Adjust TLS variables for homeservers to follow devture_traefik_config_entrypoint_web_secure_enabled (via matrix_federation_traefik_entrypoint_tls)
This commit is contained in:
Slavi Pantaleev
@ -111,7 +111,13 @@ matrix_federation_public_port: 8448
|
||||
|
||||
# The name of the Traefik entrypoint for handling Matrix Federation
|
||||
# Also see the `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_*` variables.
|
||||
matrix_federation_traefik_entrypoint: matrix-federation
|
||||
matrix_federation_traefik_entrypoint_name: matrix-federation
|
||||
|
||||
# Controls whether the federation entrypoint supports TLS.
|
||||
# TLS is force-enabled here, because the spec (https://spec.matrix.org/v1.9/server-server-api/#tls) says that the federation API must use HTTPS.
|
||||
# This may be changed at the playbook level for setups explicitly disabling TLS.
|
||||
# `matrix_playbook_ssl_enabled` has no influence over this.
|
||||
matrix_federation_traefik_entrypoint_tls: true
|
||||
|
||||
# The architecture that your server runs.
|
||||
# Recognized values by us are 'amd64', 'arm32' and 'arm64'.
|
||||
@ -235,7 +241,8 @@ matrix_playbook_reverse_proxyable_services_additional_network: "{{ matrix_playbo
|
||||
|
||||
# Controls if various services think if SSL is enabled or not.
|
||||
# Disabling this does not actually disable Treafik's web-secure entrypoint and TLS termination settings.
|
||||
# For that, you'd need to use other variables. This one merely serves as an indicator if SSL is used or not.
|
||||
# For that, you'd need to use another variable (`devture_traefik_config_entrypoint_web_secure_enabled`).
|
||||
# This variable merely serves as an indicator if SSL is used or not.
|
||||
matrix_playbook_ssl_enabled: true
|
||||
|
||||
matrix_playbook_service_host_bind_interface_prefix: "{{ '' if matrix_playbook_reverse_proxy_type not in ['other-nginx-non-container', 'other-on-same-host', 'other-on-another-host'] else ('0.0.0.0:' if matrix_playbook_reverse_proxy_type == 'other-on-another-host' else '127.0.0.1:') }}"
|
||||
@ -244,7 +251,7 @@ matrix_playbook_service_host_bind_interface_prefix: "{{ '' if matrix_playbook_re
|
||||
# By default, federation is served on a special port (8448), so a separate entrypoint is necessary.
|
||||
# Group variables may influence whether this is enabled based on the port number and on the default entrypoints of the Traefik reverse-proxy.
|
||||
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_enabled: true
|
||||
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_name: "{{ matrix_federation_traefik_entrypoint }}"
|
||||
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_name: "{{ matrix_federation_traefik_entrypoint_name }}"
|
||||
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port: "{{ matrix_federation_public_port }}"
|
||||
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port: "{{ matrix_federation_public_port }}"
|
||||
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_auto | combine(matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom, recursive=True) }}"
|
||||
|
||||
@ -85,7 +85,8 @@ matrix_conduit_container_labels_public_federation_api_traefik_path_prefix: /_mat
|
||||
matrix_conduit_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_conduit_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_conduit_container_labels_public_federation_api_traefik_path_prefix }}`)"
|
||||
matrix_conduit_container_labels_public_federation_api_traefik_priority: 0
|
||||
matrix_conduit_container_labels_public_federation_api_traefik_entrypoints: ''
|
||||
matrix_conduit_container_labels_public_federation_api_traefik_tls: "{{ matrix_conduit_container_labels_public_federation_api_traefik_entrypoints != 'web' }}"
|
||||
# TLS is force-enabled here, because the spec (https://spec.matrix.org/v1.9/server-server-api/#tls) says that the federation API must use HTTPS.
|
||||
matrix_conduit_container_labels_public_federation_api_traefik_tls: true
|
||||
matrix_conduit_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_conduit_container_labels_traefik_tls_certResolver }}" # noqa var-naming
|
||||
|
||||
# matrix_conduit_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
|
||||
|
||||
@ -129,7 +129,8 @@ matrix_dendrite_container_labels_public_federation_api_traefik_path_prefix: /_ma
|
||||
matrix_dendrite_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_dendrite_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_dendrite_container_labels_public_federation_api_traefik_path_prefix }}`)"
|
||||
matrix_dendrite_container_labels_public_federation_api_traefik_priority: 0
|
||||
matrix_dendrite_container_labels_public_federation_api_traefik_entrypoints: ''
|
||||
matrix_dendrite_container_labels_public_federation_api_traefik_tls: "{{ matrix_dendrite_container_labels_public_federation_api_traefik_entrypoints != 'web' }}"
|
||||
# TLS is force-enabled here, because the spec (https://spec.matrix.org/v1.9/server-server-api/#tls) says that the federation API must use HTTPS.
|
||||
matrix_dendrite_container_labels_public_federation_api_traefik_tls: true
|
||||
matrix_dendrite_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_dendrite_container_labels_traefik_tls_certResolver }}" # noqa var-naming
|
||||
|
||||
# Controls whether labels will be added that expose Dendrite's metrics on a public Traefik entrypoint.
|
||||
|
||||
@ -107,7 +107,7 @@ matrix_media_repo_container_labels_traefik_t2bot_tls_certResolver: default # no
|
||||
matrix_media_repo_container_labels_traefik_media_federation_path_prefix: "/_matrix/media"
|
||||
matrix_media_repo_container_labels_traefik_media_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_media_path_prefix | quote }}`)"
|
||||
matrix_media_repo_container_labels_traefik_media_federation_priority: 0
|
||||
matrix_media_repo_container_labels_traefik_media_federation_entrypoints: "{{ matrix_federation_traefik_entrypoint }}"
|
||||
matrix_media_repo_container_labels_traefik_media_federation_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}"
|
||||
matrix_media_repo_container_labels_traefik_media_federation_tls: "{{ matrix_media_repo_container_labels_traefik_media_entrypoints != 'web' }}"
|
||||
matrix_media_repo_container_labels_traefik_media_federation_tls_certResolver: default # noqa var-naming
|
||||
|
||||
@ -116,7 +116,7 @@ matrix_media_repo_container_labels_traefik_media_federation_tls_certResolver: de
|
||||
matrix_media_repo_container_labels_traefik_logout_federation_path_prefix: "/_matrix/client/{version:(r0|v1|v3|unstable)}/{endpoint:(logout|logout/all)}"
|
||||
matrix_media_repo_container_labels_traefik_logout_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_logout_path_prefix }}`)"
|
||||
matrix_media_repo_container_labels_traefik_logout_federation_priority: 0
|
||||
matrix_media_repo_container_labels_traefik_logout_federation_entrypoints: "{{ matrix_federation_traefik_entrypoint }}"
|
||||
matrix_media_repo_container_labels_traefik_logout_federation_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}"
|
||||
matrix_media_repo_container_labels_traefik_logout_federation_tls: "{{ matrix_media_repo_container_labels_traefik_logout_entrypoints != 'web' }}"
|
||||
matrix_media_repo_container_labels_traefik_logout_federation_tls_certResolver: default # noqa var-naming
|
||||
|
||||
@ -125,14 +125,14 @@ matrix_media_repo_container_labels_traefik_logout_federation_tls_certResolver: d
|
||||
matrix_media_repo_container_labels_traefik_admin_federation_path_prefix: "/_matrix/client/{version:(r0|v1|v3|unstable)}/admin/{endpoint:(purge_media_cache|quarantine_media/.*)}"
|
||||
matrix_media_repo_container_labels_traefik_admin_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_admin_path_prefix }}`)"
|
||||
matrix_media_repo_container_labels_traefik_admin_federation_priority: 0
|
||||
matrix_media_repo_container_labels_traefik_admin_federation_entrypoints: "{{ matrix_federation_traefik_entrypoint }}"
|
||||
matrix_media_repo_container_labels_traefik_admin_federation_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}"
|
||||
matrix_media_repo_container_labels_traefik_admin_federation_tls: "{{ matrix_media_repo_container_labels_traefik_admin_entrypoints != 'web' }}"
|
||||
matrix_media_repo_container_labels_traefik_admin_federation_tls_certResolver: default # noqa var-naming
|
||||
|
||||
matrix_media_repo_container_labels_traefik_t2bot_federation_path_prefix: "/_matrix/client/unstable/io.t2bot.media"
|
||||
matrix_media_repo_container_labels_traefik_t2bot_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_t2bot_path_prefix | quote }}`)"
|
||||
matrix_media_repo_container_labels_traefik_t2bot_federation_priority: 0
|
||||
matrix_media_repo_container_labels_traefik_t2bot_federation_entrypoints: "{{ matrix_federation_traefik_entrypoint }}"
|
||||
matrix_media_repo_container_labels_traefik_t2bot_federation_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}"
|
||||
matrix_media_repo_container_labels_traefik_t2bot_federation_tls: "{{ matrix_media_repo_container_labels_traefik_t2bot_entrypoints != 'web' }}"
|
||||
matrix_media_repo_container_labels_traefik_t2bot_federation_tls_certResolver: default # noqa var-naming
|
||||
|
||||
|
||||
@ -114,7 +114,8 @@ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_tr
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_path_prefix }}`)"
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_priority: 0
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_entrypoints: ''
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_entrypoints != 'web' }}"
|
||||
# TLS is force-enabled here, because the spec (https://spec.matrix.org/v1.9/server-server-api/#tls) says that the federation API must use HTTPS.
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_tls: true
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming
|
||||
|
||||
# matrix_synapse_reverse_proxy_companion_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
|
||||
|
||||
@ -259,7 +259,8 @@ matrix_synapse_container_labels_public_federation_api_traefik_path_prefix: /_mat
|
||||
matrix_synapse_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_synapse_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_container_labels_public_federation_api_traefik_path_prefix }}`)"
|
||||
matrix_synapse_container_labels_public_federation_api_traefik_priority: 0
|
||||
matrix_synapse_container_labels_public_federation_api_traefik_entrypoints: ''
|
||||
matrix_synapse_container_labels_public_federation_api_traefik_tls: "{{ matrix_synapse_container_labels_public_federation_api_traefik_entrypoints != 'web' }}"
|
||||
# TLS is force-enabled here, because the spec (https://spec.matrix.org/v1.9/server-server-api/#tls) says that the federation API must use HTTPS.
|
||||
matrix_synapse_container_labels_public_federation_api_traefik_tls: true
|
||||
matrix_synapse_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_synapse_container_labels_traefik_tls_certResolver }}" # noqa var-naming
|
||||
|
||||
# Controls whether labels will be added that expose metrics (see `matrix_synapse_metrics_proxying_enabled`) for the main Synapse process
|
||||
|
||||
@ -310,6 +310,7 @@
|
||||
- {'old': 'matrix_docker_network', 'new': '<removed in favor of various other variables - matrix_addons_container_network, matrix_monitoring_container_network, matrix_homeserver_container_network, etc.>'}
|
||||
- {'old': 'matrix_playbook_ssl_retrieval_method', 'new': '<removed>'}
|
||||
- {'old': 'matrix_ssl_lets_encrypt_support_email', 'new': 'devture_traefik_config_certificatesResolvers_acme_email'}
|
||||
- {'old': 'matrix_federation_traefik_entrypoint', 'new': 'matrix_federation_traefik_entrypoint_name'}
|
||||
|
||||
- when: matrix_playbook_migration_matrix_nginx_proxy_leftover_variable_validation_checks_enabled | bool
|
||||
block:
|
||||
|
||||
Reference in New Issue
Block a user