From b2aeb8cde90ac6c450c8e0751209c80f4267fc56 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Sun, 14 Jan 2024 10:29:38 +0200
Subject: [PATCH] Rename label-related variables for homeservers

We'd be adding integration with an internal Traefik entrypoint (`matrix_playbook_internal_matrix_client_api_traefik_entrypoint`), so renaming helps disambiguate things. There's no need for deperecation tasks, because the old names have only been part of this `bye-bye-nginx-proxy` branch and not used by anyone publicly.
---
 docs/configuring-playbook-synapse-admin.md | 2 +-
 group_vars/matrix_servers | 26 ++--
 roles/custom/matrix-conduit/defaults/main.yml | 56 ++++----
 .../custom/matrix-conduit/templates/labels.j2 | 64 ++++-----
 .../custom/matrix-dendrite/defaults/main.yml | 110 +++++++--------
 .../matrix-dendrite/templates/labels.j2 | 128 +++++++++---------
 .../defaults/main.yml | 80 +++++------
 .../tasks/validate_config.yml | 12 +-
 .../templates/labels.j2 | 100 +++++++-------
 roles/custom/matrix-synapse/defaults/main.yml | 18 +--
 .../external_prometheus.yml.example.j2 | 2 +-
 .../templates/synapse/worker-labels.j2 | 20 +--
 .../tasks/validate_config.yml | 4 +-
 13 files changed, 311 insertions(+), 311 deletions(-)

diff --git a/docs/configuring-playbook-synapse-admin.md b/docs/configuring-playbook-synapse-admin.md
index ffa825614..14bccec1e 100644
--- a/docs/configuring-playbook-synapse-admin.md
+++ b/docs/configuring-playbook-synapse-admin.md
@@ -18,7 +18,7 @@ matrix_synapse_admin_enabled: true
 **Note**: Synapse Admin requires Synapse's [Admin APIs](https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/index.html) to function. Access to them is restricted with a valid access token, so exposing them publicly should not be a real security concern. Still, for additional security, we normally leave them unexposed, following [official Synapse reverse-proxying recommendations](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints). Because Synapse Admin needs these APIs to function, when installing Synapse Admin, the playbook **automatically** exposes the Synapse Admin API publicly for you. Depending on the homeserver implementation you're using (Synapse, Dendrite), this is equivalent to:
 - for Synapse (our default homeserver implementation): `matrix_synapse_container_labels_public_client_synapse_admin_api_enabled: true`
-- for [Dendrite](./configuring-playbook-dendrite.md): `matrix_dendrite_container_labels_client_synapse_admin_api_enabled: true`
+- for [Dendrite](./configuring-playbook-dendrite.md): `matrix_dendrite_container_labels_public_client_synapse_admin_api_enabled: true`
 ## Installing
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 26be1a777..1fc7d3e2a 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -4378,11 +4378,11 @@ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints: "{{
 matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
 matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname: "{{ matrix_server_fqn_matrix }}"
-matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_enabled: "{{ matrix_synapse_container_labels_public_client_synapse_client_api_enabled }}"
-matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_enabled: "{{ matrix_synapse_container_labels_public_client_synapse_oidc_api_enabled }}"
-matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_enabled: "{{ matrix_synapse_container_labels_public_client_synapse_admin_api_enabled }}"
+matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_enabled: "{{ matrix_synapse_container_labels_public_client_synapse_client_api_enabled }}"
+matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_enabled: "{{ matrix_synapse_container_labels_public_client_synapse_oidc_api_enabled }}"
+matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_enabled: "{{ matrix_synapse_container_labels_public_client_synapse_admin_api_enabled }}"
-matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint }}"
+matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint }}"
 matrix_synapse_reverse_proxy_companion_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}"
 matrix_synapse_reverse_proxy_companion_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}"
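Review bot: A stale override of any old name is now ignored without an error, and for the exposure toggles renamed here that fails open: a leftover `matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_enabled: false` has no effect any more, and the `_public_` variable just follows `matrix_synapse_container_labels_public_client_synapse_admin_api_enabled`. The Dendrite hunk at `-4896` has the same exposure for `matrix_dendrite_container_labels_public_client_synapse_admin_api_enabled` (driven by `matrix_synapse_admin_enabled`) and for the renamed metrics basic-auth variables. The commit message says the old names never left this branch; if any tester's inventory may still carry them, a fail-fast task in the affected roles' `validate_config.yml`, looping over old/new pairs with `when: "item.old in vars"`, would turn a silent admin-API exposure into a hard error. Whether the role defaults and templates read the new names consistently cannot be checked from this hunk.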
@@ -4896,15 +4896,15 @@ matrix_dendrite_container_labels_traefik_docker_network: "{{ matrix_playbook_rev
 matrix_dendrite_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
 matrix_dendrite_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
-matrix_dendrite_container_labels_client_synapse_admin_api_enabled: "{{ matrix_synapse_admin_enabled }}"
+matrix_dendrite_container_labels_public_client_synapse_admin_api_enabled: "{{ matrix_synapse_admin_enabled }}"
-matrix_dendrite_container_labels_client_root_redirection_enabled: "{{ matrix_dendrite_container_labels_client_root_redirection_url != '' }}"
-matrix_dendrite_container_labels_client_root_redirection_url: "{{ (('https://' if matrix_playbook_ssl_enabled else 'http://') + matrix_server_fqn_element) if matrix_client_element_enabled else '' }}"
+matrix_dendrite_container_labels_public_client_root_redirection_enabled: "{{ matrix_dendrite_container_labels_public_client_root_redirection_url != '' }}"
+matrix_dendrite_container_labels_public_client_root_redirection_url: "{{ (('https://' if matrix_playbook_ssl_enabled else 'http://') + matrix_server_fqn_element) if matrix_client_element_enabled else '' }}"
-matrix_dendrite_container_labels_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint }}"
+matrix_dendrite_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint }}"
-matrix_dendrite_container_labels_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}"
-matrix_dendrite_container_labels_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}"
+matrix_dendrite_container_labels_public_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}"
+matrix_dendrite_container_labels_public_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}"
 matrix_dendrite_container_extra_arguments_auto: "{{ matrix_homeserver_container_extra_arguments_auto }}"
@@ -4987,10 +4987,10 @@ matrix_conduit_container_labels_traefik_docker_network: "{{ matrix_playbook_reve
 matrix_conduit_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
 matrix_conduit_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
-matrix_conduit_container_labels_client_root_redirection_enabled: "{{ matrix_conduit_container_labels_client_root_redirection_url != '' }}"
-matrix_conduit_container_labels_client_root_redirection_url: "{{ (('https://' if matrix_playbook_ssl_enabled else 'http://') + matrix_server_fqn_element) if matrix_client_element_enabled else '' }}"
+matrix_conduit_container_labels_public_client_root_redirection_enabled: "{{ matrix_conduit_container_labels_public_client_root_redirection_url != '' }}"
+matrix_conduit_container_labels_public_client_root_redirection_url: "{{ (('https://' if matrix_playbook_ssl_enabled else 'http://') + matrix_server_fqn_element) if matrix_client_element_enabled else '' }}"
-matrix_conduit_container_labels_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint }}"
+matrix_conduit_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint }}"
 # Even if TURN doesn't support TLS (it does by default),
 # it doesn't hurt to try a secure connection anyway.
diff --git a/roles/custom/matrix-conduit/defaults/main.yml b/roles/custom/matrix-conduit/defaults/main.yml
index 8ac432bca..15421dec1 100644
--- a/roles/custom/matrix-conduit/defaults/main.yml
+++ b/roles/custom/matrix-conduit/defaults/main.yml
@@ -49,36 +49,36 @@ matrix_conduit_container_labels_traefik_docker_network: "{{ matrix_conduit_conta
 matrix_conduit_container_labels_traefik_entrypoints: web-secure
 matrix_conduit_container_labels_traefik_tls_certResolver: default # noqa var-naming
-# Controls whether labels will be added for handling the root (/) path
-matrix_conduit_container_labels_client_root_enabled: true
-matrix_conduit_container_labels_client_root_traefik_hostname: "{{ matrix_conduit_hostname }}"
-matrix_conduit_container_labels_client_root_traefik_rule: "Host(`{{ matrix_conduit_container_labels_client_root_traefik_hostname }}`) && Path(`/`)"
-matrix_conduit_container_labels_client_root_traefik_priority: 0
-matrix_conduit_container_labels_client_root_traefik_entrypoints: "{{ matrix_conduit_container_labels_traefik_entrypoints }}"
-matrix_conduit_container_labels_client_root_traefik_tls: "{{ matrix_conduit_container_labels_client_root_traefik_entrypoints != 'web' }}"
-matrix_conduit_container_labels_client_root_traefik_tls_certResolver: "{{ matrix_conduit_container_labels_traefik_tls_certResolver }}" # noqa var-naming
-matrix_conduit_container_labels_client_root_redirection_enabled: false
-matrix_conduit_container_labels_client_root_redirection_url: ""
+# Controls whether labels will be added for handling the root (/) path on a public Traefik entrypoint.
+matrix_conduit_container_labels_public_client_root_enabled: true
+matrix_conduit_container_labels_public_client_root_traefik_hostname: "{{ matrix_conduit_hostname }}"
+matrix_conduit_container_labels_public_client_root_traefik_rule: "Host(`{{ matrix_conduit_container_labels_public_client_root_traefik_hostname }}`) && Path(`/`)"
+matrix_conduit_container_labels_public_client_root_traefik_priority: 0
+matrix_conduit_container_labels_public_client_root_traefik_entrypoints: "{{ matrix_conduit_container_labels_traefik_entrypoints }}"
+matrix_conduit_container_labels_public_client_root_traefik_tls: "{{ matrix_conduit_container_labels_public_client_root_traefik_entrypoints != 'web' }}"
+matrix_conduit_container_labels_public_client_root_traefik_tls_certResolver: "{{ matrix_conduit_container_labels_traefik_tls_certResolver }}" # noqa var-naming
+matrix_conduit_container_labels_public_client_root_redirection_enabled: false
+matrix_conduit_container_labels_public_client_root_redirection_url: ""
-# Controls whether labels will be added that expose the Client-Server API.
-matrix_conduit_container_labels_client_api_enabled: true
-matrix_conduit_container_labels_client_api_traefik_hostname: "{{ matrix_conduit_hostname }}"
-matrix_conduit_container_labels_client_api_traefik_path_prefix: /_matrix
-matrix_conduit_container_labels_client_api_traefik_rule: "Host(`{{ matrix_conduit_container_labels_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_conduit_container_labels_client_api_traefik_path_prefix }}`)"
-matrix_conduit_container_labels_client_api_traefik_priority: 0
-matrix_conduit_container_labels_client_api_traefik_entrypoints: "{{ matrix_conduit_container_labels_traefik_entrypoints }}"
-matrix_conduit_container_labels_client_api_traefik_tls: "{{ matrix_conduit_container_labels_client_api_traefik_entrypoints != 'web' }}"
-matrix_conduit_container_labels_client_api_traefik_tls_certResolver: "{{ matrix_conduit_container_labels_traefik_tls_certResolver }}" # noqa var-naming
+# Controls whether labels will be added that expose the Client-Server API on a public Traefik entrypoint.
+matrix_conduit_container_labels_public_client_api_enabled: true
+matrix_conduit_container_labels_public_client_api_traefik_hostname: "{{ matrix_conduit_hostname }}"
+matrix_conduit_container_labels_public_client_api_traefik_path_prefix: /_matrix
+matrix_conduit_container_labels_public_client_api_traefik_rule: "Host(`{{ matrix_conduit_container_labels_public_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_conduit_container_labels_public_client_api_traefik_path_prefix }}`)"
+matrix_conduit_container_labels_public_client_api_traefik_priority: 0
+matrix_conduit_container_labels_public_client_api_traefik_entrypoints: "{{ matrix_conduit_container_labels_traefik_entrypoints }}"
+matrix_conduit_container_labels_public_client_api_traefik_tls: "{{ matrix_conduit_container_labels_public_client_api_traefik_entrypoints != 'web' }}"
+matrix_conduit_container_labels_public_client_api_traefik_tls_certResolver: "{{ matrix_conduit_container_labels_traefik_tls_certResolver }}" # noqa var-naming
-# Controls whether labels will be added that expose the Server-Server API (Federation API).
-matrix_conduit_container_labels_federation_api_enabled: "{{ matrix_conduit_allow_federation }}"
-matrix_conduit_container_labels_federation_api_traefik_hostname: "{{ matrix_conduit_hostname }}"
-matrix_conduit_container_labels_federation_api_traefik_path_prefix: /_matrix
-matrix_conduit_container_labels_federation_api_traefik_rule: "Host(`{{ matrix_conduit_container_labels_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_conduit_container_labels_federation_api_traefik_path_prefix }}`)"
-matrix_conduit_container_labels_federation_api_traefik_priority: 0
-matrix_conduit_container_labels_federation_api_traefik_entrypoints: ''
-matrix_conduit_container_labels_federation_api_traefik_tls: "{{ matrix_conduit_container_labels_federation_api_traefik_entrypoints != 'web' }}"
-matrix_conduit_container_labels_federation_api_traefik_tls_certResolver: "{{ matrix_conduit_container_labels_traefik_tls_certResolver }}" # noqa var-naming
+# Controls whether labels will be added that expose the Server-Server API (Federation API) on a public Traefik entrypoint.
+matrix_conduit_container_labels_public_federation_api_enabled: "{{ matrix_conduit_allow_federation }}"
+matrix_conduit_container_labels_public_federation_api_traefik_hostname: "{{ matrix_conduit_hostname }}"
+matrix_conduit_container_labels_public_federation_api_traefik_path_prefix: /_matrix
+matrix_conduit_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_conduit_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_conduit_container_labels_public_federation_api_traefik_path_prefix }}`)"
+matrix_conduit_container_labels_public_federation_api_traefik_priority: 0
+matrix_conduit_container_labels_public_federation_api_traefik_entrypoints: ''
+matrix_conduit_container_labels_public_federation_api_traefik_tls: "{{ matrix_conduit_container_labels_public_federation_api_traefik_entrypoints != 'web' }}"
+matrix_conduit_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_conduit_container_labels_traefik_tls_certResolver }}" # noqa var-naming
 # matrix_conduit_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
 # See `../templates/labels.j2` for details.
diff --git a/roles/custom/matrix-conduit/templates/labels.j2 b/roles/custom/matrix-conduit/templates/labels.j2
index 5f50efb52..7081344a5 100644
--- a/roles/custom/matrix-conduit/templates/labels.j2
+++ b/roles/custom/matrix-conduit/templates/labels.j2
@@ -9,87 +9,87 @@ traefik.http.services.matrix-conduit.loadbalancer.server.port={{ matrix_conduit_ {# - Root path (/) + Public Root path (/) #} -{% if matrix_conduit_container_labels_client_root_enabled %} +{% if matrix_conduit_container_labels_public_client_root_enabled %} {% set client_root_middlewares = [] %} -{% if matrix_conduit_container_labels_client_root_redirection_enabled %} +{% if matrix_conduit_container_labels_public_client_root_redirection_enabled %} {% set client_root_middlewares = client_root_middlewares + ['matrix-conduit-client-root-redirect'] %} traefik.http.middlewares.matrix-conduit-client-root-redirect.redirectregex.regex=(.*) -traefik.http.middlewares.matrix-conduit-client-root-redirect.redirectregex.replacement={{ matrix_conduit_container_labels_client_root_redirection_url }} +traefik.http.middlewares.matrix-conduit-client-root-redirect.redirectregex.replacement={{ matrix_conduit_container_labels_public_client_root_redirection_url }} {% endif %} -traefik.http.routers.matrix-conduit-client-root.rule={{ matrix_conduit_container_labels_client_root_traefik_rule }} +traefik.http.routers.matrix-conduit-client-root.rule={{ matrix_conduit_container_labels_public_client_root_traefik_rule }} traefik.http.routers.matrix-conduit-client-root.middlewares={{ client_root_middlewares | join(',') }} -{% if matrix_conduit_container_labels_client_root_traefik_priority | int > 0 %} -traefik.http.routers.matrix-conduit-client-root.priority={{ matrix_conduit_container_labels_client_root_traefik_priority }} +{% if matrix_conduit_container_labels_public_client_root_traefik_priority | int > 0 %} +traefik.http.routers.matrix-conduit-client-root.priority={{ matrix_conduit_container_labels_public_client_root_traefik_priority }} {% endif %} traefik.http.routers.matrix-conduit-client-root.service=matrix-conduit -traefik.http.routers.matrix-conduit-client-root.entrypoints={{ matrix_conduit_container_labels_client_root_traefik_entrypoints }} 
-traefik.http.routers.matrix-conduit-client-root.tls={{ matrix_conduit_container_labels_client_root_traefik_tls | to_json }} +traefik.http.routers.matrix-conduit-client-root.entrypoints={{ matrix_conduit_container_labels_public_client_root_traefik_entrypoints }} +traefik.http.routers.matrix-conduit-client-root.tls={{ matrix_conduit_container_labels_public_client_root_traefik_tls | to_json }} -{% if matrix_conduit_container_labels_client_root_traefik_tls %} -traefik.http.routers.matrix-conduit-client-root.tls.certResolver={{ matrix_conduit_container_labels_client_root_traefik_tls_certResolver }} +{% if matrix_conduit_container_labels_public_client_root_traefik_tls %} +traefik.http.routers.matrix-conduit-client-root.tls.certResolver={{ matrix_conduit_container_labels_public_client_root_traefik_tls_certResolver }} {% endif %} {% endif %} {# - /Root path (/) + /Public Root path (/) #} {# - Client-API (/_matrix) + Public Client-API (/_matrix) #} -{% if matrix_conduit_container_labels_client_api_enabled %} +{% if matrix_conduit_container_labels_public_client_api_enabled %} -traefik.http.routers.matrix-conduit-client-api.rule={{ matrix_conduit_container_labels_client_api_traefik_rule }} +traefik.http.routers.matrix-conduit-client-api.rule={{ matrix_conduit_container_labels_public_client_api_traefik_rule }} -{% if matrix_conduit_container_labels_client_api_traefik_priority | int > 0 %} -traefik.http.routers.matrix-conduit-client-api.priority={{ matrix_conduit_container_labels_client_api_traefik_priority }} +{% if matrix_conduit_container_labels_public_client_api_traefik_priority | int > 0 %} +traefik.http.routers.matrix-conduit-client-api.priority={{ matrix_conduit_container_labels_public_client_api_traefik_priority }} {% endif %} traefik.http.routers.matrix-conduit-client-api.service=matrix-conduit -traefik.http.routers.matrix-conduit-client-api.entrypoints={{ matrix_conduit_container_labels_client_api_traefik_entrypoints }} 
-traefik.http.routers.matrix-conduit-client-api.tls={{ matrix_conduit_container_labels_client_api_traefik_tls | to_json }} +traefik.http.routers.matrix-conduit-client-api.entrypoints={{ matrix_conduit_container_labels_public_client_api_traefik_entrypoints }} +traefik.http.routers.matrix-conduit-client-api.tls={{ matrix_conduit_container_labels_public_client_api_traefik_tls | to_json }} -{% if matrix_conduit_container_labels_client_api_traefik_tls %} -traefik.http.routers.matrix-conduit-client-api.tls.certResolver={{ matrix_conduit_container_labels_client_api_traefik_tls_certResolver }} +{% if matrix_conduit_container_labels_public_client_api_traefik_tls %} +traefik.http.routers.matrix-conduit-client-api.tls.certResolver={{ matrix_conduit_container_labels_public_client_api_traefik_tls_certResolver }} {% endif %} {% endif %} {# - /Client-API (/_matrix) + /Public Client-API (/_matrix) #} {# - Federation-API (/_matrix) + Public Federation-API (/_matrix) #} -{% if matrix_conduit_container_labels_federation_api_enabled %} +{% if matrix_conduit_container_labels_public_federation_api_enabled %} -traefik.http.routers.matrix-conduit-federation-api.rule={{ matrix_conduit_container_labels_federation_api_traefik_rule }} +traefik.http.routers.matrix-conduit-federation-api.rule={{ matrix_conduit_container_labels_public_federation_api_traefik_rule }} -{% if matrix_conduit_container_labels_federation_api_traefik_priority | int > 0 %} -traefik.http.routers.matrix-conduit-federation-api.priority={{ matrix_conduit_container_labels_federation_api_traefik_priority }} +{% if matrix_conduit_container_labels_public_federation_api_traefik_priority | int > 0 %} +traefik.http.routers.matrix-conduit-federation-api.priority={{ matrix_conduit_container_labels_public_federation_api_traefik_priority }} {% endif %} traefik.http.routers.matrix-conduit-federation-api.service=matrix-conduit -traefik.http.routers.matrix-conduit-federation-api.entrypoints={{ 
matrix_conduit_container_labels_federation_api_traefik_entrypoints }} -traefik.http.routers.matrix-conduit-federation-api.tls={{ matrix_conduit_container_labels_federation_api_traefik_tls | to_json }} +traefik.http.routers.matrix-conduit-federation-api.entrypoints={{ matrix_conduit_container_labels_public_federation_api_traefik_entrypoints }} +traefik.http.routers.matrix-conduit-federation-api.tls={{ matrix_conduit_container_labels_public_federation_api_traefik_tls | to_json }} -{% if matrix_conduit_container_labels_federation_api_traefik_tls %} -traefik.http.routers.matrix-conduit-federation-api.tls.certResolver={{ matrix_conduit_container_labels_federation_api_traefik_tls_certResolver }} +{% if matrix_conduit_container_labels_public_federation_api_traefik_tls %} +traefik.http.routers.matrix-conduit-federation-api.tls.certResolver={{ matrix_conduit_container_labels_public_federation_api_traefik_tls_certResolver }} {% endif %} {% endif %} {# - /Federation-API (/_matrix) + /Public Federation-API (/_matrix) #} {% endif %} diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml index e79f0e2e5..d3fa27d3e 100644 --- a/roles/custom/matrix-dendrite/defaults/main.yml +++ b/roles/custom/matrix-dendrite/defaults/main.yml 
@@ -69,71 +69,71 @@ matrix_dendrite_container_labels_traefik_docker_network: "{{ matrix_dendrite_con
 matrix_dendrite_container_labels_traefik_entrypoints: web-secure
 matrix_dendrite_container_labels_traefik_tls_certResolver: default # noqa var-naming
-# Controls whether labels will be added for handling the root (/) path
-matrix_dendrite_container_labels_client_root_enabled: true
-matrix_dendrite_container_labels_client_root_traefik_hostname: "{{ matrix_dendrite_hostname }}"
-matrix_dendrite_container_labels_client_root_traefik_rule: "Host(`{{ matrix_dendrite_container_labels_client_root_traefik_hostname }}`) && Path(`/`)"
-matrix_dendrite_container_labels_client_root_traefik_priority: 0
-matrix_dendrite_container_labels_client_root_traefik_entrypoints: "{{ matrix_dendrite_container_labels_traefik_entrypoints }}"
-matrix_dendrite_container_labels_client_root_traefik_tls: "{{ matrix_dendrite_container_labels_client_root_traefik_entrypoints != 'web' }}"
-matrix_dendrite_container_labels_client_root_traefik_tls_certResolver: "{{ matrix_dendrite_container_labels_traefik_tls_certResolver }}" # noqa var-naming
-matrix_dendrite_container_labels_client_root_redirection_enabled: false
-matrix_dendrite_container_labels_client_root_redirection_url: ""
+# Controls whether labels will be added for handling the root (/) path on a public Traefik entrypoint.
+matrix_dendrite_container_labels_public_client_root_enabled: true
+matrix_dendrite_container_labels_public_client_root_traefik_hostname: "{{ matrix_dendrite_hostname }}"
+matrix_dendrite_container_labels_public_client_root_traefik_rule: "Host(`{{ matrix_dendrite_container_labels_public_client_root_traefik_hostname }}`) && Path(`/`)"
+matrix_dendrite_container_labels_public_client_root_traefik_priority: 0
+matrix_dendrite_container_labels_public_client_root_traefik_entrypoints: "{{ matrix_dendrite_container_labels_traefik_entrypoints }}"
+matrix_dendrite_container_labels_public_client_root_traefik_tls: "{{ matrix_dendrite_container_labels_public_client_root_traefik_entrypoints != 'web' }}"
+matrix_dendrite_container_labels_public_client_root_traefik_tls_certResolver: "{{ matrix_dendrite_container_labels_traefik_tls_certResolver }}" # noqa var-naming
+matrix_dendrite_container_labels_public_client_root_redirection_enabled: false
+matrix_dendrite_container_labels_public_client_root_redirection_url: ""
-# Controls whether labels will be added that expose the Client-Server API.
-matrix_dendrite_container_labels_client_api_enabled: true
-matrix_dendrite_container_labels_client_api_traefik_hostname: "{{ matrix_dendrite_hostname }}"
-matrix_dendrite_container_labels_client_api_traefik_path_prefix: /_matrix
-matrix_dendrite_container_labels_client_api_traefik_rule: "Host(`{{ matrix_dendrite_container_labels_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_dendrite_container_labels_client_api_traefik_path_prefix }}`)"
-matrix_dendrite_container_labels_client_api_traefik_priority: 0
-matrix_dendrite_container_labels_client_api_traefik_entrypoints: "{{ matrix_dendrite_container_labels_traefik_entrypoints }}"
-matrix_dendrite_container_labels_client_api_traefik_tls: "{{ matrix_dendrite_container_labels_client_api_traefik_entrypoints != 'web' }}"
-matrix_dendrite_container_labels_client_api_traefik_tls_certResolver: "{{ matrix_dendrite_container_labels_traefik_tls_certResolver }}" # noqa var-naming
+# Controls whether labels will be added that expose the Client-Server API on a public Traefik entrypoint.
+matrix_dendrite_container_labels_public_client_api_enabled: true
+matrix_dendrite_container_labels_public_client_api_traefik_hostname: "{{ matrix_dendrite_hostname }}"
+matrix_dendrite_container_labels_public_client_api_traefik_path_prefix: /_matrix
+matrix_dendrite_container_labels_public_client_api_traefik_rule: "Host(`{{ matrix_dendrite_container_labels_public_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_dendrite_container_labels_public_client_api_traefik_path_prefix }}`)"
+matrix_dendrite_container_labels_public_client_api_traefik_priority: 0
+matrix_dendrite_container_labels_public_client_api_traefik_entrypoints: "{{ matrix_dendrite_container_labels_traefik_entrypoints }}"
+matrix_dendrite_container_labels_public_client_api_traefik_tls: "{{ matrix_dendrite_container_labels_public_client_api_traefik_entrypoints != 'web' }}"
+matrix_dendrite_container_labels_public_client_api_traefik_tls_certResolver: "{{ matrix_dendrite_container_labels_traefik_tls_certResolver }}" # noqa var-naming
-# Controls whether labels will be added that expose the /_synapse/admin paths.
+# Controls whether labels will be added that expose the /_synapse/admin paths on a public Traefik entrypoint.
 # Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't.
 # Dendrite exposes some admin APIs under a Synapse-specific prefix.
 # See: https://matrix-org.github.io/dendrite/administration/adminapi
-matrix_dendrite_container_labels_client_synapse_admin_api_enabled: false
-matrix_dendrite_container_labels_client_synapse_admin_api_traefik_hostname: "{{ matrix_dendrite_hostname }}"
-matrix_dendrite_container_labels_client_synapse_admin_api_traefik_path_prefix: /_synapse/admin
-matrix_dendrite_container_labels_client_synapse_admin_api_traefik_rule: "Host(`{{ matrix_dendrite_container_labels_client_synapse_admin_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_dendrite_container_labels_client_synapse_admin_api_traefik_path_prefix }}`)"
-matrix_dendrite_container_labels_client_synapse_admin_api_traefik_priority: 0
-matrix_dendrite_container_labels_client_synapse_admin_api_traefik_entrypoints: "{{ matrix_dendrite_container_labels_traefik_entrypoints }}"
-matrix_dendrite_container_labels_client_synapse_admin_api_traefik_tls: "{{ matrix_dendrite_container_labels_client_synapse_admin_api_traefik_entrypoints != 'web' }}"
-matrix_dendrite_container_labels_client_synapse_admin_api_traefik_tls_certResolver: "{{ matrix_dendrite_container_labels_traefik_tls_certResolver }}" # noqa var-naming
+matrix_dendrite_container_labels_public_client_synapse_admin_api_enabled: false
+matrix_dendrite_container_labels_public_client_synapse_admin_api_traefik_hostname: "{{ matrix_dendrite_hostname }}"
+matrix_dendrite_container_labels_public_client_synapse_admin_api_traefik_path_prefix: /_synapse/admin
+matrix_dendrite_container_labels_public_client_synapse_admin_api_traefik_rule: "Host(`{{ matrix_dendrite_container_labels_public_client_synapse_admin_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_dendrite_container_labels_public_client_synapse_admin_api_traefik_path_prefix }}`)"
+matrix_dendrite_container_labels_public_client_synapse_admin_api_traefik_priority: 0
+matrix_dendrite_container_labels_public_client_synapse_admin_api_traefik_entrypoints: "{{ matrix_dendrite_container_labels_traefik_entrypoints }}"
+matrix_dendrite_container_labels_public_client_synapse_admin_api_traefik_tls: "{{ matrix_dendrite_container_labels_public_client_synapse_admin_api_traefik_entrypoints != 'web' }}"
+matrix_dendrite_container_labels_public_client_synapse_admin_api_traefik_tls_certResolver: "{{ matrix_dendrite_container_labels_traefik_tls_certResolver }}" # noqa var-naming
-# Controls whether labels will be added that expose the /_dendrite/admin paths.
+# Controls whether labels will be added that expose the /_dendrite/admin paths on a public Traefik entrypoint.
 # See: https://matrix-org.github.io/dendrite/administration/adminapi
-matrix_dendrite_container_labels_client_dendrite_admin_api_enabled: false
-matrix_dendrite_container_labels_client_dendrite_admin_api_traefik_hostname: "{{ matrix_dendrite_hostname }}"
-matrix_dendrite_container_labels_client_dendrite_admin_api_traefik_path_prefix: /_dendrite/admin
-matrix_dendrite_container_labels_client_dendrite_admin_api_traefik_rule: "Host(`{{ matrix_dendrite_container_labels_client_dendrite_admin_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_dendrite_container_labels_client_dendrite_admin_api_traefik_path_prefix }}`)"
-matrix_dendrite_container_labels_client_dendrite_admin_api_traefik_priority: 0
-matrix_dendrite_container_labels_client_dendrite_admin_api_traefik_entrypoints: "{{ matrix_dendrite_container_labels_traefik_entrypoints }}"
-matrix_dendrite_container_labels_client_dendrite_admin_api_traefik_tls: "{{ matrix_dendrite_container_labels_client_dendrite_admin_api_traefik_entrypoints != 'web' }}"
-matrix_dendrite_container_labels_client_dendrite_admin_api_traefik_tls_certResolver: "{{ matrix_dendrite_container_labels_traefik_tls_certResolver }}" # noqa var-naming
+matrix_dendrite_container_labels_public_client_dendrite_admin_api_enabled: false
+matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_hostname: "{{ matrix_dendrite_hostname }}"
+matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_path_prefix: /_dendrite/admin
+matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_rule: "Host(`{{ matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_path_prefix }}`)"
+matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_priority: 0
+matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_entrypoints: "{{ matrix_dendrite_container_labels_traefik_entrypoints }}"
+matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_tls: "{{ matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_entrypoints != 'web' }}"
+matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_tls_certResolver: "{{ matrix_dendrite_container_labels_traefik_tls_certResolver }}" # noqa var-naming
-# Controls whether labels will be added that expose the Server-Server API (Federation API).
-matrix_dendrite_container_labels_federation_api_enabled: "{{ matrix_dendrite_federation_enabled }}" -matrix_dendrite_container_labels_federation_api_traefik_hostname: "{{ matrix_dendrite_hostname }}" -matrix_dendrite_container_labels_federation_api_traefik_path_prefix: /_matrix -matrix_dendrite_container_labels_federation_api_traefik_rule: "Host(`{{ matrix_dendrite_container_labels_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_dendrite_container_labels_federation_api_traefik_path_prefix }}`)" -matrix_dendrite_container_labels_federation_api_traefik_priority: 0 -matrix_dendrite_container_labels_federation_api_traefik_entrypoints: '' -matrix_dendrite_container_labels_federation_api_traefik_tls: "{{ matrix_dendrite_container_labels_federation_api_traefik_entrypoints != 'web' }}" -matrix_dendrite_container_labels_federation_api_traefik_tls_certResolver: "{{ matrix_dendrite_container_labels_traefik_tls_certResolver }}" # noqa var-naming +# Controls whether labels will be added that expose the Server-Server API (Federation API) on a public Traefik entrypoint. 
+matrix_dendrite_container_labels_public_federation_api_enabled: "{{ matrix_dendrite_federation_enabled }}" +matrix_dendrite_container_labels_public_federation_api_traefik_hostname: "{{ matrix_dendrite_hostname }}" +matrix_dendrite_container_labels_public_federation_api_traefik_path_prefix: /_matrix +matrix_dendrite_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_dendrite_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_dendrite_container_labels_public_federation_api_traefik_path_prefix }}`)" +matrix_dendrite_container_labels_public_federation_api_traefik_priority: 0 +matrix_dendrite_container_labels_public_federation_api_traefik_entrypoints: '' +matrix_dendrite_container_labels_public_federation_api_traefik_tls: "{{ matrix_dendrite_container_labels_public_federation_api_traefik_entrypoints != 'web' }}" +matrix_dendrite_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_dendrite_container_labels_traefik_tls_certResolver }}" # noqa var-naming -# Controls whether labels will be added that expose mautrix-facebook's metrics -matrix_dendrite_container_labels_metrics_enabled: "{{ matrix_dendrite_metrics_enabled and matrix_dendrite_metrics_proxying_enabled }}" -matrix_dendrite_container_labels_metrics_traefik_rule: "Host(`{{ matrix_dendrite_metrics_proxying_hostname }}`) && PathPrefix(`{{ matrix_dendrite_metrics_proxying_path_prefix }}`)" -matrix_dendrite_container_labels_metrics_traefik_priority: 0 -matrix_dendrite_container_labels_metrics_traefik_entrypoints: "{{ matrix_dendrite_container_labels_traefik_entrypoints }}" -matrix_dendrite_container_labels_metrics_traefik_tls: "{{ matrix_dendrite_container_labels_metrics_traefik_entrypoints != 'web' }}" -matrix_dendrite_container_labels_metrics_traefik_tls_certResolver: "{{ matrix_dendrite_container_labels_traefik_tls_certResolver }}" # noqa var-naming -matrix_dendrite_container_labels_metrics_middleware_basic_auth_enabled: false +# Controls 
whether labels will be added that expose Dendrite's metrics on a public Traefik entrypoint. +matrix_dendrite_container_labels_public_metrics_enabled: "{{ matrix_dendrite_metrics_enabled and matrix_dendrite_metrics_proxying_enabled }}" +matrix_dendrite_container_labels_public_metrics_traefik_rule: "Host(`{{ matrix_dendrite_metrics_proxying_hostname }}`) && PathPrefix(`{{ matrix_dendrite_metrics_proxying_path_prefix }}`)" +matrix_dendrite_container_labels_public_metrics_traefik_priority: 0 +matrix_dendrite_container_labels_public_metrics_traefik_entrypoints: "{{ matrix_dendrite_container_labels_traefik_entrypoints }}" +matrix_dendrite_container_labels_public_metrics_traefik_tls: "{{ matrix_dendrite_container_labels_public_metrics_traefik_entrypoints != 'web' }}" +matrix_dendrite_container_labels_public_metrics_traefik_tls_certResolver: "{{ matrix_dendrite_container_labels_traefik_tls_certResolver }}" # noqa var-naming +matrix_dendrite_container_labels_public_metrics_middleware_basic_auth_enabled: false # See: https://doc.traefik.io/traefik/middlewares/http/basicauth/#users -matrix_dendrite_container_labels_metrics_middleware_basic_auth_users: '' +matrix_dendrite_container_labels_public_metrics_middleware_basic_auth_users: '' # matrix_dendrite_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. # See `../templates/labels.j2` for details. diff --git a/roles/custom/matrix-dendrite/templates/labels.j2 b/roles/custom/matrix-dendrite/templates/labels.j2 index ea5945826..626153eb8 100644 --- a/roles/custom/matrix-dendrite/templates/labels.j2 +++ b/roles/custom/matrix-dendrite/templates/labels.j2 
@@ -9,175 +9,175 @@ traefik.http.services.matrix-dendrite.loadbalancer.server.port={{ matrix_dendrit {# - Root path (/) + Public Root path (/) #} -{% if matrix_dendrite_container_labels_client_root_enabled %} +{% if matrix_dendrite_container_labels_public_client_root_enabled %} {% set client_root_middlewares = [] %} -{% if matrix_dendrite_container_labels_client_root_redirection_enabled %} +{% if matrix_dendrite_container_labels_public_client_root_redirection_enabled %} {% set client_root_middlewares = client_root_middlewares + ['matrix-dendrite-client-root-redirect'] %} traefik.http.middlewares.matrix-dendrite-client-root-redirect.redirectregex.regex=(.*) -traefik.http.middlewares.matrix-dendrite-client-root-redirect.redirectregex.replacement={{ matrix_dendrite_container_labels_client_root_redirection_url }} +traefik.http.middlewares.matrix-dendrite-client-root-redirect.redirectregex.replacement={{ matrix_dendrite_container_labels_public_client_root_redirection_url }} {% endif %} -traefik.http.routers.matrix-dendrite-client-root.rule={{ matrix_dendrite_container_labels_client_root_traefik_rule }} +traefik.http.routers.matrix-dendrite-client-root.rule={{ matrix_dendrite_container_labels_public_client_root_traefik_rule }} traefik.http.routers.matrix-dendrite-client-root.middlewares={{ client_root_middlewares | join(',') }} -{% if matrix_dendrite_container_labels_client_root_traefik_priority | int > 0 %} -traefik.http.routers.matrix-dendrite-client-root.priority={{ matrix_dendrite_container_labels_client_root_traefik_priority }} +{% if matrix_dendrite_container_labels_public_client_root_traefik_priority | int > 0 %} +traefik.http.routers.matrix-dendrite-client-root.priority={{ matrix_dendrite_container_labels_public_client_root_traefik_priority }} {% endif %} traefik.http.routers.matrix-dendrite-client-root.service=matrix-dendrite -traefik.http.routers.matrix-dendrite-client-root.entrypoints={{ matrix_dendrite_container_labels_client_root_traefik_entrypoints }} 
-traefik.http.routers.matrix-dendrite-client-root.tls={{ matrix_dendrite_container_labels_client_root_traefik_tls | to_json }} +traefik.http.routers.matrix-dendrite-client-root.entrypoints={{ matrix_dendrite_container_labels_public_client_root_traefik_entrypoints }} +traefik.http.routers.matrix-dendrite-client-root.tls={{ matrix_dendrite_container_labels_public_client_root_traefik_tls | to_json }} -{% if matrix_dendrite_container_labels_client_root_traefik_tls %} -traefik.http.routers.matrix-dendrite-client-root.tls.certResolver={{ matrix_dendrite_container_labels_client_root_traefik_tls_certResolver }} +{% if matrix_dendrite_container_labels_public_client_root_traefik_tls %} +traefik.http.routers.matrix-dendrite-client-root.tls.certResolver={{ matrix_dendrite_container_labels_public_client_root_traefik_tls_certResolver }} {% endif %} {% endif %} {# - /Root path (/) + /Public Root path (/) #} {# - Client-API (/_matrix) + Public Client-API (/_matrix) #} -{% if matrix_dendrite_container_labels_client_api_enabled %} +{% if matrix_dendrite_container_labels_public_client_api_enabled %} -traefik.http.routers.matrix-dendrite-client-api.rule={{ matrix_dendrite_container_labels_client_api_traefik_rule }} +traefik.http.routers.matrix-dendrite-client-api.rule={{ matrix_dendrite_container_labels_public_client_api_traefik_rule }} -{% if matrix_dendrite_container_labels_client_api_traefik_priority | int > 0 %} -traefik.http.routers.matrix-dendrite-client-api.priority={{ matrix_dendrite_container_labels_client_api_traefik_priority }} +{% if matrix_dendrite_container_labels_public_client_api_traefik_priority | int > 0 %} +traefik.http.routers.matrix-dendrite-client-api.priority={{ matrix_dendrite_container_labels_public_client_api_traefik_priority }} {% endif %} traefik.http.routers.matrix-dendrite-client-api.service=matrix-dendrite -traefik.http.routers.matrix-dendrite-client-api.entrypoints={{ matrix_dendrite_container_labels_client_api_traefik_entrypoints }} 
-traefik.http.routers.matrix-dendrite-client-api.tls={{ matrix_dendrite_container_labels_client_api_traefik_tls | to_json }} +traefik.http.routers.matrix-dendrite-client-api.entrypoints={{ matrix_dendrite_container_labels_public_client_api_traefik_entrypoints }} +traefik.http.routers.matrix-dendrite-client-api.tls={{ matrix_dendrite_container_labels_public_client_api_traefik_tls | to_json }} -{% if matrix_dendrite_container_labels_client_api_traefik_tls %} -traefik.http.routers.matrix-dendrite-client-api.tls.certResolver={{ matrix_dendrite_container_labels_client_api_traefik_tls_certResolver }} +{% if matrix_dendrite_container_labels_public_client_api_traefik_tls %} +traefik.http.routers.matrix-dendrite-client-api.tls.certResolver={{ matrix_dendrite_container_labels_public_client_api_traefik_tls_certResolver }} {% endif %} {% endif %} {# - /Client-API (/_matrix) + /Public Client-API (/_matrix) #} {# - Synapse Admin API (/_synapse/admin) + Public Synapse Admin API (/_synapse/admin) #} -{% if matrix_dendrite_container_labels_client_synapse_admin_api_enabled %} +{% if matrix_dendrite_container_labels_public_client_synapse_admin_api_enabled %} -traefik.http.routers.matrix-dendrite-client-synapse-admin-api.rule={{ matrix_dendrite_container_labels_client_synapse_admin_api_traefik_rule }} +traefik.http.routers.matrix-dendrite-client-synapse-admin-api.rule={{ matrix_dendrite_container_labels_public_client_synapse_admin_api_traefik_rule }} -{% if matrix_dendrite_container_labels_client_synapse_admin_api_traefik_priority | int > 0 %} -traefik.http.routers.matrix-dendrite-client-synapse-admin-api.priority={{ matrix_dendrite_container_labels_client_synapse_admin_api_traefik_priority }} +{% if matrix_dendrite_container_labels_public_client_synapse_admin_api_traefik_priority | int > 0 %} +traefik.http.routers.matrix-dendrite-client-synapse-admin-api.priority={{ matrix_dendrite_container_labels_public_client_synapse_admin_api_traefik_priority }} {% endif %} 
traefik.http.routers.matrix-dendrite-client-synapse-admin-api.service=matrix-dendrite -traefik.http.routers.matrix-dendrite-client-synapse-admin-api.entrypoints={{ matrix_dendrite_container_labels_client_synapse_admin_api_traefik_entrypoints }} -traefik.http.routers.matrix-dendrite-client-synapse-admin-api.tls={{ matrix_dendrite_container_labels_client_synapse_admin_api_traefik_tls | to_json }} +traefik.http.routers.matrix-dendrite-client-synapse-admin-api.entrypoints={{ matrix_dendrite_container_labels_public_client_synapse_admin_api_traefik_entrypoints }} +traefik.http.routers.matrix-dendrite-client-synapse-admin-api.tls={{ matrix_dendrite_container_labels_public_client_synapse_admin_api_traefik_tls | to_json }} -{% if matrix_dendrite_container_labels_client_synapse_admin_api_traefik_tls %} -traefik.http.routers.matrix-dendrite-client-synapse-admin-api.tls.certResolver={{ matrix_dendrite_container_labels_client_synapse_admin_api_traefik_tls_certResolver }} +{% if matrix_dendrite_container_labels_public_client_synapse_admin_api_traefik_tls %} +traefik.http.routers.matrix-dendrite-client-synapse-admin-api.tls.certResolver={{ matrix_dendrite_container_labels_public_client_synapse_admin_api_traefik_tls_certResolver }} {% endif %} {% endif %} {# - /Synapse Admin API (/_synapse/admin) + /Public Synapse Admin API (/_synapse/admin) #} {# - Dendrite Admin API (/_dendrite/admin) + Public Dendrite Admin API (/_dendrite/admin) #} -{% if matrix_dendrite_container_labels_client_dendrite_admin_api_enabled %} +{% if matrix_dendrite_container_labels_public_client_dendrite_admin_api_enabled %} -traefik.http.routers.matrix-dendrite-client-synapse-admin-api.rule={{ matrix_dendrite_container_labels_client_dendrite_admin_api_traefik_rule }} +traefik.http.routers.matrix-dendrite-client-synapse-admin-api.rule={{ matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_rule }} -{% if matrix_dendrite_container_labels_client_dendrite_admin_api_traefik_priority | int > 0 %} 
-traefik.http.routers.matrix-dendrite-client-synapse-admin-api.priority={{ matrix_dendrite_container_labels_client_dendrite_admin_api_traefik_priority }} +{% if matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_priority | int > 0 %} +traefik.http.routers.matrix-dendrite-client-synapse-admin-api.priority={{ matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_priority }} {% endif %} traefik.http.routers.matrix-dendrite-client-synapse-admin-api.service=matrix-dendrite -traefik.http.routers.matrix-dendrite-client-synapse-admin-api.entrypoints={{ matrix_dendrite_container_labels_client_dendrite_admin_api_traefik_entrypoints }} -traefik.http.routers.matrix-dendrite-client-synapse-admin-api.tls={{ matrix_dendrite_container_labels_client_dendrite_admin_api_traefik_tls | to_json }} +traefik.http.routers.matrix-dendrite-client-synapse-admin-api.entrypoints={{ matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_entrypoints }} +traefik.http.routers.matrix-dendrite-client-synapse-admin-api.tls={{ matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_tls | to_json }} -{% if matrix_dendrite_container_labels_client_dendrite_admin_api_traefik_tls %} -traefik.http.routers.matrix-dendrite-client-synapse-admin-api.tls.certResolver={{ matrix_dendrite_container_labels_client_dendrite_admin_api_traefik_tls_certResolver }} +{% if matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_tls %} +traefik.http.routers.matrix-dendrite-client-synapse-admin-api.tls.certResolver={{ matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_tls_certResolver }} {% endif %} {% endif %} {# - /Dendrite Admin API (/_dendrite/admin) + /Public Dendrite Admin API (/_dendrite/admin) #} {# - Federation-API (/_matrix) + Public Federation-API (/_matrix) #} -{% if matrix_dendrite_container_labels_federation_api_enabled %} +{% if matrix_dendrite_container_labels_public_federation_api_enabled 
%} -traefik.http.routers.matrix-dendrite-federation-api.rule={{ matrix_dendrite_container_labels_federation_api_traefik_rule }} +traefik.http.routers.matrix-dendrite-federation-api.rule={{ matrix_dendrite_container_labels_public_federation_api_traefik_rule }} -{% if matrix_dendrite_container_labels_federation_api_traefik_priority | int > 0 %} -traefik.http.routers.matrix-dendrite-federation-api.priority={{ matrix_dendrite_container_labels_federation_api_traefik_priority }} +{% if matrix_dendrite_container_labels_public_federation_api_traefik_priority | int > 0 %} +traefik.http.routers.matrix-dendrite-federation-api.priority={{ matrix_dendrite_container_labels_public_federation_api_traefik_priority }} {% endif %} traefik.http.routers.matrix-dendrite-federation-api.service=matrix-dendrite -traefik.http.routers.matrix-dendrite-federation-api.entrypoints={{ matrix_dendrite_container_labels_federation_api_traefik_entrypoints }} -traefik.http.routers.matrix-dendrite-federation-api.tls={{ matrix_dendrite_container_labels_federation_api_traefik_tls | to_json }} +traefik.http.routers.matrix-dendrite-federation-api.entrypoints={{ matrix_dendrite_container_labels_public_federation_api_traefik_entrypoints }} +traefik.http.routers.matrix-dendrite-federation-api.tls={{ matrix_dendrite_container_labels_public_federation_api_traefik_tls | to_json }} -{% if matrix_dendrite_container_labels_federation_api_traefik_tls %} -traefik.http.routers.matrix-dendrite-federation-api.tls.certResolver={{ matrix_dendrite_container_labels_federation_api_traefik_tls_certResolver }} +{% if matrix_dendrite_container_labels_public_federation_api_traefik_tls %} +traefik.http.routers.matrix-dendrite-federation-api.tls.certResolver={{ matrix_dendrite_container_labels_public_federation_api_traefik_tls_certResolver }} {% endif %} {% endif %} {# - /Federation-API (/_matrix) + /Public Federation-API (/_matrix) #} {# - Metrics + Public Metrics #} -{% if matrix_dendrite_container_labels_metrics_enabled %} +{% 
if matrix_dendrite_container_labels_public_metrics_enabled %} {% set metrics_middlewares = [] %} -{% if matrix_dendrite_container_labels_metrics_middleware_basic_auth_enabled %} +{% if matrix_dendrite_container_labels_public_metrics_middleware_basic_auth_enabled %} {% set metrics_middlewares = metrics_middlewares + ['matrix-dendrite-metrics-basic-auth'] %} -traefik.http.middlewares.matrix-dendrite-metrics-basic-auth.basicauth.users={{ matrix_dendrite_container_labels_metrics_middleware_basic_auth_users }} +traefik.http.middlewares.matrix-dendrite-metrics-basic-auth.basicauth.users={{ matrix_dendrite_container_labels_public_metrics_middleware_basic_auth_users }} {% endif %} {% set metrics_middlewares = metrics_middlewares + ['matrix-dendrite-metrics-replacepath'] %} traefik.http.middlewares.matrix-dendrite-metrics-replacepath.replacepath.path=/metrics -traefik.http.routers.matrix-dendrite-metrics.rule={{ matrix_dendrite_container_labels_metrics_traefik_rule }} +traefik.http.routers.matrix-dendrite-metrics.rule={{ matrix_dendrite_container_labels_public_metrics_traefik_rule }} {% if metrics_middlewares | length > 0 %} traefik.http.routers.matrix-dendrite-metrics.middlewares={{ metrics_middlewares | join(',') }} {% endif %} -{% if matrix_dendrite_container_labels_metrics_traefik_priority | int > 0 %} -traefik.http.routers.matrix-dendrite-metrics.priority={{ matrix_dendrite_container_labels_metrics_traefik_priority }} +{% if matrix_dendrite_container_labels_public_metrics_traefik_priority | int > 0 %} +traefik.http.routers.matrix-dendrite-metrics.priority={{ matrix_dendrite_container_labels_public_metrics_traefik_priority }} {% endif %} traefik.http.routers.matrix-dendrite-metrics.service=matrix-dendrite -traefik.http.routers.matrix-dendrite-metrics.entrypoints={{ matrix_dendrite_container_labels_metrics_traefik_entrypoints }} +traefik.http.routers.matrix-dendrite-metrics.entrypoints={{ matrix_dendrite_container_labels_public_metrics_traefik_entrypoints }} 
-traefik.http.routers.matrix-dendrite-metrics.tls={{ matrix_dendrite_container_labels_metrics_traefik_tls | to_json }} -{% if matrix_dendrite_container_labels_metrics_traefik_tls %} -traefik.http.routers.matrix-dendrite-metrics.tls.certResolver={{ matrix_dendrite_container_labels_metrics_traefik_tls_certResolver }} +traefik.http.routers.matrix-dendrite-metrics.tls={{ matrix_dendrite_container_labels_public_metrics_traefik_tls | to_json }} +{% if matrix_dendrite_container_labels_public_metrics_traefik_tls %} +traefik.http.routers.matrix-dendrite-metrics.tls.certResolver={{ matrix_dendrite_container_labels_public_metrics_traefik_tls_certResolver }} {% endif %} {% endif %} {# - /Metrics + /Public Metrics #} {% endif %} diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml index 7f61d58e1..65a15aff9 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml 
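Review bot: The `Public Dendrite Admin API (/_dendrite/admin)` block still writes all of its labels under the router name `matrix-dendrite-client-synapse-admin-api`, the same name the `Public Synapse Admin API (/_synapse/admin)` block above it uses, and the rename leaves that unchanged. With both `matrix_dendrite_container_labels_public_client_synapse_admin_api_enabled` and `matrix_dendrite_container_labels_public_client_dendrite_admin_api_enabled` set, the rendered label file carries two values for each of those keys, so only one of the two admin rules can end up on the router; which one wins depends on how the file is consumed, which is not visible here. Both admin surfaces default to unexposed, so the routed path should follow the variables exactly. I would give the second block its own router name, for example `matrix-dendrite-client-dendrite-admin-api`, as below.

```jinja
{% if matrix_dendrite_container_labels_public_client_dendrite_admin_api_enabled %}
traefik.http.routers.matrix-dendrite-client-dendrite-admin-api.rule={{ matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_rule }}
{# … unchanged: `..._traefik_priority | int > 0` guard around the next line … #}
traefik.http.routers.matrix-dendrite-client-dendrite-admin-api.priority={{ matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_priority }}
traefik.http.routers.matrix-dendrite-client-dendrite-admin-api.service=matrix-dendrite
traefik.http.routers.matrix-dendrite-client-dendrite-admin-api.entrypoints={{ matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_entrypoints }}
traefik.http.routers.matrix-dendrite-client-dendrite-admin-api.tls={{ matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_tls | to_json }}
{# … unchanged: `..._traefik_tls` guard around the next line … #}
traefik.http.routers.matrix-dendrite-client-dendrite-admin-api.tls.certResolver={{ matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_tls_certResolver }}
```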
@@ -62,56 +62,56 @@ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname: '' # Controls whether labels will be added that expose the Client-Server API. -matrix_synapse_reverse_proxy_companion_container_labels_client_api_enabled: true -matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}" -matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_path_prefix: /_matrix -matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_path_prefix }}`)" -matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_priority: 0 -matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}" -matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_entrypoints != 'web' }}" -matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming +matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_enabled: true +matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}" +matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_path_prefix: /_matrix +matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_rule: 
"Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_path_prefix }}`)" +matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_priority: 0 +matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}" +matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_entrypoints != 'web' }}" +matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming # Controls whether labels will be added that expose the /_synapse/client paths -matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_enabled: true -matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}" -matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_path_prefix: /_synapse/client -matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_path_prefix }}`)" -matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_priority: 0 -matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_entrypoints: "{{ 
matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}" -matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_entrypoints != 'web' }}" -matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming +matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_enabled: true +matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}" +matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_path_prefix: /_synapse/client +matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_path_prefix }}`)" +matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_priority: 0 +matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}" +matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_entrypoints != 'web' }}" +matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_tls_certResolver: "{{ 
matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming # Controls whether labels will be added that expose the /_synapse/oidc paths # Enable this if you need OpenID Connect authentication support. -matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_enabled: false -matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}" -matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_path_prefix: /_synapse/oidc -matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_path_prefix }}`)" -matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_priority: 0 -matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}" -matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_entrypoints != 'web' }}" -matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming +matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_enabled: false +matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}" 
+matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_path_prefix: /_synapse/oidc +matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_path_prefix }}`)" +matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_priority: 0 +matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}" +matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_entrypoints != 'web' }}" +matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming # Controls whether labels will be added that expose the /_synapse/admin paths # Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't. 
-matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_enabled: false -matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}" -matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_path_prefix: /_synapse/admin -matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_path_prefix }}`)" -matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_priority: 0 -matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}" -matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_entrypoints != 'web' }}" -matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming +matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_enabled: false +matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}" +matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_path_prefix: /_synapse/admin +matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_rule: "Host(`{{ 
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_path_prefix }}`)" +matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_priority: 0 +matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}" +matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_entrypoints != 'web' }}" +matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming # Controls whether labels will be added that expose the Server-Server API (Federation API). 
-matrix_synapse_reverse_proxy_companion_container_labels_federation_api_enabled: "{{ matrix_synapse_reverse_proxy_companion_federation_api_enabled }}" -matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}" -matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_path_prefix: /_matrix -matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_path_prefix }}`)" -matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_priority: 0 -matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_entrypoints: '' -matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_entrypoints != 'web' }}" -matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming +matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_enabled: "{{ matrix_synapse_reverse_proxy_companion_federation_api_enabled }}" +matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}" +matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_path_prefix: /_matrix +matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ 
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_path_prefix }}`)" +matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_priority: 0 +matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_entrypoints: '' +matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_entrypoints != 'web' }}" +matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming # matrix_synapse_reverse_proxy_companion_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. # See `../templates/labels.j2` for details. diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/validate_config.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/validate_config.yml index 5b5ac0b72..58c885f64 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/validate_config.yml +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/validate_config.yml 
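Review bot: The comments above the renamed groups in this hunk still read `expose the Client-Server API.`, `expose the /_synapse/admin paths` and so on, while the matching comments in `roles/custom/matrix-dendrite/defaults/main.yml` were updated in this same commit to end with `on a public Traefik entrypoint.`. The `_public_` prefix exists to tell these variables apart from the planned internal entrypoint, so I would carry the same wording over here, e.g. `# Controls whether labels will be added that expose the /_synapse/admin paths on a public Traefik entrypoint.`. It matters most for the admin API group, where the comment is what tells an operator that enabling the flag routes `/_synapse/admin` through the public entrypoint.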
@@ -8,11 +8,11 @@ with_items: - {'name': 'matrix_synapse_reverse_proxy_companion_container_network', when: true} - - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_enabled }}"} + - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_enabled }}"} - - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_enabled }}"} - - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_enabled }}"} - - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_enabled }}"} + - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_enabled }}"} + - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_enabled }}"} + - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_enabled }}"} - - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_hostname', when: "{{ 
matrix_synapse_reverse_proxy_companion_container_labels_federation_api_enabled }}"} - - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_entrypoints', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_enabled }}"} + - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_enabled }}"} + - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_entrypoints', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_enabled }}"} diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/labels.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/labels.j2 index aeb837539..2ee5303d9 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/labels.j2 +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/labels.j2 
@@ -10,127 +10,127 @@ traefik.http.services.matrix-synapse-reverse-proxy-companion-federation-api.load {# - Client-API (/_matrix) + Public Client-API (/_matrix) #} -{% if matrix_synapse_reverse_proxy_companion_container_labels_client_api_enabled %} +{% if matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_enabled %} -traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.rule={{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_rule }} +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.rule={{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_rule }} -{% if matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_priority | int > 0 %} -traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.priority={{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_priority }} +{% if matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_priority | int > 0 %} +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.priority={{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_priority }} {% endif %} traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.service=matrix-synapse-reverse-proxy-companion-client-api -traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.entrypoints={{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_entrypoints }} -traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.tls={{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_tls | to_json }} +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.entrypoints={{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_entrypoints }} +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.tls={{ 
matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_tls | to_json }} -{% if matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_tls %} -traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.tls.certResolver={{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_tls_certResolver }} +{% if matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_tls %} +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.tls.certResolver={{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_tls_certResolver }} {% endif %} {% endif %} {# - /Client-API (/_matrix) + /Public Client-API (/_matrix) #} {# - Synapse Admin API (/_synapse/client) + Public Synapse Admin API (/_synapse/client) #} -{% if matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_enabled %} +{% if matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_enabled %} -traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-client-api.rule={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_rule }} +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-client-api.rule={{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_rule }} -{% if matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_priority | int > 0 %} -traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-client-api.priority={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_priority }} +{% if matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_priority | int > 0 %} +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-client-api.priority={{ 
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_priority }} {% endif %} traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-client-api.service=matrix-synapse-reverse-proxy-companion-client-api -traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-client-api.entrypoints={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_entrypoints }} -traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-client-api.tls={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_tls | to_json }} +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-client-api.entrypoints={{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_entrypoints }} +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-client-api.tls={{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_tls | to_json }} -{% if matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_tls %} -traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-client-api.tls.certResolver={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_tls_certResolver }} +{% if matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_tls %} +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-client-api.tls.certResolver={{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_tls_certResolver }} {% endif %} {% endif %} {# - /Synapse Admin API (/_synapse/client) + /Public Synapse Admin API (/_synapse/client) #} {# - Synapse OIDC API (/_synapse/oidc) + Public Synapse OIDC API (/_synapse/oidc) #} -{% if 
matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_enabled %} +{% if matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_enabled %} -traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-oidc-api.rule={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_rule }} +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-oidc-api.rule={{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_rule }} -{% if matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_priority | int > 0 %} -traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-oidc-api.priority={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_priority }} +{% if matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_priority | int > 0 %} +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-oidc-api.priority={{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_priority }} {% endif %} traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-oidc-api.service=matrix-synapse-reverse-proxy-companion-client-api -traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-oidc-api.entrypoints={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_entrypoints }} -traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-oidc-api.tls={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_tls | to_json }} +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-oidc-api.entrypoints={{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_entrypoints }} 
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-oidc-api.tls={{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_tls | to_json }} -{% if matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_tls %} -traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-oidc-api.tls.certResolver={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_tls_certResolver }} +{% if matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_tls %} +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-oidc-api.tls.certResolver={{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_traefik_tls_certResolver }} {% endif %} {% endif %} {# - /Synapse OIDC API (/_synapse/oidc) + /Public Synapse OIDC API (/_synapse/oidc) #} {# - Synapse Admin API (/_synapse/admin) + Public Synapse Admin API (/_synapse/admin) #} -{% if matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_enabled %} +{% if matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_enabled %} -traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-admin-api.rule={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_rule }} +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-admin-api.rule={{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_rule }} -{% if matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_priority | int > 0 %} -traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-admin-api.priority={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_priority }} +{% if 
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_priority | int > 0 %} +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-admin-api.priority={{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_priority }} {% endif %} traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-admin-api.service=matrix-synapse-reverse-proxy-companion-client-api -traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-admin-api.entrypoints={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_entrypoints }} -traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-admin-api.tls={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_tls | to_json }} +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-admin-api.entrypoints={{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_entrypoints }} +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-admin-api.tls={{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_tls | to_json }} -{% if matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_tls %} -traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-admin-api.tls.certResolver={{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_tls_certResolver }} +{% if matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_tls %} +traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-synapse-admin-api.tls.certResolver={{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_tls_certResolver }} {% endif %} {% endif %} {# - /Synapse Admin API 
(/_synapse/admin) + /Public Synapse Admin API (/_synapse/admin) #} {# - Federation-API (/_matrix) + Public Federation-API (/_matrix) #} -{% if matrix_synapse_reverse_proxy_companion_container_labels_federation_api_enabled %} +{% if matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_enabled %} -traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.rule={{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_rule }} +traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.rule={{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_rule }} -{% if matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_priority | int > 0 %} -traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.priority={{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_priority }} +{% if matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_priority | int > 0 %} +traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.priority={{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_priority }} {% endif %} traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.service=matrix-synapse-reverse-proxy-companion-federation-api -traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.entrypoints={{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_entrypoints }} -traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.tls={{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_tls | to_json }} +traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.entrypoints={{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_entrypoints }} 
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.tls={{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_tls | to_json }} -{% if matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_tls %} -traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.tls.certResolver={{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_tls_certResolver }} +{% if matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_tls %} +traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.tls.certResolver={{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_tls_certResolver }} {% endif %} {% endif %} {# - /Federation-API (/_matrix) + /Public Federation-API (/_matrix) #} {% endif %} diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 2f9215508..96f581cf0 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml 
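Review bot: The section comment for the `/_synapse/client` router still reads `Synapse Admin API`, so the new side of this template has two blocks headed `Public Synapse Admin API`, one for `/_synapse/client` and one for `/_synapse/admin`. The admin router is the one an operator most needs to find when checking what is exposed, so the first header and its closing counterpart should read `Public Synapse Client API (/_synapse/client)` and `/Public Synapse Client API (/_synapse/client)`. Only the two comment lines need to change. The outer `{% if %}` that the final `{% endif %}` closes opens above this hunk.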
@@ -712,17 +712,17 @@ matrix_synapse_worker_container_labels_traefik_tls_certResolver: "{{ matrix_syna matrix_synapse_worker_container_labels_traefik_hostname: "{{ matrix_synapse_container_labels_traefik_hostname }}" # Controls whether labels will be added that expose metrics (see `matrix_synapse_metrics_proxying_enabled`) -matrix_synapse_worker_container_labels_metrics_enabled: "{{ matrix_synapse_metrics_enabled and matrix_synapse_metrics_proxying_enabled }}" +matrix_synapse_worker_container_labels_public_metrics_enabled: "{{ matrix_synapse_metrics_enabled and matrix_synapse_metrics_proxying_enabled }}" # The `__WORKER_ID__` placeholder will be replaced with the actual worker id during label-file generation (see `../templates/worker-labels.j2`). -matrix_synapse_worker_container_labels_metrics_traefik_path: "{{ matrix_synapse_metrics_proxying_path_prefix }}/__WORKER_ID__" -matrix_synapse_worker_container_labels_metrics_traefik_rule: "Host(`{{ matrix_synapse_metrics_proxying_hostname }}`) && Path(`{{ matrix_synapse_worker_container_labels_metrics_traefik_path }}`)" -matrix_synapse_worker_container_labels_metrics_traefik_priority: 0 -matrix_synapse_worker_container_labels_metrics_traefik_entrypoints: "{{ matrix_synapse_container_labels_traefik_entrypoints }}" -matrix_synapse_worker_container_labels_metrics_traefik_tls: "{{ matrix_synapse_container_labels_public_metrics_traefik_entrypoints != 'web' }}" -matrix_synapse_worker_container_labels_metrics_traefik_tls_certResolver: "{{ matrix_synapse_container_labels_traefik_tls_certResolver }}" # noqa var-naming -matrix_synapse_worker_container_labels_metrics_middleware_basic_auth_enabled: "{{ matrix_synapse_container_labels_public_metrics_middleware_basic_auth_enabled }}" +matrix_synapse_worker_container_labels_public_metrics_traefik_path: "{{ matrix_synapse_metrics_proxying_path_prefix }}/__WORKER_ID__" +matrix_synapse_worker_container_labels_public_metrics_traefik_rule: "Host(`{{ matrix_synapse_metrics_proxying_hostname 
}}`) && Path(`{{ matrix_synapse_worker_container_labels_public_metrics_traefik_path }}`)" +matrix_synapse_worker_container_labels_public_metrics_traefik_priority: 0 +matrix_synapse_worker_container_labels_public_metrics_traefik_entrypoints: "{{ matrix_synapse_container_labels_traefik_entrypoints }}" +matrix_synapse_worker_container_labels_public_metrics_traefik_tls: "{{ matrix_synapse_container_labels_public_metrics_traefik_entrypoints != 'web' }}" +matrix_synapse_worker_container_labels_public_metrics_traefik_tls_certResolver: "{{ matrix_synapse_container_labels_traefik_tls_certResolver }}" # noqa var-naming +matrix_synapse_worker_container_labels_public_metrics_middleware_basic_auth_enabled: "{{ matrix_synapse_container_labels_public_metrics_middleware_basic_auth_enabled }}" # See: https://doc.traefik.io/traefik/middlewares/http/basicauth/#users -matrix_synapse_worker_container_labels_metrics_middleware_basic_auth_users: "{{ matrix_synapse_container_labels_public_metrics_middleware_basic_auth_users }}" +matrix_synapse_worker_container_labels_public_metrics_middleware_basic_auth_users: "{{ matrix_synapse_container_labels_public_metrics_middleware_basic_auth_users }}" # matrix_synapse_worker_container_labels_additional_labels contains a multiline string with additional labels to add to the label files for Synapse worker containers. # See `../templates/labels.j2` for details. diff --git a/roles/custom/matrix-synapse/templates/synapse/prometheus/external_prometheus.yml.example.j2 b/roles/custom/matrix-synapse/templates/synapse/prometheus/external_prometheus.yml.example.j2 index ec0ebd9d7..de39e36fa 100644 --- a/roles/custom/matrix-synapse/templates/synapse/prometheus/external_prometheus.yml.example.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/prometheus/external_prometheus.yml.example.j2 
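Review bot: `matrix_synapse_worker_container_labels_public_metrics_traefik_tls` is computed from `matrix_synapse_container_labels_public_metrics_traefik_entrypoints`, but the worker router's entrypoints come from a different variable, `matrix_synapse_worker_container_labels_public_metrics_traefik_entrypoints` (itself set from `matrix_synapse_container_labels_traefik_entrypoints`). If an operator overrides either one, the TLS flag and the entrypoint the metrics router is attached to can disagree, which matters for an endpoint that relies on basic auth. Deriving the flag from the worker's own variable, as the companion role's defaults do for their routers, keeps the two in step: `matrix_synapse_worker_container_labels_public_metrics_traefik_tls: "{{ matrix_synapse_worker_container_labels_public_metrics_traefik_entrypoints != 'web' }}"`. If inheriting from the main process is intended, a one-line comment saying so would help.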
@@ -27,7 +27,7 @@ scrape_configs: - job_name: '{{ worker.name }}' metrics_path: /metrics/synapse/worker/{{ worker.id }} scheme: https -{% if matrix_synapse_worker_container_labels_metrics_middleware_basic_auth_enabled|default(true) %} +{% if matrix_synapse_worker_container_labels_public_metrics_middleware_basic_auth_enabled|default(true) %} basic_auth: username: prometheus password_file: /path/to/your/passwordfile.pwd diff --git a/roles/custom/matrix-synapse/templates/synapse/worker-labels.j2 b/roles/custom/matrix-synapse/templates/synapse/worker-labels.j2 index aa885701f..35ef12da1 100644 --- a/roles/custom/matrix-synapse/templates/synapse/worker-labels.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/worker-labels.j2 
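Review bot: The `|default(true)` on `matrix_synapse_worker_container_labels_public_metrics_middleware_basic_auth_enabled` hides an undefined variable, so a stale or misspelled name would render the `basic_auth` block regardless of the real setting, and a missed rename of the kind this commit performs would go unnoticed here. The variable is defined in the role's `defaults/main.yml` in this same commit, so the filter looks unnecessary: `{% if matrix_synapse_worker_container_labels_public_metrics_middleware_basic_auth_enabled %}`. If this example can be rendered where the role defaults are not loaded, keep the filter and add a comment saying why. The enclosing worker loop starts and ends outside the hunk.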
@@ -10,34 +10,34 @@ traefik.http.services.{{ matrix_synapse_worker_container_name }}-metrics.loadbal {# Metrics (e.g. /metrics/synapse/__WORKER_ID__) #} -{% if matrix_synapse_worker_container_labels_metrics_enabled %} +{% if matrix_synapse_worker_container_labels_public_metrics_enabled %} {% set metrics_middlewares = [] %} -{% if matrix_synapse_worker_container_labels_metrics_middleware_basic_auth_enabled %} +{% if matrix_synapse_worker_container_labels_public_metrics_middleware_basic_auth_enabled %} {% set metrics_middlewares = metrics_middlewares + [matrix_synapse_worker_container_name + '-metrics-basic-auth'] %} -traefik.http.middlewares.{{ matrix_synapse_worker_container_name }}-metrics-basic-auth.basicauth.users={{ matrix_synapse_worker_container_labels_metrics_middleware_basic_auth_users }} +traefik.http.middlewares.{{ matrix_synapse_worker_container_name }}-metrics-basic-auth.basicauth.users={{ matrix_synapse_worker_container_labels_public_metrics_middleware_basic_auth_users }} {% endif %} {% set metrics_middlewares = metrics_middlewares + [matrix_synapse_worker_container_name + '-metrics-replacepath'] %} traefik.http.middlewares.{{ matrix_synapse_worker_container_name }}-metrics-replacepath.replacepath.path=/_synapse/metrics -traefik.http.routers.{{ matrix_synapse_worker_container_name }}-metrics.rule={{ matrix_synapse_worker_container_labels_metrics_traefik_rule | replace('__WORKER_ID__', matrix_synapse_worker_details.id) }} +traefik.http.routers.{{ matrix_synapse_worker_container_name }}-metrics.rule={{ matrix_synapse_worker_container_labels_public_metrics_traefik_rule | replace('__WORKER_ID__', matrix_synapse_worker_details.id) }} {% if metrics_middlewares | length > 0 %} traefik.http.routers.{{ matrix_synapse_worker_container_name }}-metrics.middlewares={{ metrics_middlewares | join(',') }} {% endif %} -{% if matrix_synapse_worker_container_labels_metrics_traefik_priority | int > 0 %} -traefik.http.routers.{{ matrix_synapse_worker_container_name 
}}-metrics.priority={{ matrix_synapse_worker_container_labels_metrics_traefik_priority }} +{% if matrix_synapse_worker_container_labels_public_metrics_traefik_priority | int > 0 %} +traefik.http.routers.{{ matrix_synapse_worker_container_name }}-metrics.priority={{ matrix_synapse_worker_container_labels_public_metrics_traefik_priority }} {% endif %} traefik.http.routers.{{ matrix_synapse_worker_container_name }}-metrics.service={{ matrix_synapse_worker_container_name }}-metrics -traefik.http.routers.{{ matrix_synapse_worker_container_name }}-metrics.entrypoints={{ matrix_synapse_worker_container_labels_metrics_traefik_entrypoints }} +traefik.http.routers.{{ matrix_synapse_worker_container_name }}-metrics.entrypoints={{ matrix_synapse_worker_container_labels_public_metrics_traefik_entrypoints }} -traefik.http.routers.{{ matrix_synapse_worker_container_name }}-metrics.tls={{ matrix_synapse_worker_container_labels_metrics_traefik_tls | to_json }} -{% if matrix_synapse_worker_container_labels_metrics_traefik_tls %} -traefik.http.routers.{{ matrix_synapse_worker_container_name }}-metrics.tls.certResolver={{ matrix_synapse_worker_container_labels_metrics_traefik_tls_certResolver }} +traefik.http.routers.{{ matrix_synapse_worker_container_name }}-metrics.tls={{ matrix_synapse_worker_container_labels_public_metrics_traefik_tls | to_json }} +{% if matrix_synapse_worker_container_labels_public_metrics_traefik_tls %} +traefik.http.routers.{{ matrix_synapse_worker_container_name }}-metrics.tls.certResolver={{ matrix_synapse_worker_container_labels_public_metrics_traefik_tls_certResolver }} {% endif %} {% endif %} diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index fbb24d543..79c2b3901 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml 
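Review bot: The guard `{% if metrics_middlewares | length > 0 %}` can never be false, because the `-metrics-replacepath` middleware is appended to `metrics_middlewares` unconditionally just above it. Either drop the guard or add a comment such as `{# always non-empty: replacepath is appended unconditionally #}`, so that someone checking whether the basic-auth middleware is attached to the metrics router does not have to work out which branches can run. The service label lines before the `Metrics` comment are outside this hunk.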
@@ -107,7 +107,7 @@ - {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled', 'new': ''} - {'old': 'matrix_nginx_proxy_proxy_conduit_enabled', 'new': 'matrix_conduit_container_labels_traefik_enabled'} - {'old': 'matrix_nginx_proxy_proxy_conduit_block_federation_api_on_client_port', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_conduit_federation_api_enabled', 'new': 'matrix_conduit_container_labels_federation_api_enabled'} + - {'old': 'matrix_nginx_proxy_proxy_conduit_federation_api_enabled', 'new': 'matrix_conduit_container_labels_public_federation_api_enabled'} - {'old': 'matrix_nginx_proxy_proxy_conduit_client_api_addr_with_container', 'new': ''} - {'old': 'matrix_nginx_proxy_proxy_conduit_client_api_addr_sans_container', 'new': ''} - {'old': 'matrix_nginx_proxy_proxy_conduit_federation_api_addr_with_container', 'new': ''} @@ -115,7 +115,7 @@ - {'old': 'matrix_nginx_proxy_proxy_conduit_additional_server_configuration_blocks', 'new': ''} - {'old': 'matrix_nginx_proxy_proxy_dendrite_enabled', 'new': 'matrix_dendrite_container_labels_traefik_enabled'} - {'old': 'matrix_nginx_proxy_proxy_dendrite_block_federation_api_on_client_port', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_dendrite_federation_api_enabled', 'new': 'matrix_dendrite_container_labels_federation_api_enabled'} + - {'old': 'matrix_nginx_proxy_proxy_dendrite_federation_api_enabled', 'new': 'matrix_dendrite_container_labels_public_federation_api_enabled'} - {'old': 'matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container', 'new': ''} - {'old': 'matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container', 'new': ''} - {'old': 'matrix_nginx_proxy_proxy_dendrite_federation_api_addr_with_container', 'new': ''}