mirror of
https://github.com/spantaleev/matrix-docker-ansible-deploy.git
synced 2024-11-13 22:12:51 +01:00
964aa0e84d
The newly extracted role also has native Traefik support, so we no longer need to rely on `matrix-nginx-proxy` for reverse-proxying to Ntfy. The new role uses port `80` inside the container (not `8080`, like before), because that's the default assumption of the officially published container image. Using a custom port (like `8080`), means the default healthcheck command (which hardcodes port `80`) doesn't work. Instead of fiddling to override the healthcheck command, we've decided to stick to the default port instead. This only affects the inside-the-container port, not any external ports. The new role also supports adding the network ranges of the container's multiple additional networks as "exempt hosts". Previously, only one network's address range was added to "exempt hosts".
103 lines
3.5 KiB
Django/Jinja
103 lines
3.5 KiB
Django/Jinja
#jinja2: lstrip_blocks: "True"
|
|
|
|
{% macro render_vhost_directives() %}
|
|
gzip on;
|
|
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
|
|
|
|
{% if matrix_nginx_proxy_hsts_preload_enabled %}
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
|
{% else %}
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
|
{% endif %}
|
|
add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
|
|
add_header X-Content-Type-Options nosniff;
|
|
add_header X-Frame-Options DENY;
|
|
|
|
{% for configuration_block in matrix_nginx_proxy_proxy_ntfy_additional_server_configuration_blocks %}
|
|
{{- configuration_block }}
|
|
{% endfor %}
|
|
|
|
location / {
|
|
{% if matrix_nginx_proxy_enabled %}
|
|
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
|
resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;
|
|
set $backend "matrix-ntfy:80";
|
|
proxy_pass http://$backend;
|
|
{% else %}
|
|
{# Generic configuration for use outside of our container setup #}
|
|
proxy_pass http://127.0.0.1:2586;
|
|
{% endif %}
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
|
|
proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
|
|
}
|
|
{% endmacro %}
|
|
|
|
server {
|
|
listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
|
|
listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }};
|
|
|
|
server_name {{ matrix_nginx_proxy_proxy_ntfy_hostname }};
|
|
|
|
server_tokens off;
|
|
root /dev/null;
|
|
|
|
{% if matrix_nginx_proxy_https_enabled %}
|
|
location /.well-known/acme-challenge {
|
|
{% if matrix_nginx_proxy_enabled %}
|
|
{# Use the embedded DNS resolver in Docker containers to discover the service #}
|
|
resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;
|
|
set $backend "matrix-certbot:8080";
|
|
proxy_pass http://$backend;
|
|
{% else %}
|
|
{# Generic configuration for use outside of our container setup #}
|
|
proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
|
|
{% endif %}
|
|
}
|
|
|
|
location / {
|
|
return 301 https://$http_host$request_uri;
|
|
}
|
|
{% else %}
|
|
{{ render_vhost_directives() }}
|
|
{% endif %}
|
|
}
|
|
|
|
{% if matrix_nginx_proxy_https_enabled %}
|
|
server {
|
|
listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
|
listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
|
|
|
|
server_name {{ matrix_nginx_proxy_proxy_ntfy_hostname }};
|
|
|
|
server_tokens off;
|
|
root /dev/null;
|
|
|
|
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_ntfy_hostname }}/fullchain.pem;
|
|
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_ntfy_hostname }}/privkey.pem;
|
|
|
|
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
|
|
{% if matrix_nginx_proxy_ssl_ciphers != '' %}
|
|
ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
|
|
{% endif %}
|
|
ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
|
|
|
|
{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
|
|
ssl_stapling on;
|
|
ssl_stapling_verify on;
|
|
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_ntfy_hostname }}/chain.pem;
|
|
{% endif %}
|
|
|
|
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
|
|
ssl_session_tickets off;
|
|
{% endif %}
|
|
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
|
|
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
|
|
|
|
{{ render_vhost_directives() }}
|
|
}
|
|
{% endif %}
|