Merge pull request #1509 from rakshazi/cinny

added matrix-client-cinny
This commit is contained in:
Slavi Pantaleev 2022-01-06 10:43:55 +02:00 committed by GitHub
commit cb5e32eaee
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
21 changed files with 526 additions and 1 deletions

View File

@ -113,6 +113,8 @@ Using this playbook, you can get the following services configured on your serve
- (optional) the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client - see [docs/configuring-playbook-client-hydrogen.md](docs/configuring-playbook-client-hydrogen.md) for setup documentation - (optional) the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client - see [docs/configuring-playbook-client-hydrogen.md](docs/configuring-playbook-client-hydrogen.md) for setup documentation
- (optional) the [Cinny](https://github.com/ajbura/cinny) web client - see [docs/configuring-playbook-client-cinny.md](docs/configuring-playbook-client-cinny.md) for setup documentation
Basically, this playbook aims to get you up-and-running with all the necessities around Matrix, without you having to do anything else. Basically, this playbook aims to get you up-and-running with all the necessities around Matrix, without you having to do anything else.
**Note**: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need. **Note**: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need.

View File

@ -37,6 +37,7 @@ If you are using Cloudflare DNS, make sure to disable the proxy and set all reco
| CNAME | `goneb` | - | - | - | `matrix.<your-domain>` | | CNAME | `goneb` | - | - | - | `matrix.<your-domain>` |
| CNAME | `sygnal` | - | - | - | `matrix.<your-domain>` | | CNAME | `sygnal` | - | - | - | `matrix.<your-domain>` |
| CNAME | `hydrogen` | - | - | - | `matrix.<your-domain>` | | CNAME | `hydrogen` | - | - | - | `matrix.<your-domain>` |
| CNAME | `cinny` | - | - | - | `matrix.<your-domain>` |
## Subdomains setup ## Subdomains setup
@ -57,6 +58,7 @@ The `sygnal.<your-domain>` subdomain may be necessary, because this playbook cou
The `hydrogen.<your-domain>` subdomain may be necessary, because this playbook could install the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client. The installation of Hydrogen is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Hydrogen guide](configuring-playbook-client-hydrogen.md). If you do not wish to set up Hydrogen, feel free to skip the `hydrogen.<your-domain>` DNS record. The `hydrogen.<your-domain>` subdomain may be necessary, because this playbook could install the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client. The installation of Hydrogen is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Hydrogen guide](configuring-playbook-client-hydrogen.md). If you do not wish to set up Hydrogen, feel free to skip the `hydrogen.<your-domain>` DNS record.
The `cinny.<your-domain>` subdomain may be necessary, because this playbook could install the [Cinny](https://github.com/ajbura/cinny) web client. The installation of cinny is disabled by default, it is not a core required component. To learn how to install it, see our [configuring cinny guide](configuring-playbook-client-cinny.md). If you do not wish to set up cinny, feel free to skip the `cinny.<your-domain>` DNS record.
## `_matrix-identity._tcp` SRV record setup ## `_matrix-identity._tcp` SRV record setup

View File

@ -0,0 +1,21 @@
# Configuring Cinny (optional)
This playbook can install the [cinny](https://github.com/ajbura/cinny) Matrix web client for you.
cinny is a web client focusing primarily on simple, elegant and secure interface.
cinny can be installed alongside or instead of Element.
If you'd like cinny to be installed, add the following to your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
```yaml
matrix_client_cinny_enabled: true
```
You will also need to add a DNS record so that cinny can be accessed.
By default cinny will use https://cinny.DOMAIN so you will need to create an CNAME record
for `cinny`. See [Configuring DNS](configuring-dns.md).
If you would like to use a different domain, add the following to your configuration file (changing it to use your preferred domain):
```yaml
matrix_server_fqn_cinny: "app.{{ matrix_domain }}"
```

View File

@ -69,6 +69,7 @@ When you're done with all the configuration you'd like to do, continue with [Ins
- [Adjusting email-sending settings](configuring-playbook-email.md) (optional) - [Adjusting email-sending settings](configuring-playbook-email.md) (optional)
- [Setting up Hydrogen](configuring-playbook-client-hydrogen.md) - a new lightweight matrix client with legacy and mobile browser support (optional) - [Setting up Hydrogen](configuring-playbook-client-hydrogen.md) - a new lightweight matrix client with legacy and mobile browser support (optional)
- [Setting up Cinny](configuring-playbook-client-cinny.md) - a web client focusing primarily on simple, elegant and secure interface (optional)
### Authentication and user-related ### Authentication and user-related

View File

@ -15,6 +15,7 @@ List of roles where self-building the Docker image is currently possible:
- `matrix-synapse-admin` - `matrix-synapse-admin`
- `matrix-client-element` - `matrix-client-element`
- `matrix-client-hydrogen` - `matrix-client-hydrogen`
- `matrix-client-cinny`
- `matrix-registration` - `matrix-registration`
- `matrix-coturn` - `matrix-coturn`
- `matrix-corporal` - `matrix-corporal`

View File

@ -1332,6 +1332,7 @@ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: "{{ matrix_s
matrix_nginx_proxy_proxy_matrix_enabled: true matrix_nginx_proxy_proxy_matrix_enabled: true
matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled }}" matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled }}"
matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled }}" matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled }}"
matrix_nginx_proxy_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled }}"
matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}"
matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}"
matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}"
@ -1417,6 +1418,8 @@ matrix_ssl_domains_to_obtain_certificates_for: |
+ +
([matrix_server_fqn_hydrogen] if matrix_client_hydrogen_enabled else []) ([matrix_server_fqn_hydrogen] if matrix_client_hydrogen_enabled else [])
+ +
([matrix_server_fqn_cinny] if matrix_client_cinny_enabled else [])
+
([matrix_server_fqn_dimension] if matrix_dimension_enabled else []) ([matrix_server_fqn_dimension] if matrix_dimension_enabled else [])
+ +
([matrix_server_fqn_bot_go_neb] if matrix_bot_go_neb_enabled else []) ([matrix_server_fqn_bot_go_neb] if matrix_bot_go_neb_enabled else [])
@ -1760,6 +1763,33 @@ matrix_client_hydrogen_self_check_validate_certificates: "{{ false if matrix_ssl
######################################################################
#
# matrix-client-cinny
#
######################################################################
matrix_client_cinny_enabled: false
matrix_client_cinny_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
# Normally, matrix-nginx-proxy is enabled and nginx can reach Cinny over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# the HTTP port to the local host.
matrix_client_cinny_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8080' }}"
matrix_client_cinny_default_hs_url: "{{ matrix_homeserver_url }}"
matrix_client_cinny_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"
######################################################################
#
# /matrix-client-cinny
#
######################################################################
###################################################################### ######################################################################
# #
# matrix-synapse # matrix-synapse

View File

@ -21,6 +21,9 @@ matrix_server_fqn_element: "element.{{ matrix_domain }}"
# This is where you access the Hydrogen web client from (if enabled via matrix_client_hydrogen_enabled; disabled by default). # This is where you access the Hydrogen web client from (if enabled via matrix_client_hydrogen_enabled; disabled by default).
matrix_server_fqn_hydrogen: "hydrogen.{{ matrix_domain }}" matrix_server_fqn_hydrogen: "hydrogen.{{ matrix_domain }}"
# This is where you access the Cinny web client from (if enabled via matrix_client_cinny_enabled; disabled by default).
matrix_server_fqn_cinny: "cinny.{{ matrix_domain }}"
# This is where you access the Dimension. # This is where you access the Dimension.
matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}" matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}"

View File

@ -0,0 +1,54 @@
matrix_client_cinny_enabled: true
matrix_client_cinny_container_image_self_build: false
matrix_client_cinny_container_image_self_build_repo: "https://github.com/ajbura/cinny.git"
matrix_client_cinny_version: v1.6.1
matrix_client_cinny_docker_image: "{{ matrix_client_cinny_docker_image_name_prefix }}ajbura/cinny:{{ matrix_client_cinny_version }}"
matrix_client_cinny_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build }}"
matrix_client_cinny_docker_image_force_pull: "{{ matrix_client_cinny_docker_image.endswith(':latest') }}"
matrix_client_cinny_data_path: "{{ matrix_base_data_path }}/client-cinny"
matrix_client_cinny_docker_src_files_path: "{{ matrix_client_cinny_data_path }}/docker-src"
# Controls whether the container exposes its HTTP port (tcp/8080 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8768"), or empty string to not expose.
matrix_client_cinny_container_http_host_bind_port: ''
# A list of extra arguments to pass to the container
matrix_client_cinny_container_extra_arguments: []
# List of systemd services that matrix-client-cinny.service depends on
matrix_client_cinny_systemd_required_services_list: ['docker.service']
# Controls whether the self-check feature should validate SSL certificates.
matrix_client_cinny_self_check_validate_certificates: true
# config.json
matrix_client_cinny_default_hs_url: ""
# Default cinny configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#
# For a more advanced customization, you can extend the default (see `matrix_client_cinny_configuration_extension_json`)
# or completely replace this variable with your own template.
#
# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict.
# This is unlike what it does when looking up YAML template files (no automatic parsing there).
matrix_client_cinny_configuration_default: "{{ lookup('template', 'templates/config.json.j2') }}"
# Your custom JSON configuration for cinny should go to `matrix_client_cinny_configuration_extension_json`.
# This configuration extends the default starting configuration (`matrix_client_cinny_configuration_default`).
#
# You can override individual variables from the default configuration, or introduce new ones.
#
# If you need something more special, you can take full control by
# completely redefining `matrix_client_cinny_configuration_default`.
matrix_client_cinny_configuration_extension_json: '{}'
matrix_client_cinny_configuration_extension: "{{ matrix_client_cinny_configuration_extension_json|from_json if matrix_client_cinny_configuration_extension_json|from_json is mapping else {} }}"
# Holds the final cinny configuration (a combination of the default and its extension).
# You most likely don't need to touch this variable. Instead, see `matrix_client_cinny_configuration_default`.
matrix_client_cinny_configuration: "{{ matrix_client_cinny_configuration_default|combine(matrix_client_cinny_configuration_extension, recursive=True) }}"

View File

@ -0,0 +1,10 @@
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
- name: Fail if trying to self-build on Ansible < 2.8
fail:
msg: "To self-build the Cinny image, you should use Ansible 2.8 or higher. See docs/ansible.md"
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_cinny_container_image_self_build and matrix_client_cinny_enabled"
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-cinny.service'] }}"
when: matrix_client_cinny_enabled|bool

View File

@ -0,0 +1,28 @@
- import_tasks: "{{ role_path }}/tasks/init.yml"
tags:
- always
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup|bool and matrix_client_cinny_enabled|bool"
tags:
- setup-all
- setup-client-cinny
- import_tasks: "{{ role_path }}/tasks/setup_install.yml"
when: "run_setup|bool and matrix_client_cinny_enabled|bool"
tags:
- setup-all
- setup-client-cinny
- import_tasks: "{{ role_path }}/tasks/self_check.yml"
delegate_to: 127.0.0.1
become: false
when: "run_self_check|bool and matrix_client_cinny_enabled|bool"
tags:
- self-check
- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
when: "run_setup|bool and not matrix_client_cinny_enabled|bool"
tags:
- setup-all
- setup-client-cinny

View File

@ -0,0 +1,22 @@
---
- set_fact:
matrix_client_cinny_url_endpoint_public: "https://{{ matrix_server_fqn_cinny }}/config.json"
- name: Check Cinny
uri:
url: "{{ matrix_client_cinny_url_endpoint_public }}"
follow_redirects: none
validate_certs: "{{ matrix_client_cinny_self_check_validate_certificates }}"
register: matrix_client_cinny_self_check_result
check_mode: no
ignore_errors: true
- name: Fail if Cinny not working
fail:
msg: "Failed checking Cinny is up at `{{ matrix_server_fqn_cinny }}` (checked endpoint: `{{ matrix_client_cinny_url_endpoint_public }}`). Is Cinny running? Is port 443 open in your firewall? Full error: {{ matrix_client_cinny_self_check_result }}"
when: "matrix_client_cinny_self_check_result.failed or 'json' not in matrix_client_cinny_self_check_result"
- name: Report working Cinny
debug:
msg: "Cinny at `{{ matrix_server_fqn_cinny }}` is working (checked endpoint: `{{ matrix_client_cinny_url_endpoint_public }}`)"

View File

@ -0,0 +1,71 @@
---
- name: Ensure Cinny paths exists
file:
path: "{{ item.path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_client_cinny_data_path }}", when: true }
- { path: "{{ matrix_client_cinny_docker_src_files_path }}", when: "{{ matrix_client_cinny_container_image_self_build }}" }
when: "item.when|bool"
- name: Ensure Cinny Docker image is pulled
docker_image:
name: "{{ matrix_client_cinny_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_client_cinny_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_client_cinny_docker_image_force_pull }}"
when: "not matrix_client_cinny_container_image_self_build|bool"
- name: Ensure Cinny repository is present on self-build
git:
repo: "{{ matrix_client_cinny_container_image_self_build_repo }}"
dest: "{{ matrix_client_cinny_docker_src_files_path }}"
version: "{{ matrix_client_cinny_docker_image.split(':')[1] }}"
force: "yes"
register: matrix_client_cinny_git_pull_results
when: "matrix_client_cinny_container_image_self_build|bool"
- name: Ensure Cinny configuration installed
copy:
content: "{{ matrix_client_cinny_configuration|to_nice_json }}"
dest: "{{ matrix_client_cinny_data_path }}/config.json"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure Cinny additional config files installed
template:
src: "{{ item.src }}"
dest: "{{ matrix_client_cinny_data_path }}/{{ item.name }}"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"}
when: "item.src is not none"
- name: Ensure Cinny Docker image is built
docker_image:
name: "{{ matrix_client_cinny_docker_image }}"
source: build
force_source: "{{ matrix_client_cinny_git_pull_results.changed }}"
build:
dockerfile: Dockerfile
path: "{{ matrix_client_cinny_docker_src_files_path }}"
pull: yes
when: "matrix_client_cinny_container_image_self_build|bool"
- name: Ensure matrix-client-cinny.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-client-cinny.service.j2"
dest: "{{ matrix_systemd_path }}/matrix-client-cinny.service"
mode: 0644
register: matrix_client_cinny_systemd_service_result
- name: Ensure systemd reloaded after matrix-client-cinny.service installation
service:
daemon_reload: yes
when: "matrix_client_cinny_systemd_service_result.changed|bool"

View File

@ -0,0 +1,35 @@
---
- name: Check existence of matrix-client-cinny.service
stat:
path: "{{ matrix_systemd_path }}/matrix-client-cinny.service"
register: matrix_client_cinny_service_stat
- name: Ensure matrix-client-cinny is stopped
service:
name: matrix-client-cinny
state: stopped
enabled: no
daemon_reload: yes
register: stopping_result
when: "matrix_client_cinny_service_stat.stat.exists|bool"
- name: Ensure matrix-client-cinny.service doesn't exist
file:
path: "{{ matrix_systemd_path }}/matrix-client-cinny.service"
state: absent
when: "matrix_client_cinny_service_stat.stat.exists|bool"
- name: Ensure systemd reloaded after matrix-client-cinny.service removal
service:
daemon_reload: yes
when: "matrix_client_cinny_service_stat.stat.exists|bool"
- name: Ensure Cinny paths doesn't exist
file:
path: "{{ matrix_client_cinny_data_path }}"
state: absent
- name: Ensure Cinny Docker image doesn't exist
docker_image:
name: "{{ matrix_client_cinny_docker_image }}"
state: absent

View File

@ -0,0 +1,8 @@
---
- name: Fail if required Cinny settings not defined
fail:
msg: >
You need to define a required configuration setting (`{{ item }}`) to use Cinny.
when: "vars[item] == '' or vars[item] is none"
with_items:
- "matrix_client_cinny_default_hs_url"

View File

@ -0,0 +1,6 @@
{
"defaultHomeserver": 0,
"homeserverList": [
{{ matrix_client_cinny_default_hs_url|string|to_json }}
]
}

View File

@ -0,0 +1,66 @@
#jinja2: lstrip_blocks: "True"
# This is a custom nginx configuration file that we use in the container (instead of the default one),
# because it allows us to run nginx with a non-root user.
#
# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed.
# (mounting `/dev/null` over `/etc/nginx/conf.d/default.conf` works well)
#
# The following changes have been done compared to a default nginx configuration file:
# - default server port is changed (80 -> 8080), so that a non-root user can bind it
# - various temp paths are changed to `/tmp`, so that a non-root user can write to them
# - the `user` directive was removed, as we don't want nginx to switch users
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /tmp/nginx.pid;
events {
worker_connections 1024;
}
http {
proxy_temp_path /tmp/proxy_temp;
client_body_temp_path /tmp/client_temp;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
server {
listen 8080;
server_name localhost;
root /usr/share/nginx/html;
location / {
index index.html index.htm;
}
location ~* ^/(config(.+)?\.json$|(.+)\.html$|i18n) {
expires -1;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
}

View File

@ -0,0 +1,40 @@
#jinja2: lstrip_blocks: "True"
[Unit]
Description=Matrix Cinny Client
{% for service in matrix_client_cinny_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ matrix_systemd_unit_home_path }}"
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-cinny 2>/dev/null'
ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-cinny 2>/dev/null'
ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-client-cinny \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--read-only \
--network={{ matrix_docker_network }} \
{% if matrix_client_cinny_container_http_host_bind_port %}
-p {{ matrix_client_cinny_container_http_host_bind_port }}:8080 \
{% endif %}
--tmpfs=/tmp:rw,noexec,nosuid,size=10m \
--mount type=bind,src={{ matrix_client_cinny_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \
--mount type=bind,src={{ matrix_client_cinny_data_path }}/config.json,dst=/app/config.json,ro \
{% for arg in matrix_client_cinny_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_client_cinny_docker_image }}
ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-cinny 2>/dev/null'
ExecStopPost=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-cinny 2>/dev/null'
Restart=always
RestartSec=30
SyslogIdentifier=matrix-client-cinny
[Install]
WantedBy=multi-user.target

View File

@ -128,6 +128,10 @@ matrix_nginx_proxy_proxy_element_hostname: "{{ matrix_server_fqn_element }}"
matrix_nginx_proxy_proxy_hydrogen_enabled: false matrix_nginx_proxy_proxy_hydrogen_enabled: false
matrix_nginx_proxy_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}" matrix_nginx_proxy_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}"
# Controls whether proxying the Cinny domain should be done.
matrix_nginx_proxy_proxy_cinny_enabled: false
matrix_nginx_proxy_proxy_cinny_hostname: "{{ matrix_server_fqn_cinny }}"
# Controls whether proxying the matrix domain should be done. # Controls whether proxying the matrix domain should be done.
matrix_nginx_proxy_proxy_matrix_enabled: false matrix_nginx_proxy_proxy_matrix_enabled: false
matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}" matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}"
@ -273,9 +277,12 @@ matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: []
# A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf). # A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf).
matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks: [] matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks: []
# A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf). # A list of strings containing additional configuration blocks to add to Hydrogen's server configuration (matrix-client-hydrogen.conf).
matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks: [] matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks: []
# A list of strings containing additional configuration blocks to add to Cinny's server configuration (matrix-client-cinny.conf).
matrix_nginx_proxy_proxy_cinny_additional_server_configuration_blocks: []
# A list of strings containing additional configuration blocks to add to Dimension's server configuration (matrix-dimension.conf). # A list of strings containing additional configuration blocks to add to Dimension's server configuration (matrix-dimension.conf).
matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: [] matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: []

View File

@ -88,6 +88,13 @@
mode: 0644 mode: 0644
when: matrix_nginx_proxy_proxy_hydrogen_enabled|bool when: matrix_nginx_proxy_proxy_hydrogen_enabled|bool
- name: Ensure Matrix nginx-proxy configuration for Cinny domain exists
template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-cinny.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-cinny.conf"
mode: 0644
when: matrix_nginx_proxy_proxy_cinny_enabled|bool
- name: Ensure Matrix nginx-proxy configuration for dimension domain exists - name: Ensure Matrix nginx-proxy configuration for dimension domain exists
template: template:
src: "{{ role_path }}/templates/nginx/conf.d/matrix-dimension.conf.j2" src: "{{ role_path }}/templates/nginx/conf.d/matrix-dimension.conf.j2"
@ -227,6 +234,12 @@
state: absent state: absent
when: "not matrix_nginx_proxy_proxy_hydrogen_enabled|bool" when: "not matrix_nginx_proxy_proxy_hydrogen_enabled|bool"
- name: Ensure Matrix nginx-proxy configuration for Cinny domain deleted
file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-cinny.conf"
state: absent
when: "not matrix_nginx_proxy_proxy_cinny_enabled|bool"
- name: Ensure Matrix nginx-proxy configuration for dimension domain deleted - name: Ensure Matrix nginx-proxy configuration for dimension domain deleted
file: file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-dimension.conf" path: "{{ matrix_nginx_proxy_confd_path }}/matrix-dimension.conf"

View File

@ -0,0 +1,104 @@
#jinja2: lstrip_blocks: "True"
{% macro render_vhost_directives() %}
gzip on;
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
{% if matrix_nginx_proxy_hsts_preload_enabled %}
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
{% else %}
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
{% endif %}
add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
add_header Content-Security-Policy "frame-ancestors 'none'";
{% if matrix_nginx_proxy_floc_optout_enabled %}
add_header Permissions-Policy interest-cohort=() always;
{% endif %}
{% for configuration_block in matrix_nginx_proxy_proxy_cinny_additional_server_configuration_blocks %}
{{- configuration_block }}
{% endfor %}
location / {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
set $backend "matrix-client-cinny:8080";
proxy_pass http://$backend;
{% else %}
{# Generic configuration for use outside of our container setup #}
proxy_pass http://127.0.0.1:8080;
{% endif %}
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
}
{% endmacro %}
server {
listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }};
server_name {{ matrix_nginx_proxy_proxy_cinny_hostname }};
server_tokens off;
root /dev/null;
{% if matrix_nginx_proxy_https_enabled %}
location /.well-known/acme-challenge {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
set $backend "matrix-certbot:8080";
proxy_pass http://$backend;
{% else %}
{# Generic configuration for use outside of our container setup #}
proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
{% endif %}
}
location / {
return 301 https://$http_host$request_uri;
}
{% else %}
{{ render_vhost_directives() }}
{% endif %}
}
{% if matrix_nginx_proxy_https_enabled %}
server {
listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
server_name {{ matrix_nginx_proxy_proxy_cinny_hostname }};
server_tokens off;
root /dev/null;
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_cinny_hostname }}/fullchain.pem;
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_cinny_hostname }}/privkey.pem;
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
{% if matrix_nginx_proxy_ssl_ciphers != "" %}
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
{% endif %}
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_cinny_hostname }}/chain.pem;
{% endif %}
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
ssl_session_tickets off;
{% endif %}
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
{{ render_vhost_directives() }}
}
{% endif %}

View File

@ -47,6 +47,7 @@
- matrix-registration - matrix-registration
- matrix-client-element - matrix-client-element
- matrix-client-hydrogen - matrix-client-hydrogen
- matrix-client-cinny
- matrix-jitsi - matrix-jitsi
- matrix-ma1sd - matrix-ma1sd
- matrix-dimension - matrix-dimension