From bbd9493b8f9d6b628bf3906524811f3e0e56c7af Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Wed, 3 Jan 2024 17:05:59 +0200
Subject: [PATCH] Handle /_matrix Client-Server and Federation APIs directly at matrix-synapse-reverse-proxy-companion
---
 group_vars/matrix_servers | 24 ++++++-
 .../defaults/main.yml | 52 ++++++++++++---
 .../tasks/main.yml | 3 +
 .../tasks/setup_install.yml | 7 +++
 .../tasks/validate_config.yml | 13 ++++
 .../templates/labels.j2 | 63 +++++++++++++++++++
 ...synapse-reverse-proxy-companion.service.j2 | 1 +
 7 files changed, 155 insertions(+), 8 deletions(-)
 create mode 100644 roles/custom/matrix-synapse-reverse-proxy-companion/tasks/validate_config.yml
 create mode 100644 roles/custom/matrix-synapse-reverse-proxy-companion/templates/labels.j2
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 229c8aed2..abe30e9e5 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -395,7 +395,7 @@ devture_systemd_service_manager_services_list_auto: |
 +
 ([{'name': 'matrix-synapse-admin.service', 'priority': 4000, 'groups': ['matrix', 'synapse-admin']}] if matrix_synapse_admin_enabled else [])
 +
- ([{'name': 'matrix-synapse-reverse-proxy-companion.service', 'priority': 1500, 'groups': ['matrix', 'homeservers', 'synapse', 'reverse-proxies']}] if matrix_synapse_reverse_proxy_companion_enabled else [])
+ ([{'name': 'matrix-synapse-reverse-proxy-companion.service', 'priority': 1500, 'groups': ['matrix', 'homeservers', 'synapse', 'synapse-reverse-proxy-companion', 'reverse-proxies']}] if matrix_synapse_reverse_proxy_companion_enabled else [])
 +
 ([{'name': 'matrix-user-verification-service.service', 'priority': 800, 'groups': ['matrix', 'matrix-user-verification-service']}] if matrix_user_verification_service_enabled else [])
 +
@@ -3946,11 +3946,32 @@ matrix_synapse_auto_compressor_systemd_required_services_list: |
 matrix_synapse_reverse_proxy_companion_enabled: "{{ matrix_synapse_enabled }}"
+matrix_synapse_reverse_proxy_companion_container_network: "{{ matrix_synapse_container_network }}"
+
+matrix_synapse_reverse_proxy_companion_container_additional_networks: |
+ {{
+ (
+ ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [])
+ +
+ ([] if matrix_homeserver_container_network in ['', matrix_synapse_reverse_proxy_companion_container_network] else [matrix_homeserver_container_network])
+ ) | unique
+ }}
+
 matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb: "{{ matrix_synapse_max_upload_size_mb }}"
 matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8008') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
 matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8048') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
+matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
+matrix_synapse_reverse_proxy_companion_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
+matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
+
+matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_hostname: "{{ matrix_server_fqn_matrix }}"
+
+matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_hostname: "{{ matrix_server_fqn_matrix }}"
+matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint }}"
+
 matrix_synapse_reverse_proxy_companion_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}"
 matrix_synapse_reverse_proxy_companion_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}"
 matrix_synapse_reverse_proxy_companion_synapse_generic_worker_client_server_locations: "{{ matrix_synapse_workers_generic_worker_client_server_endpoints }}"
@@ -3966,6 +3987,7 @@ matrix_synapse_reverse_proxy_companion_synapse_user_dir_locations: "{{ matrix_sy
 matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_enabled: "{{ matrix_prometheus_nginxlog_exporter_enabled }}"
 matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_server_port: "{{ (matrix_prometheus_nginxlog_exporter_container_hostname | string +':'+ matrix_prometheus_nginxlog_exporter_container_syslog_port | string) | default('') }}"
+
 ######################################################################
 #
 # /matrix-synapse-reverse-proxy-companion
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml
index 5cd68f2a3..3678e99a0 100644
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml
@@ -32,7 +32,10 @@ matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }
 matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d"
 # List of systemd services that matrix-synapse-reverse-proxy-companion.service depends on
-matrix_synapse_reverse_proxy_companion_systemd_required_services_list: ['docker.service']
+matrix_synapse_reverse_proxy_companion_systemd_required_services_list: "{{ matrix_synapse_reverse_proxy_companion_systemd_required_services_list_default + matrix_synapse_reverse_proxy_companion_systemd_required_services_list_auto + matrix_synapse_reverse_proxy_companion_systemd_required_services_list_custom }}"
+matrix_synapse_reverse_proxy_companion_systemd_required_services_list_default: ['docker.service']
+matrix_synapse_reverse_proxy_companion_systemd_required_services_list_auto: []
+matrix_synapse_reverse_proxy_companion_systemd_required_services_list_custom: []
 # List of systemd services that matrix-synapse-reverse-proxy-companion.service wants
 matrix_synapse_reverse_proxy_companion_systemd_wanted_services_list: ['matrix-synapse.service']
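Review bot: The three new `_required_services_list_default` / `_auto` / `_custom` variables carry no comment, and the existing `# List of systemd services that matrix-synapse-reverse-proxy-companion.service depends on` line now only describes the combined value above them. A one-line comment per variable would help role users, e.g. `# Populated by the playbook; do not override` on `_list_auto` and `# Add your own extra dependencies here` on `_list_custom`. I am inferring that split of responsibilities from the naming, so confirm it before wording the comments.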
@@ -43,15 +46,10 @@ matrix_synapse_reverse_proxy_companion_systemd_wanted_services_list: ['matrix-sy
 matrix_synapse_reverse_proxy_companion_container_image: "{{ matrix_container_global_registry_prefix }}nginx:{{ matrix_synapse_reverse_proxy_companion_version }}"
 matrix_synapse_reverse_proxy_companion_container_image_force_pull: "{{ matrix_synapse_reverse_proxy_companion_container_image.endswith(':latest') }}"
-matrix_synapse_reverse_proxy_companion_container_network: "{{ matrix_docker_network }}"
+matrix_synapse_reverse_proxy_companion_container_network: ""
 # A list of additional container networks that matrix-synapse-reverse-proxy-companion would be connected to.
 # The playbook does not create these networks, so make sure they already exist.
-#
-# Use this to expose matrix-synapse-reverse-proxy-companion to another reverse proxy, which runs in a different container network, without exposing all other Matrix services to that other reverse-proxy.
-#
-# For background, see: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1498
 matrix_synapse_reverse_proxy_companion_container_additional_networks: []
 # Controls whether the matrix-synapse-reverse-proxy-companion container exposes its HTTP Client-Server API port (tcp/8008 in the container).
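Review bot: `matrix_synapse_reverse_proxy_companion_container_network: ""` is now a mandatory setting (tasks/validate_config.yml in this commit fails the run when it is empty, and tasks/setup_install.yml creates a Docker network with that name), but the variable has no comment saying so. I'd add `# Name of the container network to create and attach the container to. Required; validated in tasks/validate_config.yml.` directly above it. The hunk also drops the purpose and background link for `_container_additional_networks` without a replacement; if that use case still applies, keeping the one-line purpose sentence would help role users.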
@@ -64,6 +62,46 @@ matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: ''
 # Takes an ":" or "" value (e.g. "127.0.0.1:8048"), or empty string to not expose.
 matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: ''
+# matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
+# See `../templates/labels.j2` for details.
+#
+# To inject your own other container labels, see `matrix_synapse_reverse_proxy_companion_container_labels_additional_labels`.
+matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled: true
+matrix_synapse_reverse_proxy_companion_container_labels_traefik_docker_network: "{{ matrix_synapse_reverse_proxy_companion_container_network }}"
+matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints: web-secure
+matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver: default
+
+# Controls whether labels will be added that expose the Client-Server API.
+matrix_synapse_reverse_proxy_companion_container_labels_client_api_enabled: true
+matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_hostname: ''
+matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_path_prefix: /_matrix
+matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_path_prefix }}`)"
+matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_priority: 0
+matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}"
+matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_entrypoints != 'web' }}"
+matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming
+
+# TODO - /_synapse public exposure, etc.?
+
+# Controls whether labels will be added that expose the Server-Server API (Federation API).
+matrix_synapse_reverse_proxy_companion_container_labels_federation_api_enabled: "{{ matrix_synapse_reverse_proxy_companion_federation_api_enabled }}"
+matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_hostname: ''
+matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_path_prefix: /_matrix
+matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_path_prefix }}`)"
+matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_priority: 0
+matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_entrypoints: ''
+matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_entrypoints != 'web' }}"
+matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming
+
+# matrix_synapse_reverse_proxy_companion_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
+# See `../templates/labels.j2` for details.
+#
+# Example:
+# matrix_synapse_reverse_proxy_companion_container_labels_additional_labels: |
+# my.label=1
+# another.label="here"
+matrix_synapse_reverse_proxy_companion_container_labels_additional_labels: ''
+
 # The amount of worker processes and connections
 # Consider increasing these when you are expecting high amounts of traffic
 # http://nginx.org/en/docs/ngx_core_module.html#worker_connections
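Review bot: `_client_api_traefik_hostname: ''`, `_federation_api_traefik_hostname: ''` and `_federation_api_traefik_entrypoints: ''` default to empty yet become mandatory as soon as the matching `_enabled` flag is true (tasks/validate_config.yml in this commit fails the run otherwise), and nothing in this block tells the reader. I'd put `# Required when matrix_synapse_reverse_proxy_companion_container_labels_client_api_enabled is true; validated in tasks/validate_config.yml` above the client hostname and the equivalent line above the two federation settings. `_traefik_priority: 0` would also benefit from `# 0 leaves the router priority label unset (see labels.j2)`, since labels.j2 only emits the priority label when the value is greater than 0.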
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml
index 680602672..e4149cbb3 100644
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml
@@ -8,6 +8,9 @@
 - install-synapse-reverse-proxy-companion
 - install-synapse
 block:
+ - when: matrix_synapse_reverse_proxy_companion_enabled | bool
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
+
 - when: matrix_synapse_reverse_proxy_companion_enabled | bool
 ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_install.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_install.yml
index 83c1e5e3c..ccd4110ee 100644
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_install.yml
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_install.yml
@@ -25,6 +25,8 @@
 dest: "{{ matrix_synapse_reverse_proxy_companion_confd_path }}/nginx-http.conf"
 - src: "{{ role_path }}/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2"
 dest: "{{ matrix_synapse_reverse_proxy_companion_confd_path }}/matrix-synapse-reverse-proxy-companion.conf"
+ - src: "{{ role_path }}/templates/labels.j2"
+ dest: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/labels"
 - name: Ensure matrix-synapse-reverse-proxy-companion nginx container image is pulled
 community.docker.docker_image:
@@ -37,6 +39,11 @@
 delay: "{{ devture_playbook_help_container_retries_delay }}"
 until: result is not failed
+- name: Ensure matrix-synapse-reverse-proxy-companion container network is created
+ community.general.docker_network:
+ name: "{{ matrix_synapse_reverse_proxy_companion_container_network }}"
+ driver: bridge
+
 - name: Ensure matrix-synapse-reverse-proxy-companion.service installed
 ansible.builtin.template:
 src: "{{ role_path }}/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2"
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/validate_config.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/validate_config.yml
new file mode 100644
index 000000000..ec87338d3
--- /dev/null
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/validate_config.yml
@@ -0,0 +1,13 @@
+---
+
+- name: Fail if required matrix-synapse-reverse-proxy-companion settings not defined
+ ansible.builtin.fail:
+ msg: >-
+ You need to define a required configuration setting (`{{ item.name }}`).
+ when: "item.when | bool and vars[item.name] == ''"
+ with_items:
+ - {'name': 'matrix_synapse_reverse_proxy_companion_container_network', when: true}
+ - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_enabled }}"}
+ - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_enabled }}"}
+ - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_entrypoints', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_enabled }}"}
+
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/labels.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/labels.j2
new file mode 100644
index 000000000..9ad96a69a
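Review bot: `community.general.docker_network:` is the only task in this file that pulls from `community.general`; the image pull task directly above it uses `community.docker.docker_image`, and `docker_network` is maintained in that same `community.docker` collection (the `community.general` name is, as far as I know, only a compatibility redirect there). I'd change the line to `community.docker.docker_network:` so the role depends on a single Docker collection.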
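Review bot: The Client-Server hostname check (`when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_enabled }}"`) does not take `matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled` into account, so a role user who turns Traefik labels off but leaves `_client_api_enabled` at its default of `true` is forced to set a Traefik hostname that labels.j2 never renders (everything there sits inside the `_traefik_enabled` block); the two federation items have the same gap. Unless the hostname is meant for something outside labels.j2, I'd gate these items on both flags, e.g. `when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled and matrix_synapse_reverse_proxy_companion_container_labels_client_api_enabled }}"`, and likewise with `_federation_api_enabled` for the federation hostname and entrypoints.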
--- /dev/null
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/labels.j2
@@ -0,0 +1,63 @@
+{% if matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled %}
+traefik.enable=true
+
+{% if matrix_synapse_reverse_proxy_companion_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_docker_network }}
+{% endif %}
+
+traefik.http.services.matrix-synapse-reverse-proxy-companion-client-api.loadbalancer.server.port=8008
+traefik.http.services.matrix-synapse-reverse-proxy-companion-federation-api.loadbalancer.server.port=8048
+
+
+{#
+ Client-API
+#}
+{% if matrix_synapse_reverse_proxy_companion_container_labels_client_api_enabled %}
+
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.rule={{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_rule }}
+
+{% if matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.priority={{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.service=matrix-synapse-reverse-proxy-companion-client-api
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.entrypoints={{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_entrypoints }}
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.tls={{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_tls | to_json }}
+
+{% if matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_tls %}
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.tls.certResolver={{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_tls_certResolver }}
+{% endif %}
+
+{% endif %}
+{#
+ /Client-API
+#}
+
+
+{#
+ Federation-API
+#}
+{% if matrix_synapse_reverse_proxy_companion_container_labels_federation_api_enabled %}
+
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.rule={{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_rule }}
+
+{% if matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.priority={{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.service=matrix-synapse-reverse-proxy-companion-federation-api
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.entrypoints={{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_entrypoints }}
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.tls={{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_tls | to_json }}
+
+{% if matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_tls %}
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.tls.certResolver={{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_tls_certResolver }}
+{% endif %}
+
+{% endif %}
+{#
+ /Federation-API
+#}
+
+{% endif %}
+
+{{ matrix_synapse_reverse_proxy_companion_container_labels_additional_labels }}
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2
index abf42196e..1afb81c89 100755
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2
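Review bot: The new template has no header comment saying what it renders or who consumes it, which matters because its output becomes Docker labels through the `--label-file=` option this commit adds to the systemd unit. I'd open the file with `{# Container labels for matrix-synapse-reverse-proxy-companion; written to <base_path>/labels and passed to docker create via --label-file. Traefik labels are emitted only when matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled is true. #}`. Separately, the two `loadbalancer.server.port` service labels near the top are emitted whenever Traefik labels are enabled, even when the matching `_client_api_enabled` or `_federation_api_enabled` flag is false; moving each one inside its own `{% if %}` block would keep services without a router out of Traefik's configuration.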
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2
@@ -36,6 +36,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 {% endif %}
 --mount type=bind,src={{ matrix_synapse_reverse_proxy_companion_base_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \
 --mount type=bind,src={{ matrix_synapse_reverse_proxy_companion_confd_path }},dst=/etc/nginx/conf.d,ro \
+ --label-file={{ matrix_synapse_reverse_proxy_companion_base_path }}/labels \
 {{ matrix_synapse_reverse_proxy_companion_container_image }}
 {% for network in matrix_synapse_reverse_proxy_companion_container_additional_networks %}