Build using custom config.json, add CSP, update to 0.1.53
This commit is contained in:
parent
ca361af616
commit
9437f78c9e
@ -1172,6 +1172,7 @@ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: "{{ matrix_s
|
|||||||
|
|
||||||
matrix_nginx_proxy_proxy_matrix_enabled: true
|
matrix_nginx_proxy_proxy_matrix_enabled: true
|
||||||
matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled }}"
|
matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled }}"
|
||||||
|
matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled }}"
|
||||||
matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}"
|
matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}"
|
||||||
matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}"
|
matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}"
|
||||||
matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}"
|
matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}"
|
||||||
|
@ -1,10 +1,11 @@
|
|||||||
matrix_client_hydrogen_enabled: true
|
matrix_client_hydrogen_enabled: true
|
||||||
|
|
||||||
# as of 2021-05-15 the pre-built images were not working so self building is enabled by default
|
# Self building is used by default because the `config.json` file is only read at build time.
|
||||||
|
# The pre-built images also were not functional as of 2021-05-15.
|
||||||
matrix_client_hydrogen_container_image_self_build: true
|
matrix_client_hydrogen_container_image_self_build: true
|
||||||
matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git"
|
matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git"
|
||||||
|
|
||||||
matrix_client_hydrogen_version: v0.1.51
|
matrix_client_hydrogen_version: v0.1.53
|
||||||
matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}"
|
matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}"
|
||||||
matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build }}"
|
matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build }}"
|
||||||
matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}"
|
matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}"
|
||||||
|
@ -1,10 +1,10 @@
|
|||||||
|
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
|
||||||
|
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
|
||||||
|
- name: Fail if trying to self-build on Ansible < 2.8
|
||||||
|
fail:
|
||||||
|
msg: "To self-build the Hydrogen image, you should use Ansible 2.8 or higher. See docs/ansible.md"
|
||||||
|
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_hydrogen_container_image_self_build"
|
||||||
|
|
||||||
- set_fact:
|
- set_fact:
|
||||||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-hydrogen.service'] }}"
|
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-hydrogen.service'] }}"
|
||||||
when: matrix_client_hydrogen_enabled|bool
|
when: matrix_client_hydrogen_enabled|bool
|
||||||
|
|
||||||
# ansible lower than 2.8, does not support docker_image build parameters
|
|
||||||
# for self building it is explicitly needed, so we rather fail here
|
|
||||||
- name: Fail if running on Ansible lower than 2.8 and trying self building
|
|
||||||
fail:
|
|
||||||
msg: "To self build the Hydrogen image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
|
|
||||||
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_hydrogen_container_image_self_build"
|
|
||||||
|
@ -33,6 +33,15 @@
|
|||||||
register: matrix_client_hydrogen_git_pull_results
|
register: matrix_client_hydrogen_git_pull_results
|
||||||
when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool"
|
when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool"
|
||||||
|
|
||||||
|
- name: Ensure Hydrogen configuration installed
|
||||||
|
copy:
|
||||||
|
content: "{{ matrix_client_hydrogen_configuration|to_nice_json }}"
|
||||||
|
dest: "{{ matrix_client_hydrogen_docker_src_files_path }}/assets/config.json"
|
||||||
|
mode: 0644
|
||||||
|
owner: "{{ matrix_user_username }}"
|
||||||
|
group: "{{ matrix_user_groupname }}"
|
||||||
|
when: matrix_client_hydrogen_enabled|bool
|
||||||
|
|
||||||
- name: Ensure Hydrogen Docker image is built
|
- name: Ensure Hydrogen Docker image is built
|
||||||
docker_image:
|
docker_image:
|
||||||
name: "{{ matrix_client_hydrogen_docker_image }}"
|
name: "{{ matrix_client_hydrogen_docker_image }}"
|
||||||
@ -44,26 +53,6 @@
|
|||||||
pull: yes
|
pull: yes
|
||||||
when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool"
|
when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool"
|
||||||
|
|
||||||
- name: Ensure Hydrogen configuration installed
|
|
||||||
copy:
|
|
||||||
content: "{{ matrix_client_hydrogen_configuration|to_nice_json }}"
|
|
||||||
dest: "{{ matrix_client_hydrogen_data_path }}/config.json"
|
|
||||||
mode: 0644
|
|
||||||
owner: "{{ matrix_user_username }}"
|
|
||||||
group: "{{ matrix_user_groupname }}"
|
|
||||||
when: matrix_client_hydrogen_enabled|bool
|
|
||||||
|
|
||||||
- name: Ensure Hydrogen config files installed
|
|
||||||
template:
|
|
||||||
src: "{{ item.src }}"
|
|
||||||
dest: "{{ matrix_client_hydrogen_data_path }}/{{ item.name }}"
|
|
||||||
mode: 0644
|
|
||||||
owner: "{{ matrix_user_username }}"
|
|
||||||
group: "{{ matrix_user_groupname }}"
|
|
||||||
with_items:
|
|
||||||
- {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"}
|
|
||||||
when: "matrix_client_hydrogen_enabled|bool and item.src is not none"
|
|
||||||
|
|
||||||
- name: Ensure matrix-client-hydrogen.service installed
|
- name: Ensure matrix-client-hydrogen.service installed
|
||||||
template:
|
template:
|
||||||
src: "{{ role_path }}/templates/systemd/matrix-client-hydrogen.service.j2"
|
src: "{{ role_path }}/templates/systemd/matrix-client-hydrogen.service.j2"
|
||||||
|
9
roles/matrix-client-hydrogen/tasks/validate_config.yml
Normal file
9
roles/matrix-client-hydrogen/tasks/validate_config.yml
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: Fail if required Hydrogen settings not defined
|
||||||
|
fail:
|
||||||
|
msg: >
|
||||||
|
You need to define a required configuration setting (`{{ item }}`) to use Hydrogen.
|
||||||
|
when: "vars[item] == '' or vars[item] is none"
|
||||||
|
with_items:
|
||||||
|
- "matrix_client_hydrogen_default_hs_url"
|
@ -1,66 +0,0 @@
|
|||||||
#jinja2: lstrip_blocks: "True"
|
|
||||||
# This is a custom nginx configuration file that we use in the container (instead of the default one),
|
|
||||||
# because it allows us to run nginx with a non-root user.
|
|
||||||
#
|
|
||||||
# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed.
|
|
||||||
# (mounting `/dev/null` over `/etc/nginx/conf.d/default.conf` works well)
|
|
||||||
#
|
|
||||||
# The following changes have been done compared to a default nginx configuration file:
|
|
||||||
# - default server port is changed (80 -> 8080), so that a non-root user can bind it
|
|
||||||
# - various temp paths are changed to `/tmp`, so that a non-root user can write to them
|
|
||||||
# - the `user` directive was removed, as we don't want nginx to switch users
|
|
||||||
|
|
||||||
worker_processes 1;
|
|
||||||
|
|
||||||
error_log /var/log/nginx/error.log warn;
|
|
||||||
pid /tmp/nginx.pid;
|
|
||||||
|
|
||||||
|
|
||||||
events {
|
|
||||||
worker_connections 1024;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
http {
|
|
||||||
proxy_temp_path /tmp/proxy_temp;
|
|
||||||
client_body_temp_path /tmp/client_temp;
|
|
||||||
fastcgi_temp_path /tmp/fastcgi_temp;
|
|
||||||
uwsgi_temp_path /tmp/uwsgi_temp;
|
|
||||||
scgi_temp_path /tmp/scgi_temp;
|
|
||||||
|
|
||||||
include /etc/nginx/mime.types;
|
|
||||||
default_type application/octet-stream;
|
|
||||||
|
|
||||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
|
||||||
'$status $body_bytes_sent "$http_referer" '
|
|
||||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
|
||||||
|
|
||||||
access_log /var/log/nginx/access.log main;
|
|
||||||
|
|
||||||
sendfile on;
|
|
||||||
#tcp_nopush on;
|
|
||||||
|
|
||||||
keepalive_timeout 65;
|
|
||||||
|
|
||||||
#gzip on;
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 8080;
|
|
||||||
server_name localhost;
|
|
||||||
|
|
||||||
root /usr/share/nginx/html;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
index index.html index.htm;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~* ^/(config(.+)?\.json$|(.+)\.html$|i18n) {
|
|
||||||
expires -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
error_page 500 502 503 504 /50x.html;
|
|
||||||
location = /50x.html {
|
|
||||||
root /usr/share/nginx/html;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
@ -7,6 +7,8 @@
|
|||||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||||
add_header X-Content-Type-Options nosniff;
|
add_header X-Content-Type-Options nosniff;
|
||||||
add_header X-Frame-Options SAMEORIGIN;
|
add_header X-Frame-Options SAMEORIGIN;
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
add_header Content-Security-Policy "frame-ancestors 'none'";
|
||||||
{% if matrix_nginx_proxy_floc_optout_enabled %}
|
{% if matrix_nginx_proxy_floc_optout_enabled %}
|
||||||
add_header Permissions-Policy interest-cohort=() always;
|
add_header Permissions-Policy interest-cohort=() always;
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
Loading…
Reference in New Issue
Block a user