matrix_nginx_proxy_enabled: true # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but # those as more frequently out of date. matrix_nginx_proxy_docker_image: "nginx:1.15.8-alpine" matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy" matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d" # List of systemd services that matrix-nginx-proxy.service depends on matrix_nginx_proxy_systemd_required_services_list: ['docker.service'] # List of systemd services that matrix-nginx-proxy.service wants matrix_nginx_proxy_systemd_wanted_services_list: [] # Controls whether proxying the riot domain should be done. matrix_nginx_proxy_proxy_riot_enabled: false matrix_nginx_proxy_proxy_riot_hostname: "{{ hostname_riot }}" # Controls whether proxying the matrix domain should be done. matrix_nginx_proxy_proxy_matrix_enabled: false matrix_nginx_proxy_proxy_matrix_hostname: "{{ hostname_matrix }}" # Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "localhost:41081" # Controls whether proxying for the User Directory Search API (`/_matrix/client/r0/user_directory/search`) should be done (on the matrix domain). # This can be used to forward the API endpoint to another service, augmenting the functionality of Synapse's own User Directory Search. # To learn more, see: https://github.com/kamax-matrix/mxisd/blob/master/docs/features/directory.md matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-mxisd:8090" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "localhost:8090" # Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-mxisd:8090" matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "localhost:8090" # The addresses where the Matrix Client API is. # Certain extensions (like matrix-corporal) may override this in order to capture all traffic. matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-synapse:8008" matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "localhost:8008" # This needs to be equal or higher than the maximum upload size accepted by Synapse. matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size: "25M" # A list of strings containing additional configuration blocks to add to the matrix domain's server configuration. matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: [] # Specifies when to reload the matrix-nginx-proxy service so that # a new SSL certificate could go into effect. matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *" # Specifies which SSL protocols to use when serving Riot and Synapse # Note TLSv1.3 is not yet available in dockerized nginx # See: https://github.com/nginxinc/docker-nginx/issues/190 matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2" # By default, this playbook automatically retrieves and auto-renews # free SSL certificates from Let's Encrypt. # # The following retrieval methods are supported: # - "lets-encrypt" - the playbook obtains free SSL certificates from Let's Encrypt # - "self-signed" - the playbook generates and self-signs certificates # - "manually-managed" - lets you manage certificates by yourself (manually; see below) # # If you decide to manage certificates by yourself (`matrix_ssl_retrieval_method: manually-managed`), # you'd need to drop them into the directory specified by `matrix_ssl_config_dir_path` # obeying the following hierarchy: # - /live//fullchain.pem # - /live//privkey.pem # where refers to the domains that you need (usually `hostname_matrix` and `hostname_riot`). matrix_ssl_retrieval_method: "lets-encrypt" # The list of domains that this role will obtain certificates for. matrix_ssl_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. matrix_ssl_lets_encrypt_staging: false matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v0.30.0" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: "{{ host_specific_matrix_ssl_lets_encrypt_support_email }}" matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl" matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config" matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"