Move matrix-ma1sd to its own container network and add native Traefik support

This commit is contained in:
Slavi Pantaleev 2024-01-09 15:27:13 +02:00
parent 81f1c4683b
commit aea66442a1
12 changed files with 227 additions and 134 deletions

View File

@ -44,9 +44,9 @@ To use the [Registration](https://github.com/ma1uta/ma1sd/blob/master/docs/featu
- `matrix_synapse_enable_registration_captcha` - to validate registering users using reCAPTCHA, as described in the [enabling reCAPTCHA](configuring_captcha.md) documentation.
- `matrix_synapse_registrations_require_3pid` - to control the types of 3pid (`'email'`, `'msisdn'`) required by the Synapse server for registering
- `matrix_synapse_registrations_require_3pid` - a list of 3pid types (among `'email'`, `'msisdn'`) required by the Synapse server for registering
- variables prefixed with `matrix_nginx_proxy_proxy_matrix_3pid_registration_` (e.g. `matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled`) - to configure the integrated nginx webserver to send registration requests to ma1sd (instead of Synapse), so it can apply its additional functionality
- variables prefixed with `matrix_ma1sd_container_labels_` (e.g. `matrix_ma1sd_container_labels_matrix_client_3pid_registration_enabled`) - to configure the Traefik reverse-proxy to capture and send registration requests to ma1sd (instead of Synapse), so it can apply its additional functionality
- `matrix_ma1sd_configuration_extension_yaml` - to configure ma1sd as required. See the [Registration feature's docs](https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md) for inspiration. Also see the [Additional features](#additional-features) section below to learn more about how to use `matrix_ma1sd_configuration_extension_yaml`.

View File

@ -3131,6 +3131,9 @@ exim_relay_sender_address: "matrix@{{ matrix_domain }}"
# we can stop installing ma1sd.
matrix_ma1sd_enabled: false
matrix_ma1sd_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
matrix_ma1sd_hostname: "{{ matrix_server_fqn_matrix }}"
matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
# Normally, matrix-nginx-proxy is enabled and nginx can reach ma1sd over the container network.
@ -3138,13 +3141,26 @@ matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
# ma1sd's web-server port.
matrix_ma1sd_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '' ~ matrix_ma1sd_container_port | string) if matrix_playbook_service_host_bind_interface_prefix else '' }}"
matrix_ma1sd_container_additional_networks: |
matrix_ma1sd_container_network: "{{ matrix_addons_container_network }}"
matrix_ma1sd_container_additional_networks_auto: |
{{
(
([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network])
+
([devture_postgres_container_network] if (devture_postgres_enabled and matrix_ma1sd_database_hostname == devture_postgres_connection_hostname and matrix_ma1sd_container_network != devture_postgres_container_network) else [])
+
([exim_relay_container_network] if (exim_relay_enabled and matrix_ma1sd_threepid_medium_email_connectors_smtp_host == exim_relay_identifier and matrix_ma1sd_container_network != exim_relay_container_network) else [])
+
([matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_playbook_reverse_proxyable_services_additional_network and matrix_ma1sd_container_labels_traefik_enabled) else [])
) | unique
}}
matrix_ma1sd_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
matrix_ma1sd_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
matrix_ma1sd_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
matrix_ma1sd_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
# We enable Synapse integration via its Postgres database by default.
# When using another Identity store, you might wish to disable this and define
# your own configuration in `matrix_ma1sd_configuration_extension_yaml`.
@ -3156,7 +3172,7 @@ matrix_ma1sd_dns_overwrite_enabled: true
matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}"
# The `matrix_ma1sd_dns_overwrite_homeserver_client_value` value when matrix_nginx_proxy_enabled is false covers the general case,
# but may be inaccurate if matrix-corporal is enabled.
matrix_ma1sd_dns_overwrite_homeserver_client_value: "{{ matrix_homeserver_container_url }}"
matrix_ma1sd_dns_overwrite_homeserver_client_value: "{{ matrix_addons_homeserver_client_api_url }}"
# By default, we send mail through the exim relay service.
matrix_ma1sd_threepid_medium_email_identity_from: "{{ exim_relay_sender_address }}"
@ -3168,13 +3184,13 @@ matrix_ma1sd_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_
matrix_ma1sd_systemd_required_services_list_auto: |
{{
matrix_addons_homeserver_systemd_services_list
+
([devture_postgres_identifier ~ '.service'] if (devture_postgres_enabled and matrix_ma1sd_database_hostname == devture_postgres_connection_hostname) else [])
}}
matrix_ma1sd_systemd_wanted_services_list_auto: |
{{
(['matrix-corporal.service'] if matrix_corporal_enabled else ['matrix-' + matrix_homeserver_implementation + '.service'])
+
([exim_relay_identifier ~ '.service'] if (exim_relay_enabled and matrix_ma1sd_threepid_medium_email_connectors_smtp_host == exim_relay_identifier) else [])
}}
@ -3304,10 +3320,6 @@ matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enable
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081"
matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_ma1sd_enabled }}"
matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"
matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"
# NOTE: we cannot disable this, even though matrix-media-repo is already natively exposed at the Traefik level.
# See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3045#issuecomment-1867327001
matrix_nginx_proxy_proxy_media_repo_enabled: "{{ matrix_media_repo_enabled }}"
@ -3349,10 +3361,6 @@ matrix_nginx_proxy_proxy_conduit_federation_api_addr_sans_container: "127.0.0.1:
# When matrix-nginx-proxy is disabled, the actual port number that the vhost uses may begin to matter.
matrix_nginx_proxy_proxy_matrix_federation_port: "{{ matrix_federation_public_port }}"
matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}"
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}"
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}"
# OCSP stapling does not make sense when self-signed certificates are used.
# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1073
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1074
@ -3368,8 +3376,6 @@ matrix_nginx_proxy_systemd_wanted_services_list: |
+
(['matrix-corporal.service'] if matrix_corporal_enabled else [])
+
(['matrix-ma1sd.service'] if matrix_ma1sd_enabled else [])
+
([(matrix_media_repo_identifier + '.service')] if matrix_media_repo_enabled else [])
+
(['matrix-client-cinny.service'] if matrix_client_cinny_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [])
@ -3498,9 +3504,7 @@ matrix_homeserver_proxy_client_api_client_max_body_size_mb: |-
matrix_homeserver_proxy_federation_api_addr: "{{ matrix_homeserver_container_federation_api_endpoint }}"
# matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_ma1sd_enabled }}"
# matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"
# matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"
# TODO - connect this to the identity server, if enabled
# # NOTE: we cannot disable this, even though matrix-media-repo is already natively exposed at the Traefik level.
# # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3045#issuecomment-1867327001
@ -3508,10 +3512,7 @@ matrix_homeserver_proxy_federation_api_addr: "{{ matrix_homeserver_container_fed
# matrix_nginx_proxy_proxy_media_repo_addr_with_container: "{{ matrix_media_repo_identifier }}:{{ matrix_media_repo_port }}"
# matrix_nginx_proxy_proxy_media_repo_addr_sans_container: "127.0.0.1:{{ matrix_media_repo_port }}"
# matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}"
# matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}"
# matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}"
# TODO - adjust ma1sd stuff below, if necessary
matrix_homeserver_proxy_systemd_wanted_services_list_auto: |
{{
matrix_homeserver_systemd_services_list
@ -4142,8 +4143,10 @@ matrix_synapse_gid: "{{ matrix_user_gid }}"
matrix_synapse_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
matrix_synapse_account_threepid_delegates_msisdn_mas1sd_url: "{{ ('http://matrix-ma1sd:' + matrix_ma1sd_container_port| string) }}"
# When ma1sd is enabled, we can use it to validate phone numbers. It's something that the homeserver cannot do by itself.
matrix_synapse_account_threepid_delegates_msisdn: "{{ 'http://matrix-ma1sd:' + matrix_ma1sd_container_port | string if matrix_ma1sd_enabled else '' }}"
matrix_synapse_account_threepid_delegates_msisdn: "{{ matrix_synapse_account_threepid_delegates_msisdn_mas1sd_url if matrix_ma1sd_enabled else '' }}"
# For exposing the Matrix Federation API's TLS port (HTTPS) to the internet on all network interfaces.
matrix_synapse_container_federation_api_tls_host_bind_port: "{{ matrix_federation_public_port if (matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled) else '' }}"
@ -4166,6 +4169,8 @@ matrix_synapse_container_additional_networks: |
([redis_container_network] if matrix_synapse_redis_enabled and matrix_synapse_redis_host == redis_identifier else [])
+
([exim_relay_container_network] if (exim_relay_enabled and matrix_synapse_email_enabled and matrix_synapse_email_smtp_host == exim_relay_identifier and matrix_synapse_container_network != exim_relay_container_network) else [])
+
([matrix_ma1sd_container_network] if (matrix_ma1sd_enabled and matrix_synapse_account_threepid_delegates_msisdn == matrix_synapse_account_threepid_delegates_msisdn_mas1sd_url and matrix_synapse_container_network != matrix_ma1sd_container_network) else [])
) | unique
}}

View File

@ -4,6 +4,9 @@
matrix_ma1sd_enabled: true
matrix_ma1sd_scheme: https
matrix_ma1sd_hostname: ''
matrix_ma1sd_container_image_self_build: false
matrix_ma1sd_container_image_self_build_repo: "https://github.com/ma1uta/ma1sd.git"
matrix_ma1sd_container_image_self_build_branch: "{{ matrix_ma1sd_version }}"
@ -43,14 +46,65 @@ matrix_ma1sd_systemd_wanted_services_list_auto: []
matrix_ma1sd_systemd_wanted_services_list_custom: []
# The base container network. It will be auto-created by this role if it doesn't exist already.
matrix_ma1sd_container_network: "{{ matrix_docker_network }}"
matrix_ma1sd_container_network: ""
# A list of additional container networks that matrix-ma1sd would be connected to.
# The playbook does not create these networks, so make sure they already exist.
#
# Use this to expose matrix-ma1sd to another docker network, that matrix-ma1sd might have to reach for authentication (e.g. an ldap instance)
matrix_ma1sd_container_additional_networks: "{{ matrix_ma1sd_container_additional_networks_auto + matrix_ma1sd_container_additional_networks_custom }}"
matrix_ma1sd_container_additional_networks_auto: []
matrix_ma1sd_container_additional_networks_custom: []
# matrix_ma1sd_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
# See `../templates/labels.j2` for details.
#
matrix_ma1sd_container_additional_networks: []
# To inject your own other container labels, see `matrix_ma1sd_container_labels_additional_labels`.
matrix_ma1sd_container_labels_traefik_enabled: true
matrix_ma1sd_container_labels_traefik_docker_network: "{{ matrix_ma1sd_container_network }}"
matrix_ma1sd_container_labels_traefik_entrypoints: web-secure
matrix_ma1sd_container_labels_traefik_tls_certResolver: default # noqa var-naming
# Controls whether labels will be added that expose ma1sd's /_matrix/identity endpoints
matrix_ma1sd_container_labels_matrix_identity_enabled: "{{ matrix_ma1sd_container_labels_traefik_enabled }}"
matrix_ma1sd_container_labels_matrix_identity_hostname: "{{ matrix_ma1sd_hostname }}"
matrix_ma1sd_container_labels_matrix_identity_path_prefix: "/_matrix/identity"
matrix_ma1sd_container_labels_matrix_identity_traefik_rule: "Host(`{{ matrix_ma1sd_container_labels_matrix_identity_hostname }}`) && PathPrefix(`{{ matrix_ma1sd_container_labels_matrix_identity_path_prefix }}`)"
matrix_ma1sd_container_labels_matrix_identity_traefik_priority: 0
matrix_ma1sd_container_labels_matrix_identity_traefik_entrypoints: "{{ matrix_ma1sd_container_labels_traefik_entrypoints }}"
matrix_ma1sd_container_labels_matrix_identity_traefik_tls: "{{ matrix_ma1sd_container_labels_matrix_identity_traefik_entrypoints != 'web' }}"
matrix_ma1sd_container_labels_matrix_identity_traefik_tls_certResolver: "{{ matrix_ma1sd_container_labels_traefik_tls_certResolver }}" # noqa var-naming
# Controls whether labels will be added that expose ma1sd's /_matrix/client/VERSION/user_directory/search endpoint
matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled: "{{ matrix_ma1sd_container_labels_traefik_enabled }}"
matrix_ma1sd_container_labels_matrix_client_user_directory_search_hostname: "{{ matrix_ma1sd_hostname }}"
matrix_ma1sd_container_labels_matrix_client_user_directory_search_path: "/_matrix/client/{version:(r0|v3)}/user_directory/search"
matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_rule: "Host(`{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_hostname }}`) && Path(`{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_path }}`)"
matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_priority: 0
matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_entrypoints: "{{ matrix_ma1sd_container_labels_traefik_entrypoints }}"
matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls: "{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_entrypoints != 'web' }}"
matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls_certResolver: "{{ matrix_ma1sd_container_labels_traefik_tls_certResolver }}" # noqa var-naming
# Controls whether labels will be added that expose ma1sd's /_matrix/client/VERSION/register/TYPE/requestToken endpoints
# This allows another service to control registrations involving 3PIDs.
# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md
matrix_ma1sd_container_labels_matrix_client_3pid_registration_enabled: false
matrix_ma1sd_container_labels_matrix_client_3pid_registration_hostname: "{{ matrix_ma1sd_hostname }}"
matrix_ma1sd_container_labels_matrix_client_3pid_registration_path: "/_matrix/client/{version:(r0|v3)}/register/{type:(email|msisdn)}/requestToken"
matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_rule: "Host(`{{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_hostname }}`) && Path(`{{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_path }}`)"
matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_priority: 0
matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_entrypoints: "{{ matrix_ma1sd_container_labels_traefik_entrypoints }}"
matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls: "{{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_entrypoints != 'web' }}"
matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls_certResolver: "{{ matrix_ma1sd_container_labels_traefik_tls_certResolver }}" # noqa var-naming
# matrix_ma1sd_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
# See `../templates/labels.j2` for details.
#
# Example:
# matrix_ma1sd_container_labels_additional_labels: |
# my.label=1
# another.label="here"
matrix_ma1sd_container_labels_additional_labels: ''
# Your identity server is private by default.
# To ensure maximum discovery, you can make your identity server
@ -59,7 +113,6 @@ matrix_ma1sd_container_additional_networks: []
# Enabling this is discouraged. Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/features/identity.md#lookups
matrix_ma1sd_matrixorg_forwarding_enabled: false
# Database-related configuration fields.
#
# To use SQLite, stick to these defaults.
@ -130,6 +183,7 @@ matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template:
# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/mxid-template.eml
matrix_ma1sd_threepid_medium_email_custom_matrixid_template: ""
matrix_ma1sd_self_check_endpoint_url: "{{ matrix_ma1sd_scheme }}://{{ matrix_ma1sd_hostname }}/_matrix/identity/api/v1"
# Controls whether the self-check feature should validate SSL certificates.
matrix_ma1sd_self_check_validate_certificates: true

View File

@ -20,6 +20,7 @@
- tags:
- self-check
- self-check-ma1sd
block:
- when: matrix_ma1sd_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml"

View File

@ -1,11 +1,8 @@
---
- ansible.builtin.set_fact:
ma1sd_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/identity/api/v1"
- name: Check ma1sd Identity Service
ansible.builtin.uri:
url: "{{ ma1sd_url_endpoint_public }}"
url: "{{ matrix_ma1sd_self_check_endpoint_url }}"
follow_redirects: none
validate_certs: "{{ matrix_ma1sd_self_check_validate_certificates }}"
check_mode: false
@ -16,9 +13,9 @@
- name: Fail if ma1sd Identity Service not working
ansible.builtin.fail:
msg: "Failed checking ma1sd is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ ma1sd_url_endpoint_public }}`). Is ma1sd running? Is port 443 open in your firewall? Full error: {{ result_ma1sd }}"
msg: "Failed checking ma1sd is up at `{{ matrix_ma1sd_hostname }}` (checked endpoint: `{{ matrix_ma1sd_self_check_endpoint_url }}`). Is ma1sd running? Is port 443 open in your firewall? Full error: {{ result_ma1sd }}"
when: "result_ma1sd.failed or 'json' not in result_ma1sd"
- name: Report working ma1sd Identity Service
ansible.builtin.debug:
msg: "ma1sd at `{{ matrix_server_fqn_matrix }}` is working (checked endpoint: `{{ ma1sd_url_endpoint_public }}`)"
msg: "ma1sd at `{{ matrix_ma1sd_hostname }}` is working (checked endpoint: `{{ matrix_ma1sd_self_check_endpoint_url }}`)"

View File

@ -122,6 +122,21 @@
- {value: "{{ matrix_ma1sd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'}
when: "matrix_ma1sd_threepid_medium_email_custom_templates_enabled | bool and item.value"
- name: Ensure ma1sd support files installed
ansible.builtin.template:
src: "{{ role_path }}/templates/{{ item }}.j2"
dest: "{{ matrix_ma1sd_base_path }}/{{ item }}"
mode: 0640
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- labels
- name: Ensure ma1sd container network is created
community.general.docker_network:
name: "{{ matrix_ma1sd_container_network }}"
driver: bridge
- name: Ensure matrix-ma1sd.service installed
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/matrix-ma1sd.service.j2"

View File

@ -45,9 +45,15 @@
You need to define a required configuration setting (`{{ item.name }}`).
when: "item.when | bool and vars[item.name] == ''"
with_items:
- {'name': 'matrix_ma1sd_hostname', when: true}
- {'name': 'matrix_ma1sd_threepid_medium_email_connectors_smtp_host', when: true}
- {'name': 'matrix_ma1sd_dns_overwrite_homeserver_client_value', when: true}
- {'name': 'matrix_ma1sd_database_hostname', when: "{{ matrix_ma1sd_database_engine == 'postgres' }}"}
- {'name': 'matrix_ma1sd_container_network', when: true}
- {'name': 'matrix_ma1sd_container_labels_matrix_identity_hostname', when: "{{ matrix_ma1sd_container_labels_matrix_identity_enabled }}"}
- {'name': 'matrix_ma1sd_container_labels_matrix_identity_path_prefix', when: "{{ matrix_ma1sd_container_labels_matrix_identity_enabled }}"}
- {'name': 'matrix_ma1sd_container_labels_matrix_client_user_directory_search_hostname', when: "{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled }}"}
- {'name': 'matrix_ma1sd_container_labels_matrix_client_user_directory_search_path', when: "{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled }}"}
- name: (Deprecation) Catch and report renamed ma1sd variables
ansible.builtin.fail:

View File

@ -0,0 +1,99 @@
{% if matrix_ma1sd_container_labels_traefik_enabled %}
traefik.enable=true
{% if matrix_ma1sd_container_labels_traefik_docker_network %}
traefik.docker.network={{ matrix_ma1sd_container_labels_traefik_docker_network }}
{% endif %}
traefik.http.services.matrix-ma1sd.loadbalancer.server.port={{ matrix_ma1sd_container_port }}
{#
Matrix Identity APIs (/_matrix/identity)
#}
{% if matrix_ma1sd_container_labels_matrix_identity_enabled %}
traefik.http.routers.matrix-ma1sd-matrix-identity.rule={{ matrix_ma1sd_container_labels_matrix_identity_traefik_rule }}
{% if matrix_ma1sd_container_labels_matrix_identity_traefik_priority | int > 0 %}
traefik.http.routers.matrix-ma1sd-matrix-identity.priority={{ matrix_ma1sd_container_labels_matrix_identity_traefik_priority }}
{% endif %}
traefik.http.routers.matrix-ma1sd-matrix-identity.service=matrix-ma1sd
traefik.http.routers.matrix-ma1sd-matrix-identity.entrypoints={{ matrix_ma1sd_container_labels_matrix_identity_traefik_entrypoints }}
traefik.http.routers.matrix-ma1sd-matrix-identity.tls={{ matrix_ma1sd_container_labels_matrix_identity_traefik_tls | to_json }}
{% if matrix_ma1sd_container_labels_matrix_identity_traefik_tls %}
traefik.http.routers.matrix-ma1sd-matrix-identity.tls.certResolver={{ matrix_ma1sd_container_labels_matrix_identity_traefik_tls_certResolver }}
{% endif %}
{% endif %}
{#
/Matrix Identity APIs (/_matrix/identity)
#}
{#
Matrix Client user-directory search API endpoint (/_matrix/client/VERSION/user_directory/search)
#}
{% if matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled %}
{#
ma1sd only supports /_matrix/client/r0/user_directory/search,
while we potentially handle /_matrix/client/v3/user_directory/search as well,
so we need to transparently reroute.
#}
traefik.http.middlewares.matrix-ma1sd-matrix-client-user-directory-search-replacepath.replacepath.path=/_matrix/client/r0/user_directory/search
traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.rule={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_rule }}
traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.middlewares=matrix-ma1sd-matrix-client-user-directory-search-replacepath
{% if matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_priority | int > 0 %}
traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.priority={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_priority }}
{% endif %}
traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.service=matrix-ma1sd
traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.entrypoints={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_entrypoints }}
traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.tls={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls | to_json }}
{% if matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls %}
traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.tls.certResolver={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls_certResolver }}
{% endif %}
{% endif %}
{#
/Matrix Client user-directory search API endpoint (/_matrix/client/VERSION/user_directory/search)
#}
{#
Matrix Client 3pid registration API endpoint (/_matrix/client/VERSION/register/TYPE/requestToken)
#}
{% if matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled %}
{#
ma1sd only supports /_matrix/client/r0/user_directory/search,
while we potentially handle /_matrix/client/v3/user_directory/search as well,
so we need to transparently reroute.
#}
traefik.http.middlewares.matrix-ma1sd-matrix-client-3pid-registration-replacepathregex.replacepathregex.regex=^/_matrix/client/([^/]+)/register/([^/]+)/requestToken
traefik.http.middlewares.matrix-ma1sd-matrix-client-3pid-registration-replacepathregex.replacepathregex.replacement=/_matrix/client/r0/register/${2}/requestToken
traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.rule={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_rule }}
traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.middlewares=matrix-ma1sd-matrix-client-3pid-registration-replacepathregex
{% if matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_priority | int > 0 %}
traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.priority={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_priority }}
{% endif %}
traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.service=matrix-ma1sd
traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.entrypoints={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_entrypoints }}
traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.tls={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls | to_json }}
{% if matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls %}
traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.tls.certResolver={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls_certResolver }}
{% endif %}
{% endif %}
{#
/Matrix Client 3pid registration API endpoint (/_matrix/client/VERSION/register/TYPE/requestToken)
#}
{% endif %}
{{ matrix_ma1sd_container_labels_additional_labels }}

View File

@ -35,6 +35,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
{% endif %}
--mount type=bind,src={{ matrix_ma1sd_config_path }},dst=/etc/ma1sd,ro \
--mount type=bind,src={{ matrix_ma1sd_data_path }},dst=/var/ma1sd \
--label-file={{ matrix_ma1sd_base_path }}/labels \
{% for arg in matrix_ma1sd_container_extra_arguments %}
{{ arg }} \
{% endfor %}

View File

@ -228,37 +228,6 @@ matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081"
# Controls whether proxying for the User Directory Search API (`/_matrix/client/r0/user_directory/search`) should be done (on the matrix domain).
# This can be used to forward the API endpoint to another service, augmenting the functionality of Synapse's own User Directory Search.
# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/directory.md
matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"
# Controls whether the user directory search API will be URL-rewritten (/_matrix/client/v3/user_directory/search -> /_matrix/client/r0/user_directory/search).
# This is to assist identity servers which only handle the r0 endpoints.
# The v3 endpoints are the same (spec-wise), so they can usually be redirected without downsides.
# If this is disabled, API requests will be forwarded as-is, without any URL rewriting.
matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled: true
# Controls whether proxying for 3PID-based registration (`/_matrix/client/r0/register/(email|msisdn)/requestToken`) should be done (on the matrix domain).
# This allows another service to control registrations involving 3PIDs.
# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md
matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled: false
matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"
matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"
# Controls whether the user directory search API will be URL-rewritten (/_matrix/client/v3/register/(email|msisdn)/requestToken -> /_matrix/client/r0/register/(email|msisdn)/requestToken).
# This is to assist identity servers which only handle the r0 endpoints.
# The v3 endpoints are the same (spec-wise), so they can usually be redirected without downsides.
# If this is disabled, API requests will be forwarded as-is, without any URL rewriting.
matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled: true
# Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain)
matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false
matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"
matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"
# Controls whether proxying for the media repo (`/_matrix/media`) should be done (on the matrix domain)
matrix_nginx_proxy_proxy_media_repo_enabled: false
matrix_nginx_proxy_proxy_media_repo_addr_with_container: "matrix-media-repo:{{ matrix_media_repo_port }}"

View File

@ -51,24 +51,6 @@
}
{% endif %}
{% if matrix_nginx_proxy_proxy_matrix_identity_api_enabled %}
location ^~ /_matrix/identity {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;
set $backend "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}";
proxy_pass http://$backend;
{% else %}
{# Generic configuration for use outside of our container setup #}
proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }};
{% endif %}
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
}
{% endif %}
{% if matrix_nginx_proxy_proxy_media_repo_enabled %}
# Redirect all media endpoints to the media-repo
location ^~ /_matrix/media {
@ -162,53 +144,6 @@
}
{% endif %}
{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled %}
location ~ ^/_matrix/client/(r0|v3)/user_directory/search {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;
set $backend "{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container }}";
{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled %}
rewrite ^(.*?)/v3/(.*?)$ $1/r0/$2 break;
{% endif %}
proxy_pass http://$backend;
{% else %}
{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled %}
rewrite ^(.*?)/v3/(.*?)$ $1/r0/$2 break;
{% endif %}
{# Generic configuration for use outside of our container setup #}
proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container }};
{% endif %}
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
}
{% endif %}
{% if matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled %}
location ~ ^/_matrix/client/(r0|v3)/register/(email|msisdn)/requestToken$ {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;
set $backend "{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container }}";
{% if matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled %}
rewrite ^(.*?)/v3/(.*?)$ $1/r0/$2 break;
{% endif %}
proxy_pass http://$backend;
{% else %}
{% if matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled %}
rewrite ^(.*?)/v3/(.*?)$ $1/r0/$2 break;
{% endif %}
{# Generic configuration for use outside of our container setup #}
proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container }};
{% endif %}
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
}
{% endif %}
{% for configuration_block in matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks %}
{{- configuration_block }}
{% endfor %}

View File

@ -94,6 +94,17 @@
- {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled', 'new': 'matrix_synapse_container_labels_client_synapse_client_api_enabled'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled', 'new': 'matrix_synapse_container_labels_client_synapse_oidc_api_enabled'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled', 'new': 'matrix_synapse_container_labels_client_synapse_admin_api_enabled'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_enabled', 'new': '<superseded by matrix_ma1sd_container_labels_traefik_enabled and matrix_ma1sd_container_labels_matrix_identity_enabled>'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container', 'new': '<removed>'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container', 'new': '<removed>'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled', 'new': '<superseded by matrix_ma1sd_container_labels_traefik_enabled and matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled>'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container', 'new': '<removed>'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container', 'new': '<removed>'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled', 'new': '<superseded by matrix_ma1sd_container_labels_matrix_client_user_directory_search_path>'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled', 'new': 'matrix_ma1sd_container_labels_matrix_client_3pid_registration_enabled'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container', 'new': '<removed>'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container', 'new': '<removed>'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled', 'new': '<superseded by matrix_ma1sd_container_labels_matrix_client_3pid_registration_path>'}
- name: (Deprecation) Catch and report matrix_postgres variables
ansible.builtin.fail: