More progress on matrix-static-files role and cleaning up of matrix-base and matrix-nginx-proxy

This commit is contained in:
Slavi Pantaleev 2024-01-03 13:44:19 +02:00
parent 23a78d1718
commit da48a605bb
20 changed files with 59 additions and 305 deletions


@ -40,15 +40,15 @@ To learn how to set it up, read the Installing section below.
[MSC 1929](https://github.com/matrix-org/matrix-spec-proposals/pull/1929) specifies a way to add contact details of admins, as well as a link to a support page for users who are having issues with the service. Automated services may also index this information and use it for abuse reports, etc. [MSC 1929](https://github.com/matrix-org/matrix-spec-proposals/pull/1929) specifies a way to add contact details of admins, as well as a link to a support page for users who are having issues with the service. Automated services may also index this information and use it for abuse reports, etc.
The two playbook variables that you could look for, if you're interested in being an early adopter, are: `matrix_homeserver_admin_contacts` and `matrix_homeserver_support_url`. The two playbook variables that you could look for, if you're interested in being an early adopter, are: `matrix_static_files_file_matrix_support_property_m_contacts` and `matrix_static_files_file_matrix_support_property_m_support_page`.
Example snippet for `vars.yml`: Example snippet for `vars.yml`:
``` ```
# Enable generation of `/.well-known/matrix/support`. # Enable generation of `/.well-known/matrix/support`.
matrix_well_known_matrix_support_enabled: true matrix_static_files_file_matrix_support_enabled: true
# Homeserver admin contacts as per MSC 1929 https://github.com/matrix-org/matrix-spec-proposals/pull/1929 # Homeserver admin contacts as per MSC 1929 https://github.com/matrix-org/matrix-spec-proposals/pull/1929
matrix_homeserver_admin_contacts: matrix_static_files_file_matrix_support_property_m_contacts:
- matrix_id: "@admin1:{{ matrix_domain }}" - matrix_id: "@admin1:{{ matrix_domain }}"
email_address: admin@domain.tld email_address: admin@domain.tld
role: m.role.admin role: m.role.admin
@ -58,7 +58,7 @@ matrix_homeserver_admin_contacts:
- email_address: security@domain.tld - email_address: security@domain.tld
role: m.role.security role: m.role.security
matrix_homeserver_support_url: "https://example.domain.tld/support" matrix_static_files_file_matrix_support_property_m_support_page: "https://example.domain.tld/support"
``` ```
To learn how to set up `/.well-known/matrix/support` for the base domain, read the Installing section below. To learn how to set up `/.well-known/matrix/support` for the base domain, read the Installing section below.


@ -2996,8 +2996,6 @@ matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}"
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}"
matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}"
# OCSP stapling does not make sense when self-signed certificates are used. # OCSP stapling does not make sense when self-signed certificates are used.
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1073 # See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1073
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1074 # and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1074
@ -4599,21 +4597,17 @@ matrix_static_files_container_labels_traefik_docker_network: "{{ matrix_playbook
matrix_static_files_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" matrix_static_files_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
matrix_static_files_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" matrix_static_files_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
matrix_static_files_file_matrix_client_property_io_element_jitsi_preferred_domain: "{{ matrix_client_element_jitsi_preferred_domain }}" matrix_static_files_file_matrix_client_property_io_element_jitsi_preferred_domain: "{{ matrix_server_fqn_jitsi if jitsi_enabled else '' }}"
matrix_static_files_file_matrix_client_property_org_matrix_msc3575_proxy_url: "{{ matrix_homeserver_sliding_sync_url }}" matrix_static_files_file_matrix_client_property_org_matrix_msc3575_proxy_url: "{{ matrix_homeserver_sliding_sync_url }}"
matrix_static_files_file_matrix_client_property_m_tile_server_entries_enabled: "{{ matrix_client_element_location_sharing_enabled }}" matrix_static_files_file_matrix_client_property_m_tile_server_entries_enabled: "{{ matrix_client_element_location_sharing_enabled }}"
matrix_static_files_file_matrix_client_property_m_tile_server_map_style_url: "https://{{ matrix_server_fqn_element }}/map_style.json" matrix_static_files_file_matrix_client_property_m_tile_server_map_style_url: "https://{{ matrix_server_fqn_element }}/map_style.json"
matrix_static_files_file_matrix_client_property_io_element_e2ee_default: "{{ matrix_well_known_matrix_client_io_element_e2ee_default }}"
matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_required: "{{ matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required }}"
matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_setup_methods: "{{ matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods }}"
matrix_static_files_file_matrix_server_property_m_server: "{{ matrix_server_fqn_matrix_federation }}:{{ matrix_federation_public_port }}" matrix_static_files_file_matrix_server_property_m_server: "{{ matrix_server_fqn_matrix_federation }}:{{ matrix_federation_public_port }}"
matrix_static_files_file_matrix_support_property_m_contacts: "{{ matrix_homeserver_admin_contacts }}" matrix_static_files_self_check_hostname_matrix: "{{ matrix_server_fqn_matrix }}"
matrix_static_files_file_matrix_support_property_m_support_page: "{{ matrix_homeserver_support_url }}" matrix_static_files_self_check_hostname_identity: "{{ matrix_domain }}"
######################################################################## ########################################################################
# # # #
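Review bot: The first hunk drops the conditional that disabled certificate validation for the well-known self-check only on self-signed setups (`matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}"`), but the second hunk adds no equivalent wiring for `matrix_static_files_self_check_validate_certificates` — it only adds the two hostname variables. The role default is `true`, which is the right default, so unless the replacement is set elsewhere in group_vars outside these hunks, self-signed deployments will now fail the self-check with a TLS error. Suggest adding `matrix_static_files_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}"` beside the new hostname lines, so validation stays enabled for every other retrieval method.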


@ -52,21 +52,6 @@ matrix_bots_homeserver_systemd_services_list: "{{ matrix_homeserver_systemd_serv
# Whether homeserver software is installed depends on other (`matrix_HOMESERVER_enabled`) variables - see `group_vars/matrix_servers`. # Whether homeserver software is installed depends on other (`matrix_HOMESERVER_enabled`) variables - see `group_vars/matrix_servers`.
matrix_homeserver_enabled: true matrix_homeserver_enabled: true
# Homeserver admin contacts and support page as per MSC 1929
# See: https://github.com/matrix-org/matrix-spec-proposals/pull/1929
# Users in form:
# matrix_homeserver_admin_contacts:
# - matrix_id: @admin:domain.tld
# email_address: admin@domain.tld
# role: admin
# - email_address: security@domain.tld
# role: security
# Also see: `matrix_well_known_matrix_support_enabled`
matrix_homeserver_admin_contacts: []
# Url string like https://domain.tld/support.html
# Also see: `matrix_well_known_matrix_support_enabled`
matrix_homeserver_support_url: ''
# This will contain the homeserver implementation that is in use. # This will contain the homeserver implementation that is in use.
# Valid values: synapse, dendrite, conduit # Valid values: synapse, dendrite, conduit
# #
@ -161,8 +146,6 @@ matrix_base_data_path_mode: "750"
matrix_bin_path: "{{ matrix_base_data_path }}/bin" matrix_bin_path: "{{ matrix_base_data_path }}/bin"
matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files"
matrix_host_command_sleep: "/usr/bin/env sleep" matrix_host_command_sleep: "/usr/bin/env sleep"
matrix_host_command_chown: "/usr/bin/env chown" matrix_host_command_chown: "/usr/bin/env chown"
matrix_host_command_fusermount: "/usr/bin/env fusermount" matrix_host_command_fusermount: "/usr/bin/env fusermount"
@ -203,122 +186,9 @@ matrix_identity_server_url: ~
matrix_integration_manager_rest_url: ~ matrix_integration_manager_rest_url: ~
matrix_integration_manager_ui_url: ~ matrix_integration_manager_ui_url: ~
# The domain name where a Jitsi server is self-hosted.
# If set, `/.well-known/matrix/client` will suggest Element clients to use that Jitsi server.
# See: https://github.com/element-hq/element-web/blob/develop/docs/jitsi.md#configuring-element-to-use-your-self-hosted-jitsi-server
matrix_client_element_jitsi_preferred_domain: '' # noqa var-naming
# Controls whether Element should use End-to-End Encryption by default.
# Setting this to false will update `/.well-known/matrix/client` and tell Element clients to avoid E2EE.
# See: https://github.com/element-hq/element-web/blob/develop/docs/e2ee.md
matrix_well_known_matrix_client_io_element_e2ee_default: true
# Controls whether Element should require a secure backup set up before Element can be used.
# Setting this to true will update `/.well-known/matrix/client` and tell Element require a secure backup.
# See: https://github.com/element-hq/element-web/blob/develop/docs/e2ee.md
matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required: false
# Controls which backup methods from ["key", "passphrase"] should be used, both is the default.
# Setting this to other then empty will update `/.well-known/matrix/client` and tell Element which method to use
# See: https://github.com/element-hq/element-web/blob/develop/docs/e2ee.md
matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods: []
# Controls whether element related entries should be added to the client well-known. Override this to false to hide
# element related well-known entries.
# By default if any of the following change from their default this is set to true:
# `matrix_well_known_matrix_client_io_element_e2ee_default`
# `matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required`
# `matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods`
matrix_well_known_matrix_client_io_element_e2ee_entries_enabled: "{{ not matrix_well_known_matrix_client_io_element_e2ee_default or matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required or matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods | length > 0 }}"
# Default `/.well-known/matrix/client` configuration - it covers the generic use case.
# You can customize it by controlling the various variables inside the template file that it references.
#
# For a more advanced customization, you can extend the default (see `matrix_well_known_matrix_client_configuration_extension_json`)
# or completely replace this variable with your own template.
#
# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict.
# This is unlike what it does when looking up YAML template files (no automatic parsing there).
matrix_well_known_matrix_client_configuration_default: "{{ lookup('template', 'templates/static-files/well-known/matrix-client.j2') }}"
# Your custom JSON configuration for `/.well-known/matrix/client` should go to `matrix_well_known_matrix_client_configuration_extension_json`.
# This configuration extends the default starting configuration (`matrix_well_known_matrix_client_configuration_default`).
#
# You can override individual variables from the default configuration, or introduce new ones.
#
# If you need something more special, you can take full control by
# completely redefining `matrix_well_known_matrix_client_configuration`.
#
# Example configuration extension follows:
#
# matrix_well_known_matrix_client_configuration_extension_json: |
# {
# "io.element.call_behaviour": {
# "widget_build_url": "https://dimension.example.com/api/v1/dimension/bigbluebutton/widget_state"
# }
# }
matrix_well_known_matrix_client_configuration_extension_json: '{}'
matrix_well_known_matrix_client_configuration_extension: "{{ matrix_well_known_matrix_client_configuration_extension_json | from_json if matrix_well_known_matrix_client_configuration_extension_json | from_json is mapping else {} }}"
# Holds the final `/.well-known/matrix/client` configuration (a combination of the default and its extension).
# You most likely don't need to touch this variable. Instead, see `matrix_well_known_matrix_client_configuration_default` and `matrix_well_known_matrix_client_configuration_extension_json`.
matrix_well_known_matrix_client_configuration: "{{ matrix_well_known_matrix_client_configuration_default | combine(matrix_well_known_matrix_client_configuration_extension, recursive=True) }}"
# Default `/.well-known/matrix/server` configuration - it covers the generic use case.
# You can customize it by controlling the various variables inside the template file that it references.
#
# For a more advanced customization, you can extend the default (see `matrix_well_known_matrix_server_configuration_extension_json`)
# or completely replace this variable with your own template.
#
# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict.
# This is unlike what it does when looking up YAML template files (no automatic parsing there).
matrix_well_known_matrix_server_configuration_default: "{{ lookup('template', 'templates/static-files/well-known/matrix-server.j2') }}"
# Your custom JSON configuration for `/.well-known/matrix/server` should go to `matrix_well_known_matrix_server_configuration_extension_json`.
# This configuration extends the default starting configuration (`matrix_well_known_matrix_server_configuration_default`).
#
# You can override individual variables from the default configuration, or introduce new ones.
#
# If you need something more special, you can take full control by
# completely redefining `matrix_well_known_matrix_server_configuration`.
#
# Example configuration extension follows:
#
# matrix_well_known_matrix_server_configuration_extension_json: |
# {
# "something": "another"
# }
matrix_well_known_matrix_server_configuration_extension_json: '{}'
matrix_well_known_matrix_server_configuration_extension: "{{ matrix_well_known_matrix_server_configuration_extension_json | from_json if matrix_well_known_matrix_server_configuration_extension_json | from_json is mapping else {} }}"
# Holds the final `/.well-known/matrix/server` configuration (a combination of the default and its extension).
# You most likely don't need to touch this variable. Instead, see `matrix_well_known_matrix_server_configuration_default` and `matrix_well_known_matrix_server_configuration_extension_json`.
matrix_well_known_matrix_server_configuration: "{{ matrix_well_known_matrix_server_configuration_default | combine(matrix_well_known_matrix_server_configuration_extension, recursive=True) }}"
# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict.
# This is unlike what it does when looking up YAML template files (no automatic parsing there).
matrix_well_known_matrix_support_configuration_default: "{{ lookup('template', 'templates/static-files/well-known/matrix-support.j2') }}"
matrix_well_known_matrix_support_configuration_extension_json: '{}'
matrix_well_known_matrix_support_configuration_extension: "{{ matrix_well_known_matrix_support_configuration_extension_json | from_json if matrix_well_known_matrix_support_configuration_extension_json | from_json is mapping else {} }}"
# Holds the final `/.well-known/matrix/support` configuration (a combination of the default and its extension).
# You most likely don't need to touch this variable. Instead, see `matrix_well_known_matrix_support_configuration_default` and `matrix_well_known_matrix_support_configuration_extension_json`.
matrix_well_known_matrix_support_configuration: "{{ matrix_well_known_matrix_support_configuration_default | combine(matrix_well_known_matrix_support_configuration_extension, recursive=True) }}"
# The Docker network that all services would be put into # The Docker network that all services would be put into
matrix_docker_network: "matrix" matrix_docker_network: "matrix"
# Controls whether a `/.well-known/matrix/support` file is generated and used at all.
# For details about this file, see the spec: https://github.com/matrix-org/matrix-spec-proposals/pull/1929
#
# This is not enabled by default, as for it to be useful, other information is necessary.
# See `matrix_homeserver_admin_contacts`, `matrix_homeserver_support_url`, etc.
matrix_well_known_matrix_support_enabled: false
matrix_homeserver_container_extra_arguments_auto: [] matrix_homeserver_container_extra_arguments_auto: []
matrix_homeserver_app_service_config_files_auto: [] matrix_homeserver_app_service_config_files_auto: []


@ -21,19 +21,3 @@
- common - common
block: block:
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_matrix_base.yml" - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_matrix_base.yml"
- tags:
- setup-all
- setup-ma1sd
- setup-synapse
- setup-dendrite
- setup-conduit
- setup-nginx-proxy
- install-all
- install-ma1sd
- install-synapse
- install-dendrite
- install-conduit
- install-nginx-proxy
block:
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_well_known.yml"


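--- a/[path not shown]
+++ /dev/null
@@ -1,14 +0,0 @@
----
-# We need others to be able to read these directories too,
-# so that matrix-nginx-proxy's nginx user can access the files.
-#
-# For running with another webserver, we recommend being part of the `matrix` group.
-- name: Ensure Matrix static-files path exists
-ansible.builtin.file:
-path: "{{ item }}"
-state: directory
-mode: 0755
-owner: "{{ matrix_user_username }}"
-group: "{{ matrix_user_groupname }}"
-with_items:
-- "{{ matrix_static_files_base_path }}/.well-known/matrix"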


@ -18,9 +18,9 @@
- {'old': 'hostname_riot', 'new': 'matrix_server_fqn_element'} - {'old': 'hostname_riot', 'new': 'matrix_server_fqn_element'}
- {'old': 'matrix_server_fqn_riot', 'new': 'matrix_server_fqn_element'} - {'old': 'matrix_server_fqn_riot', 'new': 'matrix_server_fqn_element'}
- {'old': 'matrix_local_bin_path', 'new': '<there is no global bin path anymore - each role has its own>'} - {'old': 'matrix_local_bin_path', 'new': '<there is no global bin path anymore - each role has its own>'}
- {'old': 'matrix_client_element_e2ee_default', 'new': 'matrix_well_known_matrix_client_io_element_e2ee_default'} - {'old': 'matrix_client_element_e2ee_default', 'new': 'matrix_static_files_file_matrix_client_property_io_element_e2ee_default'}
- {'old': 'matrix_client_element_e2ee_secure_backup_required', 'new': 'matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required'} - {'old': 'matrix_client_element_e2ee_secure_backup_required', 'new': 'matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_required'}
- {'old': 'matrix_client_element_e2ee_secure_backup_setup_methods', 'new': 'matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods'} - {'old': 'matrix_client_element_e2ee_secure_backup_setup_methods', 'new': 'matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_setup_methods'}
# We have a dedicated check for this variable, because we'd like to have a custom (friendlier) message. # We have a dedicated check for this variable, because we'd like to have a custom (friendlier) message.
- name: Fail if matrix_homeserver_generic_secret_key is undefined - name: Fail if matrix_homeserver_generic_secret_key is undefined


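--- a/[path not shown]
+++ /dev/null
@@ -1,51 +0,0 @@
-#jinja2: lstrip_blocks: "True"
-{
-"m.homeserver": {
-"base_url": "{{ matrix_homeserver_url }}"
-}
-{% if matrix_identity_server_url %},
-"m.identity_server": {
-"base_url": "{{ matrix_identity_server_url }}"
-}
-{% endif %}
-{% if matrix_integration_manager_rest_url and matrix_integration_manager_ui_url %},
-"m.integrations": {
-"managers": [
-{
-"api_url": "{{ matrix_integration_manager_rest_url }}",
-"ui_url": "{{ matrix_integration_manager_ui_url }}"
-}
-]
-}
-{% endif %}
-{% if matrix_client_element_jitsi_preferred_domain %},
-"io.element.jitsi": {
-"preferredDomain": {{ matrix_client_element_jitsi_preferred_domain|to_json }}
-},
-"im.vector.riot.jitsi": {
-"preferredDomain": {{ matrix_client_element_jitsi_preferred_domain|to_json }}
-}
-{% endif %}
-{% if matrix_homeserver_sliding_sync_url %},
-"org.matrix.msc3575.proxy": {
-"url": "{{ matrix_homeserver_sliding_sync_url }}"
-}
-{% endif %}
-{% if matrix_client_element_location_sharing_enabled %},
-"m.tile_server": {
-"map_style_url": "https://{{ matrix_server_fqn_element }}/map_style.json"
-}
-{% endif %}
-{% if matrix_well_known_matrix_client_io_element_e2ee_entries_enabled %},
-"io.element.e2ee": {
-"default": {{ matrix_well_known_matrix_client_io_element_e2ee_default|to_json }},
-"secure_backup_required": {{ matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required|to_json }},
-"secure_backup_setup_methods": {{ matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods|to_json }}
-}
-{% endif %}
-{% if matrix_well_known_matrix_client_io_element_e2ee_entries_enabled %},
-"im.vector.riot.e2ee": {
-"default": {{ matrix_well_known_matrix_client_io_element_e2ee_default|to_json }}
-}
-{% endif %}
-}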


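--- a/[path not shown]
+++ /dev/null
@@ -1,4 +0,0 @@
-#jinja2: lstrip_blocks: "True"
-{
-"m.server": "{{ matrix_server_fqn_matrix_federation }}:{{ matrix_federation_public_port }}"
-}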


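--- a/[path not shown]
+++ /dev/null
@@ -1,7 +0,0 @@
-#jinja2: lstrip_blocks: "True"
-{
-"contacts": {{ matrix_homeserver_admin_contacts|to_json }}
-{% if matrix_homeserver_support_url %},
-"support_page": {{ matrix_homeserver_support_url|to_json }}
-{% endif %}
-}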


@ -568,15 +568,6 @@ matrix_nginx_proxy_ssl_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_
# you may wish to set this to '$proxy_add_x_forwarded_for' instead. # you may wish to set this to '$proxy_add_x_forwarded_for' instead.
matrix_nginx_proxy_x_forwarded_for: '$remote_addr' matrix_nginx_proxy_x_forwarded_for: '$remote_addr'
# Controls whether the self-check feature should validate SSL certificates.
matrix_nginx_proxy_self_check_validate_certificates: true
# Controls whether redirects will be followed when checking the `/.well-known/matrix/client` resource.
#
# As per the spec (https://matrix.org/docs/spec/client_server/r0.6.0#well-known-uri), it shouldn't be,
# so we default to not following redirects as well.
matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects: none
# For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter). # For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter).
# #
# Otherwise, we get warnings like this: # Otherwise, we get warnings like this:


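--- a/[path not shown]
+++ /dev/null
@@ -1,25 +0,0 @@
----
-- ansible.builtin.set_fact:
-matrix_well_known_file_path: "{{ matrix_static_files_base_path }}/.well-known/matrix/client"
-# We need others to be able to read these directories too,
-# so that matrix-nginx-proxy's nginx user can access the files.
-#
-# For running with another webserver, we recommend being part of the `matrix` group.
-- name: Ensure Matrix static-files path exists
-ansible.builtin.file:
-path: "{{ item }}"
-state: directory
-mode: 0755
-owner: "{{ matrix_user_username }}"
-group: "{{ matrix_user_groupname }}"
-with_items:
-- "{{ matrix_static_files_base_path }}/.well-known/matrix"
-- name: Ensure Matrix /.well-known/matrix/client configured
-ansible.builtin.template:
-src: "{{ role_path }}/templates/well-known/matrix-client.j2"
-dest: "{{ matrix_static_files_base_path }}/.well-known/matrix"
-mode: 0644
-owner: "{{ matrix_user_username }}"
-group: "{{ matrix_user_groupname }}"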


@ -24,17 +24,6 @@
{% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %} {% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %}
{{- configuration_block }} {{- configuration_block }}
{% endfor %} {% endfor %}
location /.well-known/matrix {
root {{ matrix_static_files_base_path }};
{#
A somewhat long expires value is used to prevent outages
in case this is unreachable due to network failure.
#}
expires 4h;
default_type application/json;
add_header Access-Control-Allow-Origin *;
}
{% endmacro %} {% endmacro %}
server { server {


@ -29,18 +29,6 @@
add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
location /.well-known/matrix {
root {{ matrix_static_files_base_path }};
{#
A somewhat long expires value is used to prevent outages
in case this is unreachable due to network failure or
due to the base domain's server completely dying.
#}
expires 4h;
default_type application/json;
add_header Access-Control-Allow-Origin *;
}
{% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %} {% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %}
{{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }} {{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }}
{% endif %} {% endif %}


@ -41,7 +41,6 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
{% if matrix_ssl_retrieval_method != 'none' %} {% if matrix_ssl_retrieval_method != 'none' %}
--mount type=bind,src={{ matrix_ssl_config_dir_path }},dst={{ matrix_ssl_config_dir_path }},ro \ --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst={{ matrix_ssl_config_dir_path }},ro \
{% endif %} {% endif %}
--mount type=bind,src={{ matrix_static_files_base_path }},dst={{ matrix_static_files_base_path }},ro \
{% for volume in matrix_nginx_proxy_container_additional_volumes %} {% for volume in matrix_nginx_proxy_container_additional_volumes %}
-v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \
{% endfor %} {% endfor %}


@ -112,6 +112,9 @@ matrix_static_files_file_matrix_client_property_m_integrations_managers_api_url:
matrix_static_files_file_matrix_client_property_m_integrations_managers_ui_url: "{{ matrix_integration_manager_ui_url }}" matrix_static_files_file_matrix_client_property_m_integrations_managers_ui_url: "{{ matrix_integration_manager_ui_url }}"
# Controls the io.element.jitsi/preferredDomain property in the /.well-known/matrix/client file # Controls the io.element.jitsi/preferredDomain property in the /.well-known/matrix/client file
# This specifies the domain name where a Jitsi server is self-hosted.
# If set, `/.well-known/matrix/client` will suggest Element clients to use that Jitsi server.
# See: https://github.com/element-hq/element-web/blob/develop/docs/jitsi.md#configuring-element-to-use-your-self-hosted-jitsi-server
matrix_static_files_file_matrix_client_property_io_element_jitsi_preferred_domain: "" matrix_static_files_file_matrix_client_property_io_element_jitsi_preferred_domain: ""
# Controls the org.matrix.msc3575.proxy/url (sliding sync) property in the /.well-known/matrix/client file # Controls the org.matrix.msc3575.proxy/url (sliding sync) property in the /.well-known/matrix/client file
@ -295,6 +298,17 @@ matrix_static_files_file_matrix_support_configuration: "{{ matrix_static_files_f
# # # #
######################################################################## ########################################################################
# Controls whether the self-check feature should validate SSL certificates.
matrix_static_files_self_check_validate_certificates: true
matrix_static_files_self_check_hostname_matrix: ''
matrix_static_files_self_check_hostname_identity: ''
# Controls whether redirects will be followed when checking the `/.well-known/matrix/client` resource.
#
# As per the spec (https://matrix.org/docs/spec/client_server/r0.6.0#well-known-uri), it shouldn't be,
# so we default to not following redirects as well.
matrix_static_files_self_check_well_known_matrix_client_follow_redirects: none
# TODO - review this one # TODO - review this one
# Specifies where requests for the root URI (`/`) on the `matrix.` domain should be redirected. # Specifies where requests for the root URI (`/`) on the `matrix.` domain should be redirected.
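Review bot: `matrix_static_files_self_check_hostname_matrix` and `matrix_static_files_self_check_hostname_identity` are added in the second hunk with empty-string defaults and no comment, while every neighbouring variable is documented. The self-check task in the later `well_known_url_matrix` / `well_known_url_identity` hunk interpolates them straight into `https://...` URLs, so an empty value produces `https:///.well-known/matrix/client` and an opaque uri-module failure rather than a clear message; the playbook's group_vars wire them to `matrix_server_fqn_matrix` and `matrix_domain`, but a standalone use of the role gets the empty defaults. Suggest a comment such as `# Hostnames the well-known self-check requests; both must be non-empty when the self-check runs` above the two lines, plus a validate_config entry that fails when either is empty and the self-check is invoked.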


@ -1,27 +1,28 @@
--- ---
# TODO - migrate these variables and deprecate the old ones # TODO - deprecate the old variables in the matrix-nginx-proxy role
- name: Determine well-known files to check (Matrix) - name: Determine well-known files to check (start with /.well-known/matrix/client)
ansible.builtin.set_fact: ansible.builtin.set_fact:
well_known_file_checks: well_known_file_checks:
- path: /.well-known/matrix/client - path: /.well-known/matrix/client
purpose: Client Discovery purpose: Client Discovery
cors: true cors: true
follow_redirects: "{{ matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects }}" follow_redirects: "{{ matrix_static_files_self_check_well_known_matrix_client_follow_redirects }}"
validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}" validate_certs: "{{ matrix_static_files_self_check_validate_certificates }}"
- when: matrix_well_known_matrix_server_enabled | bool - when: matrix_well_known_matrix_server_enabled | bool
block: block:
- ansible.builtin.set_fact: - name: Prepare /.well-known/matrix/server to well-known files to check, if enabled
ansible.builtin.set_fact:
well_known_file_check_matrix_server: well_known_file_check_matrix_server:
path: /.well-known/matrix/server path: /.well-known/matrix/server
purpose: Server Discovery purpose: Server Discovery
cors: false cors: false
follow_redirects: safe follow_redirects: safe
validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}" validate_certs: "{{ matrix_static_files_self_check_validate_certificates }}"
- name: Determine domains that we require certificates for (ma1sd) - name: Inject /.well-known/matrix/server to well-known files to check, if enabled
ansible.builtin.set_fact: ansible.builtin.set_fact:
well_known_file_checks: "{{ well_known_file_checks + [well_known_file_check_matrix_server] }}" well_known_file_checks: "{{ well_known_file_checks + [well_known_file_check_matrix_server] }}"
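Review bot: The `when: matrix_well_known_matrix_server_enabled | bool` guard on the /.well-known/matrix/server check is carried over unchanged, although the deprecation list touched in this same commit maps that name to `matrix_static_files_file_matrix_server_enabled`. If the old variable is no longer defined anywhere, the condition fails as undefined at runtime; if it still has a default somewhere, the self-check can quietly disagree with whether the role actually generates the file. Suggest `- when: matrix_static_files_file_matrix_server_enabled | bool` so the check follows the role's own switch.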


@ -1,8 +1,8 @@
--- ---
- ansible.builtin.set_fact: - ansible.builtin.set_fact:
well_known_url_matrix: "https://{{ matrix_server_fqn_matrix }}{{ well_known_file_check.path }}" well_known_url_matrix: "https://{{ matrix_static_files_self_check_hostname_matrix }}{{ well_known_file_check.path }}"
well_known_url_identity: "https://{{ matrix_domain }}{{ well_known_file_check.path }}" well_known_url_identity: "https://{{ matrix_static_files_self_check_hostname_identity }}{{ well_known_file_check.path }}"
# These well-known files may be served without a `Content-Type: application/json` header, # These well-known files may be served without a `Content-Type: application/json` header,
# so we can't rely on the uri module's automatic parsing of JSON. # so we can't rely on the uri module's automatic parsing of JSON.


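--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,9 @@
+---
+# Files used to be installed by the `matrix-base` role into `/matrix/static-files/.well-known/*`.
+# Such files are now generated by the `matrix-static-files` role into a slightly different path: `/matrix/static-files/public/.well-known/*`.
+- name: Ensure old /matrix/static-files/.well-known files are deleted
+ansible.builtin.file:
+path: "{{ matrix_base_data_path }}/static-files/.well-known"
+state: absent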


@ -21,6 +21,12 @@
block: block:
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/cleanup_usr_local_bin.yml" - ansible.builtin.include_tasks: "{{ role_path }}/tasks/cleanup_usr_local_bin.yml"
- tags:
- setup-all
- install-all
block:
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/cleanup_matrix_static_files_well_known.yml"
- when: devture_traefik_enabled | bool - when: devture_traefik_enabled | bool
tags: tags:
- setup-all - setup-all


@ -67,6 +67,16 @@
- {'old': 'matrix_well_known_matrix_server_enabled', 'new': 'matrix_static_files_file_matrix_server_enabled'} - {'old': 'matrix_well_known_matrix_server_enabled', 'new': 'matrix_static_files_file_matrix_server_enabled'}
- {'old': 'matrix_well_known_matrix_support_enabled', 'new': 'matrix_static_files_file_matrix_support_enabled'} - {'old': 'matrix_well_known_matrix_support_enabled', 'new': 'matrix_static_files_file_matrix_support_enabled'}
- {'old': 'matrix_homeserver_admin_contacts', 'new': 'matrix_static_files_file_matrix_support_property_m_contacts'}
- {'old': 'matrix_homeserver_support_url', 'new': 'matrix_static_files_file_matrix_support_property_m_support_page'}
- {'old': 'matrix_well_known_matrix_client_io_element_e2ee_default', 'new': 'matrix_static_files_file_matrix_client_property_io_element_e2ee_default'}
- {'old': 'matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required', 'new': 'matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_required'}
- {'old': 'matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods', 'new': 'matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_setup_methods'}
- {'old': 'matrix_well_known_matrix_client_configuration_extension_json', 'new': 'matrix_static_files_file_matrix_client_configuration_extension_json'}
- {'old': 'matrix_well_known_matrix_server_configuration_extension_json', 'new': 'matrix_static_files_file_matrix_server_configuration_extension_json'}
- {'old': 'matrix_well_known_matrix_support_configuration_extension_json', 'new': 'matrix_static_files_file_matrix_support_configuration_extension_json'}
- {'old': 'matrix_nginx_proxy_self_check_validate_certificates', 'new': 'matrix_static_files_self_check_validate_certificates'}
- {'old': 'matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects', 'new': 'matrix_static_files_self_check_well_known_matrix_client_follow_redirects'}
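Review bot: The new deprecation entries cover the `_configuration_extension_json` variables, but `matrix_well_known_matrix_client_configuration_default`, `matrix_well_known_matrix_client_configuration` and their server/support counterparts, which this commit removes from the matrix-base defaults, get no mapping, and neither does the removed `matrix_static_files_base_path`. A deployment that fully redefined one of those in vars.yml would now silently fall back to the role defaults instead of failing at validation, which for well-known content is a quiet misconfiguration rather than a visible error. Unless these are mapped elsewhere outside the hunk, consider adding entries such as `- {'old': 'matrix_well_known_matrix_support_configuration', 'new': 'matrix_static_files_file_matrix_support_configuration'}` (the new name is visible in the role defaults), with equivalent client/server entries if the role defines those variables.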
- name: (Deprecation) Catch and report matrix_postgres variables - name: (Deprecation) Catch and report matrix_postgres variables
ansible.builtin.fail: ansible.builtin.fail: