From fa397886e105088f1f38938b2ee787ae598ddc8a Mon Sep 17 00:00:00 2001 From: transcaffeine Date: Sun, 18 Apr 2021 11:55:40 +0200 Subject: [PATCH] feat: add automatic creation of reverse-proxy routing --- .../matrix.finallycoffee.eu/vars.yml | 22 ++-- .../defaults/main.yml | 2 +- setup.yml | 27 ++++- templates/Caddyfile.j2 | 110 ++++++++++++++++++ 4 files changed, 152 insertions(+), 9 deletions(-) create mode 100644 templates/Caddyfile.j2 diff --git a/inventory/host_vars/matrix.finallycoffee.eu/vars.yml b/inventory/host_vars/matrix.finallycoffee.eu/vars.yml index 309c5f3b1..893b4fbd0 100644 --- a/inventory/host_vars/matrix.finallycoffee.eu/vars.yml +++ b/inventory/host_vars/matrix.finallycoffee.eu/vars.yml @@ -8,8 +8,12 @@ matrix_nginx_proxy_enabled: false matrix_base_data_path: "{{ vault_matrix_base_data_path }}" matrix_server_fqn_element: "chat.{{ matrix_domain }}" -matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:v1.32.0" -#matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.21" +web_user: "web" +revproxy_autoload_dir: "/vault/services/web/sites.d" + +matrix_client_element_version: v1.8.4 +#matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:v1.37.1" +#matrix_mautrix_telegram_version: v0.10.0 # # General Synapse config @@ -149,6 +153,7 @@ matrix_mautrix_telegram_configuration_extension_yaml: | default: true permissions: "@transcaffeine:finallycoffee.eu": "admin" + "gruenhage.xyz": "full" logging: root: level: INFO @@ -208,15 +213,16 @@ matrix_mx_puppet_instagram_configuration_extension_yaml: | # mx-puppet-skype configuration # matrix_mx_puppet_skype_enabled: true +matrix_mx_puppet_skype_container_http_monitoring_host_bind_port: 9405 matrix_mx_puppet_skype_container_extra_arguments: - - "-p 127.0.0.1:9405:9405" + - "-p 127.0.0.1:{{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}" matrix_mx_puppet_skype_configuration_extension_yaml: | bridge: enableGroupSync: true avatarUrl: mxc://finallycoffee.eu/jjXDuFqtpFOBOnywoHgzTuYt metrics: enabled: true - port: 9405 + port: {{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }} path: /metrics @@ -252,15 +258,17 @@ matrix_mx_puppet_slack_enabled: true matrix_mx_puppet_slack_client_id: "{{ vault_matrix_mx_puppet_slack_client_id }}" matrix_mx_puppet_slack_client_secret: "{{ vault_matrix_mx_puppet_slack_client_secret }}" matrix_mx_puppet_slack_redirect_path: '/bridge/slack/oauth' +matrix_mx_puppet_slack_container_http_auth_host_bind_port: 8981 +matrix_mx_puppet_slack_container_http_monitoring_host_bind_port: 9406 matrix_mx_puppet_slack_container_extra_arguments: - - "-p 127.0.0.1:9406:9406" - - "-p 127.0.0.1:8981:8008" + - "-p 127.0.0.1:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}" + - "-p 127.0.0.1:{{ matrix_mx_puppet_slack_container_http_auth_host_bind_port }}:8008" matrix_mx_puppet_slack_configuration_extension_yaml: | bridge: enableGroupSync: true metrics: enabled: true - port: 9406 + port: {{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }} path: /metrics limits: maxAutojoinUsers: 500 diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index dcfa30333..33c129f49 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -127,8 +127,8 @@ matrix_mautrix_telegram_registration_yaml: | regex: '^#telegram_.+:{{ matrix_mautrix_telegram_homeserver_domain|regex_escape }}$' sender_localpart: _bot_{{ matrix_mautrix_telegram_appservice_bot_username }} url: {{ matrix_mautrix_telegram_appservice_address }} -# sender_localpart: "bridges_{{ matrix_mautrix_telegram_sender_localpart }}" rate_limited: false de.sorunome.msc2409.push_ephemeral: true +# sender_localpart: "bridges_{{ matrix_mautrix_telegram_sender_localpart }}" matrix_mautrix_telegram_registration: "{{ matrix_mautrix_telegram_registration_yaml|from_yaml }}" diff --git a/setup.yml b/setup.yml index 21d67f1a8..a1dca3c2b 100755 --- a/setup.yml +++ b/setup.yml @@ -56,4 +56,29 @@ - matrix-aux - matrix-postgres-backup - matrix-prometheus-postgres-exporter - - matrix-common-after \ No newline at end of file + - matrix-common-after + + tasks: + - name: Ensure web-user is present + user: + name: "{{ web_user }}" + state: present + system: yes + register: web_user_res + tags: [ setup-caddy, setup-all, start ] + - name: Ensure directory for revproxy config is present + file: + path: "{{ revproxy_autoload_dir }}/matrix" + state: directory + owner: "{{ web_user_res.uid }}" + group: "{{ web_user_res.group }}" + mode: 0750 + tags: [ setup-caddy, setup-all, start ] + - name: Template reverse proxy configuration + template: + src: Caddyfile.j2 + dest: "{{ revproxy_autoload_dir }}/matrix/Caddyfile" + owner: "{{ web_user_res.uid }}" + group: "{{ web_user_res.group }}" + mode: 0640 + tags: [ setup-caddy, setup-all, start ] diff --git a/templates/Caddyfile.j2 b/templates/Caddyfile.j2 new file mode 100644 index 000000000..b1e0a8b13 --- /dev/null +++ b/templates/Caddyfile.j2 @@ -0,0 +1,110 @@ +https://{{ matrix_server_fqn_matrix }} { + tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem + encode zstd gzip + header { + Strict-Transport-Security "max-age=31536000;" + X-Frame-Options "DENY" + X-XSS-Protection "1; mode=block" + } + # matrix-ma1sd + reverse_proxy /_matrix/identity/* {{ matrix_ma1sd_container_http_host_bind_port }} { + header_down Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" + header_down Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization" + } + reverse_proxy /_matrix/client/r0/user_directory/search/* {{ matrix_ma1sd_container_http_host_bind_port }} { + header_down Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" + header_down Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization" + } + reverse_proxy /_matrix/federation/* http://{{ matrix_synapse_container_federation_api_plain_host_bind_port }} + reverse_proxy /_matrix/key/* http://{{ matrix_synapse_container_federation_api_plain_host_bind_port }} + reverse_proxy /_matrix/* {{ matrix_synapse_container_client_api_host_bind_port }} { + import proxyheaders + header_down Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" + header_down Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization" + } + route /synapse-admin/* { + uri strip_prefix /synapse-admin + reverse_proxy http://127.0.0.1{{ matrix_synapse_admin_container_http_host_bind_port }} + } + reverse_proxy /_synapse/* http://{{ matrix_synapse_container_client_api_host_bind_port }} + basicauth /metrics/* bcrypt monitoring { + monitoring JDJhJDE0JGdQRlNHVFpSQmRiaWlPem9LdXlkS09HN2E3LklZS05YZmtXTEY1NlFXbkMxd3hBUmwwbVZl + } + route /metrics/synapse { + uri replace /metrics/synapse /_synapse/metrics + reverse_proxy http://{{ matrix_synapse_container_metrics_api_host_bind_port }} + } + route /metrics/synapse/worker/appservice { + uri replace /metrics/synapse/worker/appservice /_synapse/metrics + reverse_proxy http://127.0.0.1:{{ matrix_synapse_workers_appservice_workers_metrics_range_start }} + } + route /metrics/synapse/worker/federation-sender { + uri replace /metrics/synapse/worker/federation-sender /_synapse/metrics + reverse_proxy http://127.0.0.1:{{ matrix_synapse_workers_federation_sender_workers_metrics_range_start }} + } + route /metrics/bridge/* { + uri strip_prefix /metrics/bridge + route /mautrix-telegram { + uri replace /mautrix-telegram /metrics + reverse_proxy http://127.0.0.1:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }} + } + route /mautrix-whatsapp { + uri replace /mautrix-whatsapp /metrics + reverse_proxy http://127.0.0.1:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }} + } + route /mautrix-signal { + uri replace /mautrix-signal /metrics + reverse_proxy http://127.0.0.1:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }} + } + route /mx-puppet-instagram { + uri replace /mx-puppet-instagram /metrics + reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }} + } + route /mx-puppet-discord { + uri replace /mx-puppet-discord /metrics + reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }} + } + route /mx-puppet-skype { + uri replace /mx-puppet-skype /metrics + reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }} + } + route /mx-puppet-slack { + uri replace /mx-puppet-slack /metrics + reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }} + } + } + reverse_proxy /bridge/telegram/* http://127.0.0.1:{{ matrix_mautrix_telegram_container_http_host_bind_port_public }} + reverse_proxy /bridge/slack/* http://127.0.0.1:{{ matrix_mx_puppet_slack_container_http_auth_host_bind_port }} +} + +https://{{ matrix_server_fqn_dimension }} { + tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem + encode zstd gzip + reverse_proxy http://{{ matrix_dimension_container_http_host_bind_port }} { + #header_up X-Forwarded-For {remote} + import proxyheaders + #header_up Host {host} + } +} + +https://{{ matrix_server_fqn_element }} { + tls /tls_certs/chat.finallycoffee.eu/fullchain.pem /tls_certs/chat.finallycoffee.eu/privkey.pem + encode zstd gzip + reverse_proxy http://{{ matrix_client_element_container_http_host_bind_port }} +} + +https://{{ matrix_domain }}/.well-known/matrix/* { + tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem + route { + uri strip_prefix /.well-known/matrix + root * /matrix_static + file_server + } + header { + Content-Type "application/json" + X-Content-Type-Options "nosniff" + Access-Control-Allow-Origin * + Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" + Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization" + } +}