feat: add automatic creation of reverse-proxy routing

This commit is contained in:
transcaffeine 2021-04-18 11:55:40 +02:00 committed by Johanna Dorothea Reichmann
parent 245503ab37
commit 9beed4b804
Signed by: transcaffeine
GPG Key ID: 03624C433676E465
3 changed files with 148 additions and 8 deletions

View File

@ -8,8 +8,10 @@ matrix_nginx_proxy_enabled: false
matrix_base_data_path: "{{ vault_matrix_base_data_path }}"
matrix_server_fqn_element: "chat.{{ matrix_domain }}"
matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:v1.32.0"
#matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.21"
web_user: "web"
revproxy_autoload_dir: "/vault/services/web/sites.d"
#matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:v1.32.0rc1"
#
# General Synapse config
@ -208,15 +210,16 @@ matrix_mx_puppet_instagram_configuration_extension_yaml: |
# mx-puppet-skype configuration
#
matrix_mx_puppet_skype_enabled: true
matrix_mx_puppet_skype_container_http_monitoring_host_bind_port: 9405
matrix_mx_puppet_skype_container_extra_arguments:
- "-p 127.0.0.1:9405:9405"
- "-p 127.0.0.1:{{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}"
matrix_mx_puppet_skype_configuration_extension_yaml: |
bridge:
enableGroupSync: true
avatarUrl: mxc://finallycoffee.eu/jjXDuFqtpFOBOnywoHgzTuYt
metrics:
enabled: true
port: 9405
port: {{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}
path: /metrics
@ -252,15 +255,17 @@ matrix_mx_puppet_slack_enabled: true
matrix_mx_puppet_slack_client_id: "{{ vault_matrix_mx_puppet_slack_client_id }}"
matrix_mx_puppet_slack_client_secret: "{{ vault_matrix_mx_puppet_slack_client_secret }}"
matrix_mx_puppet_slack_redirect_path: '/bridge/slack/oauth'
matrix_mx_puppet_slack_container_http_auth_host_bind_port: 8981
matrix_mx_puppet_slack_container_http_monitoring_host_bind_port: 9406
matrix_mx_puppet_slack_container_extra_arguments:
- "-p 127.0.0.1:9406:9406"
- "-p 127.0.0.1:8981:8008"
- "-p 127.0.0.1:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}"
- "-p 127.0.0.1:{{ matrix_mx_puppet_slack_container_http_auth_host_bind_port }}:8008"
matrix_mx_puppet_slack_configuration_extension_yaml: |
bridge:
enableGroupSync: true
metrics:
enabled: true
port: 9406
port: {{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}
path: /metrics
limits:
maxAutojoinUsers: 500

View File

@ -55,4 +55,29 @@
- matrix-aux
- matrix-postgres-backup
- matrix-prometheus-postgres-exporter
- matrix-common-after
- matrix-common-after
tasks:
- name: Ensure web-user is present
user:
name: "{{ web_user }}"
state: present
system: yes
register: web_user_res
tags: [ setup-caddy, setup-all, start ]
- name: Ensure directory for revproxy config is present
file:
path: "{{ revproxy_autoload_dir }}/matrix"
state: directory
owner: "{{ web_user_res.uid }}"
group: "{{ web_user_res.group }}"
mode: 0750
tags: [ setup-caddy, setup-all, start ]
- name: Template reverse proxy configuration
template:
src: Caddyfile.j2
dest: "{{ revproxy_autoload_dir }}/matrix/Caddyfile"
owner: "{{ web_user_res.uid }}"
group: "{{ web_user_res.group }}"
mode: 0640
tags: [ setup-caddy, setup-all, start ]

110
templates/Caddyfile.j2 Normal file
View File

@ -0,0 +1,110 @@
https://{{ matrix_server_fqn_matrix }} {
tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
encode zstd gzip
header {
Strict-Transport-Security "max-age=31536000;"
X-Frame-Options "DENY"
X-XSS-Protection "1; mode=block"
}
# matrix-ma1sd
reverse_proxy /_matrix/identity/* {{ matrix_ma1sd_container_http_host_bind_port }} {
header_down Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
header_down Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
}
reverse_proxy /_matrix/client/r0/user_directory/search/* {{ matrix_ma1sd_container_http_host_bind_port }} {
header_down Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
header_down Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
}
reverse_proxy /_matrix/federation/* http://{{ matrix_synapse_container_federation_api_plain_host_bind_port }}
reverse_proxy /_matrix/key/* http://{{ matrix_synapse_container_federation_api_plain_host_bind_port }}
reverse_proxy /_matrix/* {{ matrix_synapse_container_client_api_host_bind_port }} {
import proxyheaders
header_down Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
header_down Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
}
route /synapse-admin/* {
uri strip_prefix /synapse-admin
reverse_proxy http://127.0.0.1{{ matrix_synapse_admin_container_http_host_bind_port }}
}
reverse_proxy /_synapse/* http://{{ matrix_synapse_container_client_api_host_bind_port }}
basicauth /metrics/* bcrypt monitoring {
monitoring JDJhJDE0JGdQRlNHVFpSQmRiaWlPem9LdXlkS09HN2E3LklZS05YZmtXTEY1NlFXbkMxd3hBUmwwbVZl
}
route /metrics/synapse {
uri replace /metrics/synapse /_synapse/metrics
reverse_proxy http://{{ matrix_synapse_container_metrics_api_host_bind_port }}
}
route /metrics/synapse/worker/appservice {
uri replace /metrics/synapse/worker/appservice /_synapse/metrics
reverse_proxy http://127.0.0.1:{{ matrix_synapse_workers_appservice_workers_metrics_range_start }}
}
route /metrics/synapse/worker/federation-sender {
uri replace /metrics/synapse/worker/federation-sender /_synapse/metrics
reverse_proxy http://127.0.0.1:{{ matrix_synapse_workers_federation_sender_workers_metrics_range_start }}
}
route /metrics/bridge/* {
uri strip_prefix /metrics/bridge
route /mautrix-telegram {
uri replace /mautrix-telegram /metrics
reverse_proxy http://127.0.0.1:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}
}
route /mautrix-whatsapp {
uri replace /mautrix-whatsapp /metrics
reverse_proxy http://127.0.0.1:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}
}
route /mautrix-signal {
uri replace /mautrix-signal /metrics
reverse_proxy http://127.0.0.1:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}
}
route /mx-puppet-instagram {
uri replace /mx-puppet-instagram /metrics
reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}
}
route /mx-puppet-discord {
uri replace /mx-puppet-discord /metrics
reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}
}
route /mx-puppet-skype {
uri replace /mx-puppet-skype /metrics
reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}
}
route /mx-puppet-slack {
uri replace /mx-puppet-slack /metrics
reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}
}
}
reverse_proxy /bridge/telegram/* http://127.0.0.1:{{ matrix_mautrix_telegram_container_http_host_bind_port_public }}
reverse_proxy /bridge/slack/* http://127.0.0.1:{{ matrix_mx_puppet_slack_container_http_auth_host_bind_port }}
}
https://{{ matrix_server_fqn_dimension }} {
tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
encode zstd gzip
reverse_proxy http://{{ matrix_dimension_container_http_host_bind_port }} {
#header_up X-Forwarded-For {remote}
import proxyheaders
#header_up Host {host}
}
}
https://{{ matrix_server_fqn_element }} {
tls /tls_certs/chat.finallycoffee.eu/fullchain.pem /tls_certs/chat.finallycoffee.eu/privkey.pem
encode zstd gzip
reverse_proxy http://{{ matrix_client_element_container_http_host_bind_port }}
}
https://{{ matrix_domain }}/.well-known/matrix/* {
tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
route {
uri strip_prefix /.well-known/matrix
root * /matrix_static
file_server
}
header {
Content-Type "application/json"
X-Content-Type-Options "nosniff"
Access-Control-Allow-Origin *
Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
}
}