mirror of
https://github.com/spantaleev/matrix-docker-ansible-deploy.git
synced 2024-11-06 02:37:31 +01:00
Adjust TLS variables for homeservers to follow devture_traefik_config_entrypoint_web_secure_enabled (via matrix_federation_traefik_entrypoint_tls)
This commit is contained in:
Slavi Pantaleev
parent
3fa21d19be
commit
b91ad453be
@ -42,7 +42,7 @@ devture_traefik_certs_dumper_ssl_dir_path: "/path/to/your/traefiks/acme.json/dir
|
||||
|
||||
# Uncomment and tweak the variable below if the name of your federation entrypoint is different
|
||||
# than the default value (matrix-federation).
|
||||
# matrix_federation_traefik_entrypoint: matrix-federation
|
||||
# matrix_federation_traefik_entrypoint_name: matrix-federation
|
||||
```
|
||||
|
||||
In this mode all roles will still have Traefik labels attached. You will, however, need to configure your Traefik instance and its entrypoints.
|
||||
@ -145,7 +145,9 @@ matrix_playbook_reverse_proxy_type: playbook-managed-traefik
|
||||
# Ensure that public urls use https
|
||||
matrix_playbook_ssl_enabled: true
|
||||
|
||||
# Disable the web-secure (port 443) endpoint, which also disables SSL certificate retrieval
|
||||
# Disable the web-secure (port 443) endpoint, which also disables SSL certificate retrieval.
|
||||
# This has the side-effect of also automatically disabling TLS for the matrix-federation entrypoint
|
||||
# (by toggling `matrix_federation_traefik_entrypoint_tls`).
|
||||
devture_traefik_config_entrypoint_web_secure_enabled: false
|
||||
|
||||
# If your reverse-proxy runs on another machine, consider using `0.0.0.0:81`, just `81` or `SOME_IP_ADDRESS_OF_THIS_MACHINE:81`
|
||||
|
||||
@ -30,6 +30,11 @@ matrix_playbook_reverse_proxy_hostname: "{{ devture_traefik_identifier if devtur
|
||||
# A separate Matrix Federation entrypoint is always enabled, unless the federation port matches one of the ports for existing (default) entrypoints
|
||||
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_enabled: "{{ matrix_federation_public_port not in [devture_traefik_config_entrypoint_web_port, devture_traefik_config_entrypoint_web_secure_port] }}"
|
||||
|
||||
# `devture_traefik_config_entrypoint_web_secure_enabled` is the variable we currently follow to determine if SSL is enabled or not.
|
||||
# `matrix_playbook_ssl_enabled` is merely an indicator if (when looked at it publicly), the server supports SSL or not,
|
||||
# and affects how services configure their public URLs.
|
||||
matrix_federation_traefik_entrypoint_tls: "{{ devture_traefik_config_entrypoint_web_secure_enabled }}"
|
||||
|
||||
########################################################################
|
||||
# #
|
||||
# /Playbook #
|
||||
@ -3910,7 +3915,9 @@ matrix_synapse_container_labels_public_client_root_redirection_url: "{{ (('https
|
||||
|
||||
matrix_synapse_container_labels_public_client_synapse_admin_api_enabled: "{{ matrix_synapse_admin_enabled }}"
|
||||
|
||||
matrix_synapse_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint }}"
|
||||
matrix_synapse_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}"
|
||||
matrix_synapse_container_labels_public_federation_api_traefik_tls: "{{ matrix_federation_traefik_entrypoint_tls }}"
|
||||
matrix_synapse_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_synapse_container_labels_traefik_tls_certResolver }}" # noqa var-naming
|
||||
|
||||
matrix_synapse_container_labels_public_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}"
|
||||
matrix_synapse_container_labels_public_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}"
|
||||
@ -4066,7 +4073,8 @@ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_cl
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_oidc_api_enabled: "{{ matrix_synapse_container_labels_public_client_synapse_oidc_api_enabled }}"
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_enabled: "{{ matrix_synapse_container_labels_public_client_synapse_admin_api_enabled }}"
|
||||
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint }}"
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_synapse_container_labels_public_federation_api_traefik_entrypoints }}"
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_tls: "{{ matrix_synapse_container_labels_public_federation_api_traefik_tls }}"
|
||||
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_enabled: "{{ matrix_synapse_container_labels_internal_client_api_enabled }}"
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_synapse_container_labels_internal_client_api_traefik_entrypoints }}"
|
||||
@ -4585,7 +4593,8 @@ matrix_dendrite_container_labels_public_client_synapse_admin_api_enabled: "{{ ma
|
||||
matrix_dendrite_container_labels_public_client_root_redirection_enabled: "{{ matrix_dendrite_container_labels_public_client_root_redirection_url != '' }}"
|
||||
matrix_dendrite_container_labels_public_client_root_redirection_url: "{{ (('https://' if matrix_playbook_ssl_enabled else 'http://') + matrix_server_fqn_element) if matrix_client_element_enabled else '' }}"
|
||||
|
||||
matrix_dendrite_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint }}"
|
||||
matrix_dendrite_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}"
|
||||
matrix_dendrite_container_labels_public_federation_api_traefik_tls: "{{ matrix_federation_traefik_entrypoint_tls }}"
|
||||
|
||||
matrix_dendrite_container_labels_public_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}"
|
||||
matrix_dendrite_container_labels_public_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}"
|
||||
@ -4674,7 +4683,8 @@ matrix_conduit_container_labels_traefik_tls_certResolver: "{{ devture_traefik_ce
|
||||
matrix_conduit_container_labels_public_client_root_redirection_enabled: "{{ matrix_conduit_container_labels_public_client_root_redirection_url != '' }}"
|
||||
matrix_conduit_container_labels_public_client_root_redirection_url: "{{ (('https://' if matrix_playbook_ssl_enabled else 'http://') + matrix_server_fqn_element) if matrix_client_element_enabled else '' }}"
|
||||
|
||||
matrix_conduit_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint }}"
|
||||
matrix_conduit_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}"
|
||||
matrix_conduit_container_labels_public_federation_api_traefik_tls: "{{ matrix_federation_traefik_entrypoint_tls }}"
|
||||
|
||||
matrix_conduit_container_labels_internal_client_api_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}"
|
||||
matrix_conduit_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"
|
||||
|
||||
@ -111,7 +111,13 @@ matrix_federation_public_port: 8448
|
||||
|
||||
# The name of the Traefik entrypoint for handling Matrix Federation
|
||||
# Also see the `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_*` variables.
|
||||
matrix_federation_traefik_entrypoint: matrix-federation
|
||||
matrix_federation_traefik_entrypoint_name: matrix-federation
|
||||
|
||||
# Controls whether the federation entrypoint supports TLS.
|
||||
# TLS is force-enabled here, because the spec (https://spec.matrix.org/v1.9/server-server-api/#tls) says that the federation API must use HTTPS.
|
||||
# This may be changed at the playbook level for setups explicitly disabling TLS.
|
||||
# `matrix_playbook_ssl_enabled` has no influence over this.
|
||||
matrix_federation_traefik_entrypoint_tls: true
|
||||
|
||||
# The architecture that your server runs.
|
||||
# Recognized values by us are 'amd64', 'arm32' and 'arm64'.
|
||||
@ -235,7 +241,8 @@ matrix_playbook_reverse_proxyable_services_additional_network: "{{ matrix_playbo
|
||||
|
||||
# Controls if various services think if SSL is enabled or not.
|
||||
# Disabling this does not actually disable Treafik's web-secure entrypoint and TLS termination settings.
|
||||
# For that, you'd need to use other variables. This one merely serves as an indicator if SSL is used or not.
|
||||
# For that, you'd need to use another variable (`devture_traefik_config_entrypoint_web_secure_enabled`).
|
||||
# This variable merely serves as an indicator if SSL is used or not.
|
||||
matrix_playbook_ssl_enabled: true
|
||||
|
||||
matrix_playbook_service_host_bind_interface_prefix: "{{ '' if matrix_playbook_reverse_proxy_type not in ['other-nginx-non-container', 'other-on-same-host', 'other-on-another-host'] else ('0.0.0.0:' if matrix_playbook_reverse_proxy_type == 'other-on-another-host' else '127.0.0.1:') }}"
|
||||
@ -244,7 +251,7 @@ matrix_playbook_service_host_bind_interface_prefix: "{{ '' if matrix_playbook_re
|
||||
# By default, federation is served on a special port (8448), so a separate entrypoint is necessary.
|
||||
# Group variables may influence whether this is enabled based on the port number and on the default entrypoints of the Traefik reverse-proxy.
|
||||
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_enabled: true
|
||||
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_name: "{{ matrix_federation_traefik_entrypoint }}"
|
||||
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_name: "{{ matrix_federation_traefik_entrypoint_name }}"
|
||||
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port: "{{ matrix_federation_public_port }}"
|
||||
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port: "{{ matrix_federation_public_port }}"
|
||||
matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_auto | combine(matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom, recursive=True) }}"
|
||||
|
||||
@ -85,7 +85,8 @@ matrix_conduit_container_labels_public_federation_api_traefik_path_prefix: /_mat
|
||||
matrix_conduit_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_conduit_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_conduit_container_labels_public_federation_api_traefik_path_prefix }}`)"
|
||||
matrix_conduit_container_labels_public_federation_api_traefik_priority: 0
|
||||
matrix_conduit_container_labels_public_federation_api_traefik_entrypoints: ''
|
||||
matrix_conduit_container_labels_public_federation_api_traefik_tls: "{{ matrix_conduit_container_labels_public_federation_api_traefik_entrypoints != 'web' }}"
|
||||
# TLS is force-enabled here, because the spec (https://spec.matrix.org/v1.9/server-server-api/#tls) says that the federation API must use HTTPS.
|
||||
matrix_conduit_container_labels_public_federation_api_traefik_tls: true
|
||||
matrix_conduit_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_conduit_container_labels_traefik_tls_certResolver }}" # noqa var-naming
|
||||
|
||||
# matrix_conduit_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
|
||||
|
||||
@ -129,7 +129,8 @@ matrix_dendrite_container_labels_public_federation_api_traefik_path_prefix: /_ma
|
||||
matrix_dendrite_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_dendrite_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_dendrite_container_labels_public_federation_api_traefik_path_prefix }}`)"
|
||||
matrix_dendrite_container_labels_public_federation_api_traefik_priority: 0
|
||||
matrix_dendrite_container_labels_public_federation_api_traefik_entrypoints: ''
|
||||
matrix_dendrite_container_labels_public_federation_api_traefik_tls: "{{ matrix_dendrite_container_labels_public_federation_api_traefik_entrypoints != 'web' }}"
|
||||
# TLS is force-enabled here, because the spec (https://spec.matrix.org/v1.9/server-server-api/#tls) says that the federation API must use HTTPS.
|
||||
matrix_dendrite_container_labels_public_federation_api_traefik_tls: true
|
||||
matrix_dendrite_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_dendrite_container_labels_traefik_tls_certResolver }}" # noqa var-naming
|
||||
|
||||
# Controls whether labels will be added that expose Dendrite's metrics on a public Traefik entrypoint.
|
||||
|
||||
@ -107,7 +107,7 @@ matrix_media_repo_container_labels_traefik_t2bot_tls_certResolver: default # no
|
||||
matrix_media_repo_container_labels_traefik_media_federation_path_prefix: "/_matrix/media"
|
||||
matrix_media_repo_container_labels_traefik_media_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_media_path_prefix | quote }}`)"
|
||||
matrix_media_repo_container_labels_traefik_media_federation_priority: 0
|
||||
matrix_media_repo_container_labels_traefik_media_federation_entrypoints: "{{ matrix_federation_traefik_entrypoint }}"
|
||||
matrix_media_repo_container_labels_traefik_media_federation_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}"
|
||||
matrix_media_repo_container_labels_traefik_media_federation_tls: "{{ matrix_media_repo_container_labels_traefik_media_entrypoints != 'web' }}"
|
||||
matrix_media_repo_container_labels_traefik_media_federation_tls_certResolver: default # noqa var-naming
|
||||
|
||||
@ -116,7 +116,7 @@ matrix_media_repo_container_labels_traefik_media_federation_tls_certResolver: de
|
||||
matrix_media_repo_container_labels_traefik_logout_federation_path_prefix: "/_matrix/client/{version:(r0|v1|v3|unstable)}/{endpoint:(logout|logout/all)}"
|
||||
matrix_media_repo_container_labels_traefik_logout_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_logout_path_prefix }}`)"
|
||||
matrix_media_repo_container_labels_traefik_logout_federation_priority: 0
|
||||
matrix_media_repo_container_labels_traefik_logout_federation_entrypoints: "{{ matrix_federation_traefik_entrypoint }}"
|
||||
matrix_media_repo_container_labels_traefik_logout_federation_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}"
|
||||
matrix_media_repo_container_labels_traefik_logout_federation_tls: "{{ matrix_media_repo_container_labels_traefik_logout_entrypoints != 'web' }}"
|
||||
matrix_media_repo_container_labels_traefik_logout_federation_tls_certResolver: default # noqa var-naming
|
||||
|
||||
@ -125,14 +125,14 @@ matrix_media_repo_container_labels_traefik_logout_federation_tls_certResolver: d
|
||||
matrix_media_repo_container_labels_traefik_admin_federation_path_prefix: "/_matrix/client/{version:(r0|v1|v3|unstable)}/admin/{endpoint:(purge_media_cache|quarantine_media/.*)}"
|
||||
matrix_media_repo_container_labels_traefik_admin_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_admin_path_prefix }}`)"
|
||||
matrix_media_repo_container_labels_traefik_admin_federation_priority: 0
|
||||
matrix_media_repo_container_labels_traefik_admin_federation_entrypoints: "{{ matrix_federation_traefik_entrypoint }}"
|
||||
matrix_media_repo_container_labels_traefik_admin_federation_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}"
|
||||
matrix_media_repo_container_labels_traefik_admin_federation_tls: "{{ matrix_media_repo_container_labels_traefik_admin_entrypoints != 'web' }}"
|
||||
matrix_media_repo_container_labels_traefik_admin_federation_tls_certResolver: default # noqa var-naming
|
||||
|
||||
matrix_media_repo_container_labels_traefik_t2bot_federation_path_prefix: "/_matrix/client/unstable/io.t2bot.media"
|
||||
matrix_media_repo_container_labels_traefik_t2bot_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_t2bot_path_prefix | quote }}`)"
|
||||
matrix_media_repo_container_labels_traefik_t2bot_federation_priority: 0
|
||||
matrix_media_repo_container_labels_traefik_t2bot_federation_entrypoints: "{{ matrix_federation_traefik_entrypoint }}"
|
||||
matrix_media_repo_container_labels_traefik_t2bot_federation_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}"
|
||||
matrix_media_repo_container_labels_traefik_t2bot_federation_tls: "{{ matrix_media_repo_container_labels_traefik_t2bot_entrypoints != 'web' }}"
|
||||
matrix_media_repo_container_labels_traefik_t2bot_federation_tls_certResolver: default # noqa var-naming
|
||||
|
||||
|
||||
@ -114,7 +114,8 @@ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_tr
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_path_prefix }}`)"
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_priority: 0
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_entrypoints: ''
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_entrypoints != 'web' }}"
|
||||
# TLS is force-enabled here, because the spec (https://spec.matrix.org/v1.9/server-server-api/#tls) says that the federation API must use HTTPS.
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_tls: true
|
||||
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming
|
||||
|
||||
# matrix_synapse_reverse_proxy_companion_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
|
||||
|
||||
@ -259,7 +259,8 @@ matrix_synapse_container_labels_public_federation_api_traefik_path_prefix: /_mat
|
||||
matrix_synapse_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_synapse_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_container_labels_public_federation_api_traefik_path_prefix }}`)"
|
||||
matrix_synapse_container_labels_public_federation_api_traefik_priority: 0
|
||||
matrix_synapse_container_labels_public_federation_api_traefik_entrypoints: ''
|
||||
matrix_synapse_container_labels_public_federation_api_traefik_tls: "{{ matrix_synapse_container_labels_public_federation_api_traefik_entrypoints != 'web' }}"
|
||||
# TLS is force-enabled here, because the spec (https://spec.matrix.org/v1.9/server-server-api/#tls) says that the federation API must use HTTPS.
|
||||
matrix_synapse_container_labels_public_federation_api_traefik_tls: true
|
||||
matrix_synapse_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_synapse_container_labels_traefik_tls_certResolver }}" # noqa var-naming
|
||||
|
||||
# Controls whether labels will be added that expose metrics (see `matrix_synapse_metrics_proxying_enabled`) for the main Synapse process
|
||||
|
||||
@ -310,6 +310,7 @@
|
||||
- {'old': 'matrix_docker_network', 'new': '<removed in favor of various other variables - matrix_addons_container_network, matrix_monitoring_container_network, matrix_homeserver_container_network, etc.>'}
|
||||
- {'old': 'matrix_playbook_ssl_retrieval_method', 'new': '<removed>'}
|
||||
- {'old': 'matrix_ssl_lets_encrypt_support_email', 'new': 'devture_traefik_config_certificatesResolvers_acme_email'}
|
||||
- {'old': 'matrix_federation_traefik_entrypoint', 'new': 'matrix_federation_traefik_entrypoint_name'}
|
||||
|
||||
- when: matrix_playbook_migration_matrix_nginx_proxy_leftover_variable_validation_checks_enabled | bool
|
||||
block:
|
||||
|
||||
Loading…
Reference in New Issue
Block a user