Initial work on Traefik support
This gets us started on adding a Traefik role and hooking Traefik: - directly to services which support Traefik - we only have a few of these right now, but the list will grow - to matrix-nginx-proxy for most services that integrate with matrix-nginx-proxy right now Traefik usage should be disabled by default for now and nothing should change for people just yet. Enabling these experiments requires additional configuration like this: ```yaml devture_traefik_ssl_email_address: '.....' matrix_playbook_traefik_role_enabled: true matrix_playbook_traefik_labels_enabled: true matrix_ssl_retrieval_method: none matrix_nginx_proxy_https_enabled: false matrix_nginx_proxy_container_http_host_bind_port: '' matrix_nginx_proxy_container_federation_host_bind_port: '' matrix_nginx_proxy_trust_forwarded_proto: true matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for' matrix_coturn_enabled: false ``` What currently works is: reverse-proxying for all nginx-proxy based services **except** for the Matrix homeserver (both Client-Server an Federation traffic for the homeserver don't work yet)
This commit is contained in:
Slavi Pantaleev
@ -40,6 +40,80 @@ matrix_nginx_proxy_container_additional_networks: []
|
||||
# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
|
||||
matrix_nginx_proxy_container_additional_volumes: []
|
||||
|
||||
# matrix_nginx_proxy_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
|
||||
# See `../templates/labels.j2` for details.
|
||||
#
|
||||
# To inject your own other container labels, see `matrix_nginx_proxy_container_labels_additional_labels`.
|
||||
matrix_nginx_proxy_container_labels_traefik_enabled: false
|
||||
matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_nginx_proxy_container_network }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_entrypoints: web-secure
|
||||
matrix_nginx_proxy_container_labels_traefik_tls_certResolver: default # noqa var-naming
|
||||
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_element_enabled: false
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_element_hostname: "{{ matrix_server_fqn_element }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_element_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_element_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_element_hostname }}`)"
|
||||
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_enabled: false
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_hostname }}`)"
|
||||
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_cinny_enabled: false
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_cinny_hostname: "{{ matrix_server_fqn_cinny }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_cinny_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_cinny_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_cinny_hostname }}`)"
|
||||
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_enabled: false
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_hostname: "{{ matrix_server_fqn_buscarron }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_hostname }}`)"
|
||||
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled: false
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_dimension_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_hostname }}`)"
|
||||
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: false
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_hostname: "{{ matrix_server_fqn_etherpad }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_hostname }}`)"
|
||||
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: false
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_hostname }}`)"
|
||||
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: false
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_hostname }}`)"
|
||||
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_grafana_enabled: false
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_grafana_hostname: "{{ matrix_server_fqn_grafana }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_grafana_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_grafana_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_grafana_hostname }}`)"
|
||||
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_enabled: false
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_hostname }}`)"
|
||||
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_enabled: false
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_hostname: "{{ matrix_server_fqn_ntfy }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
|
||||
matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_hostname }}`)"
|
||||
|
||||
# matrix_nginx_proxy_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
|
||||
# See `../templates/labels.j2` for details.
|
||||
#
|
||||
# Example:
|
||||
# matrix_nginx_proxy_container_labels_additional_labels: |
|
||||
# my.label=1
|
||||
# another.label="here"
|
||||
matrix_nginx_proxy_container_labels_additional_labels: ''
|
||||
|
||||
|
||||
# A list of extra arguments to pass to the container
|
||||
matrix_nginx_proxy_container_extra_arguments: []
|
||||
|
||||
|
||||
@ -22,6 +22,14 @@
|
||||
- "{{ matrix_nginx_proxy_data_path }}"
|
||||
- "{{ matrix_nginx_proxy_confd_path }}"
|
||||
|
||||
- name: Ensure Matrix nginx-proxy labels file is created
|
||||
ansible.builtin.template:
|
||||
src: "{{ role_path }}/templates/labels.j2"
|
||||
dest: "{{ matrix_nginx_proxy_base_path }}/labels"
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
mode: 0640
|
||||
|
||||
- name: Ensure Matrix nginx-proxy configured (main config override)
|
||||
ansible.builtin.template:
|
||||
src: "{{ role_path }}/templates/nginx/nginx.conf.j2"
|
||||
|
||||
144
roles/custom/matrix-nginx-proxy/templates/labels.j2
Normal file
144
roles/custom/matrix-nginx-proxy/templates/labels.j2
Normal file
@ -0,0 +1,144 @@
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_enabled %}
|
||||
traefik.enable=true
|
||||
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_docker_network %}
|
||||
traefik.docker.network={{ matrix_nginx_proxy_container_labels_traefik_docker_network }}
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_element_enabled %}
|
||||
# Element
|
||||
traefik.http.routers.matrix-nginx-proxy-element.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_element_rule }}
|
||||
traefik.http.routers.matrix-nginx-proxy-element.service=matrix-nginx-proxy-web
|
||||
traefik.http.routers.matrix-nginx-proxy-element.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_element_tls | to_json }}
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_element_tls %}
|
||||
traefik.http.routers.matrix-nginx-proxy-element.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
traefik.http.routers.matrix-nginx-proxy-element.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_enabled %}
|
||||
# Hydrogen
|
||||
traefik.http.routers.matrix-nginx-proxy-hydrogen.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_rule }}
|
||||
traefik.http.routers.matrix-nginx-proxy-hydrogen.service=matrix-nginx-proxy-web
|
||||
traefik.http.routers.matrix-nginx-proxy-hydrogen.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_tls | to_json }}
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_tls %}
|
||||
traefik.http.routers.matrix-nginx-proxy-hydrogen.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
traefik.http.routers.matrix-nginx-proxy-hydrogen.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_cinny_enabled %}
|
||||
# Cinny
|
||||
traefik.http.routers.matrix-nginx-proxy-cinny.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_cinny_rule }}
|
||||
traefik.http.routers.matrix-nginx-proxy-cinny.service=matrix-nginx-proxy-web
|
||||
traefik.http.routers.matrix-nginx-proxy-cinny.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_cinny_tls | to_json }}
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_cinny_tls %}
|
||||
traefik.http.routers.matrix-nginx-proxy-cinny.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
traefik.http.routers.matrix-nginx-proxy-cinny.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_enabled %}
|
||||
# Buscarron
|
||||
traefik.http.routers.matrix-nginx-proxy-buscarron.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_rule }}
|
||||
traefik.http.routers.matrix-nginx-proxy-buscarron.service=matrix-nginx-proxy-web
|
||||
traefik.http.routers.matrix-nginx-proxy-buscarron.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_tls | to_json }}
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_tls %}
|
||||
traefik.http.routers.matrix-nginx-proxy-buscarron.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
traefik.http.routers.matrix-nginx-proxy-buscarron.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled %}
|
||||
# Dimension
|
||||
traefik.http.routers.matrix-nginx-proxy-dimension.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_rule }}
|
||||
traefik.http.routers.matrix-nginx-proxy-dimension.service=matrix-nginx-proxy-web
|
||||
traefik.http.routers.matrix-nginx-proxy-dimension.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls | to_json }}
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls %}
|
||||
traefik.http.routers.matrix-nginx-proxy-dimension.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
traefik.http.routers.matrix-nginx-proxy-dimension.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled %}
|
||||
# Etherpad
|
||||
traefik.http.routers.matrix-nginx-proxy-etherpad.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_rule }}
|
||||
traefik.http.routers.matrix-nginx-proxy-etherpad.service=matrix-nginx-proxy-web
|
||||
traefik.http.routers.matrix-nginx-proxy-etherpad.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls | to_json }}
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls %}
|
||||
traefik.http.routers.matrix-nginx-proxy-etherpad.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
traefik.http.routers.matrix-nginx-proxy-etherpad.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled %}
|
||||
# Go NEB bot
|
||||
traefik.http.routers.matrix-nginx-proxy-bot_go_neb.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_rule }}
|
||||
traefik.http.routers.matrix-nginx-proxy-bot_go_neb.service=matrix-nginx-proxy-web
|
||||
traefik.http.routers.matrix-nginx-proxy-bot_go_neb.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_tls | to_json }}
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_tls %}
|
||||
traefik.http.routers.matrix-nginx-proxy-bot_go_neb.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
traefik.http.routers.matrix-nginx-proxy-bot_go_neb.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled %}
|
||||
# Jitsi
|
||||
traefik.http.routers.matrix-nginx-proxy-jitsi.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_rule }}
|
||||
traefik.http.routers.matrix-nginx-proxy-jitsi.service=matrix-nginx-proxy-web
|
||||
traefik.http.routers.matrix-nginx-proxy-jitsi.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_tls | to_json }}
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_tls %}
|
||||
traefik.http.routers.matrix-nginx-proxy-jitsi.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
traefik.http.routers.matrix-nginx-proxy-jitsi.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_grafana_enabled %}
|
||||
# Grafana
|
||||
traefik.http.routers.matrix-nginx-proxy-grafana.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_grafana_rule }}
|
||||
traefik.http.routers.matrix-nginx-proxy-grafana.service=matrix-nginx-proxy-web
|
||||
traefik.http.routers.matrix-nginx-proxy-grafana.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_grafana_tls | to_json }}
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_grafana_tls %}
|
||||
traefik.http.routers.matrix-nginx-proxy-grafana.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
traefik.http.routers.matrix-nginx-proxy-grafana.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_enabled %}
|
||||
# Sygnal
|
||||
traefik.http.routers.matrix-nginx-proxy-sygnal.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_rule }}
|
||||
traefik.http.routers.matrix-nginx-proxy-sygnal.service=matrix-nginx-proxy-web
|
||||
traefik.http.routers.matrix-nginx-proxy-sygnal.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_tls | to_json }}
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_tls %}
|
||||
traefik.http.routers.matrix-nginx-proxy-sygnal.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
traefik.http.routers.matrix-nginx-proxy-sygnal.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_enabled %}
|
||||
# ntfy
|
||||
traefik.http.routers.matrix-nginx-proxy-ntfy.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_rule }}
|
||||
traefik.http.routers.matrix-nginx-proxy-ntfy.service=matrix-nginx-proxy-web
|
||||
traefik.http.routers.matrix-nginx-proxy-ntfy.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_tls | to_json }}
|
||||
{% if matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_tls %}
|
||||
traefik.http.routers.matrix-nginx-proxy-ntfy.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
|
||||
{% endif %}
|
||||
traefik.http.routers.matrix-nginx-proxy-ntfy.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
|
||||
{% endif %}
|
||||
|
||||
|
||||
traefik.http.services.matrix-nginx-proxy-web.loadbalancer.server.port=8080
|
||||
{% endif %}
|
||||
|
||||
{{ matrix_nginx_proxy_container_labels_additional_labels }}
|
||||
@ -24,6 +24,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
|
||||
--cap-drop=ALL \
|
||||
--read-only \
|
||||
--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_nginx_proxy_tmp_directory_size_mb }}m \
|
||||
--label-file={{ matrix_nginx_proxy_base_path }}/labels \
|
||||
--network={{ matrix_nginx_proxy_container_network }} \
|
||||
{% if matrix_nginx_proxy_container_http_host_bind_port %}
|
||||
-p {{ matrix_nginx_proxy_container_http_host_bind_port }}:8080 \
|
||||
|
||||
Reference in New Issue
Block a user