Handle /_matrix Client-Server and Federation APIs directly at matrix-synapse-reverse-proxy-companion
This commit is contained in:
parent
97f40a95fb
commit
bbd9493b8f
@ -395,7 +395,7 @@ devture_systemd_service_manager_services_list_auto: |
|
||||
+
|
||||
([{'name': 'matrix-synapse-admin.service', 'priority': 4000, 'groups': ['matrix', 'synapse-admin']}] if matrix_synapse_admin_enabled else [])
|
||||
+
|
||||
([{'name': 'matrix-synapse-reverse-proxy-companion.service', 'priority': 1500, 'groups': ['matrix', 'homeservers', 'synapse', 'reverse-proxies']}] if matrix_synapse_reverse_proxy_companion_enabled else [])
|
||||
([{'name': 'matrix-synapse-reverse-proxy-companion.service', 'priority': 1500, 'groups': ['matrix', 'homeservers', 'synapse', 'synapse-reverse-proxy-companion', 'reverse-proxies']}] if matrix_synapse_reverse_proxy_companion_enabled else [])
|
||||
+
|
||||
([{'name': 'matrix-user-verification-service.service', 'priority': 800, 'groups': ['matrix', 'matrix-user-verification-service']}] if matrix_user_verification_service_enabled else [])
|
||||
+
|
||||
@ -3946,11 +3946,32 @@ matrix_synapse_auto_compressor_systemd_required_services_list: |
|
||||
|
||||
matrix_synapse_reverse_proxy_companion_enabled: "{{ matrix_synapse_enabled }}"
|
||||
|
||||
matrix_synapse_reverse_proxy_companion_container_network: "{{ matrix_synapse_container_network }}"
|
||||
|
||||
matrix_synapse_reverse_proxy_companion_container_additional_networks: |
|
||||
{{
|
||||
(
|
||||
([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [])
|
||||
+
|
||||
([] if matrix_homeserver_container_network in ['', matrix_synapse_reverse_proxy_companion_container_network] else [matrix_homeserver_container_network])
|
||||
) | unique
|
||||
}}
|
||||
|
||||
matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb: "{{ matrix_synapse_max_upload_size_mb }}"
|
||||
|
||||
matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8008') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8048') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
|
||||
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_hostname: "{{ matrix_server_fqn_matrix }}"
|
||||
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_hostname: "{{ matrix_server_fqn_matrix }}"
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint }}"
|
||||
|
||||
matrix_synapse_reverse_proxy_companion_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}"
|
||||
matrix_synapse_reverse_proxy_companion_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}"
|
||||
matrix_synapse_reverse_proxy_companion_synapse_generic_worker_client_server_locations: "{{ matrix_synapse_workers_generic_worker_client_server_endpoints }}"
|
||||
@ -3966,6 +3987,7 @@ matrix_synapse_reverse_proxy_companion_synapse_user_dir_locations: "{{ matrix_sy
|
||||
matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_enabled: "{{ matrix_prometheus_nginxlog_exporter_enabled }}"
|
||||
matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_server_port: "{{ (matrix_prometheus_nginxlog_exporter_container_hostname | string +':'+ matrix_prometheus_nginxlog_exporter_container_syslog_port | string) | default('') }}"
|
||||
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# /matrix-synapse-reverse-proxy-companion
|
||||
|
@ -32,7 +32,10 @@ matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }
|
||||
matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d"
|
||||
|
||||
# List of systemd services that matrix-synapse-reverse-proxy-companion.service depends on
|
||||
matrix_synapse_reverse_proxy_companion_systemd_required_services_list: ['docker.service']
|
||||
matrix_synapse_reverse_proxy_companion_systemd_required_services_list: "{{ matrix_synapse_reverse_proxy_companion_systemd_required_services_list_default + matrix_synapse_reverse_proxy_companion_systemd_required_services_list_auto + matrix_synapse_reverse_proxy_companion_systemd_required_services_list_custom }}"
|
||||
matrix_synapse_reverse_proxy_companion_systemd_required_services_list_default: ['docker.service']
|
||||
matrix_synapse_reverse_proxy_companion_systemd_required_services_list_auto: []
|
||||
matrix_synapse_reverse_proxy_companion_systemd_required_services_list_custom: []
|
||||
|
||||
# List of systemd services that matrix-synapse-reverse-proxy-companion.service wants
|
||||
matrix_synapse_reverse_proxy_companion_systemd_wanted_services_list: ['matrix-synapse.service']
|
||||
@ -43,15 +46,10 @@ matrix_synapse_reverse_proxy_companion_systemd_wanted_services_list: ['matrix-sy
|
||||
matrix_synapse_reverse_proxy_companion_container_image: "{{ matrix_container_global_registry_prefix }}nginx:{{ matrix_synapse_reverse_proxy_companion_version }}"
|
||||
matrix_synapse_reverse_proxy_companion_container_image_force_pull: "{{ matrix_synapse_reverse_proxy_companion_container_image.endswith(':latest') }}"
|
||||
|
||||
matrix_synapse_reverse_proxy_companion_container_network: "{{ matrix_docker_network }}"
|
||||
matrix_synapse_reverse_proxy_companion_container_network: ""
|
||||
|
||||
# A list of additional container networks that matrix-synapse-reverse-proxy-companion would be connected to.
|
||||
# The playbook does not create these networks, so make sure they already exist.
|
||||
#
|
||||
# Use this to expose matrix-synapse-reverse-proxy-companion to another reverse proxy, which runs in a different container network,
|
||||
# without exposing all other Matrix services to that other reverse-proxy.
|
||||
#
|
||||
# For background, see: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1498
|
||||
matrix_synapse_reverse_proxy_companion_container_additional_networks: []
|
||||
|
||||
# Controls whether the matrix-synapse-reverse-proxy-companion container exposes its HTTP Client-Server API port (tcp/8008 in the container).
|
||||
@ -64,6 +62,46 @@ matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: ''
|
||||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8048"), or empty string to not expose.
|
||||
matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: ''
|
||||
|
||||
# matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
|
||||
# See `../templates/labels.j2` for details.
|
||||
#
|
||||
# To inject your own other container labels, see `matrix_synapse_reverse_proxy_companion_container_labels_additional_labels`.
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled: true
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_traefik_docker_network: "{{ matrix_synapse_reverse_proxy_companion_container_network }}"
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints: web-secure
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver: default
|
||||
|
||||
# Controls whether labels will be added that expose the Client-Server API.
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_api_enabled: true
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_hostname: ''
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_path_prefix: /_matrix
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_path_prefix }}`)"
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_priority: 0
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}"
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_entrypoints != 'web' }}"
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming
|
||||
|
||||
# TODO - /_synapse public exposure, etc.?
|
||||
|
||||
# Controls whether labels will be added that expose the Server-Server API (Federation API).
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_federation_api_enabled: "{{ matrix_synapse_reverse_proxy_companion_federation_api_enabled }}"
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_hostname: ''
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_path_prefix: /_matrix
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_path_prefix }}`)"
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_priority: 0
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_entrypoints: ''
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_entrypoints != 'web' }}"
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming
|
||||
|
||||
# matrix_synapse_reverse_proxy_companion_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
|
||||
# See `../templates/labels.j2` for details.
|
||||
#
|
||||
# Example:
|
||||
# matrix_synapse_reverse_proxy_companion_container_labels_additional_labels: |
|
||||
# my.label=1
|
||||
# another.label="here"
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_additional_labels: ''
|
||||
|
||||
# The amount of worker processes and connections
|
||||
# Consider increasing these when you are expecting high amounts of traffic
|
||||
# http://nginx.org/en/docs/ngx_core_module.html#worker_connections
|
||||
|
@ -8,6 +8,9 @@
|
||||
- install-synapse-reverse-proxy-companion
|
||||
- install-synapse
|
||||
block:
|
||||
- when: matrix_synapse_reverse_proxy_companion_enabled | bool
|
||||
ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
|
||||
|
||||
- when: matrix_synapse_reverse_proxy_companion_enabled | bool
|
||||
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
|
||||
|
||||
|
@ -25,6 +25,8 @@
|
||||
dest: "{{ matrix_synapse_reverse_proxy_companion_confd_path }}/nginx-http.conf"
|
||||
- src: "{{ role_path }}/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2"
|
||||
dest: "{{ matrix_synapse_reverse_proxy_companion_confd_path }}/matrix-synapse-reverse-proxy-companion.conf"
|
||||
- src: "{{ role_path }}/templates/labels.j2"
|
||||
dest: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/labels"
|
||||
|
||||
- name: Ensure matrix-synapse-reverse-proxy-companion nginx container image is pulled
|
||||
community.docker.docker_image:
|
||||
@ -37,6 +39,11 @@
|
||||
delay: "{{ devture_playbook_help_container_retries_delay }}"
|
||||
until: result is not failed
|
||||
|
||||
- name: Ensure matrix-synapse-reverse-proxy-companion container network is created
|
||||
community.general.docker_network:
|
||||
name: "{{ matrix_synapse_reverse_proxy_companion_container_network }}"
|
||||
driver: bridge
|
||||
|
||||
- name: Ensure matrix-synapse-reverse-proxy-companion.service installed
|
||||
ansible.builtin.template:
|
||||
src: "{{ role_path }}/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2"
|
||||
|
@ -0,0 +1,13 @@
|
||||
---
|
||||
|
||||
- name: Fail if required matrix-synapse-reverse-proxy-companion settings not defined
|
||||
ansible.builtin.fail:
|
||||
msg: >-
|
||||
You need to define a required configuration setting (`{{ item.name }}`).
|
||||
when: "item.when | bool and vars[item.name] == ''"
|
||||
with_items:
|
||||
- {'name': 'matrix_synapse_reverse_proxy_companion_container_network', when: true}
|
||||
- {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_enabled }}"}
|
||||
- {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_enabled }}"}
|
||||
- {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_entrypoints', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_enabled }}"}
|
||||
|
@ -0,0 +1,63 @@
|
||||
{% if matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled %}
|
||||
traefik.enable=true
|
||||
|
||||
{% if matrix_synapse_reverse_proxy_companion_container_labels_traefik_docker_network %}
|
||||
traefik.docker.network={{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_docker_network }}
|
||||
{% endif %}
|
||||
|
||||
traefik.http.services.matrix-synapse-reverse-proxy-companion-client-api.loadbalancer.server.port=8008
|
||||
traefik.http.services.matrix-synapse-reverse-proxy-companion-federation-api.loadbalancer.server.port=8048
|
||||
|
||||
|
||||
{#
|
||||
Client-API
|
||||
#}
|
||||
{% if matrix_synapse_reverse_proxy_companion_container_labels_client_api_enabled %}
|
||||
|
||||
traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.rule={{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_rule }}
|
||||
|
||||
{% if matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_priority | int > 0 %}
|
||||
traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.priority={{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_priority }}
|
||||
{% endif %}
|
||||
|
||||
traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.service=matrix-synapse-reverse-proxy-companion-client-api
|
||||
traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.entrypoints={{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_entrypoints }}
|
||||
traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.tls={{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_tls | to_json }}
|
||||
|
||||
{% if matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_tls %}
|
||||
traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.tls.certResolver={{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
|
||||
{% endif %}
|
||||
{#
|
||||
/Client-API
|
||||
#}
|
||||
|
||||
|
||||
{#
|
||||
Federation-API
|
||||
#}
|
||||
{% if matrix_synapse_reverse_proxy_companion_container_labels_federation_api_enabled %}
|
||||
|
||||
traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.rule={{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_rule }}
|
||||
|
||||
{% if matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_priority | int > 0 %}
|
||||
traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.priority={{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_priority }}
|
||||
{% endif %}
|
||||
|
||||
traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.service=matrix-synapse-reverse-proxy-companion-federation-api
|
||||
traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.entrypoints={{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_entrypoints }}
|
||||
traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.tls={{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_tls | to_json }}
|
||||
|
||||
{% if matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_tls %}
|
||||
traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.tls.certResolver={{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
|
||||
{% endif %}
|
||||
{#
|
||||
/Federation-API
|
||||
#}
|
||||
|
||||
{% endif %}
|
||||
|
||||
{{ matrix_synapse_reverse_proxy_companion_container_labels_additional_labels }}
|
@ -36,6 +36,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
|
||||
{% endif %}
|
||||
--mount type=bind,src={{ matrix_synapse_reverse_proxy_companion_base_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \
|
||||
--mount type=bind,src={{ matrix_synapse_reverse_proxy_companion_confd_path }},dst=/etc/nginx/conf.d,ro \
|
||||
--label-file={{ matrix_synapse_reverse_proxy_companion_base_path }}/labels \
|
||||
{{ matrix_synapse_reverse_proxy_companion_container_image }}
|
||||
|
||||
{% for network in matrix_synapse_reverse_proxy_companion_container_additional_networks %}
|
||||
|
Loading…
Reference in New Issue
Block a user