Add support for not serving Dendrite federation APIs on the client port

Seems like Dendrite encourages serving both the Client and Federation
API at the same port.

Coming from Synapse and how things are done there, we have separate
ports. Using separate ports probably makes matrix-corporal (etc.)
integration easier, so separating the APIs by default probably makes
sense.

roles/matrix-nginx-proxy/defaults/main.yml

@@ -128,6 +128,9 @@ matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks: []
 matrix_nginx_proxy_proxy_dendrite_enabled: false
 matrix_nginx_proxy_proxy_dendrite_hostname: "matrix-nginx-proxy"
 matrix_nginx_proxy_proxy_dendrite_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}"
+# Controls whether the Client API server (usually at matrix.DOMAIN:443) should explicitly reject `/_matrix/federation` endpoints.
+# Normally, Dendrite Monolith serves both APIs (Client & Federation) at the same port, so we can serve federation at `matrix.DOMAIN:443` too.
+matrix_nginx_proxy_proxy_dendrite_block_federation_api_on_client_port: true
 # The addresses where the Matrix Client API is, when using Dendrite.
 matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container: ""
 matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container: ""

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dendrite.conf.j2

@@ -14,6 +14,16 @@ server {
 		{{- configuration_block }}
 	{% endfor %}
 
+	{% if matrix_nginx_proxy_proxy_dendrite_block_federation_api_on_client_port %}
+	location /_matrix/federation {
+		{% if matrix_nginx_proxy_proxy_dendrite_federation_api_enabled %}
+			return 404 'The Federation API is served at https://{{ matrix_server_fqn_matrix }}:{{ matrix_federation_public_port }}';
+		{% else %}
+			return 404 'This Matrix server is running with federation disabled';
+		{% endif %}
+	}
+	{% endif %}
+
 	{# Everything else just goes to the API server ##}
 	location / {
 		{% if matrix_nginx_proxy_enabled %}