mirror of
https://github.com/spantaleev/matrix-docker-ansible-deploy.git
synced 2024-11-14 14:32:51 +01:00
74710427e5
If someone decides to not use `/.well-known/matrix/server` and only
relies on SRV records, then they would need to serve tcp/8448 using
a certificate for the base domain (not for the matrix) domain.
Until now, they could do that by giving the certificate to Synapse
and setting it terminate TLS. That makes swapping certificates
more annoying (Synapse requires a restart to re-read certificates),
so it's better if we can support it via matrix-nginx-proxy.
Mounting certificates (or any other file) into the matrix-nginx-proxy container
can be done with `matrix_nginx_proxy_container_additional_volumes`,
introduced in 96afbbb5a
.
114 lines
6.8 KiB
YAML
114 lines
6.8 KiB
YAML
matrix_nginx_proxy_enabled: true
|
|
|
|
# We use an official nginx image, which we fix-up to run unprivileged.
|
|
# An alternative would be an `nginxinc/nginx-unprivileged` image, but
|
|
# those as more frequently out of date.
|
|
matrix_nginx_proxy_docker_image: "nginx:1.15.8-alpine"
|
|
|
|
matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy"
|
|
matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d"
|
|
|
|
# List of systemd services that matrix-nginx-proxy.service depends on
|
|
matrix_nginx_proxy_systemd_required_services_list: ['docker.service']
|
|
|
|
# List of systemd services that matrix-nginx-proxy.service wants
|
|
matrix_nginx_proxy_systemd_wanted_services_list: []
|
|
|
|
# A list of additional "volumes" to mount in the container.
|
|
# This list gets populated dynamically at runtime. You can provide a different default value,
|
|
# if you wish to mount your own files into the container.
|
|
# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
|
|
matrix_nginx_proxy_container_additional_volumes: []
|
|
|
|
# Controls whether proxying the riot domain should be done.
|
|
matrix_nginx_proxy_proxy_riot_enabled: false
|
|
matrix_nginx_proxy_proxy_riot_hostname: "{{ hostname_riot }}"
|
|
|
|
# Controls whether proxying the matrix domain should be done.
|
|
matrix_nginx_proxy_proxy_matrix_enabled: false
|
|
matrix_nginx_proxy_proxy_matrix_hostname: "{{ hostname_matrix }}"
|
|
|
|
# Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain)
|
|
matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false
|
|
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
|
|
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081"
|
|
|
|
# Controls whether proxying for the User Directory Search API (`/_matrix/client/r0/user_directory/search`) should be done (on the matrix domain).
|
|
# This can be used to forward the API endpoint to another service, augmenting the functionality of Synapse's own User Directory Search.
|
|
# To learn more, see: https://github.com/kamax-matrix/mxisd/blob/master/docs/features/directory.md
|
|
matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false
|
|
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-mxisd:8090"
|
|
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:8090"
|
|
|
|
# Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain)
|
|
matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false
|
|
matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-mxisd:8090"
|
|
matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090"
|
|
|
|
# Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain)
|
|
matrix_nginx_proxy_proxy_synapse_metrics: false
|
|
matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled: false
|
|
matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: ""
|
|
|
|
# The addresses where the Matrix Client API is.
|
|
# Certain extensions (like matrix-corporal) may override this in order to capture all traffic.
|
|
matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-synapse:8008"
|
|
matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:8008"
|
|
# This needs to be equal or higher than the maximum upload size accepted by Synapse.
|
|
matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 25
|
|
|
|
# Controls whether proxying for the Matrix Federation API should be done.
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-synapse:8048"
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "localhost:8048"
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb * 3 }}"
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem"
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem"
|
|
|
|
# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
|
|
matrix_nginx_proxy_tmp_directory_size_mb: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb * 50 }}"
|
|
|
|
# A list of strings containing additional configuration blocks to add to the matrix domain's server configuration.
|
|
matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: []
|
|
|
|
# Specifies when to reload the matrix-nginx-proxy service so that
|
|
# a new SSL certificate could go into effect.
|
|
matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"
|
|
|
|
# Specifies which SSL protocols to use when serving Riot and Synapse
|
|
matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3"
|
|
|
|
# By default, this playbook automatically retrieves and auto-renews
|
|
# free SSL certificates from Let's Encrypt.
|
|
#
|
|
# The following retrieval methods are supported:
|
|
# - "lets-encrypt" - the playbook obtains free SSL certificates from Let's Encrypt
|
|
# - "self-signed" - the playbook generates and self-signs certificates
|
|
# - "manually-managed" - lets you manage certificates by yourself (manually; see below)
|
|
# - "none" - like "manually-managed", but doesn't care if you don't drop certificates in the location it expects
|
|
#
|
|
# If you decide to manage certificates by yourself (`matrix_ssl_retrieval_method: manually-managed`),
|
|
# you'd need to drop them into the directory specified by `matrix_ssl_config_dir_path`
|
|
# obeying the following hierarchy:
|
|
# - <matrix_ssl_config_dir_path>/live/<domain>/fullchain.pem
|
|
# - <matrix_ssl_config_dir_path>/live/<domain>/privkey.pem
|
|
# where <domain> refers to the domains that you need (usually `hostname_matrix` and `hostname_riot`).
|
|
#
|
|
# The "none" type (`matrix_ssl_retrieval_method: none`), simply means that no certificate retrieval will happen.
|
|
# It's useful for when you've disabled the nginx proxy (`matrix_nginx_proxy_enabled: false`)
|
|
# and you'll be using another reverse-proxy server (like Apache) with your own certificates, managed by yourself.
|
|
matrix_ssl_retrieval_method: "lets-encrypt"
|
|
|
|
# The list of domains that this role will obtain certificates for.
|
|
matrix_ssl_domains_to_obtain_certificates_for: []
|
|
|
|
# Controls whether to obtain production or staging certificates from Let's Encrypt.
|
|
matrix_ssl_lets_encrypt_staging: false
|
|
matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v0.30.0"
|
|
matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
|
|
matrix_ssl_lets_encrypt_support_email: "{{ host_specific_matrix_ssl_lets_encrypt_support_email }}"
|
|
|
|
matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"
|
|
matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"
|
|
matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"
|