4d62a75f6f
We do this by creating one more layer of indirection. First we reach some generic vhost handling matrix.DOMAIN. A bunch of override rules are added there (capturing traffic to send to ma1sd, etc). nginx-status and similar generic things also live there. We then proxy to the homeserver on some other vhost (only Synapse being available right now, but repointing this to Dendrite or other will be possible in the future). Then that homeserver-specific vhost does its thing to proxy to the homeserver. It may or may not use workers, etc. Without matrix-corporal, the flow is now: 1. matrix.DOMAIN (matrix-nginx-proxy/matrix-domain.conf) 2. matrix-nginx-proxy/matrix-synapse.conf 3. matrix-synapse With matrix-corporal enabled, it becomes: 1. matrix.DOMAIN (matrix-nginx-proxy/matrix-domain.conf) 2. matrix-corporal 3. matrix-nginx-proxy/matrix-synapse.conf 4. matrix-synapse (matrix-corporal gets injected at step 2).
348 lines
20 KiB
YAML
348 lines
20 KiB
YAML
matrix_nginx_proxy_enabled: true
|
||
|
||
# We use an official nginx image, which we fix-up to run unprivileged.
|
||
# An alternative would be an `nginxinc/nginx-unprivileged` image, but
|
||
# that is frequently out of date.
|
||
matrix_nginx_proxy_docker_image: "docker.io/nginx:1.19.6-alpine"
|
||
matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}"
|
||
|
||
matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy"
|
||
matrix_nginx_proxy_data_path: "{{ matrix_nginx_proxy_base_path }}/data"
|
||
matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_base_path }}/conf.d"
|
||
|
||
# List of systemd services that matrix-nginx-proxy.service depends on
|
||
matrix_nginx_proxy_systemd_required_services_list: ['docker.service']
|
||
|
||
# List of systemd services that matrix-nginx-proxy.service wants
|
||
matrix_nginx_proxy_systemd_wanted_services_list: []
|
||
|
||
# A list of additional "volumes" to mount in the container.
|
||
# This list gets populated dynamically at runtime. You can provide a different default value,
|
||
# if you wish to mount your own files into the container.
|
||
# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
|
||
matrix_nginx_proxy_container_additional_volumes: []
|
||
|
||
# A list of extra arguments to pass to the container
|
||
matrix_nginx_proxy_container_extra_arguments: []
|
||
|
||
# Controls whether matrix-nginx-proxy serves its vhosts over HTTPS or HTTP.
|
||
#
|
||
# If enabled:
|
||
# - SSL certificates would be expected to be available (see `matrix_ssl_retrieval_method`)
|
||
# - the HTTP vhost would be made a redirect to the HTTPS vhost
|
||
#
|
||
# If not enabled:
|
||
# - you don't need any SSL certificates (you can set `matrix_ssl_retrieval_method: none`)
|
||
# - naturally, there's no HTTPS vhost
|
||
# - services are served directly from the HTTP vhost
|
||
matrix_nginx_proxy_https_enabled: true
|
||
|
||
# Controls whether the matrix-nginx-proxy container exposes its HTTP port (tcp/8080 in the container).
|
||
#
|
||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:80"), or empty string to not expose.
|
||
matrix_nginx_proxy_container_http_host_bind_port: '80'
|
||
|
||
# Controls whether the matrix-nginx-proxy container exposes its HTTPS port (tcp/8443 in the container).
|
||
#
|
||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:443"), or empty string to not expose.
|
||
#
|
||
# This only makes sense and applies if `matrix_nginx_proxy_https_enabled` is set to `true`.
|
||
# Otherwise, there are no HTTPS vhosts to expose.
|
||
matrix_nginx_proxy_container_https_host_bind_port: '443'
|
||
|
||
# Controls whether the matrix-nginx-proxy container exposes the Matrix Federation port (tcp/8448 in the container).
|
||
#
|
||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8448"), or empty string to not expose.
|
||
#
|
||
# This only makes sense and applies if `matrix_nginx_proxy_proxy_matrix_federation_api_enabled` is set to `true`.
|
||
# Otherwise, there is no Matrix Federation port to expose.
|
||
#
|
||
# This port can take HTTP or HTTPS traffic, depending on `matrix_nginx_proxy_https_enabled`.
|
||
# When HTTPS is disabled, you'd likely want to only expose the port locally, and front it with another HTTPS-enabled reverse-proxy.
|
||
matrix_nginx_proxy_container_federation_host_bind_port: '8448'
|
||
|
||
# Controls whether matrix-nginx-proxy should serve the base domain.
|
||
#
|
||
# This is useful for when you only have your Matrix server, but you need to serve
|
||
# to serve `/.well-known/matrix/*` files from the base domain for the needs of
|
||
# Server-Discovery (Federation) and for Client-Discovery.
|
||
#
|
||
# Besides serving these Matrix files, a homepage would be served with content
|
||
# as specified in the `matrix_nginx_proxy_base_domain_homepage_template` variable.
|
||
# You can also put additional files to use for this webpage
|
||
# in the `{{ matrix_nginx_proxy_data_path }}/matrix-domain` (`/matrix/nginx-proxy/data/matrix-domain`) directory.
|
||
matrix_nginx_proxy_base_domain_serving_enabled: false
|
||
|
||
matrix_nginx_proxy_base_domain_hostname: "{{ matrix_domain }}"
|
||
|
||
# Controls whether `matrix_nginx_proxy_base_domain_homepage_template` would be dumped to an `index.html` file
|
||
# in the `/matrix/nginx-proxy/data/matrix-domain` directory.
|
||
#
|
||
# If you would instead like to serve a static website by yourself, you can disable this.
|
||
# When disabled, you're expected to put website files in `/matrix/nginx-proxy/data/matrix-domain` manually
|
||
# and can expect that the playbook won't intefere with the `index.html` file.
|
||
matrix_nginx_proxy_base_domain_homepage_enabled: true
|
||
|
||
matrix_nginx_proxy_base_domain_homepage_template: |-
|
||
<!doctype html>
|
||
<meta charset="utf-8" />
|
||
<html>
|
||
<body>
|
||
Hello from {{ matrix_domain }}!
|
||
</body>
|
||
</html>
|
||
|
||
# Option to disable the access log
|
||
matrix_nginx_proxy_access_log_enabled: true
|
||
|
||
# Controls whether proxying the riot domain should be done.
|
||
matrix_nginx_proxy_proxy_riot_compat_redirect_enabled: false
|
||
matrix_nginx_proxy_proxy_riot_compat_redirect_hostname: "riot.{{ matrix_domain }}"
|
||
|
||
# Controls whether proxying the Synapse domain should be done.
|
||
matrix_nginx_proxy_proxy_synapse_enabled: false
|
||
matrix_nginx_proxy_proxy_synapse_hostname: "matrix-nginx-proxy"
|
||
|
||
# Controls whether proxying the Element domain should be done.
|
||
matrix_nginx_proxy_proxy_element_enabled: false
|
||
matrix_nginx_proxy_proxy_element_hostname: "{{ matrix_server_fqn_element }}"
|
||
|
||
# Controls whether proxying the matrix domain should be done.
|
||
matrix_nginx_proxy_proxy_matrix_enabled: false
|
||
matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}"
|
||
|
||
# Controls whether proxying the dimension domain should be done.
|
||
matrix_nginx_proxy_proxy_dimension_enabled: false
|
||
matrix_nginx_proxy_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}"
|
||
|
||
# Controls whether proxying the jitsi domain should be done.
|
||
matrix_nginx_proxy_proxy_jitsi_enabled: false
|
||
matrix_nginx_proxy_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}"
|
||
|
||
# Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain)
|
||
matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false
|
||
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
|
||
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081"
|
||
|
||
# Controls whether proxying for the User Directory Search API (`/_matrix/client/r0/user_directory/search`) should be done (on the matrix domain).
|
||
# This can be used to forward the API endpoint to another service, augmenting the functionality of Synapse's own User Directory Search.
|
||
# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/directory.md
|
||
matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false
|
||
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-ma1sd:8090"
|
||
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:8090"
|
||
|
||
# Controls whether proxying for 3PID-based registration (`/_matrix/client/r0/register/(email|msisdn)/requestToken`) should be done (on the matrix domain).
|
||
# This allows another service to control registrations involving 3PIDs.
|
||
# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md
|
||
matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled: false
|
||
matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-ma1sd:8090"
|
||
matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container: "127.0.0.1:8090"
|
||
|
||
# Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain)
|
||
matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false
|
||
matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:8090"
|
||
matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090"
|
||
|
||
# Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain)
|
||
matrix_nginx_proxy_proxy_synapse_metrics: false
|
||
matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled: false
|
||
matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: ""
|
||
|
||
# The addresses where the Matrix Client API is.
|
||
# Certain extensions (like matrix-corporal) may override this in order to capture all traffic.
|
||
matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-nginx-proxy:12080"
|
||
matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:12080"
|
||
|
||
# The addresses where the Matrix Client API is, when using Synapse.
|
||
matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "matrix-synapse:8008"
|
||
matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "127.0.0.1:8008"
|
||
|
||
# This needs to be equal or higher than the maximum upload size accepted by Synapse.
|
||
matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 50
|
||
|
||
|
||
# Tells whether `/_synapse/client` is forwarded to the Matrix Client API server.
|
||
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled: true
|
||
|
||
# Tells whether `/_synapse/oidc` is forwarded to the Matrix Client API server.
|
||
# Enable this if you need OpenID Connect authentication support.
|
||
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled: false
|
||
|
||
# Tells whether `/_synapse/admin` is forwarded to the Matrix Client API server.
|
||
# Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't.
|
||
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: false
|
||
|
||
# `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefixes` holds
|
||
# the location prefixes that get forwarded to the Matrix Client API server.
|
||
# These locations get combined into a regex like this `^(/_matrix|/_synapse/client)`.
|
||
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: |
|
||
{{
|
||
(['/_matrix'])
|
||
+
|
||
(['/_synapse/client'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled else [])
|
||
+
|
||
(['/_synapse/oidc'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled else [])
|
||
+
|
||
(['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else [])
|
||
}}
|
||
|
||
# Specifies where requests for the root URI (`/`) on the `matrix.` domain should be redirected.
|
||
# If this has an empty value, they're just passed to the homeserver, which serves a static page.
|
||
# If you'd like to make `https://matrix.DOMAIN` redirect to `https://element.DOMAIN` (or something of that sort), specify the domain name here.
|
||
# Example value: `element.DOMAIN` (or `{{ matrix_server_fqn_element }}`).
|
||
matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: ""
|
||
|
||
# Controls whether proxying for the Matrix Federation API should be done.
|
||
matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false
|
||
matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-nginx-proxy:12088"
|
||
matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "localhost:12088"
|
||
matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb | int) * 3 }}"
|
||
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem"
|
||
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem"
|
||
|
||
# The addresses where the Federation API is, when using Synapse.
|
||
matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "matrix-synapse:8048"
|
||
matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:8048"
|
||
|
||
# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
|
||
matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}"
|
||
|
||
# A list of strings containing additional configuration blocks to add to the nginx http's server configuration (nginx-http.conf).
|
||
matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks: []
|
||
|
||
# A list of strings containing additional configuration blocks to add to the base matrix server configuration (matrix-domain.conf).
|
||
matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: []
|
||
|
||
# A list of strings containing additional configuration blocks to add to the synapse's server configuration (matrix-synapse.conf).
|
||
matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks: []
|
||
|
||
# A list of strings containing additional configuration blocks to add to Riot's server configuration (matrix-riot-web.conf).
|
||
matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: []
|
||
|
||
# A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf).
|
||
matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks: []
|
||
|
||
# A list of strings containing additional configuration blocks to add to Dimension's server configuration (matrix-dimension.conf).
|
||
matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: []
|
||
|
||
# A list of strings containing additional configuration blocks to add to Jitsi's server configuration (matrix-jitsi.conf).
|
||
matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks: []
|
||
|
||
# A list of strings containing additional configuration blocks to add to the base domain server configuration (matrix-base-domain.conf).
|
||
matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: []
|
||
|
||
# Specifies the SSL configuration that should be used for the SSL protocols and ciphers
|
||
# This is based on the Mozilla Server Side TLS Recommended configurations.
|
||
#
|
||
# The posible values are:
|
||
# - "modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility
|
||
# - "intermediate" - Recommended configuration for a general-purpose server
|
||
# - "old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8
|
||
#
|
||
# For more information visit:
|
||
# - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
|
||
# - https://ssl-config.mozilla.org/#server=nginx
|
||
matrix_nginx_proxy_ssl_preset: "intermediate"
|
||
|
||
# Presets are taken from Mozilla's Server Side TLS Recommended configurations
|
||
# DO NOT modify these values and use `matrix_nginx_proxy_ssl_protocols`, `matrix_nginx_proxy_ssl_ciphers` and `matrix_nginx_proxy_ssl_ciphers`
|
||
# if you wish to use something more custom.
|
||
matrix_nginx_proxy_ssl_presets:
|
||
modern:
|
||
protocols: TLSv1.3
|
||
ciphers: ""
|
||
prefer_server_ciphers: "off"
|
||
intermediate:
|
||
protocols: TLSv1.2 TLSv1.3
|
||
ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||
prefer_server_ciphers: "off"
|
||
old:
|
||
protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
|
||
ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
|
||
prefer_server_ciphers: "on"
|
||
|
||
|
||
# Specifies which *SSL protocols* to use when serving all the various vhosts.
|
||
matrix_nginx_proxy_ssl_protocols: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}"
|
||
|
||
# Specifies whether to prefer *the client’s choice or the server’s choice* when negotiating ciphers.
|
||
matrix_nginx_proxy_ssl_prefer_server_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}"
|
||
|
||
# Specifies which *SSL Cipher suites* to use when serving all the various vhosts.
|
||
# To see the full list for suportes ciphers run `openssl ciphers` on your server
|
||
matrix_nginx_proxy_ssl_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"
|
||
|
||
# Controls whether the self-check feature should validate SSL certificates.
|
||
matrix_nginx_proxy_self_check_validate_certificates: true
|
||
|
||
# Controls whether redirects will be followed when checking the `/.well-known/matrix/client` resource.
|
||
#
|
||
# As per the spec (https://matrix.org/docs/spec/client_server/r0.6.0#well-known-uri), it shouldn't be,
|
||
# so we default to not following redirects as well.
|
||
matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects: none
|
||
|
||
# By default, this playbook automatically retrieves and auto-renews
|
||
# free SSL certificates from Let's Encrypt.
|
||
#
|
||
# The following retrieval methods are supported:
|
||
# - "lets-encrypt" - the playbook obtains free SSL certificates from Let's Encrypt
|
||
# - "self-signed" - the playbook generates and self-signs certificates
|
||
# - "manually-managed" - lets you manage certificates by yourself (manually; see below)
|
||
# - "none" - like "manually-managed", but doesn't care if you don't drop certificates in the location it expects
|
||
#
|
||
# If you decide to manage certificates by yourself (`matrix_ssl_retrieval_method: manually-managed`),
|
||
# you'd need to drop them into the directory specified by `matrix_ssl_config_dir_path`
|
||
# obeying the following hierarchy:
|
||
# - <matrix_ssl_config_dir_path>/live/<domain>/fullchain.pem
|
||
# - <matrix_ssl_config_dir_path>/live/<domain>/privkey.pem
|
||
# where <domain> refers to the domains that you need (usually `matrix_server_fqn_matrix` and `matrix_server_fqn_element`).
|
||
#
|
||
# The "none" type (`matrix_ssl_retrieval_method: none`), simply means that no certificate retrieval will happen.
|
||
# It's useful for when you've disabled the nginx proxy (`matrix_nginx_proxy_enabled: false`)
|
||
# and you'll be using another reverse-proxy server (like Apache) with your own certificates, managed by yourself.
|
||
# It's also useful if you're using `matrix_nginx_proxy_https_enabled: false` to make this nginx proxy serve
|
||
# plain HTTP traffic only (usually, on the loopback interface only) and you'd be terminating SSL using another reverse-proxy.
|
||
matrix_ssl_retrieval_method: "lets-encrypt"
|
||
|
||
matrix_ssl_architecture: "amd64"
|
||
|
||
# The list of domains that this role will obtain certificates for.
|
||
matrix_ssl_domains_to_obtain_certificates_for: []
|
||
|
||
# Controls whether to obtain production or staging certificates from Let's Encrypt.
|
||
matrix_ssl_lets_encrypt_staging: false
|
||
matrix_ssl_lets_encrypt_certbot_docker_image: "docker.io/certbot/certbot:{{ matrix_ssl_architecture }}-v1.10.1"
|
||
matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"
|
||
matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
|
||
matrix_ssl_lets_encrypt_support_email: ~
|
||
|
||
# Tells which interface and port the Let's Encrypt (certbot) container should try to bind to
|
||
# when it tries to obtain initial certificates in standalone mode.
|
||
#
|
||
# This should normally be a public interface and port.
|
||
# If you'd like to not bind on all IP addresses, specify one explicitly (e.g. `a.b.c.d:80`)
|
||
matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port: '80'
|
||
|
||
matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"
|
||
matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"
|
||
matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"
|
||
|
||
# If you'd like to start some service before a certificate is obtained, specify it here.
|
||
# This could be something like `matrix-dynamic-dns`, etc.
|
||
matrix_ssl_pre_obtaining_required_service_name: ~
|
||
matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60
|
||
|
||
# nginx status page configurations.
|
||
matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: false
|
||
matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ['{{ ansible_default_ipv4.address }}']
|
||
|
||
|
||
# synapse worker activation and endpoint mappings
|
||
matrix_nginx_proxy_synapse_workers_enabled: false
|
||
matrix_nginx_proxy_synapse_workers_list: []
|
||
matrix_nginx_proxy_synapse_generic_worker_client_server_locations: []
|
||
matrix_nginx_proxy_synapse_generic_worker_federation_locations: []
|
||
matrix_nginx_proxy_synapse_media_repository_locations: []
|
||
matrix_nginx_proxy_synapse_user_dir_locations: []
|
||
matrix_nginx_proxy_synapse_frontend_proxy_locations: []
|