: "3.3"
services:
traefik:
image: "traefik:v2.3"
restart: always
container_name: "traefik"
networks:
- traefik
command:
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.network=traefik"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web-secure.address=:443"
- "--entrypoints.synapse.address=:8448"
- "--certificatesresolvers.default.acme.tlschallenge=true"
- "--certificatesresolvers.default.acme.email=YOUR EMAIL"
- "--certificatesresolvers.default.acme.storage=/letsencrypt/acme.json"
ports:
- "443:443"
- "8080:8080"
volumes:
- "./letsencrypt:/letsencrypt"
- "/var/run/docker.sock:/var/run/docker.sock:ro"
networks:
traefik:
external: true
```

View File

@ -15,6 +15,8 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.
matrix_synapse_admin_enabled: true matrix_synapse_admin_enabled: true
``` ```
**Note**: Synapse Admin requires Synapse's [Admin APIs](https://github.com/matrix-org/synapse/tree/master/docs/admin_api) to function. Access to them is restricted with a valid access token, so exposing them publicly should not be a real security concern. Still, for additional security, we normally leave them unexposed, following [official Synapse reverse-proxying recommendations](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints). Because Synapse Admin needs these APIs to function, when installing Synapse Admin, we **automatically** exposes them publicly for you (equivalent to `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true`).
## Installing ## Installing

View File

@ -38,3 +38,8 @@ In case any problems occur, make sure to have a look at the [list of synapse iss
## Synapse Admin ## Synapse Admin
Certain Synapse administration tasks (managing users and rooms, etc.) can be performed via a web user-interace, if you install [Synapse Admin](configuring-playbook-synapse-admin.md). Certain Synapse administration tasks (managing users and rooms, etc.) can be performed via a web user-interace, if you install [Synapse Admin](configuring-playbook-synapse-admin.md).
## Synapse + OpenID Connect for Single-Sign-On
If you'd like to use OpenID Connect authentication with Synapse, you'll need some additional reverse-proxy configuration (see [our nginx reverse-proxy doc page](configuring-playbook-nginx.md#synapse-openid-connect-for-single-sign-on)).

View File

@ -33,6 +33,7 @@ When you're done with all the configuration you'd like to do, continue with [Ins
- [Setting up the Jitsi video-conferencing platform](configuring-playbook-jitsi.md) (optional) - [Setting up the Jitsi video-conferencing platform](configuring-playbook-jitsi.md) (optional)
- [Setting Dynamic DNS](configuring-playbook-dynamic-dns.md) (optional)
### Core service adjustments ### Core service adjustments

View File

@ -89,7 +89,7 @@ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: /matrix/ssl/
If your files are not in `/matrix/ssl` but in some other location, you would need to mount them into the container: If your files are not in `/matrix/ssl` but in some other location, you would need to mount them into the container:
```yaml ```yaml
matrix_synapse_container_extra_arguments: matrix_nginx_proxy_container_extra_arguments:
- "--mount type=bind,src=/some/path/on/the/host,dst=/some/path/inside/the/container,ro" - "--mount type=bind,src=/some/path/on/the/host,dst=/some/path/inside/the/container,ro"
``` ```

View File

@ -43,6 +43,8 @@
AllowEncodedSlashes NoDecode AllowEncodedSlashes NoDecode
ProxyPass /_matrix http://127.0.0.1:8008/_matrix retry=0 nocanon ProxyPass /_matrix http://127.0.0.1:8008/_matrix retry=0 nocanon
ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix
ProxyPass /_synapse/client http://127.0.0.1:8008/_synapse/client retry=0 nocanon
ProxyPassReverse /_synapse/client http://127.0.0.1:8008/_synapse/client
# Map /.well-known/matrix/client for client discovery # Map /.well-known/matrix/client for client discovery
Alias /.well-known/matrix/client /matrix/static-files/.well-known/matrix/client Alias /.well-known/matrix/client /matrix/static-files/.well-known/matrix/client

View File

@ -21,9 +21,11 @@ https://matrix.DOMAIN {
} }
# Synapse Client<>Server API # Synapse Client<>Server API
proxy / matrix-synapse:8008 { proxy /_matrix matrix-synapse:8008 {
transparent
except /_matrix/identity/ /_matrix/client/r0/user_directory/search
}
proxy /_synapse/client matrix-synapse:8008 {
transparent transparent
except /.well-known/ /_matrix/identity/ /_matrix/client/r0/user_directory/search
} }
} }

View File

@ -619,6 +619,23 @@ matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:{{ 8048 if mat
###################################################################### ######################################################################
######################################################################
#
# matrix-dynamic-dns
#
######################################################################
matrix_dynamic_dns_enabled: false
######################################################################
#
# /matrix-dynamic-dns
#
######################################################################
###################################################################### ######################################################################
# #
# matrix-email2matrix # matrix-email2matrix
@ -769,6 +786,10 @@ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "{{ 'matrix-corp
matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "{{ '127.0.0.1:41080' if matrix_corporal_enabled else '127.0.0.1:8008' }}" matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "{{ '127.0.0.1:41080' if matrix_corporal_enabled else '127.0.0.1:8008' }}"
matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: "{{ matrix_synapse_max_upload_size_mb }}" matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: "{{ matrix_synapse_max_upload_size_mb }}"
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: "{{ matrix_synapse_admin_enabled }}"
matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: "{{ matrix_server_fqn_element if matrix_client_element_enabled else '' }}"
matrix_nginx_proxy_proxy_matrix_enabled: true matrix_nginx_proxy_proxy_matrix_enabled: true
matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled }}" matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled }}"
matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}"
@ -842,6 +863,8 @@ matrix_ssl_architecture: "{{
}[matrix_architecture] }[matrix_architecture]
}}" }}"
matrix_ssl_pre_obtaining_required_service_name: "{{ 'matrix-dynamic-dns' if matrix_dynamic_dns_enabled else '' }}"
###################################################################### ######################################################################
# #
# /matrix-nginx-proxy # /matrix-nginx-proxy
@ -942,7 +965,7 @@ matrix_client_element_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matr
# #
###################################################################### ######################################################################
matrix_synapse_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" matrix_synapse_container_image_self_build: "{{ matrix_architecture not in ['arm32', 'arm64', 'amd64'] }}"
# When ma1sd is enabled, we can use it to validate email addresses and phone numbers. # When ma1sd is enabled, we can use it to validate email addresses and phone numbers.
# Synapse can validate email addresses by itself as well, but it's probably not what we want by default when we have an identity server. # Synapse can validate email addresses by itself as well, but it's probably not what we want by default when we have an identity server.

View File

@ -2,7 +2,7 @@ matrix_client_element_enabled: true
matrix_client_element_container_image_self_build: false matrix_client_element_container_image_self_build: false
matrix_client_element_docker_image: "vectorim/riot-web:v1.7.10" matrix_client_element_docker_image: "vectorim/element-web:v1.7.13"
matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}" matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"
matrix_client_element_data_path: "{{ matrix_base_data_path }}/client-element" matrix_client_element_data_path: "{{ matrix_base_data_path }}/client-element"

View File

@ -0,0 +1,43 @@
# Whether dynamic dns is enabled
matrix_dynamic_dns_enabled: true
# The dynamic dns daemon interval
matrix_dynamic_dns_daemon_interval: '300'
# The docker container to use when in mode
matrix_dynamic_dns_docker_image: 'linuxserver/ddclient:v3.9.1-ls45'
# The image to force pull
matrix_dynamic_dns_docker_image_force_pull: "{{ matrix_dynamic_dns_docker_image.endswith(':latest') }}"
# List of extra arguments to pass to the ontainer mode
matrix_dynamic_dns_container_extra_arguments: []
# List of wanted services when running in mode
matrix_dynamic_dns_systemd_wanted_services_list: []
# List of required services when running in mode
matrix_dynamic_dns_systemd_required_services_list: ['docker.service']
# Build the container from source when running in mode
matrix_dynamic_dns_container_image_self_build: false
# Config paths
matrix_dynamic_dns_base_path: "{{ matrix_base_data_path }}/dynamic-dns"
matrix_dynamic_dns_config_path: "{{ matrix_dynamic_dns_base_path }}/config"
matrix_dynamic_dns_docker_src_files_path: "{{ matrix_dynamic_dns_base_path }}/docker-src"
# Holds the configurations (the domains to update DNS for, the providers they use, etc.)
#
# Example:
# matrix_dynamic_dns_domain_configurations:
# - provider: domains.google.com
# protocol: dyndn2
# username: XXXXXXXXXXXXXXXX
# password: XXXXXXXXXXXXXXXX
# domain: "{{ matrix_domain }}"
matrix_dynamic_dns_domain_configurations: []
# Config options
matrix_dynamic_dns_additional_configuration_blocks: []
matrix_dynamic_dns_use: "web"

View File

@ -0,0 +1,3 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dynamic-dns'] }}"
when: "matrix_dynamic_dns_enabled|bool"

View File

@ -0,0 +1,59 @@
---
- name: Ensure Dynamic DNS image is pulled
docker_image:
name: "{{ matrix_dynamic_dns_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_dynamic_dns_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dynamic_dns_docker_image_force_pull }}"
when: matrix_dynamic_dns_enabled|bool and not matrix_dynamic_dns_container_image_self_build
- name: Ensure Dynamic DNS paths exist
file:
path: "{{ item.path }}"
state: directory
mode: 0751
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_dynamic_dns_base_path }}", when: true }
- { path: "{{ matrix_dynamic_dns_config_path }}", when: true }
- { path: "{{ matrix_dynamic_dns_docker_src_files_path }}", when: "{{ matrix_dynamic_dns_container_image_self_build }}" }
when: matrix_dynamic_dns_enabled|bool and item.when|bool
- name: Ensure Dynamic DNS repository is present on self build
git:
repo: https://github.com/linuxserver/docker-ddclient.git
dest: "{{ matrix_dynamic_dns_docker_src_files_path }}"
force: "yes"
when: "matrix_dynamic_dns_enabled|bool and matrix_dynamic_dns_container_image_self_build"
- name: Ensure Dynamic DNS Docker image is built
docker_image:
name: "{{ matrix_dynamic_dns_docker_image }}"
source: build
build:
dockerfile: Dockerfile
path: "{{ matrix_dynamic_dns_docker_src_files_path }}"
pull: yes
when: "matrix_dynamic_dns_enabled|bool and matrix_dynamic_dns_container_image_self_build"
- name: Ensure Dynamic DNS ddclient.conf installed
template:
src: "{{ role_path }}/templates/ddclient.conf.j2"
dest: "{{ matrix_dynamic_dns_config_path }}/ddclient.conf"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure matrix-dynamic-dns.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-dynamic-dns.service.j2"
dest: "/etc/systemd/system/matrix-dynamic-dns.service"
mode: 0644
register: matrix_dynamic_dns_systemd_service_result
- name: Ensure systemd reloaded after matrix-dynamic-dns.service installation
service:
daemon_reload: yes
when: "matrix_dynamic_dns_systemd_service_result.changed"

View File

@ -0,0 +1,21 @@
- import_tasks: "{{ role_path }}/tasks/init.yml"
tags:
- always
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup|bool and matrix_dynamic_dns_enabled|bool"
tags:
- setup-all
- setup-dynamic-dns
- import_tasks: "{{ role_path }}/tasks/install.yml"
when: "run_setup|bool and matrix_dynamic_dns_enabled|bool"
tags:
- setup-all
- setup-dynamic-dns
- import_tasks: "{{ role_path }}/tasks/uninstall.yml"
when: "run_setup|bool and not matrix_dynamic_dns_enabled|bool"
tags:
- setup-all
- setup-dynamic-dns

View File

@ -0,0 +1,24 @@
---
- name: Check existence of matrix-dynamic-dns service
stat:
path: "{{ matrix_systemd_path }}/matrix-dynamic-dns.service"
register: matrix_dynamic_dns_service_stat
- name: Ensure matrix-dynamic-dns is stopped
service:
name: matrix-dynamic-dns
state: stopped
daemon_reload: yes
when: "matrix_dynamic_dns_service_stat.stat.exists"
- name: Ensure matrix-dynamic-dns.service doesn't exist
file:
path: "{{ matrix_systemd_path }}/matrix-dynamic-dns.service"
state: absent
when: "matrix_dynamic_dns_service_stat.stat.exists"
- name: Ensure systemd reloaded after matrix-dynamic-dns.service removal
service:
daemon_reload: yes
when: "matrix_dynamic_dns_service_stat.stat.exists"

View File

@ -0,0 +1,16 @@
---
- name: Fail if no configurations specified
fail:
msg: >-
You need to define at least one configuration in `matrix_dynamic_dns_domain_configurations` for using matrix-dynamic-dns.
when: "matrix_dynamic_dns_domain_configurations|length == 0"
- name: Fail if required settings not defined in configuration blocks
fail:
msg: >-
One of the configurations in matrix_dynamic_dns_domain_configurations is missing a required key (domain, provider, protocol).
when: "'domain' not in configuration or 'provider' not in configuration or 'protocol' not in configuration"
with_items: "{{ matrix_dynamic_dns_domain_configurations }}"
loop_control:
loop_var: configuration

View File

@ -0,0 +1,26 @@
daemon={{ matrix_dynamic_dns_daemon_interval }}
syslog=no
pid=/var/run/ddclient/ddclient.pid
ssl=yes
use={{ matrix_dynamic_dns_use }}
{% for dynamic_dns_domain_configuration in matrix_dynamic_dns_domain_configurations %}
protocol={{ dynamic_dns_domain_configuration.protocol }}
server={{ dynamic_dns_domain_configuration.provider }} {% if 'username' in dynamic_dns_domain_configuration %}
login='{{ dynamic_dns_domain_configuration.username }}' {% endif %} {% if 'password' in dynamic_dns_domain_configuration %}
password='{{ dynamic_dns_domain_configuration.password }}' {% endif %} {% if 'static' in dynamic_dns_domain_configuration %}
static=yes {% endif %} {% if 'custom' in dynamic_dns_domain_configuration %}
custom=yes {% endif %} {% if 'zone' in dynamic_dns_domain_configuration %}
zone={{ dynamic_dns_domain_configuration.zone }} {% endif %} {% if 'ttl' in dynamic_dns_domain_configuration %}
ttl={{ dynamic_dns_domain_configuration.ttl }} {% endif %} {% if 'mx' in dynamic_dns_domain_configuration %}
mx={{ dynamic_dns_domain_configuration.mx }} {% endif %} {% if 'wildcard' in dynamic_dns_domain_configuration %}
wildcard=yes {% endif %}
{{ dynamic_dns_domain_configuration.domain }}
{% endfor %}
{% for matrix_dynamic_dns_additional_configuration in matrix_dynamic_dns_additional_configuration_blocks %}
{{ matrix_dynamic_dns_additional_configuration }}
{% endfor %}

View File

@ -0,0 +1,34 @@
#jinja2: lstrip_blocks: "True"
[Unit]
Description=Matrix Dynamic DNS
{% for service in matrix_dynamic_dns_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
{% for service in matrix_dynamic_dns_systemd_wanted_services_list %}
Wants={{ service }}
{% endfor %}
[Service]
Type=simple
ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dynamic-dns
ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dynamic-dns
ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dynamic-dns \
--log-driver=none \
--network={{ matrix_docker_network }} \
-e PUID={{ matrix_user_uid }} \
-e PGID={{ matrix_user_gid }} \
-v {{ matrix_dynamic_dns_config_path }}:/config:z \
{% for arg in matrix_dynamic_dns_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_dynamic_dns_docker_image }}
ExecStop=-{{ matrix_host_command_docker }} kill matrix-dynamic-dns
ExecStop=-{{ matrix_host_command_docker }} rm matrix-dynamic-dns
Restart=always
RestartSec=30
SyslogIdentifier=matrix-dynamic-dns
[Install]
WantedBy=multi-user.target

View File

@ -3,7 +3,7 @@ matrix_nginx_proxy_enabled: true
# We use an official nginx image, which we fix-up to run unprivileged. # We use an official nginx image, which we fix-up to run unprivileged.
# An alternative would be an `nginxinc/nginx-unprivileged` image, but # An alternative would be an `nginxinc/nginx-unprivileged` image, but
# that is frequently out of date. # that is frequently out of date.
matrix_nginx_proxy_docker_image: "nginx:1.19.3-alpine" matrix_nginx_proxy_docker_image: "nginx:1.19.4-alpine"
matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}" matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}"
matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy" matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy"
@ -147,7 +147,39 @@ matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: ""
matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-synapse:8008" matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-synapse:8008"
matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:8008" matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:8008"
# This needs to be equal or higher than the maximum upload size accepted by Synapse. # This needs to be equal or higher than the maximum upload size accepted by Synapse.
matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 25 matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 50
# Tells whether `/_synapse/client` is forwarded to the Matrix Client API server.
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled: true
# Tells whether `/_synapse/oidc` is forwarded to the Matrix Client API server.
# Enable this if you need OpenID Connect authentication support.
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled: false
# Tells whether `/_synapse/admin` is forwarded to the Matrix Client API server.
# Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't.
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: false
# `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefixes` holds
# the location prefixes that get forwarded to the Matrix Client API server.
# These locations get combined into a regex like this `^(/_matrix|/_synapse/client)`.
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: |
{{
(['/_matrix'])
+
(['/_synapse/client'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled else [])
+
(['/_synapse/oidc'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled else [])
+
(['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else [])
}}
# Specifies where requests for the root URI (`/`) on the `matrix.` domain should be redirected.
# If this has an empty value, they're just passed to the homeserver, which serves a static page.
# If you'd like to make `https://matrix.DOMAIN` redirect to `https://element.DOMAIN` (or something of that sort), specify the domain name here.
# Example value: `element.DOMAIN` (or `{{ matrix_server_fqn_element }}`).
matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: ""
# Controls whether proxying for the Matrix Federation API should be done. # Controls whether proxying for the Matrix Federation API should be done.
matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false
@ -243,6 +275,10 @@ matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"
matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config" matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"
matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log" matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"
# If you'd like to start some service before a certificate is obtained, specify it here.
# This could be something like `matrix-dynamic-dns`, etc.
matrix_ssl_pre_obtaining_required_service_name: ~
matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60
# nginx status page configurations. # nginx status page configurations.
matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: false matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: false

View File

@ -12,6 +12,19 @@
- set_fact: - set_fact:
domain_name_needs_cert: "{{ not domain_name_certificate_path_stat.stat.exists }}" domain_name_needs_cert: "{{ not domain_name_certificate_path_stat.stat.exists }}"
- block:
- name: Ensure required service for obtaining is started
service:
name: "{{ matrix_ssl_pre_obtaining_required_service_name }}"
state: started
register: matrix_ssl_pre_obtaining_required_service_start_result
- name: Wait some time, so that the required service for obtaining can start
wait_for:
timeout: "{{ matrix_ssl_service_to_start_before_obtaining_start_wait_time_seconds }}"
when: "matrix_ssl_pre_obtaining_required_service_start_result.changed|bool"
when: "domain_name_needs_cert|bool and matrix_ssl_pre_obtaining_required_service_name != ''"
# This will fail if there is something running on port 80 (like matrix-nginx-proxy). # This will fail if there is something running on port 80 (like matrix-nginx-proxy).
# We suppress the error, as we'll try another method below. # We suppress the error, as we'll try another method below.
- name: Attempt initial SSL certificate retrieval with standalone authenticator (directly) - name: Attempt initial SSL certificate retrieval with standalone authenticator (directly)

View File

@ -34,7 +34,7 @@
{% endif %} {% endif %}
{% if matrix_nginx_proxy_proxy_matrix_corporal_api_enabled %} {% if matrix_nginx_proxy_proxy_matrix_corporal_api_enabled %}
location /_matrix/corporal { location ^~ /_matrix/corporal {
{% if matrix_nginx_proxy_enabled %} {% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #} {# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s; resolver 127.0.0.11 valid=5s;
@ -51,7 +51,7 @@
{% endif %} {% endif %}
{% if matrix_nginx_proxy_proxy_matrix_identity_api_enabled %} {% if matrix_nginx_proxy_proxy_matrix_identity_api_enabled %}
location /_matrix/identity { location ^~ /_matrix/identity {
{% if matrix_nginx_proxy_enabled %} {% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #} {# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s; resolver 127.0.0.11 valid=5s;
@ -68,8 +68,10 @@
{% endif %} {% endif %}
{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled %} {% if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled %}
# FIXME: if this is enabled, user_dir_workers should be disabled # NOTE: This redirects user lookup requests to the identity server instead of
location /_matrix/client/r0/user_directory/search { # synapse, so user_dir_workers endpoints listed further down in this file will
# not be reached and workers of this kind should be disabled for consistency.
location ^~ /_matrix/client/r0/user_directory/search {
{% if matrix_nginx_proxy_enabled %} {% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #} {# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s; resolver 127.0.0.11 valid=5s;
@ -103,7 +105,7 @@
{% endif %} {% endif %}
{% if matrix_nginx_proxy_synapse_workers_enabled %} {% if matrix_nginx_proxy_synapse_workers_enabled %}
# Workers redirects BEGIN {# Workers redirects BEGIN}
{% if generic_workers %} {% if generic_workers %}
# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappgeneric_worker # https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappgeneric_worker
@ -162,7 +164,7 @@
} }
{% endif %} {% endif %}
{% endif %} {% endif %}
# Workers redirects END {# Workers redirects END}
{% endif %} {% endif %}
@ -170,29 +172,6 @@
{{- configuration_block }} {{- configuration_block }}
{% endfor %} {% endfor %}
{#
This handles the Matrix Client API only.
The Matrix Federation API is handled by a separate vhost.
#}
location /_matrix {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
set $backend "{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}";
proxy_pass http://$backend;
{% else %}
{# Generic configuration for use outside of our container setup #}
proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container }};
{% endif %}
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
client_body_buffer_size 25M;
client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M;
proxy_max_temp_file_size 0;
}
{% if matrix_nginx_proxy_proxy_synapse_metrics %} {% if matrix_nginx_proxy_proxy_synapse_metrics %}
location /_synapse/metrics { location /_synapse/metrics {
{% if matrix_nginx_proxy_enabled %} {% if matrix_nginx_proxy_enabled %}
@ -215,7 +194,11 @@
} }
{% endif %} {% endif %}
location /_synapse { {#
This handles the Matrix Client API only.
The Matrix Federation API is handled by a separate vhost.
#}
location ~* ^({{ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes|join('|') }}) {
{% if matrix_nginx_proxy_enabled %} {% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #} {# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s; resolver 127.0.0.11 valid=5s;
@ -235,7 +218,11 @@
} }
location / { location / {
rewrite ^/$ /_matrix/static/ last; {% if matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain %}
return 302 $scheme://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri;
{% else %}
rewrite ^/$ /_matrix/static/ last;
{% endif %}
} }
{% endmacro %} {% endmacro %}

View File

@ -5,7 +5,7 @@ matrix_synapse_enabled: true
matrix_synapse_container_image_self_build: false matrix_synapse_container_image_self_build: false
matrix_synapse_docker_image: "matrixdotorg/synapse:v1.21.2" matrix_synapse_docker_image: "matrixdotorg/synapse:v1.22.1"
matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
@ -73,7 +73,7 @@ matrix_synapse_registration_shared_secret: "{{ matrix_synapse_macaroon_secret_ke
matrix_synapse_allow_guest_access: false matrix_synapse_allow_guest_access: false
matrix_synapse_form_secret: "{{ matrix_synapse_macaroon_secret_key }}" matrix_synapse_form_secret: "{{ matrix_synapse_macaroon_secret_key }}"
matrix_synapse_max_upload_size_mb: 10 matrix_synapse_max_upload_size_mb: 50
# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
matrix_synapse_tmp_directory_size_mb: "{{ matrix_synapse_max_upload_size_mb * 50 }}" matrix_synapse_tmp_directory_size_mb: "{{ matrix_synapse_max_upload_size_mb * 50 }}"
@ -389,7 +389,7 @@ matrix_synapse_room_list_publication_rules:
room_id: "*" room_id: "*"
action: allow action: allow
matrix_synapse_default_room_version: "5" matrix_synapse_default_room_version: "6"
# Controls the Synapse `spam_checker` setting. # Controls the Synapse `spam_checker` setting.
# #

View File

@ -5,6 +5,7 @@
roles: roles:
- matrix-base - matrix-base
- matrix-dynamic-dns
- matrix-mailer - matrix-mailer
- matrix-postgres - matrix-postgres
- matrix-redis - matrix-redis