--- # Project source code URL: https://github.com/nginx/nginx matrix_nginx_proxy_enabled: true # renovate: datasource=docker depName=nginx matrix_nginx_proxy_version: 1.25.3-alpine # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but # that is frequently out of date. matrix_nginx_proxy_docker_image: "{{ matrix_container_global_registry_prefix }}nginx:{{ matrix_nginx_proxy_version }}" matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}" matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy" matrix_nginx_proxy_data_path: "{{ matrix_nginx_proxy_base_path }}/data" matrix_nginx_proxy_data_path_in_container: "/nginx-data" matrix_nginx_proxy_data_path_extension: "/matrix-domain" matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_base_path }}/conf.d" # List of systemd services that matrix-nginx-proxy.service depends on matrix_nginx_proxy_systemd_required_services_list: ['docker.service'] # List of systemd services that matrix-nginx-proxy.service wants matrix_nginx_proxy_systemd_wanted_services_list: [] # The base container network. # Also see: matrix_nginx_proxy_container_additional_networks matrix_nginx_proxy_container_network: "{{ matrix_docker_network }}" # A list of additional container networks that matrix-nginx-proxy would be connected to. # The playbook does not create these networks, so make sure they already exist. # # Use this to expose matrix-nginx-proxy to another reverse proxy, which runs in a different container network, # without exposing all other Matrix services to that other reverse-proxy. # # For background, see: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1498 matrix_nginx_proxy_container_additional_networks: [] # A list of additional "volumes" to mount in the container. # This list gets populated dynamically at runtime. You can provide a different default value, # if you wish to mount your own files into the container. # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} matrix_nginx_proxy_container_additional_volumes: [] # matrix_nginx_proxy_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. # See `../templates/labels.j2` for details. # # To inject your own other container labels, see `matrix_nginx_proxy_container_labels_additional_labels`. matrix_nginx_proxy_container_labels_traefik_enabled: false matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_nginx_proxy_container_network }}" matrix_nginx_proxy_container_labels_traefik_entrypoints: web-secure matrix_nginx_proxy_container_labels_traefik_tls_certResolver: default # noqa var-naming matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: false matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_hostname: "{{ matrix_server_fqn_matrix }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_hostname }}`)" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_hostname: "{{ matrix_server_fqn_matrix }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_hostname }}`)" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint: "{{ matrix_federation_traefik_entrypoint }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints: "{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint }}" # matrix_nginx_proxy_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. # See `../templates/labels.j2` for details. # # Example: # matrix_nginx_proxy_container_labels_additional_labels: | # my.label=1 # another.label="here" matrix_nginx_proxy_container_labels_additional_labels: '' # A list of extra arguments to pass to the container matrix_nginx_proxy_container_extra_arguments: [] # Controls whether matrix-nginx-proxy serves its vhosts over HTTPS or HTTP. # # If enabled: # - SSL certificates would be expected to be available (see `matrix_ssl_retrieval_method`) # - the HTTP vhost would be made a redirect to the HTTPS vhost # # If not enabled: # - you don't need any SSL certificates (you can set `matrix_ssl_retrieval_method: none`) # - naturally, there's no HTTPS vhost # - services are served directly from the HTTP vhost matrix_nginx_proxy_https_enabled: true # Controls whether matrix-nginx-proxy trusts an upstream server's X-Forwarded-Proto header # # Required if you disable HTTPS for the container (see `matrix_nginx_proxy_https_enabled`) and have an upstream server handle it instead. matrix_nginx_proxy_trust_forwarded_proto: false matrix_nginx_proxy_x_forwarded_proto_value: "{{ '$http_x_forwarded_proto' if matrix_nginx_proxy_trust_forwarded_proto else '$scheme' }}" # Controls whether the matrix-nginx-proxy container exposes its HTTP port (tcp/8080 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:80"), or empty string to not expose. matrix_nginx_proxy_container_http_host_bind_port: '80' # Controls whether the matrix-nginx-proxy container exposes its HTTPS port (tcp/8443 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:443"), or empty string to not expose. # # This only makes sense and applies if `matrix_nginx_proxy_https_enabled` is set to `true`. # Otherwise, there are no HTTPS vhosts to expose. matrix_nginx_proxy_container_https_host_bind_port: '443' # Controls whether the matrix-nginx-proxy container exposes the Matrix Federation port (tcp/8448 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:8448"), or empty string to not expose. # # This only makes sense and applies if `matrix_nginx_proxy_proxy_matrix_federation_api_enabled` is set to `true`. # Otherwise, there is no Matrix Federation port to expose. # # This port can take HTTP or HTTPS traffic, depending on `matrix_nginx_proxy_https_enabled`. # When HTTPS is disabled, you'd likely want to only expose the port locally, and front it with another HTTPS-enabled reverse-proxy. matrix_nginx_proxy_container_federation_host_bind_port: '8448' # Option to disable the access log matrix_nginx_proxy_access_log_enabled: true # Controls whether proxying for Synapse should be done. matrix_nginx_proxy_proxy_synapse_enabled: false matrix_nginx_proxy_proxy_synapse_hostname: "matrix-nginx-proxy" matrix_nginx_proxy_proxy_synapse_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}" # The addresses where the Matrix Client API is, when using Synapse. matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: "" matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: "" # The addresses where the Federation API is, when using Synapse. matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: "" matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "" # A list of strings containing additional configuration blocks to add to the Synapse's server configuration (matrix-synapse.conf). matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks: [] # Controls whether proxying for Dendrite should be done. matrix_nginx_proxy_proxy_dendrite_enabled: false matrix_nginx_proxy_proxy_dendrite_hostname: "matrix-nginx-proxy" matrix_nginx_proxy_proxy_dendrite_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}" # Controls whether the Client API server (usually at matrix.DOMAIN:443) should explicitly reject `/_matrix/federation` endpoints. # Normally, Dendrite Monolith serves both APIs (Client & Federation) at the same port, so we can serve federation at `matrix.DOMAIN:443` too. matrix_nginx_proxy_proxy_dendrite_block_federation_api_on_client_port: true # The addresses where the Matrix Client API is, when using Dendrite. matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container: "" matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container: "" # A list of strings containing additional configuration blocks to add to the Dendrite's server configuration (matrix-dendrite.conf). matrix_nginx_proxy_proxy_dendrite_additional_server_configuration_blocks: [] # Controls whether proxying for Conduit should be done. matrix_nginx_proxy_proxy_conduit_enabled: false matrix_nginx_proxy_proxy_conduit_hostname: "matrix-nginx-proxy" matrix_nginx_proxy_proxy_conduit_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}" # Controls whether the Client API server (usually at matrix.DOMAIN:443) should explicitly reject `/_matrix/federation` endpoints. matrix_nginx_proxy_proxy_conduit_block_federation_api_on_client_port: true # The addresses where the Matrix Client API is, when using Conduit. matrix_nginx_proxy_proxy_conduit_client_api_addr_with_container: "" matrix_nginx_proxy_proxy_conduit_client_api_addr_sans_container: "" # The addresses where the Federation API is, when using Conduit. matrix_nginx_proxy_proxy_conduit_federation_api_addr_with_container: "" matrix_nginx_proxy_proxy_conduit_federation_api_addr_sans_container: "" # A list of strings containing additional configuration blocks to add to the Conduit's server configuration (matrix-conduit.conf). matrix_nginx_proxy_proxy_conduit_additional_server_configuration_blocks: [] # Controls whether proxying the Element domain should be done. matrix_nginx_proxy_proxy_element_enabled: false matrix_nginx_proxy_proxy_element_hostname: "{{ matrix_server_fqn_element }}" # Controls whether proxying the Hydrogen domain should be done. matrix_nginx_proxy_proxy_hydrogen_enabled: false matrix_nginx_proxy_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}" # Controls whether proxying the Cinny domain should be done. matrix_nginx_proxy_proxy_cinny_enabled: false matrix_nginx_proxy_proxy_cinny_hostname: "{{ matrix_server_fqn_cinny }}" # Controls whether proxying the schildichat domain should be done. matrix_nginx_proxy_proxy_schildichat_enabled: false matrix_nginx_proxy_proxy_schildichat_hostname: "{{ matrix_server_fqn_schildichat }}" # Controls whether proxying the buscarron domain should be done. matrix_nginx_proxy_proxy_buscarron_enabled: false matrix_nginx_proxy_proxy_buscarron_hostname: "{{ matrix_server_fqn_buscarron }}" # Controls whether proxying the matrix domain should be done. matrix_nginx_proxy_proxy_matrix_enabled: false matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}" matrix_nginx_proxy_proxy_matrix_federation_hostname: "{{ matrix_nginx_proxy_proxy_matrix_hostname }}" # The port name used for federation in the nginx configuration. # This is not necessarily the port that it's actually on, # as port-mapping happens (`-p ..`) for the `matrix-nginx-proxy` container. matrix_nginx_proxy_proxy_matrix_federation_port: 8448 # Controls whether proxying the dimension domain should be done. matrix_nginx_proxy_proxy_dimension_enabled: false matrix_nginx_proxy_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}" # Controls whether proxying the rageshake domain should be done. matrix_nginx_proxy_proxy_rageshake_enabled: false matrix_nginx_proxy_proxy_rageshake_hostname: "{{ matrix_server_fqn_rageshake }}" # Controls whether proxying the etherpad domain should be done. matrix_nginx_proxy_proxy_etherpad_enabled: false matrix_nginx_proxy_proxy_etherpad_hostname: "{{ matrix_server_fqn_etherpad }}" # Controls whether proxying the goneb domain should be done. matrix_nginx_proxy_proxy_bot_go_neb_enabled: false matrix_nginx_proxy_proxy_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }}" # Controls whether proxying the jitsi domain should be done. matrix_nginx_proxy_proxy_jitsi_enabled: false matrix_nginx_proxy_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}" # Controls whether proxying the grafana domain should be done. matrix_nginx_proxy_proxy_grafana_enabled: false matrix_nginx_proxy_proxy_grafana_hostname: "{{ matrix_server_fqn_grafana }}" # Controls whether proxying the sygnal domain should be done. matrix_nginx_proxy_proxy_sygnal_enabled: false matrix_nginx_proxy_proxy_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}" # Controls whether proxying the mautrix wsproxy should be done. matrix_nginx_proxy_proxy_mautrix_wsproxy_enabled: false matrix_nginx_proxy_proxy_mautrix_wsproxy_hostname: "{{ matrix_server_fqn_mautrix_wsproxy }}" # Controls whether proxying the ntfy domain should be done. matrix_nginx_proxy_proxy_ntfy_enabled: false matrix_nginx_proxy_proxy_ntfy_hostname: "{{ matrix_server_fqn_ntfy }}" # Controls whether proxying for (Prometheus) metrics (`/metrics/*`) for the various services should be done (on the matrix domain) # If the internal Prometheus server (`matrix-prometheus` role) is used, proxying is not necessary, since Prometheus can access each container directly. # This is only useful when an external Prometheus will be collecting metrics. # # To control what kind of metrics are exposed under `/metrics/` (e.g `/metrics/node-exporter`, `/metrics/postgres-exporter`, etc.), # use `matrix_SERVICE_metrics_proxying_enabled` variables in each respective role. # Roles inject themselves into the matrix-nginx-proxy configuration. # # To protect the metrics endpoints, see `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled` matrix_nginx_proxy_proxy_matrix_metrics_enabled: false # Controls whether Basic Auth is enabled for all `/metrics/*` endpoints. # # You can provide the Basic Auth credentials in 2 ways: # 1. A single username/password pair using `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password` # 2. Using raw content (`htpasswd`-generated file) provided in `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content` matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled: false # `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password` specify # the Basic Auth username/password for protecting `/metrics/*` endpoints. # Alternatively, use `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content`. matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username: "" matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password: "" # `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content` value will be written verbatim to the htpasswd file protecting `/metrics/*` endpoints. # Use this when a single username/password is not enough and you'd like to get more control over credentials. # # Read the manpage at `man 1 htpasswd` to learn more, then encrypt your password, and paste the encrypted value here. # e.g. `htpasswd -c mypass.htpasswd prometheus` and enter `mysecurepw` when prompted yields `prometheus:$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/` # The whole thing is needed here. matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content: "prometheus:$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/" matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content: "" # Specifies the path to the htpasswd file holding the htpasswd credentials for protecting `/metrics/*` endpoints # This is not meant to be modified. matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_path: "{{ matrix_nginx_proxy_data_path_in_container if matrix_nginx_proxy_enabled else matrix_nginx_proxy_data_path }}/matrix-metrics-htpasswd" # Specifies the Apache container image to use # when `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password` are provided. # This image provides the `htpasswd` tool which we use for generating the htpasswd file protecting `/metrics/*`. # To avoid using this, use `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content` instead of supplying username/password. # Learn more in: `roles/custom/matrix-nginx-proxy/tasks/nginx-proxy/setup_metrics_auth.yml`. matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image: "{{ matrix_container_global_registry_prefix }}httpd:{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image_tag }}" # renovate: datasource=docker depName=httpd matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image_tag: "2.4.54-alpine3.16" matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_force_pull: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image_tag.endswith(':latest') }}" # A list of strings containing additional configuration blocks to add to the `location /metrics` configuration (matrix-domain.conf). # Do not modify `matrix_nginx_proxy_proxy_matrix_metrics_additional_location_configuration_blocks` and `matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks`. # If you'd like to inject your own configuration blocks, use `matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks`. matrix_nginx_proxy_proxy_matrix_metrics_additional_location_configuration_blocks: "{{ matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks + matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks }}" matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: [] matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks: [] # Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081" # Controls whether proxying for the User Directory Search API (`/_matrix/client/r0/user_directory/search`) should be done (on the matrix domain). # This can be used to forward the API endpoint to another service, augmenting the functionality of Synapse's own User Directory Search. # To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/directory.md matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}" # Controls whether the user directory search API will be URL-rewritten (/_matrix/client/v3/user_directory/search -> /_matrix/client/r0/user_directory/search). # This is to assist identity servers which only handle the r0 endpoints. # The v3 endpoints are the same (spec-wise), so they can usually be redirected without downsides. # If this is disabled, API requests will be forwarded as-is, without any URL rewriting. matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled: true # Controls whether proxying for 3PID-based registration (`/_matrix/client/r0/register/(email|msisdn)/requestToken`) should be done (on the matrix domain). # This allows another service to control registrations involving 3PIDs. # To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled: false matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}" matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}" # Controls whether the user directory search API will be URL-rewritten (/_matrix/client/v3/register/(email|msisdn)/requestToken -> /_matrix/client/r0/register/(email|msisdn)/requestToken). # This is to assist identity servers which only handle the r0 endpoints. # The v3 endpoints are the same (spec-wise), so they can usually be redirected without downsides. # If this is disabled, API requests will be forwarded as-is, without any URL rewriting. matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled: true # Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}" matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}" # Controls whether proxying for the media repo (`/_matrix/media`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_media_repo_enabled: false matrix_nginx_proxy_proxy_media_repo_addr_with_container: "matrix-media-repo:{{ matrix_media_repo_port }}" matrix_nginx_proxy_proxy_media_repo_addr_sans_container: "127.0.0.1:{{ matrix_media_repo_port }}" # The addresses where the Matrix Client API is. # Certain extensions (like matrix-corporal) may override this in order to capture all traffic. matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-nginx-proxy:12080" matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:12080" # This needs to be equal or higher than the maximum upload size accepted by Synapse. matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 50 # Tells whether `/_synapse/client` is forwarded to the Matrix Client API server. matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled: true # Tells whether `/_synapse/oidc` is forwarded to the Matrix Client API server. # Enable this if you need OpenID Connect authentication support. matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled: false # Tells whether `/_synapse/admin` is forwarded to the Matrix Client API server. # Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't. matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: false # `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefixes` holds # the location prefixes that get forwarded to the Matrix Client API server. # These locations get combined into a regex like this `^(/_matrix|/_synapse/client)`. matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: | {{ (['/_matrix']) + (['/_synapse/client'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled else []) + (['/_synapse/oidc'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled else []) + (['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else []) }} # Controls whether proxying for the Matrix Federation API should be done. matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-nginx-proxy:12088" matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:12088" matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb | int) * 3 }}" matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem" matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem" matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem" # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}" matrix_nginx_proxy_tmp_cache_directory_size_mb: "{{ (matrix_nginx_proxy_synapse_cache_max_size_mb | int) * 2 }}" # A list of strings containing additional configuration blocks to add to the nginx server configuration (nginx.conf). # for big matrixservers to enlarge the number of open files to prevent timeouts # matrix_nginx_proxy_proxy_additional_configuration_blocks: # - 'worker_rlimit_nofile 30000;' matrix_nginx_proxy_proxy_additional_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to the nginx event server configuration (nginx.conf). matrix_nginx_proxy_proxy_event_additional_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to the nginx http's server configuration (nginx-http.conf). matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to the base matrix server configuration (matrix-domain.conf). matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to Riot's server configuration (matrix-riot-web.conf). matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf). matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to Hydrogen's server configuration (matrix-client-hydrogen.conf). matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to Cinny's server configuration (matrix-client-cinny.conf). matrix_nginx_proxy_proxy_cinny_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to schildichat's server configuration (matrix-client-schildichat.conf). matrix_nginx_proxy_proxy_schildichat_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to buscarron's server configuration (matrix-bot-buscarron.conf). matrix_nginx_proxy_proxy_buscarron_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to Dimension's server configuration (matrix-dimension.conf). matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to Rageshake's server configuration (matrix-rageshake.conf). matrix_nginx_proxy_proxy_rageshake_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to etherpad's server configuration (matrix-etherpad.conf). matrix_nginx_proxy_proxy_etherpad_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to GoNEB's server configuration (matrix-bot-go-neb.conf). matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to Jitsi's server configuration (matrix-jitsi.conf). matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to Grafana's server configuration (matrix-grafana.conf). matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to Sygnal's server configuration (matrix-sygnal.conf). matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to mautrix wsproxy server configuration (matrix-mautrix-wsproxy.conf). matrix_nginx_proxy_proxy_mautrix_wsproxy_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to ntfy's server configuration (matrix-ntfy.conf). matrix_nginx_proxy_proxy_ntfy_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to the base domain server configuration (matrix-base-domain.conf). matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: [] # To increase request timeout in NGINX using proxy_read_timeout, proxy_connect_timeout, proxy_send_timeout, send_timeout directives # Nginx Default: proxy_connect_timeout 60s; #Defines a timeout for establishing a connection with a proxied server # Nginx Default: proxy_send_timeout 60s; #Sets a timeout for transmitting a request to the proxied server. # Nginx Default: proxy_read_timeout 60s; #Defines a timeout for reading a response from the proxied server. # Nginx Default: send_timeout 60s; #Sets a timeout for transmitting a response to the client. # # For more information visit: # http://nginx.org/en/docs/http/ngx_http_proxy_module.html # http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout # https://www.nginx.com/resources/wiki/start/topics/examples/fullexample2/ # # Here we are sticking with nginx default values change this value carefully. matrix_nginx_proxy_connect_timeout: 60 matrix_nginx_proxy_send_timeout: 60 matrix_nginx_proxy_read_timeout: 60 matrix_nginx_send_timeout: 60 # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses for all vhosts meant to be accessed by users. # # Learn more about what it is here: # - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea # - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network # - https://amifloced.org/ # # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. matrix_nginx_proxy_floc_optout_enabled: true # HSTS Preloading Enable # # In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and # indicates a willingness to be “preloaded” into browsers: # `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` # For more information visit: # - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security # - https://hstspreload.org/#opt-in matrix_nginx_proxy_hsts_preload_enabled: false # X-XSS-Protection Enable # Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. # Note: Not applicable for grafana # # Learn more about it is here: # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection # - https://portswigger.net/web-security/cross-site-scripting/reflected matrix_nginx_proxy_xss_protection: "1; mode=block" # Specifies the SSL configuration that should be used for the SSL protocols and ciphers # This is based on the Mozilla Server Side TLS Recommended configurations. # # The posible values are: # - "modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility # - "intermediate" - Recommended configuration for a general-purpose server # - "old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 # # For more information visit: # - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations # - https://ssl-config.mozilla.org/#server=nginx matrix_nginx_proxy_ssl_preset: "intermediate" # Presets are taken from Mozilla's Server Side TLS Recommended configurations # DO NOT modify these values and use `matrix_nginx_proxy_ssl_protocols`, `matrix_nginx_proxy_ssl_ciphers` and `matrix_nginx_proxy_ssl_ciphers` # if you wish to use something more custom. matrix_nginx_proxy_ssl_presets: modern: protocols: TLSv1.3 ciphers: "" prefer_server_ciphers: "off" intermediate: protocols: TLSv1.2 TLSv1.3 ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 prefer_server_ciphers: "off" old: protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA prefer_server_ciphers: "on" # Specifies which *SSL protocols* to use when serving all the various vhosts. matrix_nginx_proxy_ssl_protocols: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}" # Specifies whether to prefer *the client’s choice or the server’s choice* when negotiating ciphers. matrix_nginx_proxy_ssl_prefer_server_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}" # Specifies which *SSL Cipher suites* to use when serving all the various vhosts. # To see the full list for suportes ciphers run `openssl ciphers` on your server matrix_nginx_proxy_ssl_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}" # Specifies what to use for the X-Forwarded-For variable. # If you're fronting the nginx reverse-proxy with additional reverse-proxy servers, # you may wish to set this to '$proxy_add_x_forwarded_for' instead. matrix_nginx_proxy_x_forwarded_for: '$remote_addr' # For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter). # # Otherwise, we get warnings like this: # > [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/matrix/ssl/config/live/.../fullchain.pem" # # We point it to the internal Docker resolver, which likely delegates to nameservers defined in `/etc/resolv.conf`. # # When nginx proxy is disabled, our configuration is likely used by non-containerized nginx, so can't use the internal Docker resolver. # Pointing `resolver` to some public DNS server might be an option, but for now we impose DNS servers on people. # It might also be that no such warnings occur when not running in a container. matrix_nginx_proxy_http_level_resolver: "{{ '127.0.0.11' if matrix_nginx_proxy_enabled else '' }}" # By default, this playbook automatically retrieves and auto-renews # free SSL certificates from Let's Encrypt. # # The following retrieval methods are supported: # - "lets-encrypt" - the playbook obtains free SSL certificates from Let's Encrypt # - "self-signed" - the playbook generates and self-signs certificates # - "manually-managed" - lets you manage certificates by yourself (manually; see below) # - "none" - like "manually-managed", but doesn't care if you don't drop certificates in the location it expects # # If you decide to manage certificates by yourself (`matrix_ssl_retrieval_method: manually-managed`), # you'd need to drop them into the directory specified by `matrix_ssl_config_dir_path` # obeying the following hierarchy: # - /live//fullchain.pem # - /live//privkey.pem # where refers to the domains that you need (usually `matrix_server_fqn_matrix` and `matrix_server_fqn_element`). # # The "none" type (`matrix_ssl_retrieval_method: none`), simply means that no certificate retrieval will happen. # It's useful for when you've disabled the nginx proxy (`matrix_nginx_proxy_enabled: false`) # and you'll be using another reverse-proxy server (like Apache) with your own certificates, managed by yourself. # It's also useful if you're using `matrix_nginx_proxy_https_enabled: false` to make this nginx proxy serve # plain HTTP traffic only (usually, on the loopback interface only) and you'd be terminating SSL using another reverse-proxy. matrix_ssl_retrieval_method: "lets-encrypt" matrix_ssl_architecture: "amd64" # The full list of domains that this role will obtain certificates for. # This variable is likely redefined outside of the role, to include the domains that are necessary (depending on the services that are enabled). # To add additional domain names, consider using `matrix_ssl_additional_domains_to_obtain_certificates_for` instead. matrix_ssl_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains_to_obtain_certificates_for }}" # A list of additional domain names to obtain certificates for. matrix_ssl_additional_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. # If you'd like to use another ACME Certificate Authority server (not Let's Encrypt), use `matrix_ssl_lets_encrypt_server` matrix_ssl_lets_encrypt_staging: false # Controls from which Certificate Authority server to retrieve the SSL certificates (passed as a `--server` flag to Certbot). # By default, we use the Let's Encrypt production environment (use `matrix_ssl_lets_encrypt_staging` for using the staging environment). # Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#changing-the-acme-server matrix_ssl_lets_encrypt_server: '' matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v2.0.0" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: ~ # Tells which interface and port the Let's Encrypt (certbot) container should try to bind to # when it tries to obtain initial certificates in standalone mode. # # This should normally be a public interface and port. # If you'd like to not bind on all IP addresses, specify one explicitly (e.g. `a.b.c.d:80`) matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port: '80' # Specify key type of the private key algorithm. # Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#rsa-and-ecdsa-keys matrix_ssl_lets_encrypt_key_type: ecdsa matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl" matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config" matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log" matrix_ssl_bin_dir_path: "{{ matrix_ssl_base_path }}/bin" # If you'd like to start some service before a certificate is obtained, specify it here. # This could be something like `matrix-dynamic-dns`, etc. matrix_ssl_pre_obtaining_required_service_name: ~ matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60 # matrix_ssl_orphaned_renewal_configs_purging_enabled controls whether the playbook will delete Let's Encryption renewal configuration files (`/matrix/ssl/config/renewal/*.conf) # for domains that are not part of the `matrix_ssl_domains_to_obtain_certificates_for` list. # # As the `matrix_ssl_domains_to_obtain_certificates_for` list changes over time, the playbook obtains certificates for various domains # and sets up "renewal" configuration files to keep these certificates fresh. # When a domain disappears from the `matrix_ssl_domains_to_obtain_certificates_for` list (because its associated service had gotten disabled), # the certificate files and renewal configuration still remain in the filesystem and certbot may try to renewal the certificate for this domain. # If there's no DNS record for this domain or it doesn't point to this server anymore, the `matrix-ssl-lets-encrypt-certificates-renew.service` systemd service # won't be able to renew the certificate and will generate an error. # # With `matrix_ssl_orphaned_renewal_configs_purging_enabled` enabled, orphaned renewal configurations will be purged on each playbook run. # Some other leftover files will still remain, but we don't bother purging them because they don't cause troubles. matrix_ssl_orphaned_renewal_configs_purging_enabled: true # Nginx Optimize SSL Session # # ssl_session_cache: # - Creating a cache of TLS connection parameters reduces the number of handshakes # and thus can improve the performance of application. # - Default session cache is not optimal as it can be used by only one worker process # and can cause memory fragmentation. It is much better to use shared cache. # - Learn More: https://nginx.org/en/docs/http/ngx_http_ssl_module.html # # ssl_session_timeout: # - Nginx by default it is set to 5 minutes which is very low. # should be like 4h or 1d but will require you to increase the size of cache. # - Learn More: # https://github.com/certbot/certbot/issues/6903 # https://github.com/mozilla/server-side-tls/issues/198 # # ssl_session_tickets: # - In case of session tickets, information about session is given to the client. # Enabling this improve performance also make Perfect Forward Secrecy useless. # - If you would instead like to use ssl_session_tickets by yourself, you can set # matrix_nginx_proxy_ssl_session_tickets_off false. # - Learn More: https://github.com/mozilla/server-side-tls/issues/135 # # Presets are taken from Mozilla's Server Side TLS Recommended configurations matrix_nginx_proxy_ssl_session_cache: "shared:MozSSL:10m" matrix_nginx_proxy_ssl_session_timeout: "1d" matrix_nginx_proxy_ssl_session_tickets_off: true # OCSP Stapling eliminating the need for clients to contact the CA, with the aim of improving both security and performance. # OCSP stapling can provide a performance boost of up to 30% # nginx web server supports OCSP stapling since version 1.3.7. # # *warning* Nginx is lazy loading OCSP responses, which means that for the first few web requests it is unable to add the OCSP response. # set matrix_nginx_proxy_ocsp_stapling_enabled false to disable OCSP Stapling # # Learn more about what it is here: # - https://en.wikipedia.org/wiki/OCSP_stapling # - https://blog.cloudflare.com/high-reliability-ocsp-stapling/ # - https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ matrix_nginx_proxy_ocsp_stapling_enabled: true # nginx status page configurations. matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: false matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ['{{ ansible_default_ipv4.address }}'] # The amount of worker processes and connections # Consider increasing these when you are expecting high amounts of traffic # http://nginx.org/en/docs/ngx_core_module.html#worker_connections matrix_nginx_proxy_worker_processes: auto matrix_nginx_proxy_worker_connections: 1024