From cc75be9c6533a5cf0d0e79f6bded67ae307c7061 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 3 Jan 2024 14:39:17 +0200 Subject: [PATCH] Add support for serving the base domain via matrix-static-files --- ...onfiguring-playbook-base-domain-serving.md | 35 ++++++-- group_vars/matrix_servers | 10 ++- .../matrix-nginx-proxy/defaults/main.yml | 39 -------- .../tasks/setup_nginx_proxy.yml | 37 -------- .../matrix-nginx-proxy/templates/labels.j2 | 13 --- .../nginx/conf.d/matrix-base-domain.conf.j2 | 88 ------------------- .../matrix-static-files/defaults/main.yml | 56 +++++++++++- .../matrix-static-files/tasks/install.yml | 14 ++- .../tasks/validate_config.yml | 3 + .../matrix-static-files/templates/labels.j2 | 27 +++++- .../tasks/validate_config.yml | 4 + 11 files changed, 130 insertions(+), 196 deletions(-) delete mode 100644 roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 diff --git a/docs/configuring-playbook-base-domain-serving.md b/docs/configuring-playbook-base-domain-serving.md index a5df4ece8..da4e7fc3f 100644 --- a/docs/configuring-playbook-base-domain-serving.md +++ b/docs/configuring-playbook-base-domain-serving.md @@ -17,7 +17,7 @@ This documentation page tells you how to do the latter. With some easy changes, Just **adjust your DNS records**, so that your base domain is pointed to the Matrix server's IP address (using a DNS `A` record) **and then use the following configuration**: ```yaml -matrix_nginx_proxy_base_domain_serving_enabled: true +matrix_static_files_container_labels_base_domain_enabled: true ``` Doing this, the playbook will: 
@@ -26,27 +26,46 @@ Doing this, the playbook will: - serve the `/.well-known/matrix/*` files which are necessary for [Federation Server Discovery](configuring-well-known.md#introduction-to-client-server-discovery) (also see [Server Delegation](howto-server-delegation.md)) and [Client-Server discovery](configuring-well-known.md#introduction-to-client-server-discovery) -- serve a simple homepage at `https://DOMAIN` with content `Hello from DOMAIN` (configurable via the `matrix_nginx_proxy_base_domain_homepage_template` variable). You can also [serve a more complicated static website](#serving-a-static-website-at-the-base-domain). +- serve a simple homepage at `https://DOMAIN` with content `Hello from DOMAIN` (configurable via the `matrix_static_files_file_index_html_template` variable). You can also [serve a more complicated static website](#serving-a-static-website-at-the-base-domain). ## Serving a static website at the base domain -By default, when "serving the base domain" is enabled, the playbook hosts a simple `index.html` webpage in `/matrix/nginx-proxy/data/matrix-domain`. -The content of this page is taken from the `matrix_nginx_proxy_base_domain_homepage_template` variable. +By default, when "serving the base domain" is enabled, the playbook hosts a simple `index.html` webpage at `/matrix/static-files/public/index.html`. +The content of this page is taken from the `matrix_static_files_file_index_html_template` variable. 
If you'd like to host your own static website (more than a single `index.html` page) at the base domain, you can disable the creation of this default `index.html` page like this: ```yaml -matrix_nginx_proxy_base_domain_homepage_enabled: false +# Enable base-domain serving +matrix_static_files_container_labels_base_domain_enabled: true + +# Prevent the default index.html file from being installed +matrix_static_files_file_index_html_enabled: false ``` -With this configuration, Ansible will no longer mess around with the `/matrix/nginx-proxy/data/matrix-domain/index.html` file. +With this configuration, Ansible will no longer mess around with the `/matrix/static-files/public/index.html` file. -You are then free to upload any static website files to `/matrix/nginx-proxy/data/matrix-domain` and they will get served at the base domain. +You are then free to upload any static website files to `/matrix/static-files/public` and they will get served at the base domain. +You can do so manually or by using the [ansible-role-aux](https://github.com/mother-of-all-self-hosting/ansible-role-aux) Ansible role, which is part of this playbook already. ## Serving a more complicated website at the base domain If you'd like to serve an even more complicated (dynamic) website from the Matrix server, relying on the playbook to serve the base domain is not the best choice. -Instead, we recommend that you switch to [using your own webserver](configuring-playbook-own-webserver.md) (preferrably nginx). You can then make that webserver host anything you wish, and still easily plug in Matrix services into it. +You have 2 options. + +**One way is to host your base domain elsewhere**. 
This involves: +- you stopping to serve it from the Matrix server: remove `matrix_static_files_container_labels_base_domain_enabled` from your configuration +- [configuring Matrix Delegation via well-known](./configuring-well-known.md) + +**Another way is to serve the base domain from another (your own) container on the Matrix server**. This involves: +- telling the playbook to only serve `BASE_DOMAIN/.well-known/matrix` files by adjusting your `vars.yml` configuration like this: + - keep `matrix_static_files_container_labels_base_domain_enabled: true` + - add an extra: `matrix_static_files_container_labels_base_domain_traefik_path_prefix: /.well-known/matrix` +- building and running a new container on the Matrix server: + - it should be connected to the `traefik` network, so that Traefik can reverse-proxy to it + - it should have appropriate [container labels](https://docs.docker.com/config/labels-custom-metadata/), which instruct Traefik to reverse-proxy to it + +How you'll be managing building and running this container is up-to-you. You may use of the primitives from [ansible-role-aux](https://github.com/mother-of-all-self-hosting/ansible-role-aux) Ansible role to organize it yourself, or you can set it up in another way. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 35bc3433a..2464a510e 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -3080,8 +3080,6 @@ matrix_ssl_domains_to_obtain_certificates_for: | + (matrix_bot_postmoogle_domains if matrix_bot_postmoogle_enabled else []) + - ([matrix_domain] if matrix_nginx_proxy_base_domain_serving_enabled else []) - + matrix_ssl_additional_domains_to_obtain_certificates_for }} 
@@ -4590,13 +4588,17 @@ matrix_static_files_enabled: true matrix_static_files_container_network: "{{ devture_traefik_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' else matrix_well_known_ident }}" -matrix_static_files_container_labels_well_known_matrix_endpoint_traefik_hostname: "{{ matrix_server_fqn_matrix }}" - matrix_static_files_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" matrix_static_files_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" matrix_static_files_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" matrix_static_files_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" +matrix_static_files_container_labels_well_known_matrix_endpoint_traefik_hostname: "{{ matrix_server_fqn_matrix }}" + +# Base domain serving is not enabled by default (see `matrix_static_files_container_labels_base_domain_enabled`), +# but we pass the hostname, so that enabling it is easy. +matrix_static_files_container_labels_base_domain_traefik_hostname: "{{ matrix_domain }}" + matrix_static_files_file_matrix_client_property_io_element_jitsi_preferred_domain: "{{ matrix_server_fqn_jitsi if jitsi_enabled else '' }}" matrix_static_files_file_matrix_client_property_org_matrix_msc3575_proxy_url: "{{ matrix_homeserver_sliding_sync_url }}" diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index 9b94db2e8..54fed08f0 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml 
@@ -50,11 +50,6 @@ matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_nginx_pro matrix_nginx_proxy_container_labels_traefik_entrypoints: web-secure matrix_nginx_proxy_container_labels_traefik_tls_certResolver: default # noqa var-naming -matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_enabled: "{{ matrix_nginx_proxy_base_domain_serving_enabled }}" -matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_hostname: "{{ matrix_nginx_proxy_base_domain_hostname }}" -matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" -matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_hostname }}`)" - matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: false matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_hostname: "{{ matrix_server_fqn_matrix }}" 
@@ -119,40 +114,6 @@ matrix_nginx_proxy_container_https_host_bind_port: '443' # When HTTPS is disabled, you'd likely want to only expose the port locally, and front it with another HTTPS-enabled reverse-proxy. matrix_nginx_proxy_container_federation_host_bind_port: '8448' -# Controls whether matrix-nginx-proxy should serve the base domain. -# -# This is useful for when you only have your Matrix server, but you need to serve -# to serve `/.well-known/matrix/*` files from the base domain for the needs of -# Server-Discovery (Federation) and for Client-Discovery. -# -# Besides serving these Matrix files, a homepage would be served with content -# as specified in the `matrix_nginx_proxy_base_domain_homepage_template` variable. -# You can also put additional files to use for this webpage -# in the `{{ matrix_nginx_proxy_data_path }}/matrix-domain` (`/matrix/nginx-proxy/data/matrix-domain`) directory. -matrix_nginx_proxy_base_domain_serving_enabled: false - -# Controls whether the base domain directory and default index.html file are created. -matrix_nginx_proxy_base_domain_create_directory: true - -matrix_nginx_proxy_base_domain_hostname: "{{ matrix_domain }}" - -# Controls whether `matrix_nginx_proxy_base_domain_homepage_template` would be dumped to an `index.html` file -# in the `/matrix/nginx-proxy/data/matrix-domain` directory. -# -# If you would instead like to serve a static website by yourself, you can disable this. -# When disabled, you're expected to put website files in `/matrix/nginx-proxy/data/matrix-domain` manually -# and can expect that the playbook won't intefere with the `index.html` file. -matrix_nginx_proxy_base_domain_homepage_enabled: true - -matrix_nginx_proxy_base_domain_homepage_template: |- - - - - - Hello from {{ matrix_domain }}! - - - # Option to disable the access log matrix_nginx_proxy_access_log_enabled: true 
diff --git a/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index 338ada2fb..90e2389a7 100644 --- a/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -198,31 +198,6 @@ dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-domain.conf" mode: 0644 -- name: Ensure Matrix nginx-proxy data directory for base domain exists - ansible.builtin.file: - path: "{{ matrix_nginx_proxy_data_path }}/matrix-domain" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - when: matrix_nginx_proxy_base_domain_serving_enabled | bool and matrix_nginx_proxy_base_domain_create_directory | bool - -- name: Ensure Matrix nginx-proxy homepage for base domain exists - ansible.builtin.copy: - content: "{{ matrix_nginx_proxy_base_domain_homepage_template }}" - dest: "{{ matrix_nginx_proxy_data_path }}/matrix-domain/index.html" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - when: matrix_nginx_proxy_base_domain_serving_enabled | bool and matrix_nginx_proxy_base_domain_homepage_enabled | bool and matrix_nginx_proxy_base_domain_create_directory | bool - -- name: Ensure Matrix nginx-proxy configuration for base domain exists - ansible.builtin.template: - src: "{{ role_path }}/templates/nginx/conf.d/matrix-base-domain.conf.j2" - dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-base-domain.conf" - mode: 0644 - when: matrix_nginx_proxy_base_domain_serving_enabled | bool - # # Tasks related to setting up matrix-nginx-proxy # 
@@ -366,18 +341,6 @@ state: absent when: "not matrix_nginx_proxy_proxy_etherpad_enabled | bool" -- name: Ensure Matrix nginx-proxy homepage for base domain deleted - ansible.builtin.file: - path: "{{ matrix_nginx_proxy_data_path }}/matrix-domain/index.html" - state: absent - when: "not matrix_nginx_proxy_base_domain_serving_enabled | bool" - -- name: Ensure Matrix nginx-proxy configuration for base domain deleted - ansible.builtin.file: - path: "{{ matrix_nginx_proxy_confd_path }}/matrix-base-domain.conf" - state: absent - when: "not matrix_nginx_proxy_base_domain_serving_enabled | bool" - - name: Ensure Matrix nginx-proxy configuration for main config override deleted ansible.builtin.file: path: "{{ matrix_nginx_proxy_base_path }}/nginx.conf" diff --git a/roles/custom/matrix-nginx-proxy/templates/labels.j2 b/roles/custom/matrix-nginx-proxy/templates/labels.j2 index e15d94231..c4add6ba1 100644 --- a/roles/custom/matrix-nginx-proxy/templates/labels.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/labels.j2 
@@ -5,19 +5,6 @@ traefik.enable=true traefik.docker.network={{ matrix_nginx_proxy_container_labels_traefik_docker_network }} {% endif %} - -{% if matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_enabled %} -# Base domain -traefik.http.routers.matrix-nginx-proxy-base-domain.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_rule }} -traefik.http.routers.matrix-nginx-proxy-base-domain.service=matrix-nginx-proxy-web -traefik.http.routers.matrix-nginx-proxy-base-domain.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_tls | to_json }} -{% if matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_tls %} -traefik.http.routers.matrix-nginx-proxy-base-domain.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} -{% endif %} -traefik.http.routers.matrix-nginx-proxy-base-domain.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} -{% endif %} - - {% if matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled %} # Matrix Client traefik.http.routers.matrix-nginx-proxy-matrix-client.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_rule }} diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 deleted file mode 100644 index 63d573d73..000000000 --- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 +++ /dev/null 
@@ -1,88 +0,0 @@ -#jinja2: lstrip_blocks: "True" - -{% macro render_vhost_directives() %} - absolute_redirect off; - root {{ matrix_nginx_proxy_data_path_in_container if matrix_nginx_proxy_enabled else matrix_nginx_proxy_data_path }}{{ matrix_nginx_proxy_data_path_extension }}; - index index.html index.htm; - try_files $uri $uri/ =404; - - gzip on; - gzip_types text/plain application/json; - - {% if matrix_nginx_proxy_floc_optout_enabled %} - add_header Permissions-Policy interest-cohort=() always; - {% endif %} - - {% if matrix_nginx_proxy_hsts_preload_enabled %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - {% else %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - {% endif %} - - add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; - - {% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %} - {{- configuration_block }} - {% endfor %} -{% endmacro %} - -server { - listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - - server_name {{ matrix_nginx_proxy_base_domain_hostname }}; - server_tokens off; - - {% if matrix_nginx_proxy_https_enabled %} - location /.well-known/acme-challenge { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "matrix-certbot:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; - {% endif %} - } - - location / { - return 301 https://$http_host$request_uri; - } - {% else %} - {{ render_vhost_directives() }} - {% endif %} -} - -{% if matrix_nginx_proxy_https_enabled %} -server { - listen {{ 8443 if 
matrix_nginx_proxy_enabled else 443 }} ssl http2; - listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - - server_name {{ matrix_nginx_proxy_base_domain_hostname }}; - server_tokens off; - - ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/fullchain.pem; - ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/privkey.pem; - - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - - {% if matrix_nginx_proxy_ocsp_stapling_enabled %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; - {% endif %} - - {% if matrix_nginx_proxy_ssl_session_tickets_off %} - ssl_session_tickets off; - {% endif %} - ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; - ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; - - {{ render_vhost_directives() }} -} -{% endif %} diff --git a/roles/custom/matrix-static-files/defaults/main.yml b/roles/custom/matrix-static-files/defaults/main.yml index 510e2edbd..b52e9540c 100644 --- a/roles/custom/matrix-static-files/defaults/main.yml +++ b/roles/custom/matrix-static-files/defaults/main.yml 
@@ -48,7 +48,7 @@ matrix_static_files_container_labels_traefik_docker_network: "{{ matrix_static_f matrix_static_files_container_labels_traefik_entrypoints: web-secure matrix_static_files_container_labels_traefik_tls_certResolver: default -# Controls whether labels will be added that expose the well-known public endpoint +# Controls whether labels will be added that expose the well-known public endpoint on the matrix domain. matrix_static_files_container_labels_well_known_matrix_endpoint_enabled: true matrix_static_files_container_labels_well_known_matrix_endpoint_traefik_hostname: '' matrix_static_files_container_labels_well_known_matrix_endpoint_traefik_path_prefix: /.well-known/matrix 
@@ -58,6 +58,26 @@ matrix_static_files_container_labels_well_known_matrix_endpoint_traefik_entrypoi matrix_static_files_container_labels_well_known_matrix_endpoint_traefik_tls: "{{ matrix_static_files_container_labels_well_known_matrix_endpoint_traefik_entrypoints != 'web' }}" matrix_static_files_container_labels_well_known_matrix_endpoint_traefik_tls_certResolver: "{{ matrix_static_files_container_labels_traefik_tls_certResolver }}" # noqa var-naming +# Controls whether labels will be added that serve the base domain. +# +# This is similar to `matrix_static_files_container_labels_well_known_matrix_endpoint_*`, but does more. +# +# It's useful when you'd like to avoid setting up `/.well-known/matrix` redirects and can afford to point the base domain to the Matrix server. +# +# By default, these labels are configured to handle all paths for the provided base domain +# (see `matrix_static_files_container_labels_base_domain_traefik_path_prefix`), not just the `/.well-known/matrix` prefix. +# +# By default, an index.html page is also served (see `matrix_static_files_file_index_html_enabled`). 
+matrix_static_files_container_labels_base_domain_enabled: false +matrix_static_files_container_labels_base_domain_traefik_hostname: '' +matrix_static_files_container_labels_base_domain_traefik_path_prefix: / +matrix_static_files_container_labels_base_domain_traefik_rule: "Host(`{{ matrix_static_files_container_labels_base_domain_traefik_hostname }}`){% if matrix_static_files_container_labels_base_domain_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_static_files_container_labels_well_known_matrix_endpoint_traefik_path_prefix }}`){% endif %}" +matrix_static_files_container_labels_base_domain_traefik_priority: 0 +matrix_static_files_container_labels_base_domain_traefik_entrypoints: "{{ matrix_static_files_container_labels_traefik_entrypoints }}" +matrix_static_files_container_labels_base_domain_traefik_tls: "{{ matrix_static_files_container_labels_base_domain_traefik_entrypoints != 'web' }}" +matrix_static_files_container_labels_base_domain_traefik_tls_certResolver: "{{ matrix_static_files_container_labels_traefik_tls_certResolver }}" # noqa var-naming + + # matrix_static_files_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. # See `../templates/labels.j2` for details. # 
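Review bot: The `PathPrefix(...)` segment of `matrix_static_files_container_labels_base_domain_traefik_rule` interpolates `matrix_static_files_container_labels_well_known_matrix_endpoint_traefik_path_prefix`, while the condition around it tests `matrix_static_files_container_labels_base_domain_traefik_path_prefix`. The case the docs describe (`/.well-known/matrix`) only works because both variables happen to hold that same value; any other base-domain prefix is silently replaced by the well-known one, so the router matches a path other than the one the operator configured and the intended narrowing of what the static-files container serves on the base domain does not take effect. Replace the variable name inside `PathPrefix(...)` with `matrix_static_files_container_labels_base_domain_traefik_path_prefix`. The new entries in `roles/custom/matrix-static-files/tasks/validate_config.yml` check that the prefix is set, but nothing checks that it is the one actually used in the rule.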
@@ -298,6 +318,40 @@ matrix_static_files_file_matrix_support_configuration: "{{ matrix_static_files_f # # ######################################################################## + +######################################################################## +# # +# Related to index.html # +# # +######################################################################## + +# Controls whether `matrix_static_files_file_index_html_template` would be dumped to an `index.html` file +# in the public directory (matrix_static_files_public_path). +# +# This is useful if you have enabled serving of the base domain (matrix_static_files_container_labels_base_domain_enabled) +# and wish to serve more than just the `/.well-known/matrix` files from it. +# +# You can also use the auxiliary role (https://github.com/mother-of-all-self-hosting/ansible-role-aux) to create files in +# the public directory (matrix_static_files_public_path) by yourself. +# +# Because you may wish to manage these static files yourself, disabling this variable will intentionally not delete an already existing `index.html` file. +matrix_static_files_file_index_html_enabled: "{{ matrix_static_files_container_labels_base_domain_enabled }}" + +matrix_static_files_file_index_html_template: |- + + + + + Hello from {{ matrix_static_files_container_labels_base_domain_traefik_hostname }}! + + + +######################################################################## +# # +# /Related to /index.html # +# # +######################################################################## + # Controls whether the self-check feature should validate SSL certificates. matrix_static_files_self_check_validate_certificates: true diff --git a/roles/custom/matrix-static-files/tasks/install.yml b/roles/custom/matrix-static-files/tasks/install.yml index b715e875c..6935c17c4 100644 --- a/roles/custom/matrix-static-files/tasks/install.yml +++ b/roles/custom/matrix-static-files/tasks/install.yml 
@@ -33,25 +33,31 @@ - name: Ensure matrix-static-files files are installed ansible.builtin.copy: - content: "{{ item.content | to_nice_json }}" + content: "{{ item.content }}" dest: "{{ item.dest }}" mode: 0644 owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" when: item.when | bool with_items: - - content: "{{ matrix_static_files_file_matrix_client_configuration }}" + - content: "{{ matrix_static_files_file_matrix_client_configuration | to_nice_json }}" dest: "{{ matrix_static_files_public_well_known_matrix_path }}/client" when: true - - content: "{{ matrix_static_files_file_matrix_server_configuration }}" + - content: "{{ matrix_static_files_file_matrix_server_configuration | to_nice_json }}" dest: "{{ matrix_static_files_public_well_known_matrix_path }}/server" when: "{{ matrix_static_files_file_matrix_server_enabled }}" - - content: "{{ matrix_static_files_file_matrix_support_configuration }}" + - content: "{{ matrix_static_files_file_matrix_support_configuration | to_nice_json }}" dest: "{{ matrix_static_files_public_well_known_matrix_path }}/support" when: "{{ matrix_static_files_file_matrix_support_enabled }}" + # This one will not be deleted if `matrix_static_files_file_index_html_enabled` flips to `false`. + # See the comment for `matrix_static_files_file_index_html_enabled` to learn why. + - content: "{{ matrix_static_files_file_index_html_template }}" + dest: "{{ matrix_static_files_public_path }}/index.html" + when: "{{ matrix_static_files_file_index_html_enabled }}" + - name: Ensure /.well-known/matrix/server file deleted if not enabled ansible.builtin.file: path: "{{ matrix_static_files_public_well_known_matrix_path }}/server" diff --git a/roles/custom/matrix-static-files/tasks/validate_config.yml b/roles/custom/matrix-static-files/tasks/validate_config.yml index 38fb4b50e..21d91195e 100644 --- a/roles/custom/matrix-static-files/tasks/validate_config.yml +++ b/roles/custom/matrix-static-files/tasks/validate_config.yml 
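Review bot: The comment on the new `index.html` item only says the file is not deleted when `matrix_static_files_file_index_html_enabled` flips to `false`; it does not say that, while the flag is `true` (its default follows `matrix_static_files_container_labels_base_domain_enabled`), `ansible.builtin.copy` rewrites the file on every run, so an operator who uploads their own site to `matrix_static_files_public_path` without first disabling the flag has their `index.html` replaced by the template. Extend the comment with `# While enabled, this overwrites any manually placed index.html on each run; disable the flag before uploading your own site.` so the behaviour is visible next to the task rather than only in the docs. The `with_items` task header is in the hunk, but the `- name: Ensure /.well-known/matrix/server file deleted if not enabled` task that follows continues outside it.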
@@ -9,3 +9,6 @@ - {'name': 'matrix_static_files_container_labels_well_known_matrix_endpoint_traefik_hostname', when: "{{ matrix_static_files_container_labels_well_known_matrix_endpoint_enabled }}"} - {'name': 'matrix_static_files_container_labels_well_known_matrix_endpoint_traefik_path_prefix', when: "{{ matrix_static_files_container_labels_well_known_matrix_endpoint_enabled }}"} + - {'name': 'matrix_static_files_container_labels_base_domain_traefik_hostname', when: "{{ matrix_static_files_container_labels_base_domain_enabled }}"} + - {'name': 'matrix_static_files_container_labels_base_domain_traefik_path_prefix', when: "{{ matrix_static_files_container_labels_base_domain_enabled }}"} + diff --git a/roles/custom/matrix-static-files/templates/labels.j2 b/roles/custom/matrix-static-files/templates/labels.j2 index c3058208c..6f49b4018 100644 --- a/roles/custom/matrix-static-files/templates/labels.j2 +++ b/roles/custom/matrix-static-files/templates/labels.j2 @@ -9,7 +9,7 @@ traefik.http.services.{{ matrix_static_files_ident }}.loadbalancer.server.port={ {# - Related to /.well-known/matrix + Related to /.well-known/matrix on the matrix domain #} {% if matrix_static_files_container_labels_well_known_matrix_endpoint_enabled %} 
@@ -33,10 +33,33 @@ traefik.http.routers.{{ matrix_static_files_ident }}-well-known-endpoint.tls.cer {% endif %} {# - /Related to /.well-known/matrix + /Related to /.well-known/matrix on the matrix domain #} +{# + Base domain serving +#} +{% if matrix_static_files_container_labels_base_domain_enabled %} +traefik.http.routers.{{ matrix_static_files_ident }}-base-domain.rule={{ matrix_static_files_container_labels_base_domain_traefik_rule }} + +{% if matrix_static_files_container_labels_base_domain_traefik_priority | int > 0 %} +traefik.http.routers.{{ matrix_static_files_ident }}-base-domain.priority={{ matrix_static_files_container_labels_base_domain_traefik_priority }} +{% endif %} + +traefik.http.routers.{{ matrix_static_files_ident }}-base-domain.service={{ matrix_static_files_ident }} +traefik.http.routers.{{ matrix_static_files_ident }}-base-domain.entrypoints={{ matrix_static_files_container_labels_base_domain_traefik_entrypoints }} +traefik.http.routers.{{ matrix_static_files_ident }}-base-domain.tls={{ matrix_static_files_container_labels_base_domain_traefik_tls | to_json }} + +{% if matrix_static_files_container_labels_base_domain_traefik_tls %} +traefik.http.routers.{{ matrix_static_files_ident }}-base-domain.tls.certResolver={{ matrix_static_files_container_labels_base_domain_traefik_tls_certResolver }} +{% endif %} + +{% endif %} +{# + /Base domain serving +#} + {% endif %} {{ matrix_static_files_container_labels_additional_labels }} diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index 3a45a907f..4720dd6a0 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml 
@@ -77,6 +77,10 @@ - {'old': 'matrix_well_known_matrix_support_configuration_extension_json', 'new': 'matrix_static_files_file_matrix_support_configuration_extension_json'} - {'old': 'matrix_nginx_proxy_self_check_validate_certificates', 'new': 'matrix_static_files_self_check_validate_certificates'} - {'old': 'matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects', 'new': 'matrix_static_files_self_check_well_known_matrix_client_follow_redirects'} + - {'old': 'matrix_nginx_proxy_base_domain_serving_enabled', 'new': 'matrix_static_files_container_labels_base_domain_enabled'} + - {'old': 'matrix_nginx_proxy_base_domain_hostname', 'new': 'matrix_static_files_container_labels_base_domain_traefik_hostname'} + - {'old': 'matrix_nginx_proxy_base_domain_homepage_enabled', 'new': 'matrix_static_files_file_index_html_enabled'} + - {'old': 'matrix_nginx_proxy_base_domain_create_directory', 'new': ''} - name: (Deprecation) Catch and report matrix_postgres variables ansible.builtin.fail:
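Review bot: The deprecation list maps four of the removed `matrix_nginx_proxy_base_domain_*` variables but omits `matrix_nginx_proxy_base_domain_homepage_template`, which this patch deletes from `roles/custom/matrix-nginx-proxy/defaults/main.yml`; an operator who customized the homepage would silently get the new default page instead of a validation failure pointing at the renamed variable. Add `- {'old': 'matrix_nginx_proxy_base_domain_homepage_template', 'new': 'matrix_static_files_file_index_html_template'}` alongside the other new entries. The `'new': ''` entry for `matrix_nginx_proxy_base_domain_create_directory` presumably relies on the reporting task treating an empty replacement as "removed without a successor"; that task sits outside the hunk, so it is worth confirming the message it emits reads sensibly for that case. The task this list belongs to also starts outside the hunk.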