diff --git a/README.md b/README.md index fe573e038..694536664 100644 --- a/README.md +++ b/README.md @@ -63,7 +63,6 @@ Services that run on the server to make the various parts of your installation w | [PostgreSQL](https://www.postgresql.org/)| ✓ | Database for Synapse. [Using an external PostgreSQL server](docs/configuring-playbook-external-postgres.md) is also possible. | [Link](docs/configuring-playbook-external-postgres.md) | | [Coturn](https://github.com/coturn/coturn) | ✓ | STUN/TURN server for WebRTC audio/video calls | [Link](docs/configuring-playbook-turn.md) | | [Traefik](https://doc.traefik.io/traefik/) | ✓ | Web server, listening on ports 80, 443 and 8448 - standing in front of all the other services. Using your own webserver [is possible](docs/configuring-playbook-own-webserver.md) | [Link](docs/configuring-playbook-traefik.md) | -| [nginx](http://nginx.org/) | x | (Deprecated) Web server, listening on ports 80, 443 and 8448 - standing in front of all the other services. Deprecated in favor of Traefik | [Link](docs/configuring-playbook-nginx.md) | | [Let's Encrypt](https://letsencrypt.org/) | ✓ | Free SSL certificate, which secures the connection to all components | [Link](docs/configuring-playbook-ssl-certificates.md) | | [ma1sd](https://github.com/ma1uta/ma1sd) | x | Matrix Identity Server | [Link](docs/configuring-playbook-ma1sd.md) | [Exim](https://www.exim.org/) | ✓ | Mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) | [Link](docs/configuring-playbook-email.md) | diff --git a/docs/configuring-playbook-base-domain-serving.md b/docs/configuring-playbook-base-domain-serving.md index da4e7fc3f..f1cf992d1 100644 --- a/docs/configuring-playbook-base-domain-serving.md +++ b/docs/configuring-playbook-base-domain-serving.md 
@@ -10,9 +10,9 @@ Usually, there are 2 options: - either get a separate server for the base domain, just for serving the files necessary for [Server Delegation via a well-known file](howto-server-delegation.md#server-delegation-via-a-well-known-file) -- or, arrange for the Matrix server to serve the base domain. This either involves you [using your own webserver](configuring-playbook-own-webserver.md) or making the integrated webserver (`matrix-nginx-proxy`) serve the base domain for you. +- or, arrange for the Matrix server to serve the base domain. This either involves you [using your own webserver](configuring-playbook-own-webserver.md) or making the integrated webserver serve the base domain for you. -This documentation page tells you how to do the latter. With some easy changes, we make it possible to serve the base domain from the Matrix server via the integrated webserver (`matrix-nginx-proxy`). +This documentation page tells you how to do the latter. With some easy changes, we make it possible to serve the base domain from the Matrix server via the integrated webserver. Just **adjust your DNS records**, so that your base domain is pointed to the Matrix server's IP address (using a DNS `A` record) **and then use the following configuration**: diff --git a/docs/configuring-playbook-bot-buscarron.md b/docs/configuring-playbook-bot-buscarron.md index b21dceef0..84b6c377d 100644 --- a/docs/configuring-playbook-bot-buscarron.md +++ b/docs/configuring-playbook-bot-buscarron.md @@ -20,8 +20,6 @@ matrix_bot_buscarron_hostname: "{{ matrix_server_fqn_matrix }}" matrix_bot_buscarron_path_prefix: /buscarron ``` -**NOTE**: When using `matrix-nginx-proxy` instead of Traefik, you won't be able to override the path prefix. You can only override the domain, but that needs to happen using another variable: `matrix_server_fqn_buscarron` (e.g. `matrix_server_fqn_buscarron: "form.{{ matrix_domain }}"`). - ## Adjusting DNS records 
diff --git a/docs/configuring-playbook-bot-go-neb.md b/docs/configuring-playbook-bot-go-neb.md index 4fb0d7530..0af4e4aa7 100644 --- a/docs/configuring-playbook-bot-go-neb.md +++ b/docs/configuring-playbook-bot-go-neb.md @@ -39,8 +39,6 @@ matrix_bot_go_neb_hostname: "{{ matrix_server_fqn_matrix }}" matrix_bot_go_neb_path_prefix: /go-neb ``` -**NOTE**: When using `matrix-nginx-proxy` instead of Traefik, you won't be able to override the path prefix. You can only override the domain, but that needs to happen using another variable: `matrix_server_fqn_go_neb` (e.g. `matrix_server_fqn_go_neb: "mybot.{{ matrix_domain }}"`). - ## Adjusting DNS records diff --git a/docs/configuring-playbook-bridge-hookshot.md b/docs/configuring-playbook-bridge-hookshot.md index 17dd7c9ea..917fe5fdd 100644 --- a/docs/configuring-playbook-bridge-hookshot.md +++ b/docs/configuring-playbook-bridge-hookshot.md @@ -59,7 +59,7 @@ Unless indicated otherwise, the following endpoints are reachable on your `matri | widgets | `/hookshot/widgetapi/` | `matrix_hookshot_widgets_endpoint` | Widgets | | metrics | `/metrics/hookshot` | `matrix_hookshot_metrics_enabled` and exposure enabled via `matrix_hookshot_metrics_proxying_enabled` or `matrix_metrics_exposure_enabled`. Read more in the [Metrics section](#metrics) below. | Prometheus | -See also `matrix_hookshot_matrix_nginx_proxy_configuration` in [init.yml](/roles/custom/matrix-bridge-hookshot/tasks/inject_into_nginx_proxy.yml). +Also see the various `matrix_hookshot_container_labels_*` variables in in [default/main.yml](/roles/custom/matrix-bridge-hookshot/default/main.yml), which expose URLs publicly. The different listeners are also reachable *internally* in the docker-network via the container's name (configured by `matrix_hookshot_container_url`) and on different ports (e.g. `matrix_hookshot_appservice_port`). Read [main.yml](/roles/custom/matrix-bridge-hookshot/defaults/main.yml) in detail for more info. 
diff --git a/docs/configuring-playbook-federation.md b/docs/configuring-playbook-federation.md index a6e87d2a1..5d11b4990 100644 --- a/docs/configuring-playbook-federation.md +++ b/docs/configuring-playbook-federation.md @@ -41,12 +41,11 @@ With that, your server's users will only be able to talk among themselves, but n **Disabling federation does not necessarily disable the federation port** (`8448`). Services like [Dimension](configuring-playbook-dimension.md) and [ma1sd](configuring-playbook-ma1sd.md) normally rely on `openid` APIs exposed on that port. Even if you disable federation and only if necessary, we may still be exposing the federation port and serving the `openid` APIs there. To override this and completely disable Synapse's federation port use: ```yaml +matrix_homeserver_federation_enabled: false + # This stops the federation port on the Synapse side (normally `matrix-synapse:8048` on the container network). matrix_synapse_federation_port_enabled: false -# This removes the `8448` virtual host from the matrix-nginx-proxy reverse-proxy server. -matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false - # This stops the federation port on the synapse-reverse-proxy-companion side (normally `matrix-synapse-reverse-proxy-companion:8048` on the container network). matrix_synapse_reverse_proxy_companion_federation_api_enabled: false ``` 
@@ -55,6 +54,8 @@ matrix_synapse_reverse_proxy_companion_federation_api_enabled: false Why? This change could be useful for people running small Synapse instances on small severs/VPSes to avoid being impacted by a simple DOS/DDOS when bandwidth, RAM, an CPU resources are limited and if your hosting provider does not provide a DOS/DDOS protection. +**NOTE**: this approach hasn't been tested with the new Traefik-only setup that the playbook started using in 2024-01. It may not work. + The following changes in the configuration file (`inventory/host_vars/matrix./vars.yml`) will allow this and make it possible to proxy the federation through a CDN such as CloudFlare or any other: ``` diff --git a/docs/configuring-playbook-nginx.md b/docs/configuring-playbook-nginx.md index b0dbb48fc..2d3353081 100644 --- a/docs/configuring-playbook-nginx.md +++ b/docs/configuring-playbook-nginx.md 
@@ -1,83 +1,3 @@ # Configure Nginx (optional, advanced) -**Note**: the playbook is [in the process of moving to Traefik](../CHANGELOG.md#reverse-proxy-configuration-changes-and-initial-traefik-support). Traefik is already the default reverse-proxy for new installations and existing users are also strongly encouraged to switch to Traefik. As such, this **nginx documentation below may be incomplete or misleading**. - - -## Using Nginx status - -This will serve a statuspage to the hosting machine only. Useful for monitoring software like [longview](https://www.linode.com/docs/platform/longview/longview-app-for-nginx/) - -```yaml -matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: true -``` - -This will serve the status page under the following addresses: -- `http://matrix.DOMAIN/nginx_status` (using HTTP) -- `https://matrix.DOMAIN/nginx_status` (using HTTPS) - -By default, if ```matrix_nginx_proxy_nginx_status_enabled``` is enabled, access to the status page would be allowed from the local IP address of the server. If you wish to allow access from other IP addresses, you can provide them as a list: - -```yaml -matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: -- 8.8.8.8 -- 1.1.1.1 -``` - -## Adjusting SSL in your server - -You can adjust how the SSL is served by the nginx server using the `matrix_nginx_proxy_ssl_preset` variable. We support a few presets, based on the Mozilla Server Side TLS -Recommended configurations. These presets influence the TLS Protocol, the SSL Cipher Suites and the `ssl_prefer_server_ciphers` variable of nginx. -Possible values are: - -- `"modern"` - For Modern clients that support TLS 1.3, with no need for backwards compatibility -- `"intermediate"` (**default**) - Recommended configuration for a general-purpose server -- `"old"` - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 - -**Be really carefull when setting it to `"modern"`**. 
This could break comunication with other Matrix servers, limiting your federation posibilities. - -Besides changing the preset (`matrix_nginx_proxy_ssl_preset`), you can also directly override these 3 variables: - -- `matrix_nginx_proxy_ssl_protocols`: for specifying the supported TLS protocols. -- `matrix_nginx_proxy_ssl_prefer_server_ciphers`: for specifying if the server or the client choice when negotiating the cipher. It can set to `on` or `off`. -- `matrix_nginx_proxy_ssl_ciphers`: for specifying the SSL Cipher suites used by nginx. - -For more information about these variables, check the `roles/custom/matrix-nginx-proxy/defaults/main.yml` file. - -## Synapse + OpenID Connect for Single-Sign-On - -If you want to use OpenID Connect as an SSO provider (as per the [Synapse OpenID docs](https://github.com/matrix-org/synapse/blob/develop/docs/openid.md)), you need to use the following configuration (in your `vars.yml` file) to instruct nginx to forward `/_synapse/oidc` to Synapse: - -```yaml -matrix_synapse_container_labels_public_client_synapse_oidc_api_enabled: true -``` - -## Disable Nginx access logs - -This will disable the access logging for nginx. - -```yaml -matrix_nginx_proxy_access_log_enabled: false -``` - -## Additional configuration - -This playbook also allows for additional configuration to be applied to the nginx server. - -If you want this playbook to obtain and renew certificates for other domains, then you can set the `matrix_ssl_additional_domains_to_obtain_certificates_for` variable (as mentioned in the [Obtaining SSL certificates for additional domains](configuring-playbook-ssl-certificates.md#obtaining-ssl-certificates-for-additional-domains) documentation as well). Make sure that you have set the DNS configuration for the domains you want to include to point at your server. 
- -```yaml -matrix_ssl_additional_domains_to_obtain_certificates_for: - - domain.one.example - - domain.two.example -``` - -You can include additional nginx configuration by setting the `matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks` variable. - -```yaml -matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks: - - | - # These lines will be included in the nginx configuration. - # This is at the top level of the file, so you will need to define all of the `server { ... }` blocks. - - | - # For advanced use, have a look at the template files in `roles/custom/matrix-nginx-proxy/templates/nginx/conf.d` -``` +Since 2024-01, this playbook no longer uses nginx as its reverse-proxy. diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 0867b9052..a9dcf352d 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -6,9 +6,11 @@ If that's alright, you can skip this. ## Traefik -[Traefik](https://traefik.io/) is the default reverse-proxy for the playbook since [2023-02-26](../CHANGELOG.md/#2023-02-26). +[Traefik](https://traefik.io/) is the default reverse-proxy for the playbook since [2023-02-26](../CHANGELOG.md/#2023-02-26) and serves **2 purposes**: -Besides serving public traffic, Traefik is also used for internal communication between addon services (briges, bots, etc.) and the homeserver. +- serving public traffic and providing SSL-termination with certificates obtained from [Let's Encrypt](https://letsencrypt.org/). See [Adjusting SSL certificate retrieval](./configuring-playbook-ssl-certificates.md). + +- assists internal communication between addon services (briges, bots, etc.) and the homeserver via an internal entrypoint (`matrix-internal-matrix-client-api`). There are 2 ways to use Traefik with this playbook, as described below. 
@@ -24,7 +26,6 @@ devture_traefik_config_certificatesResolvers_acme_email: YOUR_EMAIL_ADDRESS Traefik will manage SSL certificates for all services seamlessly. -**Note**: for a while longer, our old reverse-proxy (`matrix-nginx-proxy`) will still be installed in local-only mode. Do not be alarmed to see `matrix-nginx-proxy` running even when you've chosen Traefik as your reverse-proxy. In the near future, we'll be able to run without nginx, but we're not there yet. ### Traefik managed by you @@ -46,7 +47,7 @@ devture_traefik_certs_dumper_ssl_dir_path: "/path/to/your/traefiks/acme.json/dir In this mode all roles will still have Traefik labels attached. You will, however, need to configure your Traefik instance and its entrypoints. -By default, the playbook configured services use a `web-secure` (443) and `matrix-federation` (8448) entrypoints, as well as a `default` certificate resolver. +By default, the playbook configured a `default` certificate resolver and multiple entrypoints. You need to configure 4 entrypoints for your Traefik server: 
@@ -186,57 +187,3 @@ Instead of [Fronting the integrated reverse-proxy webserver with another reverse This is more difficult, as you would need to handle the configuration for each service manually. Enabling additional services would come with extra manual work you need to do. If your webserver is on the same machine, ensure your web server user (something like `http`, `apache`, `www-data`, `nginx`) is part of the `matrix` group. You should run something like this: `usermod -a -G matrix nginx`. This allows your webserver user to access files owned by the `matrix` group, so that it can serve static files from `/matrix/static-files`. - -#### Using your own nginx reverse-proxy running on the same machine - -**WARNING**: this type of setup is not maintained and will be removed in the near future. We recommend that you go for [Fronting the integrated reverse-proxy webserver with another reverse-proxy](#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instead. - -If you'll be using `nginx` running on the same machine (not in a container), you can make the playbook help you generate configuration for `nginx` with this configuration: - -```yaml -matrix_playbook_reverse_proxy_type: other-nginx-non-container - -# If you want https configured in /matrix/nginx-proxy/conf.d/ -matrix_nginx_proxy_https_enabled: true - -# If you will manage SSL certificates yourself, uncomment the line below -# matrix_ssl_retrieval_method: none - -# If you're using an old nginx version, consider using a custom protocol list -# (removing `TLSv1.3` that is enabled by default) to suit your nginx version. -# matrix_nginx_proxy_ssl_protocols: "TLSv1.2" -``` - -You can most likely directly use the config files installed by this playbook at: `/matrix/nginx-proxy/conf.d`. 
Just include them in your own `nginx.conf` like this: `include /matrix/nginx-proxy/conf.d/*.conf;` - -#### Using your own reverse-proxy running on the same machine or elsewhere - -**WARNING**: this is difficult to set up, likely not very well supported and will be removed in the future. We recommend that you go for [Fronting the integrated reverse-proxy webserver with another reverse-proxy](#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instead. - -To reverse-proxy manually for each service, use configuration like this: - -```yaml -# If your reverse-proxy runs on the same machine: -matrix_playbook_reverse_proxy_type: other-on-same-host - -# Or, if it runs on another machine: -# matrix_playbook_reverse_proxy_type: other-on-another-host - -# Or, optionally customize the network interface prefix (note the trailing `:` character). -# For other-on-same-host, the interface defaults to `127.0.0.1:`. -# For other-on-another-host, the interface defaults to `0.0.0.0:`. -# matrix_playbook_service_host_bind_interface_prefix: '192.168.30.4:' -``` - -With this configuration, each service will be exposed on a custom port. Example: - -- Synapse will be exposed on port `8008` -- [Grafana](configuring-playbook-prometheus-grafana.md) will be exposed on port `3000` -- [synapse-admin](configuring-playbook-synapse-admin.md) will be exposed on port `8766` - -You can capture traffic for these services and forward it to their port. -Some of these services are configured with certain default expecations with regard to hostname, path, etc., so it's not completely arbitrary where you can host them (unless you change the defaults). - -For each new playbook service that you enable, you'll need special handling. - -The [`examples/`](../examples/) directory contains examples for various servers: Caddy, Apache, HAproxy, Nginx, etc. diff --git a/docs/configuring-playbook-rageshake.md b/docs/configuring-playbook-rageshake.md index fe45db260..782e0e978 100644 
--- a/docs/configuring-playbook-rageshake.md +++ b/docs/configuring-playbook-rageshake.md @@ -20,8 +20,6 @@ matrix_rageshake_hostname: "{{ matrix_server_fqn_matrix }}" matrix_rageshake_path_prefix: /rageshake ``` -**NOTE**: When using `matrix-nginx-proxy` instead of Traefik, you won't be able to override the path prefix. You can only override the domain, but that needs to happen using another variable: `matrix_server_fqn_rageshake` (e.g. `matrix_server_fqn_rageshake: "some-domain.{{ matrix_domain }}"`). - ## Adjusting DNS records diff --git a/docs/configuring-playbook-sliding-sync-proxy.md b/docs/configuring-playbook-sliding-sync-proxy.md index 50de9dff0..f1ddba185 100644 --- a/docs/configuring-playbook-sliding-sync-proxy.md +++ b/docs/configuring-playbook-sliding-sync-proxy.md @@ -10,8 +10,6 @@ Element X iOS is [available on TestFlight](https://testflight.apple.com/join/uZb Element X Android is [available on the Github Releases page](https://github.com/element-hq/element-x-android/releases). -**NOTE**: The Sliding Sync proxy **only works with the Traefik reverse-proxy**. If you have an old server installation (from the time `matrix-nginx-proxy` was our default reverse-proxy - `matrix_playbook_reverse_proxy_type: playbook-managed-nginx`), you won't be able to use Sliding Sync. - **NOTE**: The sliding-sync proxy is **not required** when using the **Conduit homeserver**. Starting from version `0.6.0` Conduit has native support for some sliding sync features. If there are issues with the native implementation, you might have a better experience when enabling the sliding-sync proxy anyway. ## Decide on a domain and path diff --git a/docs/configuring-playbook-sygnal.md b/docs/configuring-playbook-sygnal.md index 2fbad04c2..77e2f38a9 100644 --- a/docs/configuring-playbook-sygnal.md +++ b/docs/configuring-playbook-sygnal.md 
@@ -26,8 +26,6 @@ matrix_sygnal_hostname: "{{ matrix_server_fqn_matrix }}" matrix_sygnal_path_prefix: /sygnal ``` -**NOTE**: When using `matrix-nginx-proxy` instead of Traefik, you won't be able to override the path prefix. You can only override the domain, but that needs to happen using another variable: `matrix_server_fqn_sygnal` (e.g. `matrix_server_fqn_sygnal: "push.{{ matrix_domain }}"`). - ## Adjusting DNS records diff --git a/docs/configuring-playbook-synapse-admin.md b/docs/configuring-playbook-synapse-admin.md index 14bccec1e..a8cc585b4 100644 --- a/docs/configuring-playbook-synapse-admin.md +++ b/docs/configuring-playbook-synapse-admin.md @@ -37,15 +37,3 @@ After installation, Synapse Admin will be accessible at: `https://matrix.DOMAIN/ To use Synapse Admin, you need to have [registered at least one administrator account](registering-users.md) on your server. The Homeserver URL to use on Synapse Admin's login page is: `https://matrix.DOMAIN` - -### Sample configuration for running behind Caddy v2 - -Below is a sample configuration for using this playbook with a [Caddy](https://caddyserver.com/v2) 2.0 reverse proxy (non-default configuration where `matrix-nginx-proxy` is disabled - `matrix_nginx_proxy_enabled: false`). - -```caddy -# This is a basic configuration that will function the same as the default nginx proxy - exposing the synapse-admin panel to matrix.YOURSERVER.com/synapse-admin/ - handle_path /synapse-admin* { - reverse_proxy localhost:8766 { - } - } -``` diff --git a/docs/configuring-playbook-synapse.md b/docs/configuring-playbook-synapse.md index e9413f22c..2701fe85a 100644 --- a/docs/configuring-playbook-synapse.md +++ b/docs/configuring-playbook-synapse.md 
@@ -73,7 +73,7 @@ matrix_synapse_oidc_providers: backchannel_logout_enabled: true # Optional ``` -**NOTE**: if you inject the OIDC configuration using `matrix_synapse_configuration_extension_yaml` (instead of `matrix_synapse_oidc_enabled: true` + `matrix_synapse_oidc_providers`), then the OIDC routes (`/_synapse/oidc`) will not be publicly exposed automatically. In such a case, you'd need to expose them manually by toggling: `matrix_synapse_container_labels_public_client_synapse_oidc_api_enabled: true`. +**NOTE**: if you inject the OIDC configuration using `matrix_synapse_configuration_extension_yaml` (instead of `matrix_synapse_oidc_enabled: true` + `matrix_synapse_oidc_providers` as explained above), then the OIDC routes (`/_synapse/oidc`) will not be publicly exposed automatically. In such a case, you'd need to expose them manually by toggling: `matrix_synapse_container_labels_public_client_synapse_oidc_api_enabled: true`. ## Customizing templates diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 16d8956ed..1d6227856 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -65,8 +65,6 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Configure the Traefik reverse-proxy](configuring-playbook-traefik.md) (optional, advanced) -- (Deprecated) [Configure the Nginx reverse-proxy](configuring-playbook-nginx.md) (optional, advanced) - - [Using your own webserver, instead of this playbook's default reverse-proxy](configuring-playbook-own-webserver.md) (optional, advanced) - [Adjusting TURN server configuration](configuring-playbook-turn.md) (optional, advanced) diff --git a/docs/howto-server-delegation.md b/docs/howto-server-delegation.md index d1861254f..cf94ec524 100644 --- a/docs/howto-server-delegation.md +++ b/docs/howto-server-delegation.md 
@@ -73,50 +73,22 @@ Based on your setup, you have different ways to go about it: - [Server Delegation via a DNS SRV record (advanced)](#server-delegation-via-a-dns-srv-record-advanced) - [Obtaining certificates](#obtaining-certificates) - [Serving the Federation API with your certificates](#serving-the-federation-api-with-your-certificates) - - [Serving the Federation API with your certificates and matrix-nginx-proxy](#serving-the-federation-api-with-your-certificates-and-matrix-nginx-proxy) - [Serving the Federation API with your certificates and another webserver](#serving-the-federation-api-with-your-certificates-and-another-webserver) - [Serving the Federation API with your certificates and Synapse handling Federation](#serving-the-federation-api-with-your-certificates-and-synapse-handling-federation) -### Serving the Federation API with your certificates and matrix-nginx-proxy - -**If you are using matrix-nginx-proxy**, a reverse-proxy webserver used by default in this playbook, you only need to override the certificates used for the Matrix Federation API. You can do that using: - -```yaml -# Adjust paths below to point to your certificate. -# -# NOTE: these are in-container paths. `/matrix/ssl` on the host is mounted into the container -# at the same path (`/matrix/ssl`) by default, so if that's the path you need, it would be seamless. 
-matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: /matrix/ssl/config/live//fullchain.pem -matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: /matrix/ssl/config/live//privkey.pem -``` - -If your files are not in `/matrix/ssl` but in some other location, you would need to mount them into the container: - -```yaml -matrix_nginx_proxy_container_extra_arguments: - - "--mount type=bind,src=/some/path/on/the/host,dst=/some/path/inside/the/container,ro" -``` - -You then refer to them (for `matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate` and `matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key`) by using `/some/path/inside/the/container`. - -Make sure to reload matrix-nginx-proxy once in a while (`systemctl reload matrix-nginx-proxy`), so that newer certificates can kick in. -Reloading doesn't cause any downtime. ### Serving the Federation API with your certificates and another webserver -**If you are NOT using matrix-nginx-proxy**, but rather some other webserver, you can set up reverse-proxying for the `tcp/8448` port by yourself. +**If you are using some other webserver**, you can set up reverse-proxying for the `tcp/8448` port by yourself. Make sure to use the proper certificates for `` (not for `matrix.`) when serving the `tcp/8448` port. -Proxying needs to happen to `127.0.0.1:8048` (unencrypted Synapse federation listener). - -Make sure to reload/restart your webserver once in a while, so that newer certificates can kick in. - +As recommended in our [Fronting the integrated reverse-proxy webserver with another reverse-proxy](./configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) documentation section, we recommend you to expose the Matrix Federation entrypoint from traffic at a local port (e.g. `127.0.0.1:8449`), so your reverese-proxy should send traffic there. 
### Serving the Federation API with your certificates and Synapse handling Federation -**Alternatively**, if you are **NOT using matrix-nginx-proxy** and **would rather not use your own webserver for Federation traffic**, you can let Synapse handle Federation by itself. +**Alternatively**, you can let Synapse handle Federation by itself. To do that, make sure the certificate files are mounted into the Synapse container: diff --git a/docs/howto-srv-server-delegation.md b/docs/howto-srv-server-delegation.md index 5a9c4d5d0..a5c1990de 100644 --- a/docs/howto-srv-server-delegation.md +++ b/docs/howto-srv-server-delegation.md @@ -102,21 +102,6 @@ matrix_coturn_systemd_required_services_list: ['docker.service'] # This changes the path of the loaded certificate, while maintaining the original functionality, we're now loading the wildcard certificate. matrix_coturn_container_additional_volumes: | {{ - ( - [ - { - 'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/fullchain.pem'), - 'dst': '/fullchain.pem', - 'options': 'ro', - }, - { - 'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/privkey.pem'), - 'dst': '/privkey.pem', - 'options': 'ro', - }, - ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] and matrix_coturn_tls_enabled else [] - ) - + ( [ { 
@@ -180,21 +165,6 @@ matrix_coturn_systemd_required_services_list: ['docker.service'] # This changes the path of the loaded certificate, while maintaining the original functionality, we're now loading the wildcard certificate. matrix_coturn_container_additional_volumes: | {{ - ( - [ - { - 'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/fullchain.pem'), - 'dst': '/fullchain.pem', - 'options': 'ro', - }, - { - 'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/privkey.pem'), - 'dst': '/privkey.pem', - 'options': 'ro', - }, - ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] and matrix_coturn_tls_enabled else [] - ) - + ( [ { diff --git a/docs/maintenance-and-troubleshooting.md b/docs/maintenance-and-troubleshooting.md index ae90fba23..d5b092ebc 100644 --- a/docs/maintenance-and-troubleshooting.md +++ b/docs/maintenance-and-troubleshooting.md 
@@ -4,15 +4,20 @@ You can check the status of your services by using `systemctl status`. Example: ``` -sudo systemctl status matrix-nginx-proxy +sudo systemctl status matrix-synapse -● matrix-nginx-proxy.service - Matrix nginx proxy server - Loaded: loaded (/etc/systemd/system/matrix-nginx-proxy.service; enabled; vendor preset: enabled) - Active: active (running) since Wed 2018-11-14 19:38:35 UTC; 49min ago +● matrix-synapse.service - Synapse server + Loaded: loaded (/etc/systemd/system/matrix-synapse.service; enabled; vendor preset: enabled) + Active: active (running) since Sun 2024-01-14 09:13:06 UTC; 1h 31min ago ``` -You can see the logs by using journalctl. Example: -``` +Docker containers that the playbook configures are supervised by [systemd](https://wiki.archlinux.org/title/Systemd) and their logs are configured to go to [systemd-journald](https://wiki.archlinux.org/title/Systemd/Journal). + +To prevent double-logging, Docker logging is disabled by explicitly passing `--log-driver=none` to all containers. Due to this, you **cannot** view logs using `docker logs`. + +To view systemd-journald logs using [journalctl](https://man.archlinux.org/man/journalctl.1), run a command like this: + +```sh sudo journalctl -fu matrix-synapse ``` diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 4175f12fc..fe53c7bfb 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -27,10 +27,6 @@ matrix_playbook_traefik_labels_enabled: "{{ matrix_playbook_reverse_proxy_type i matrix_playbook_reverse_proxy_container_network: "{{ devture_traefik_container_network if devture_traefik_enabled else 'traefik' }}" matrix_playbook_reverse_proxy_hostname: "{{ devture_traefik_identifier if devture_traefik_enabled else 'traefik' }}" -matrix_playbook_ssl_retrieval_method: "{{ 'lets-encrypt' if devture_traefik_certs_dumper_enabled else matrix_ssl_retrieval_method }}" - -matrix_playbook_ssl_enabled: "{{ matrix_playbook_ssl_retrieval_method in ['lets-encrypt', 'self-signed', 'manually-managed'] }}" - # A separate Matrix Federation entrypoint is always enabled, unless the federation port matches one of the ports for existing (default) entrypoints matrix_playbook_public_matrix_federation_api_traefik_entrypoint_enabled: "{{ matrix_federation_public_port not in [devture_traefik_config_entrypoint_web_port, devture_traefik_config_entrypoint_web_secure_port] }}" @@ -360,10 +356,6 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': (exim_relay_identifier ~ '.service'), 'priority': 2000, 'groups': ['matrix', 'mailer', 'exim-relay']}] if exim_relay_enabled else []) + - ([{'name': 'matrix-nginx-proxy.service', 'priority': 3000, 'groups': ['matrix', 'nginx', 'nginx-proxy', 'reverse-proxies']}] if matrix_nginx_proxy_enabled else []) - + - (matrix_ssl_renewal_systemd_units_list | selectattr('applicable') | selectattr('enableable') | list ) - + ([{'name': (ntfy_identifier + '.service'), 'priority': 800, 'groups': ['matrix', 'ntfy']}] if ntfy_enabled else []) + ([{'name': (devture_postgres_identifier + '.service'), 'priority': 500, 'groups': ['matrix', 'postgres']}] if devture_postgres_enabled else []) 
@@ -565,9 +557,6 @@ matrix_appservice_webhooks_systemd_required_services_list_auto: | matrix_appservice_webhooks_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" -# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-webhooks over the container network. -# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# matrix-appservice-webhooks' client-server port to the local host. matrix_appservice_webhooks_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ matrix_appservice_webhooks_matrix_port) if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_appservice_webhooks_container_network: "{{ matrix_addons_container_network }}" @@ -677,9 +666,6 @@ matrix_appservice_irc_systemd_required_services_list_auto: | matrix_appservice_irc_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" -# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-irc over the container network. -# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# matrix-appservice-irc's client-server port to the local host. matrix_appservice_irc_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9999') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_appservice_irc_container_network: "{{ matrix_addons_container_network }}" 
@@ -2318,17 +2304,10 @@ matrix_bot_postmoogle_ssl_path: |- { 'playbook-managed-traefik': devture_traefik_certs_dumper_dumped_certificates_dir_path, 'other-traefik-container': devture_traefik_certs_dumper_dumped_certificates_dir_path, - 'playbook-managed-nginx': (matrix_ssl_config_dir_path if matrix_playbook_ssl_retrieval_method != 'none' else ''), - 'other-nginx-non-container': (matrix_ssl_config_dir_path if matrix_playbook_ssl_retrieval_method != 'none' else ''), - 'other-on-same-host': '', - 'other-on-another-host': '', 'none': '', }[matrix_playbook_reverse_proxy_type] }} -matrix_playbook_bot_postmoogle_nginx_proxy_tls_cert: "{% for domain in matrix_bot_postmoogle_domains %}/ssl/live/{{ domain }}/fullchain.pem {% endfor %}" -matrix_playbook_bot_postmoogle_nginx_proxy_key: "{% for domain in matrix_bot_postmoogle_domains %}/ssl/live/{{ domain }}/privkey.pem {% endfor %}" - matrix_playbook_bot_postmoogle_traefik_tls_cert: "{% for domain in matrix_bot_postmoogle_domains %}/ssl/{{ domain }}/certificate.crt {% endfor %}" matrix_playbook_bot_postmoogle_traefik_key: "{% for domain in matrix_bot_postmoogle_domains %}/ssl/{{ domain }}/privatekey.key {% endfor %}" @@ -2337,10 +2316,6 @@ matrix_bot_postmoogle_tls_cert: |- { 'playbook-managed-traefik': matrix_playbook_bot_postmoogle_traefik_tls_cert, 'other-traefik-container': matrix_playbook_bot_postmoogle_traefik_tls_cert, - 'playbook-managed-nginx': (matrix_playbook_bot_postmoogle_nginx_proxy_tls_cert if matrix_playbook_ssl_retrieval_method != 'none' else ''), - 'other-nginx-non-container': (matrix_playbook_bot_postmoogle_nginx_proxy_tls_cert if matrix_playbook_ssl_retrieval_method != 'none' else ''), - 'other-on-same-host': '', - 'other-on-another-host': '', 'none': '', }[matrix_playbook_reverse_proxy_type] }} 
@@ -2350,10 +2325,6 @@ matrix_bot_postmoogle_tls_key: |- { 'playbook-managed-traefik': matrix_playbook_bot_postmoogle_traefik_key, 'other-traefik-container': matrix_playbook_bot_postmoogle_traefik_key, - 'playbook-managed-nginx': (matrix_playbook_bot_postmoogle_nginx_proxy_key if matrix_playbook_ssl_retrieval_method != 'none' else ''), - 'other-nginx-non-container': (matrix_playbook_bot_postmoogle_nginx_proxy_key if matrix_playbook_ssl_retrieval_method != 'none' else ''), - 'other-on-same-host': '', - 'other-on-another-host': '', 'none': '', }[matrix_playbook_reverse_proxy_type] }} @@ -2736,17 +2707,13 @@ matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" matrix_coturn_turn_static_auth_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'coturn.sas', rounds=655555) | to_uuid }}" -matrix_coturn_tls_enabled: "{{ matrix_playbook_ssl_retrieval_method != 'none' }}" +matrix_coturn_tls_enabled: "{{ matrix_playbook_ssl_enabled }}" matrix_coturn_tls_cert_path: |- {{ { 'playbook-managed-traefik': '/certificate.crt', 'other-traefik-container': '/certificate.crt', - 'playbook-managed-nginx': '/fullchain.pem', - 'other-nginx-non-container': '/fullchain.pem', - 'other-on-same-host': '', - 'other-on-another-host': '', 'none': '', }[matrix_playbook_reverse_proxy_type] }} 
@@ -2756,31 +2723,12 @@ matrix_coturn_tls_key_path: |- { 'playbook-managed-traefik': '/privatekey.key', 'other-traefik-container': '/privatekey.key', - 'playbook-managed-nginx': '/privkey.pem', - 'other-nginx-non-container': '/privkey.pem', - 'other-on-same-host': '', - 'other-on-another-host': '', 'none': '', }[matrix_playbook_reverse_proxy_type] }} matrix_coturn_container_additional_volumes: | {{ - ( - [ - { - 'src': (matrix_ssl_config_dir_path + '/live/' + matrix_server_fqn_matrix + '/fullchain.pem'), - 'dst': '/fullchain.pem', - 'options': 'ro', - }, - { - 'src': (matrix_ssl_config_dir_path + '/live/' + matrix_server_fqn_matrix + '/privkey.pem'), - 'dst': '/privkey.pem', - 'options': 'ro', - }, - ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] and matrix_coturn_tls_enabled else [] - ) - + ( [ { @@ -2899,7 +2847,7 @@ etherpad_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }} etherpad_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9001') if matrix_playbook_service_host_bind_interface_prefix else '' }}" -etherpad_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else etherpad_identifier }}" +etherpad_container_network: "{{ matrix_addons_container_network }}" etherpad_container_additional_networks: | {{ @@ -2998,9 +2946,6 @@ jitsi_gid: "{{ matrix_user_gid }}" jitsi_user_username: "{{ matrix_user_username }}" -# Normally, matrix-nginx-proxy is enabled and nginx can reach jitsi/web over the container network. -# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# the Jitsi HTTP port to the local host. jitsi_web_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '13080') if matrix_playbook_service_host_bind_interface_prefix else '' }}" jitsi_web_container_additional_networks_auto: | 
@@ -3062,7 +3007,7 @@ jitsi_prosody_auth_matrix_uvs_sync_power_levels: "{{ matrix_user_verification_se jitsi_prosody_auth_matrix_uvs_auth_token: "{{ matrix_user_verification_service_uvs_auth_token }}" jitsi_prosody_auth_matrix_uvs_location: "{{ matrix_user_verification_service_container_url }}" -jitsi_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +jitsi_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}" # Gravatar is enabled by default upstream, but there's no need to leak data there needlessly # when embedding Jitsi in Matrix rooms. @@ -3168,9 +3113,6 @@ matrix_ma1sd_hostname: "{{ matrix_server_fqn_matrix }}" matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" -# Normally, matrix-nginx-proxy is enabled and nginx can reach ma1sd over the container network. -# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# ma1sd's web-server port. matrix_ma1sd_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '' ~ matrix_ma1sd_container_port | string) if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_ma1sd_container_network: "{{ matrix_homeserver_container_network }}" @@ -3210,7 +3152,7 @@ matrix_ma1sd_threepid_medium_email_connectors_smtp_host: "{{ exim_relay_identifi matrix_ma1sd_threepid_medium_email_connectors_smtp_port: 8025 matrix_ma1sd_threepid_medium_email_connectors_smtp_tls: 0 -matrix_ma1sd_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" +matrix_ma1sd_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}" matrix_ma1sd_systemd_required_services_list_auto: | {{ 
@@ -3305,198 +3247,6 @@ matrix_media_repo_homeserver_federation_enabled: "{{ matrix_homeserver_federatio # ###################################################################### -###################################################################### -# -# matrix-nginx-proxy -# -###################################################################### - -# This playbook installs its own nginx if -# - it's explicitly enabled -# - Traefik is in use. Not all services are Traefik-native yet, so we use reverse-proxy to some via a local-only matrix-nginx-proxy -matrix_nginx_proxy_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'playbook-managed-traefik', 'other-traefik-container'] }}" - -# matrix-nginx-proxy is only to handle HTTPS only if it's the chosen reverse-proxy. -# It may be enabled even if it's not chosen. See `matrix_nginx_proxy_enabled`. -matrix_ssl_retrieval_method: "{{ 'lets-encrypt' if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'none' }}" -matrix_nginx_proxy_https_enabled: "{{ matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' }}" - -# matrix-nginx-proxy is to publish ports only if it's the chosen reverse-proxy. -# It may be enabled even if it's not chosen. See `matrix_nginx_proxy_enabled`. 
-matrix_nginx_proxy_container_http_host_bind_port: "{{ '80' if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else '' }}" -matrix_nginx_proxy_container_federation_host_bind_port: "{{ matrix_federation_public_port if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else '' }}" - -# matrix-nginx-proxy is to trust reverse-proxy forwarded protocol and headers, unless it's the "main" (chosen) reverse-proxy -matrix_nginx_proxy_trust_forwarded_proto: "{{ matrix_playbook_reverse_proxy_type != 'playbook-managed-nginx' }}" -matrix_nginx_proxy_x_forwarded_for: "{{ '$remote_addr' if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else '$proxy_add_x_forwarded_for' }}" - -matrix_nginx_proxy_container_additional_networks: | - {{ - ( - ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else []) - + - ([matrix_prometheus_nginxlog_exporter_container_network] if (matrix_prometheus_nginxlog_exporter_enabled and matrix_prometheus_nginxlog_exporter_container_network != matrix_nginx_proxy_container_network) else []) - + - ([jitsi_container_network] if jitsi_enabled and matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' and jitsi_container_network != matrix_nginx_proxy_container_network else []) - ) | unique - }} - -matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-nginx-proxy:12080' }}" -matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "{{ '127.0.0.1:41080' if matrix_corporal_enabled else '127.0.0.1:12080' }}" -matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: |- - {{ - { - 'synapse': matrix_synapse_max_upload_size_mb, - 'dendrite': (matrix_dendrite_max_file_size_bytes / 1024 / 1024) | round, - 'conduit': (matrix_conduit_max_request_size / 1024 / 1024) | round, - }[matrix_homeserver_implementation]|int - }} - 
-matrix_nginx_proxy_proxy_matrix_enabled: true -matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" -matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" -matrix_nginx_proxy_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" -matrix_nginx_proxy_proxy_schildichat_enabled: "{{ matrix_client_schildichat_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" -matrix_nginx_proxy_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" -matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" -matrix_nginx_proxy_proxy_rageshake_enabled: "{{ matrix_rageshake_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" -matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" -matrix_nginx_proxy_proxy_mautrix_wsproxy_enabled: "{{ matrix_mautrix_wsproxy_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" - -matrix_nginx_proxy_proxy_jitsi_enabled: "{{ jitsi_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" - -matrix_nginx_proxy_proxy_grafana_enabled: "{{ grafana_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" 
-matrix_nginx_proxy_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" -matrix_nginx_proxy_proxy_ntfy_enabled: "{{ ntfy_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" - - -matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}" -matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" -matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081" - -# NOTE: we cannot disable this, even though matrix-media-repo is already natively exposed at the Traefik level. -# See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3045#issuecomment-1867327001 -matrix_nginx_proxy_proxy_media_repo_enabled: "{{ matrix_media_repo_enabled }}" -matrix_nginx_proxy_proxy_media_repo_addr_with_container: "{{ matrix_media_repo_identifier }}:{{ matrix_media_repo_port }}" -matrix_nginx_proxy_proxy_media_repo_addr_sans_container: "127.0.0.1:{{ matrix_media_repo_port }}" - -# By default, we do TLS termination for the Matrix Federation API (port 8448) at matrix-nginx-proxy. -# Unless this is handled there OR Synapse's federation listener port is disabled, we'll reverse-proxy. 
-matrix_nginx_proxy_proxy_matrix_federation_api_enabled: |- - {{ - { - 'synapse': (matrix_synapse_federation_port_enabled and not matrix_synapse_tls_federation_listener_enabled), - 'dendrite': matrix_dendrite_federation_enabled, - 'conduit': matrix_conduit_allow_federation, - }[matrix_homeserver_implementation]|bool - }} - -matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-nginx-proxy:12088" -matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:12088" - -# When matrix-nginx-proxy is disabled, the actual port number that the vhost uses may begin to matter. -matrix_nginx_proxy_proxy_matrix_federation_port: "{{ matrix_federation_public_port }}" - -# OCSP stapling does not make sense when self-signed certificates are used. -# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1073 -# and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1074 -matrix_nginx_proxy_ocsp_stapling_enabled: "{{ matrix_playbook_ssl_retrieval_method != 'self-signed' }}" - -matrix_nginx_proxy_systemd_wanted_services_list: | - {{ - ['matrix-' + matrix_homeserver_implementation + '.service'] - + - (matrix_synapse_webserving_workers_systemd_services_list if matrix_homeserver_implementation == 'synapse' and matrix_synapse_workers_enabled else []) - + - (['matrix-synapse-reverse-proxy-companion.service'] if matrix_synapse_reverse_proxy_companion_enabled else []) - + - (['matrix-corporal.service'] if matrix_corporal_enabled else []) - + - ([(matrix_media_repo_identifier + '.service')] if matrix_media_repo_enabled else []) - + - (['matrix-client-cinny.service'] if matrix_client_cinny_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) - + - (['matrix-bot-buscarron.service'] if matrix_bot_buscarron_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) - + - (['matrix-client-element.service'] if 
matrix_client_element_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) - + - (['matrix-client-hydrogen.service'] if matrix_client_hydrogen_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) - + - (['matrix-client-schildichat.service'] if matrix_client_schildichat_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) - + - ([(grafana_identifier + '.service')] if grafana_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) - + - (['matrix-dimension.service'] if matrix_dimension_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) - + - (['matrix-rageshake.service'] if matrix_rageshake_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) - + - (['matrix-sygnal.service'] if matrix_sygnal_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) - + - ([(ntfy_identifier + '.service')] if ntfy_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) - + - ([(jitsi_identifier + '-web.service')] if jitsi_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) - + - (['matrix-bot-go-neb.service'] if matrix_bot_go_neb_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) - + - ([etherpad_identifier + '.service'] if etherpad_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else []) - + - (['matrix-hookshot.service'] if matrix_hookshot_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 
'other-nginx-non-container'] else []) - }} - -matrix_ssl_domains_to_obtain_certificates_for: | - {{ - ([matrix_server_fqn_matrix]) - + - ([matrix_server_fqn_element] if matrix_client_element_enabled else []) - + - ([matrix_server_fqn_hydrogen] if matrix_client_hydrogen_enabled else []) - + - ([matrix_server_fqn_cinny] if matrix_client_cinny_enabled else []) - + - ([matrix_server_fqn_schildichat] if matrix_client_schildichat_enabled else []) - + - ([matrix_server_fqn_buscarron] if matrix_bot_buscarron_enabled else []) - + - ([matrix_server_fqn_dimension] if matrix_dimension_enabled else []) - + - ([matrix_server_fqn_bot_go_neb] if matrix_bot_go_neb_enabled else []) - + - ([matrix_server_fqn_jitsi] if jitsi_enabled else []) - + - ([matrix_server_fqn_grafana] if grafana_enabled else []) - + - ([matrix_server_fqn_sygnal] if matrix_sygnal_enabled else []) - + - ([matrix_server_fqn_mautrix_wsproxy] if matrix_mautrix_wsproxy_enabled else []) - + - ([ntfy_hostname] if ntfy_enabled else []) - + - ([matrix_server_fqn_rageshake] if matrix_rageshake_enabled else []) - + - (matrix_bot_postmoogle_domains if matrix_bot_postmoogle_enabled else []) - + - matrix_ssl_additional_domains_to_obtain_certificates_for - }} - -matrix_ssl_architecture: "{{ - { - 'amd64': 'amd64', - 'arm32': 'arm32v6', - 'arm64': 'arm64v8', - }[matrix_architecture] -}}" - -matrix_ssl_pre_obtaining_required_service_name: "{{ 'matrix-dynamic-dns' if matrix_dynamic_dns_enabled else '' }}" - -matrix_nginx_proxy_access_log_syslog_integration_enabled: "{{ matrix_prometheus_nginxlog_exporter_enabled }}" -matrix_nginx_proxy_access_log_syslog_integration_server_port: "{{ (matrix_prometheus_nginxlog_exporter_identifier | string +':'+ matrix_prometheus_nginxlog_exporter_container_syslog_port | string) | default('') }}" - -###################################################################### -# -# /matrix-nginx-proxy -# -###################################################################### - 
######################################################################## # # @@ -3853,7 +3603,7 @@ matrix_sygnal_metrics_prometheus_enabled: "{{ prometheus_enabled }}" matrix_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}" -matrix_sygnal_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-sygnal' }}" +matrix_sygnal_container_network: "{{ matrix_homeserver_container_network }}" matrix_sygnal_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" @@ -3887,8 +3637,6 @@ ntfy_gid: "{{ matrix_user_gid }}" ntfy_hostname: "{{ matrix_server_fqn_ntfy }}" -ntfy_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else ntfy_identifier }}" - ntfy_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" ntfy_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '2586') if matrix_playbook_service_host_bind_interface_prefix else '' }}" 
@@ -3962,7 +3710,7 @@ matrix_client_element_integrations_rest_url: "{{ matrix_dimension_integrations_r matrix_client_element_integrations_widgets_urls: "{{ matrix_dimension_integrations_widgets_urls if matrix_dimension_enabled else ['https://scalar.vector.im/api'] }}" matrix_client_element_integrations_jitsi_widget_url: "{{ matrix_dimension_integrations_jitsi_widget_url if matrix_dimension_enabled else 'https://scalar.vector.im/api/widgets/jitsi.html' }}" -matrix_client_element_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" +matrix_client_element_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}" matrix_client_element_registration_enabled: "{{ matrix_synapse_enable_registration }}" @@ -4006,7 +3754,7 @@ matrix_client_hydrogen_container_labels_traefik_tls_certResolver: "{{ devture_tr matrix_client_hydrogen_default_hs_url: "{{ matrix_homeserver_url }}" -matrix_client_hydrogen_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" +matrix_client_hydrogen_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}" ###################################################################### # @@ -4037,7 +3785,7 @@ matrix_client_cinny_container_labels_traefik_tls_certResolver: "{{ devture_traef matrix_client_cinny_default_hs_url: "{{ matrix_homeserver_url }}" -matrix_client_cinny_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" +matrix_client_cinny_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}" ###################################################################### # 
@@ -4075,7 +3823,7 @@ matrix_client_schildichat_integrations_rest_url: "{{ matrix_dimension_integratio matrix_client_schildichat_integrations_widgets_urls: "{{ matrix_dimension_integrations_widgets_urls if matrix_dimension_enabled else ['https://scalar.vector.im/api'] }}" matrix_client_schildichat_integrations_jitsi_widget_url: "{{ matrix_dimension_integrations_jitsi_widget_url if matrix_dimension_enabled else 'https://scalar.vector.im/api/widgets/jitsi.html' }}" -matrix_client_schildichat_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" +matrix_client_schildichat_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}" matrix_client_schildichat_registration_enabled: "{{ matrix_synapse_enable_registration }}" @@ -4192,12 +3940,6 @@ matrix_synapse_email_smtp_port: 8025 matrix_synapse_email_smtp_require_transport_security: false matrix_synapse_email_notif_from: "Matrix <{{ exim_relay_sender_address }}>" -# Even if TURN doesn't support TLS (it does by default), -# it doesn't hurt to try a secure connection anyway. -# -# When Let's Encrypt certificates are used (the default case), -# we don't enable `turns` endpoints, because WebRTC in Element can't talk to them. -# Learn more here: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1145 matrix_synapse_turn_uris: | {{ [] @@ -4205,7 +3947,7 @@ matrix_synapse_turn_uris: | [ 'turns:' + matrix_server_fqn_matrix + '?transport=udp', 'turns:' + matrix_server_fqn_matrix + '?transport=tcp', - ] if matrix_coturn_enabled and matrix_coturn_tls_enabled and matrix_playbook_ssl_retrieval_method != 'lets-encrypt' else [] + ] if matrix_coturn_enabled and matrix_coturn_tls_enabled else [] + [ 'turn:' + matrix_server_fqn_matrix + '?transport=udp', 
@@ -4215,7 +3957,7 @@ matrix_synapse_turn_uris: | matrix_synapse_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}" -matrix_synapse_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" +matrix_synapse_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}" matrix_synapse_systemd_required_services_list_auto: | {{ @@ -4356,7 +4098,7 @@ matrix_synapse_admin_container_http_host_bind_port: "{{ (matrix_playbook_service matrix_synapse_admin_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" -matrix_synapse_admin_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-synapse-admin' }}" +matrix_synapse_admin_container_network: "{{ matrix_addons_container_network }}" matrix_synapse_admin_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" @@ -4522,9 +4264,6 @@ prometheus_container_additional_networks: | ) | unique }} -# Normally, matrix-nginx-proxy is enabled and nginx can reach Prometheus over the container network. -# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# Prometheus' HTTP port to the local host. prometheus_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9090') if matrix_playbook_service_host_bind_interface_prefix else '' }}" prometheus_config_rule_files_auto: | 
@@ -4624,9 +4363,6 @@ grafana_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_pro grafana_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" grafana_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" -# Normally, matrix-nginx-proxy is enabled and nginx can reach Grafana over the container network. -# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# Grafana's HTTP port to the local host. grafana_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '3000') if matrix_playbook_service_host_bind_interface_prefix else '' }}" grafana_provisioning_datasources: | @@ -4733,7 +4469,7 @@ matrix_registration_shared_secret: |- matrix_registration_server_location: "{{ matrix_addons_homeserver_client_api_url }}" -matrix_registration_api_validate_certs: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" +matrix_registration_api_validate_certs: "{{ matrix_playbook_ssl_enabled }}" # Postgres is the default, except if not using internal Postgres server matrix_registration_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" @@ -4871,9 +4607,9 @@ matrix_dendrite_client_api_turn_uris: | matrix_dendrite_client_api_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}" -matrix_dendrite_disable_tls_validation: "{{ true if matrix_playbook_ssl_retrieval_method == 'self-signed' else false }}" +matrix_dendrite_disable_tls_validation: "{{ not matrix_playbook_ssl_enabled }}" -matrix_dendrite_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" +matrix_dendrite_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}" matrix_dendrite_trusted_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_ma1sd_enabled else ['matrix.org', 'vector.im'] }}" 
@@ -4932,12 +4668,6 @@ matrix_conduit_container_labels_public_federation_api_traefik_entrypoints: "{{ m matrix_conduit_container_labels_internal_client_api_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}" matrix_conduit_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}" -# Even if TURN doesn't support TLS (it does by default), -# it doesn't hurt to try a secure connection anyway. -# -# When Let's Encrypt certificates are used (the default case), -# we don't enable `turns` endpoints, because WebRTC in Element can't talk to them. -# Learn more here: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1145 matrix_conduit_turn_uris: | {{ [] @@ -4945,7 +4675,7 @@ matrix_conduit_turn_uris: | [ 'turns:' + matrix_server_fqn_matrix + '?transport=udp', 'turns:' + matrix_server_fqn_matrix + '?transport=tcp', - ] if matrix_coturn_enabled and matrix_coturn_tls_enabled and matrix_playbook_ssl_retrieval_method != 'lets-encrypt' else [] + ] if matrix_coturn_enabled and matrix_coturn_tls_enabled else [] + [ 'turn:' + matrix_server_fqn_matrix + '?transport=udp', @@ -5150,8 +4880,6 @@ devture_traefik_additional_entrypoints_auto: | ([matrix_playbook_internal_matrix_client_api_traefik_entrypoint_definition] if matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled else []) }} -devture_traefik_additional_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains_to_obtain_certificates_for }}" - devture_traefik_config_providers_docker_endpoint: "{{ devture_container_socket_proxy_endpoint if devture_container_socket_proxy_enabled else 'unix:///var/run/docker.sock' }}" devture_traefik_container_additional_networks_auto: | diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index 8c709bff5..3630e20cc 100644 --- a/roles/custom/matrix-base/defaults/main.yml 
+++ b/roles/custom/matrix-base/defaults/main.yml @@ -209,12 +209,6 @@ matrix_metrics_exposure_http_basic_auth_users: '' # - the playbook will run a managed Traefik instance (matrix-traefik) # - Traefik will do SSL termination, unless you disable it (e.g. `devture_traefik_config_entrypoint_web_secure_enabled: false`) # - if SSL termination is enabled (as it is by default), you need to populate: `devture_traefik_config_certificatesResolvers_acme_email` -# - it will also install matrix-nginx-proxy in local-only mode, while we migrate the rest of the services to a Traefik-native mode of working -# -# - `playbook-managed-nginx` -# - the playbook will install matrix-nginx-proxy -# - matrix-nginx-proxy will do SSL termination with Certbot, unless you change that (see `matrix_ssl_retrieval_method`) -# - if SSL termination is enabled (as it is by default), you need to populate: `matrix_ssl_lets_encrypt_support_email` # # - `other-traefik-container` # - this playbook will not install Traefik 
@@ -223,24 +217,11 @@ matrix_metrics_exposure_http_basic_auth_users: '' # - you need to set `matrix_playbook_reverse_proxyable_services_additional_network` to the name of your Traefik network # - Traefik certs dumper will be enabled by default (`devture_traefik_certs_dumper_enabled`). You need to point it to your Traefik's SSL certificates (`devture_traefik_certs_dumper_ssl_dir_path`) # -# - `other-nginx-non-container` -# - the playbook will not install matrix-nginx-proxy -# - however, it will still dump some nginx configuration in /matrix/nginx/conf.d -# - these configs are meant to be included into a locally-installed (without a container) nginx server -# - all container services are exposed locally (e.g. `-p 127.0.0.1:8080:8080`) -# -# - `other-on-same-host` -# - like other-nginx-non-container, but supposedly won't generate useless configuration in /matrix/nginx/conf.d in the future -# -# - `other-on-another-host` -# - like other-on-same-host, but services are exposed on all interfaces (e.g. `-p 0.0.0.0:8080:8080`) -# - configurable via `matrix_playbook_service_host_bind_interface_prefix` -# # - `none` # - no reverse-proxy will be installed -# - no nginx configuration will be dumped in /matrix/nginx/conf.d # - no port exposure will be done for any of the container services # - it's up to you to expose the ports you want, etc. +# - this is unlikely to work well (if at all) matrix_playbook_reverse_proxy_type: '' # Specifies the network that the reverse-proxy is operating at 
@@ -252,6 +233,11 @@ matrix_playbook_reverse_proxy_hostname: 'matrix-traefik' # Controls the additional network that reverse-proxyable services will be connected to. matrix_playbook_reverse_proxyable_services_additional_network: "{{ matrix_playbook_reverse_proxy_container_network }}" +# Controls if various services think if SSL is enabled or not. +# Disabling this does not actually disable Treafik's web-secure entrypoint and TLS termination settings. +# For that, you'd need to use other variables. This one merely serves as an indicator if SSL is used or not. +matrix_playbook_ssl_enabled: true + matrix_playbook_service_host_bind_interface_prefix: "{{ '' if matrix_playbook_reverse_proxy_type not in ['other-nginx-non-container', 'other-on-same-host', 'other-on-another-host'] else ('0.0.0.0:' if matrix_playbook_reverse_proxy_type == 'other-on-another-host' else '127.0.0.1:') }}" # Controls whether to enable an additional Traefik entrypoint for the purpose of serving Matrix Federation. diff --git a/roles/custom/matrix-base/tasks/validate_config.yml b/roles/custom/matrix-base/tasks/validate_config.yml index 33cce48cd..d96fda890 100644 --- a/roles/custom/matrix-base/tasks/validate_config.yml +++ b/roles/custom/matrix-base/tasks/validate_config.yml @@ -65,7 +65,7 @@ - name: Fail if matrix_playbook_reverse_proxy_type is set incorrectly ansible.builtin.fail: msg: "Detected that variable matrix_playbook_reverse_proxy_type (current value: `{{ matrix_playbook_reverse_proxy_type }}`) appears to be set incorrectly. See roles/custom/matrix-base/defaults/main.yml for valid choices." - when: matrix_playbook_reverse_proxy_type not in ['playbook-managed-traefik', 'playbook-managed-nginx', 'other-traefik-container', 'other-nginx-non-container', 'other-on-same-host', 'other-on-another-host', 'none'] + when: matrix_playbook_reverse_proxy_type not in ['playbook-managed-traefik', 'other-traefik-container', 'none'] - name: Fail if uppercase domain used ansible.builtin.fail: 
diff --git a/roles/custom/matrix-client-cinny/defaults/main.yml b/roles/custom/matrix-client-cinny/defaults/main.yml index 1e1acb3a0..f79c65dda 100644 --- a/roles/custom/matrix-client-cinny/defaults/main.yml +++ b/roles/custom/matrix-client-cinny/defaults/main.yml @@ -127,13 +127,9 @@ matrix_client_cinny_hsts_preload_enabled: false # The hostname at which Cinny is served. # Only works with with Traefik reverse-proxying. -# For matrix-nginx-proxy, `matrix_server_fqn_cinny` is used and this variable has no effect. matrix_client_cinny_hostname: "{{ matrix_server_fqn_cinny }}" # The path at which Cinny is exposed. -# When matrix-nginx-proxy is used, setting this to values other than `/` will cause configuration mismatches and trouble. -# -# If Traefik is used, the hostname is also configurable - see `matrix_client_cinny_container_labels_traefik_hostname`. # This value must either be `/` or not end with a slash (e.g. `/cinny`). matrix_client_cinny_path_prefix: / diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 9e793afe2..950a3c145 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml 
@@ -130,14 +130,9 @@ matrix_client_element_floc_optout_enabled: true matrix_client_element_hsts_preload_enabled: false # The hostname at which Element is served. -# Only works with with Traefik reverse-proxying. -# For matrix-nginx-proxy, `matrix_server_fqn_element` is used and this variable has no effect. matrix_client_element_hostname: "{{ matrix_server_fqn_element }}" # The path at which Element is exposed. -# When matrix-nginx-proxy is used, setting this to values other than `/` will cause configuration mismatches and trouble. -# -# If Traefik is used, the hostname is also configurable - see `matrix_client_element_container_labels_traefik_hostname`. # This value must either be `/` or not end with a slash (e.g. `/element`). matrix_client_element_path_prefix: / diff --git a/roles/custom/matrix-client-hydrogen/defaults/main.yml b/roles/custom/matrix-client-hydrogen/defaults/main.yml index e2aa0ef16..b4bb5d275 100644 --- a/roles/custom/matrix-client-hydrogen/defaults/main.yml +++ b/roles/custom/matrix-client-hydrogen/defaults/main.yml @@ -125,14 +125,9 @@ matrix_client_hydrogen_floc_optout_enabled: true matrix_client_hydrogen_hsts_preload_enabled: false # The hostname at which Hydrogen is served. -# Only works with with Traefik reverse-proxying. -# For matrix-nginx-proxy, `matrix_server_fqn_hydrogen` is used and this variable has no effect. matrix_client_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}" # The path at which Hydrogen is exposed. -# When matrix-nginx-proxy is used, setting this to values other than `/` will cause configuration mismatches and trouble. -# -# If Traefik is used, the hostname is also configurable - see `matrix_client_hydrogen_container_labels_traefik_hostname`. # This value must either be `/` or not end with a slash (e.g. `/hydrogen`). matrix_client_hydrogen_path_prefix: / diff --git a/roles/custom/matrix-client-schildichat/defaults/main.yml b/roles/custom/matrix-client-schildichat/defaults/main.yml index a686930ad..ae79615c1 100644 
--- a/roles/custom/matrix-client-schildichat/defaults/main.yml +++ b/roles/custom/matrix-client-schildichat/defaults/main.yml @@ -124,14 +124,9 @@ matrix_client_schildichat_floc_optout_enabled: true matrix_client_schildichat_hsts_preload_enabled: false # The hostname at which schildichat is served. -# Only works with with Traefik reverse-proxying. -# For matrix-nginx-proxy, `matrix_server_fqn_schildichat` is used and this variable has no effect. matrix_client_schildichat_hostname: "{{ matrix_server_fqn_schildichat }}" # The path at which schildichat is exposed. -# When matrix-nginx-proxy is used, setting this to values other than `/` will cause configuration mismatches and trouble. -# -# If Traefik is used, the hostname is also configurable - see `matrix_client_schildichat_container_labels_traefik_hostname`. # This value must either be `/` or not end with a slash (e.g. `/schildichat`). matrix_client_schildichat_path_prefix: / diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml index d7911220d..9c6e06e49 100644 --- a/roles/custom/matrix-dendrite/defaults/main.yml +++ b/roles/custom/matrix-dendrite/defaults/main.yml @@ -27,7 +27,7 @@ matrix_dendrite_ext_path: "{{ matrix_dendrite_base_path }}/ext" matrix_dendrite_docker_src_files_path: "{{ matrix_dendrite_base_path }}/docker-src" # By default, we make Dendrite only serve HTTP (not HTTPS). -# HTTPS is usually served at the reverse-proxy side (usually via `matrix-nginx-proxy`). +# HTTPS is usually served at the reverse-proxy side. # # To enable HTTPS serving by Dendrite (directly): # - `matrix_dendrite_https_bind_port` must be set diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml deleted file mode 100644 index d481019ba..000000000 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ /dev/null 
@@ -1,495 +0,0 @@ ---- -# Project source code URL: https://github.com/nginx/nginx -matrix_nginx_proxy_enabled: true -# renovate: datasource=docker depName=nginx -matrix_nginx_proxy_version: 1.25.3-alpine - -# We use an official nginx image, which we fix-up to run unprivileged. -# An alternative would be an `nginxinc/nginx-unprivileged` image, but -# that is frequently out of date. -matrix_nginx_proxy_docker_image: "{{ matrix_container_global_registry_prefix }}nginx:{{ matrix_nginx_proxy_version }}" -matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}" - -matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy" -matrix_nginx_proxy_data_path: "{{ matrix_nginx_proxy_base_path }}/data" -matrix_nginx_proxy_data_path_in_container: "/nginx-data" -matrix_nginx_proxy_data_path_extension: "/matrix-domain" -matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_base_path }}/conf.d" - -# List of systemd services that matrix-nginx-proxy.service depends on -matrix_nginx_proxy_systemd_required_services_list: ['docker.service'] - -# List of systemd services that matrix-nginx-proxy.service wants -matrix_nginx_proxy_systemd_wanted_services_list: [] - -# The base container network. -# Also see: matrix_nginx_proxy_container_additional_networks -matrix_nginx_proxy_container_network: matrix-nginx-proxy - -# A list of additional container networks that matrix-nginx-proxy would be connected to. -# The playbook does not create these networks, so make sure they already exist. -# -# Use this to expose matrix-nginx-proxy to another reverse proxy, which runs in a different container network, -# without exposing all other Matrix services to that other reverse-proxy. -# -# For background, see: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1498 -matrix_nginx_proxy_container_additional_networks: [] - -# A list of additional "volumes" to mount in the container. -# This list gets populated dynamically at runtime. 
You can provide a different default value, -# if you wish to mount your own files into the container. -# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} -matrix_nginx_proxy_container_additional_volumes: [] - -# A list of extra arguments to pass to the container -matrix_nginx_proxy_container_extra_arguments: [] - -# Controls whether matrix-nginx-proxy serves its vhosts over HTTPS or HTTP. -# -# If enabled: -# - SSL certificates would be expected to be available (see `matrix_ssl_retrieval_method`) -# - the HTTP vhost would be made a redirect to the HTTPS vhost -# -# If not enabled: -# - you don't need any SSL certificates (you can set `matrix_ssl_retrieval_method: none`) -# - naturally, there's no HTTPS vhost -# - services are served directly from the HTTP vhost -matrix_nginx_proxy_https_enabled: true - -# Controls whether matrix-nginx-proxy trusts an upstream server's X-Forwarded-Proto header -# -# Required if you disable HTTPS for the container (see `matrix_nginx_proxy_https_enabled`) and have an upstream server handle it instead. -matrix_nginx_proxy_trust_forwarded_proto: false -matrix_nginx_proxy_x_forwarded_proto_value: "{{ '$http_x_forwarded_proto' if matrix_nginx_proxy_trust_forwarded_proto else '$scheme' }}" - -# Controls whether the matrix-nginx-proxy container exposes its HTTP port (tcp/8080 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:80"), or empty string to not expose. -matrix_nginx_proxy_container_http_host_bind_port: '80' - -# Controls whether the matrix-nginx-proxy container exposes its HTTPS port (tcp/8443 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:443"), or empty string to not expose. -# -# This only makes sense and applies if `matrix_nginx_proxy_https_enabled` is set to `true`. -# Otherwise, there are no HTTPS vhosts to expose. 
-matrix_nginx_proxy_container_https_host_bind_port: '443' - -# Controls whether the matrix-nginx-proxy container exposes the Matrix Federation port (tcp/8448 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:8448"), or empty string to not expose. -# -# This only makes sense and applies if `matrix_nginx_proxy_proxy_matrix_federation_api_enabled` is set to `true`. -# Otherwise, there is no Matrix Federation port to expose. -# -# This port can take HTTP or HTTPS traffic, depending on `matrix_nginx_proxy_https_enabled`. -# When HTTPS is disabled, you'd likely want to only expose the port locally, and front it with another HTTPS-enabled reverse-proxy. -matrix_nginx_proxy_container_federation_host_bind_port: '8448' - -# Option to disable the access log -matrix_nginx_proxy_access_log_enabled: true - -# Controls whether proxying the Element domain should be done. -matrix_nginx_proxy_proxy_element_enabled: false -matrix_nginx_proxy_proxy_element_hostname: "{{ matrix_server_fqn_element }}" - -# Controls whether proxying the Hydrogen domain should be done. -matrix_nginx_proxy_proxy_hydrogen_enabled: false -matrix_nginx_proxy_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}" - -# Controls whether proxying the Cinny domain should be done. -matrix_nginx_proxy_proxy_cinny_enabled: false -matrix_nginx_proxy_proxy_cinny_hostname: "{{ matrix_server_fqn_cinny }}" - -# Controls whether proxying the schildichat domain should be done. -matrix_nginx_proxy_proxy_schildichat_enabled: false -matrix_nginx_proxy_proxy_schildichat_hostname: "{{ matrix_server_fqn_schildichat }}" - -# Controls whether proxying the buscarron domain should be done. -matrix_nginx_proxy_proxy_buscarron_enabled: false -matrix_nginx_proxy_proxy_buscarron_hostname: "{{ matrix_server_fqn_buscarron }}" - -# Controls whether proxying the matrix domain should be done. 
-matrix_nginx_proxy_proxy_matrix_enabled: false -matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}" -matrix_nginx_proxy_proxy_matrix_federation_hostname: "{{ matrix_nginx_proxy_proxy_matrix_hostname }}" -# The port name used for federation in the nginx configuration. -# This is not necessarily the port that it's actually on, -# as port-mapping happens (`-p ..`) for the `matrix-nginx-proxy` container. -matrix_nginx_proxy_proxy_matrix_federation_port: 8448 - -# Controls whether proxying the dimension domain should be done. -matrix_nginx_proxy_proxy_dimension_enabled: false -matrix_nginx_proxy_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}" - -# Controls whether proxying the rageshake domain should be done. -matrix_nginx_proxy_proxy_rageshake_enabled: false -matrix_nginx_proxy_proxy_rageshake_hostname: "{{ matrix_server_fqn_rageshake }}" - -# Controls whether proxying the etherpad domain should be done. -matrix_nginx_proxy_proxy_etherpad_enabled: false -matrix_nginx_proxy_proxy_etherpad_hostname: "{{ matrix_server_fqn_etherpad }}" - -# Controls whether proxying the goneb domain should be done. -matrix_nginx_proxy_proxy_bot_go_neb_enabled: false -matrix_nginx_proxy_proxy_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }}" - -# Controls whether proxying the jitsi domain should be done. -matrix_nginx_proxy_proxy_jitsi_enabled: false -matrix_nginx_proxy_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}" - -# Controls whether proxying the grafana domain should be done. -matrix_nginx_proxy_proxy_grafana_enabled: false -matrix_nginx_proxy_proxy_grafana_hostname: "{{ matrix_server_fqn_grafana }}" - -# Controls whether proxying the sygnal domain should be done. -matrix_nginx_proxy_proxy_sygnal_enabled: false -matrix_nginx_proxy_proxy_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}" - -# Controls whether proxying the mautrix wsproxy should be done. 
-matrix_nginx_proxy_proxy_mautrix_wsproxy_enabled: false -matrix_nginx_proxy_proxy_mautrix_wsproxy_hostname: "{{ matrix_server_fqn_mautrix_wsproxy }}" - -# Controls whether proxying the ntfy domain should be done. -matrix_nginx_proxy_proxy_ntfy_enabled: false -matrix_nginx_proxy_proxy_ntfy_hostname: "{{ matrix_server_fqn_ntfy }}" - -# Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain) -matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false -matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" -matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081" - -# Controls whether proxying for the media repo (`/_matrix/media`) should be done (on the matrix domain) -matrix_nginx_proxy_proxy_media_repo_enabled: false -matrix_nginx_proxy_proxy_media_repo_addr_with_container: "matrix-media-repo:{{ matrix_media_repo_port }}" -matrix_nginx_proxy_proxy_media_repo_addr_sans_container: "127.0.0.1:{{ matrix_media_repo_port }}" - -# The addresses where the Matrix Client API is. -# Certain extensions (like matrix-corporal) may override this in order to capture all traffic. -matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-nginx-proxy:12080" -matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:12080" - -# This needs to be equal or higher than the maximum upload size accepted by Synapse. -matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 50 - -# `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefixes` holds -# the location prefixes that get forwarded to the Matrix Client API server. -# These locations get combined into a regex like this `^(/_matrix|/_synapse/client)`. -matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: | - {{ - (['/_matrix']) - }} - -# Controls whether proxying for the Matrix Federation API should be done. 
-matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false -matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-nginx-proxy:12088" -matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:12088" -matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb | int) * 3 }}" -matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem" -matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem" -matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem" - -# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. -matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}" -matrix_nginx_proxy_tmp_cache_directory_size_mb: "{{ (matrix_nginx_proxy_synapse_cache_max_size_mb | int) * 2 }}" -# A list of strings containing additional configuration blocks to add to the nginx server configuration (nginx.conf). -# for big matrixservers to enlarge the number of open files to prevent timeouts -# matrix_nginx_proxy_proxy_additional_configuration_blocks: -# - 'worker_rlimit_nofile 30000;' -matrix_nginx_proxy_proxy_additional_configuration_blocks: [] - -# A list of strings containing additional configuration blocks to add to the nginx event server configuration (nginx.conf). -matrix_nginx_proxy_proxy_event_additional_configuration_blocks: [] - -# A list of strings containing additional configuration blocks to add to the nginx http's server configuration (nginx-http.conf). 
-matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks: [] - -# A list of strings containing additional configuration blocks to add to the base matrix server configuration (matrix-domain.conf). -matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: [] - -# A list of strings containing additional configuration blocks to add to Riot's server configuration (matrix-riot-web.conf). -matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: [] - -# A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf). -matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks: [] - -# A list of strings containing additional configuration blocks to add to Hydrogen's server configuration (matrix-client-hydrogen.conf). -matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks: [] - -# A list of strings containing additional configuration blocks to add to Cinny's server configuration (matrix-client-cinny.conf). -matrix_nginx_proxy_proxy_cinny_additional_server_configuration_blocks: [] - -# A list of strings containing additional configuration blocks to add to schildichat's server configuration (matrix-client-schildichat.conf). -matrix_nginx_proxy_proxy_schildichat_additional_server_configuration_blocks: [] - -# A list of strings containing additional configuration blocks to add to buscarron's server configuration (matrix-bot-buscarron.conf). -matrix_nginx_proxy_proxy_buscarron_additional_server_configuration_blocks: [] - -# A list of strings containing additional configuration blocks to add to Dimension's server configuration (matrix-dimension.conf). -matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: [] - -# A list of strings containing additional configuration blocks to add to Rageshake's server configuration (matrix-rageshake.conf). 
-matrix_nginx_proxy_proxy_rageshake_additional_server_configuration_blocks: [] - -# A list of strings containing additional configuration blocks to add to etherpad's server configuration (matrix-etherpad.conf). -matrix_nginx_proxy_proxy_etherpad_additional_server_configuration_blocks: [] - -# A list of strings containing additional configuration blocks to add to GoNEB's server configuration (matrix-bot-go-neb.conf). -matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks: [] - -# A list of strings containing additional configuration blocks to add to Jitsi's server configuration (matrix-jitsi.conf). -matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks: [] - -# A list of strings containing additional configuration blocks to add to Grafana's server configuration (matrix-grafana.conf). -matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks: [] - -# A list of strings containing additional configuration blocks to add to Sygnal's server configuration (matrix-sygnal.conf). -matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks: [] - -# A list of strings containing additional configuration blocks to add to mautrix wsproxy server configuration (matrix-mautrix-wsproxy.conf). -matrix_nginx_proxy_proxy_mautrix_wsproxy_additional_server_configuration_blocks: [] - -# A list of strings containing additional configuration blocks to add to ntfy's server configuration (matrix-ntfy.conf). -matrix_nginx_proxy_proxy_ntfy_additional_server_configuration_blocks: [] - -# A list of strings containing additional configuration blocks to add to the base domain server configuration (matrix-base-domain.conf). 
-matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: [] - -# To increase request timeout in NGINX using proxy_read_timeout, proxy_connect_timeout, proxy_send_timeout, send_timeout directives -# Nginx Default: proxy_connect_timeout 60s; #Defines a timeout for establishing a connection with a proxied server -# Nginx Default: proxy_send_timeout 60s; #Sets a timeout for transmitting a request to the proxied server. -# Nginx Default: proxy_read_timeout 60s; #Defines a timeout for reading a response from the proxied server. -# Nginx Default: send_timeout 60s; #Sets a timeout for transmitting a response to the client. -# -# For more information visit: -# http://nginx.org/en/docs/http/ngx_http_proxy_module.html -# http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout -# https://www.nginx.com/resources/wiki/start/topics/examples/fullexample2/ -# -# Here we are sticking with nginx default values change this value carefully. -matrix_nginx_proxy_connect_timeout: 60 -matrix_nginx_proxy_send_timeout: 60 -matrix_nginx_proxy_read_timeout: 60 -matrix_nginx_send_timeout: 60 - -# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses for all vhosts meant to be accessed by users. -# -# Learn more about what it is here: -# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea -# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network -# - https://amifloced.org/ -# -# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. 
-matrix_nginx_proxy_floc_optout_enabled: true - -# HSTS Preloading Enable -# -# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and -# indicates a willingness to be “preloaded” into browsers: -# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` -# For more information visit: -# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security -# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security -# - https://hstspreload.org/#opt-in -matrix_nginx_proxy_hsts_preload_enabled: false - -# X-XSS-Protection Enable -# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. -# Note: Not applicable for grafana -# -# Learn more about it is here: -# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection -# - https://portswigger.net/web-security/cross-site-scripting/reflected -matrix_nginx_proxy_xss_protection: "1; mode=block" - -# Specifies the SSL configuration that should be used for the SSL protocols and ciphers -# This is based on the Mozilla Server Side TLS Recommended configurations. -# -# The posible values are: -# - "modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility -# - "intermediate" - Recommended configuration for a general-purpose server -# - "old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 -# -# For more information visit: -# - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations -# - https://ssl-config.mozilla.org/#server=nginx -matrix_nginx_proxy_ssl_preset: "intermediate" - -# Presets are taken from Mozilla's Server Side TLS Recommended configurations -# DO NOT modify these values and use `matrix_nginx_proxy_ssl_protocols`, `matrix_nginx_proxy_ssl_ciphers` and `matrix_nginx_proxy_ssl_ciphers` -# if you wish to use something more custom. 
-matrix_nginx_proxy_ssl_presets: - modern: - protocols: TLSv1.3 - ciphers: "" - prefer_server_ciphers: "off" - intermediate: - protocols: TLSv1.2 TLSv1.3 - ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 - prefer_server_ciphers: "off" - old: - protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 - ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA - prefer_server_ciphers: "on" - - -# Specifies which *SSL protocols* to use when serving all the various vhosts. -matrix_nginx_proxy_ssl_protocols: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}" - -# Specifies whether to prefer *the client’s choice or the server’s choice* when negotiating ciphers. -matrix_nginx_proxy_ssl_prefer_server_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}" - -# Specifies which *SSL Cipher suites* to use when serving all the various vhosts. -# To see the full list for suportes ciphers run `openssl ciphers` on your server -matrix_nginx_proxy_ssl_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}" - -# Specifies what to use for the X-Forwarded-For variable. 
-# If you're fronting the nginx reverse-proxy with additional reverse-proxy servers, -# you may wish to set this to '$proxy_add_x_forwarded_for' instead. -matrix_nginx_proxy_x_forwarded_for: '$remote_addr' - -# For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter). -# -# Otherwise, we get warnings like this: -# > [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/matrix/ssl/config/live/.../fullchain.pem" -# -# We point it to the internal Docker resolver, which likely delegates to nameservers defined in `/etc/resolv.conf`. -# -# When nginx proxy is disabled, our configuration is likely used by non-containerized nginx, so can't use the internal Docker resolver. -# Pointing `resolver` to some public DNS server might be an option, but for now we impose DNS servers on people. -# It might also be that no such warnings occur when not running in a container. -matrix_nginx_proxy_http_level_resolver: "{{ '127.0.0.11' if matrix_nginx_proxy_enabled else '' }}" - -# By default, this playbook automatically retrieves and auto-renews -# free SSL certificates from Let's Encrypt. 
-# -# The following retrieval methods are supported: -# - "lets-encrypt" - the playbook obtains free SSL certificates from Let's Encrypt -# - "self-signed" - the playbook generates and self-signs certificates -# - "manually-managed" - lets you manage certificates by yourself (manually; see below) -# - "none" - like "manually-managed", but doesn't care if you don't drop certificates in the location it expects -# -# If you decide to manage certificates by yourself (`matrix_ssl_retrieval_method: manually-managed`), -# you'd need to drop them into the directory specified by `matrix_ssl_config_dir_path` -# obeying the following hierarchy: -# - /live//fullchain.pem -# - /live//privkey.pem -# where refers to the domains that you need (usually `matrix_server_fqn_matrix` and `matrix_server_fqn_element`). -# -# The "none" type (`matrix_ssl_retrieval_method: none`), simply means that no certificate retrieval will happen. -# It's useful for when you've disabled the nginx proxy (`matrix_nginx_proxy_enabled: false`) -# and you'll be using another reverse-proxy server (like Apache) with your own certificates, managed by yourself. -# It's also useful if you're using `matrix_nginx_proxy_https_enabled: false` to make this nginx proxy serve -# plain HTTP traffic only (usually, on the loopback interface only) and you'd be terminating SSL using another reverse-proxy. -matrix_ssl_retrieval_method: "lets-encrypt" - -matrix_ssl_architecture: "amd64" - -# The full list of domains that this role will obtain certificates for. -# This variable is likely redefined outside of the role, to include the domains that are necessary (depending on the services that are enabled). -# To add additional domain names, consider using `matrix_ssl_additional_domains_to_obtain_certificates_for` instead. -matrix_ssl_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains_to_obtain_certificates_for }}" - -# A list of additional domain names to obtain certificates for. 
-matrix_ssl_additional_domains_to_obtain_certificates_for: [] - -# Controls whether to obtain production or staging certificates from Let's Encrypt. -# If you'd like to use another ACME Certificate Authority server (not Let's Encrypt), use `matrix_ssl_lets_encrypt_server` -matrix_ssl_lets_encrypt_staging: false - -# Controls from which Certificate Authority server to retrieve the SSL certificates (passed as a `--server` flag to Certbot). -# By default, we use the Let's Encrypt production environment (use `matrix_ssl_lets_encrypt_staging` for using the staging environment). -# Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#changing-the-acme-server -matrix_ssl_lets_encrypt_server: '' - -matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v2.0.0" -matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" -matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 -matrix_ssl_lets_encrypt_support_email: ~ - -# Tells which interface and port the Let's Encrypt (certbot) container should try to bind to -# when it tries to obtain initial certificates in standalone mode. -# -# This should normally be a public interface and port. -# If you'd like to not bind on all IP addresses, specify one explicitly (e.g. `a.b.c.d:80`) -matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port: '80' - -# Specify key type of the private key algorithm. 
-# Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#rsa-and-ecdsa-keys -matrix_ssl_lets_encrypt_key_type: ecdsa - -matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl" -matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config" -matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log" -matrix_ssl_bin_dir_path: "{{ matrix_ssl_base_path }}/bin" - -# If you'd like to start some service before a certificate is obtained, specify it here. -# This could be something like `matrix-dynamic-dns`, etc. -matrix_ssl_pre_obtaining_required_service_name: ~ -matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60 - -# matrix_ssl_orphaned_renewal_configs_purging_enabled controls whether the playbook will delete Let's Encryption renewal configuration files (`/matrix/ssl/config/renewal/*.conf) -# for domains that are not part of the `matrix_ssl_domains_to_obtain_certificates_for` list. -# -# As the `matrix_ssl_domains_to_obtain_certificates_for` list changes over time, the playbook obtains certificates for various domains -# and sets up "renewal" configuration files to keep these certificates fresh. -# When a domain disappears from the `matrix_ssl_domains_to_obtain_certificates_for` list (because its associated service had gotten disabled), -# the certificate files and renewal configuration still remain in the filesystem and certbot may try to renewal the certificate for this domain. -# If there's no DNS record for this domain or it doesn't point to this server anymore, the `matrix-ssl-lets-encrypt-certificates-renew.service` systemd service -# won't be able to renew the certificate and will generate an error. -# -# With `matrix_ssl_orphaned_renewal_configs_purging_enabled` enabled, orphaned renewal configurations will be purged on each playbook run. -# Some other leftover files will still remain, but we don't bother purging them because they don't cause troubles. 
-matrix_ssl_orphaned_renewal_configs_purging_enabled: true - -# Nginx Optimize SSL Session -# -# ssl_session_cache: -# - Creating a cache of TLS connection parameters reduces the number of handshakes -# and thus can improve the performance of application. -# - Default session cache is not optimal as it can be used by only one worker process -# and can cause memory fragmentation. It is much better to use shared cache. -# - Learn More: https://nginx.org/en/docs/http/ngx_http_ssl_module.html -# -# ssl_session_timeout: -# - Nginx by default it is set to 5 minutes which is very low. -# should be like 4h or 1d but will require you to increase the size of cache. -# - Learn More: -# https://github.com/certbot/certbot/issues/6903 -# https://github.com/mozilla/server-side-tls/issues/198 -# -# ssl_session_tickets: -# - In case of session tickets, information about session is given to the client. -# Enabling this improve performance also make Perfect Forward Secrecy useless. -# - If you would instead like to use ssl_session_tickets by yourself, you can set -# matrix_nginx_proxy_ssl_session_tickets_off false. -# - Learn More: https://github.com/mozilla/server-side-tls/issues/135 -# -# Presets are taken from Mozilla's Server Side TLS Recommended configurations -matrix_nginx_proxy_ssl_session_cache: "shared:MozSSL:10m" -matrix_nginx_proxy_ssl_session_timeout: "1d" -matrix_nginx_proxy_ssl_session_tickets_off: true - -# OCSP Stapling eliminating the need for clients to contact the CA, with the aim of improving both security and performance. -# OCSP stapling can provide a performance boost of up to 30% -# nginx web server supports OCSP stapling since version 1.3.7. -# -# *warning* Nginx is lazy loading OCSP responses, which means that for the first few web requests it is unable to add the OCSP response. 
-# set matrix_nginx_proxy_ocsp_stapling_enabled false to disable OCSP Stapling -# -# Learn more about what it is here: -# - https://en.wikipedia.org/wiki/OCSP_stapling -# - https://blog.cloudflare.com/high-reliability-ocsp-stapling/ -# - https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ -matrix_nginx_proxy_ocsp_stapling_enabled: true - -# nginx status page configurations. -matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: false -matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ['{{ ansible_default_ipv4.address }}'] - - -# The amount of worker processes and connections -# Consider increasing these when you are expecting high amounts of traffic -# http://nginx.org/en/docs/ngx_core_module.html#worker_connections -matrix_nginx_proxy_worker_processes: auto -matrix_nginx_proxy_worker_connections: 1024 diff --git a/roles/custom/matrix-nginx-proxy/tasks/main.yml b/roles/custom/matrix-nginx-proxy/tasks/main.yml deleted file mode 100644 index c2b93aae1..000000000 --- a/roles/custom/matrix-nginx-proxy/tasks/main.yml +++ /dev/null 
@@ -1,36 +0,0 @@ ---- - -# Always validating the configuration, even if `matrix_nginx_proxy: false`. -# This role performs actions even if the role is disabled, so we need -# to ensure there's a valid configuration in any case. -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: run_setup | bool - tags: - - setup-all - - setup-nginx-proxy - - install-all - - install-nginx-proxy - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ssl/main.yml" - when: run_setup | bool - tags: - - setup-all - - setup-nginx-proxy - - setup-ssl - - install-all - - install-nginx-proxy - - install-ssl - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_nginx_proxy.yml" - when: run_setup | bool - tags: - - setup-all - - setup-nginx-proxy - - install-all - - install-nginx-proxy - -- name: Mark matrix-nginx-proxy role as executed - tags: - - always - ansible.builtin.set_fact: - matrix_nginx_proxy_role_executed: true diff --git a/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml deleted file mode 100644 index c53ca98bd..000000000 --- a/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ /dev/null 
@@ -1,296 +0,0 @@ ---- - -# -# Generic tasks that we always want to happen, regardless -# if the user wants matrix-nginx-proxy or not. -# -# If the user would set up their own nginx proxy server, -# the config files from matrix-nginx-proxy can be reused. -# -# It doesn't hurt to put them in place, even if they turn out -# to be unnecessary. -# -- name: Ensure Matrix nginx-proxy paths exist - ansible.builtin.file: - path: "{{ item }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - "{{ matrix_nginx_proxy_base_path }}" - - "{{ matrix_nginx_proxy_data_path }}" - - "{{ matrix_nginx_proxy_confd_path }}" - -- name: Ensure Matrix nginx-proxy configured (main config override) - ansible.builtin.template: - src: "{{ role_path }}/templates/nginx/nginx.conf.j2" - dest: "{{ matrix_nginx_proxy_base_path }}/nginx.conf" - mode: 0644 - when: matrix_nginx_proxy_enabled | bool - -- name: Ensure Matrix nginx-proxy configured (generic) - ansible.builtin.template: - src: "{{ role_path }}/templates/nginx/conf.d/nginx-http.conf.j2" - dest: "{{ matrix_nginx_proxy_confd_path }}/nginx-http.conf" - mode: 0644 - when: matrix_nginx_proxy_enabled | bool - -- name: Ensure Matrix nginx-proxy configuration for Element domain exists - ansible.builtin.template: - src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-element.conf.j2" - dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-element.conf" - mode: 0644 - when: matrix_nginx_proxy_proxy_element_enabled | bool - -- name: Ensure Matrix nginx-proxy configuration for Hydrogen domain exists - ansible.builtin.template: - src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2" - dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-hydrogen.conf" - mode: 0644 - when: matrix_nginx_proxy_proxy_hydrogen_enabled | bool - -- name: Ensure Matrix nginx-proxy configuration for Cinny domain exists - ansible.builtin.template: - src: "{{ role_path 
}}/templates/nginx/conf.d/matrix-client-cinny.conf.j2" - dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-cinny.conf" - mode: 0644 - when: matrix_nginx_proxy_proxy_cinny_enabled | bool - -- name: Ensure Matrix nginx-proxy configuration for schildichat domain exists - ansible.builtin.template: - src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-schildichat.conf.j2" - dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-schildichat.conf" - mode: 0644 - when: matrix_nginx_proxy_proxy_schildichat_enabled | bool - -- name: Ensure Matrix nginx-proxy configuration for buscarron domain exists - ansible.builtin.template: - src: "{{ role_path }}/templates/nginx/conf.d/matrix-bot-buscarron.conf.j2" - dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-bot-buscarron.conf" - mode: 0644 - when: matrix_nginx_proxy_proxy_buscarron_enabled | bool - -- name: Ensure Matrix nginx-proxy configuration for dimension domain exists - ansible.builtin.template: - src: "{{ role_path }}/templates/nginx/conf.d/matrix-dimension.conf.j2" - dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-dimension.conf" - mode: 0644 - when: matrix_nginx_proxy_proxy_dimension_enabled | bool - -- name: Ensure Matrix nginx-proxy configuration for rageshake domain exists - ansible.builtin.template: - src: "{{ role_path }}/templates/nginx/conf.d/matrix-rageshake.conf.j2" - dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-rageshake.conf" - mode: 0644 - when: matrix_nginx_proxy_proxy_rageshake_enabled | bool - -- name: Ensure Matrix nginx-proxy configuration for etherpad domain exists - ansible.builtin.template: - src: "{{ role_path }}/templates/nginx/conf.d/matrix-etherpad.conf.j2" - dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-etherpad.conf" - mode: 0644 - when: matrix_nginx_proxy_proxy_etherpad_enabled | bool - -- name: Ensure Matrix nginx-proxy configuration for goneb domain exists - ansible.builtin.template: - src: "{{ role_path }}/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2" - dest: 
"{{ matrix_nginx_proxy_confd_path }}/matrix-bot-go-neb.conf" - mode: 0644 - when: matrix_nginx_proxy_proxy_bot_go_neb_enabled | bool - -- name: Ensure Matrix nginx-proxy configuration for jitsi domain exists - ansible.builtin.template: - src: "{{ role_path }}/templates/nginx/conf.d/matrix-jitsi.conf.j2" - dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-jitsi.conf" - mode: 0644 - when: matrix_nginx_proxy_proxy_jitsi_enabled | bool - -- name: Ensure Matrix nginx-proxy configuration for grafana domain exists - ansible.builtin.template: - src: "{{ role_path }}/templates/nginx/conf.d/matrix-grafana.conf.j2" - dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-grafana.conf" - mode: 0644 - when: matrix_nginx_proxy_proxy_grafana_enabled | bool - -- name: Ensure Matrix nginx-proxy configuration for sygnal domain exists - ansible.builtin.template: - src: "{{ role_path }}/templates/nginx/conf.d/matrix-sygnal.conf.j2" - dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-sygnal.conf" - mode: 0644 - when: matrix_nginx_proxy_proxy_sygnal_enabled | bool - -- name: Ensure Matrix nginx-proxy configuration for ntfy domain exists - ansible.builtin.template: - src: "{{ role_path }}/templates/nginx/conf.d/matrix-ntfy.conf.j2" - dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-ntfy.conf" - mode: 0644 - when: matrix_nginx_proxy_proxy_ntfy_enabled | bool - -- name: Ensure Matrix nginx-proxy configuration for mautrix wsproxy exists - ansible.builtin.template: - src: "{{ role_path }}/templates/nginx/conf.d/matrix-mautrix-wsproxy.conf.j2" - dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-mautrix-wsproxy.conf" - mode: 0644 - when: matrix_nginx_proxy_proxy_mautrix_wsproxy_enabled|bool - -- name: Ensure Matrix nginx-proxy configuration for Matrix domain exists - ansible.builtin.template: - src: "{{ role_path }}/templates/nginx/conf.d/matrix-domain.conf.j2" - dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-domain.conf" - mode: 0644 - -# -# Tasks related to setting up matrix-nginx-proxy -# -- 
name: Ensure nginx Docker image is pulled - community.docker.docker_image: - name: "{{ matrix_nginx_proxy_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_nginx_proxy_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_nginx_proxy_docker_image_force_pull }}" - when: matrix_nginx_proxy_enabled | bool - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure matrix-nginx-proxy container network is created - community.general.docker_network: - name: "{{ matrix_nginx_proxy_container_network }}" - driver: bridge - when: matrix_nginx_proxy_enabled | bool - -- name: Ensure matrix-nginx-proxy.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-nginx-proxy.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-nginx-proxy.service" - mode: 0644 - when: matrix_nginx_proxy_enabled | bool - - -# -# Tasks related to getting rid of matrix-nginx-proxy (if it was previously enabled) -# - -- name: Check existence of matrix-nginx-proxy service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-nginx-proxy.service" - register: matrix_nginx_proxy_service_stat - when: "not matrix_nginx_proxy_enabled | bool" - -- name: Ensure matrix-nginx-proxy is stopped - ansible.builtin.service: - name: matrix-nginx-proxy - state: stopped - enabled: false - daemon_reload: true - when: "not matrix_nginx_proxy_enabled | bool and matrix_nginx_proxy_service_stat.stat.exists" - -- name: Ensure matrix-nginx-proxy.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-nginx-proxy.service" - state: absent - 
when: "not matrix_nginx_proxy_enabled | bool and matrix_nginx_proxy_service_stat.stat.exists" - -- name: Ensure Matrix nginx-proxy configuration for matrix domain deleted - ansible.builtin.file: - path: "{{ matrix_nginx_proxy_confd_path }}/matrix-domain.conf" - state: absent - when: "not matrix_nginx_proxy_proxy_matrix_enabled | bool" - -- name: Ensure Matrix nginx-proxy configuration for Element domain deleted - ansible.builtin.file: - path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-element.conf" - state: absent - when: "not matrix_nginx_proxy_proxy_element_enabled | bool" - -- name: Ensure Matrix nginx-proxy configuration for Schildichat domain deleted - ansible.builtin.file: - path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-schildichat.conf" - state: absent - when: "not matrix_nginx_proxy_proxy_schildichat_enabled | bool" - -- name: Ensure Matrix nginx-proxy configuration for Hydrogen domain deleted - ansible.builtin.file: - path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-hydrogen.conf" - state: absent - when: "not matrix_nginx_proxy_proxy_hydrogen_enabled | bool" - -- name: Ensure Matrix nginx-proxy configuration for Cinny domain deleted - ansible.builtin.file: - path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-cinny.conf" - state: absent - when: "not matrix_nginx_proxy_proxy_cinny_enabled | bool" - -- name: Ensure Matrix nginx-proxy configuration for buscarron domain deleted - ansible.builtin.file: - path: "{{ matrix_nginx_proxy_confd_path }}/matrix-bot-buscarron.conf" - state: absent - when: "not matrix_nginx_proxy_proxy_buscarron_enabled | bool" - -- name: Ensure Matrix nginx-proxy configuration for dimension domain deleted - ansible.builtin.file: - path: "{{ matrix_nginx_proxy_confd_path }}/matrix-dimension.conf" - state: absent - when: "not matrix_nginx_proxy_proxy_dimension_enabled | bool" - -- name: Ensure Matrix nginx-proxy configuration for rageshake domain deleted - ansible.builtin.file: - path: "{{ 
matrix_nginx_proxy_confd_path }}/matrix-rageshake.conf" - state: absent - when: "not matrix_nginx_proxy_proxy_rageshake_enabled | bool" - -- name: Ensure Matrix nginx-proxy configuration for goneb domain deleted - ansible.builtin.file: - path: "{{ matrix_nginx_proxy_confd_path }}/matrix-bot-go-neb.conf" - state: absent - when: "not matrix_nginx_proxy_proxy_bot_go_neb_enabled | bool" - -- name: Ensure Matrix nginx-proxy configuration for jitsi domain deleted - ansible.builtin.file: - path: "{{ matrix_nginx_proxy_confd_path }}/matrix-jitsi.conf" - state: absent - when: "not matrix_nginx_proxy_proxy_jitsi_enabled | bool" - -- name: Ensure Matrix nginx-proxy configuration for grafana domain deleted - ansible.builtin.file: - path: "{{ matrix_nginx_proxy_confd_path }}/matrix-grafana.conf" - state: absent - when: "not matrix_nginx_proxy_proxy_grafana_enabled | bool" - -- name: Ensure Matrix nginx-proxy configuration for sygnal domain deleted - ansible.builtin.file: - path: "{{ matrix_nginx_proxy_confd_path }}/matrix-sygnal.conf" - state: absent - when: "not matrix_nginx_proxy_proxy_sygnal_enabled | bool" - -- name: Ensure Matrix nginx-proxy configuration for ntfy domain deleted - ansible.builtin.file: - path: "{{ matrix_nginx_proxy_confd_path }}/matrix-ntfy.conf" - state: absent - when: "not matrix_nginx_proxy_proxy_ntfy_enabled | bool" - -- name: Ensure Matrix nginx-proxy configuration for mautrix wsproxy deleted - ansible.builtin.file: - path: "{{ matrix_nginx_proxy_confd_path }}/matrix-mautrix-wsproxy.conf" - state: absent - when: "not matrix_nginx_proxy_proxy_mautrix_wsproxy_enabled|bool" - -- name: Ensure Matrix nginx-proxy configuration for etherpad domain deleted - ansible.builtin.file: - path: "{{ matrix_nginx_proxy_confd_path }}/matrix-etherpad.conf" - state: absent - when: "not matrix_nginx_proxy_proxy_etherpad_enabled | bool" - -- name: Ensure Matrix nginx-proxy configuration for main config override deleted - ansible.builtin.file: - path: "{{ 
matrix_nginx_proxy_base_path }}/nginx.conf" - state: absent - when: "not matrix_nginx_proxy_enabled | bool" - -# This file is now generated by the matrix-synapse role and saved in the Synapse directory -- name: (Cleanup) Ensure old sample prometheus.yml for external scraping is deleted - ansible.builtin.file: - path: "{{ matrix_base_data_path }}/external_prometheus.yml.example" - state: absent diff --git a/roles/custom/matrix-nginx-proxy/tasks/ssl/main.yml b/roles/custom/matrix-nginx-proxy/tasks/ssl/main.yml deleted file mode 100644 index 6eff8cbf7..000000000 --- a/roles/custom/matrix-nginx-proxy/tasks/ssl/main.yml +++ /dev/null @@ -1,37 +0,0 @@ ---- - -- name: Fail if using unsupported SSL certificate retrieval method - ansible.builtin.fail: - msg: "The `matrix_ssl_retrieval_method` variable contains an unsupported value" - when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed', 'none']" - -- name: Fail if using unsupported private key type - ansible.builtin.fail: - msg: "The `matrix_ssl_lets_encrypt_key_type` variable contains an unsupported value" - when: "matrix_ssl_lets_encrypt_key_type not in ['rsa', 'ecdsa']" - - -# Common tasks, required by almost any method below. - -- name: Ensure SSL certificate paths exists - ansible.builtin.file: - path: "{{ item }}" - state: directory - mode: 0770 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - recurse: true - with_items: - - "{{ matrix_ssl_log_dir_path }}" - - "{{ matrix_ssl_config_dir_path }}" - - "{{ matrix_ssl_bin_dir_path }}" - when: "matrix_ssl_retrieval_method != 'none'" - - -# Method specific tasks follow - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt.yml" - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_self_signed.yml" - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_manually_managed.yml" 
diff --git a/roles/custom/matrix-nginx-proxy/tasks/ssl/purge_ssl_lets_encrypt_orphaned_configs.yml b/roles/custom/matrix-nginx-proxy/tasks/ssl/purge_ssl_lets_encrypt_orphaned_configs.yml deleted file mode 100644 index 51fd1f314..000000000 --- a/roles/custom/matrix-nginx-proxy/tasks/ssl/purge_ssl_lets_encrypt_orphaned_configs.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- - -- name: Check if a Let's Encrypt renewal configuration directory exists - ansible.builtin.stat: - path: "{{ matrix_ssl_config_dir_path }}/renewal" - register: matrix_ssl_config_renewal_directory_stat_result - -- when: matrix_ssl_config_renewal_directory_stat_result.stat.exists | bool - block: - - name: Determine current Let's Encrypt renewal configs - ansible.builtin.find: - path: "{{ matrix_ssl_config_dir_path }}/renewal" - patterns: ".*.conf$" - use_regex: true - register: matrix_ssl_current_renewal_config_files - - - name: Determine unnecessary Let's Encrypt renewal configs - ansible.builtin.set_fact: - matrix_ssl_current_renewal_config_files_to_purge: "{{ matrix_ssl_current_renewal_config_files_to_purge | default([]) + [item.path] }}" - with_items: "{{ matrix_ssl_current_renewal_config_files.files }}" - when: "item.path | basename | replace('.conf', '') not in matrix_ssl_domains_to_obtain_certificates_for" - - - name: Purge unneceessary Let's Encrypt renewal config files - ansible.builtin.file: - path: "{{ item }}" - state: absent - with_items: "{{ matrix_ssl_current_renewal_config_files_to_purge | default([]) }}" diff --git a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml b/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml deleted file mode 100644 index a1b14e3b2..000000000 --- a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml +++ /dev/null 
@@ -1,54 +0,0 @@ ---- -# -# Tasks related to setting up Let's Encrypt's management of certificates -# - -- when: "matrix_ssl_retrieval_method == 'lets-encrypt'" - block: - - when: matrix_ssl_orphaned_renewal_configs_purging_enabled | bool - ansible.builtin.import_tasks: "{{ role_path }}/tasks/ssl/purge_ssl_lets_encrypt_orphaned_configs.yml" - - - name: Ensure certbot Docker image is pulled - community.docker.docker_image: - name: "{{ matrix_ssl_lets_encrypt_certbot_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_ssl_lets_encrypt_certbot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ssl_lets_encrypt_certbot_docker_image_force_pull }}" - - - name: Obtain Let's Encrypt certificates - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml" - with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for | unique }}" - loop_control: - loop_var: domain_name - - - name: Ensure Let's Encrypt SSL renewal script installed - ansible.builtin.template: - src: "{{ role_path }}/templates/bin/lets-encrypt-certificates-renew.j2" - dest: "{{ matrix_ssl_bin_dir_path }}/lets-encrypt-certificates-renew" - mode: 0755 - - - name: Ensure SSL renewal systemd units installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/{{ item.name }}.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ item.name }}" - mode: 0644 - when: "item.applicable | bool" - with_items: "{{ matrix_ssl_renewal_systemd_units_list }}" - -# -# Tasks related to getting rid of Let's Encrypt's management of certificates -# - -- when: "matrix_ssl_retrieval_method != 'lets-encrypt'" - block: - - name: Ensure matrix-ssl-lets-encrypt-renew cronjob removed - ansible.builtin.file: - path: "{{ 
devture_systemd_docker_base_systemd_path }}/{{ item.name }}" - state: absent - when: "not item.applicable | bool" - with_items: "{{ matrix_ssl_renewal_systemd_units_list }}" - - - name: Ensure Let's Encrypt SSL renewal script removed - ansible.builtin.file: - path: "{{ matrix_ssl_bin_dir_path }}/lets-encrypt-certificates-renew" - state: absent diff --git a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml b/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml deleted file mode 100644 index 0a1f53be5..000000000 --- a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml +++ /dev/null 
@@ -1,98 +0,0 @@ ---- -- ansible.builtin.debug: - msg: "Dealing with SSL certificate retrieval for domain: {{ domain_name }}" - -- ansible.builtin.set_fact: - domain_name_certificate_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem" - -- name: Check if a certificate for the domain already exists - ansible.builtin.stat: - path: "{{ domain_name_certificate_path }}" - register: domain_name_certificate_path_stat - -- ansible.builtin.set_fact: - domain_name_needs_cert: "{{ not domain_name_certificate_path_stat.stat.exists }}" - -- when: "domain_name_needs_cert | bool and matrix_ssl_pre_obtaining_required_service_name != ''" - block: - - name: Ensure required service for obtaining is started - ansible.builtin.service: - name: "{{ matrix_ssl_pre_obtaining_required_service_name }}" - state: started - register: matrix_ssl_pre_obtaining_required_service_start_result - - - name: Wait some time, so that the required service for obtaining can start - ansible.builtin.wait_for: - timeout: "{{ matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds }}" - when: "matrix_ssl_pre_obtaining_required_service_start_result.changed | bool" - -# This will fail if there is something running on port 80 (like matrix-nginx-proxy). -# We suppress the error, as we'll try another method below. 
-- name: Attempt initial SSL certificate retrieval with standalone authenticator (directly) - ansible.builtin.shell: >- - {{ devture_systemd_docker_base_host_command_docker }} run - --rm - --name=matrix-certbot - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - -p {{ matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port }}:8080 - --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt - --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt - {{ matrix_ssl_lets_encrypt_certbot_docker_image }} - certonly - --non-interactive - --work-dir=/tmp - --http-01-port 8080 - {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server|quote }}{% endif %} - {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %} - --key-type {{ matrix_ssl_lets_encrypt_key_type }} - --standalone - --preferred-challenges http - --agree-tos - --email={{ matrix_ssl_lets_encrypt_support_email }} - -d {{ domain_name }} - changed_when: true - when: domain_name_needs_cert | bool - register: result_certbot_direct - ignore_errors: true - -# If matrix-nginx-proxy is configured from a previous run of this playbook, -# and it's running now, it may be able to proxy requests to `matrix_ssl_lets_encrypt_certbot_standalone_http_port`. 
-- name: Attempt initial SSL certificate retrieval with standalone authenticator (via proxy) - ansible.builtin.shell: >- - {{ devture_systemd_docker_base_host_command_docker }} run - --rm - --name=matrix-certbot - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 - --network={{ matrix_nginx_proxy_container_network }} - --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt - --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt - {{ matrix_ssl_lets_encrypt_certbot_docker_image }} - certonly - --non-interactive - --work-dir=/tmp - --http-01-port 8080 - {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server|quote }}{% endif %} - {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %} - --key-type {{ matrix_ssl_lets_encrypt_key_type }} - --standalone - --preferred-challenges http - --agree-tos - --email={{ matrix_ssl_lets_encrypt_support_email }} - -d {{ domain_name }} - changed_when: true - when: "domain_name_needs_cert and result_certbot_direct.failed" - register: result_certbot_proxy - ignore_errors: true - -- name: Fail if all SSL certificate retrieval attempts failed - ansible.builtin.fail: - msg: | - Failed to obtain a certificate directly (by listening on port 80) - and also failed to obtain by relying on the server at port 80 to proxy the request. - See above for details. - You may wish to set up proxying of /.well-known/acme-challenge to {{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }} or, - more easily, stop the server on port 80 while this playbook runs. - when: "domain_name_needs_cert and result_certbot_direct.failed and result_certbot_proxy.failed" diff --git a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed.yml b/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed.yml deleted file mode 100644 index 769af3235..000000000 
--- a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- - -- name: Verify certificates - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml" - with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for | unique }}" - loop_control: - loop_var: domain_name - when: "matrix_ssl_retrieval_method == 'manually-managed'" diff --git a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml b/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml deleted file mode 100644 index ab0ffa2fe..000000000 --- a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml +++ /dev/null 
@@ -1,23 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_ssl_certificate_verification_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem" - matrix_ssl_certificate_verification_cert_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/privkey.pem" - -- name: Check if SSL certificate file exists - ansible.builtin.stat: - path: "{{ matrix_ssl_certificate_verification_cert_path }}" - register: matrix_ssl_certificate_verification_cert_path_stat_result - -- ansible.builtin.fail: - msg: "Failed finding a certificate file (for domain `{{ domain_name }}`) at `{{ matrix_ssl_certificate_verification_cert_path }}`" - when: "not matrix_ssl_certificate_verification_cert_path_stat_result.stat.exists" - -- name: Check if SSL certificate key file exists - ansible.builtin.stat: - path: "{{ matrix_ssl_certificate_verification_cert_key_path }}" - register: matrix_ssl_certificate_verification_cert_key_path_stat_result - -- ansible.builtin.fail: - msg: "Failed finding a certificate key file (for domain `{{ domain_name }}`) at `{{ matrix_ssl_certificate_verification_cert_key_path }}`" - when: "not matrix_ssl_certificate_verification_cert_key_path_stat_result.stat.exists" diff --git a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml b/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml deleted file mode 100644 index b17e4e565..000000000 --- a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml +++ /dev/null 
@@ -1,13 +0,0 @@ ---- - -- ansible.builtin.include_role: - name: custom/matrix-base - tasks_from: ensure_openssl_installed - when: "matrix_ssl_retrieval_method == 'self-signed'" - -- name: Generate self-signed certificates - ansible.builtin.include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml" - with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for | unique }}" - loop_control: - loop_var: domain_name - when: "matrix_ssl_retrieval_method == 'self-signed'" diff --git a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml b/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml deleted file mode 100644 index c0f195191..000000000 --- a/roles/custom/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml +++ /dev/null 
@@ -1,52 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_ssl_certificate_csr_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/csr.csr" - matrix_ssl_certificate_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem" - matrix_ssl_certificate_cert_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/privkey.pem" - -- name: Check if SSL certificate file exists - ansible.builtin.stat: - path: "{{ matrix_ssl_certificate_cert_path }}" - register: matrix_ssl_certificate_cert_path_stat_result - -# In order to do any sort of generation (below), we need to ensure the directory exists first -- name: Ensure SSL certificate directory exists - ansible.builtin.file: - path: "{{ matrix_ssl_certificate_csr_path | dirname }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists" - -# The proper way to do this is by using a sequence of -# `openssl_privatekey`, `openssl_csr` and `openssl_certificate`. -# -# Unfortunately, `openssl_csr` and `openssl_certificate` require `PyOpenSSL>=0.15` to work, -# which is not available on CentOS 7 (at least). -# -# We'll do it in a more manual way. -- name: Generate SSL certificate - when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists" - ansible.builtin.command: - cmd: | - openssl req -x509 \ - -sha256 \ - -newkey rsa:4096 \ - -nodes \ - -subj "/CN={{ domain_name }}" \ - -keyout {{ matrix_ssl_certificate_cert_key_path }} \ - -out {{ matrix_ssl_certificate_cert_path }} \ - -days 3650 - # Well, this creates 2 files, but Ansible can only check 1. 
- creates: "{{ matrix_ssl_certificate_cert_path }}" - -- name: Adjust SSL certificate file ownership - ansible.builtin.file: - path: "{{ item }}" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_groupname }}" - with_items: - - "{{ matrix_ssl_certificate_cert_key_path }}" - - "{{ matrix_ssl_certificate_cert_path }}" diff --git a/roles/custom/matrix-nginx-proxy/tasks/validate_config.yml b/roles/custom/matrix-nginx-proxy/tasks/validate_config.yml deleted file mode 100644 index f14dde1e5..000000000 --- a/roles/custom/matrix-nginx-proxy/tasks/validate_config.yml +++ /dev/null 
@@ -1,50 +0,0 @@ ---- - -- name: (Deprecation) Catch and report renamed settings - ansible.builtin.fail: - msg: >- - Your configuration contains a variable, which now has a different name. - Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). - when: "item.old in vars" - with_items: - - {'old': 'matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container', 'new': 'matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container'} - - {'old': 'matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container', 'new': 'matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container'} - # People who configured this to disable Riot, would now wish to be disabling Element. - # We now also have `matrix_nginx_proxy_proxy_riot_compat_redirect_`, but that's something else and is disabled by default. - - {'old': 'matrix_nginx_proxy_proxy_riot_enabled', 'new': 'matrix_nginx_proxy_proxy_element_enabled'} - - {'old': 'matrix_ssl_lets_encrypt_renew_cron_time_definition', 'new': ''} - - {'old': 'matrix_nginx_proxy_reload_cron_time_definition', 'new': ''} - - {'old': 'matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule', 'new': ''} - - {'old': 'matrix_nginx_proxy_container_labels_traefik_proxy_matrix_hostname', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_jitsi_additional_jvbs', 'new': ''} - -- name: Fail on unknown matrix_ssl_retrieval_method - ansible.builtin.fail: - msg: >- - `matrix_ssl_retrieval_method` needs to be set to a known value. - when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed', 'none']" - -- name: Fail on unknown matrix_nginx_proxy_ssl_config - ansible.builtin.fail: - msg: >- - `matrix_nginx_proxy_ssl_preset` needs to be set to a known value. 
- when: "matrix_nginx_proxy_ssl_preset not in ['modern', 'intermediate', 'old']" - -- when: "matrix_ssl_retrieval_method == 'lets-encrypt'" - block: - - name: (Deprecation) Catch and report renamed settings - ansible.builtin.fail: - msg: >- - Your configuration contains a variable, which now has a different name. - Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). - with_items: - - {'old': 'host_specific_matrix_ssl_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'} - - {'old': 'host_specific_matrix_ssl_lets_encrypt_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'} - when: "item.old in vars" - - - name: Fail if required variables are undefined - ansible.builtin.fail: - msg: "The `{{ item }}` variable must be defined and have a non-null value" - with_items: - - "matrix_ssl_lets_encrypt_support_email" - when: "vars[item] == '' or vars[item] is none" diff --git a/roles/custom/matrix-nginx-proxy/templates/bin/lets-encrypt-certificates-renew.j2 b/roles/custom/matrix-nginx-proxy/templates/bin/lets-encrypt-certificates-renew.j2 deleted file mode 100644 index 5f235ea26..000000000 --- a/roles/custom/matrix-nginx-proxy/templates/bin/lets-encrypt-certificates-renew.j2 +++ /dev/null 
@@ -1,32 +0,0 @@ -#jinja2: lstrip_blocks: "True" -#!/bin/bash - -# For renewal to work, matrix-nginx-proxy (or another webserver, if matrix-nginx-proxy is disabled) -# need to forward requests for `/.well-known/acme-challenge` to the certbot container. -# -# This can happen inside the container network by proxying to `http://matrix-certbot:8080` -# or outside (on the host) by proxying to `http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}`. - -docker run \ - --rm \ - --name=matrix-certbot \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --network="{{ matrix_nginx_proxy_container_network }}" \ - -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 \ - --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt \ - --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt \ - {{ matrix_ssl_lets_encrypt_certbot_docker_image }} \ - renew \ - --non-interactive \ - --work-dir=/tmp \ - --http-01-port 8080 \ - {% if matrix_ssl_lets_encrypt_staging %} - --staging \ - {% endif %} - --key-type {{ matrix_ssl_lets_encrypt_key_type }} \ - --standalone \ - --preferred-challenges http \ - --agree-tos \ - --email={{ matrix_ssl_lets_encrypt_support_email }} \ - --no-random-sleep-on-renew diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-buscarron.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-buscarron.conf.j2 deleted file mode 100644 index 4f0fd4a8f..000000000 --- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-buscarron.conf.j2 +++ /dev/null 
@@ -1,104 +0,0 @@ -#jinja2: lstrip_blocks: "True" - -{% macro render_vhost_directives() %} - gzip on; - gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - - {% if matrix_nginx_proxy_hsts_preload_enabled %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - {% else %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - {% endif %} - add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; - add_header X-Content-Type-Options nosniff; - add_header X-Frame-Options SAMEORIGIN; - add_header Content-Security-Policy "frame-ancestors 'none'"; - {% if matrix_nginx_proxy_floc_optout_enabled %} - add_header Permissions-Policy interest-cohort=() always; - {% endif %} - - {% for configuration_block in matrix_nginx_proxy_proxy_buscarron_additional_server_configuration_blocks %} - {{- configuration_block }} - {% endfor %} - - location / { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "matrix-bot-buscarron:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:8080; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; - } -{% endmacro %} - -server { - listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - - - server_name {{ matrix_nginx_proxy_proxy_buscarron_hostname }}; - - server_tokens off; - root /dev/null; - - {% if matrix_nginx_proxy_https_enabled %} - location /.well-known/acme-challenge { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ 
matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "matrix-certbot:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; - {% endif %} - } - - location / { - return 301 https://$http_host$request_uri; - } - {% else %} - {{ render_vhost_directives() }} - {% endif %} -} - -{% if matrix_nginx_proxy_https_enabled %} -server { - listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - - server_name {{ matrix_nginx_proxy_proxy_buscarron_hostname }}; - - server_tokens off; - root /dev/null; - - ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_buscarron_hostname }}/fullchain.pem; - ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_buscarron_hostname }}/privkey.pem; - - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if matrix_nginx_proxy_ssl_ciphers != "" %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - - {% if matrix_nginx_proxy_ocsp_stapling_enabled %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_buscarron_hostname }}/chain.pem; - {% endif %} - - {% if matrix_nginx_proxy_ssl_session_tickets_off %} - ssl_session_tickets off; - {% endif %} - ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; - ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; - - {{ render_vhost_directives() }} -} -{% endif %} diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 deleted file mode 100644 index a62ddfc81..000000000 
--- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 +++ /dev/null 
@@ -1,97 +0,0 @@ -#jinja2: lstrip_blocks: "True" - -{% macro render_vhost_directives() %} - gzip on; - gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - {% if matrix_nginx_proxy_hsts_preload_enabled %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - {% else %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - {% endif %} - add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; - add_header X-Content-Type-Options nosniff; - -{% for configuration_block in matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks %} - {{- configuration_block }} -{% endfor %} - - location / { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "matrix-bot-go-neb:4050"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:4050; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; - } -{% endmacro %} - -server { - listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - - server_name {{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}; - - server_tokens off; - root /dev/null; - - {% if matrix_nginx_proxy_https_enabled %} - location /.well-known/acme-challenge { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "matrix-certbot:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ 
matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; - {% endif %} - } - - location / { - return 301 https://$http_host$request_uri; - } - {% else %} - {{ render_vhost_directives() }} - {% endif %} -} - -{% if matrix_nginx_proxy_https_enabled %} -server { - listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - - server_name {{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}; - - server_tokens off; - root /dev/null; - - ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/fullchain.pem; - ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/privkey.pem; - - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - - {% if matrix_nginx_proxy_ocsp_stapling_enabled %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/chain.pem; - {% endif %} - - {% if matrix_nginx_proxy_ssl_session_tickets_off %} - ssl_session_tickets off; - {% endif %} - ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; - ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; - - {{ render_vhost_directives() }} -} -{% endif %} diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-cinny.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-cinny.conf.j2 deleted file mode 100644 index 2ec6eb1ba..000000000 --- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-cinny.conf.j2 +++ /dev/null 
@@ -1,104 +0,0 @@ -#jinja2: lstrip_blocks: "True" - -{% macro render_vhost_directives() %} - gzip on; - gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - - {% if matrix_nginx_proxy_hsts_preload_enabled %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - {% else %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - {% endif %} - add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; - add_header X-Content-Type-Options nosniff; - add_header X-Frame-Options SAMEORIGIN; - add_header Content-Security-Policy "frame-ancestors 'none'"; - {% if matrix_nginx_proxy_floc_optout_enabled %} - add_header Permissions-Policy interest-cohort=() always; - {% endif %} - - {% for configuration_block in matrix_nginx_proxy_proxy_cinny_additional_server_configuration_blocks %} - {{- configuration_block }} - {% endfor %} - - location / { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "matrix-client-cinny:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:8080; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; - } -{% endmacro %} - -server { - listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - - - server_name {{ matrix_nginx_proxy_proxy_cinny_hostname }}; - - server_tokens off; - root /dev/null; - - {% if matrix_nginx_proxy_https_enabled %} - location /.well-known/acme-challenge { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ 
matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "matrix-certbot:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; - {% endif %} - } - - location / { - return 301 https://$http_host$request_uri; - } - {% else %} - {{ render_vhost_directives() }} - {% endif %} -} - -{% if matrix_nginx_proxy_https_enabled %} -server { - listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - - server_name {{ matrix_nginx_proxy_proxy_cinny_hostname }}; - - server_tokens off; - root /dev/null; - - ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_cinny_hostname }}/fullchain.pem; - ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_cinny_hostname }}/privkey.pem; - - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if matrix_nginx_proxy_ssl_ciphers != "" %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - - {% if matrix_nginx_proxy_ocsp_stapling_enabled %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_cinny_hostname }}/chain.pem; - {% endif %} - - {% if matrix_nginx_proxy_ssl_session_tickets_off %} - ssl_session_tickets off; - {% endif %} - ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; - ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; - - {{ render_vhost_directives() }} -} -{% endif %} diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 deleted file mode 100644 index 0beeae52b..000000000 
--- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ /dev/null 
@@ -1,106 +0,0 @@ -#jinja2: lstrip_blocks: "True" - -{% macro render_vhost_directives() %} - gzip on; - gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - - {% if matrix_nginx_proxy_hsts_preload_enabled %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - {% else %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - {% endif %} - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; - add_header X-Frame-Options SAMEORIGIN; - add_header Content-Security-Policy "frame-ancestors 'self'"; - - {% if matrix_nginx_proxy_floc_optout_enabled %} - add_header Permissions-Policy interest-cohort=() always; - {% endif %} - - - {% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %} - {{- configuration_block }} - {% endfor %} - - location / { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "matrix-client-element:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:8765; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; - } -{% endmacro %} - -server { - listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - - - server_name {{ matrix_nginx_proxy_proxy_element_hostname }}; - - server_tokens off; - root /dev/null; - - {% if matrix_nginx_proxy_https_enabled %} - location /.well-known/acme-challenge { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ 
matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "matrix-certbot:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; - {% endif %} - } - - location / { - return 301 https://$http_host$request_uri; - } - {% else %} - {{ render_vhost_directives() }} - {% endif %} -} - -{% if matrix_nginx_proxy_https_enabled %} -server { - listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - - server_name {{ matrix_nginx_proxy_proxy_element_hostname }}; - - server_tokens off; - root /dev/null; - - ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/fullchain.pem; - ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/privkey.pem; - - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if matrix_nginx_proxy_ssl_ciphers != "" %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - - {% if matrix_nginx_proxy_ocsp_stapling_enabled %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem; - {% endif %} - - {% if matrix_nginx_proxy_ssl_session_tickets_off %} - ssl_session_tickets off; - {% endif %} - ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; - ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; - - {{ render_vhost_directives() }} -} -{% endif %} diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 deleted file mode 100644 index 7a2e9dfac..000000000 
--- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 +++ /dev/null 
@@ -1,104 +0,0 @@ -#jinja2: lstrip_blocks: "True" - -{% macro render_vhost_directives() %} - gzip on; - gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - - {% if matrix_nginx_proxy_hsts_preload_enabled %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - {% else %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - {% endif %} - add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; - add_header X-Content-Type-Options nosniff; - add_header X-Frame-Options SAMEORIGIN; - add_header Content-Security-Policy "frame-ancestors 'none'"; - {% if matrix_nginx_proxy_floc_optout_enabled %} - add_header Permissions-Policy interest-cohort=() always; - {% endif %} - - {% for configuration_block in matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks %} - {{- configuration_block }} - {% endfor %} - - location / { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "matrix-client-hydrogen:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:8768; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; - } -{% endmacro %} - -server { - listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - - - server_name {{ matrix_nginx_proxy_proxy_hydrogen_hostname }}; - - server_tokens off; - root /dev/null; - - {% if matrix_nginx_proxy_https_enabled %} - location /.well-known/acme-challenge { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ 
matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "matrix-certbot:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; - {% endif %} - } - - location / { - return 301 https://$http_host$request_uri; - } - {% else %} - {{ render_vhost_directives() }} - {% endif %} -} - -{% if matrix_nginx_proxy_https_enabled %} -server { - listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - - server_name {{ matrix_nginx_proxy_proxy_hydrogen_hostname }}; - - server_tokens off; - root /dev/null; - - ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_hydrogen_hostname }}/fullchain.pem; - ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_hydrogen_hostname }}/privkey.pem; - - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if matrix_nginx_proxy_ssl_ciphers != "" %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - - {% if matrix_nginx_proxy_ocsp_stapling_enabled %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_hydrogen_hostname }}/chain.pem; - {% endif %} - - {% if matrix_nginx_proxy_ssl_session_tickets_off %} - ssl_session_tickets off; - {% endif %} - ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; - ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; - - {{ render_vhost_directives() }} -} -{% endif %} 
diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-schildichat.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-schildichat.conf.j2 deleted file mode 100644 index 4919eb9ef..000000000 --- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-schildichat.conf.j2 +++ /dev/null 
@@ -1,106 +0,0 @@ -#jinja2: lstrip_blocks: "True" - -{% macro render_vhost_directives() %} - gzip on; - gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - - {% if matrix_nginx_proxy_hsts_preload_enabled %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - {% else %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - {% endif %} - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; - add_header X-Frame-Options SAMEORIGIN; - add_header Content-Security-Policy "frame-ancestors 'self'"; - - {% if matrix_nginx_proxy_floc_optout_enabled %} - add_header Permissions-Policy interest-cohort=() always; - {% endif %} - - - {% for configuration_block in matrix_nginx_proxy_proxy_schildichat_additional_server_configuration_blocks %} - {{- configuration_block }} - {% endfor %} - - location / { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "matrix-client-schildichat:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:8765; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; - } -{% endmacro %} - -server { - listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - - - server_name {{ matrix_nginx_proxy_proxy_schildichat_hostname }}; - - server_tokens off; - root /dev/null; - - {% if matrix_nginx_proxy_https_enabled %} - location /.well-known/acme-challenge { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ 
matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "matrix-certbot:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; - {% endif %} - } - - location / { - return 301 https://$http_host$request_uri; - } - {% else %} - {{ render_vhost_directives() }} - {% endif %} -} - -{% if matrix_nginx_proxy_https_enabled %} -server { - listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - - server_name {{ matrix_nginx_proxy_proxy_schildichat_hostname }}; - - server_tokens off; - root /dev/null; - - ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_schildichat_hostname }}/fullchain.pem; - ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_schildichat_hostname }}/privkey.pem; - - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if matrix_nginx_proxy_ssl_ciphers != "" %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - - {% if matrix_nginx_proxy_ocsp_stapling_enabled %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_schildichat_hostname }}/chain.pem; - {% endif %} - - {% if matrix_nginx_proxy_ssl_session_tickets_off %} - ssl_session_tickets off; - {% endif %} - ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; - ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; - - {{ render_vhost_directives() }} -} -{% endif %} diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 deleted file mode 100644 index 730fc4c1d..000000000 
--- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ /dev/null 
@@ -1,100 +0,0 @@ -#jinja2: lstrip_blocks: "True" - -{% macro render_vhost_directives() %} - gzip on; - gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - {% if matrix_nginx_proxy_hsts_preload_enabled %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - {% else %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - {% endif %} - add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; - add_header X-Content-Type-Options nosniff; - {% if matrix_nginx_proxy_floc_optout_enabled %} - add_header Permissions-Policy interest-cohort=() always; - {% endif %} - -{% for configuration_block in matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks %} - {{- configuration_block }} -{% endfor %} - - location / { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "matrix-dimension:8184"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:8184; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; - } -{% endmacro %} - -server { - listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - - server_name {{ matrix_nginx_proxy_proxy_dimension_hostname }}; - - server_tokens off; - root /dev/null; - - {% if matrix_nginx_proxy_https_enabled %} - location /.well-known/acme-challenge { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "matrix-certbot:8080"; - proxy_pass http://$backend; - {% else %} - {# 
Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; - {% endif %} - } - - location / { - return 301 https://$http_host$request_uri; - } - {% else %} - {{ render_vhost_directives() }} - {% endif %} -} - -{% if matrix_nginx_proxy_https_enabled %} -server { - listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - - server_name {{ matrix_nginx_proxy_proxy_dimension_hostname }}; - - server_tokens off; - root /dev/null; - - ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/fullchain.pem; - ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/privkey.pem; - - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - - {% if matrix_nginx_proxy_ocsp_stapling_enabled %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/chain.pem; - {% endif %} - - {% if matrix_nginx_proxy_ssl_session_tickets_off %} - ssl_session_tickets off; - {% endif %} - ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; - ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; - - {{ render_vhost_directives() }} -} -{% endif %} diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 deleted file mode 100644 index d364b4782..000000000 --- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ /dev/null 
@@ -1,412 +0,0 @@ -#jinja2: lstrip_blocks: "True" -{% macro render_nginx_status_location_block(addresses) %} - {# Empty first line to make indentation prettier. #} - - location /nginx_status { - stub_status on; - access_log off; - {% for address in addresses %} - allow {{ address }}; - {% endfor %} - deny all; - } -{% endmacro %} - - -{% macro render_vhost_directives() %} - gzip on; - gzip_types text/plain application/json; - - {% if matrix_nginx_proxy_floc_optout_enabled %} - add_header Permissions-Policy interest-cohort=() always; - {% endif %} - - {% if matrix_nginx_proxy_hsts_preload_enabled %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - {% else %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - {% endif %} - - add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; - - {% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %} - {{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }} - {% endif %} - - {% if matrix_nginx_proxy_proxy_matrix_corporal_api_enabled %} - location ^~ /_matrix/corporal { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "{{ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container }}"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container }}; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; - proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; - } - {% endif %} - - {% if matrix_nginx_proxy_proxy_media_repo_enabled %} - # Redirect all media endpoints to the media-repo - 
location ^~ /_matrix/media { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "{{ matrix_nginx_proxy_proxy_media_repo_addr_with_container }}"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_proxy_media_repo_addr_sans_container }}; - {% endif %} - - # Make sure this matches your homeserver in media-repo.yaml - # You may have to manually specify it if using delegation or the - # incoming Host doesn't match. - proxy_set_header Host {{ matrix_domain }}; - - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $remote_addr; - - client_body_buffer_size {{ ((matrix_media_repo_max_bytes | int) / 4) | int }}; - client_max_body_size {{ matrix_media_repo_max_bytes }}; - } - - # Redirect other endpoints registered by the media-repo to its container - # /_matrix/client/r0/logout - # /_matrix/client/r0/logout/all - location ~ ^/_matrix/client/(r0|v1|v3|unstable)/(logout|logout/all) { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "{{ matrix_nginx_proxy_proxy_media_repo_addr_with_container }}"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_proxy_media_repo_addr_sans_container }}; - {% endif %} - - # Make sure this matches your homeserver in media-repo.yaml - # You may have to manually specify it if using delegation or the - # incoming Host doesn't match. 
- proxy_set_header Host {{ matrix_domain }}; - - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $remote_addr; - } - - # Redirect other endpoints registered by the media-repo to its container - # /_matrix/client/r0/admin/purge_media_cache - # /_matrix/client/r0/admin/quarantine_media/{roomId:[^/]+} - location ~ ^/_matrix/client/(r0|v1|v3|unstable)/admin/(purge_media_cache|quarantine_media/.*) { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "{{ matrix_nginx_proxy_proxy_media_repo_addr_with_container }}"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_proxy_media_repo_addr_sans_container }}; - {% endif %} - - # Make sure this matches your homeserver in media-repo.yaml - # You may have to manually specify it if using delegation or the - # incoming Host doesn't match. - proxy_set_header Host {{ matrix_domain }}; - - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $remote_addr; - } - - # Redirect other endpoints registered by the media-repo to its container - location ^~ /_matrix/client/unstable/io.t2bot.media { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "{{ matrix_nginx_proxy_proxy_media_repo_addr_with_container }}"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_proxy_media_repo_addr_sans_container }}; - {% endif %} - - # Make sure this matches your homeserver in media-repo.yaml - # You may have to manually specify it if using delegation or the - # incoming Host doesn't match. 
- proxy_set_header Host {{ matrix_domain }}; - - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $remote_addr; - } - {% endif %} - - {% for configuration_block in matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks %} - {{- configuration_block }} - {% endfor %} - - {# - This handles the Matrix Client API only. - The Matrix Federation API is handled by a separate vhost. - #} - location ~* ^({{ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes|join('|') }}) { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container }}; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; - proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; - - client_body_buffer_size 25M; - client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M; - proxy_max_temp_file_size 0; - } - - {# - We only handle the root URI for this redirect or homepage serving. - Unhandled URIs (mostly by `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes` above) should result in a 404, - instead of causing a redirect. 
- See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1058 - #} - location ~* ^/$ { - rewrite ^/$ /_matrix/static/ last; - } -{% endmacro %} - -server { - listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - - server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }}; - - server_tokens off; - root /dev/null; - - {% if matrix_nginx_proxy_https_enabled %} - location /.well-known/acme-challenge { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "matrix-certbot:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; - {% endif %} - } - - {% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %} - {{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }} - {% endif %} - - location / { - return 301 https://$http_host$request_uri; - } - {% else %} - {{ render_vhost_directives() }} - {% endif %} -} - -{% if matrix_nginx_proxy_https_enabled %} -server { - listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - - server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }}; - - server_tokens off; - root /dev/null; - - ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem; - ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem; - - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} - ssl_prefer_server_ciphers {{ 
matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - - {% if matrix_nginx_proxy_ocsp_stapling_enabled %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem; - {% endif %} - - {% if matrix_nginx_proxy_ssl_session_tickets_off %} - ssl_session_tickets off; - {% endif %} - ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; - ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; - - {{ render_vhost_directives() }} -} -{% endif %} - -{% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %} -{# - This federation vhost is a little special. - It serves federation over HTTP or HTTPS, depending on `matrix_nginx_proxy_https_enabled`. -#} -server { - {% if matrix_nginx_proxy_https_enabled %} - listen {{ matrix_nginx_proxy_proxy_matrix_federation_port }} ssl http2; - listen [::]:{{ matrix_nginx_proxy_proxy_matrix_federation_port }} ssl http2; - {% else %} - listen {{ matrix_nginx_proxy_proxy_matrix_federation_port }}; - {% endif %} - - server_name {{ matrix_nginx_proxy_proxy_matrix_federation_hostname }}; - server_tokens off; - - root /dev/null; - - gzip on; - gzip_types text/plain application/json; - - {% if matrix_nginx_proxy_https_enabled %} - ssl_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate }}; - ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }}; - - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - - {% if matrix_nginx_proxy_ocsp_stapling_enabled %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate }}; - {% endif %} - - {% if matrix_nginx_proxy_ssl_session_tickets_off 
%} - ssl_session_tickets off; - {% endif %} - ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; - ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; - {% endif %} - - {% if matrix_nginx_proxy_proxy_media_repo_enabled %} - # Redirect all media endpoints to the media-repo - location ^~ /_matrix/media { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "{{ matrix_nginx_proxy_proxy_media_repo_addr_with_container }}"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_proxy_media_repo_addr_sans_container }}; - {% endif %} - - # Make sure this matches your homeserver in media-repo.yaml - # You may have to manually specify it if using delegation or the - # incoming Host doesn't match. - proxy_set_header Host {{ matrix_domain }}; - - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $remote_addr; - - client_body_buffer_size {{ ((matrix_media_repo_max_bytes | int) / 4) | int }}; - client_max_body_size {{ matrix_media_repo_max_bytes }}; - } - - # Redirect other endpoints registered by the media-repo to its container - # /_matrix/client/r0/logout - # /_matrix/client/r0/logout/all - location ~ ^/_matrix/client/(r0|v1|v3|unstable)/(logout|logout/all) { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "{{ matrix_nginx_proxy_proxy_media_repo_addr_with_container }}"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_proxy_media_repo_addr_sans_container }}; - {% endif %} - - # Make sure this matches your homeserver in 
media-repo.yaml - # You may have to manually specify it if using delegation or the - # incoming Host doesn't match. - proxy_set_header Host {{ matrix_domain }}; - - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $remote_addr; - } - - # Redirect other endpoints registered by the media-repo to its container - # /_matrix/client/r0/admin/purge_media_cache - # /_matrix/client/r0/admin/quarantine_media/{roomId:[^/]+} - location ~ ^/_matrix/client/(r0|v1|v3|unstable)/admin/(purge_media_cache|quarantine_media/.*) { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "{{ matrix_nginx_proxy_proxy_media_repo_addr_with_container }}"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_proxy_media_repo_addr_sans_container }}; - {% endif %} - - # Make sure this matches your homeserver in media-repo.yaml - # You may have to manually specify it if using delegation or the - # incoming Host doesn't match. 
- proxy_set_header Host {{ matrix_domain }}; - - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $remote_addr; - } - - # Redirect other endpoints registered by the media-repo to its container - location ^~ /_matrix/client/unstable/io.t2bot.media { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "{{ matrix_nginx_proxy_proxy_media_repo_addr_with_container }}"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_proxy_media_repo_addr_sans_container }}; - {% endif %} - - # Make sure this matches your homeserver in media-repo.yaml - # You may have to manually specify it if using delegation or the - # incoming Host doesn't match. - proxy_set_header Host {{ matrix_domain }}; - - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $remote_addr; - } - {% endif %} - - location / { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container }}"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container }}; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; - proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; - - client_body_buffer_size 25M; - client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M; - proxy_max_temp_file_size 0; - } -} -{% endif %} 
diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-etherpad.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-etherpad.conf.j2 deleted file mode 100644 index 8cad9ee37..000000000 --- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-etherpad.conf.j2 +++ /dev/null 
@@ -1,108 +0,0 @@ -#jinja2: lstrip_blocks: "True" - -{% macro render_vhost_directives() %} - gzip on; - gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - {% if matrix_nginx_proxy_hsts_preload_enabled %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - {% else %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - {% endif %} - add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; - add_header X-Content-Type-Options nosniff; - {% if matrix_nginx_proxy_floc_optout_enabled %} - add_header Permissions-Policy interest-cohort=() always; - {% endif %} - -{% for configuration_block in matrix_nginx_proxy_proxy_etherpad_additional_server_configuration_blocks %} - {{- configuration_block }} -{% endfor %} - - location / { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "matrix-etherpad:9001"; - proxy_pass http://$backend; - {# These are proxy directives needed specifically by Etherpad #} - proxy_buffering off; - proxy_http_version 1.1; {# recommended with keepalive connections #} - proxy_pass_header Server; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; {# for EP to set secure cookie flag when https is used #} - {# WebSocket proxying - from http://nginx.org/en/docs/http/websocket.html #} - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - {% else %} - {# Generic configuration for use outside of our container setup #} - # A good guide for setting up your Etherpad behind nginx: - # https://docs.gandi.net/en/cloud/tutorials/etherpad_lite.html - proxy_pass http://127.0.0.1:9001/; - {% endif %} - } -{% endmacro %} - -server { - listen {{ 8080 if 
matrix_nginx_proxy_enabled else 80 }}; - listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - - server_name {{ matrix_nginx_proxy_proxy_etherpad_hostname }}; - - server_tokens off; - root /dev/null; - - {% if matrix_nginx_proxy_https_enabled %} - location /.well-known/acme-challenge { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "matrix-certbot:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; - {% endif %} - } - - location / { - return 301 https://$http_host$request_uri; - } - {% else %} - {{ render_vhost_directives() }} - {% endif %} -} - -{% if matrix_nginx_proxy_https_enabled %} -server { - listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - - server_name {{ matrix_nginx_proxy_proxy_etherpad_hostname }}; - - server_tokens off; - root /dev/null; - - ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_etherpad_hostname }}/fullchain.pem; - ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_etherpad_hostname }}/privkey.pem; - - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - - {% if matrix_nginx_proxy_ocsp_stapling_enabled %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_etherpad_hostname }}/chain.pem; - {% endif %} - - {% if matrix_nginx_proxy_ssl_session_tickets_off %} - ssl_session_tickets off; - {% 
endif %} - ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; - ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; - - {{ render_vhost_directives() }} -} -{% endif %} diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 deleted file mode 100644 index 094180448..000000000 --- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 +++ /dev/null 
@@ -1,108 +0,0 @@ -#jinja2: lstrip_blocks: "True" - -{% macro render_vhost_directives() %} - gzip on; - gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - - {% if matrix_nginx_proxy_hsts_preload_enabled %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - {% else %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - {% endif %} - # duplicate X-Content-Type-Options & X-Frame-Options header - # Enabled by grafana by default - # add_header X-Content-Type-Options nosniff; - # add_header X-Frame-Options SAMEORIGIN; - add_header Referrer-Policy "strict-origin-when-cross-origin"; - - {% if matrix_nginx_proxy_floc_optout_enabled %} - add_header Permissions-Policy interest-cohort=() always; - {% endif %} - - proxy_cookie_path / "/; HTTPOnly; Secure"; - - {% for configuration_block in matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks %} - {{- configuration_block }} - {% endfor %} - - location / { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "matrix-grafana:3000"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:3000; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; - } -{% endmacro %} - -server { - listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - - - server_name {{ matrix_nginx_proxy_proxy_grafana_hostname }}; - - server_tokens off; - root /dev/null; - - {% if matrix_nginx_proxy_https_enabled %} - location /.well-known/acme-challenge { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers 
to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "matrix-certbot:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; - {% endif %} - } - - location / { - return 301 https://$http_host$request_uri; - } - {% else %} - {{ render_vhost_directives() }} - {% endif %} -} - -{% if matrix_nginx_proxy_https_enabled %} -server { - listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - - server_name {{ matrix_nginx_proxy_proxy_grafana_hostname }}; - - server_tokens off; - root /dev/null; - - ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_grafana_hostname }}/fullchain.pem; - ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_grafana_hostname }}/privkey.pem; - - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if matrix_nginx_proxy_ssl_ciphers != "" %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - - {% if matrix_nginx_proxy_ocsp_stapling_enabled %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_grafana_hostname }}/chain.pem; - {% endif %} - - {% if matrix_nginx_proxy_ssl_session_tickets_off %} - ssl_session_tickets off; - {% endif %} - ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; - ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; - - {{ render_vhost_directives() }} -} -{% endif %} 
diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 deleted file mode 100644 index f745f866c..000000000 --- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ /dev/null 
@@ -1,158 +0,0 @@ -#jinja2: lstrip_blocks: "True" - -{% macro render_vhost_directives() %} - gzip on; - gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - {% if matrix_nginx_proxy_hsts_preload_enabled %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - {% else %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - {% endif %} - add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; - add_header X-Content-Type-Options nosniff; - {% if matrix_nginx_proxy_floc_optout_enabled %} - add_header Permissions-Policy interest-cohort=() always; - {% endif %} - -{% for configuration_block in matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks %} - {{- configuration_block }} -{% endfor %} - - location / { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "matrix-jitsi-web:80"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:13080; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; - } - - # colibri (JVB) websockets - location ~ ^/colibri-ws/jvb-1/(.*) { - {% if matrix_nginx_proxy_enabled %} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "matrix-jitsi-jvb:9090"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:13090; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - - proxy_http_version 1.1; - - tcp_nodelay on; - } - 
{% for host in groups['jitsi_jvb_servers'] | default([]) %} - # colibri (JVB) websockets for additional JVBs - location ~ ^/colibri-ws/{{ hostvars[host]['jitsi_jvb_server_id'] | regex_escape }}/(.*) { - proxy_pass http://{{ host }}:9090/colibri-ws/{{ hostvars[host]['jitsi_jvb_server_id'] }}/$1$is_args$args; - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - - proxy_http_version 1.1; - - tcp_nodelay on; - } - {% endfor %} - - - # XMPP websocket - location = /xmpp-websocket { - {% if matrix_nginx_proxy_enabled %} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend {{ jitsi_xmpp_bosh_url_base }}; - proxy_pass $backend$request_uri; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:5280; - {% endif %} - proxy_set_header Host $host; - - proxy_http_version 1.1; - proxy_read_timeout 900s; - proxy_set_header Connection "upgrade"; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; - proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; - tcp_nodelay on; - } -{% endmacro %} - -server { - listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - - server_name {{ matrix_nginx_proxy_proxy_jitsi_hostname }}; - - server_tokens off; - root /dev/null; - - {% if matrix_nginx_proxy_https_enabled %} - location /.well-known/acme-challenge { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "matrix-certbot:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass 
http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; - {% endif %} - } - - location / { - return 301 https://$http_host$request_uri; - } - {% else %} - {{ render_vhost_directives() }} - {% endif %} -} - -{% if matrix_nginx_proxy_https_enabled %} -server { - listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - - server_name {{ matrix_nginx_proxy_proxy_jitsi_hostname }}; - - server_tokens off; - root /dev/null; - - ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/fullchain.pem; - ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/privkey.pem; - - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - - {% if matrix_nginx_proxy_ocsp_stapling_enabled %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/chain.pem; - {% endif %} - - {% if matrix_nginx_proxy_ssl_session_tickets_off %} - ssl_session_tickets off; - {% endif %} - ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; - ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; - - {{ render_vhost_directives() }} -} -{% endif %} diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-mautrix-wsproxy.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-mautrix-wsproxy.conf.j2 deleted file mode 100644 index 47e4c4328..000000000 --- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-mautrix-wsproxy.conf.j2 +++ /dev/null 
@@ -1,110 +0,0 @@ -#jinja2: lstrip_blocks: "True" - -{% macro render_vhost_directives() %} - gzip on; - gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - - {% if matrix_nginx_proxy_hsts_preload_enabled %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - {% else %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - {% endif %} - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; - add_header X-Frame-Options SAMEORIGIN; - - {% if matrix_nginx_proxy_floc_optout_enabled %} - add_header Permissions-Policy interest-cohort=() always; - {% endif %} - - - {% for configuration_block in matrix_nginx_proxy_proxy_mautrix_wsproxy_additional_server_configuration_blocks %} - {{- configuration_block }} - {% endfor %} - - location / { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "wsproxy:29331"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:29331; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_http_version 1.1; - proxy_send_timeout 1d; - proxy_read_timeout 1d; - - tcp_nodelay on; - } -{% endmacro %} - -server { - listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - - server_name {{ matrix_nginx_proxy_proxy_mautrix_wsproxy_hostname }}; - - server_tokens off; - root /dev/null; - - {% if matrix_nginx_proxy_https_enabled %} - location /.well-known/acme-challenge { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend 
"matrix-certbot:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; - {% endif %} - } - - location / { - return 301 https://$http_host$request_uri; - } - {% else %} - {{ render_vhost_directives() }} - {% endif %} -} - -{% if matrix_nginx_proxy_https_enabled %} -server { - listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - - server_name {{ matrix_nginx_proxy_proxy_mautrix_wsproxy_hostname }}; - - server_tokens off; - root /dev/null; - - ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_mautrix_wsproxy_hostname }}/fullchain.pem; - ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_mautrix_wsproxy_hostname }}/privkey.pem; - - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if matrix_nginx_proxy_ssl_ciphers != "" %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - - {% if matrix_nginx_proxy_ocsp_stapling_enabled %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_mautrix_wsproxy_hostname }}/chain.pem; - {% endif %} - - {% if matrix_nginx_proxy_ssl_session_tickets_off %} - ssl_session_tickets off; - {% endif %} - ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; - ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; - - {{ render_vhost_directives() }} -} -{% endif %} diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-ntfy.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-ntfy.conf.j2 deleted file mode 100644 index fbae47e17..000000000 
--- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-ntfy.conf.j2 +++ /dev/null 
@@ -1,102 +0,0 @@ -#jinja2: lstrip_blocks: "True" - -{% macro render_vhost_directives() %} - gzip on; - gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - - {% if matrix_nginx_proxy_hsts_preload_enabled %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - {% else %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - {% endif %} - add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; - add_header X-Content-Type-Options nosniff; - add_header X-Frame-Options DENY; - -{% for configuration_block in matrix_nginx_proxy_proxy_ntfy_additional_server_configuration_blocks %} - {{- configuration_block }} -{% endfor %} - - location / { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "matrix-ntfy:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:2586; - {% endif %} - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; - proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; - } -{% endmacro %} - -server { - listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - - server_name {{ matrix_nginx_proxy_proxy_ntfy_hostname }}; - - server_tokens off; - root /dev/null; - - {% if matrix_nginx_proxy_https_enabled %} - location /.well-known/acme-challenge { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend 
"matrix-certbot:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; - {% endif %} - } - - location / { - return 301 https://$http_host$request_uri; - } - {% else %} - {{ render_vhost_directives() }} - {% endif %} -} - -{% if matrix_nginx_proxy_https_enabled %} -server { - listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - - server_name {{ matrix_nginx_proxy_proxy_ntfy_hostname }}; - - server_tokens off; - root /dev/null; - - ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_ntfy_hostname }}/fullchain.pem; - ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_ntfy_hostname }}/privkey.pem; - - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - - {% if matrix_nginx_proxy_ocsp_stapling_enabled %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_ntfy_hostname }}/chain.pem; - {% endif %} - - {% if matrix_nginx_proxy_ssl_session_tickets_off %} - ssl_session_tickets off; - {% endif %} - ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; - ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; - - {{ render_vhost_directives() }} -} -{% endif %} diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-rageshake.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-rageshake.conf.j2 deleted file mode 100644 index 5da96684a..000000000 
--- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-rageshake.conf.j2 +++ /dev/null 
@@ -1,100 +0,0 @@ -#jinja2: lstrip_blocks: "True" - -{% macro render_vhost_directives() %} - gzip on; - gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - {% if matrix_nginx_proxy_hsts_preload_enabled %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - {% else %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - {% endif %} - add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; - add_header X-Content-Type-Options nosniff; - {% if matrix_nginx_proxy_floc_optout_enabled %} - add_header Permissions-Policy interest-cohort=() always; - {% endif %} - -{% for configuration_block in matrix_nginx_proxy_proxy_rageshake_additional_server_configuration_blocks %} - {{- configuration_block }} -{% endfor %} - - location / { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "matrix-rageshake:9110"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:9110; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; - } -{% endmacro %} - -server { - listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - - server_name {{ matrix_nginx_proxy_proxy_rageshake_hostname }}; - - server_tokens off; - root /dev/null; - - {% if matrix_nginx_proxy_https_enabled %} - location /.well-known/acme-challenge { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "matrix-certbot:8080"; - proxy_pass http://$backend; - {% else %} - {# 
Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; - {% endif %} - } - - location / { - return 301 https://$http_host$request_uri; - } - {% else %} - {{ render_vhost_directives() }} - {% endif %} -} - -{% if matrix_nginx_proxy_https_enabled %} -server { - listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - - server_name {{ matrix_nginx_proxy_proxy_rageshake_hostname }}; - - server_tokens off; - root /dev/null; - - ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_rageshake_hostname }}/fullchain.pem; - ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_rageshake_hostname }}/privkey.pem; - - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - - {% if matrix_nginx_proxy_ocsp_stapling_enabled %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_rageshake_hostname }}/chain.pem; - {% endif %} - - {% if matrix_nginx_proxy_ssl_session_tickets_off %} - ssl_session_tickets off; - {% endif %} - ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; - ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; - - {{ render_vhost_directives() }} -} -{% endif %} diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 deleted file mode 100644 index e3c6a461a..000000000 --- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 +++ /dev/null 
@@ -1,99 +0,0 @@ -#jinja2: lstrip_blocks: "True" - -{% macro render_vhost_directives() %} - gzip on; - gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; - {% if matrix_nginx_proxy_hsts_preload_enabled %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - {% else %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - {% endif %} - add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; - add_header X-Content-Type-Options nosniff; - add_header X-Frame-Options DENY; - -{% for configuration_block in matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks %} - {{- configuration_block }} -{% endfor %} - - location / { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "matrix-sygnal:6000"; - proxy_pass http://$backend; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:6000; - {% endif %} - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; - proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; - } -{% endmacro %} - -server { - listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; - - server_name {{ matrix_nginx_proxy_proxy_sygnal_hostname }}; - - server_tokens off; - root /dev/null; - - {% if matrix_nginx_proxy_https_enabled %} - location /.well-known/acme-challenge { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; - set $backend "matrix-certbot:8080"; - proxy_pass http://$backend; - {% else %} - {# Generic 
configuration for use outside of our container setup #} - proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; - {% endif %} - } - - location / { - return 301 https://$http_host$request_uri; - } - {% else %} - {{ render_vhost_directives() }} - {% endif %} -} - -{% if matrix_nginx_proxy_https_enabled %} -server { - listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; - - server_name {{ matrix_nginx_proxy_proxy_sygnal_hostname }}; - - server_tokens off; - root /dev/null; - - ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/fullchain.pem; - ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/privkey.pem; - - ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; - {% if matrix_nginx_proxy_ssl_ciphers != '' %} - ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; - {% endif %} - ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; - - {% if matrix_nginx_proxy_ocsp_stapling_enabled %} - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/chain.pem; - {% endif %} - - {% if matrix_nginx_proxy_ssl_session_tickets_off %} - ssl_session_tickets off; - {% endif %} - ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; - ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; - - {{ render_vhost_directives() }} -} -{% endif %} diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 deleted file mode 100644 index beea6afa1..000000000 --- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 +++ /dev/null 
@@ -1,14 +0,0 @@ -#jinja2: lstrip_blocks: "True" -# The default is aligned to the CPU's cache size, -# which can sometimes be too low to handle our 2 vhosts (Synapse and Element). -# -# Thus, we ensure a larger bucket size value is used. -server_names_hash_bucket_size 64; - -{% if matrix_nginx_proxy_http_level_resolver %} - resolver {{ matrix_nginx_proxy_http_level_resolver }}; -{% endif %} - -{% for configuration_block in matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks %} - {{- configuration_block }} -{% endfor %} diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 deleted file mode 100644 index 6b56878a1..000000000 --- a/roles/custom/matrix-nginx-proxy/templates/nginx/nginx.conf.j2 +++ /dev/null 
@@ -1,77 +0,0 @@ -#jinja2: lstrip_blocks: "True" -# This is a custom nginx configuration file that we use in the container (instead of the default one), -# because it allows us to run nginx with a non-root user. -# -# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed. -# -# The following changes have been done compared to a default nginx configuration file: -# - various temp paths are changed to `/tmp`, so that a non-root user can write to them -# - the `user` directive was removed, as we don't want nginx to switch users - -worker_processes {{ matrix_nginx_proxy_worker_processes }}; -error_log /var/log/nginx/error.log warn; -pid /tmp/nginx.pid; -{% for configuration_block in matrix_nginx_proxy_proxy_additional_configuration_blocks %} - {{- configuration_block }} -{% endfor %} - -events { - worker_connections {{ matrix_nginx_proxy_worker_connections }}; -{% for configuration_block in matrix_nginx_proxy_proxy_event_additional_configuration_blocks %} - {{- configuration_block }} -{% endfor %} -} - - -http { - proxy_temp_path /tmp/proxy_temp; - client_body_temp_path /tmp/client_temp; - fastcgi_temp_path /tmp/fastcgi_temp; - uwsgi_temp_path /tmp/uwsgi_temp; - scgi_temp_path /tmp/scgi_temp; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - {% if matrix_nginx_proxy_access_log_enabled %} - access_log /var/log/nginx/access.log main; - {% endif %} - - {% if matrix_nginx_proxy_access_log_syslog_integration_enabled %} - log_format prometheus_fmt 'matrix-nginx-proxy $server_name - $upstream_addr - $remote_addr - $remote_user [$time_local] ' - '$host "$request" ' - '$status "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log syslog:server={{ matrix_nginx_proxy_access_log_syslog_integration_server_port 
}},tag=matrix_nginx_proxy prometheus_fmt; - {% endif %} - - {% if not matrix_nginx_proxy_access_log_enabled and not matrix_nginx_proxy_access_log_syslog_integration_enabled %} - access_log off; - {% endif %} - - proxy_connect_timeout {{ matrix_nginx_proxy_connect_timeout }}; - proxy_send_timeout {{ matrix_nginx_proxy_send_timeout }}; - proxy_read_timeout {{ matrix_nginx_proxy_read_timeout }}; - send_timeout {{ matrix_nginx_send_timeout }}; - - sendfile on; - #tcp_nopush on; - - keepalive_timeout 65; - - server_tokens off; - - #gzip on; - {# Map directive needed for proxied WebSocket upgrades #} - map $http_upgrade $connection_upgrade { - default upgrade; - '' close; - } - - include /etc/nginx/conf.d/*.conf; -} diff --git a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 deleted file mode 100755 index 8c311a6cc..000000000 --- a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ /dev/null 
@@ -1,65 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix nginx-proxy server -{% for service in matrix_nginx_proxy_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -{% for service in matrix_nginx_proxy_systemd_wanted_services_list %} -Wants={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-nginx-proxy 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-nginx-proxy 2>/dev/null || true' - -ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ - --rm \ - --name=matrix-nginx-proxy \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --read-only \ - --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_nginx_proxy_tmp_directory_size_mb }}m \ - --network={{ matrix_nginx_proxy_container_network }} \ - {% if matrix_nginx_proxy_container_http_host_bind_port %} - -p {{ matrix_nginx_proxy_container_http_host_bind_port }}:8080 \ - {% endif %} - {% if matrix_nginx_proxy_https_enabled and matrix_nginx_proxy_container_https_host_bind_port %} - -p {{ matrix_nginx_proxy_container_https_host_bind_port }}:8443 \ - {% endif %} - {% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled and matrix_nginx_proxy_container_federation_host_bind_port %} - -p {{ matrix_nginx_proxy_container_federation_host_bind_port }}:{{ matrix_nginx_proxy_proxy_matrix_federation_port }} \ - {% endif %} - --mount type=bind,src={{ matrix_nginx_proxy_base_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ - --mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst={{ 
matrix_nginx_proxy_data_path_in_container }},ro \ - --mount type=bind,src={{ matrix_nginx_proxy_confd_path }},dst=/etc/nginx/conf.d,ro \ - {% if matrix_ssl_retrieval_method != 'none' %} - --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst={{ matrix_ssl_config_dir_path }},ro \ - {% endif %} - {% for volume in matrix_nginx_proxy_container_additional_volumes %} - -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ - {% endfor %} - {% for arg in matrix_nginx_proxy_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_nginx_proxy_docker_image }} - -{% for network in matrix_nginx_proxy_container_additional_networks %} -ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-nginx-proxy -{% endfor %} - -ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-nginx-proxy - -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-nginx-proxy 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-nginx-proxy 2>/dev/null || true' -ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec matrix-nginx-proxy /usr/sbin/nginx -s reload -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-nginx-proxy - -[Install] -WantedBy=multi-user.target diff --git a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2 b/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2 deleted file mode 100644 index b2f07aca7..000000000 --- a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2 +++ /dev/null 
@@ -1,7 +0,0 @@ -[Unit] -Description=Renews Let's Encrypt SSL certificates - -[Service] -Type=oneshot -Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStart={{ matrix_ssl_bin_dir_path }}/lets-encrypt-certificates-renew diff --git a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.timer.j2 b/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.timer.j2 deleted file mode 100644 index b1e1c21e8..000000000 --- a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.timer.j2 +++ /dev/null @@ -1,10 +0,0 @@ -[Unit] -Description=Renews Let's Encrypt SSL certificates periodically - -[Timer] -Unit=matrix-ssl-lets-encrypt-certificates-renew.service -OnCalendar=*-*-* 04:00:00 -RandomizedDelaySec=2h - -[Install] -WantedBy=timers.target diff --git a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.service.j2 b/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.service.j2 deleted file mode 100644 index 025c5e2d1..000000000 --- a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.service.j2 +++ /dev/null @@ -1,6 +0,0 @@ -[Unit] -Description=Reloads matrix-nginx-proxy so that new SSL certificates can kick in - -[Service] -Type=oneshot -ExecStart={{ devture_systemd_docker_base_host_command_systemctl }} reload matrix-nginx-proxy.service diff --git a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2 b/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2 deleted file mode 100644 index 09cb6dad7..000000000 --- a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2 +++ /dev/null 
@@ -1,10 +0,0 @@ -[Unit] -Description=Reloads matrix-nginx-proxy periodically so that new SSL certificates can kick in - -[Timer] -Unit=matrix-ssl-nginx-proxy-reload.service -OnCalendar=*-*-* 06:30:00 -RandomizedDelaySec=1h - -[Install] -WantedBy=timers.target diff --git a/roles/custom/matrix-nginx-proxy/vars/main.yml b/roles/custom/matrix-nginx-proxy/vars/main.yml deleted file mode 100644 index 34abf1903..000000000 --- a/roles/custom/matrix-nginx-proxy/vars/main.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- - -# Tells whether this role had executed or not. Toggled to `true` during runtime. -matrix_nginx_proxy_role_executed: false - -matrix_ssl_renewal_systemd_units_list: - - name: matrix-ssl-lets-encrypt-certificates-renew.service - applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' }}" - enableable: false - priority: 5000 - groups: ['matrix', 'nginx', 'ssl', 'reverse-proxies'] - - name: matrix-ssl-lets-encrypt-certificates-renew.timer - applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' }}" - enableable: true - priority: 5000 - groups: ['matrix', 'nginx', 'ssl', 'reverse-proxies'] - - name: matrix-ssl-nginx-proxy-reload.service - applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' and matrix_nginx_proxy_enabled | bool }}" - enableable: false - priority: 5000 - groups: ['matrix', 'nginx', 'ssl', 'reverse-proxies'] - - name: matrix-ssl-nginx-proxy-reload.timer - applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' and matrix_nginx_proxy_enabled | bool }}" - enableable: true - priority: 5000 - groups: ['matrix', 'nginx', 'ssl', 'reverse-proxies'] diff --git a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_uninstall.yml b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_uninstall.yml index 93c4aefc1..8828f4ecb 100644 --- a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_uninstall.yml 
@@ -7,15 +7,6 @@ - when: matrix_prometheus_nginxlog_exporter_service_stat.stat.exists | bool block: - - name: Fail when not cleaning up nginx and prometheus configs - ansible.builtin.fail: - msg: > - This role has added to configs in 'matrix-nginx-proxy', 'matrix-synapse-reverse-proxy-companion' and 'matrix-prometheus'. - Running 'setup-synapse-reverse-proxy-companion' WILL NOT remove those settings from those roles. - Run the playbook again with the `setup-all` tag or all three 'setup-nginx-proxy,setup-synapse-reverse-proxy-companion,setup-prometheus' tags while - 'prometheus_enabled: false' to rebuild their configs. - when: not ('setup-all' in ansible_run_tags or ('setup-nginx-proxy' in ansible_run_tags and 'setup-synapse-reverse-proxy-companion' in ansible_run_tags and 'setup-prometheus' in ansible_run_tags)) - - name: Ensure matrix-prometheus-nginxlog-exporter is stopped ansible.builtin.service: name: matrix-prometheus-nginxlog-exporter diff --git a/roles/custom/matrix-synapse-admin/defaults/main.yml b/roles/custom/matrix-synapse-admin/defaults/main.yml index e69f479bc..1dee1d756 100644 --- a/roles/custom/matrix-synapse-admin/defaults/main.yml +++ b/roles/custom/matrix-synapse-admin/defaults/main.yml 
@@ -130,13 +130,8 @@ matrix_synapse_admin_floc_optout_enabled: true matrix_synapse_admin_hsts_preload_enabled: false # The hostname at which Synapse Admin is served. -# Only works with with Traefik reverse-proxying. -# For matrix-nginx-proxy, `matrix_server_fqn_matrix` is used and this variable has no effect. matrix_synapse_admin_hostname: "{{ matrix_server_fqn_matrix }}" # The path at which Synapse Admin is exposed. -# When matrix-nginx-proxy is used, setting this to values other than `/` will cause configuration mismatches and trouble. -# -# If Traefik is used, the hostname is also configurable - see `matrix_synapse_admin_container_labels_traefik_hostname`. # This value must either be `/` or not end with a slash (e.g. `/synapse-admin`). matrix_synapse_admin_path_prefix: /synapse-admin diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml index c1355e056..d70b806c1 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml @@ -227,7 +227,7 @@ matrix_synapse_reverse_proxy_companion_synapse_cache_proxy_cache_valid_time: "24 # Controls whether matrix-synapse-reverse-proxy-companion trusts an upstream server's X-Forwarded-Proto header. -# The `matrix-synapse-reverse-proxy-companion` does not terminate SSL and always expects to be fronted by another reverse-proxy server (`matrix-nginx-proxy`, etc.). +# The `matrix-synapse-reverse-proxy-companion` does not terminate SSL and always expects to be fronted by another reverse-proxy server. # As such, it trusts the protocol scheme forwarded by the upstream proxy. matrix_synapse_reverse_proxy_companion_trust_forwarded_proto: true matrix_synapse_reverse_proxy_companion_x_forwarded_proto_value: "{{ '$http_x_forwarded_proto' if matrix_synapse_reverse_proxy_companion_trust_forwarded_proto else '$scheme' }}" 
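Review bot: in `roles/custom/matrix-prometheus-nginxlog-exporter/tasks/setup_uninstall.yml`, the removed `Fail when not cleaning up nginx and prometheus configs` task guarded three roles, not only `matrix-nginx-proxy`: its message and its `when` also covered `matrix-synapse-reverse-proxy-companion` and `matrix-prometheus`, neither of which this patch eliminates. Dropping the whole task means a user who runs only the `setup-synapse-reverse-proxy-companion` tag with `prometheus_enabled: false` is no longer told that the companion's and Prometheus's configs still carry the exporter settings. Suggest keeping the task with just the nginx-proxy parts removed, e.g. `when: not ('setup-all' in ansible_run_tags or ('setup-synapse-reverse-proxy-companion' in ansible_run_tags and 'setup-prometheus' in ansible_run_tags))`, and trimming the message to match.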
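Review bot: in `roles/custom/matrix-synapse-admin/defaults/main.yml`, the comment removal above `matrix_synapse_admin_path_prefix` also drops the one sentence that still applies, the pointer to `matrix_synapse_admin_container_labels_traefik_hostname` for configuring the hostname. Suggest keeping that line (without the `If Traefik is used` qualifier, now that the nginx alternative is gone) so the hostname and path-prefix settings stay discoverable from each other.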
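Review bot: in `roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml`, with the `(matrix-nginx-proxy, etc.)` example gone the comment no longer names any fronting proxy, while `matrix_synapse_reverse_proxy_companion_trust_forwarded_proto: true` still makes the `X-Forwarded-Proto` header of whatever connects to the companion authoritative for `$scheme`. Suggest naming Traefik as the expected front and stating that the companion must only be reachable through it, since the default of `true` is only safe when no client can reach the companion directly and supply that header itself.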
diff --git a/roles/custom/matrix_playbook_migration/defaults/main.yml b/roles/custom/matrix_playbook_migration/defaults/main.yml index 1ca6c011f..8b5ff3caa 100644 --- a/roles/custom/matrix_playbook_migration/defaults/main.yml +++ b/roles/custom/matrix_playbook_migration/defaults/main.yml 
@@ -42,3 +42,24 @@ matrix_playbook_migration_matrix_jitsi_migration_validation_enabled: true # - https://github.com/geerlingguy/ansible-role-docker/pull/410 matrix_playbook_migration_debian_signedby_migration_enabled: true matrix_playbook_migration_debian_signedby_migration_repository_path: "/etc/apt/sources.list.d/download_docker_com_linux_{{ ansible_distribution | lower }}.list" + +# Controls if variable transition checks (related to the matrix-nginx-proxy elimination) will run. +# If you'd like to keep some `matrix_nginx_proxy` and other variables around and not be warned about them, disable this. +# Note: this is not just about `matrix_nginx_proxy_*` variables, but about various other variables that were removed +# during the matrix-nginx-proxy elimination. +matrix_playbook_migration_matrix_nginx_proxy_elimination_variable_transition_checks_enabled: true + +# Controls if (`matrix_nginx_proxy`) leftover variable checks will run. +# If you'd like to keep some `matrix_nginx_proxy` variables around and not be warned about them, disable this. +matrix_playbook_migration_matrix_nginx_proxy_leftover_variable_validation_checks_enabled: true + +# Controls if (`matrix_ssl_`) leftover variable checks will run. +matrix_playbook_migration_matrix_ssl_leftover_variable_checks_enabled: true + +# Controls whether this role will try to detect and clean up after the matrix-nginx-proxy role. +# When enabled, the systemd serivce will be stopped and removed, as well as all data in `/matrix/nginx-proxy +matrix_playbook_migration_matrix_nginx_proxy_uninstallation_enabled: true + +# Controls whether this role will try to detect and clean up the /matrix/ssl files. +matrix_playbook_migration_matrix_ssl_uninstallation_enabled: true + diff --git a/roles/custom/matrix_playbook_migration/tasks/main.yml b/roles/custom/matrix_playbook_migration/tasks/main.yml index e5355b032..9a4efd883 100644 --- a/roles/custom/matrix_playbook_migration/tasks/main.yml 
+++ b/roles/custom/matrix_playbook_migration/tasks/main.yml @@ -33,6 +33,20 @@ block: - ansible.builtin.include_tasks: "{{ role_path }}/tasks/cleanup_matrix_static_files_well_known.yml" +- when: matrix_playbook_migration_matrix_nginx_proxy_uninstallation_enabled | bool + tags: + - setup-all + - install-all + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall_matrix_nginx_proxy.yml" + +- when: matrix_playbook_migration_matrix_ssl_uninstallation_enabled | bool + tags: + - setup-all + - install-all + block: + - ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall_matrix_ssl.yml" + - when: devture_traefik_enabled | bool tags: - setup-all diff --git a/roles/custom/matrix_playbook_migration/tasks/uninstall_matrix_nginx_proxy.yml b/roles/custom/matrix_playbook_migration/tasks/uninstall_matrix_nginx_proxy.yml new file mode 100644 index 000000000..f1fa4f518 --- /dev/null +++ b/roles/custom/matrix_playbook_migration/tasks/uninstall_matrix_nginx_proxy.yml @@ -0,0 +1,25 @@ +--- + +- name: Check existence of matrix-nginx-proxy service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-nginx-proxy.service" + register: nginx_proxy_service_stat + +- when: nginx_proxy_service_stat.stat.exists | bool + block: + - name: Ensure matrix-nginx-proxy is stopped + ansible.builtin.service: + name: matrix-nginx-proxy + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure matrix-nginx-proxy.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-nginx-proxy.service" + state: absent + + - name: Ensure matrix-proxy-files files are deleted + ansible.builtin.file: + path: "{{ matrix_base_data_path }}/nginx-proxy" + state: absent diff --git a/roles/custom/matrix_playbook_migration/tasks/uninstall_matrix_ssl.yml b/roles/custom/matrix_playbook_migration/tasks/uninstall_matrix_ssl.yml new file mode 100644 index 000000000..ebb2c1049 --- /dev/null 
+++ b/roles/custom/matrix_playbook_migration/tasks/uninstall_matrix_ssl.yml @@ -0,0 +1,6 @@ +--- + +- name: Ensure matrix-ssl files are deleted + ansible.builtin.file: + path: "{{ matrix_base_data_path }}/ssl" + state: absent diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index 9df6e134d..7335e4574 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml 
@@ -63,79 +63,6 @@ - {'old': 'exim_relay_docker_image_name_prefix', 'new': 'exim_relay_container_image_name_prefix'} - {'old': 'exim_relay_docker_image_force_pull', 'new': 'exim_relay_container_image_force_pull'} - - {'old': 'matrix_nginx_proxy_proxy_matrix_metrics_enabled', 'new': 'matrix_metrics_exposure_enabled'} - - {'old': 'matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled', 'new': 'matrix_metrics_exposure_http_basic_auth_enabled'} - - {'old': 'matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_matrix_metrics_additional_location_configuration_blocks', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks', 'new': ''} - - - {'old': 'matrix_well_known_matrix_server_enabled', 'new': 'matrix_static_files_file_matrix_server_enabled'} - - {'old': 'matrix_well_known_matrix_support_enabled', 'new': 'matrix_static_files_file_matrix_support_enabled'} - - {'old': 'matrix_homeserver_admin_contacts', 'new': 'matrix_static_files_file_matrix_support_property_m_contacts'} - - {'old': 'matrix_homeserver_support_url', 'new': 'matrix_static_files_file_matrix_support_property_m_support_page'} - - {'old': 'matrix_well_known_matrix_client_io_element_e2ee_default', 'new': 'matrix_static_files_file_matrix_client_property_io_element_e2ee_default'} - - {'old': 'matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required', 'new': 'matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_required'} - - {'old': 'matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods', 'new': 
'matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_setup_methods'} - - {'old': 'matrix_well_known_matrix_client_configuration_extension_json', 'new': 'matrix_static_files_file_matrix_client_configuration_extension_json'} - - {'old': 'matrix_well_known_matrix_server_configuration_extension_json', 'new': 'matrix_static_files_file_matrix_server_configuration_extension_json'} - - {'old': 'matrix_well_known_matrix_support_configuration_extension_json', 'new': 'matrix_static_files_file_matrix_support_configuration_extension_json'} - - {'old': 'matrix_nginx_proxy_self_check_validate_certificates', 'new': 'matrix_static_files_self_check_validate_certificates'} - - {'old': 'matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects', 'new': 'matrix_static_files_self_check_well_known_matrix_client_follow_redirects'} - - {'old': 'matrix_nginx_proxy_base_domain_serving_enabled', 'new': 'matrix_static_files_container_labels_base_domain_enabled'} - - {'old': 'matrix_nginx_proxy_base_domain_hostname', 'new': 'matrix_static_files_container_labels_base_domain_traefik_hostname'} - - {'old': 'matrix_nginx_proxy_base_domain_homepage_enabled', 'new': 'matrix_static_files_file_index_html_enabled'} - - {'old': 'matrix_nginx_proxy_base_domain_create_directory', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_riot_compat_redirect_enabled', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_riot_compat_redirect_hostname', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled', 'new': 'matrix_synapse_container_labels_public_client_synapse_client_api_enabled'} - - {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled', 'new': 
'matrix_synapse_container_labels_public_client_synapse_admin_api_enabled'} - - {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_enabled', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled', 'new': 'matrix_ma1sd_container_labels_matrix_client_3pid_registration_enabled'} - - {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_conduit_enabled', 'new': 'matrix_conduit_container_labels_traefik_enabled'} - - {'old': 'matrix_nginx_proxy_proxy_conduit_block_federation_api_on_client_port', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_conduit_federation_api_enabled', 'new': 'matrix_conduit_container_labels_public_federation_api_enabled'} - - {'old': 'matrix_nginx_proxy_proxy_conduit_client_api_addr_with_container', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_conduit_client_api_addr_sans_container', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_conduit_federation_api_addr_with_container', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_conduit_federation_api_addr_sans_container', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_conduit_additional_server_configuration_blocks', 'new': ''} - - 
{'old': 'matrix_nginx_proxy_proxy_dendrite_enabled', 'new': 'matrix_dendrite_container_labels_traefik_enabled'} - - {'old': 'matrix_nginx_proxy_proxy_dendrite_block_federation_api_on_client_port', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_dendrite_federation_api_enabled', 'new': 'matrix_dendrite_container_labels_public_federation_api_enabled'} - - {'old': 'matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_dendrite_federation_api_addr_with_container', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_dendrite_federation_api_addr_sans_container', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_dendrite_additional_server_configuration_blocks', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_synapse_enabled', 'new': 'matrix_synapse_container_labels_traefik_enabled'} - - {'old': 'matrix_nginx_proxy_proxy_synapse_federation_api_enabled', 'new': 'matrix_synapse_container_labels_public_federation_api_enabled'} - - {'old': 'matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container', 'new': ''} - - {'old': 'matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks', 'new': ''} - - {'old': 'etherpad_nginx_proxy_dimension_integration_enabled', 'new': ''} - - {'old': 'etherpad_nginx_proxy_dimension_integration_path_prefix', 'new': ''} - - {'old': 'matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxying_enabled', 'new': ''} - - {'old': 'matrix_prometheus_services_proxy_connect_prometheus_node_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host', 'new': ''} - - {'old': 
'matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled', 'new': ''} - - {'old': 'matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host', 'new': ''} - - {'old': 'matrix_docker_network', 'new': ''} - - name: (Deprecation) Catch and report matrix_postgres variables ansible.builtin.fail: msg: |- 
@@ -295,3 +222,119 @@ Please change your configuration (vars.yml) to rename all variables (`matrix_jitsi_` -> `jitsi_`). We found usage of the following variables: {{ matrix_playbook_migration_jitsi_migration_vars.keys() | join(', ') }} when: "matrix_playbook_migration_jitsi_migration_vars | length > 0" + +- when: matrix_playbook_migration_matrix_nginx_proxy_elimination_variable_transition_checks_enabled | bool + block: + - name: (Deprecation) Catch and report transitioned playbook settings during the matrix-nginx-proxy elimination + ansible.builtin.fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_nginx_proxy_proxy_matrix_metrics_enabled', 'new': 'matrix_metrics_exposure_enabled'} + - {'old': 'matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled', 'new': 'matrix_metrics_exposure_http_basic_auth_enabled'} + - {'old': 'matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_matrix_metrics_additional_location_configuration_blocks', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks', 'new': ''} + + - {'old': 'matrix_well_known_matrix_server_enabled', 'new': 'matrix_static_files_file_matrix_server_enabled'} + - {'old': 'matrix_well_known_matrix_support_enabled', 'new': 'matrix_static_files_file_matrix_support_enabled'} + - {'old': 'matrix_homeserver_admin_contacts', 'new': 'matrix_static_files_file_matrix_support_property_m_contacts'} + - {'old': 
'matrix_homeserver_support_url', 'new': 'matrix_static_files_file_matrix_support_property_m_support_page'} + - {'old': 'matrix_well_known_matrix_client_io_element_e2ee_default', 'new': 'matrix_static_files_file_matrix_client_property_io_element_e2ee_default'} + - {'old': 'matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required', 'new': 'matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_required'} + - {'old': 'matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods', 'new': 'matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_setup_methods'} + - {'old': 'matrix_well_known_matrix_client_configuration_extension_json', 'new': 'matrix_static_files_file_matrix_client_configuration_extension_json'} + - {'old': 'matrix_well_known_matrix_server_configuration_extension_json', 'new': 'matrix_static_files_file_matrix_server_configuration_extension_json'} + - {'old': 'matrix_well_known_matrix_support_configuration_extension_json', 'new': 'matrix_static_files_file_matrix_support_configuration_extension_json'} + - {'old': 'matrix_nginx_proxy_self_check_validate_certificates', 'new': 'matrix_static_files_self_check_validate_certificates'} + - {'old': 'matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects', 'new': 'matrix_static_files_self_check_well_known_matrix_client_follow_redirects'} + - {'old': 'matrix_nginx_proxy_base_domain_serving_enabled', 'new': 'matrix_static_files_container_labels_base_domain_enabled'} + - {'old': 'matrix_nginx_proxy_base_domain_hostname', 'new': 'matrix_static_files_container_labels_base_domain_traefik_hostname'} + - {'old': 'matrix_nginx_proxy_base_domain_homepage_enabled', 'new': 'matrix_static_files_file_index_html_enabled'} + - {'old': 'matrix_nginx_proxy_base_domain_homepage_template', 'new': 'matrix_static_files_file_index_html_template'} + - {'old': 'matrix_nginx_proxy_base_domain_create_directory', 'new': ''} + - {'old': 
'matrix_nginx_proxy_proxy_riot_compat_redirect_enabled', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_riot_compat_redirect_hostname', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_matrix_client_redirect_enabled', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled', 'new': 'matrix_synapse_container_labels_public_client_synapse_client_api_enabled'} + - {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled', 'new': 'matrix_synapse_container_labels_public_client_synapse_admin_api_enabled'} + - {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_enabled', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled', 'new': 'matrix_ma1sd_container_labels_matrix_client_3pid_registration_enabled'} + - {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_conduit_enabled', 'new': 
'matrix_conduit_container_labels_traefik_enabled'} + - {'old': 'matrix_nginx_proxy_proxy_conduit_block_federation_api_on_client_port', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_conduit_federation_api_enabled', 'new': 'matrix_conduit_container_labels_public_federation_api_enabled'} + - {'old': 'matrix_nginx_proxy_proxy_conduit_client_api_addr_with_container', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_conduit_client_api_addr_sans_container', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_conduit_federation_api_addr_with_container', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_conduit_federation_api_addr_sans_container', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_conduit_additional_server_configuration_blocks', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_dendrite_enabled', 'new': 'matrix_dendrite_container_labels_traefik_enabled'} + - {'old': 'matrix_nginx_proxy_proxy_dendrite_block_federation_api_on_client_port', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_dendrite_federation_api_enabled', 'new': 'matrix_dendrite_container_labels_public_federation_api_enabled'} + - {'old': 'matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_dendrite_federation_api_addr_with_container', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_dendrite_federation_api_addr_sans_container', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_dendrite_additional_server_configuration_blocks', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_synapse_enabled', 'new': 'matrix_synapse_container_labels_traefik_enabled'} + - {'old': 'matrix_nginx_proxy_proxy_synapse_federation_api_enabled', 'new': 'matrix_synapse_container_labels_public_federation_api_enabled'} + - {'old': 'matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container', 'new': ''} + - {'old': 
'matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks', 'new': ''} + - {'old': 'matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks', 'new': ''} + - {'old': 'matrix_nginx_proxy_access_log_enabled', 'new': 'devture_traefik_config_accessLog_enabled'} + - {'old': 'etherpad_nginx_proxy_dimension_integration_enabled', 'new': ''} + - {'old': 'etherpad_nginx_proxy_dimension_integration_path_prefix', 'new': ''} + - {'old': 'matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxying_enabled', 'new': ''} + - {'old': 'matrix_prometheus_services_proxy_connect_prometheus_node_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host', 'new': ''} + - {'old': 'matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled', 'new': ''} + - {'old': 'matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_matrix_nginx_proxy_not_enabled_proxy_pass_host', 'new': ''} + - {'old': 'matrix_docker_network', 'new': ''} + - {'old': 'matrix_playbook_ssl_retrieval_method', 'new': ''} + - {'old': 'matrix_ssl_lets_encrypt_support_email', 'new': 'devture_traefik_config_certificatesResolvers_acme_email'} + +- when: matrix_playbook_migration_matrix_nginx_proxy_leftover_variable_validation_checks_enabled | bool + block: + - ansible.builtin.set_fact: + matrix_playbook_migration_nginx_proxy_migration_vars: |- + {{ vars | dict2items | selectattr('key', 'match', 'matrix_nginx_proxy_.*') | list | items2dict }} + + - name: (Deprecation) Catch and report leftover matrix_nginx_proxy variables + ansible.builtin.fail: + msg: >- + The matrix-nginx-proxy role that used to be part of this playbook has been removed. 
+ You should remove all its variables (`matrix_nginx_proxy_*`) from your vars.yml file. + We found usage of the following variables: {{ matrix_playbook_migration_nginx_proxy_migration_vars.keys() | join(', ') }} + when: "matrix_playbook_migration_nginx_proxy_migration_vars | length > 0" + +- when: matrix_playbook_migration_matrix_ssl_leftover_variable_checks_enabled | bool + block: + - ansible.builtin.set_fact: + matrix_playbook_migration_ssl_migration_vars: |- + {{ vars | dict2items | selectattr('key', 'match', 'matrix_ssl_.*') | list | items2dict }} + + - name: (Deprecation) Catch and report matrix_ssl variables + ansible.builtin.fail: + msg: >- + The matrix-nginx-proxy role that used to be part of this playbook has been removed. + You should remove all its variables (`matrix_ssl_*`) from your vars.yml file. + We found usage of the following variables: {{ matrix_playbook_migration_ssl_migration_vars.keys() | join(', ') }} + when: "matrix_playbook_migration_ssl_migration_vars | length > 0" diff --git a/setup.yml b/setup.yml index cd9f4a008..ea5070aa6 100644 --- a/setup.yml +++ b/setup.yml @@ -114,7 +114,6 @@ - custom/matrix-email2matrix - custom/matrix-sygnal - galaxy/ntfy - - custom/matrix-nginx-proxy - custom/matrix-static-files - custom/matrix-coturn - custom/matrix-media-repo
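Review bot: the `Fail when not cleaning up nginx and prometheus configs` guard removed in the matrix-prometheus-nginxlog-exporter hunk also covered 'matrix-synapse-reverse-proxy-companion' and 'matrix-prometheus', both of which stay in the playbook, so a run limited to the exporter's own tag will now silently leave its settings behind in those two roles' configs. Rather than deleting the guard, narrow it: drop the `setup-nginx-proxy` condition and keep the `setup-all` / `setup-synapse-reverse-proxy-companion` + `setup-prometheus` check, with the message updated to no longer mention 'matrix-nginx-proxy'.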
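Review bot: the comment change in the matrix-synapse-reverse-proxy-companion defaults hunk leaves `matrix_synapse_reverse_proxy_companion_trust_forwarded_proto: true` as the default while now only saying the companion "always expects to be fronted by another reverse-proxy server". Since Traefik is the only fronting proxy the playbook ships after this change, name it, and spell out the precondition that makes `$http_x_forwarded_proto` safe to trust: the companion's listener must only be reachable through that proxy, because the header is taken verbatim from whoever connects, and anything that can reach the companion directly can assert a scheme it did not use.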
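Review bot: in the matrix_playbook_migration defaults hunk, the comment above `matrix_playbook_migration_matrix_nginx_proxy_uninstallation_enabled` has a typo ("serivce"), an unclosed backtick, and hard-codes `/matrix/nginx-proxy` although the task it describes removes `{{ matrix_base_data_path }}/nginx-proxy`. Suggested wording: `# When enabled, the systemd service will be stopped and removed, as well as all data in `{{ matrix_base_data_path }}/nginx-proxy`.` Since both uninstallation toggles are destructive and default to `true`, this comment is also the only place a user learns that an upgrade run deletes the old proxy data; say so explicitly.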
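Review bot: in the new uninstall_matrix_nginx_proxy.yml, `daemon_reload: true` runs on the stop task, i.e. before `matrix-nginx-proxy.service` is deleted with `state: absent`, and nothing reloads systemd afterwards, so the stale unit definition stays loaded until some unrelated reload happens; add an `ansible.builtin.systemd` task with `daemon_reload: true` after the file removal. Two smaller points in the same hunk: the task name `Ensure matrix-proxy-files files are deleted` reads like a typo for `Ensure matrix-nginx-proxy files are deleted`, and because the whole block is gated on the unit file existing, a host where the unit was already removed by hand keeps `{{ matrix_base_data_path }}/nginx-proxy` indefinitely; consider running the data-directory removal outside the `stat` gate, as `state: absent` is a no-op when the path is missing.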
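Review bot: uninstall_matrix_ssl.yml deletes `{{ matrix_base_data_path }}/ssl` unconditionally whenever `matrix_playbook_migration_matrix_ssl_uninstallation_enabled` is true, which is the default, with no existence check, confirmation or backup. Judging by the `matrix_playbook_ssl_retrieval_method` and `matrix_ssl_lets_encrypt_support_email` entries in the transition list, that directory held the certificates and private keys obtained by the removed `matrix_ssl_*` setup; anything outside the playbook that still references those files breaks after a single run. Suggest defaulting this toggle to `false`, or at least gating it the way the nginx-proxy uninstall is gated, and documenting that it removes certificate material.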
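Review bot: in the `(Deprecation) Catch and report transitioned playbook settings during the matrix-nginx-proxy elimination` task, the failure message always renders `Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`)`, but roughly half of the `with_items` entries carry `'new': ''`, so a user with `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` set is told to rename it to an empty name. Branch the message on whether `item.new` is non-empty, e.g. `{% if item.new %}rename the variable ...{% else %}remove the variable `{{ item.old }}`; it has no replacement{% endif %}`. Minor: the two `ansible.builtin.set_fact` tasks in the leftover-variable blocks are the only unnamed tasks in this file; give them a `name` for readable play output.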