From f9836046956bb7fb3741dcafb2e37a55047b67b5 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Mon, 6 Feb 2023 10:34:51 +0200
Subject: [PATCH] Initial work on Traefik support

This gets us started on adding a Traefik role and hooking Traefik:
- directly to services which support Traefik - we only have a few of these right now, but the list will grow
- to matrix-nginx-proxy for most services that integrate with matrix-nginx-proxy right now
Traefik usage should be disabled by default for now and nothing should change for people just yet. Enabling these experiments requires additional configuration like this:
```yaml
devture_traefik_ssl_email_address: '.....'
matrix_playbook_traefik_role_enabled: true
matrix_playbook_traefik_labels_enabled: true
matrix_ssl_retrieval_method: none
matrix_nginx_proxy_https_enabled: false
matrix_nginx_proxy_container_http_host_bind_port: ''
matrix_nginx_proxy_container_federation_host_bind_port: ''
matrix_nginx_proxy_trust_forwarded_proto: true
matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for'
matrix_coturn_enabled: false
```
What currently works is: reverse-proxying for all nginx-proxy based services **except** for the Matrix homeserver (both Client-Server an Federation traffic for the homeserver don't work yet)
---
 group_vars/matrix_servers | 70 +++++++++
 playbooks/matrix.yml | 3 +
 requirements.yml | 3 +
 .../matrix-nginx-proxy/defaults/main.yml | 74 +++++++++
 .../tasks/setup_nginx_proxy.yml | 8 +
 .../matrix-nginx-proxy/templates/labels.j2 | 144 ++++++++++++++++++
 .../systemd/matrix-nginx-proxy.service.j2 | 1 +
 7 files changed, 303 insertions(+)
 create mode 100644 roles/custom/matrix-nginx-proxy/templates/labels.j2

diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 6d096dea0..da624d9a5 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -19,6 +19,28 @@
 # Also see `devture_docker_sdk_for_python_installation_enabled`.
 matrix_playbook_docker_installation_enabled: true
+# Controls whether to run the Traefik role or not
+# See the `com.devture.ansible.role.traefik` section below for role configuration.
+#
+# There's a difference between `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`.
+# `devture_traefik_enabled` controls what the Traefik role would do - when not enabled, it will run uninstall tasks, etc.
+# `matrix_playbook_traefik_role_enabled` controls if the Traefik role would even run at all.
+#
+# Sometimes, you're installing Traefik via a different (related playbook) which uses the same role.
+# In such cases, you'd like to disable the role in this playbook from bothering with Traefik at all (`matrix_playbook_traefik_role_enabled: false`).
+# If you used `devture_traefik_enabled: false` + `matrix_playbook_traefik_role_enabled: true` instead, you'd see the Treafik role here
+# try to delete Traefik data (`/devture-traefik`) installed by the other playbook.
+matrix_playbook_traefik_role_enabled: false
+
+# Controls whether to attach Traefik labels to services.
+# This is separate from `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`,
+# because you may wish to disable Traefik installation by the playbook, yet still use Traefik
+# installed in another way.
+matrix_playbook_traefik_labels_enabled: false
+
+# Controls the additional network that reverse-proxyable services will be connected to.
+matrix_playbook_reverse_proxyable_services_additional_network: "{{ devture_traefik_container_network if devture_traefik_enabled else '' }}"
+
 ########################################################################
 # #
 # /Playbook #
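Review bot: `matrix_playbook_reverse_proxyable_services_additional_network` falls back to `''` whenever `devture_traefik_enabled` is false, which is exactly the setup the comment on `matrix_playbook_traefik_labels_enabled` describes (labels on, Traefik installed in another way). In that case the later hunks pass an empty value into `matrix_nginx_proxy_container_labels_traefik_docker_network` and into the `*_container_additional_networks` lists, so the labelled container is presumably never attached to the externally managed Traefik network. The comment above the variable should say what the operator has to do, for example `# When Traefik is managed outside of this playbook, set this to the name of that Traefik container network yourself.`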
@@ -320,6 +342,8 @@ devture_systemd_service_manager_services_list_auto: |
 ([{'name': 'matrix-synapse-admin.service', 'priority': 4000, 'groups': ['matrix', 'synapse-admin']}] if matrix_synapse_admin_enabled else [])
 +
 ([{'name': 'matrix-synapse-reverse-proxy-companion.service', 'priority': 1500, 'groups': ['matrix', 'homeservers', 'synapse', 'reverse-proxies']}] if matrix_synapse_reverse_proxy_companion_enabled else [])
+ +
+ ([{'name': 'devture-traefik.service', 'priority': 3000, 'groups': ['matrix', 'traefik', 'reverse-proxies']}] if matrix_playbook_traefik_role_enabled else [])
 }}
 ########################################################################
@@ -2157,6 +2181,8 @@ matrix_ma1sd_database_password: "{{ '%s' | format(matrix_homeserver_generic_secr
 # If that's not the case, you may wish to disable this and take care of proxying yourself.
 matrix_nginx_proxy_enabled: true
+matrix_nginx_proxy_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}"
+
 matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-nginx-proxy:12080' }}"
 matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "{{ '127.0.0.1:41080' if matrix_corporal_enabled else '127.0.0.1:12080' }}"
 matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: |-
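Review bot: The new `devture-traefik.service` entry is gated on `matrix_playbook_traefik_role_enabled`, but the comment added in the first hunk says the role runs its uninstall tasks when `devture_traefik_enabled` is false while the role itself still runs. With that combination the service list would still name a unit the role has just removed. Gating the entry on the variable that decides installation avoids this: `([{'name': 'devture-traefik.service', 'priority': 3000, 'groups': ['matrix', 'traefik', 'reverse-proxies']}] if devture_traefik_enabled else [])`. The `devture_systemd_service_manager_services_list_auto` expression starts outside the hunk.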
@@ -2185,6 +2211,22 @@ matrix_nginx_proxy_proxy_grafana_enabled: "{{ matrix_grafana_enabled }}"
 matrix_nginx_proxy_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled }}"
 matrix_nginx_proxy_proxy_ntfy_enabled: "{{ matrix_ntfy_enabled }}"
+matrix_nginx_proxy_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}"
+matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_config_entrypoint_primary }}"
+
+matrix_nginx_proxy_container_labels_traefik_proxy_element_enabled: "{{ matrix_client_element_enabled }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_grafana_enabled: "{{ matrix_grafana_enabled }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_enabled: "{{ matrix_ntfy_enabled }}"
+
 matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}"
 matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
 matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081"
@@ -2968,7 +3010,11 @@ prometheus_node_exporter_server_fqn: "{{ matrix_server_fqn_matrix }}"
 prometheus_node_exporter_container_network: "{{ matrix_docker_network }}"
+prometheus_node_exporter_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}"
+
 prometheus_node_exporter_container_labels_traefik_enabled: false
+prometheus_node_exporter_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+prometheus_node_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_config_entrypoint_primary }}"
 ######################################################################
 #
@@ -2995,7 +3041,11 @@ prometheus_postgres_exporter_server_fqn: "{{ matrix_server_fqn_matrix }}"
 prometheus_postgres_exporter_container_network: "{{ matrix_docker_network }}"
+prometheus_postgres_exporter_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}"
+
 prometheus_postgres_exporter_container_labels_traefik_enabled: false
+prometheus_postgres_exporter_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+prometheus_postgres_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_config_entrypoint_primary }}"
 prometheus_postgres_exporter_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
 prometheus_postgres_exporter_database_username: matrix_prometheus_postgres_exporter
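Review bot: `prometheus_node_exporter_container_additional_networks` puts the exporter on the reverse-proxy network whenever that network is set, even though `prometheus_node_exporter_container_labels_traefik_enabled` stays `false` two lines below, so the container becomes reachable from everything on that network without Traefik routing to it. The same applies to `prometheus_postgres_exporter_container_additional_networks` in the following hunk. Attaching only when the labels are on keeps the exposure to what is needed: `prometheus_node_exporter_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if (prometheus_node_exporter_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [] }}"`.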
@@ -3284,3 +3334,23 @@ matrix_user_creator_users_auto: |
 # /matrix-user-creator
 #
 ######################################################################
+
+
+########################################################################
+# #
+# com.devture.ansible.role.traefik #
+# #
+########################################################################
+
+# To completely disable the Traefik role from running, use `matrix_playbook_traefik_role_enabled: false`.
+# See the comment there for more details about why we have both `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`.
+devture_traefik_enabled: "{{ matrix_playbook_traefik_role_enabled }}"
+
+devture_traefik_uid: "{{ matrix_user_uid }}"
+devture_traefik_gid: "{{ matrix_user_gid }}"
+
+########################################################################
+# #
+# /com.devture.ansible.role.traefik #
+# #
+########################################################################
diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml
index 7be0d6295..392a3a0e0 100755
--- a/playbooks/matrix.yml
+++ b/playbooks/matrix.yml
@@ -115,6 +115,9 @@
 - custom/matrix-user-creator
 - custom/matrix-common-after
+ - when: matrix_playbook_traefik_role_enabled | bool
+ role: galaxy/com.devture.ansible.role.traefik
+
 - when: devture_systemd_service_manager_enabled | bool
 role: galaxy/com.devture.ansible.role.systemd_service_manager
diff --git a/requirements.yml b/requirements.yml
index 4797423d9..696b27000 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -35,3 +35,6 @@
 - src: git+https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter.git
 version: v0.11.1-2
+
+- src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
+ version: 407af71a3667b1d8083beb10bf22423ecf013f58
diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml
index 2861084de..25911a499 100644
--- a/roles/custom/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml
@@ -40,6 +40,80 @@ matrix_nginx_proxy_container_additional_networks: []
 # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
 matrix_nginx_proxy_container_additional_volumes: []
+# matrix_nginx_proxy_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
+# See `../templates/labels.j2` for details.
+#
+# To inject your own other container labels, see `matrix_nginx_proxy_container_labels_additional_labels`.
+matrix_nginx_proxy_container_labels_traefik_enabled: false
+matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_nginx_proxy_container_network }}"
+matrix_nginx_proxy_container_labels_traefik_entrypoints: web-secure
+matrix_nginx_proxy_container_labels_traefik_tls_certResolver: default # noqa var-naming
+
+matrix_nginx_proxy_container_labels_traefik_proxy_element_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_element_hostname: "{{ matrix_server_fqn_element }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_element_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_element_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_element_hostname }}`)"
+
+matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_hostname }}`)"
+
+matrix_nginx_proxy_container_labels_traefik_proxy_cinny_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_cinny_hostname: "{{ matrix_server_fqn_cinny }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_cinny_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_cinny_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_cinny_hostname }}`)"
+
+matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_hostname: "{{ matrix_server_fqn_buscarron }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_hostname }}`)"
+
+matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_dimension_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_hostname }}`)"
+
+matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_hostname: "{{ matrix_server_fqn_etherpad }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_hostname }}`)"
+
+matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_hostname }}`)"
+
+matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_hostname }}`)"
+
+matrix_nginx_proxy_container_labels_traefik_proxy_grafana_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_grafana_hostname: "{{ matrix_server_fqn_grafana }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_grafana_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_grafana_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_grafana_hostname }}`)"
+
+matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_hostname }}`)"
+
+matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_enabled: false
+matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_hostname: "{{ matrix_server_fqn_ntfy }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_hostname }}`)"
+
+# matrix_nginx_proxy_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
+# See `../templates/labels.j2` for details.
+#
+# Example:
+# matrix_nginx_proxy_container_labels_additional_labels: |
+# my.label=1
+# another.label="here"
+matrix_nginx_proxy_container_labels_additional_labels: ''
+
+
 # A list of extra arguments to pass to the container
 matrix_nginx_proxy_container_extra_arguments: []
diff --git a/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
index dd11721a0..31ff68f25 100644
--- a/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
+++ b/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
@@ -22,6 +22,14 @@
 - "{{ matrix_nginx_proxy_data_path }}"
 - "{{ matrix_nginx_proxy_confd_path }}"
+- name: Ensure Matrix nginx-proxy labels file is created
+ ansible.builtin.template:
+ src: "{{ role_path }}/templates/labels.j2"
+ dest: "{{ matrix_nginx_proxy_base_path }}/labels"
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_groupname }}"
+ mode: 0640
+
 - name: Ensure Matrix nginx-proxy configured (main config override)
 ansible.builtin.template:
 src: "{{ role_path }}/templates/nginx/nginx.conf.j2"
diff --git a/roles/custom/matrix-nginx-proxy/templates/labels.j2 b/roles/custom/matrix-nginx-proxy/templates/labels.j2
new file mode 100644
index 000000000..06cc8d1a8
--- /dev/null
+++ b/roles/custom/matrix-nginx-proxy/templates/labels.j2
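Review bot: Every `matrix_nginx_proxy_container_labels_traefik_proxy_*_tls` default is computed as `matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web'`, so whether a router is served in plaintext depends on the entrypoint's name, and nothing next to these variables says so. An operator who names an HTTPS entrypoint 'web', or a plain-HTTP entrypoint anything else, gets the opposite of what they expect for Element, Grafana and the other hostnames. A comment above `matrix_nginx_proxy_container_labels_traefik_entrypoints` would document the convention, for example `# TLS is turned on for every entrypoint name other than the literal 'web'; override the per-service *_tls variables if your entrypoint names differ.`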
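Review bot: `mode: 0640` on the new labels-file task is an unquoted octal literal, which yields the intended permissions only while the YAML loader applies YAML 1.1 octal rules. Quoting it, `mode: '0640'`, makes the permission bits independent of the parser and is the form ansible-lint's `risky-octal` rule asks for.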
@@ -0,0 +1,144 @@
+{% if matrix_nginx_proxy_container_labels_traefik_enabled %}
+traefik.enable=true
+
+{% if matrix_nginx_proxy_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_nginx_proxy_container_labels_traefik_docker_network }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_element_enabled %}
+# Element
+traefik.http.routers.matrix-nginx-proxy-element.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_element_rule }}
+traefik.http.routers.matrix-nginx-proxy-element.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-element.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_element_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_element_tls %}
+traefik.http.routers.matrix-nginx-proxy-element.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-element.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_enabled %}
+# Hydrogen
+traefik.http.routers.matrix-nginx-proxy-hydrogen.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_rule }}
+traefik.http.routers.matrix-nginx-proxy-hydrogen.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-hydrogen.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_tls %}
+traefik.http.routers.matrix-nginx-proxy-hydrogen.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-hydrogen.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_cinny_enabled %}
+# Cinny
+traefik.http.routers.matrix-nginx-proxy-cinny.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_cinny_rule }}
+traefik.http.routers.matrix-nginx-proxy-cinny.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-cinny.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_cinny_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_cinny_tls %}
+traefik.http.routers.matrix-nginx-proxy-cinny.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-cinny.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_enabled %}
+# Buscarron
+traefik.http.routers.matrix-nginx-proxy-buscarron.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_rule }}
+traefik.http.routers.matrix-nginx-proxy-buscarron.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-buscarron.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_tls %}
+traefik.http.routers.matrix-nginx-proxy-buscarron.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-buscarron.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled %}
+# Dimension
+traefik.http.routers.matrix-nginx-proxy-dimension.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_rule }}
+traefik.http.routers.matrix-nginx-proxy-dimension.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-dimension.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls %}
+traefik.http.routers.matrix-nginx-proxy-dimension.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-dimension.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled %}
+# Etherpad
+traefik.http.routers.matrix-nginx-proxy-etherpad.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_rule }}
+traefik.http.routers.matrix-nginx-proxy-etherpad.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-etherpad.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls %}
+traefik.http.routers.matrix-nginx-proxy-etherpad.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-etherpad.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled %}
+# Go NEB bot
+traefik.http.routers.matrix-nginx-proxy-bot_go_neb.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_rule }}
+traefik.http.routers.matrix-nginx-proxy-bot_go_neb.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-bot_go_neb.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_tls %}
+traefik.http.routers.matrix-nginx-proxy-bot_go_neb.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-bot_go_neb.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled %}
+# Jitsi
+traefik.http.routers.matrix-nginx-proxy-jitsi.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_rule }}
+traefik.http.routers.matrix-nginx-proxy-jitsi.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-jitsi.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_tls %}
+traefik.http.routers.matrix-nginx-proxy-jitsi.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-jitsi.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_grafana_enabled %}
+# Grafana
+traefik.http.routers.matrix-nginx-proxy-grafana.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_grafana_rule }}
+traefik.http.routers.matrix-nginx-proxy-grafana.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-grafana.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_grafana_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_grafana_tls %}
+traefik.http.routers.matrix-nginx-proxy-grafana.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-grafana.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_enabled %}
+# Sygnal
+traefik.http.routers.matrix-nginx-proxy-sygnal.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_rule }}
+traefik.http.routers.matrix-nginx-proxy-sygnal.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-sygnal.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_tls %}
+traefik.http.routers.matrix-nginx-proxy-sygnal.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-sygnal.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_enabled %}
+# ntfy
+traefik.http.routers.matrix-nginx-proxy-ntfy.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_rule }}
+traefik.http.routers.matrix-nginx-proxy-ntfy.service=matrix-nginx-proxy-web
+traefik.http.routers.matrix-nginx-proxy-ntfy.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_tls | to_json }}
+{% if matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_tls %}
+traefik.http.routers.matrix-nginx-proxy-ntfy.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.routers.matrix-nginx-proxy-ntfy.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
+{% endif %}
+
+
+traefik.http.services.matrix-nginx-proxy-web.loadbalancer.server.port=8080
+{% endif %}
+
+{{ matrix_nginx_proxy_container_labels_additional_labels }}
diff --git a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
index 301eb9d5d..f302c92e0 100755
--- a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
+++ b/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
@@ -24,6 +24,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 --cap-drop=ALL \
 --read-only \
 --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_nginx_proxy_tmp_directory_size_mb }}m \
+ --label-file={{ matrix_nginx_proxy_base_path }}/labels \
 --network={{ matrix_nginx_proxy_container_network }} \
 {% if matrix_nginx_proxy_container_http_host_bind_port %}
 -p {{ matrix_nginx_proxy_container_http_host_bind_port }}:8080 \
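Review bot: The eleven router stanzas in `labels.j2` differ only in the service name, so any later change to the `tls`/`certResolver` pairing has to be repeated eleven times, and a missed copy leaves one hostname with different TLS handling from the rest. A loop over the service names that resolves the per-service variables with the `vars` lookup renders the same labels from a single stanza; only the per-service comment lines change. The `traefik.enable`, `traefik.docker.network` and `loadbalancer.server.port` lines around the stanzas stay as they are.

```jinja
{# … unchanged: traefik.enable and traefik.docker.network labels … #}
{% for svc in ['element', 'hydrogen', 'cinny', 'buscarron', 'dimension', 'etherpad', 'bot_go_neb', 'jitsi', 'grafana', 'sygnal', 'ntfy'] %}
{% set prefix = 'matrix_nginx_proxy_container_labels_traefik_proxy_' ~ svc %}
{% if lookup('ansible.builtin.vars', prefix ~ '_enabled') %}
{% set tls = lookup('ansible.builtin.vars', prefix ~ '_tls') %}
# {{ svc }}
traefik.http.routers.matrix-nginx-proxy-{{ svc }}.rule={{ lookup('ansible.builtin.vars', prefix ~ '_rule') }}
traefik.http.routers.matrix-nginx-proxy-{{ svc }}.service=matrix-nginx-proxy-web
traefik.http.routers.matrix-nginx-proxy-{{ svc }}.tls={{ tls | to_json }}
{% if tls %}
traefik.http.routers.matrix-nginx-proxy-{{ svc }}.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
{% endif %}
traefik.http.routers.matrix-nginx-proxy-{{ svc }}.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
{% endif %}

{% endfor %}
{# … unchanged: loadbalancer.server.port label and additional labels … #}
```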