Build using custom config.json, add CSP, update to 0.1.53

This commit is contained in:
Aaron Raimist 2021-05-21 03:45:21 -05:00
parent ca361af616
commit 9437f78c9e
No known key found for this signature in database
GPG Key ID: 37419210002890EF
7 changed files with 31 additions and 95 deletions

View File

@ -1172,6 +1172,7 @@ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: "{{ matrix_s
matrix_nginx_proxy_proxy_matrix_enabled: true matrix_nginx_proxy_proxy_matrix_enabled: true
matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled }}" matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled }}"
matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled }}"
matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}"
matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}"
matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}"

View File

@ -1,10 +1,11 @@
matrix_client_hydrogen_enabled: true matrix_client_hydrogen_enabled: true
# as of 2021-05-15 the pre-built images were not working so self building is enabled by default # Self building is used by default because the `config.json` file is only read at build time.
# The pre-built images also were not functional as of 2021-05-15.
matrix_client_hydrogen_container_image_self_build: true matrix_client_hydrogen_container_image_self_build: true
matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git" matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git"
matrix_client_hydrogen_version: v0.1.51 matrix_client_hydrogen_version: v0.1.53
matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}" matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}"
matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build }}" matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build }}"
matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}" matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}"

View File

@ -1,10 +1,10 @@
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
- name: Fail if trying to self-build on Ansible < 2.8
fail:
msg: "To self-build the Hydrogen image, you should use Ansible 2.8 or higher. See docs/ansible.md"
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_hydrogen_container_image_self_build"
- set_fact: - set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-hydrogen.service'] }}" matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-hydrogen.service'] }}"
when: matrix_client_hydrogen_enabled|bool when: matrix_client_hydrogen_enabled|bool
# ansible lower than 2.8, does not support docker_image build parameters
# for self building it is explicitly needed, so we rather fail here
- name: Fail if running on Ansible lower than 2.8 and trying self building
fail:
msg: "To self build the Hydrogen image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_hydrogen_container_image_self_build"

View File

@ -33,6 +33,15 @@
register: matrix_client_hydrogen_git_pull_results register: matrix_client_hydrogen_git_pull_results
when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool" when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool"
- name: Ensure Hydrogen configuration installed
copy:
content: "{{ matrix_client_hydrogen_configuration|to_nice_json }}"
dest: "{{ matrix_client_hydrogen_docker_src_files_path }}/assets/config.json"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: matrix_client_hydrogen_enabled|bool
- name: Ensure Hydrogen Docker image is built - name: Ensure Hydrogen Docker image is built
docker_image: docker_image:
name: "{{ matrix_client_hydrogen_docker_image }}" name: "{{ matrix_client_hydrogen_docker_image }}"
@ -44,26 +53,6 @@
pull: yes pull: yes
when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool" when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool"
- name: Ensure Hydrogen configuration installed
copy:
content: "{{ matrix_client_hydrogen_configuration|to_nice_json }}"
dest: "{{ matrix_client_hydrogen_data_path }}/config.json"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: matrix_client_hydrogen_enabled|bool
- name: Ensure Hydrogen config files installed
template:
src: "{{ item.src }}"
dest: "{{ matrix_client_hydrogen_data_path }}/{{ item.name }}"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"}
when: "matrix_client_hydrogen_enabled|bool and item.src is not none"
- name: Ensure matrix-client-hydrogen.service installed - name: Ensure matrix-client-hydrogen.service installed
template: template:
src: "{{ role_path }}/templates/systemd/matrix-client-hydrogen.service.j2" src: "{{ role_path }}/templates/systemd/matrix-client-hydrogen.service.j2"

View File

@ -0,0 +1,9 @@
---
- name: Fail if required Hydrogen settings not defined
fail:
msg: >
You need to define a required configuration setting (`{{ item }}`) to use Hydrogen.
when: "vars[item] == '' or vars[item] is none"
with_items:
- "matrix_client_hydrogen_default_hs_url"

View File

@ -1,66 +0,0 @@
#jinja2: lstrip_blocks: "True"
# This is a custom nginx configuration file that we use in the container (instead of the default one),
# because it allows us to run nginx with a non-root user.
#
# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed.
# (mounting `/dev/null` over `/etc/nginx/conf.d/default.conf` works well)
#
# The following changes have been done compared to a default nginx configuration file:
# - default server port is changed (80 -> 8080), so that a non-root user can bind it
# - various temp paths are changed to `/tmp`, so that a non-root user can write to them
# - the `user` directive was removed, as we don't want nginx to switch users
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /tmp/nginx.pid;
events {
worker_connections 1024;
}
http {
proxy_temp_path /tmp/proxy_temp;
client_body_temp_path /tmp/client_temp;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
server {
listen 8080;
server_name localhost;
root /usr/share/nginx/html;
location / {
index index.html index.htm;
}
location ~* ^/(config(.+)?\.json$|(.+)\.html$|i18n) {
expires -1;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
}

View File

@ -7,6 +7,8 @@
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN; add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "frame-ancestors 'none'";
{% if matrix_nginx_proxy_floc_optout_enabled %} {% if matrix_nginx_proxy_floc_optout_enabled %}
add_header Permissions-Policy interest-cohort=() always; add_header Permissions-Policy interest-cohort=() always;
{% endif %} {% endif %}