More progress on matrix-static-files role and cleaning up of matrix-base and matrix-nginx-proxy

2024-01-03 13:44:19 +02:00
parent 23a78d1718
commit da48a605bb
20 changed files with 59 additions and 305 deletions
--- a/roles/custom/matrix-static-files/defaults/main.yml
+++ b/roles/custom/matrix-static-files/defaults/main.yml
@ -112,6 +112,9 @@ matrix_static_files_file_matrix_client_property_m_integrations_managers_api_url:
 matrix_static_files_file_matrix_client_property_m_integrations_managers_ui_url: "{{ matrix_integration_manager_ui_url }}"

 # Controls the io.element.jitsi/preferredDomain property in the /.well-known/matrix/client file
+# This specifies the domain name where a Jitsi server is self-hosted.
+# If set, `/.well-known/matrix/client` will suggest Element clients to use that Jitsi server.
+# See: https://github.com/element-hq/element-web/blob/develop/docs/jitsi.md#configuring-element-to-use-your-self-hosted-jitsi-server
 matrix_static_files_file_matrix_client_property_io_element_jitsi_preferred_domain: ""

 # Controls the org.matrix.msc3575.proxy/url (sliding sync) property in the /.well-known/matrix/client file
@ -295,6 +298,17 @@ matrix_static_files_file_matrix_support_configuration: "{{ matrix_static_files_f
 #                                                                      #
 ########################################################################

+# Controls whether the self-check feature should validate SSL certificates.
+matrix_static_files_self_check_validate_certificates: true
+
+matrix_static_files_self_check_hostname_matrix: ''
+matrix_static_files_self_check_hostname_identity: ''
+
+# Controls whether redirects will be followed when checking the `/.well-known/matrix/client` resource.
+#
+# As per the spec (https://matrix.org/docs/spec/client_server/r0.6.0#well-known-uri), it shouldn't be,
+# so we default to not following redirects as well.
+matrix_static_files_self_check_well_known_matrix_client_follow_redirects: none

 # TODO - review this one
 # Specifies where requests for the root URI (`/`) on the `matrix.` domain should be redirected.
--- a/roles/custom/matrix-static-files/tasks/self_check_well_known.yml
+++ b/roles/custom/matrix-static-files/tasks/self_check_well_known.yml
@ -1,27 +1,28 @@
 ---

-# TODO - migrate these variables and deprecate the old ones
+# TODO - deprecate the old variables in the matrix-nginx-proxy role

- name: Determine well-known files to check (Matrix)
+- name: Determine well-known files to check (start with /.well-known/matrix/client)
  ansible.builtin.set_fact:
    well_known_file_checks:
      - path: /.well-known/matrix/client
        purpose: Client Discovery
        cors: true
-        follow_redirects: "{{ matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects }}"
-        validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}"
+        follow_redirects: "{{ matrix_static_files_self_check_well_known_matrix_client_follow_redirects }}"
+        validate_certs: "{{ matrix_static_files_self_check_validate_certificates }}"

 - when: matrix_well_known_matrix_server_enabled | bool
  block:
-    - ansible.builtin.set_fact:
+    - name: Prepare /.well-known/matrix/server to well-known files to check, if enabled
+      ansible.builtin.set_fact:
        well_known_file_check_matrix_server:
          path: /.well-known/matrix/server
          purpose: Server Discovery
          cors: false
          follow_redirects: safe
-          validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}"
+          validate_certs: "{{ matrix_static_files_self_check_validate_certificates }}"

-    - name: Determine domains that we require certificates for (ma1sd)
+    - name: Inject /.well-known/matrix/server to well-known files to check, if enabled
      ansible.builtin.set_fact:
        well_known_file_checks: "{{ well_known_file_checks + [well_known_file_check_matrix_server] }}"

--- a/roles/custom/matrix-static-files/tasks/self_check_well_known_file.yml
+++ b/roles/custom/matrix-static-files/tasks/self_check_well_known_file.yml
@ -1,8 +1,8 @@
 ---

 - ansible.builtin.set_fact:
-    well_known_url_matrix: "https://{{ matrix_server_fqn_matrix }}{{ well_known_file_check.path }}"
-    well_known_url_identity: "https://{{ matrix_domain }}{{ well_known_file_check.path }}"
+    well_known_url_matrix: "https://{{ matrix_static_files_self_check_hostname_matrix }}{{ well_known_file_check.path }}"
+    well_known_url_identity: "https://{{ matrix_static_files_self_check_hostname_identity }}{{ well_known_file_check.path }}"

 # These well-known files may be served without a `Content-Type: application/json` header,
 # so we can't rely on the uri module's automatic parsing of JSON.