Draupnir proxy (#3313)

* Allow redircting abuse-reports to draupnir

* Document redirecting abuse-reports to draupnir via traefik

* Apply suggestions from code review

Co-authored-by: Slavi Pantaleev <slavi@devture.com>

* Rename variable

---------

Co-authored-by: Slavi Pantaleev <slavi@devture.com>

roles/custom/matrix-bot-draupnir/templates/labels.j2

@@ -0,0 +1,53 @@
+{% if matrix_bot_draupnir_container_labels_traefik_enabled %}
+traefik.enable=true
+
+{% if matrix_bot_draupnir_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_bot_draupnir_container_labels_traefik_docker_network }}
+{% endif %}
+
+traefik.http.services.matrix-bot-draupnir.loadbalancer.server.port=8080
+
+############################################################
+#                                                          #
+# Abuse Reports (/_matrix/client/../rooms/../report)       #
+#                                                          #
+############################################################
+
+{% set middlewares = [] %}
+
+traefik.http.middlewares.matrix-bot-draupnir-redirect.replacepathregex.regex=^/_matrix/client/(r0|v3)/rooms/([^/]*)/report/(.*)$
+traefik.http.middlewares.matrix-bot-draupnir-redirect.replacepathregex.replacement=/api/1/report/$2/$3
+
+{% set middlewares = middlewares + ['matrix-bot-draupnir-redirect'] %}
+
+traefik.http.middlewares.matrix-bot-draupnir-cors.headers.accesscontrolalloworiginlist=*
+traefik.http.middlewares.matrix-bot-draupnir-cors.headers.accesscontrolallowheaders=Content-Type,Authorization
+traefik.http.middlewares.matrix-bot-draupnir-cors.headers.accesscontrolallowmethods=POST,OPTIONS
+
+{% set middlewares = middlewares + ['matrix-bot-draupnir-cors'] %}
+
+traefik.http.routers.matrix-bot-draupnir.rule={{ matrix_bot_draupnir_container_labels_traefik_rule }}
+
+{% if matrix_bot_draupnir_container_labels_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-bot-draupnir.priority={{ matrix_bot_draupnir_container_labels_traefik_priority }}
+{% endif %}
+{% if middlewares | length > 0 %}
+traefik.http.routers.matrix-bot-draupnir.middlewares={{ middlewares | join(',') }}
+{% endif %}
+
+traefik.http.routers.matrix-bot-draupnir.service=matrix-bot-draupnir
+traefik.http.routers.matrix-bot-draupnir.entrypoints={{ matrix_bot_draupnir_container_labels_traefik_entrypoints }}
+traefik.http.routers.matrix-bot-draupnir.tls={{ matrix_bot_draupnir_container_labels_traefik_tls | to_json }}
+
+{% if matrix_bot_draupnir_container_labels_traefik_tls %}
+traefik.http.routers.matrix-bot-draupnir.tls.certResolver={{ matrix_bot_draupnir_container_labels_traefik_tls_certResolver }}
+{% endif %}
+
+############################################################
+#                                                          #
+# /Abuse Reports (/_matrix/client/../rooms/../report)      #
+#                                                          #
+############################################################
+{% endif %}
+
+{{ matrix_bot_draupnir_container_labels_traefik_labels_additional_labels }}

roles/custom/matrix-bot-draupnir/templates/production.yaml.j2

@@ -227,32 +227,29 @@ health:
     # Defaults to 418.
     unhealthyStatus: 418
 
+{% if matrix_bot_draupnir_web_enabled %}
 # Options for exposing web APIs.
-#web:
-#  # Whether to enable web APIs.
-#  enabled: false
-#
-#  # The port to expose the webserver on. Defaults to 8080.
-#  port: 8080
-#
-#  # The address to listen for requests on. Defaults to only the current
-#  # computer.
-#  address: localhost
-#
-#  # Alternative setting to open to the entire web. Be careful,
-#  # as this will increase your security perimeter:
-#  #
-#  #  address: "0.0.0.0"
-#
-#  # A web API designed to intercept Matrix API
-#  # POST /_matrix/client/r0/rooms/{roomId}/report/{eventId}
-#  # and display readable abuse reports in the moderation room.
-#  #
-#  # If you wish to take advantage of this feature, you will need
-#  # to configure a reverse proxy, see e.g. test/nginx.conf
-#  abuseReporting:
-#    # Whether to enable this feature.
-#    enabled: false
+web:
+  # Whether to enable web APIs.
+  enabled: true
+
+  # The port to expose the webserver on. Defaults to 8080.
+  port: 8080
+
+  # The address to listen for requests on. Defaults to only the current
+  # computer.
+  address: 0.0.0.0
+
+  # A web API designed to intercept Matrix API
+  # POST /_matrix/client/r0/rooms/{roomId}/report/{eventId}
+  # and display readable abuse reports in the moderation room.
+  #
+  # If you wish to take advantage of this feature, you will need
+  # to configure a reverse proxy, see e.g. test/nginx.conf
+  abuseReporting:
+    # Whether to enable this feature.
+    enabled: {{ matrix_bot_draupnir_abuse_reporting_enabled | to_json }}
+{% endif %}
 
 # Whether or not to actively poll synapse for abuse reports, to be used
 # instead of intercepting client calls to synapse's abuse endpoint, when that
@@ -261,4 +258,4 @@ pollReports: false
 
 # Whether or not new reports, received either by webapi or polling,
 # should be printed to our managementRoom.
-displayReports: false
+displayReports: {{ matrix_bot_draupnir_display_reports | to_json }}

roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-draupnir.service.j2

@@ -24,13 +24,17 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			--cap-drop=ALL \
 			--read-only \
 			--network={{ matrix_bot_draupnir_container_network }} \
+			{% if matrix_bot_draupnir_container_http_host_bind_port %}
+			-p {{ matrix_bot_draupnir_container_http_host_bind_port }}:8080 \
+			{% endif %}
+			--label-file={{ matrix_bot_draupnir_base_path }}/labels \
 			--mount type=bind,src={{ matrix_bot_draupnir_config_path }},dst=/data/config,ro \
 			--mount type=bind,src={{ matrix_bot_draupnir_data_path }},dst=/data \
 			{% for arg in matrix_bot_draupnir_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
 			{{ matrix_bot_draupnir_docker_image }} \
-			bot --draupnir-config /data/config/production.yaml 
+			bot --draupnir-config /data/config/production.yaml
 
 {% for network in matrix_bot_draupnir_container_additional_networks %}
 ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-bot-draupnir