7d3adc4512
We do use some `:latest` images by default for the following services: - matrix-dimension - Goofys (in the matrix-synapse role) - matrix-bridge-appservice-irc - matrix-bridge-appservice-discord - matrix-bridge-mautrix-facebook - matrix-bridge-mautrix-whatsapp It's terribly unfortunate that those software projects don't release anything other than `:latest`, but that's how it is for now. Updating that software requires that users manually do `docker pull` on the server. The playbook didn't force-repull images that it already had. With this patch, it starts doing so. Any image tagged `:latest` will be force re-pulled by the playbook every time it's executed. It should be noted that even though we ask the `docker_image` module to force-pull, it only reports "changed" when it actually pulls something new. This is nice, because it lets people know exactly when something gets updated, as opposed to giving the indication that it's always updating the images (even though it isn't).
155 lines
9.0 KiB
YAML
155 lines
9.0 KiB
YAML
matrix_nginx_proxy_enabled: true
|
|
|
|
# We use an official nginx image, which we fix-up to run unprivileged.
|
|
# An alternative would be an `nginxinc/nginx-unprivileged` image, but
|
|
# that is frequently out of date.
|
|
matrix_nginx_proxy_docker_image: "nginx:1.15.12-alpine"
|
|
matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}"
|
|
|
|
matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy"
|
|
matrix_nginx_proxy_data_path: "{{ matrix_nginx_proxy_base_path }}/data"
|
|
matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_base_path }}/conf.d"
|
|
|
|
# List of systemd services that matrix-nginx-proxy.service depends on
|
|
matrix_nginx_proxy_systemd_required_services_list: ['docker.service']
|
|
|
|
# List of systemd services that matrix-nginx-proxy.service wants
|
|
matrix_nginx_proxy_systemd_wanted_services_list: []
|
|
|
|
# A list of additional "volumes" to mount in the container.
|
|
# This list gets populated dynamically at runtime. You can provide a different default value,
|
|
# if you wish to mount your own files into the container.
|
|
# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
|
|
matrix_nginx_proxy_container_additional_volumes: []
|
|
|
|
# A list of extra arguments to pass to the container
|
|
matrix_nginx_proxy_container_extra_arguments: []
|
|
|
|
# Controls whether matrix-nginx-proxy should serve the base domain.
|
|
#
|
|
# This is useful for when you only have your Matrix server, but you need to serve
|
|
# to serve `/.well-known/matrix/*` files from the base domain for the needs of
|
|
# Server-Discovery (Federation) and for Client-Discovery.
|
|
#
|
|
# Besides serving these Matrix files, a homepage would be served with content
|
|
# as specified in the `matrix_nginx_proxy_base_domain_homepage_template` variable.
|
|
# You can also put additional files to use for this webpage
|
|
# in the `{{ matrix_nginx_proxy_data_path }}/matrix-domain` (`/matrix/nginx-proxy/data/matrix-domain`) directory.
|
|
matrix_nginx_proxy_base_domain_serving_enabled: false
|
|
matrix_nginx_proxy_base_domain_hostname: "{{ matrix_domain }}"
|
|
matrix_nginx_proxy_base_domain_homepage_template: |-
|
|
<!doctype html>
|
|
<meta charset="utf-8" />
|
|
<html>
|
|
<body>
|
|
Hello from {{ matrix_domain }}!
|
|
</body>
|
|
</html>
|
|
|
|
# Controls whether proxying the riot domain should be done.
|
|
matrix_nginx_proxy_proxy_riot_enabled: false
|
|
matrix_nginx_proxy_proxy_riot_hostname: "{{ matrix_server_fqn_riot }}"
|
|
|
|
# Controls whether proxying the matrix domain should be done.
|
|
matrix_nginx_proxy_proxy_matrix_enabled: false
|
|
matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}"
|
|
|
|
# Controls whether proxying the dimension domain should be done.
|
|
matrix_nginx_proxy_proxy_dimension_enabled: false
|
|
matrix_nginx_proxy_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}"
|
|
|
|
# Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain)
|
|
matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false
|
|
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
|
|
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081"
|
|
|
|
# Controls whether proxying for the User Directory Search API (`/_matrix/client/r0/user_directory/search`) should be done (on the matrix domain).
|
|
# This can be used to forward the API endpoint to another service, augmenting the functionality of Synapse's own User Directory Search.
|
|
# To learn more, see: https://github.com/kamax-matrix/mxisd/blob/master/docs/features/directory.md
|
|
matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false
|
|
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-mxisd:8090"
|
|
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:8090"
|
|
|
|
# Controls whether proxying for 3PID-based registration (`/_matrix/client/r0/register/(email|msisdn)/requestToken`) should be done (on the matrix domain).
|
|
# This allows another service to control registrations involving 3PIDs.
|
|
# To learn more, see: https://github.com/kamax-matrix/mxisd/blob/master/docs/features/registration.md
|
|
matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled: false
|
|
matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-mxisd:8090"
|
|
matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container: "127.0.0.1:8090"
|
|
|
|
# Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain)
|
|
matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false
|
|
matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-mxisd:8090"
|
|
matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090"
|
|
|
|
# Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain)
|
|
matrix_nginx_proxy_proxy_synapse_metrics: false
|
|
matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled: false
|
|
matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: ""
|
|
|
|
# The addresses where the Matrix Client API is.
|
|
# Certain extensions (like matrix-corporal) may override this in order to capture all traffic.
|
|
matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-synapse:8008"
|
|
matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:8008"
|
|
# This needs to be equal or higher than the maximum upload size accepted by Synapse.
|
|
matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 25
|
|
|
|
# Controls whether proxying for the Matrix Federation API should be done.
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-synapse:8048"
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "localhost:8048"
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb | int) * 3 }}"
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem"
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem"
|
|
|
|
# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
|
|
matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}"
|
|
|
|
# A list of strings containing additional configuration blocks to add to the matrix domain's server configuration.
|
|
matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: []
|
|
|
|
# Specifies when to reload the matrix-nginx-proxy service so that
|
|
# a new SSL certificate could go into effect.
|
|
matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"
|
|
|
|
# Specifies which SSL protocols to use when serving Riot and Synapse
|
|
matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3"
|
|
|
|
# Controls whether the self-check feature should validate SSL certificates.
|
|
matrix_nginx_proxy_self_check_validate_certificates: true
|
|
|
|
# By default, this playbook automatically retrieves and auto-renews
|
|
# free SSL certificates from Let's Encrypt.
|
|
#
|
|
# The following retrieval methods are supported:
|
|
# - "lets-encrypt" - the playbook obtains free SSL certificates from Let's Encrypt
|
|
# - "self-signed" - the playbook generates and self-signs certificates
|
|
# - "manually-managed" - lets you manage certificates by yourself (manually; see below)
|
|
# - "none" - like "manually-managed", but doesn't care if you don't drop certificates in the location it expects
|
|
#
|
|
# If you decide to manage certificates by yourself (`matrix_ssl_retrieval_method: manually-managed`),
|
|
# you'd need to drop them into the directory specified by `matrix_ssl_config_dir_path`
|
|
# obeying the following hierarchy:
|
|
# - <matrix_ssl_config_dir_path>/live/<domain>/fullchain.pem
|
|
# - <matrix_ssl_config_dir_path>/live/<domain>/privkey.pem
|
|
# where <domain> refers to the domains that you need (usually `matrix_server_fqn_matrix` and `matrix_server_fqn_riot`).
|
|
#
|
|
# The "none" type (`matrix_ssl_retrieval_method: none`), simply means that no certificate retrieval will happen.
|
|
# It's useful for when you've disabled the nginx proxy (`matrix_nginx_proxy_enabled: false`)
|
|
# and you'll be using another reverse-proxy server (like Apache) with your own certificates, managed by yourself.
|
|
matrix_ssl_retrieval_method: "lets-encrypt"
|
|
|
|
# The list of domains that this role will obtain certificates for.
|
|
matrix_ssl_domains_to_obtain_certificates_for: []
|
|
|
|
# Controls whether to obtain production or staging certificates from Let's Encrypt.
|
|
matrix_ssl_lets_encrypt_staging: false
|
|
matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v0.33.1"
|
|
matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"
|
|
matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
|
|
matrix_ssl_lets_encrypt_support_email: ~
|
|
|
|
matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"
|
|
matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"
|
|
matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"
|