From b91ad453be811841df80aa6aab7c2f013a0c8c20 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 15 Jan 2024 09:39:36 +0200 Subject: [PATCH] Adjust TLS variables for homeservers to follow devture_traefik_config_entrypoint_web_secure_enabled (via matrix_federation_traefik_entrypoint_tls) --- docs/configuring-playbook-own-webserver.md | 6 ++++-- group_vars/matrix_servers | 18 ++++++++++++++---- roles/custom/matrix-base/defaults/main.yml | 13 ++++++++++--- roles/custom/matrix-conduit/defaults/main.yml | 3 ++- roles/custom/matrix-dendrite/defaults/main.yml | 3 ++- .../custom/matrix-media-repo/defaults/main.yml | 8 ++++---- .../defaults/main.yml | 3 ++- roles/custom/matrix-synapse/defaults/main.yml | 3 ++- .../tasks/validate_config.yml | 1 + 9 files changed, 41 insertions(+), 17 deletions(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index a9dcf352d..4b4be7b53 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -42,7 +42,7 @@ devture_traefik_certs_dumper_ssl_dir_path: "/path/to/your/traefiks/acme.json/dir # Uncomment and tweak the variable below if the name of your federation entrypoint is different # than the default value (matrix-federation). -# matrix_federation_traefik_entrypoint: matrix-federation +# matrix_federation_traefik_entrypoint_name: matrix-federation ``` In this mode all roles will still have Traefik labels attached. You will, however, need to configure your Traefik instance and its entrypoints. @@ -145,7 +145,9 @@ matrix_playbook_reverse_proxy_type: playbook-managed-traefik # Ensure that public urls use https matrix_playbook_ssl_enabled: true -# Disable the web-secure (port 443) endpoint, which also disables SSL certificate retrieval +# Disable the web-secure (port 443) endpoint, which also disables SSL certificate retrieval. +# This has the side-effect of also automatically disabling TLS for the matrix-federation entrypoint +# (by toggling `matrix_federation_traefik_entrypoint_tls`). devture_traefik_config_entrypoint_web_secure_enabled: false # If your reverse-proxy runs on another machine, consider using `0.0.0.0:81`, just `81` or `SOME_IP_ADDRESS_OF_THIS_MACHINE:81` diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 589e8cf35..2718219ec 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -30,6 +30,11 @@ matrix_playbook_reverse_proxy_hostname: "{{ devture_traefik_identifier if devtur # A separate Matrix Federation entrypoint is always enabled, unless the federation port matches one of the ports for existing (default) entrypoints matrix_playbook_public_matrix_federation_api_traefik_entrypoint_enabled: "{{ matrix_federation_public_port not in [devture_traefik_config_entrypoint_web_port, devture_traefik_config_entrypoint_web_secure_port] }}" +# `devture_traefik_config_entrypoint_web_secure_enabled` is the variable we currently follow to determine if SSL is enabled or not. +# `matrix_playbook_ssl_enabled` is merely an indicator if (when looked at it publicly), the server supports SSL or not, +# and affects how services configure their public URLs. +matrix_federation_traefik_entrypoint_tls: "{{ devture_traefik_config_entrypoint_web_secure_enabled }}" + ######################################################################## # # # /Playbook # @@ -3910,7 +3915,9 @@ matrix_synapse_container_labels_public_client_root_redirection_url: "{{ (('https matrix_synapse_container_labels_public_client_synapse_admin_api_enabled: "{{ matrix_synapse_admin_enabled }}" -matrix_synapse_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint }}" +matrix_synapse_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}" +matrix_synapse_container_labels_public_federation_api_traefik_tls: "{{ matrix_federation_traefik_entrypoint_tls }}" +matrix_synapse_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_synapse_container_labels_traefik_tls_certResolver }}" # noqa var-naming matrix_synapse_container_labels_public_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}" matrix_synapse_container_labels_public_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}" @@ -4066,7 +4073,8 @@ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_cl matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_enabled: "{{ matrix_synapse_container_labels_public_client_synapse_oidc_api_enabled }}" matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_enabled: "{{ matrix_synapse_container_labels_public_client_synapse_admin_api_enabled }}" -matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint }}" +matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_synapse_container_labels_public_federation_api_traefik_entrypoints }}" +matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_tls: "{{ matrix_synapse_container_labels_public_federation_api_traefik_tls }}" matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_enabled: "{{ matrix_synapse_container_labels_internal_client_api_enabled }}" matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_synapse_container_labels_internal_client_api_traefik_entrypoints }}" @@ -4585,7 +4593,8 @@ matrix_dendrite_container_labels_public_client_synapse_admin_api_enabled: "{{ ma matrix_dendrite_container_labels_public_client_root_redirection_enabled: "{{ matrix_dendrite_container_labels_public_client_root_redirection_url != '' }}" matrix_dendrite_container_labels_public_client_root_redirection_url: "{{ (('https://' if matrix_playbook_ssl_enabled else 'http://') + matrix_server_fqn_element) if matrix_client_element_enabled else '' }}" -matrix_dendrite_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint }}" +matrix_dendrite_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}" +matrix_dendrite_container_labels_public_federation_api_traefik_tls: "{{ matrix_federation_traefik_entrypoint_tls }}" matrix_dendrite_container_labels_public_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}" matrix_dendrite_container_labels_public_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}" @@ -4674,7 +4683,8 @@ matrix_conduit_container_labels_traefik_tls_certResolver: "{{ devture_traefik_ce matrix_conduit_container_labels_public_client_root_redirection_enabled: "{{ matrix_conduit_container_labels_public_client_root_redirection_url != '' }}" matrix_conduit_container_labels_public_client_root_redirection_url: "{{ (('https://' if matrix_playbook_ssl_enabled else 'http://') + matrix_server_fqn_element) if matrix_client_element_enabled else '' }}" -matrix_conduit_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint }}" +matrix_conduit_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}" +matrix_conduit_container_labels_public_federation_api_traefik_tls: "{{ matrix_federation_traefik_entrypoint_tls }}" matrix_conduit_container_labels_internal_client_api_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}" matrix_conduit_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}" diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index 3630e20cc..b3d907e03 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml @@ -111,7 +111,13 @@ matrix_federation_public_port: 8448 # The name of the Traefik entrypoint for handling Matrix Federation # Also see the `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_*` variables. -matrix_federation_traefik_entrypoint: matrix-federation +matrix_federation_traefik_entrypoint_name: matrix-federation + +# Controls whether the federation entrypoint supports TLS. +# TLS is force-enabled here, because the spec (https://spec.matrix.org/v1.9/server-server-api/#tls) says that the federation API must use HTTPS. +# This may be changed at the playbook level for setups explicitly disabling TLS. +# `matrix_playbook_ssl_enabled` has no influence over this. +matrix_federation_traefik_entrypoint_tls: true # The architecture that your server runs. # Recognized values by us are 'amd64', 'arm32' and 'arm64'. @@ -235,7 +241,8 @@ matrix_playbook_reverse_proxyable_services_additional_network: "{{ matrix_playbo # Controls if various services think if SSL is enabled or not. # Disabling this does not actually disable Treafik's web-secure entrypoint and TLS termination settings. -# For that, you'd need to use other variables. This one merely serves as an indicator if SSL is used or not. +# For that, you'd need to use another variable (`devture_traefik_config_entrypoint_web_secure_enabled`). +# This variable merely serves as an indicator if SSL is used or not. matrix_playbook_ssl_enabled: true matrix_playbook_service_host_bind_interface_prefix: "{{ '' if matrix_playbook_reverse_proxy_type not in ['other-nginx-non-container', 'other-on-same-host', 'other-on-another-host'] else ('0.0.0.0:' if matrix_playbook_reverse_proxy_type == 'other-on-another-host' else '127.0.0.1:') }}" @@ -244,7 +251,7 @@ matrix_playbook_service_host_bind_interface_prefix: "{{ '' if matrix_playbook_re # By default, federation is served on a special port (8448), so a separate entrypoint is necessary. # Group variables may influence whether this is enabled based on the port number and on the default entrypoints of the Traefik reverse-proxy. matrix_playbook_public_matrix_federation_api_traefik_entrypoint_enabled: true -matrix_playbook_public_matrix_federation_api_traefik_entrypoint_name: "{{ matrix_federation_traefik_entrypoint }}" +matrix_playbook_public_matrix_federation_api_traefik_entrypoint_name: "{{ matrix_federation_traefik_entrypoint_name }}" matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port: "{{ matrix_federation_public_port }}" matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port: "{{ matrix_federation_public_port }}" matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_auto | combine(matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom, recursive=True) }}" diff --git a/roles/custom/matrix-conduit/defaults/main.yml b/roles/custom/matrix-conduit/defaults/main.yml index 9852f9ba9..1872515fe 100644 --- a/roles/custom/matrix-conduit/defaults/main.yml +++ b/roles/custom/matrix-conduit/defaults/main.yml @@ -85,7 +85,8 @@ matrix_conduit_container_labels_public_federation_api_traefik_path_prefix: /_mat matrix_conduit_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_conduit_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_conduit_container_labels_public_federation_api_traefik_path_prefix }}`)" matrix_conduit_container_labels_public_federation_api_traefik_priority: 0 matrix_conduit_container_labels_public_federation_api_traefik_entrypoints: '' -matrix_conduit_container_labels_public_federation_api_traefik_tls: "{{ matrix_conduit_container_labels_public_federation_api_traefik_entrypoints != 'web' }}" +# TLS is force-enabled here, because the spec (https://spec.matrix.org/v1.9/server-server-api/#tls) says that the federation API must use HTTPS. +matrix_conduit_container_labels_public_federation_api_traefik_tls: true matrix_conduit_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_conduit_container_labels_traefik_tls_certResolver }}" # noqa var-naming # matrix_conduit_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml index 9c6e06e49..1261657b4 100644 --- a/roles/custom/matrix-dendrite/defaults/main.yml +++ b/roles/custom/matrix-dendrite/defaults/main.yml @@ -129,7 +129,8 @@ matrix_dendrite_container_labels_public_federation_api_traefik_path_prefix: /_ma matrix_dendrite_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_dendrite_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_dendrite_container_labels_public_federation_api_traefik_path_prefix }}`)" matrix_dendrite_container_labels_public_federation_api_traefik_priority: 0 matrix_dendrite_container_labels_public_federation_api_traefik_entrypoints: '' -matrix_dendrite_container_labels_public_federation_api_traefik_tls: "{{ matrix_dendrite_container_labels_public_federation_api_traefik_entrypoints != 'web' }}" +# TLS is force-enabled here, because the spec (https://spec.matrix.org/v1.9/server-server-api/#tls) says that the federation API must use HTTPS. +matrix_dendrite_container_labels_public_federation_api_traefik_tls: true matrix_dendrite_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_dendrite_container_labels_traefik_tls_certResolver }}" # noqa var-naming # Controls whether labels will be added that expose Dendrite's metrics on a public Traefik entrypoint. diff --git a/roles/custom/matrix-media-repo/defaults/main.yml b/roles/custom/matrix-media-repo/defaults/main.yml index d62037603..0fa520e72 100755 --- a/roles/custom/matrix-media-repo/defaults/main.yml +++ b/roles/custom/matrix-media-repo/defaults/main.yml @@ -107,7 +107,7 @@ matrix_media_repo_container_labels_traefik_t2bot_tls_certResolver: default # no matrix_media_repo_container_labels_traefik_media_federation_path_prefix: "/_matrix/media" matrix_media_repo_container_labels_traefik_media_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_media_path_prefix | quote }}`)" matrix_media_repo_container_labels_traefik_media_federation_priority: 0 -matrix_media_repo_container_labels_traefik_media_federation_entrypoints: "{{ matrix_federation_traefik_entrypoint }}" +matrix_media_repo_container_labels_traefik_media_federation_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}" matrix_media_repo_container_labels_traefik_media_federation_tls: "{{ matrix_media_repo_container_labels_traefik_media_entrypoints != 'web' }}" matrix_media_repo_container_labels_traefik_media_federation_tls_certResolver: default # noqa var-naming @@ -116,7 +116,7 @@ matrix_media_repo_container_labels_traefik_media_federation_tls_certResolver: de matrix_media_repo_container_labels_traefik_logout_federation_path_prefix: "/_matrix/client/{version:(r0|v1|v3|unstable)}/{endpoint:(logout|logout/all)}" matrix_media_repo_container_labels_traefik_logout_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_logout_path_prefix }}`)" matrix_media_repo_container_labels_traefik_logout_federation_priority: 0 -matrix_media_repo_container_labels_traefik_logout_federation_entrypoints: "{{ matrix_federation_traefik_entrypoint }}" +matrix_media_repo_container_labels_traefik_logout_federation_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}" matrix_media_repo_container_labels_traefik_logout_federation_tls: "{{ matrix_media_repo_container_labels_traefik_logout_entrypoints != 'web' }}" matrix_media_repo_container_labels_traefik_logout_federation_tls_certResolver: default # noqa var-naming @@ -125,14 +125,14 @@ matrix_media_repo_container_labels_traefik_logout_federation_tls_certResolver: d matrix_media_repo_container_labels_traefik_admin_federation_path_prefix: "/_matrix/client/{version:(r0|v1|v3|unstable)}/admin/{endpoint:(purge_media_cache|quarantine_media/.*)}" matrix_media_repo_container_labels_traefik_admin_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_admin_path_prefix }}`)" matrix_media_repo_container_labels_traefik_admin_federation_priority: 0 -matrix_media_repo_container_labels_traefik_admin_federation_entrypoints: "{{ matrix_federation_traefik_entrypoint }}" +matrix_media_repo_container_labels_traefik_admin_federation_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}" matrix_media_repo_container_labels_traefik_admin_federation_tls: "{{ matrix_media_repo_container_labels_traefik_admin_entrypoints != 'web' }}" matrix_media_repo_container_labels_traefik_admin_federation_tls_certResolver: default # noqa var-naming matrix_media_repo_container_labels_traefik_t2bot_federation_path_prefix: "/_matrix/client/unstable/io.t2bot.media" matrix_media_repo_container_labels_traefik_t2bot_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_t2bot_path_prefix | quote }}`)" matrix_media_repo_container_labels_traefik_t2bot_federation_priority: 0 -matrix_media_repo_container_labels_traefik_t2bot_federation_entrypoints: "{{ matrix_federation_traefik_entrypoint }}" +matrix_media_repo_container_labels_traefik_t2bot_federation_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}" matrix_media_repo_container_labels_traefik_t2bot_federation_tls: "{{ matrix_media_repo_container_labels_traefik_t2bot_entrypoints != 'web' }}" matrix_media_repo_container_labels_traefik_t2bot_federation_tls_certResolver: default # noqa var-naming diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml index d70b806c1..7a3f4f709 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml @@ -114,7 +114,8 @@ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_tr matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_path_prefix }}`)" matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_priority: 0 matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_entrypoints: '' -matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_entrypoints != 'web' }}" +# TLS is force-enabled here, because the spec (https://spec.matrix.org/v1.9/server-server-api/#tls) says that the federation API must use HTTPS. +matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_tls: true matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming # matrix_synapse_reverse_proxy_companion_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 4c0133e2a..4b1513fa5 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -259,7 +259,8 @@ matrix_synapse_container_labels_public_federation_api_traefik_path_prefix: /_mat matrix_synapse_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_synapse_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_container_labels_public_federation_api_traefik_path_prefix }}`)" matrix_synapse_container_labels_public_federation_api_traefik_priority: 0 matrix_synapse_container_labels_public_federation_api_traefik_entrypoints: '' -matrix_synapse_container_labels_public_federation_api_traefik_tls: "{{ matrix_synapse_container_labels_public_federation_api_traefik_entrypoints != 'web' }}" +# TLS is force-enabled here, because the spec (https://spec.matrix.org/v1.9/server-server-api/#tls) says that the federation API must use HTTPS. +matrix_synapse_container_labels_public_federation_api_traefik_tls: true matrix_synapse_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_synapse_container_labels_traefik_tls_certResolver }}" # noqa var-naming # Controls whether labels will be added that expose metrics (see `matrix_synapse_metrics_proxying_enabled`) for the main Synapse process diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index 7335e4574..b91ce98b0 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml @@ -310,6 +310,7 @@ - {'old': 'matrix_docker_network', 'new': ''} - {'old': 'matrix_playbook_ssl_retrieval_method', 'new': ''} - {'old': 'matrix_ssl_lets_encrypt_support_email', 'new': 'devture_traefik_config_certificatesResolvers_acme_email'} + - {'old': 'matrix_federation_traefik_entrypoint', 'new': 'matrix_federation_traefik_entrypoint_name'} - when: matrix_playbook_migration_matrix_nginx_proxy_leftover_variable_validation_checks_enabled | bool block: