Merge pull request #2464 from spantaleev/traefik
Reverse-proxy configuration changes and initial Traefik support
This commit is contained in:
Slavi Pantaleev
GitHub
@ -19,6 +19,34 @@
|
||||
# Also see `devture_docker_sdk_for_python_installation_enabled`.
|
||||
matrix_playbook_docker_installation_enabled: true
|
||||
|
||||
# Controls whether to run the Traefik role or not
|
||||
# See the `com.devture.ansible.role.traefik` section below for role configuration.
|
||||
#
|
||||
# There's a difference between `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`.
|
||||
# `devture_traefik_enabled` controls what the Traefik role would do - when not enabled, it will run uninstall tasks, etc.
|
||||
# `matrix_playbook_traefik_role_enabled` controls if the Traefik role would even run at all.
|
||||
#
|
||||
# Sometimes, you're installing Traefik via a different (related playbook) which uses the same role.
|
||||
# In such cases, you'd like to disable the role in this playbook from bothering with Traefik at all (`matrix_playbook_traefik_role_enabled: false`).
|
||||
# If you used `devture_traefik_enabled: false` + `matrix_playbook_traefik_role_enabled: true` instead, you'd see the Treafik role here
|
||||
# try to delete Traefik data (`/devture-traefik`) installed by the other playbook.
|
||||
matrix_playbook_traefik_role_enabled: "{{ matrix_playbook_reverse_proxy_type != 'other-traefik-container' }}"
|
||||
|
||||
# Controls whether to attach Traefik labels to services.
|
||||
# This is separate from `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`,
|
||||
# because you may wish to disable Traefik installation by the playbook, yet still use Traefik
|
||||
# installed in another way.
|
||||
matrix_playbook_traefik_labels_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
|
||||
|
||||
matrix_playbook_traefik_certs_dumper_role_enabled: "{{ (matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' and devture_traefik_config_entrypoint_web_secure_enabled) or matrix_playbook_reverse_proxy_type == 'other-traefik-container' }}"
|
||||
|
||||
# Controls the additional network that reverse-proxyable services will be connected to.
|
||||
matrix_playbook_reverse_proxyable_services_additional_network: "{{ devture_traefik_container_network if devture_traefik_enabled else '' }}"
|
||||
|
||||
matrix_playbook_ssl_retrieval_method: "{{ 'lets-encrypt' if matrix_playbook_traefik_certs_dumper_role_enabled else matrix_ssl_retrieval_method }}"
|
||||
|
||||
matrix_playbook_ssl_enabled: "{{ matrix_playbook_ssl_retrieval_method in ['lets-encrypt', 'self-signed', 'manually-managed'] }}"
|
||||
|
||||
########################################################################
|
||||
# #
|
||||
# /Playbook #
|
||||
@ -171,6 +199,9 @@ matrix_homeserver_app_service_config_files_auto: |
|
||||
# - so that, when the reverse-proxy is up (Matrix is up), all bots and bridges can be interacted with
|
||||
# - monitoring services (Prometheus, Grafana, ..) get a level of 4000 - they can start later than all-of-Matrix
|
||||
# - services which aren't time-sensitive (various crons and timers) get a level of 5000 - they can start later than all-of-Matrix
|
||||
#
|
||||
# `matrix-bot-postmoogle.service` has a higher priority number (4000), unlike other bots' priority (2200),
|
||||
# because it requires SSL certificates. If Traefik is used, then Postmoogle needs to start at least after Traefik (3500) and Traefik certs dumper (3500).
|
||||
devture_systemd_service_manager_services_list_auto: |
|
||||
{{
|
||||
([{'name': 'matrix-backup-borg.timer', 'priority': 5000, 'groups': ['matrix', 'backup', 'borg']}] if matrix_backup_borg_enabled else [])
|
||||
@ -191,7 +222,7 @@ devture_systemd_service_manager_services_list_auto: |
|
||||
+
|
||||
([{'name': 'matrix-bot-draupnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'draupnir']}] if matrix_bot_draupnir_enabled else [])
|
||||
+
|
||||
([{'name': 'matrix-bot-postmoogle.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'postmoogle']}] if matrix_bot_postmoogle_enabled else [])
|
||||
([{'name': 'matrix-bot-postmoogle.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'postmoogle']}] if matrix_bot_postmoogle_enabled else [])
|
||||
+
|
||||
([{'name': 'matrix-bot-chatgpt.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'chatgpt']}] if matrix_bot_chatgpt_enabled else [])
|
||||
+
|
||||
@ -324,6 +355,10 @@ devture_systemd_service_manager_services_list_auto: |
|
||||
([{'name': 'matrix-synapse-reverse-proxy-companion.service', 'priority': 1500, 'groups': ['matrix', 'homeservers', 'synapse', 'reverse-proxies']}] if matrix_synapse_reverse_proxy_companion_enabled else [])
|
||||
+
|
||||
([{'name': 'matrix-user-verification-service.service', 'priority': 800, 'groups': ['matrix', 'matrix-user-verification-service']}] if matrix_user_verification_service_enabled else [])
|
||||
+
|
||||
([{'name': 'devture-traefik.service', 'priority': 3000, 'groups': ['matrix', 'traefik', 'reverse-proxies']}] if matrix_playbook_traefik_role_enabled else [])
|
||||
+
|
||||
([{'name': (devture_traefik_certs_dumper_identifier + '.service'), 'priority': 3500, 'groups': ['matrix', 'traefik-certs-dumper']}] if matrix_playbook_traefik_certs_dumper_role_enabled else [])
|
||||
}}
|
||||
|
||||
########################################################################
|
||||
@ -420,7 +455,7 @@ matrix_appservice_discord_enabled: false
|
||||
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-discord over the container network.
|
||||
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
||||
# matrix-appservice-discord's client-server port to the local host.
|
||||
matrix_appservice_discord_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9005' }}"
|
||||
matrix_appservice_discord_container_http_host_bind_port: "{{ matrix_playbook_service_host_bind_interface_prefix + ':9005' if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
|
||||
# If the homeserver disables presence, it's likely better (less wasteful) to also disable presence on the bridge side.
|
||||
matrix_appservice_discord_bridge_disablePresence: "{{ not matrix_synapse_presence_enabled }}"
|
||||
@ -467,7 +502,7 @@ matrix_appservice_webhooks_container_image_self_build: "{{ matrix_architecture !
|
||||
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-webhooks over the container network.
|
||||
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
||||
# matrix-appservice-webhooks' client-server port to the local host.
|
||||
matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_webhooks_matrix_port) }}"
|
||||
matrix_appservice_webhooks_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':' ~ matrix_appservice_webhooks_matrix_port) if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
|
||||
matrix_appservice_webhooks_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'webhook.as.token', rounds=655555) | to_uuid }}"
|
||||
|
||||
@ -506,7 +541,7 @@ matrix_appservice_slack_container_image_self_build: "{{ matrix_architecture not
|
||||
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-slack over the container network.
|
||||
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
||||
# matrix-appservice-slack's client-server port to the local host.
|
||||
matrix_appservice_slack_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_slack_slack_port) }}"
|
||||
matrix_appservice_slack_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix + ':' ~ matrix_appservice_slack_slack_port) if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
|
||||
matrix_appservice_slack_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'slack.as.token', rounds=655555) | to_uuid }}"
|
||||
|
||||
@ -549,7 +584,7 @@ matrix_appservice_irc_container_image_self_build: "{{ matrix_architecture != 'am
|
||||
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-irc over the container network.
|
||||
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
||||
# matrix-appservice-irc's client-server port to the local host.
|
||||
matrix_appservice_irc_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9999' }}"
|
||||
matrix_appservice_irc_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':9999') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
|
||||
# The IRC bridge docs say that if homeserver presence is disabled, it's better to also disable
|
||||
# IRC bridge presence, for performance reasons.
|
||||
@ -805,7 +840,7 @@ matrix_mautrix_facebook_homeserver_token: "{{ '%s' | format(matrix_homeserver_ge
|
||||
|
||||
matrix_mautrix_facebook_public_endpoint: "/{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'facebook', rounds=655555) | to_uuid }}"
|
||||
|
||||
matrix_mautrix_facebook_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9008' }}"
|
||||
matrix_mautrix_facebook_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':9008') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
|
||||
matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
|
||||
|
||||
@ -856,7 +891,7 @@ matrix_mautrix_googlechat_appservice_token: "{{ '%s' | format(matrix_homeserver_
|
||||
|
||||
matrix_mautrix_googlechat_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gc.hs.token', rounds=655555) | to_uuid }}"
|
||||
|
||||
matrix_mautrix_googlechat_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}"
|
||||
matrix_mautrix_googlechat_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':9007') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
|
||||
matrix_mautrix_googlechat_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
|
||||
|
||||
@ -898,7 +933,7 @@ matrix_mautrix_hangouts_appservice_token: "{{ '%s' | format(matrix_homeserver_ge
|
||||
|
||||
matrix_mautrix_hangouts_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ho.hs.token', rounds=655555) | to_uuid }}"
|
||||
|
||||
matrix_mautrix_hangouts_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}"
|
||||
matrix_mautrix_hangouts_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':9007') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
|
||||
matrix_mautrix_hangouts_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
|
||||
|
||||
@ -1045,7 +1080,7 @@ matrix_mautrix_telegram_homeserver_token: "{{ '%s' | format(matrix_homeserver_ge
|
||||
|
||||
matrix_mautrix_telegram_public_endpoint: "/{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegram', rounds=655555) | to_uuid }}"
|
||||
|
||||
matrix_mautrix_telegram_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9006' }}"
|
||||
matrix_mautrix_telegram_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':9006') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
|
||||
matrix_mautrix_telegram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
|
||||
|
||||
@ -1220,12 +1255,12 @@ matrix_hookshot_systemd_wanted_services_list: |
|
||||
}}
|
||||
|
||||
matrix_hookshot_container_http_host_bind_ports_defaultmapping:
|
||||
- "127.0.0.1:{{ matrix_hookshot_appservice_port }}:{{ matrix_hookshot_appservice_port }}"
|
||||
- "127.0.0.1:{{ matrix_hookshot_metrics_port }}:{{ matrix_hookshot_metrics_port }}"
|
||||
- "127.0.0.1:{{ matrix_hookshot_webhook_port }}:{{ matrix_hookshot_webhook_port }}"
|
||||
- "127.0.0.1:{{ matrix_hookshot_provisioning_port }}:{{ matrix_hookshot_provisioning_port }}"
|
||||
- "{{ matrix_playbook_service_host_bind_interface_prefix }}{{ matrix_hookshot_appservice_port }}:{{ matrix_hookshot_appservice_port }}"
|
||||
- "{{ matrix_playbook_service_host_bind_interface_prefix }}{{ matrix_hookshot_metrics_port }}:{{ matrix_hookshot_metrics_port }}"
|
||||
- "{{ matrix_playbook_service_host_bind_interface_prefix }}{{ matrix_hookshot_webhook_port }}:{{ matrix_hookshot_webhook_port }}"
|
||||
- "{{ matrix_playbook_service_host_bind_interface_prefix }}{{ matrix_hookshot_provisioning_port }}:{{ matrix_hookshot_provisioning_port }}"
|
||||
|
||||
matrix_hookshot_container_http_host_bind_ports: "{{ [] if matrix_nginx_proxy_enabled else matrix_hookshot_container_http_host_bind_ports_defaultmapping }}"
|
||||
matrix_hookshot_container_http_host_bind_ports: "{{ matrix_hookshot_container_http_host_bind_ports_defaultmapping if matrix_playbook_service_host_bind_interface_prefix else [] }}"
|
||||
|
||||
matrix_hookshot_provisioning_enabled: "{{ matrix_hookshot_provisioning_secret and matrix_dimension_enabled }}"
|
||||
|
||||
@ -1239,7 +1274,7 @@ matrix_hookshot_metrics_enabled: "{{ matrix_prometheus_enabled }}"
|
||||
|
||||
matrix_hookshot_urlprefix_port_enabled: "{{ matrix_nginx_proxy_container_https_host_bind_port == 443 if matrix_nginx_proxy_https_enabled else matrix_nginx_proxy_container_https_host_bind_port == 80 }}"
|
||||
matrix_hookshot_urlprefix_port: ":{{ matrix_nginx_proxy_container_https_host_bind_port if matrix_nginx_proxy_https_enabled else matrix_nginx_proxy_container_http_host_bind_port }}"
|
||||
matrix_hookshot_urlprefix: "http{{ 's' if matrix_nginx_proxy_https_enabled else '' }}://{{ matrix_server_fqn_matrix }}{{ matrix_hookshot_urlprefix_port if matrix_hookshot_urlprefix_port_enabled else '' }}"
|
||||
matrix_hookshot_urlprefix: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_server_fqn_matrix }}{{ matrix_hookshot_urlprefix_port if matrix_hookshot_urlprefix_port_enabled else '' }}"
|
||||
|
||||
######################################################################
|
||||
#
|
||||
@ -1315,7 +1350,7 @@ matrix_mx_puppet_twitter_homeserver_token: "{{ '%s' | format(matrix_homeserver_g
|
||||
|
||||
matrix_mx_puppet_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
|
||||
|
||||
matrix_mx_puppet_twitter_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_mx_puppet_twitter_appservice_port) }}"
|
||||
matrix_mx_puppet_twitter_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':' ~ matrix_mx_puppet_twitter_appservice_port) if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
|
||||
# Postgres is the default, except if not using internal Postgres server
|
||||
matrix_mx_puppet_twitter_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}"
|
||||
@ -1575,7 +1610,7 @@ matrix_bot_maubot_registration_shared_secret: |-
|
||||
}[matrix_homeserver_implementation]
|
||||
}}
|
||||
|
||||
matrix_bot_maubot_management_interface_http_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' + matrix_bot_maubot_management_interface_port | string) }}"
|
||||
matrix_bot_maubot_management_interface_http_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':' ~ matrix_bot_maubot_management_interface_port | string) if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
|
||||
# Postgres is the default, except if not using internal Postgres server
|
||||
matrix_bot_maubot_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}"
|
||||
@ -1665,9 +1700,52 @@ matrix_bot_postmoogle_enabled: false
|
||||
|
||||
matrix_bot_postmoogle_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}"
|
||||
|
||||
matrix_bot_postmoogle_ssl_path: "{{ matrix_ssl_config_dir_path }}"
|
||||
matrix_bot_postmoogle_tls_cert: "{% for domain in matrix_bot_postmoogle_domains %}/ssl/live/{{ domain }}/fullchain.pem {% endfor %}"
|
||||
matrix_bot_postmoogle_tls_key: "{% for domain in matrix_bot_postmoogle_domains %}/ssl/live/{{ domain }}/privkey.pem {% endfor %}"
|
||||
matrix_bot_postmoogle_ssl_path: |-
|
||||
{{
|
||||
{
|
||||
'playbook-managed-traefik': devture_traefik_certs_dumper_dumped_certificates_dir_path,
|
||||
'other-traefik-container': devture_traefik_certs_dumper_dumped_certificates_dir_path,
|
||||
'playbook-managed-nginx': (matrix_ssl_config_dir_path if matrix_playbook_ssl_retrieval_method != 'none' else ''),
|
||||
'other-nginx-non-container': (matrix_ssl_config_dir_path if matrix_playbook_ssl_retrieval_method != 'none' else ''),
|
||||
'other-on-same-host': '',
|
||||
'other-on-another-host': '',
|
||||
'none': '',
|
||||
}[matrix_playbook_reverse_proxy_type]
|
||||
}}
|
||||
|
||||
matrix_playbook_bot_postmoogle_nginx_proxy_tls_cert: "{% for domain in matrix_bot_postmoogle_domains %}/ssl/live/{{ domain }}/fullchain.pem {% endfor %}"
|
||||
matrix_playbook_bot_postmoogle_nginx_proxy_key: "{% for domain in matrix_bot_postmoogle_domains %}/ssl/live/{{ domain }}/privkey.pem {% endfor %}"
|
||||
|
||||
matrix_playbook_bot_postmoogle_traefik_tls_cert: "{% for domain in matrix_bot_postmoogle_domains %}/ssl/{{ domain }}/certificate.crt {% endfor %}"
|
||||
matrix_playbook_bot_postmoogle_traefik_key: "{% for domain in matrix_bot_postmoogle_domains %}/ssl/{{ domain }}/privatekey.key {% endfor %}"
|
||||
|
||||
matrix_bot_postmoogle_tls_cert: |-
|
||||
{{
|
||||
{
|
||||
'playbook-managed-traefik': matrix_playbook_bot_postmoogle_traefik_tls_cert,
|
||||
'other-traefik-container': matrix_playbook_bot_postmoogle_traefik_tls_cert,
|
||||
'playbook-managed-nginx': (matrix_playbook_bot_postmoogle_nginx_proxy_tls_cert if matrix_playbook_ssl_retrieval_method != 'none' else ''),
|
||||
'other-nginx-non-container': (matrix_playbook_bot_postmoogle_nginx_proxy_tls_cert if matrix_playbook_ssl_retrieval_method != 'none' else ''),
|
||||
'other-on-same-host': '',
|
||||
'other-on-another-host': '',
|
||||
'none': '',
|
||||
}[matrix_playbook_reverse_proxy_type]
|
||||
}}
|
||||
|
||||
matrix_bot_postmoogle_tls_key: |-
|
||||
{{
|
||||
{
|
||||
'playbook-managed-traefik': matrix_playbook_bot_postmoogle_traefik_key,
|
||||
'other-traefik-container': matrix_playbook_bot_postmoogle_traefik_key,
|
||||
'playbook-managed-nginx': (matrix_playbook_bot_postmoogle_nginx_proxy_key if matrix_playbook_ssl_retrieval_method != 'none' else ''),
|
||||
'other-nginx-non-container': (matrix_playbook_bot_postmoogle_nginx_proxy_key if matrix_playbook_ssl_retrieval_method != 'none' else ''),
|
||||
'other-on-same-host': '',
|
||||
'other-on-another-host': '',
|
||||
'none': '',
|
||||
}[matrix_playbook_reverse_proxy_type]
|
||||
}}
|
||||
|
||||
matrix_playbook_bot_postmoogle_traefik_certs_dumper_waiter_services: "{% for domain in matrix_bot_postmoogle_domains %}{{ devture_traefik_certs_dumper_identifier }}-wait-for-domain@{{ domain }}.service {% endfor %}"
|
||||
|
||||
matrix_bot_postmoogle_systemd_required_services_list: |
|
||||
{{
|
||||
@ -1676,6 +1754,8 @@ matrix_bot_postmoogle_systemd_required_services_list: |
|
||||
([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else [])
|
||||
+
|
||||
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
|
||||
+
|
||||
(matrix_playbook_bot_postmoogle_traefik_certs_dumper_waiter_services | trim | split(' ') if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled else [])
|
||||
}}
|
||||
|
||||
# Postgres is the default, except if not using internal Postgres server
|
||||
@ -1726,7 +1806,7 @@ matrix_bot_go_neb_systemd_required_services_list: |
|
||||
(['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
|
||||
}}
|
||||
|
||||
matrix_bot_go_neb_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:4050' }}"
|
||||
matrix_bot_go_neb_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':4050') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
|
||||
######################################################################
|
||||
#
|
||||
@ -1873,8 +1953,8 @@ matrix_corporal_container_image_self_build: "{{ matrix_architecture not in ['amd
|
||||
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-corporal over the container network.
|
||||
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
||||
# matrix-corporal's web-server ports to the local host.
|
||||
matrix_corporal_container_http_gateway_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:41080' }}"
|
||||
matrix_corporal_container_http_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:41081' }}"
|
||||
matrix_corporal_container_http_gateway_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':41080') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
matrix_corporal_container_http_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':41081') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
|
||||
matrix_corporal_systemd_required_services_list: |
|
||||
{{
|
||||
@ -1912,18 +1992,72 @@ matrix_coturn_turn_external_ip_address: "{{ ansible_host }}"
|
||||
|
||||
matrix_coturn_turn_static_auth_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'coturn.sas', rounds=655555) | to_uuid }}"
|
||||
|
||||
matrix_coturn_tls_enabled: "{{ matrix_ssl_retrieval_method != 'none' }}"
|
||||
matrix_coturn_tls_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_server_fqn_matrix }}/fullchain.pem"
|
||||
matrix_coturn_tls_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_server_fqn_matrix }}/privkey.pem"
|
||||
matrix_coturn_tls_enabled: "{{ matrix_playbook_ssl_retrieval_method != 'none' }}"
|
||||
|
||||
matrix_coturn_tls_cert_path: |-
|
||||
{{
|
||||
{
|
||||
'playbook-managed-traefik': '/certificate.crt',
|
||||
'other-traefik-container': '/certificate.crt',
|
||||
'playbook-managed-nginx': '/fullchain.pem',
|
||||
'other-nginx-non-container': '/fullchain.pem',
|
||||
'other-on-same-host': '',
|
||||
'other-on-another-host': '',
|
||||
'none': '',
|
||||
}[matrix_playbook_reverse_proxy_type]
|
||||
}}
|
||||
|
||||
matrix_coturn_tls_key_path: |-
|
||||
{{
|
||||
{
|
||||
'playbook-managed-traefik': '/privatekey.key',
|
||||
'other-traefik-container': '/privatekey.key',
|
||||
'playbook-managed-nginx': '/privkey.pem',
|
||||
'other-nginx-non-container': '/privkey.pem',
|
||||
'other-on-same-host': '',
|
||||
'other-on-another-host': '',
|
||||
'none': '',
|
||||
}[matrix_playbook_reverse_proxy_type]
|
||||
}}
|
||||
|
||||
matrix_coturn_container_additional_volumes: |
|
||||
{{
|
||||
([] if matrix_ssl_retrieval_method == 'none' else [
|
||||
{
|
||||
'src': matrix_ssl_config_dir_path,
|
||||
'dst': matrix_ssl_config_dir_path,
|
||||
'options': 'ro',
|
||||
}
|
||||
])
|
||||
(
|
||||
[
|
||||
{
|
||||
'src': (matrix_ssl_config_dir_path + '/live/' + matrix_server_fqn_matrix + '/fullchain.pem'),
|
||||
'dst': '/fullchain.pem',
|
||||
'options': 'ro',
|
||||
},
|
||||
{
|
||||
'src': (matrix_ssl_config_dir_path + '/live/' + matrix_server_fqn_matrix + '/privkey.pem'),
|
||||
'dst': '/privkey.pem',
|
||||
'options': 'ro',
|
||||
},
|
||||
] if matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []
|
||||
)
|
||||
+
|
||||
(
|
||||
[
|
||||
{
|
||||
'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/' + matrix_server_fqn_matrix + '/certificate.crt'),
|
||||
'dst': '/certificate.crt',
|
||||
'options': 'ro',
|
||||
},
|
||||
{
|
||||
'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/' + matrix_server_fqn_matrix + '/privatekey.key'),
|
||||
'dst': '/privatekey.key',
|
||||
'options': 'ro',
|
||||
},
|
||||
] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled else []
|
||||
)
|
||||
}}
|
||||
|
||||
matrix_coturn_systemd_required_services_list: |
|
||||
{{
|
||||
['docker.service']
|
||||
+
|
||||
([devture_traefik_certs_dumper_identifier + '-wait-for-domain@' + matrix_server_fqn_matrix + '.service'] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled else [])
|
||||
}}
|
||||
|
||||
######################################################################
|
||||
@ -1945,7 +2079,7 @@ matrix_dimension_container_image_self_build: "{{ matrix_architecture != 'amd64'
|
||||
# Normally, matrix-nginx-proxy is enabled and nginx can reach Dimension over the container network.
|
||||
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
||||
# the Dimension HTTP port to the local host.
|
||||
matrix_dimension_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8184' }}"
|
||||
matrix_dimension_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8184') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
|
||||
matrix_dimension_homeserver_federationUrl: "{{ matrix_homeserver_container_federation_url }}"
|
||||
|
||||
@ -1979,7 +2113,7 @@ matrix_dimension_database_password: "{{ '%s' | format(matrix_homeserver_generic_
|
||||
|
||||
matrix_etherpad_enabled: false
|
||||
|
||||
matrix_etherpad_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9001' }}"
|
||||
matrix_etherpad_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':9001') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
|
||||
matrix_etherpad_base_url: "{{ 'https://' + matrix_server_fqn_dimension + matrix_etherpad_public_endpoint if matrix_etherpad_mode == 'dimension' else 'https://' + matrix_server_fqn_etherpad + '/' }}"
|
||||
|
||||
@ -2040,11 +2174,11 @@ matrix_jitsi_enabled: false
|
||||
# Normally, matrix-nginx-proxy is enabled and nginx can reach jitsi/web over the container network.
|
||||
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
||||
# the Jitsi HTTP port to the local host.
|
||||
matrix_jitsi_web_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:13080' }}"
|
||||
matrix_jitsi_web_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':13080') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
|
||||
matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:13090' }}"
|
||||
matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':13090') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
|
||||
matrix_jitsi_prosody_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:5280' }}"
|
||||
matrix_jitsi_prosody_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':5280') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
|
||||
matrix_jitsi_jibri_xmpp_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jibri', rounds=655555) | to_uuid }}"
|
||||
matrix_jitsi_jicofo_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jicofo', rounds=655555) | to_uuid }}"
|
||||
@ -2134,7 +2268,7 @@ matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
|
||||
# Normally, matrix-nginx-proxy is enabled and nginx can reach ma1sd over the container network.
|
||||
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
||||
# ma1sd's web-server port.
|
||||
matrix_ma1sd_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:' + matrix_ma1sd_container_port | string }}"
|
||||
matrix_ma1sd_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':' ~ matrix_ma1sd_container_port | string) if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
|
||||
|
||||
# We enable Synapse integration via its Postgres database by default.
|
||||
@ -2148,7 +2282,7 @@ matrix_ma1sd_dns_overwrite_enabled: true
|
||||
matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}"
|
||||
# The `matrix_ma1sd_dns_overwrite_homeserver_client_value` value when matrix_nginx_proxy_enabled is false covers the general case,
|
||||
# but may be inaccurate if matrix-corporal is enabled.
|
||||
matrix_ma1sd_dns_overwrite_homeserver_client_value: "{{ ('http://' + matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container) if matrix_nginx_proxy_enabled else matrix_homeserver_container_url }}"
|
||||
matrix_ma1sd_dns_overwrite_homeserver_client_value: "{{ matrix_homeserver_container_url }}"
|
||||
|
||||
# By default, we send mail through the `matrix-mailer` service.
|
||||
matrix_ma1sd_threepid_medium_email_identity_from: "{{ matrix_mailer_sender_address }}"
|
||||
@ -2156,7 +2290,7 @@ matrix_ma1sd_threepid_medium_email_connectors_smtp_host: "matrix-mailer"
|
||||
matrix_ma1sd_threepid_medium_email_connectors_smtp_port: 8025
|
||||
matrix_ma1sd_threepid_medium_email_connectors_smtp_tls: 0
|
||||
|
||||
matrix_ma1sd_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"
|
||||
matrix_ma1sd_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}"
|
||||
|
||||
matrix_ma1sd_systemd_required_services_list: |
|
||||
{{
|
||||
@ -2190,10 +2324,26 @@ matrix_ma1sd_database_password: "{{ '%s' | format(matrix_homeserver_generic_secr
|
||||
#
|
||||
######################################################################
|
||||
|
||||
# By default, this playbook sets up a reverse-proxy nginx proxy server on TCP ports 80, 443 and 8448.
|
||||
# This is fine if you're dedicating the whole server to Matrix.
|
||||
# If that's not the case, you may wish to disable this and take care of proxying yourself.
|
||||
matrix_nginx_proxy_enabled: true
|
||||
# This playbook installs its own nginx if
|
||||
# - it's explicitly enabled
|
||||
# - Traefik is in use. Not all services are Traefik-native yet, so we use reverse-proxy to some via a local-only matrix-nginx-proxy
|
||||
matrix_nginx_proxy_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'playbook-managed-traefik', 'other-traefik-container'] }}"
|
||||
|
||||
# matrix-nginx-proxy is only to handle HTTPS only if it's the chosen reverse-proxy.
|
||||
# It may be enabled even if it's not chosen. See `matrix_nginx_proxy_enabled`.
|
||||
matrix_ssl_retrieval_method: "{{ 'lets-encrypt' if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'none' }}"
|
||||
matrix_nginx_proxy_https_enabled: "{{ matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' }}"
|
||||
|
||||
# matrix-nginx-proxy is to publish ports only if it's the chosen reverse-proxy.
|
||||
# It may be enabled even if it's not chosen. See `matrix_nginx_proxy_enabled`.
|
||||
matrix_nginx_proxy_container_http_host_bind_port: "{{ '80' if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else '' }}"
|
||||
matrix_nginx_proxy_container_federation_host_bind_port: "{{ matrix_federation_public_port if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else '' }}"
|
||||
|
||||
# matrix-nginx-proxy is to trust reverse-proxy forwarded protocol and headers, unless it's the "main" (chosen) reverse-proxy
|
||||
matrix_nginx_proxy_trust_forwarded_proto: "{{ matrix_playbook_reverse_proxy_type != 'playbook-managed-nginx' }}"
|
||||
matrix_nginx_proxy_x_forwarded_for: "{{ '$remote_addr' if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else '$proxy_add_x_forwarded_for' }}"
|
||||
|
||||
matrix_nginx_proxy_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}"
|
||||
|
||||
matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-nginx-proxy:12080' }}"
|
||||
matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "{{ '127.0.0.1:41080' if matrix_corporal_enabled else '127.0.0.1:12080' }}"
|
||||
@ -2226,6 +2376,23 @@ matrix_nginx_proxy_proxy_grafana_enabled: "{{ matrix_grafana_enabled }}"
|
||||
matrix_nginx_proxy_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled }}"
|
||||
matrix_nginx_proxy_proxy_ntfy_enabled: "{{ matrix_ntfy_enabled }}"
|
||||
|
||||
matrix_nginx_proxy_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
|
||||
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: true
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_element_enabled: "{{ matrix_client_element_enabled }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_grafana_enabled: "{{ matrix_grafana_enabled }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_enabled: "{{ matrix_ntfy_enabled }}"
|
||||
|
||||
matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}"
|
||||
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
|
||||
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081"
|
||||
@ -2269,18 +2436,16 @@ matrix_nginx_proxy_proxy_conduit_federation_api_addr_sans_container: "127.0.0.1:
|
||||
# When matrix-nginx-proxy is disabled, the actual port number that the vhost uses may begin to matter.
|
||||
matrix_nginx_proxy_proxy_matrix_federation_port: "{{ matrix_federation_public_port }}"
|
||||
|
||||
matrix_nginx_proxy_container_federation_host_bind_port: "{{ matrix_federation_public_port }}"
|
||||
|
||||
matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}"
|
||||
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}"
|
||||
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}"
|
||||
|
||||
matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"
|
||||
matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}"
|
||||
|
||||
# OCSP stapling does not make sense when self-signed certificates are used.
|
||||
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1073
|
||||
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1074
|
||||
matrix_nginx_proxy_ocsp_stapling_enabled: "{{ matrix_ssl_retrieval_method != 'self-signed' }}"
|
||||
matrix_nginx_proxy_ocsp_stapling_enabled: "{{ matrix_playbook_ssl_retrieval_method != 'self-signed' }}"
|
||||
|
||||
matrix_nginx_proxy_systemd_wanted_services_list: |
|
||||
{{
|
||||
@ -2698,7 +2863,7 @@ matrix_sygnal_enabled: false
|
||||
# If someone instals Prometheus via the playbook, they most likely wish to monitor Sygnal.
|
||||
matrix_sygnal_metrics_prometheus_enabled: "{{ matrix_prometheus_enabled }}"
|
||||
|
||||
matrix_sygnal_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:6000' }}"
|
||||
matrix_sygnal_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':6000') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
|
||||
######################################################################
|
||||
#
|
||||
@ -2714,7 +2879,7 @@ matrix_sygnal_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enable
|
||||
|
||||
matrix_ntfy_enabled: false
|
||||
|
||||
matrix_ntfy_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:2586' }}"
|
||||
matrix_ntfy_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':2586') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
|
||||
######################################################################
|
||||
#
|
||||
@ -2751,7 +2916,7 @@ matrix_client_element_container_image_self_build: "{{ matrix_architecture not in
|
||||
# Normally, matrix-nginx-proxy is enabled and nginx can reach Element over the container network.
|
||||
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
||||
# the Element HTTP port to the local host.
|
||||
matrix_client_element_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8765' }}"
|
||||
matrix_client_element_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8765') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
|
||||
matrix_client_element_default_hs_url: "{{ matrix_homeserver_url }}"
|
||||
matrix_client_element_default_is_url: "{{ matrix_identity_server_url }}"
|
||||
@ -2762,7 +2927,7 @@ matrix_client_element_integrations_rest_url: "{{ matrix_dimension_integrations_r
|
||||
matrix_client_element_integrations_widgets_urls: "{{ matrix_dimension_integrations_widgets_urls if matrix_dimension_enabled else ['https://scalar.vector.im/api'] }}"
|
||||
matrix_client_element_integrations_jitsi_widget_url: "{{ matrix_dimension_integrations_jitsi_widget_url if matrix_dimension_enabled else 'https://scalar.vector.im/api/widgets/jitsi.html' }}"
|
||||
|
||||
matrix_client_element_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"
|
||||
matrix_client_element_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}"
|
||||
|
||||
matrix_client_element_registration_enabled: "{{ matrix_synapse_enable_registration }}"
|
||||
|
||||
@ -2796,11 +2961,11 @@ matrix_client_hydrogen_container_image_self_build: "{{ matrix_architecture not i
|
||||
# Normally, matrix-nginx-proxy is enabled and nginx can reach Hydrogen over the container network.
|
||||
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
||||
# the HTTP port to the local host.
|
||||
matrix_client_hydrogen_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8768' }}"
|
||||
matrix_client_hydrogen_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8768') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
|
||||
matrix_client_hydrogen_default_hs_url: "{{ matrix_homeserver_url }}"
|
||||
|
||||
matrix_client_hydrogen_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"
|
||||
matrix_client_hydrogen_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}"
|
||||
|
||||
######################################################################
|
||||
#
|
||||
@ -2821,11 +2986,11 @@ matrix_client_cinny_container_image_self_build: "{{ matrix_architecture not in [
|
||||
# Normally, matrix-nginx-proxy is enabled and nginx can reach Cinny over the container network.
|
||||
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
||||
# the HTTP port to the local host.
|
||||
matrix_client_cinny_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8080' }}"
|
||||
matrix_client_cinny_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8080') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
|
||||
matrix_client_cinny_default_hs_url: "{{ matrix_homeserver_url }}"
|
||||
|
||||
matrix_client_cinny_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"
|
||||
matrix_client_cinny_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}"
|
||||
|
||||
######################################################################
|
||||
#
|
||||
@ -2850,13 +3015,13 @@ matrix_synapse_account_threepid_delegates_msisdn: "{{ 'http://matrix-ma1sd:' + m
|
||||
matrix_synapse_container_federation_api_tls_host_bind_port: "{{ matrix_federation_public_port if (matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled) else '' }}"
|
||||
#
|
||||
# For exposing the Synapse Metrics API's port (plain HTTP) to the local host.
|
||||
matrix_synapse_container_metrics_api_host_bind_port: "{{ '127.0.0.1:9100' if (matrix_synapse_metrics_enabled and not matrix_nginx_proxy_enabled) else '' }}"
|
||||
matrix_synapse_container_metrics_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':9100') if matrix_synapse_metrics_enabled and matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
#
|
||||
# For exposing the Synapse Manhole port (plain HTTP) to the local host.
|
||||
matrix_synapse_container_manhole_api_host_bind_port: "{{ '127.0.0.1:9000' if matrix_synapse_manhole_enabled else '' }}"
|
||||
matrix_synapse_container_manhole_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':9000') if matrix_synapse_metrics_enabled and matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
#
|
||||
# For exposing the Synapse worker (and metrics) ports to the local host.
|
||||
matrix_synapse_workers_container_host_bind_address: "{{ '127.0.0.1' if (matrix_synapse_workers_enabled and not matrix_nginx_proxy_enabled) else '' }}"
|
||||
matrix_synapse_workers_container_host_bind_address: "{{ matrix_playbook_service_host_bind_interface_prefix[0:-1] if (matrix_synapse_workers_enabled and matrix_playbook_service_host_bind_interface_prefix) else '' }}"
|
||||
|
||||
matrix_synapse_database_host: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
|
||||
matrix_synapse_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'synapse.db', rounds=655555) | to_uuid }}"
|
||||
@ -2893,7 +3058,7 @@ matrix_synapse_turn_uris: |
|
||||
[
|
||||
'turns:' + matrix_server_fqn_matrix + '?transport=udp',
|
||||
'turns:' + matrix_server_fqn_matrix + '?transport=tcp',
|
||||
] if matrix_coturn_enabled and matrix_coturn_tls_enabled and matrix_ssl_retrieval_method != 'lets-encrypt' else []
|
||||
] if matrix_coturn_enabled and matrix_coturn_tls_enabled and matrix_playbook_ssl_retrieval_method != 'lets-encrypt' else []
|
||||
+
|
||||
[
|
||||
'turn:' + matrix_server_fqn_matrix + '?transport=udp',
|
||||
@ -2903,7 +3068,7 @@ matrix_synapse_turn_uris: |
|
||||
|
||||
matrix_synapse_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}"
|
||||
|
||||
matrix_synapse_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"
|
||||
matrix_synapse_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}"
|
||||
|
||||
matrix_synapse_systemd_required_services_list: |
|
||||
{{
|
||||
@ -2945,8 +3110,8 @@ matrix_synapse_reverse_proxy_companion_enabled: "{{ matrix_synapse_enabled }}"
|
||||
|
||||
matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb: "{{ matrix_synapse_max_upload_size_mb }}"
|
||||
|
||||
matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8008' }}"
|
||||
matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8048' }}"
|
||||
matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8008') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8048') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
|
||||
matrix_synapse_reverse_proxy_companion_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}"
|
||||
matrix_synapse_reverse_proxy_companion_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}"
|
||||
@ -2980,7 +3145,7 @@ matrix_synapse_admin_enabled: false
|
||||
# Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse Admin over the container network.
|
||||
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
||||
# Synapse Admin's HTTP port to the local host.
|
||||
matrix_synapse_admin_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8766' }}"
|
||||
matrix_synapse_admin_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8766') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
|
||||
matrix_synapse_admin_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
|
||||
|
||||
@ -3009,7 +3174,11 @@ prometheus_node_exporter_server_fqn: "{{ matrix_server_fqn_matrix }}"
|
||||
|
||||
prometheus_node_exporter_container_network: "{{ matrix_docker_network }}"
|
||||
|
||||
prometheus_node_exporter_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}"
|
||||
|
||||
prometheus_node_exporter_container_labels_traefik_enabled: false
|
||||
prometheus_node_exporter_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
|
||||
prometheus_node_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
|
||||
|
||||
######################################################################
|
||||
#
|
||||
@ -3036,7 +3205,11 @@ prometheus_postgres_exporter_server_fqn: "{{ matrix_server_fqn_matrix }}"
|
||||
|
||||
prometheus_postgres_exporter_container_network: "{{ matrix_docker_network }}"
|
||||
|
||||
prometheus_postgres_exporter_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}"
|
||||
|
||||
prometheus_postgres_exporter_container_labels_traefik_enabled: false
|
||||
prometheus_postgres_exporter_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
|
||||
prometheus_postgres_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
|
||||
|
||||
prometheus_postgres_exporter_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
|
||||
prometheus_postgres_exporter_database_username: matrix_prometheus_postgres_exporter
|
||||
@ -3081,7 +3254,7 @@ matrix_prometheus_enabled: false
|
||||
# Normally, matrix-nginx-proxy is enabled and nginx can reach Prometheus over the container network.
|
||||
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
||||
# Prometheus' HTTP port to the local host.
|
||||
matrix_prometheus_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9090' }}"
|
||||
matrix_prometheus_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':99090005') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
|
||||
matrix_prometheus_scraper_synapse_enabled: "{{ matrix_synapse_enabled and matrix_synapse_metrics_enabled }}"
|
||||
matrix_prometheus_scraper_synapse_targets: ['matrix-synapse:{{ matrix_synapse_metrics_port }}']
|
||||
@ -3118,7 +3291,7 @@ matrix_grafana_enabled: false
|
||||
# Normally, matrix-nginx-proxy is enabled and nginx can reach Grafana over the container network.
|
||||
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
||||
# Grafana's HTTP port to the local host.
|
||||
matrix_grafana_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:3000' }}"
|
||||
matrix_grafana_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':3000') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
|
||||
matrix_grafana_dashboard_download_urls: |
|
||||
{{
|
||||
@ -3157,7 +3330,7 @@ matrix_registration_enabled: false
|
||||
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-registration over the container network.
|
||||
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
|
||||
# matrix-registration's HTTP port to the local host.
|
||||
matrix_registration_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8767' }}"
|
||||
matrix_registration_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8767') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
|
||||
matrix_registration_riot_instance: "{{ ('https://' + matrix_server_fqn_element) if matrix_client_element_enabled else 'https://riot.im/app/' }}"
|
||||
|
||||
@ -3172,7 +3345,7 @@ matrix_registration_shared_secret: |-
|
||||
|
||||
matrix_registration_server_location: "{{ matrix_homeserver_container_url }}"
|
||||
|
||||
matrix_registration_api_validate_certs: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"
|
||||
matrix_registration_api_validate_certs: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}"
|
||||
|
||||
matrix_registration_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
|
||||
|
||||
@ -3208,12 +3381,10 @@ matrix_dendrite_enabled: "{{ matrix_homeserver_implementation == 'dendrite' }}"
|
||||
# you can expose Dendrite's ports to the host.
|
||||
#
|
||||
# For exposing Dendrite's plain HTTP server to the local host.
|
||||
matrix_dendrite_container_http_host_bind_address: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' + matrix_dendrite_http_bind_port | string) }}"
|
||||
matrix_dendrite_container_http_host_bind_address: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':' ~ matrix_dendrite_http_bind_port | string) if matrix_playbook_service_host_bind_interface_prefix else '' }}"
|
||||
#
|
||||
# For exposing Dendrite's HTTPS server to the local host.
|
||||
matrix_dendrite_container_https_host_bind_address: "{{ '' if matrix_nginx_proxy_enabled or not matrix_dendrite_https_bind_port else ('127.0.0.1:' + matrix_dendrite_https_bind_port | string) }}"
|
||||
|
||||
matrix_dendrite_sync_api_real_ip_header: "{{ 'X-Forwarded-For' if matrix_nginx_proxy_enabled else '' }}"
|
||||
matrix_dendrite_container_https_host_bind_address: "{{ '' if not matrix_dendrite_https_bind_port or not matrix_playbook_service_host_bind_interface_prefix else (matrix_playbook_service_host_bind_interface_prefix + matrix_dendrite_https_bind_port | string) }}"
|
||||
|
||||
matrix_dendrite_client_api_registration_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.rss', rounds=655555) | to_uuid }}"
|
||||
|
||||
@ -3237,9 +3408,9 @@ matrix_dendrite_client_api_turn_uris: |
|
||||
|
||||
matrix_dendrite_client_api_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}"
|
||||
|
||||
matrix_dendrite_disable_tls_validation: "{{ true if matrix_ssl_retrieval_method == 'self-signed' else false }}"
|
||||
matrix_dendrite_disable_tls_validation: "{{ true if matrix_playbook_ssl_retrieval_method == 'self-signed' else false }}"
|
||||
|
||||
matrix_dendrite_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"
|
||||
matrix_dendrite_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}"
|
||||
|
||||
matrix_dendrite_trusted_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_ma1sd_enabled else ['matrix.org', 'vector.im'] }}"
|
||||
|
||||
@ -3348,9 +3519,9 @@ matrix_user_verification_service_systemd_required_services_list: |
|
||||
|
||||
# If Jitsi is managed by this playbook we can use the docker network - no need to expose a port.
|
||||
# If Jitsi is not managed by this playbook, or you otherwise have a need for it, you can expose
|
||||
# matrix-user-verfification-services's client-server port to the local host port 3003.
|
||||
# matrix-user-verfification-services's client-server port to port 3003.
|
||||
# By default Matrix-User-Verification-Service binds to port 3000, which collides with grafana, therefore this uses port 3003.
|
||||
matrix_user_verification_service_container_http_host_bind_port: "{{ '' if (matrix_jitsi_enabled | bool and matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix') else '127.0.0.1:3003' }}"
|
||||
matrix_user_verification_service_container_http_host_bind_port: "{{ '' if (matrix_jitsi_enabled | bool and matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix') else matrix_playbook_service_host_bind_interface_prefix ~ ':3003' }}"
|
||||
|
||||
# URL exposed in the docker network
|
||||
matrix_user_verification_service_container_url: "http://{{ matrix_user_verification_service_container_name }}:3000"
|
||||
@ -3365,3 +3536,57 @@ matrix_user_verification_service_uvs_auth_token: "{{ '%s' | format(matrix_homese
|
||||
# /matrix-user-verification-service
|
||||
#
|
||||
######################################################################
|
||||
|
||||
|
||||
########################################################################
|
||||
# #
|
||||
# com.devture.ansible.role.traefik #
|
||||
# #
|
||||
########################################################################
|
||||
|
||||
# To completely disable the Traefik role from running, use `matrix_playbook_traefik_role_enabled: false`.
|
||||
# See the comment there for more details about why we have both `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`.
|
||||
devture_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' }}"
|
||||
|
||||
devture_traefik_uid: "{{ matrix_user_uid }}"
|
||||
devture_traefik_gid: "{{ matrix_user_gid }}"
|
||||
|
||||
devture_traefik_additional_entrypoints_auto:
|
||||
- name: matrix-federation
|
||||
port: "{{ matrix_federation_public_port }}"
|
||||
host_bind_port: "{{ matrix_federation_public_port }}"
|
||||
config: {}
|
||||
|
||||
devture_traefik_additional_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains_to_obtain_certificates_for }}"
|
||||
|
||||
########################################################################
|
||||
# #
|
||||
# /com.devture.ansible.role.traefik #
|
||||
# #
|
||||
########################################################################
|
||||
|
||||
|
||||
########################################################################
|
||||
# #
|
||||
# com.devture.ansible.role.traefik_certs_dumper #
|
||||
# #
|
||||
########################################################################
|
||||
|
||||
# To completely disable the Traefik certs dumper role from running, use `matrix_playbook_traefik_certs_dumper_role_enabled: false`.
|
||||
# See the comment there for more details about why we have both `devture_traefik_certs_dumper_enabled` and `matrix_playbook_traefik_certs_dumper_role_enabled`.
|
||||
devture_traefik_certs_dumper_enabled: "{{ matrix_playbook_traefik_certs_dumper_role_enabled }}"
|
||||
|
||||
devture_traefik_certs_dumper_identifier: matrix-traefik-certs-dumper
|
||||
|
||||
devture_traefik_certs_dumper_base_path: "{{ matrix_base_data_path }}/traefik-certs-dumper"
|
||||
|
||||
devture_traefik_certs_dumper_uid: "{{ matrix_user_uid }}"
|
||||
devture_traefik_certs_dumper_gid: "{{ matrix_user_gid }}"
|
||||
|
||||
devture_traefik_certs_dumper_ssl_dir_path: "{{ devture_traefik_ssl_dir_path if devture_traefik_enabled else '' }}"
|
||||
|
||||
########################################################################
|
||||
# #
|
||||
# /com.devture.ansible.role.traefik_certs_dumper #
|
||||
# #
|
||||
########################################################################
|
||||
|
||||
Reference in New Issue
Block a user