diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml
index 3f3d7f06..f86cf2f1 100644
--- a/roles/matrix-base/defaults/main.yml
+++ b/roles/matrix-base/defaults/main.yml
@@ -28,6 +28,14 @@ matrix_identity_server_url: ~
 # The Docker network that all services would be put into
 matrix_docker_network: "matrix"
 
+# Controls whether a `/.well-known/matrix/server` file is generated and used at all.
+#
+# If you wish to rely on DNS SRV records only, you can disable this.
+# That implies that you'll be handling Matrix Federation API traffic (tcp/8448)
+# using certificates for the base domain (`hostname_identity`) and not for the
+# matrix domain (`hostname_matrix`).
+matrix_well_known_matrix_server_enabled: true
+
 # Variables to Control which parts of our roles run.
 run_setup: true
 run_import_postgres: true
diff --git a/roles/matrix-base/tasks/setup_well_known.yml b/roles/matrix-base/tasks/setup_well_known.yml
index 70b91f77..06e62617 100644
--- a/roles/matrix-base/tasks/setup_well_known.yml
+++ b/roles/matrix-base/tasks/setup_well_known.yml
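Review bot: The comment on `matrix_well_known_matrix_server_enabled` should say explicitly that only the `server` file is affected, because the companion task file in this commit keeps generating `/.well-known/matrix/client` unconditionally and a reader of this default may assume both are switched off together. It should also warn that, as the nginx-proxy self-check in this commit skips Server Discovery when this is false, the playbook then performs no check at all on federation discovery. Suggested additional comment lines: `# Only the server file is affected; /.well-known/matrix/client is always generated.` and `# With this disabled the playbook's well-known self-check no longer covers Server Discovery, so verify your SRV record and the tcp/8448 certificate yourself.`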
@@ -12,13 +12,25 @@
   with_items:
     - "{{ matrix_static_files_base_path }}/.well-known/matrix"
 
-- name: Ensure Matrix /.well-known/matrix files configured
+- name: Ensure Matrix /.well-known/matrix/client file configured
   template:
-    src: "{{ role_path }}/templates/static-files/well-known/matrix-{{ item }}.j2"
-    dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/{{ item }}"
+    src: "{{ role_path }}/templates/static-files/well-known/matrix-client.j2"
+    dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/client"
     mode: 0644
     owner: "{{ matrix_user_username }}"
     group: "{{ matrix_user_username }}"
-  with_items:
-    - "client"
-    - "server"
+
+- name: Ensure Matrix /.well-known/matrix/server file configured
+  template:
+    src: "{{ role_path }}/templates/static-files/well-known/matrix-server.j2"
+    dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/server"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  when: matrix_well_known_matrix_server_enabled
+
+- name: Ensure Matrix /.well-known/matrix/server file deleted
+  file:
+    path: "{{ matrix_static_files_base_path }}/.well-known/matrix/server"
+    state: absent
+  when: "not matrix_well_known_matrix_server_enabled"
diff --git a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml
index 93ac88da..d12e3fd3 100644
--- a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml
+++ b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml
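Review bot: The two new `when:` conditions on the server-file tasks test the variable's raw truthiness, so a value supplied as a string (for example `-e matrix_well_known_matrix_server_enabled=false` on the command line) may not be treated as the boolean the default suggests, which could leave a stale `/.well-known/matrix/server` delegation in place; `when: matrix_well_known_matrix_server_enabled|bool` and `when: not matrix_well_known_matrix_server_enabled|bool` are the safer form. The two conditions are also written inconsistently, one bare and one as a quoted string, and the new `mode: 0644` would be less fragile as `mode: "0644"`. The directory task whose `with_items:` opens the hunk starts outside it.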
@@ -1,13 +1,26 @@
 ---
 
+- name: Determine well-known files to check (Matrix)
+  set_fact:
+    well_known_file_checks:
+      - path: /.well-known/matrix/client
+        purpose: Client Discovery
+        cors: true
+
+- block:
+  - set_fact:
+      well_known_file_check_matrix_server:
+        path: /.well-known/matrix/server
+        purpose: Server Discovery
+        cors: false
+
+  - name: Determine domains that we require certificates for (mxisd)
+    set_fact:
+      well_known_file_checks: "{{ well_known_file_checks + [well_known_file_check_matrix_server] }}"
+  when: "matrix_well_known_matrix_server_enabled"
+
 - name: Perform well-known checks
   include_tasks: "{{ role_path }}/tasks/self_check_well_known_file.yml"
-  with_items:
-    - path: /.well-known/matrix/server
-      purpose: Server Discovery
-      cors: false
-    - path: /.well-known/matrix/client
-      purpose: Client Discovery
-      cors: true
+  with_items: "{{ well_known_file_checks }}"
   loop_control:
     loop_var: well_known_file_check
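Review bot: The new task name `Determine domains that we require certificates for (mxisd)` looks copied from another role and does not describe what this `set_fact` does, which is to append the Server Discovery check; rename it, e.g. `- name: Add /.well-known/matrix/server to the well-known checks`, and give the anonymous `- set_fact:` above it in the same block a name as well. Once `matrix_well_known_matrix_server_enabled` is false nothing left in this file exercises federation discovery, and nothing in this commit adds an SRV or tcp/8448 check in its place, so a comment above the block such as `# When the server well-known file is disabled, federation discovery (SRV / tcp 8448) is not self-checked by this role.` would spare operators a silent gap. The quoted `when: "matrix_well_known_matrix_server_enabled"` also differs in form from the bare condition used for the same variable in setup_well_known.yml; `when: matrix_well_known_matrix_server_enabled|bool` in both files would be consistent and tolerate string-valued overrides.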