Fix OCSP-stapling-related errors due to missing resolver

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057

roles/matrix-nginx-proxy/defaults/main.yml

@@ -357,6 +357,18 @@ matrix_nginx_proxy_self_check_validate_certificates: true
 # so we default to not following redirects as well.
 matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects: none
 
+# For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter).
+#
+# Otherwise, we get warnings like this:
+# > [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/matrix/ssl/config/live/.../fullchain.pem"
+#
+# We point it to the internal Docker resolver, which likely delegates to nameservers defined in `/etc/resolv.conf`.
+#
+# When nginx proxy is disabled, our configuration is likely used by non-containerized nginx, so can't use the internal Docker resolver.
+# Pointing `resolver` to some public DNS server might be an option, but for now we impose DNS servers on people.
+# It might also be that no such warnings occur when not running in a container.
+matrix_nginx_proxy_http_level_resolver: "{{ '127.0.0.11' if matrix_nginx_proxy_enabled else '' }}"
+
 # By default, this playbook automatically retrieves and auto-renews
 # free SSL certificates from Let's Encrypt.
 #

roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2

@@ -4,6 +4,11 @@
 #
 # Thus, we ensure a larger bucket size value is used.
 server_names_hash_bucket_size 64;
+
+{% if matrix_nginx_proxy_http_level_resolver %}
+	resolver {{ matrix_nginx_proxy_http_level_resolver }};
+{% endif %}
+
 {% for configuration_block in matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks %}
 	{{- configuration_block }}
 {% endfor %}