Initial work on Traefik support

This gets us started on adding a Traefik role and hooking Traefik:

- directly to services which support Traefik - we only have a few of
  these right now, but the list will grow

- to matrix-nginx-proxy for most services that integrate with
  matrix-nginx-proxy right now

Traefik usage should be disabled by default for now and nothing should
change for people just yet.

Enabling these experiments requires additional configuration like this:

```yaml
devture_traefik_ssl_email_address: '.....'

matrix_playbook_traefik_role_enabled: true
matrix_playbook_traefik_labels_enabled: true

matrix_ssl_retrieval_method: none

matrix_nginx_proxy_https_enabled: false

matrix_nginx_proxy_container_http_host_bind_port: ''
matrix_nginx_proxy_container_federation_host_bind_port: ''

matrix_nginx_proxy_trust_forwarded_proto: true

matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for'

matrix_coturn_enabled: false
```

What currently works is:
reverse-proxying for all nginx-proxy based services **except** for the Matrix homeserver
(both Client-Server an Federation traffic for the homeserver don't work yet)

group_vars/matrix_servers

@@ -19,6 +19,28 @@
 # Also see `devture_docker_sdk_for_python_installation_enabled`.
 matrix_playbook_docker_installation_enabled: true
 
+# Controls whether to run the Traefik role or not
+# See the `com.devture.ansible.role.traefik` section below for role configuration.
+#
+# There's a difference between `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`.
+# `devture_traefik_enabled` controls what the Traefik role would do - when not enabled, it will run uninstall tasks, etc.
+# `matrix_playbook_traefik_role_enabled` controls if the Traefik role would even run at all.
+#
+# Sometimes, you're installing Traefik via a different (related playbook) which uses the same role.
+# In such cases, you'd like to disable the role in this playbook from bothering with Traefik at all (`matrix_playbook_traefik_role_enabled: false`).
+# If you used `devture_traefik_enabled: false` + `matrix_playbook_traefik_role_enabled: true` instead, you'd see the Treafik role here
+# try to delete Traefik data (`/devture-traefik`) installed by the other playbook.
+matrix_playbook_traefik_role_enabled: false
+
+# Controls whether to attach Traefik labels to services.
+# This is separate from `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`,
+# because you may wish to disable Traefik installation by the playbook, yet still use Traefik
+# installed in another way.
+matrix_playbook_traefik_labels_enabled: false
+
+# Controls the additional network that reverse-proxyable services will be connected to.
+matrix_playbook_reverse_proxyable_services_additional_network: "{{ devture_traefik_container_network if devture_traefik_enabled else '' }}"
+
 ########################################################################
 #                                                                      #
 # /Playbook                                                            #
@@ -320,6 +342,8 @@ devture_systemd_service_manager_services_list_auto: |
     ([{'name': 'matrix-synapse-admin.service', 'priority': 4000, 'groups': ['matrix', 'synapse-admin']}] if matrix_synapse_admin_enabled else [])
     +
     ([{'name': 'matrix-synapse-reverse-proxy-companion.service', 'priority': 1500, 'groups': ['matrix', 'homeservers', 'synapse', 'reverse-proxies']}] if matrix_synapse_reverse_proxy_companion_enabled else [])
+    +
+    ([{'name': 'devture-traefik.service', 'priority': 3000, 'groups': ['matrix', 'traefik', 'reverse-proxies']}] if matrix_playbook_traefik_role_enabled else [])
   }}
 
 ########################################################################
@@ -2157,6 +2181,8 @@ matrix_ma1sd_database_password: "{{ '%s' | format(matrix_homeserver_generic_secr
 # If that's not the case, you may wish to disable this and take care of proxying yourself.
 matrix_nginx_proxy_enabled: true
 
+matrix_nginx_proxy_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}"
+
 matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-nginx-proxy:12080' }}"
 matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "{{ '127.0.0.1:41080' if matrix_corporal_enabled else '127.0.0.1:12080' }}"
 matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: |-
@@ -2185,6 +2211,22 @@ matrix_nginx_proxy_proxy_grafana_enabled: "{{ matrix_grafana_enabled }}"
 matrix_nginx_proxy_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled }}"
 matrix_nginx_proxy_proxy_ntfy_enabled: "{{ matrix_ntfy_enabled }}"
 
+matrix_nginx_proxy_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}"
+matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_config_entrypoint_primary }}"
+
+matrix_nginx_proxy_container_labels_traefik_proxy_element_enabled: "{{ matrix_client_element_enabled }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_grafana_enabled: "{{ matrix_grafana_enabled }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_enabled: "{{ matrix_ntfy_enabled }}"
+
 matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}"
 matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
 matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081"
@@ -2968,7 +3010,11 @@ prometheus_node_exporter_server_fqn: "{{ matrix_server_fqn_matrix }}"
 
 prometheus_node_exporter_container_network: "{{ matrix_docker_network }}"
 
+prometheus_node_exporter_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}"
+
 prometheus_node_exporter_container_labels_traefik_enabled: false
+prometheus_node_exporter_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+prometheus_node_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_config_entrypoint_primary }}"
 
 ######################################################################
 #
@@ -2995,7 +3041,11 @@ prometheus_postgres_exporter_server_fqn: "{{ matrix_server_fqn_matrix }}"
 
 prometheus_postgres_exporter_container_network: "{{ matrix_docker_network }}"
 
+prometheus_postgres_exporter_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}"
+
 prometheus_postgres_exporter_container_labels_traefik_enabled: false
+prometheus_postgres_exporter_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+prometheus_postgres_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_config_entrypoint_primary }}"
 
 prometheus_postgres_exporter_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
 prometheus_postgres_exporter_database_username: matrix_prometheus_postgres_exporter
@@ -3284,3 +3334,23 @@ matrix_user_creator_users_auto: |
 # /matrix-user-creator
 #
 ######################################################################
+
+
+########################################################################
+#                                                                      #
+# com.devture.ansible.role.traefik                                     #
+#                                                                      #
+########################################################################
+
+# To completely disable the Traefik role from running, use `matrix_playbook_traefik_role_enabled: false`.
+# See the comment there for more details about why we have both `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`.
+devture_traefik_enabled: "{{ matrix_playbook_traefik_role_enabled }}"
+
+devture_traefik_uid: "{{ matrix_user_uid }}"
+devture_traefik_gid: "{{ matrix_user_gid }}"
+
+########################################################################
+#                                                                      #
+# /com.devture.ansible.role.traefik                                    #
+#                                                                      #
+########################################################################

playbooks/matrix.yml

@@ -115,6 +115,9 @@
     - custom/matrix-user-creator
     - custom/matrix-common-after
 
+    - when: matrix_playbook_traefik_role_enabled | bool
+      role: galaxy/com.devture.ansible.role.traefik
+
     - when: devture_systemd_service_manager_enabled | bool
       role: galaxy/com.devture.ansible.role.systemd_service_manager
 

requirements.yml

@@ -35,3 +35,6 @@
 
 - src: git+https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter.git
   version: v0.11.1-2
+
+- src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
+  version: 407af71a3667b1d8083beb10bf22423ecf013f58

roles/custom/matrix-nginx-proxy/defaults/main.yml

@@ -40,6 +40,80 @@ matrix_nginx_proxy_container_additional_networks: []
 # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
 matrix_nginx_proxy_container_additional_volumes: []
 
+# matrix_nginx_proxy_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
+# See `../templates/labels.j2` for details.
+#
+# To inject your own other container labels, see `matrix_nginx_proxy_container_labels_additional_labels`.
+matrix_nginx_proxy_container_labels_traefik_enabled: false
+matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_nginx_proxy_container_network }}"
+matrix_nginx_proxy_container_labels_traefik_entrypoints: web-secure
+matrix_nginx_proxy_container_labels_traefik_tls_certResolver: default  # noqa var-naming
+
+matrix_nginx_proxy_container_labels_traefik_proxy_element_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_element_hostname: "{{ matrix_server_fqn_element }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_element_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_element_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_element_hostname }}`)"
+
+matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_hostname }}`)"
+
+matrix_nginx_proxy_container_labels_traefik_proxy_cinny_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_cinny_hostname: "{{ matrix_server_fqn_cinny }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_cinny_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_cinny_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_cinny_hostname }}`)"
+
+matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_hostname: "{{ matrix_server_fqn_buscarron }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_hostname }}`)"
+
+matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_dimension_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_hostname }}`)"
+
+matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_hostname: "{{ matrix_server_fqn_etherpad }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_hostname }}`)"
+
+matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_hostname }}`)"
+
+matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_hostname }}`)"
+
+matrix_nginx_proxy_container_labels_traefik_proxy_grafana_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_grafana_hostname: "{{ matrix_server_fqn_grafana }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_grafana_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_grafana_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_grafana_hostname }}`)"
+
+matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_hostname }}`)"
+
+matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_hostname: "{{ matrix_server_fqn_ntfy }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_hostname }}`)"
+
+# matrix_nginx_proxy_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
+# See `../templates/labels.j2` for details.
+#
+# Example:
+# matrix_nginx_proxy_container_labels_additional_labels: |
+#   my.label=1
+#   another.label="here"
+matrix_nginx_proxy_container_labels_additional_labels: ''
+
+
 # A list of extra arguments to pass to the container
 matrix_nginx_proxy_container_extra_arguments: []
 

roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml

@@ -22,6 +22,14 @@
     - "{{ matrix_nginx_proxy_data_path }}"
     - "{{ matrix_nginx_proxy_confd_path }}"
 
+- name: Ensure Matrix nginx-proxy labels file is created
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/labels.j2"
+    dest: "{{ matrix_nginx_proxy_base_path }}/labels"
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+    mode: 0640
+
 - name: Ensure Matrix nginx-proxy configured (main config override)
   ansible.builtin.template:
     src: "{{ role_path }}/templates/nginx/nginx.conf.j2"

roles/custom/matrix-nginx-proxy/templates/labels.j2

@@ -0,0 +1,144 @@
+{% if matrix_nginx_proxy_container_labels_traefik_enabled %}
+traefik.enable=true
+
+{% if matrix_nginx_proxy_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_nginx_proxy_container_labels_traefik_docker_network }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_element_enabled %}
+# Element
+traefik.http.routers.matrix-nginx-proxy-element.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_element_rule }}
+traefik.http.routers.matrix-nginx-proxy-element.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-element.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_element_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_element_tls %}
+traefik.http.routers.matrix-nginx-proxy-element.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-element.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_enabled %}
+# Hydrogen
+traefik.http.routers.matrix-nginx-proxy-hydrogen.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_rule }}
+traefik.http.routers.matrix-nginx-proxy-hydrogen.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-hydrogen.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_tls %}
+traefik.http.routers.matrix-nginx-proxy-hydrogen.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-hydrogen.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_cinny_enabled %}
+# Cinny
+traefik.http.routers.matrix-nginx-proxy-cinny.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_cinny_rule }}
+traefik.http.routers.matrix-nginx-proxy-cinny.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-cinny.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_cinny_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_cinny_tls %}
+traefik.http.routers.matrix-nginx-proxy-cinny.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-cinny.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_enabled %}
+# Buscarron
+traefik.http.routers.matrix-nginx-proxy-buscarron.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_rule }}
+traefik.http.routers.matrix-nginx-proxy-buscarron.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-buscarron.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_tls %}
+traefik.http.routers.matrix-nginx-proxy-buscarron.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-buscarron.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled %}
+# Dimension
+traefik.http.routers.matrix-nginx-proxy-dimension.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_rule }}
+traefik.http.routers.matrix-nginx-proxy-dimension.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-dimension.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls %}
+traefik.http.routers.matrix-nginx-proxy-dimension.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-dimension.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled %}
+# Etherpad
+traefik.http.routers.matrix-nginx-proxy-etherpad.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_rule }}
+traefik.http.routers.matrix-nginx-proxy-etherpad.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-etherpad.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls %}
+traefik.http.routers.matrix-nginx-proxy-etherpad.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-etherpad.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled %}
+# Go NEB bot
+traefik.http.routers.matrix-nginx-proxy-bot_go_neb.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_rule }}
+traefik.http.routers.matrix-nginx-proxy-bot_go_neb.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-bot_go_neb.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_tls %}
+traefik.http.routers.matrix-nginx-proxy-bot_go_neb.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-bot_go_neb.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled %}
+# Jitsi
+traefik.http.routers.matrix-nginx-proxy-jitsi.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_rule }}
+traefik.http.routers.matrix-nginx-proxy-jitsi.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-jitsi.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_tls %}
+traefik.http.routers.matrix-nginx-proxy-jitsi.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-jitsi.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_grafana_enabled %}
+# Grafana
+traefik.http.routers.matrix-nginx-proxy-grafana.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_grafana_rule }}
+traefik.http.routers.matrix-nginx-proxy-grafana.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-grafana.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_grafana_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_grafana_tls %}
+traefik.http.routers.matrix-nginx-proxy-grafana.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-grafana.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_enabled %}
+# Sygnal
+traefik.http.routers.matrix-nginx-proxy-sygnal.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_rule }}
+traefik.http.routers.matrix-nginx-proxy-sygnal.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-sygnal.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_tls %}
+traefik.http.routers.matrix-nginx-proxy-sygnal.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-sygnal.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_enabled %}
+# ntfy
+traefik.http.routers.matrix-nginx-proxy-ntfy.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_rule }}
+traefik.http.routers.matrix-nginx-proxy-ntfy.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-ntfy.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_tls %}
+traefik.http.routers.matrix-nginx-proxy-ntfy.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-ntfy.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+traefik.http.services.matrix-nginx-proxy-web.loadbalancer.server.port=8080
+{% endif %}
+
+{{ matrix_nginx_proxy_container_labels_additional_labels }}

roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2

@@ -24,6 +24,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			--cap-drop=ALL \
 			--read-only \
 			--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_nginx_proxy_tmp_directory_size_mb }}m \
+			--label-file={{ matrix_nginx_proxy_base_path }}/labels \
 			--network={{ matrix_nginx_proxy_container_network }} \
 			{% if matrix_nginx_proxy_container_http_host_bind_port %}
 			-p {{ matrix_nginx_proxy_container_http_host_bind_port }}:8080 \