feat: add automatic creation of reverse-proxy routing

This commit is contained in:
transcaffeine 2021-04-18 11:55:40 +02:00 committed by Johanna Dorothea Reichmann
parent 78ff8fc450
commit ef0763390c
Signed by: transcaffeine
GPG Key ID: 03624C433676E465
4 changed files with 156 additions and 8 deletions

View File

@ -18,8 +18,12 @@ matrix_base_data_path: "{{ vault_matrix_base_data_path }}"
matrix_server_fqn_element: "chat.{{ matrix_domain }}" matrix_server_fqn_element: "chat.{{ matrix_domain }}"
matrix_docker_installation_enabled: false matrix_docker_installation_enabled: false
matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:v1.32.0" web_user: "web"
#matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.21" revproxy_autoload_dir: "/vault/services/web/sites.d"
#matrix_client_element_version: v1.8.4
#matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:v1.37.1"
#matrix_mautrix_telegram_version: v0.10.0
# #
# General Synapse config # General Synapse config
@ -178,6 +182,7 @@ matrix_mautrix_telegram_configuration_extension_yaml: |
default: true default: true
permissions: permissions:
"@transcaffeine:finallycoffee.eu": "admin" "@transcaffeine:finallycoffee.eu": "admin"
"gruenhage.xyz": "full"
logging: logging:
root: root:
level: INFO level: INFO
@ -239,15 +244,16 @@ matrix_mx_puppet_instagram_configuration_extension_yaml: |
# mx-puppet-skype configuration # mx-puppet-skype configuration
# #
matrix_mx_puppet_skype_enabled: true matrix_mx_puppet_skype_enabled: true
matrix_mx_puppet_skype_container_http_monitoring_host_bind_port: 9405
matrix_mx_puppet_skype_container_extra_arguments: matrix_mx_puppet_skype_container_extra_arguments:
- "-p 127.0.0.1:9405:9405" - "-p 127.0.0.1:{{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}"
matrix_mx_puppet_skype_configuration_extension_yaml: | matrix_mx_puppet_skype_configuration_extension_yaml: |
bridge: bridge:
enableGroupSync: true enableGroupSync: true
avatarUrl: mxc://finallycoffee.eu/jjXDuFqtpFOBOnywoHgzTuYt avatarUrl: mxc://finallycoffee.eu/jjXDuFqtpFOBOnywoHgzTuYt
metrics: metrics:
enabled: true enabled: true
port: 9405 port: {{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}
path: /metrics path: /metrics
@ -283,15 +289,17 @@ matrix_mx_puppet_slack_enabled: true
matrix_mx_puppet_slack_client_id: "{{ vault_matrix_mx_puppet_slack_client_id }}" matrix_mx_puppet_slack_client_id: "{{ vault_matrix_mx_puppet_slack_client_id }}"
matrix_mx_puppet_slack_client_secret: "{{ vault_matrix_mx_puppet_slack_client_secret }}" matrix_mx_puppet_slack_client_secret: "{{ vault_matrix_mx_puppet_slack_client_secret }}"
matrix_mx_puppet_slack_redirect_path: '/bridge/slack/oauth' matrix_mx_puppet_slack_redirect_path: '/bridge/slack/oauth'
matrix_mx_puppet_slack_container_http_auth_host_bind_port: 8981
matrix_mx_puppet_slack_container_http_monitoring_host_bind_port: 9406
matrix_mx_puppet_slack_container_extra_arguments: matrix_mx_puppet_slack_container_extra_arguments:
- "-p 127.0.0.1:9406:9406" - "-p 127.0.0.1:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}"
- "-p 127.0.0.1:8981:8008" - "-p 127.0.0.1:{{ matrix_mx_puppet_slack_container_http_auth_host_bind_port }}:8008"
matrix_mx_puppet_slack_configuration_extension_yaml: | matrix_mx_puppet_slack_configuration_extension_yaml: |
bridge: bridge:
enableGroupSync: true enableGroupSync: true
metrics: metrics:
enabled: true enabled: true
port: 9406 port: {{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}
path: /metrics path: /metrics
limits: limits:
maxAutojoinUsers: 500 maxAutojoinUsers: 500

View File

@ -135,9 +135,9 @@ matrix_mautrix_telegram_registration_yaml: |
regex: '^#telegram_.+:{{ matrix_mautrix_telegram_homeserver_domain|regex_escape }}$' regex: '^#telegram_.+:{{ matrix_mautrix_telegram_homeserver_domain|regex_escape }}$'
sender_localpart: _bot_{{ matrix_mautrix_telegram_appservice_bot_username }} sender_localpart: _bot_{{ matrix_mautrix_telegram_appservice_bot_username }}
url: {{ matrix_mautrix_telegram_appservice_address }} url: {{ matrix_mautrix_telegram_appservice_address }}
# sender_localpart: "bridges_{{ matrix_mautrix_telegram_sender_localpart }}"
rate_limited: false rate_limited: false
de.sorunome.msc2409.push_ephemeral: true de.sorunome.msc2409.push_ephemeral: true
# sender_localpart: "bridges_{{ matrix_mautrix_telegram_sender_localpart }}"
matrix_mautrix_telegram_registration: "{{ matrix_mautrix_telegram_registration_yaml|from_yaml }}" matrix_mautrix_telegram_registration: "{{ matrix_mautrix_telegram_registration_yaml|from_yaml }}"

View File

@ -64,3 +64,33 @@
- matrix-postgres-backup - matrix-postgres-backup
- matrix-prometheus-postgres-exporter - matrix-prometheus-postgres-exporter
- matrix-common-after - matrix-common-after
tasks:
- name: Ensure web-user is present
user:
name: "{{ web_user }}"
state: present
system: yes
register: web_user_res
tags: [ setup-caddy, setup-all, start ]
- name: Ensure directory for revproxy config is present
file:
path: "{{ revproxy_autoload_dir }}/matrix"
state: directory
owner: "{{ web_user_res.uid }}"
group: "{{ web_user_res.group }}"
mode: 0750
tags: [ setup-caddy, setup-all, start ]
- name: Template reverse proxy configuration
template:
src: Caddyfile.j2
dest: "{{ revproxy_autoload_dir }}/matrix/Caddyfile"
owner: "{{ web_user_res.uid }}"
group: "{{ web_user_res.group }}"
mode: 0640
tags: [ setup-caddy, setup-all, start ]
- name: Restart reverse proxy
docker_container:
name: web
state: started
restart: yes

110
templates/Caddyfile.j2 Normal file
View File

@ -0,0 +1,110 @@
https://{{ matrix_server_fqn_matrix }} {
tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
encode zstd gzip
header {
Strict-Transport-Security "max-age=31536000;"
X-Frame-Options "DENY"
X-XSS-Protection "1; mode=block"
}
basicauth /metrics/* bcrypt monitoring {
monitoring JDJhJDE0JGdQRlNHVFpSQmRiaWlPem9LdXlkS09HN2E3LklZS05YZmtXTEY1NlFXbkMxd3hBUmwwbVZl
}
route /metrics/synapse {
uri replace /metrics/synapse /_synapse/metrics
reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
}
route /metrics/synapse/worker/appservice {
uri replace /metrics/synapse/worker/appservice /_synapse-worker-appservice-0/metrics
reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
}
route /metrics/synapse/worker/federation-sender-0 {
uri replace /metrics/synapse/worker/federation-sender-0 /_synapse-worker-federation_sender-0/metrics
reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
}
route /metrics/synapse/worker/federation-sender-1 {
uri replace /metrics/synapse/worker/federation-sender-1 /_synapse-worker-federation_sender-1/metrics
reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
}
route /metrics/synapse/worker/federation-sender-2 {
uri replace /metrics/synapse/worker/federation-sender-2 /_synapse-worker-federation_sender-2/metrics
reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
}
route /metrics/synapse/worker/generic-0 {
uri replace /metrics/synapse/worker/generic-0 /_synapse-worker-generic_worker-{{ (matrix_synapse_workers_generic_workers_port_range_start)|int}}/metrics
reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
}
route /metrics/synapse/worker/generic-1 {
uri replace /metrics/synapse/worker/generic-1 /_synapse-worker-generic_worker-{{ (matrix_synapse_workers_generic_workers_port_range_start + 1)|int}}/metrics
reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
}
route /metrics/synapse/worker/media-0 {
uri replace /metrics/synapse/worker/media-0 /_synapse-worker-media_repository-{{ (matrix_synapse_workers_media_repository_workers_port_range_start)|int }}/metrics
reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
}
route /metrics/synapse/worker/media-1 {
uri replace /metrics/synapse/worker/media-1 /_synapse-worker-media_repository-{{ (matrix_synapse_workers_media_repository_workers_port_range_start + 1)|int }}/metrics
reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
}
route /metrics/bridge/* {
uri strip_prefix /metrics/bridge
route /mautrix-telegram {
uri replace /mautrix-telegram /metrics
reverse_proxy http://127.0.0.1:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}
}
route /mautrix-whatsapp {
uri replace /mautrix-whatsapp /metrics
reverse_proxy http://127.0.0.1:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}
}
route /mautrix-signal {
uri replace /mautrix-signal /metrics
reverse_proxy http://127.0.0.1:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}
}
route /mx-puppet-instagram {
uri replace /mx-puppet-instagram /metrics
reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}
}
route /mx-puppet-discord {
uri replace /mx-puppet-discord /metrics
reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}
}
route /mx-puppet-skype {
uri replace /mx-puppet-skype /metrics
reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}
}
route /mx-puppet-slack {
uri replace /mx-puppet-slack /metrics
reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}
}
}
reverse_proxy /_matrix/federation/* http://{{ matrix_nginx_proxy_container_federation_host_bind_port }}
reverse_proxy /_matrix/key/* http://{{ matrix_nginx_proxy_container_federation_host_bind_port }}
reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
}
https://{{ matrix_server_fqn_dimension }} {
tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
encode zstd gzip
reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
}
https://{{ matrix_server_fqn_element }} {
tls /tls_certs/chat.finallycoffee.eu/fullchain.pem /tls_certs/chat.finallycoffee.eu/privkey.pem
encode zstd gzip
reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
}
https://{{ matrix_domain }}/.well-known/matrix/* {
tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
route {
uri strip_prefix /.well-known/matrix
root * /matrix_static
file_server
}
header {
Content-Type "application/json"
X-Content-Type-Options "nosniff"
Access-Control-Allow-Origin *
Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
}
}