Move matrix-ma1sd to its own container network and add native Traefik support
This commit is contained in:
Slavi Pantaleev
@ -4,6 +4,9 @@
|
||||
|
||||
matrix_ma1sd_enabled: true
|
||||
|
||||
matrix_ma1sd_scheme: https
|
||||
matrix_ma1sd_hostname: ''
|
||||
|
||||
matrix_ma1sd_container_image_self_build: false
|
||||
matrix_ma1sd_container_image_self_build_repo: "https://github.com/ma1uta/ma1sd.git"
|
||||
matrix_ma1sd_container_image_self_build_branch: "{{ matrix_ma1sd_version }}"
|
||||
@ -43,14 +46,65 @@ matrix_ma1sd_systemd_wanted_services_list_auto: []
|
||||
matrix_ma1sd_systemd_wanted_services_list_custom: []
|
||||
|
||||
# The base container network. It will be auto-created by this role if it doesn't exist already.
|
||||
matrix_ma1sd_container_network: "{{ matrix_docker_network }}"
|
||||
matrix_ma1sd_container_network: ""
|
||||
|
||||
# A list of additional container networks that matrix-ma1sd would be connected to.
|
||||
# The playbook does not create these networks, so make sure they already exist.
|
||||
#
|
||||
# Use this to expose matrix-ma1sd to another docker network, that matrix-ma1sd might have to reach for authentication (e.g. an ldap instance)
|
||||
matrix_ma1sd_container_additional_networks: "{{ matrix_ma1sd_container_additional_networks_auto + matrix_ma1sd_container_additional_networks_custom }}"
|
||||
matrix_ma1sd_container_additional_networks_auto: []
|
||||
matrix_ma1sd_container_additional_networks_custom: []
|
||||
|
||||
# matrix_ma1sd_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
|
||||
# See `../templates/labels.j2` for details.
|
||||
#
|
||||
matrix_ma1sd_container_additional_networks: []
|
||||
# To inject your own other container labels, see `matrix_ma1sd_container_labels_additional_labels`.
|
||||
matrix_ma1sd_container_labels_traefik_enabled: true
|
||||
matrix_ma1sd_container_labels_traefik_docker_network: "{{ matrix_ma1sd_container_network }}"
|
||||
matrix_ma1sd_container_labels_traefik_entrypoints: web-secure
|
||||
matrix_ma1sd_container_labels_traefik_tls_certResolver: default # noqa var-naming
|
||||
|
||||
# Controls whether labels will be added that expose ma1sd's /_matrix/identity endpoints
|
||||
matrix_ma1sd_container_labels_matrix_identity_enabled: "{{ matrix_ma1sd_container_labels_traefik_enabled }}"
|
||||
matrix_ma1sd_container_labels_matrix_identity_hostname: "{{ matrix_ma1sd_hostname }}"
|
||||
matrix_ma1sd_container_labels_matrix_identity_path_prefix: "/_matrix/identity"
|
||||
matrix_ma1sd_container_labels_matrix_identity_traefik_rule: "Host(`{{ matrix_ma1sd_container_labels_matrix_identity_hostname }}`) && PathPrefix(`{{ matrix_ma1sd_container_labels_matrix_identity_path_prefix }}`)"
|
||||
matrix_ma1sd_container_labels_matrix_identity_traefik_priority: 0
|
||||
matrix_ma1sd_container_labels_matrix_identity_traefik_entrypoints: "{{ matrix_ma1sd_container_labels_traefik_entrypoints }}"
|
||||
matrix_ma1sd_container_labels_matrix_identity_traefik_tls: "{{ matrix_ma1sd_container_labels_matrix_identity_traefik_entrypoints != 'web' }}"
|
||||
matrix_ma1sd_container_labels_matrix_identity_traefik_tls_certResolver: "{{ matrix_ma1sd_container_labels_traefik_tls_certResolver }}" # noqa var-naming
|
||||
|
||||
# Controls whether labels will be added that expose ma1sd's /_matrix/client/VERSION/user_directory/search endpoint
|
||||
matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled: "{{ matrix_ma1sd_container_labels_traefik_enabled }}"
|
||||
matrix_ma1sd_container_labels_matrix_client_user_directory_search_hostname: "{{ matrix_ma1sd_hostname }}"
|
||||
matrix_ma1sd_container_labels_matrix_client_user_directory_search_path: "/_matrix/client/{version:(r0|v3)}/user_directory/search"
|
||||
matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_rule: "Host(`{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_hostname }}`) && Path(`{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_path }}`)"
|
||||
matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_priority: 0
|
||||
matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_entrypoints: "{{ matrix_ma1sd_container_labels_traefik_entrypoints }}"
|
||||
matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls: "{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_entrypoints != 'web' }}"
|
||||
matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls_certResolver: "{{ matrix_ma1sd_container_labels_traefik_tls_certResolver }}" # noqa var-naming
|
||||
|
||||
# Controls whether labels will be added that expose ma1sd's /_matrix/client/VERSION/register/TYPE/requestToken endpoints
|
||||
# This allows another service to control registrations involving 3PIDs.
|
||||
# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md
|
||||
matrix_ma1sd_container_labels_matrix_client_3pid_registration_enabled: false
|
||||
matrix_ma1sd_container_labels_matrix_client_3pid_registration_hostname: "{{ matrix_ma1sd_hostname }}"
|
||||
matrix_ma1sd_container_labels_matrix_client_3pid_registration_path: "/_matrix/client/{version:(r0|v3)}/register/{type:(email|msisdn)}/requestToken"
|
||||
matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_rule: "Host(`{{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_hostname }}`) && Path(`{{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_path }}`)"
|
||||
matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_priority: 0
|
||||
matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_entrypoints: "{{ matrix_ma1sd_container_labels_traefik_entrypoints }}"
|
||||
matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls: "{{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_entrypoints != 'web' }}"
|
||||
matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls_certResolver: "{{ matrix_ma1sd_container_labels_traefik_tls_certResolver }}" # noqa var-naming
|
||||
|
||||
# matrix_ma1sd_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
|
||||
# See `../templates/labels.j2` for details.
|
||||
#
|
||||
# Example:
|
||||
# matrix_ma1sd_container_labels_additional_labels: |
|
||||
# my.label=1
|
||||
# another.label="here"
|
||||
matrix_ma1sd_container_labels_additional_labels: ''
|
||||
|
||||
# Your identity server is private by default.
|
||||
# To ensure maximum discovery, you can make your identity server
|
||||
@ -59,7 +113,6 @@ matrix_ma1sd_container_additional_networks: []
|
||||
# Enabling this is discouraged. Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/features/identity.md#lookups
|
||||
matrix_ma1sd_matrixorg_forwarding_enabled: false
|
||||
|
||||
|
||||
# Database-related configuration fields.
|
||||
#
|
||||
# To use SQLite, stick to these defaults.
|
||||
@ -130,6 +183,7 @@ matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template:
|
||||
# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/mxid-template.eml
|
||||
matrix_ma1sd_threepid_medium_email_custom_matrixid_template: ""
|
||||
|
||||
matrix_ma1sd_self_check_endpoint_url: "{{ matrix_ma1sd_scheme }}://{{ matrix_ma1sd_hostname }}/_matrix/identity/api/v1"
|
||||
# Controls whether the self-check feature should validate SSL certificates.
|
||||
matrix_ma1sd_self_check_validate_certificates: true
|
||||
|
||||
|
||||
@ -20,6 +20,7 @@
|
||||
|
||||
- tags:
|
||||
- self-check
|
||||
- self-check-ma1sd
|
||||
block:
|
||||
- when: matrix_ma1sd_enabled | bool
|
||||
ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml"
|
||||
|
||||
@ -1,11 +1,8 @@
|
||||
---
|
||||
|
||||
- ansible.builtin.set_fact:
|
||||
ma1sd_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/identity/api/v1"
|
||||
|
||||
- name: Check ma1sd Identity Service
|
||||
ansible.builtin.uri:
|
||||
url: "{{ ma1sd_url_endpoint_public }}"
|
||||
url: "{{ matrix_ma1sd_self_check_endpoint_url }}"
|
||||
follow_redirects: none
|
||||
validate_certs: "{{ matrix_ma1sd_self_check_validate_certificates }}"
|
||||
check_mode: false
|
||||
@ -16,9 +13,9 @@
|
||||
|
||||
- name: Fail if ma1sd Identity Service not working
|
||||
ansible.builtin.fail:
|
||||
msg: "Failed checking ma1sd is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ ma1sd_url_endpoint_public }}`). Is ma1sd running? Is port 443 open in your firewall? Full error: {{ result_ma1sd }}"
|
||||
msg: "Failed checking ma1sd is up at `{{ matrix_ma1sd_hostname }}` (checked endpoint: `{{ matrix_ma1sd_self_check_endpoint_url }}`). Is ma1sd running? Is port 443 open in your firewall? Full error: {{ result_ma1sd }}"
|
||||
when: "result_ma1sd.failed or 'json' not in result_ma1sd"
|
||||
|
||||
- name: Report working ma1sd Identity Service
|
||||
ansible.builtin.debug:
|
||||
msg: "ma1sd at `{{ matrix_server_fqn_matrix }}` is working (checked endpoint: `{{ ma1sd_url_endpoint_public }}`)"
|
||||
msg: "ma1sd at `{{ matrix_ma1sd_hostname }}` is working (checked endpoint: `{{ matrix_ma1sd_self_check_endpoint_url }}`)"
|
||||
|
||||
@ -122,6 +122,21 @@
|
||||
- {value: "{{ matrix_ma1sd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'}
|
||||
when: "matrix_ma1sd_threepid_medium_email_custom_templates_enabled | bool and item.value"
|
||||
|
||||
- name: Ensure ma1sd support files installed
|
||||
ansible.builtin.template:
|
||||
src: "{{ role_path }}/templates/{{ item }}.j2"
|
||||
dest: "{{ matrix_ma1sd_base_path }}/{{ item }}"
|
||||
mode: 0640
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
with_items:
|
||||
- labels
|
||||
|
||||
- name: Ensure ma1sd container network is created
|
||||
community.general.docker_network:
|
||||
name: "{{ matrix_ma1sd_container_network }}"
|
||||
driver: bridge
|
||||
|
||||
- name: Ensure matrix-ma1sd.service installed
|
||||
ansible.builtin.template:
|
||||
src: "{{ role_path }}/templates/systemd/matrix-ma1sd.service.j2"
|
||||
|
||||
@ -45,9 +45,15 @@
|
||||
You need to define a required configuration setting (`{{ item.name }}`).
|
||||
when: "item.when | bool and vars[item.name] == ''"
|
||||
with_items:
|
||||
- {'name': 'matrix_ma1sd_hostname', when: true}
|
||||
- {'name': 'matrix_ma1sd_threepid_medium_email_connectors_smtp_host', when: true}
|
||||
- {'name': 'matrix_ma1sd_dns_overwrite_homeserver_client_value', when: true}
|
||||
- {'name': 'matrix_ma1sd_database_hostname', when: "{{ matrix_ma1sd_database_engine == 'postgres' }}"}
|
||||
- {'name': 'matrix_ma1sd_container_network', when: true}
|
||||
- {'name': 'matrix_ma1sd_container_labels_matrix_identity_hostname', when: "{{ matrix_ma1sd_container_labels_matrix_identity_enabled }}"}
|
||||
- {'name': 'matrix_ma1sd_container_labels_matrix_identity_path_prefix', when: "{{ matrix_ma1sd_container_labels_matrix_identity_enabled }}"}
|
||||
- {'name': 'matrix_ma1sd_container_labels_matrix_client_user_directory_search_hostname', when: "{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled }}"}
|
||||
- {'name': 'matrix_ma1sd_container_labels_matrix_client_user_directory_search_path', when: "{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled }}"}
|
||||
|
||||
- name: (Deprecation) Catch and report renamed ma1sd variables
|
||||
ansible.builtin.fail:
|
||||
|
||||
99
roles/custom/matrix-ma1sd/templates/labels.j2
Normal file
99
roles/custom/matrix-ma1sd/templates/labels.j2
Normal file
@ -0,0 +1,99 @@
|
||||
{% if matrix_ma1sd_container_labels_traefik_enabled %}
|
||||
traefik.enable=true
|
||||
|
||||
{% if matrix_ma1sd_container_labels_traefik_docker_network %}
|
||||
traefik.docker.network={{ matrix_ma1sd_container_labels_traefik_docker_network }}
|
||||
{% endif %}
|
||||
|
||||
traefik.http.services.matrix-ma1sd.loadbalancer.server.port={{ matrix_ma1sd_container_port }}
|
||||
|
||||
{#
|
||||
Matrix Identity APIs (/_matrix/identity)
|
||||
#}
|
||||
{% if matrix_ma1sd_container_labels_matrix_identity_enabled %}
|
||||
traefik.http.routers.matrix-ma1sd-matrix-identity.rule={{ matrix_ma1sd_container_labels_matrix_identity_traefik_rule }}
|
||||
|
||||
{% if matrix_ma1sd_container_labels_matrix_identity_traefik_priority | int > 0 %}
|
||||
traefik.http.routers.matrix-ma1sd-matrix-identity.priority={{ matrix_ma1sd_container_labels_matrix_identity_traefik_priority }}
|
||||
{% endif %}
|
||||
|
||||
traefik.http.routers.matrix-ma1sd-matrix-identity.service=matrix-ma1sd
|
||||
traefik.http.routers.matrix-ma1sd-matrix-identity.entrypoints={{ matrix_ma1sd_container_labels_matrix_identity_traefik_entrypoints }}
|
||||
|
||||
traefik.http.routers.matrix-ma1sd-matrix-identity.tls={{ matrix_ma1sd_container_labels_matrix_identity_traefik_tls | to_json }}
|
||||
{% if matrix_ma1sd_container_labels_matrix_identity_traefik_tls %}
|
||||
traefik.http.routers.matrix-ma1sd-matrix-identity.tls.certResolver={{ matrix_ma1sd_container_labels_matrix_identity_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{#
|
||||
/Matrix Identity APIs (/_matrix/identity)
|
||||
#}
|
||||
|
||||
|
||||
{#
|
||||
Matrix Client user-directory search API endpoint (/_matrix/client/VERSION/user_directory/search)
|
||||
#}
|
||||
{% if matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled %}
|
||||
{#
|
||||
ma1sd only supports /_matrix/client/r0/user_directory/search,
|
||||
while we potentially handle /_matrix/client/v3/user_directory/search as well,
|
||||
so we need to transparently reroute.
|
||||
#}
|
||||
traefik.http.middlewares.matrix-ma1sd-matrix-client-user-directory-search-replacepath.replacepath.path=/_matrix/client/r0/user_directory/search
|
||||
|
||||
traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.rule={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_rule }}
|
||||
|
||||
traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.middlewares=matrix-ma1sd-matrix-client-user-directory-search-replacepath
|
||||
|
||||
{% if matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_priority | int > 0 %}
|
||||
traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.priority={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_priority }}
|
||||
{% endif %}
|
||||
|
||||
traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.service=matrix-ma1sd
|
||||
traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.entrypoints={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_entrypoints }}
|
||||
|
||||
traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.tls={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls | to_json }}
|
||||
{% if matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls %}
|
||||
traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.tls.certResolver={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{#
|
||||
/Matrix Client user-directory search API endpoint (/_matrix/client/VERSION/user_directory/search)
|
||||
#}
|
||||
|
||||
|
||||
{#
|
||||
Matrix Client 3pid registration API endpoint (/_matrix/client/VERSION/register/TYPE/requestToken)
|
||||
#}
|
||||
{% if matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled %}
|
||||
{#
|
||||
ma1sd only supports /_matrix/client/r0/user_directory/search,
|
||||
while we potentially handle /_matrix/client/v3/user_directory/search as well,
|
||||
so we need to transparently reroute.
|
||||
#}
|
||||
traefik.http.middlewares.matrix-ma1sd-matrix-client-3pid-registration-replacepathregex.replacepathregex.regex=^/_matrix/client/([^/]+)/register/([^/]+)/requestToken
|
||||
traefik.http.middlewares.matrix-ma1sd-matrix-client-3pid-registration-replacepathregex.replacepathregex.replacement=/_matrix/client/r0/register/${2}/requestToken
|
||||
|
||||
traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.rule={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_rule }}
|
||||
|
||||
traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.middlewares=matrix-ma1sd-matrix-client-3pid-registration-replacepathregex
|
||||
|
||||
{% if matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_priority | int > 0 %}
|
||||
traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.priority={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_priority }}
|
||||
{% endif %}
|
||||
|
||||
traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.service=matrix-ma1sd
|
||||
traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.entrypoints={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_entrypoints }}
|
||||
|
||||
traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.tls={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls | to_json }}
|
||||
{% if matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls %}
|
||||
traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.tls.certResolver={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{#
|
||||
/Matrix Client 3pid registration API endpoint (/_matrix/client/VERSION/register/TYPE/requestToken)
|
||||
#}
|
||||
|
||||
{% endif %}
|
||||
|
||||
{{ matrix_ma1sd_container_labels_additional_labels }}
|
||||
@ -35,6 +35,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
|
||||
{% endif %}
|
||||
--mount type=bind,src={{ matrix_ma1sd_config_path }},dst=/etc/ma1sd,ro \
|
||||
--mount type=bind,src={{ matrix_ma1sd_data_path }},dst=/var/ma1sd \
|
||||
--label-file={{ matrix_ma1sd_base_path }}/labels \
|
||||
{% for arg in matrix_ma1sd_container_extra_arguments %}
|
||||
{{ arg }} \
|
||||
{% endfor %}
|
||||
|
||||
@ -228,37 +228,6 @@ matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false
|
||||
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
|
||||
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081"
|
||||
|
||||
# Controls whether proxying for the User Directory Search API (`/_matrix/client/r0/user_directory/search`) should be done (on the matrix domain).
|
||||
# This can be used to forward the API endpoint to another service, augmenting the functionality of Synapse's own User Directory Search.
|
||||
# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/directory.md
|
||||
matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false
|
||||
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"
|
||||
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"
|
||||
|
||||
# Controls whether the user directory search API will be URL-rewritten (/_matrix/client/v3/user_directory/search -> /_matrix/client/r0/user_directory/search).
|
||||
# This is to assist identity servers which only handle the r0 endpoints.
|
||||
# The v3 endpoints are the same (spec-wise), so they can usually be redirected without downsides.
|
||||
# If this is disabled, API requests will be forwarded as-is, without any URL rewriting.
|
||||
matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled: true
|
||||
|
||||
# Controls whether proxying for 3PID-based registration (`/_matrix/client/r0/register/(email|msisdn)/requestToken`) should be done (on the matrix domain).
|
||||
# This allows another service to control registrations involving 3PIDs.
|
||||
# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md
|
||||
matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled: false
|
||||
matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"
|
||||
matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"
|
||||
|
||||
# Controls whether the user directory search API will be URL-rewritten (/_matrix/client/v3/register/(email|msisdn)/requestToken -> /_matrix/client/r0/register/(email|msisdn)/requestToken).
|
||||
# This is to assist identity servers which only handle the r0 endpoints.
|
||||
# The v3 endpoints are the same (spec-wise), so they can usually be redirected without downsides.
|
||||
# If this is disabled, API requests will be forwarded as-is, without any URL rewriting.
|
||||
matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled: true
|
||||
|
||||
# Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain)
|
||||
matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false
|
||||
matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"
|
||||
matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"
|
||||
|
||||
# Controls whether proxying for the media repo (`/_matrix/media`) should be done (on the matrix domain)
|
||||
matrix_nginx_proxy_proxy_media_repo_enabled: false
|
||||
matrix_nginx_proxy_proxy_media_repo_addr_with_container: "matrix-media-repo:{{ matrix_media_repo_port }}"
|
||||
|
||||
@ -51,24 +51,6 @@
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_proxy_matrix_identity_api_enabled %}
|
||||
location ^~ /_matrix/identity {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;
|
||||
set $backend "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}";
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }};
|
||||
{% endif %}
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
|
||||
proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_proxy_media_repo_enabled %}
|
||||
# Redirect all media endpoints to the media-repo
|
||||
location ^~ /_matrix/media {
|
||||
@ -162,53 +144,6 @@
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled %}
|
||||
location ~ ^/_matrix/client/(r0|v3)/user_directory/search {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;
|
||||
set $backend "{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container }}";
|
||||
{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled %}
|
||||
rewrite ^(.*?)/v3/(.*?)$ $1/r0/$2 break;
|
||||
{% endif %}
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled %}
|
||||
rewrite ^(.*?)/v3/(.*?)$ $1/r0/$2 break;
|
||||
{% endif %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container }};
|
||||
{% endif %}
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
{% if matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled %}
|
||||
location ~ ^/_matrix/client/(r0|v3)/register/(email|msisdn)/requestToken$ {
|
||||
{% if matrix_nginx_proxy_enabled %}
|
||||
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
||||
resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;
|
||||
set $backend "{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container }}";
|
||||
{% if matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled %}
|
||||
rewrite ^(.*?)/v3/(.*?)$ $1/r0/$2 break;
|
||||
{% endif %}
|
||||
proxy_pass http://$backend;
|
||||
{% else %}
|
||||
{% if matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled %}
|
||||
rewrite ^(.*?)/v3/(.*?)$ $1/r0/$2 break;
|
||||
{% endif %}
|
||||
{# Generic configuration for use outside of our container setup #}
|
||||
proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container }};
|
||||
{% endif %}
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
|
||||
proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
{% for configuration_block in matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks %}
|
||||
{{- configuration_block }}
|
||||
{% endfor %}
|
||||
|
||||
@ -94,6 +94,17 @@
|
||||
- {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled', 'new': 'matrix_synapse_container_labels_client_synapse_client_api_enabled'}
|
||||
- {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled', 'new': 'matrix_synapse_container_labels_client_synapse_oidc_api_enabled'}
|
||||
- {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled', 'new': 'matrix_synapse_container_labels_client_synapse_admin_api_enabled'}
|
||||
- {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_enabled', 'new': '<superseded by matrix_ma1sd_container_labels_traefik_enabled and matrix_ma1sd_container_labels_matrix_identity_enabled>'}
|
||||
- {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container', 'new': '<removed>'}
|
||||
- {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container', 'new': '<removed>'}
|
||||
- {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled', 'new': '<superseded by matrix_ma1sd_container_labels_traefik_enabled and matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled>'}
|
||||
- {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container', 'new': '<removed>'}
|
||||
- {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container', 'new': '<removed>'}
|
||||
- {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled', 'new': '<superseded by matrix_ma1sd_container_labels_matrix_client_user_directory_search_path>'}
|
||||
- {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled', 'new': 'matrix_ma1sd_container_labels_matrix_client_3pid_registration_enabled'}
|
||||
- {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container', 'new': '<removed>'}
|
||||
- {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container', 'new': '<removed>'}
|
||||
- {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled', 'new': '<superseded by matrix_ma1sd_container_labels_matrix_client_3pid_registration_path>'}
|
||||
|
||||
- name: (Deprecation) Catch and report matrix_postgres variables
|
||||
ansible.builtin.fail:
|
||||
|
||||
Reference in New Issue
Block a user