Handle /_matrix Client-Server and Federation APIs directly at matrix-synapse-reverse-proxy-companion

This commit is contained in:
Slavi Pantaleev 2024-01-03 17:05:59 +02:00
parent 97f40a95fb
commit bbd9493b8f
7 changed files with 155 additions and 8 deletions

View File

@ -395,7 +395,7 @@ devture_systemd_service_manager_services_list_auto: |
+
([{'name': 'matrix-synapse-admin.service', 'priority': 4000, 'groups': ['matrix', 'synapse-admin']}] if matrix_synapse_admin_enabled else [])
+
([{'name': 'matrix-synapse-reverse-proxy-companion.service', 'priority': 1500, 'groups': ['matrix', 'homeservers', 'synapse', 'reverse-proxies']}] if matrix_synapse_reverse_proxy_companion_enabled else [])
([{'name': 'matrix-synapse-reverse-proxy-companion.service', 'priority': 1500, 'groups': ['matrix', 'homeservers', 'synapse', 'synapse-reverse-proxy-companion', 'reverse-proxies']}] if matrix_synapse_reverse_proxy_companion_enabled else [])
+
([{'name': 'matrix-user-verification-service.service', 'priority': 800, 'groups': ['matrix', 'matrix-user-verification-service']}] if matrix_user_verification_service_enabled else [])
+
@ -3946,11 +3946,32 @@ matrix_synapse_auto_compressor_systemd_required_services_list: |
matrix_synapse_reverse_proxy_companion_enabled: "{{ matrix_synapse_enabled }}"
matrix_synapse_reverse_proxy_companion_container_network: "{{ matrix_synapse_container_network }}"
matrix_synapse_reverse_proxy_companion_container_additional_networks: |
{{
(
([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [])
+
([] if matrix_homeserver_container_network in ['', matrix_synapse_reverse_proxy_companion_container_network] else [matrix_homeserver_container_network])
) | unique
}}
matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb: "{{ matrix_synapse_max_upload_size_mb }}"
matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8008') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8048') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
matrix_synapse_reverse_proxy_companion_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_hostname: "{{ matrix_server_fqn_matrix }}"
matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_hostname: "{{ matrix_server_fqn_matrix }}"
matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint }}"
matrix_synapse_reverse_proxy_companion_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}"
matrix_synapse_reverse_proxy_companion_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}"
matrix_synapse_reverse_proxy_companion_synapse_generic_worker_client_server_locations: "{{ matrix_synapse_workers_generic_worker_client_server_endpoints }}"
@ -3966,6 +3987,7 @@ matrix_synapse_reverse_proxy_companion_synapse_user_dir_locations: "{{ matrix_sy
matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_enabled: "{{ matrix_prometheus_nginxlog_exporter_enabled }}"
matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_server_port: "{{ (matrix_prometheus_nginxlog_exporter_container_hostname | string +':'+ matrix_prometheus_nginxlog_exporter_container_syslog_port | string) | default('') }}"
######################################################################
#
# /matrix-synapse-reverse-proxy-companion

View File

@ -32,7 +32,10 @@ matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }
matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d"
# List of systemd services that matrix-synapse-reverse-proxy-companion.service depends on
matrix_synapse_reverse_proxy_companion_systemd_required_services_list: ['docker.service']
matrix_synapse_reverse_proxy_companion_systemd_required_services_list: "{{ matrix_synapse_reverse_proxy_companion_systemd_required_services_list_default + matrix_synapse_reverse_proxy_companion_systemd_required_services_list_auto + matrix_synapse_reverse_proxy_companion_systemd_required_services_list_custom }}"
matrix_synapse_reverse_proxy_companion_systemd_required_services_list_default: ['docker.service']
matrix_synapse_reverse_proxy_companion_systemd_required_services_list_auto: []
matrix_synapse_reverse_proxy_companion_systemd_required_services_list_custom: []
# List of systemd services that matrix-synapse-reverse-proxy-companion.service wants
matrix_synapse_reverse_proxy_companion_systemd_wanted_services_list: ['matrix-synapse.service']
@ -43,15 +46,10 @@ matrix_synapse_reverse_proxy_companion_systemd_wanted_services_list: ['matrix-sy
matrix_synapse_reverse_proxy_companion_container_image: "{{ matrix_container_global_registry_prefix }}nginx:{{ matrix_synapse_reverse_proxy_companion_version }}"
matrix_synapse_reverse_proxy_companion_container_image_force_pull: "{{ matrix_synapse_reverse_proxy_companion_container_image.endswith(':latest') }}"
matrix_synapse_reverse_proxy_companion_container_network: "{{ matrix_docker_network }}"
matrix_synapse_reverse_proxy_companion_container_network: ""
# A list of additional container networks that matrix-synapse-reverse-proxy-companion would be connected to.
# The playbook does not create these networks, so make sure they already exist.
#
# Use this to expose matrix-synapse-reverse-proxy-companion to another reverse proxy, which runs in a different container network,
# without exposing all other Matrix services to that other reverse-proxy.
#
# For background, see: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1498
matrix_synapse_reverse_proxy_companion_container_additional_networks: []
# Controls whether the matrix-synapse-reverse-proxy-companion container exposes its HTTP Client-Server API port (tcp/8008 in the container).
@ -64,6 +62,46 @@ matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: ''
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8048"), or empty string to not expose.
matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: ''
# matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
# See `../templates/labels.j2` for details.
#
# To inject your own other container labels, see `matrix_synapse_reverse_proxy_companion_container_labels_additional_labels`.
matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled: true
matrix_synapse_reverse_proxy_companion_container_labels_traefik_docker_network: "{{ matrix_synapse_reverse_proxy_companion_container_network }}"
matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints: web-secure
matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver: default
# Controls whether labels will be added that expose the Client-Server API.
matrix_synapse_reverse_proxy_companion_container_labels_client_api_enabled: true
matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_hostname: ''
matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_path_prefix: /_matrix
matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_path_prefix }}`)"
matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_priority: 0
matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}"
matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_entrypoints != 'web' }}"
matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming
# TODO - /_synapse public exposure, etc.?
# Controls whether labels will be added that expose the Server-Server API (Federation API).
matrix_synapse_reverse_proxy_companion_container_labels_federation_api_enabled: "{{ matrix_synapse_reverse_proxy_companion_federation_api_enabled }}"
matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_hostname: ''
matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_path_prefix: /_matrix
matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_path_prefix }}`)"
matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_priority: 0
matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_entrypoints: ''
matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_entrypoints != 'web' }}"
matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming
# matrix_synapse_reverse_proxy_companion_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
# See `../templates/labels.j2` for details.
#
# Example:
# matrix_synapse_reverse_proxy_companion_container_labels_additional_labels: |
# my.label=1
# another.label="here"
matrix_synapse_reverse_proxy_companion_container_labels_additional_labels: ''
# The amount of worker processes and connections
# Consider increasing these when you are expecting high amounts of traffic
# http://nginx.org/en/docs/ngx_core_module.html#worker_connections

View File

@ -8,6 +8,9 @@
- install-synapse-reverse-proxy-companion
- install-synapse
block:
- when: matrix_synapse_reverse_proxy_companion_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
- when: matrix_synapse_reverse_proxy_companion_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"

View File

@ -25,6 +25,8 @@
dest: "{{ matrix_synapse_reverse_proxy_companion_confd_path }}/nginx-http.conf"
- src: "{{ role_path }}/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2"
dest: "{{ matrix_synapse_reverse_proxy_companion_confd_path }}/matrix-synapse-reverse-proxy-companion.conf"
- src: "{{ role_path }}/templates/labels.j2"
dest: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/labels"
- name: Ensure matrix-synapse-reverse-proxy-companion nginx container image is pulled
community.docker.docker_image:
@ -37,6 +39,11 @@
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed
- name: Ensure matrix-synapse-reverse-proxy-companion container network is created
community.general.docker_network:
name: "{{ matrix_synapse_reverse_proxy_companion_container_network }}"
driver: bridge
- name: Ensure matrix-synapse-reverse-proxy-companion.service installed
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2"

View File

@ -0,0 +1,13 @@
---
- name: Fail if required matrix-synapse-reverse-proxy-companion settings not defined
ansible.builtin.fail:
msg: >-
You need to define a required configuration setting (`{{ item.name }}`).
when: "item.when | bool and vars[item.name] == ''"
with_items:
- {'name': 'matrix_synapse_reverse_proxy_companion_container_network', when: true}
- {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_enabled }}"}
- {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_enabled }}"}
- {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_entrypoints', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_enabled }}"}

View File

@ -0,0 +1,63 @@
{% if matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled %}
traefik.enable=true
{% if matrix_synapse_reverse_proxy_companion_container_labels_traefik_docker_network %}
traefik.docker.network={{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_docker_network }}
{% endif %}
traefik.http.services.matrix-synapse-reverse-proxy-companion-client-api.loadbalancer.server.port=8008
traefik.http.services.matrix-synapse-reverse-proxy-companion-federation-api.loadbalancer.server.port=8048
{#
Client-API
#}
{% if matrix_synapse_reverse_proxy_companion_container_labels_client_api_enabled %}
traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.rule={{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_rule }}
{% if matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_priority | int > 0 %}
traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.priority={{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_priority }}
{% endif %}
traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.service=matrix-synapse-reverse-proxy-companion-client-api
traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.entrypoints={{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_entrypoints }}
traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.tls={{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_tls | to_json }}
{% if matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_tls %}
traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.tls.certResolver={{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_tls_certResolver }}
{% endif %}
{% endif %}
{#
/Client-API
#}
{#
Federation-API
#}
{% if matrix_synapse_reverse_proxy_companion_container_labels_federation_api_enabled %}
traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.rule={{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_rule }}
{% if matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_priority | int > 0 %}
traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.priority={{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_priority }}
{% endif %}
traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.service=matrix-synapse-reverse-proxy-companion-federation-api
traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.entrypoints={{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_entrypoints }}
traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.tls={{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_tls | to_json }}
{% if matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_tls %}
traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.tls.certResolver={{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_tls_certResolver }}
{% endif %}
{% endif %}
{#
/Federation-API
#}
{% endif %}
{{ matrix_synapse_reverse_proxy_companion_container_labels_additional_labels }}

View File

@ -36,6 +36,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
{% endif %}
--mount type=bind,src={{ matrix_synapse_reverse_proxy_companion_base_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \
--mount type=bind,src={{ matrix_synapse_reverse_proxy_companion_confd_path }},dst=/etc/nginx/conf.d,ro \
--label-file={{ matrix_synapse_reverse_proxy_companion_base_path }}/labels \
{{ matrix_synapse_reverse_proxy_companion_container_image }}
{% for network in matrix_synapse_reverse_proxy_companion_container_additional_networks %}