From f9836046956bb7fb3741dcafb2e37a55047b67b5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 6 Feb 2023 10:34:51 +0200 Subject: [PATCH 01/19] Initial work on Traefik support This gets us started on adding a Traefik role and hooking Traefik: - directly to services which support Traefik - we only have a few of these right now, but the list will grow - to matrix-nginx-proxy for most services that integrate with matrix-nginx-proxy right now Traefik usage should be disabled by default for now and nothing should change for people just yet. Enabling these experiments requires additional configuration like this: ```yaml devture_traefik_ssl_email_address: '.....' matrix_playbook_traefik_role_enabled: true matrix_playbook_traefik_labels_enabled: true matrix_ssl_retrieval_method: none matrix_nginx_proxy_https_enabled: false matrix_nginx_proxy_container_http_host_bind_port: '' matrix_nginx_proxy_container_federation_host_bind_port: '' matrix_nginx_proxy_trust_forwarded_proto: true matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for' matrix_coturn_enabled: false ``` What currently works is: reverse-proxying for all nginx-proxy based services **except** for the Matrix homeserver (both Client-Server an Federation traffic for the homeserver don't work yet) --- group_vars/matrix_servers | 70 +++++++++ playbooks/matrix.yml | 3 + requirements.yml | 3 + .../matrix-nginx-proxy/defaults/main.yml | 74 +++++++++ .../tasks/setup_nginx_proxy.yml | 8 + .../matrix-nginx-proxy/templates/labels.j2 | 144 ++++++++++++++++++ .../systemd/matrix-nginx-proxy.service.j2 | 1 + 7 files changed, 303 insertions(+) create mode 100644 roles/custom/matrix-nginx-proxy/templates/labels.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 6d096dea..da624d9a 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -19,6 +19,28 @@ # Also see `devture_docker_sdk_for_python_installation_enabled`. matrix_playbook_docker_installation_enabled: true +# Controls whether to run the Traefik role or not +# See the `com.devture.ansible.role.traefik` section below for role configuration. +# +# There's a difference between `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`. +# `devture_traefik_enabled` controls what the Traefik role would do - when not enabled, it will run uninstall tasks, etc. +# `matrix_playbook_traefik_role_enabled` controls if the Traefik role would even run at all. +# +# Sometimes, you're installing Traefik via a different (related playbook) which uses the same role. +# In such cases, you'd like to disable the role in this playbook from bothering with Traefik at all (`matrix_playbook_traefik_role_enabled: false`). +# If you used `devture_traefik_enabled: false` + `matrix_playbook_traefik_role_enabled: true` instead, you'd see the Treafik role here +# try to delete Traefik data (`/devture-traefik`) installed by the other playbook. +matrix_playbook_traefik_role_enabled: false + +# Controls whether to attach Traefik labels to services. +# This is separate from `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`, +# because you may wish to disable Traefik installation by the playbook, yet still use Traefik +# installed in another way. +matrix_playbook_traefik_labels_enabled: false + +# Controls the additional network that reverse-proxyable services will be connected to. +matrix_playbook_reverse_proxyable_services_additional_network: "{{ devture_traefik_container_network if devture_traefik_enabled else '' }}" + ######################################################################## # # # /Playbook # @@ -320,6 +342,8 @@ devture_systemd_service_manager_services_list_auto: | ([{'name': 'matrix-synapse-admin.service', 'priority': 4000, 'groups': ['matrix', 'synapse-admin']}] if matrix_synapse_admin_enabled else []) + ([{'name': 'matrix-synapse-reverse-proxy-companion.service', 'priority': 1500, 'groups': ['matrix', 'homeservers', 'synapse', 'reverse-proxies']}] if matrix_synapse_reverse_proxy_companion_enabled else []) + + + ([{'name': 'devture-traefik.service', 'priority': 3000, 'groups': ['matrix', 'traefik', 'reverse-proxies']}] if matrix_playbook_traefik_role_enabled else []) }} ######################################################################## @@ -2157,6 +2181,8 @@ matrix_ma1sd_database_password: "{{ '%s' | format(matrix_homeserver_generic_secr # If that's not the case, you may wish to disable this and take care of proxying yourself. matrix_nginx_proxy_enabled: true +matrix_nginx_proxy_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" + matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-nginx-proxy:12080' }}" matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "{{ '127.0.0.1:41080' if matrix_corporal_enabled else '127.0.0.1:12080' }}" matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: |- @@ -2185,6 +2211,22 @@ matrix_nginx_proxy_proxy_grafana_enabled: "{{ matrix_grafana_enabled }}" matrix_nginx_proxy_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled }}" matrix_nginx_proxy_proxy_ntfy_enabled: "{{ matrix_ntfy_enabled }}" +matrix_nginx_proxy_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" +matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_config_entrypoint_primary }}" + +matrix_nginx_proxy_container_labels_traefik_proxy_element_enabled: "{{ matrix_client_element_enabled }}" +matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled }}" +matrix_nginx_proxy_container_labels_traefik_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled }}" +matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled }}" +matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" +matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}" +matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" +matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" +matrix_nginx_proxy_container_labels_traefik_proxy_grafana_enabled: "{{ matrix_grafana_enabled }}" +matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled }}" +matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_enabled: "{{ matrix_ntfy_enabled }}" + matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}" matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081" @@ -2968,7 +3010,11 @@ prometheus_node_exporter_server_fqn: "{{ matrix_server_fqn_matrix }}" prometheus_node_exporter_container_network: "{{ matrix_docker_network }}" +prometheus_node_exporter_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" + prometheus_node_exporter_container_labels_traefik_enabled: false +prometheus_node_exporter_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +prometheus_node_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_config_entrypoint_primary }}" ###################################################################### # @@ -2995,7 +3041,11 @@ prometheus_postgres_exporter_server_fqn: "{{ matrix_server_fqn_matrix }}" prometheus_postgres_exporter_container_network: "{{ matrix_docker_network }}" +prometheus_postgres_exporter_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" + prometheus_postgres_exporter_container_labels_traefik_enabled: false +prometheus_postgres_exporter_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +prometheus_postgres_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_config_entrypoint_primary }}" prometheus_postgres_exporter_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" prometheus_postgres_exporter_database_username: matrix_prometheus_postgres_exporter @@ -3284,3 +3334,23 @@ matrix_user_creator_users_auto: | # /matrix-user-creator # ###################################################################### + + +######################################################################## +# # +# com.devture.ansible.role.traefik # +# # +######################################################################## + +# To completely disable the Traefik role from running, use `matrix_playbook_traefik_role_enabled: false`. +# See the comment there for more details about why we have both `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`. +devture_traefik_enabled: "{{ matrix_playbook_traefik_role_enabled }}" + +devture_traefik_uid: "{{ matrix_user_uid }}" +devture_traefik_gid: "{{ matrix_user_gid }}" + +######################################################################## +# # +# /com.devture.ansible.role.traefik # +# # +######################################################################## diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index 7be0d629..392a3a0e 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml @@ -115,6 +115,9 @@ - custom/matrix-user-creator - custom/matrix-common-after + - when: matrix_playbook_traefik_role_enabled | bool + role: galaxy/com.devture.ansible.role.traefik + - when: devture_systemd_service_manager_enabled | bool role: galaxy/com.devture.ansible.role.systemd_service_manager diff --git a/requirements.yml b/requirements.yml index 4797423d..696b2700 100644 --- a/requirements.yml +++ b/requirements.yml @@ -35,3 +35,6 @@ - src: git+https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter.git version: v0.11.1-2 + +- src: git+https://github.com/devture/com.devture.ansible.role.traefik.git + version: 407af71a3667b1d8083beb10bf22423ecf013f58 diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index 2861084d..25911a49 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml @@ -40,6 +40,80 @@ matrix_nginx_proxy_container_additional_networks: [] # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} matrix_nginx_proxy_container_additional_volumes: [] +# matrix_nginx_proxy_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_nginx_proxy_container_labels_additional_labels`. +matrix_nginx_proxy_container_labels_traefik_enabled: false +matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_nginx_proxy_container_network }}" +matrix_nginx_proxy_container_labels_traefik_entrypoints: web-secure +matrix_nginx_proxy_container_labels_traefik_tls_certResolver: default # noqa var-naming + +matrix_nginx_proxy_container_labels_traefik_proxy_element_enabled: false +matrix_nginx_proxy_container_labels_traefik_proxy_element_hostname: "{{ matrix_server_fqn_element }}" +matrix_nginx_proxy_container_labels_traefik_proxy_element_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" +matrix_nginx_proxy_container_labels_traefik_proxy_element_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_element_hostname }}`)" + +matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_enabled: false +matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}" +matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" +matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_hostname }}`)" + +matrix_nginx_proxy_container_labels_traefik_proxy_cinny_enabled: false +matrix_nginx_proxy_container_labels_traefik_proxy_cinny_hostname: "{{ matrix_server_fqn_cinny }}" +matrix_nginx_proxy_container_labels_traefik_proxy_cinny_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" +matrix_nginx_proxy_container_labels_traefik_proxy_cinny_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_cinny_hostname }}`)" + +matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_enabled: false +matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_hostname: "{{ matrix_server_fqn_buscarron }}" +matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" +matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_hostname }}`)" + +matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled: false +matrix_nginx_proxy_container_labels_traefik_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}" +matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" +matrix_nginx_proxy_container_labels_traefik_proxy_dimension_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_hostname }}`)" + +matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: false +matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_hostname: "{{ matrix_server_fqn_etherpad }}" +matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" +matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_hostname }}`)" + +matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: false +matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }}" +matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" +matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_hostname }}`)" + +matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: false +matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}" +matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" +matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_hostname }}`)" + +matrix_nginx_proxy_container_labels_traefik_proxy_grafana_enabled: false +matrix_nginx_proxy_container_labels_traefik_proxy_grafana_hostname: "{{ matrix_server_fqn_grafana }}" +matrix_nginx_proxy_container_labels_traefik_proxy_grafana_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" +matrix_nginx_proxy_container_labels_traefik_proxy_grafana_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_grafana_hostname }}`)" + +matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_enabled: false +matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}" +matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" +matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_hostname }}`)" + +matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_enabled: false +matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_hostname: "{{ matrix_server_fqn_ntfy }}" +matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" +matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_hostname }}`)" + +# matrix_nginx_proxy_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_nginx_proxy_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_nginx_proxy_container_labels_additional_labels: '' + + # A list of extra arguments to pass to the container matrix_nginx_proxy_container_extra_arguments: [] diff --git a/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml b/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml index dd11721a..31ff68f2 100644 --- a/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml +++ b/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml @@ -22,6 +22,14 @@ - "{{ matrix_nginx_proxy_data_path }}" - "{{ matrix_nginx_proxy_confd_path }}" +- name: Ensure Matrix nginx-proxy labels file is created + ansible.builtin.template: + src: "{{ role_path }}/templates/labels.j2" + dest: "{{ matrix_nginx_proxy_base_path }}/labels" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + mode: 0640 + - name: Ensure Matrix nginx-proxy configured (main config override) ansible.builtin.template: src: "{{ role_path }}/templates/nginx/nginx.conf.j2" diff --git a/roles/custom/matrix-nginx-proxy/templates/labels.j2 b/roles/custom/matrix-nginx-proxy/templates/labels.j2 new file mode 100644 index 00000000..06cc8d1a --- /dev/null +++ b/roles/custom/matrix-nginx-proxy/templates/labels.j2 @@ -0,0 +1,144 @@ +{% if matrix_nginx_proxy_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_nginx_proxy_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_nginx_proxy_container_labels_traefik_docker_network }} +{% endif %} + + +{% if matrix_nginx_proxy_container_labels_traefik_proxy_element_enabled %} +# Element +traefik.http.routers.matrix-nginx-proxy-element.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_element_rule }} +traefik.http.routers.matrix-nginx-proxy-element.service=matrix-nginx-proxy-web +traefik.http.routers.matrix-nginx-proxy-element.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_element_tls | to_json }} +{% if matrix_nginx_proxy_container_labels_traefik_proxy_element_tls %} +traefik.http.routers.matrix-nginx-proxy-element.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} +{% endif %} +traefik.http.routers.matrix-nginx-proxy-element.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} +{% endif %} + + +{% if matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_enabled %} +# Hydrogen +traefik.http.routers.matrix-nginx-proxy-hydrogen.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_rule }} +traefik.http.routers.matrix-nginx-proxy-hydrogen.service=matrix-nginx-proxy-web +traefik.http.routers.matrix-nginx-proxy-hydrogen.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_tls | to_json }} +{% if matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_tls %} +traefik.http.routers.matrix-nginx-proxy-hydrogen.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} +{% endif %} +traefik.http.routers.matrix-nginx-proxy-hydrogen.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} +{% endif %} + + +{% if matrix_nginx_proxy_container_labels_traefik_proxy_cinny_enabled %} +# Cinny +traefik.http.routers.matrix-nginx-proxy-cinny.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_cinny_rule }} +traefik.http.routers.matrix-nginx-proxy-cinny.service=matrix-nginx-proxy-web +traefik.http.routers.matrix-nginx-proxy-cinny.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_cinny_tls | to_json }} +{% if matrix_nginx_proxy_container_labels_traefik_proxy_cinny_tls %} +traefik.http.routers.matrix-nginx-proxy-cinny.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} +{% endif %} +traefik.http.routers.matrix-nginx-proxy-cinny.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} +{% endif %} + + +{% if matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_enabled %} +# Buscarron +traefik.http.routers.matrix-nginx-proxy-buscarron.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_rule }} +traefik.http.routers.matrix-nginx-proxy-buscarron.service=matrix-nginx-proxy-web +traefik.http.routers.matrix-nginx-proxy-buscarron.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_tls | to_json }} +{% if matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_tls %} +traefik.http.routers.matrix-nginx-proxy-buscarron.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} +{% endif %} +traefik.http.routers.matrix-nginx-proxy-buscarron.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} +{% endif %} + + +{% if matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled %} +# Dimension +traefik.http.routers.matrix-nginx-proxy-dimension.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_rule }} +traefik.http.routers.matrix-nginx-proxy-dimension.service=matrix-nginx-proxy-web +traefik.http.routers.matrix-nginx-proxy-dimension.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls | to_json }} +{% if matrix_nginx_proxy_container_labels_traefik_proxy_dimension_tls %} +traefik.http.routers.matrix-nginx-proxy-dimension.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} +{% endif %} +traefik.http.routers.matrix-nginx-proxy-dimension.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} +{% endif %} + + +{% if matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled %} +# Etherpad +traefik.http.routers.matrix-nginx-proxy-etherpad.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_rule }} +traefik.http.routers.matrix-nginx-proxy-etherpad.service=matrix-nginx-proxy-web +traefik.http.routers.matrix-nginx-proxy-etherpad.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls | to_json }} +{% if matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_tls %} +traefik.http.routers.matrix-nginx-proxy-etherpad.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} +{% endif %} +traefik.http.routers.matrix-nginx-proxy-etherpad.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} +{% endif %} + + +{% if matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled %} +# Go NEB bot +traefik.http.routers.matrix-nginx-proxy-bot_go_neb.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_rule }} +traefik.http.routers.matrix-nginx-proxy-bot_go_neb.service=matrix-nginx-proxy-web +traefik.http.routers.matrix-nginx-proxy-bot_go_neb.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_tls | to_json }} +{% if matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_tls %} +traefik.http.routers.matrix-nginx-proxy-bot_go_neb.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} +{% endif %} +traefik.http.routers.matrix-nginx-proxy-bot_go_neb.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} +{% endif %} + + +{% if matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled %} +# Jitsi +traefik.http.routers.matrix-nginx-proxy-jitsi.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_rule }} +traefik.http.routers.matrix-nginx-proxy-jitsi.service=matrix-nginx-proxy-web +traefik.http.routers.matrix-nginx-proxy-jitsi.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_tls | to_json }} +{% if matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_tls %} +traefik.http.routers.matrix-nginx-proxy-jitsi.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} +{% endif %} +traefik.http.routers.matrix-nginx-proxy-jitsi.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} +{% endif %} + + +{% if matrix_nginx_proxy_container_labels_traefik_proxy_grafana_enabled %} +# Grafana +traefik.http.routers.matrix-nginx-proxy-grafana.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_grafana_rule }} +traefik.http.routers.matrix-nginx-proxy-grafana.service=matrix-nginx-proxy-web +traefik.http.routers.matrix-nginx-proxy-grafana.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_grafana_tls | to_json }} +{% if matrix_nginx_proxy_container_labels_traefik_proxy_grafana_tls %} +traefik.http.routers.matrix-nginx-proxy-grafana.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} +{% endif %} +traefik.http.routers.matrix-nginx-proxy-grafana.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} +{% endif %} + + +{% if matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_enabled %} +# Sygnal +traefik.http.routers.matrix-nginx-proxy-sygnal.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_rule }} +traefik.http.routers.matrix-nginx-proxy-sygnal.service=matrix-nginx-proxy-web +traefik.http.routers.matrix-nginx-proxy-sygnal.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_tls | to_json }} +{% if matrix_nginx_proxy_container_labels_traefik_proxy_sygnal_tls %} +traefik.http.routers.matrix-nginx-proxy-sygnal.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} +{% endif %} +traefik.http.routers.matrix-nginx-proxy-sygnal.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} +{% endif %} + + +{% if matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_enabled %} +# ntfy +traefik.http.routers.matrix-nginx-proxy-ntfy.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_rule }} +traefik.http.routers.matrix-nginx-proxy-ntfy.service=matrix-nginx-proxy-web +traefik.http.routers.matrix-nginx-proxy-ntfy.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_tls | to_json }} +{% if matrix_nginx_proxy_container_labels_traefik_proxy_ntfy_tls %} +traefik.http.routers.matrix-nginx-proxy-ntfy.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} +{% endif %} +traefik.http.routers.matrix-nginx-proxy-ntfy.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} +{% endif %} + + +traefik.http.services.matrix-nginx-proxy-web.loadbalancer.server.port=8080 +{% endif %} + +{{ matrix_nginx_proxy_container_labels_additional_labels }} diff --git a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 index 301eb9d5..f302c92e 100755 --- a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 @@ -24,6 +24,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --cap-drop=ALL \ --read-only \ --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_nginx_proxy_tmp_directory_size_mb }}m \ + --label-file={{ matrix_nginx_proxy_base_path }}/labels \ --network={{ matrix_nginx_proxy_container_network }} \ {% if matrix_nginx_proxy_container_http_host_bind_port %} -p {{ matrix_nginx_proxy_container_http_host_bind_port }}:8080 \ From 8155f780e5291496eaf4f4ab989e676cf33e8a91 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 6 Feb 2023 13:08:11 +0200 Subject: [PATCH 02/19] Add support for reverse-proxying Matric (Client & Federation) via Traefik --- group_vars/matrix_servers | 7 +++++ requirements.yml | 2 +- roles/custom/matrix-base/defaults/main.yml | 3 +++ .../matrix-nginx-proxy/defaults/main.yml | 7 +++++ .../matrix-nginx-proxy/templates/labels.j2 | 26 +++++++++++++++++++ 5 files changed, 44 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index da624d9a..8ce94f52 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2215,6 +2215,7 @@ matrix_nginx_proxy_container_labels_traefik_enabled: "{{ matrix_playbook_traefik matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_config_entrypoint_primary }}" +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: true matrix_nginx_proxy_container_labels_traefik_proxy_element_enabled: "{{ matrix_client_element_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled }}" matrix_nginx_proxy_container_labels_traefik_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled }}" @@ -3349,6 +3350,12 @@ devture_traefik_enabled: "{{ matrix_playbook_traefik_role_enabled }}" devture_traefik_uid: "{{ matrix_user_uid }}" devture_traefik_gid: "{{ matrix_user_gid }}" +devture_traefik_additional_entrypoints_auto: + - name: matrix-federation + port: "{{ matrix_federation_public_port }}" + host_bind_port: "{{ matrix_federation_public_port }}" + config: {} + ######################################################################## # # # /com.devture.ansible.role.traefik # diff --git a/requirements.yml b/requirements.yml index 696b2700..e0ff1e81 100644 --- a/requirements.yml +++ b/requirements.yml @@ -37,4 +37,4 @@ version: v0.11.1-2 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: 407af71a3667b1d8083beb10bf22423ecf013f58 + version: b8609fd07c26c89a72fe2934d183af5fd964bc1c diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index 63aee58a..025e7363 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml @@ -92,6 +92,9 @@ matrix_server_fqn_ntfy: "ntfy.{{ matrix_domain }}" matrix_federation_public_port: 8448 +# The name of the Traefik entrypoint for handling Matrix Federation +matrix_federation_traefik_entrypoint: matrix-federation + # The architecture that your server runs. # Recognized values by us are 'amd64', 'arm32' and 'arm64'. # Not all architectures support all services, so your experience (on non-amd64) may vary. diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index 25911a49..e83e9b5b 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml @@ -49,6 +49,13 @@ matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_nginx_pro matrix_nginx_proxy_container_labels_traefik_entrypoints: web-secure matrix_nginx_proxy_container_labels_traefik_tls_certResolver: default # noqa var-naming +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: false +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}" +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_hostname }}`)" +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint: "{{ matrix_federation_traefik_entrypoint }}" +matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints: "{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint }}" + matrix_nginx_proxy_container_labels_traefik_proxy_element_enabled: false matrix_nginx_proxy_container_labels_traefik_proxy_element_hostname: "{{ matrix_server_fqn_element }}" matrix_nginx_proxy_container_labels_traefik_proxy_element_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" diff --git a/roles/custom/matrix-nginx-proxy/templates/labels.j2 b/roles/custom/matrix-nginx-proxy/templates/labels.j2 index 06cc8d1a..407654a7 100644 --- a/roles/custom/matrix-nginx-proxy/templates/labels.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/labels.j2 @@ -6,6 +6,27 @@ traefik.docker.network={{ matrix_nginx_proxy_container_labels_traefik_docker_net {% endif %} +{% if matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled %} +# Matrix Client +traefik.http.routers.matrix-nginx-proxy-matrix-client.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule }} +traefik.http.routers.matrix-nginx-proxy-matrix-client.service=matrix-nginx-proxy-web +traefik.http.routers.matrix-nginx-proxy-matrix-client.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls | to_json }} +{% if matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls %} +traefik.http.routers.matrix-nginx-proxy-matrix-client.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} +{% endif %} +traefik.http.routers.matrix-nginx-proxy-matrix-client.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} + +# Matrix Federation +traefik.http.routers.matrix-nginx-proxy-matrix-federation.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule }} +traefik.http.routers.matrix-nginx-proxy-matrix-federation.service=matrix-nginx-proxy-federation +traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls | to_json }} +{% if matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls %} +traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} +{% endif %} +traefik.http.routers.matrix-nginx-proxy-matrix-federation.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints }} +{% endif %} + + {% if matrix_nginx_proxy_container_labels_traefik_proxy_element_enabled %} # Element traefik.http.routers.matrix-nginx-proxy-element.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_element_rule }} @@ -139,6 +160,11 @@ traefik.http.routers.matrix-nginx-proxy-ntfy.entrypoints={{ matrix_nginx_proxy_c traefik.http.services.matrix-nginx-proxy-web.loadbalancer.server.port=8080 + +{% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %} +traefik.http.services.matrix-nginx-proxy-federation.loadbalancer.server.port={{ matrix_nginx_proxy_proxy_matrix_federation_port }} +{% endif %} + {% endif %} {{ matrix_nginx_proxy_container_labels_additional_labels }} From 2b9061a5d361b99f344e9198df5141367c909113 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 7 Feb 2023 11:02:02 +0200 Subject: [PATCH 03/19] Add support for reverse-proxying the base domain via Traefik --- roles/custom/matrix-nginx-proxy/defaults/main.yml | 5 +++++ roles/custom/matrix-nginx-proxy/templates/labels.j2 | 12 ++++++++++++ 2 files changed, 17 insertions(+) diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index e83e9b5b..b60b6194 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml @@ -49,6 +49,11 @@ matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_nginx_pro matrix_nginx_proxy_container_labels_traefik_entrypoints: web-secure matrix_nginx_proxy_container_labels_traefik_tls_certResolver: default # noqa var-naming +matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_enabled: "{{ matrix_nginx_proxy_base_domain_serving_enabled }}" +matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_hostname: "{{ matrix_nginx_proxy_base_domain_hostname }}" +matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" +matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_hostname }}`)" + matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: false matrix_nginx_proxy_container_labels_traefik_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}" diff --git a/roles/custom/matrix-nginx-proxy/templates/labels.j2 b/roles/custom/matrix-nginx-proxy/templates/labels.j2 index 407654a7..b6994617 100644 --- a/roles/custom/matrix-nginx-proxy/templates/labels.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/labels.j2 @@ -6,6 +6,18 @@ traefik.docker.network={{ matrix_nginx_proxy_container_labels_traefik_docker_net {% endif %} +{% if matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_enabled %} +# Base domain +traefik.http.routers.matrix-nginx-proxy-base-domain.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_rule }} +traefik.http.routers.matrix-nginx-proxy-base-domain.service=matrix-nginx-proxy-web +traefik.http.routers.matrix-nginx-proxy-base-domain.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_tls | to_json }} +{% if matrix_nginx_proxy_container_labels_traefik_proxy_base_domain_tls %} +traefik.http.routers.matrix-nginx-proxy-base-domain.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }} +{% endif %} +traefik.http.routers.matrix-nginx-proxy-base-domain.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }} +{% endif %} + + {% if matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled %} # Matrix Client traefik.http.routers.matrix-nginx-proxy-matrix-client.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule }} From c07630ed51f05117659635f45405d946d97d00d6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Feb 2023 16:05:38 +0200 Subject: [PATCH 04/19] Add com.devture.ansible.role.traefik_certs_dumper role With this, other roles (like Coturn, Postmoogle) will be able to use SSL certificates extracted from Traefik via https://github.com/ldez/traefik-certs-dumper --- group_vars/matrix_servers | 30 ++++++++++++++++++++++++++++++ playbooks/matrix.yml | 3 +++ requirements.yml | 5 ++++- 3 files changed, 37 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 8ce94f52..08e3bf4e 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -38,6 +38,8 @@ matrix_playbook_traefik_role_enabled: false # installed in another way. matrix_playbook_traefik_labels_enabled: false +matrix_playbook_traefik_certs_dumper_role_enabled: "{{ matrix_playbook_traefik_role_enabled }}" + # Controls the additional network that reverse-proxyable services will be connected to. matrix_playbook_reverse_proxyable_services_additional_network: "{{ devture_traefik_container_network if devture_traefik_enabled else '' }}" @@ -344,6 +346,8 @@ devture_systemd_service_manager_services_list_auto: | ([{'name': 'matrix-synapse-reverse-proxy-companion.service', 'priority': 1500, 'groups': ['matrix', 'homeservers', 'synapse', 'reverse-proxies']}] if matrix_synapse_reverse_proxy_companion_enabled else []) + ([{'name': 'devture-traefik.service', 'priority': 3000, 'groups': ['matrix', 'traefik', 'reverse-proxies']}] if matrix_playbook_traefik_role_enabled else []) + + + ([{'name': (devture_traefik_certs_dumper_identifier + '.service'), 'priority': 3500, 'groups': ['matrix', 'traefik-certs-dumper']}] if matrix_playbook_traefik_certs_dumper_role_enabled else []) }} ######################################################################## @@ -3361,3 +3365,29 @@ devture_traefik_additional_entrypoints_auto: # /com.devture.ansible.role.traefik # # # ######################################################################## + + +######################################################################## +# # +# com.devture.ansible.role.traefik_certs_dumper # +# # +######################################################################## + +# To completely disable the Traefik certs dumper role from running, use `matrix_playbook_traefik_certs_dumper_role_enabled: false`. +# See the comment there for more details about why we have both `devture_traefik_certs_dumper_enabled` and `matrix_playbook_traefik_certs_dumper_role_enabled`. +devture_traefik_certs_dumper_enabled: "{{ matrix_playbook_traefik_certs_dumper_role_enabled and devture_traefik_enabled }}" + +devture_traefik_certs_dumper_identifier: matrix-traefik-certs-dumper + +devture_traefik_certs_dumper_base_path: "{{ matrix_base_data_path }}/traefik-certs-dumper" + +devture_traefik_certs_dumper_uid: "{{ matrix_user_uid }}" +devture_traefik_certs_dumper_gid: "{{ matrix_user_gid }}" + +devture_traefik_certs_dumper_ssl_dir_path: "{{ devture_traefik_ssl_dir_path }}" + +######################################################################## +# # +# /com.devture.ansible.role.traefik_certs_dumper # +# # +######################################################################## diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index 392a3a0e..3199f8cf 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml @@ -118,6 +118,9 @@ - when: matrix_playbook_traefik_role_enabled | bool role: galaxy/com.devture.ansible.role.traefik + - when: matrix_playbook_traefik_certs_dumper_role_enabled | bool + role: galaxy/com.devture.ansible.role.traefik_certs_dumper + - when: devture_systemd_service_manager_enabled | bool role: galaxy/com.devture.ansible.role.systemd_service_manager diff --git a/requirements.yml b/requirements.yml index e0ff1e81..b0dd8d1a 100644 --- a/requirements.yml +++ b/requirements.yml @@ -37,4 +37,7 @@ version: v0.11.1-2 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: b8609fd07c26c89a72fe2934d183af5fd964bc1c + version: c90a0adcdc1de3d00d256e794b095ffbf466bb05 + +- src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git + version: e7563caa814e634d2f8deec4a41e970caa1c0ae4 From d44d4b637f1d01b1957c451e1bf90339e9f7f3bb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Feb 2023 16:06:46 +0200 Subject: [PATCH 05/19] Allow Coturn to work with SSL certificates extracted from Traefik --- group_vars/matrix_servers | 90 ++++++++++++++----- .../systemd/matrix-coturn.service.j2 | 2 +- 2 files changed, 70 insertions(+), 22 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 08e3bf4e..1d75d2c0 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -43,6 +43,10 @@ matrix_playbook_traefik_certs_dumper_role_enabled: "{{ matrix_playbook_traefik_r # Controls the additional network that reverse-proxyable services will be connected to. matrix_playbook_reverse_proxyable_services_additional_network: "{{ devture_traefik_container_network if devture_traefik_enabled else '' }}" +matrix_playbook_reverse_proxy_type: "{{ 'traefik' if matrix_playbook_traefik_role_enabled else ('nginx-proxy' if matrix_nginx_proxy_enabled else 'none') }}" + +matrix_playbook_ssl_retrieval_method: "{{ 'lets-encrypt' if matrix_playbook_traefik_certs_dumper_role_enabled else matrix_ssl_retrieval_method }}" + ######################################################################## # # # /Playbook # @@ -1908,18 +1912,62 @@ matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" matrix_coturn_turn_static_auth_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'coturn.sas', rounds=655555) | to_uuid }}" -matrix_coturn_tls_enabled: "{{ matrix_ssl_retrieval_method != 'none' }}" -matrix_coturn_tls_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_server_fqn_matrix }}/fullchain.pem" -matrix_coturn_tls_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_server_fqn_matrix }}/privkey.pem" +matrix_coturn_tls_enabled: "{{ matrix_playbook_ssl_retrieval_method != 'none' }}" + +matrix_coturn_tls_cert_path: |- + {{ + { + 'nginx-proxy': '/fullchain.pem', + 'traefik': '/certificate.crt', + }[matrix_playbook_reverse_proxy_type] + }} + +matrix_coturn_tls_key_path: |- + {{ + { + 'nginx-proxy': '/privkey.pem', + 'traefik': '/privatekey.key', + }[matrix_playbook_reverse_proxy_type] + }} + matrix_coturn_container_additional_volumes: | {{ - ([] if matrix_ssl_retrieval_method == 'none' else [ - { - 'src': matrix_ssl_config_dir_path, - 'dst': matrix_ssl_config_dir_path, - 'options': 'ro', - } - ]) + ( + [ + { + 'src': (matrix_ssl_config_dir_path + '/live/' + matrix_server_fqn_matrix + '/fullchain.pem'), + 'dst': '/fullchain.pem', + 'options': 'ro', + }, + { + 'src': (matrix_ssl_config_dir_path + '/live/' + matrix_server_fqn_matrix + '/privkey.pem'), + 'dst': '/privkey.pem', + 'options': 'ro', + }, + ] if matrix_playbook_reverse_proxy_type == 'nginx-proxy' else [] + ) + + + ( + [ + { + 'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/' + matrix_server_fqn_matrix + '/certificate.crt'), + 'dst': '/certificate.crt', + 'options': 'ro', + }, + { + 'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/' + matrix_server_fqn_matrix + '/privatekey.key'), + 'dst': '/privatekey.key', + 'options': 'ro', + }, + ] if matrix_playbook_reverse_proxy_type == 'traefik' and matrix_playbook_traefik_certs_dumper_role_enabled else [] + ) + }} + +matrix_coturn_systemd_required_services_list: | + {{ + ['docker.service'] + + + ([devture_traefik_certs_dumper_identifier + '-wait-for-domain@' + matrix_server_fqn_matrix + '.service'] if matrix_playbook_reverse_proxy_type == 'traefik' and matrix_playbook_traefik_certs_dumper_role_enabled else []) }} ###################################################################### @@ -2146,7 +2194,7 @@ matrix_ma1sd_threepid_medium_email_connectors_smtp_host: "matrix-mailer" matrix_ma1sd_threepid_medium_email_connectors_smtp_port: 8025 matrix_ma1sd_threepid_medium_email_connectors_smtp_tls: 0 -matrix_ma1sd_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +matrix_ma1sd_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" matrix_ma1sd_systemd_required_services_list: | {{ @@ -2281,12 +2329,12 @@ matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}" -matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" # OCSP stapling does not make sense when self-signed certificates are used. # See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1073 # and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1074 -matrix_nginx_proxy_ocsp_stapling_enabled: "{{ matrix_ssl_retrieval_method != 'self-signed' }}" +matrix_nginx_proxy_ocsp_stapling_enabled: "{{ matrix_playbook_ssl_retrieval_method != 'self-signed' }}" matrix_nginx_proxy_systemd_wanted_services_list: | {{ @@ -2768,7 +2816,7 @@ matrix_client_element_integrations_rest_url: "{{ matrix_dimension_integrations_r matrix_client_element_integrations_widgets_urls: "{{ matrix_dimension_integrations_widgets_urls if matrix_dimension_enabled else ['https://scalar.vector.im/api'] }}" matrix_client_element_integrations_jitsi_widget_url: "{{ matrix_dimension_integrations_jitsi_widget_url if matrix_dimension_enabled else 'https://scalar.vector.im/api/widgets/jitsi.html' }}" -matrix_client_element_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +matrix_client_element_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" matrix_client_element_registration_enabled: "{{ matrix_synapse_enable_registration }}" @@ -2806,7 +2854,7 @@ matrix_client_hydrogen_container_http_host_bind_port: "{{ '' if matrix_nginx_pro matrix_client_hydrogen_default_hs_url: "{{ matrix_homeserver_url }}" -matrix_client_hydrogen_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +matrix_client_hydrogen_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" ###################################################################### # @@ -2831,7 +2879,7 @@ matrix_client_cinny_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_ matrix_client_cinny_default_hs_url: "{{ matrix_homeserver_url }}" -matrix_client_cinny_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +matrix_client_cinny_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" ###################################################################### # @@ -2899,7 +2947,7 @@ matrix_synapse_turn_uris: | [ 'turns:' + matrix_server_fqn_matrix + '?transport=udp', 'turns:' + matrix_server_fqn_matrix + '?transport=tcp', - ] if matrix_coturn_enabled and matrix_coturn_tls_enabled and matrix_ssl_retrieval_method != 'lets-encrypt' else [] + ] if matrix_coturn_enabled and matrix_coturn_tls_enabled and matrix_playbook_ssl_retrieval_method != 'lets-encrypt' else [] + [ 'turn:' + matrix_server_fqn_matrix + '?transport=udp', @@ -2909,7 +2957,7 @@ matrix_synapse_turn_uris: | matrix_synapse_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}" -matrix_synapse_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +matrix_synapse_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" matrix_synapse_systemd_required_services_list: | {{ @@ -3186,7 +3234,7 @@ matrix_registration_shared_secret: |- matrix_registration_server_location: "{{ matrix_homeserver_container_url }}" -matrix_registration_api_validate_certs: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +matrix_registration_api_validate_certs: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" matrix_registration_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" @@ -3251,9 +3299,9 @@ matrix_dendrite_client_api_turn_uris: | matrix_dendrite_client_api_turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}" -matrix_dendrite_disable_tls_validation: "{{ true if matrix_ssl_retrieval_method == 'self-signed' else false }}" +matrix_dendrite_disable_tls_validation: "{{ true if matrix_playbook_ssl_retrieval_method == 'self-signed' else false }}" -matrix_dendrite_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" +matrix_dendrite_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}" matrix_dendrite_trusted_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_ma1sd_enabled else ['matrix.org', 'vector.im'] }}" diff --git a/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2 index 8c0272cf..523ad1cc 100644 --- a/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2 +++ b/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2 @@ -35,7 +35,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {% endif %} --mount type=bind,src={{ matrix_coturn_config_path }},dst=/turnserver.conf,ro \ {% for volume in matrix_coturn_container_additional_volumes %} - -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \ + --mount type=bind,src={{ volume.src }},dst={{ volume.dst }}{{ (',' + volume.options) if volume.options else '' }} \ {% endfor %} {% for arg in matrix_coturn_container_extra_arguments %} {{ arg }} \ From ddf6b2d4eead44547bdc804d10b1940fbd3a6890 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Feb 2023 16:12:19 +0200 Subject: [PATCH 06/19] Handle matrix_playbook_reverse_proxy_type being "none" when deciding on Coturn certificate parameters --- group_vars/matrix_servers | 2 ++ 1 file changed, 2 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 1d75d2c0..92d729d7 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1919,6 +1919,7 @@ matrix_coturn_tls_cert_path: |- { 'nginx-proxy': '/fullchain.pem', 'traefik': '/certificate.crt', + 'none': '', }[matrix_playbook_reverse_proxy_type] }} @@ -1927,6 +1928,7 @@ matrix_coturn_tls_key_path: |- { 'nginx-proxy': '/privkey.pem', 'traefik': '/privatekey.key', + 'none': '', }[matrix_playbook_reverse_proxy_type] }} From 9a71a5696ba58f3c9278e52a7d926aa8edf58796 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Feb 2023 16:45:03 +0200 Subject: [PATCH 07/19] Allow Postmoogle to work with SSL certificates extracted from Traefik --- group_vars/matrix_servers | 39 ++++++++++++++++++++++++++++++++++++--- 1 file changed, 36 insertions(+), 3 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 92d729d7..d146b252 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1693,9 +1693,40 @@ matrix_bot_postmoogle_enabled: false matrix_bot_postmoogle_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" -matrix_bot_postmoogle_ssl_path: "{{ matrix_ssl_config_dir_path }}" -matrix_bot_postmoogle_tls_cert: "{% for domain in matrix_bot_postmoogle_domains %}/ssl/live/{{ domain }}/fullchain.pem {% endfor %}" -matrix_bot_postmoogle_tls_key: "{% for domain in matrix_bot_postmoogle_domains %}/ssl/live/{{ domain }}/privkey.pem {% endfor %}" +matrix_bot_postmoogle_ssl_path: |- + {{ + { + 'nginx-proxy': (matrix_ssl_config_dir_path if matrix_playbook_ssl_retrieval_method != 'none' else ''), + 'traefik': devture_traefik_certs_dumper_dumped_certificates_dir_path, + 'none': '', + }[matrix_playbook_reverse_proxy_type] + }} + +matrix_playbook_bot_postmoogle_nginx_proxy_tls_cert: "{% for domain in matrix_bot_postmoogle_domains %}/ssl/live/{{ domain }}/fullchain.pem {% endfor %}" +matrix_playbook_bot_postmoogle_nginx_proxy_key: "{% for domain in matrix_bot_postmoogle_domains %}/ssl/live/{{ domain }}/privkey.pem {% endfor %}" + +matrix_playbook_bot_postmoogle_traefik_tls_cert: "{% for domain in matrix_bot_postmoogle_domains %}/ssl/{{ domain }}/certificate.crt {% endfor %}" +matrix_playbook_bot_postmoogle_traefik_key: "{% for domain in matrix_bot_postmoogle_domains %}/ssl/{{ domain }}/privatekey.key {% endfor %}" + +matrix_bot_postmoogle_tls_cert: |- + {{ + { + 'nginx-proxy': (matrix_playbook_bot_postmoogle_nginx_proxy_tls_cert if matrix_playbook_ssl_retrieval_method != 'none' else ''), + 'traefik': matrix_playbook_bot_postmoogle_traefik_tls_cert, + 'none': '', + }[matrix_playbook_reverse_proxy_type] + }} + +matrix_bot_postmoogle_tls_key: |- + {{ + { + 'nginx-proxy': (matrix_playbook_bot_postmoogle_nginx_proxy_key if matrix_playbook_ssl_retrieval_method != 'none' else ''), + 'traefik': matrix_playbook_bot_postmoogle_traefik_key, + 'none': '', + }[matrix_playbook_reverse_proxy_type] + }} + +matrix_playbook_bot_postmoogle_traefik_certs_dumper_waiter_services: "{% for domain in matrix_bot_postmoogle_domains %}{{ devture_traefik_certs_dumper_identifier }}-wait-for-domain@{{ domain }}.service {% endfor %}" matrix_bot_postmoogle_systemd_required_services_list: | {{ @@ -1704,6 +1735,8 @@ matrix_bot_postmoogle_systemd_required_services_list: | ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + (matrix_playbook_bot_postmoogle_traefik_certs_dumper_waiter_services | trim | split(' ') if matrix_playbook_reverse_proxy_type == 'traefik' and matrix_playbook_traefik_certs_dumper_role_enabled else []) }} # Postgres is the default, except if not using internal Postgres server From 1338963b6cac0273ef078983bac3851fbeedad51 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Feb 2023 18:47:19 +0200 Subject: [PATCH 08/19] Add support for obtaining additional SSL certificates via Traefik --- group_vars/matrix_servers | 2 ++ requirements.yml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index d146b252..fbc83fa1 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -3443,6 +3443,8 @@ devture_traefik_additional_entrypoints_auto: host_bind_port: "{{ matrix_federation_public_port }}" config: {} +devture_traefik_additional_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains_to_obtain_certificates_for }}" + ######################################################################## # # # /com.devture.ansible.role.traefik # diff --git a/requirements.yml b/requirements.yml index b0dd8d1a..1edda46a 100644 --- a/requirements.yml +++ b/requirements.yml @@ -37,7 +37,7 @@ version: v0.11.1-2 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: c90a0adcdc1de3d00d256e794b095ffbf466bb05 + version: 650adfa75931714d9bc7c596cab71e33a4873a4e - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: e7563caa814e634d2f8deec4a41e970caa1c0ae4 From a5683a64497e3275908bdeabd3e590b5c61320ef Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 9 Feb 2023 10:12:09 +0200 Subject: [PATCH 09/19] Upgrade com.devture.ansible.role.traefik and rename some variables --- group_vars/matrix_servers | 6 +++--- requirements.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 88800113..fcc9c84e 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2300,7 +2300,7 @@ matrix_nginx_proxy_proxy_ntfy_enabled: "{{ matrix_ntfy_enabled }}" matrix_nginx_proxy_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" -matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_config_entrypoint_primary }}" +matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: true matrix_nginx_proxy_container_labels_traefik_proxy_element_enabled: "{{ matrix_client_element_enabled }}" @@ -3102,7 +3102,7 @@ prometheus_node_exporter_container_additional_networks: "{{ [matrix_playbook_rev prometheus_node_exporter_container_labels_traefik_enabled: false prometheus_node_exporter_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" -prometheus_node_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_config_entrypoint_primary }}" +prometheus_node_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" ###################################################################### # @@ -3133,7 +3133,7 @@ prometheus_postgres_exporter_container_additional_networks: "{{ [matrix_playbook prometheus_postgres_exporter_container_labels_traefik_enabled: false prometheus_postgres_exporter_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" -prometheus_postgres_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_config_entrypoint_primary }}" +prometheus_postgres_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" prometheus_postgres_exporter_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" prometheus_postgres_exporter_database_username: matrix_prometheus_postgres_exporter diff --git a/requirements.yml b/requirements.yml index 1edda46a..aa1c14de 100644 --- a/requirements.yml +++ b/requirements.yml @@ -37,7 +37,7 @@ version: v0.11.1-2 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: 650adfa75931714d9bc7c596cab71e33a4873a4e + version: b52ecc4df030fb99ca547575126baaf916db0743 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: e7563caa814e634d2f8deec4a41e970caa1c0ae4 From c289996cd9a72281263a095fffbc7b95de60bb9e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 9 Feb 2023 10:16:41 +0200 Subject: [PATCH 10/19] Upgrade com.devture.ansible.role.traefik --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index aa1c14de..1341bbbe 100644 --- a/requirements.yml +++ b/requirements.yml @@ -37,7 +37,7 @@ version: v0.11.1-2 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git - version: b52ecc4df030fb99ca547575126baaf916db0743 + version: fb09fd26f877372417d5586f1e79e83f983f0bd6 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git version: e7563caa814e634d2f8deec4a41e970caa1c0ae4 From 28d2eb593cc0b01b4cec70a512990e6df37b9bbd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 10 Feb 2023 15:50:35 +0200 Subject: [PATCH 11/19] Add matrix_playbook_reverse_proxy_type variable which influences all other services --- group_vars/matrix_servers | 170 ++++++++++-------- roles/custom/matrix-base/defaults/main.yml | 42 +++++ .../matrix-base/tasks/validate_config.yml | 5 + .../custom/matrix-dendrite/defaults/main.yml | 2 +- 4 files changed, 147 insertions(+), 72 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index fc866f9d..62771b6c 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -30,21 +30,19 @@ matrix_playbook_docker_installation_enabled: true # In such cases, you'd like to disable the role in this playbook from bothering with Traefik at all (`matrix_playbook_traefik_role_enabled: false`). # If you used `devture_traefik_enabled: false` + `matrix_playbook_traefik_role_enabled: true` instead, you'd see the Treafik role here # try to delete Traefik data (`/devture-traefik`) installed by the other playbook. -matrix_playbook_traefik_role_enabled: false +matrix_playbook_traefik_role_enabled: true # Controls whether to attach Traefik labels to services. # This is separate from `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`, # because you may wish to disable Traefik installation by the playbook, yet still use Traefik # installed in another way. -matrix_playbook_traefik_labels_enabled: false +matrix_playbook_traefik_labels_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-installed-traefik', 'other-traefik-container'] }}" -matrix_playbook_traefik_certs_dumper_role_enabled: "{{ matrix_playbook_traefik_role_enabled }}" +matrix_playbook_traefik_certs_dumper_role_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-installed-traefik', 'other-traefik-container'] }}" # Controls the additional network that reverse-proxyable services will be connected to. matrix_playbook_reverse_proxyable_services_additional_network: "{{ devture_traefik_container_network if devture_traefik_enabled else '' }}" -matrix_playbook_reverse_proxy_type: "{{ 'traefik' if matrix_playbook_traefik_role_enabled else ('nginx-proxy' if matrix_nginx_proxy_enabled else 'none') }}" - matrix_playbook_ssl_retrieval_method: "{{ 'lets-encrypt' if matrix_playbook_traefik_certs_dumper_role_enabled else matrix_ssl_retrieval_method }}" ######################################################################## @@ -452,7 +450,7 @@ matrix_appservice_discord_enabled: false # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-discord over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-appservice-discord's client-server port to the local host. -matrix_appservice_discord_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9005' }}" +matrix_appservice_discord_container_http_host_bind_port: "{{ matrix_playbook_service_host_bind_interface_prefix + ':9005' if matrix_playbook_service_host_bind_interface_prefix else '' }}" # If the homeserver disables presence, it's likely better (less wasteful) to also disable presence on the bridge side. matrix_appservice_discord_bridge_disablePresence: "{{ not matrix_synapse_presence_enabled }}" @@ -499,7 +497,7 @@ matrix_appservice_webhooks_container_image_self_build: "{{ matrix_architecture ! # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-webhooks over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-appservice-webhooks' client-server port to the local host. -matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_webhooks_matrix_port) }}" +matrix_appservice_webhooks_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':' ~ matrix_appservice_webhooks_matrix_port) if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_appservice_webhooks_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'webhook.as.token', rounds=655555) | to_uuid }}" @@ -538,7 +536,7 @@ matrix_appservice_slack_container_image_self_build: "{{ matrix_architecture not # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-slack over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-appservice-slack's client-server port to the local host. -matrix_appservice_slack_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_slack_slack_port) }}" +matrix_appservice_slack_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix + ':' ~ matrix_appservice_slack_slack_port) if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_appservice_slack_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'slack.as.token', rounds=655555) | to_uuid }}" @@ -581,7 +579,7 @@ matrix_appservice_irc_container_image_self_build: "{{ matrix_architecture != 'am # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-irc over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-appservice-irc's client-server port to the local host. -matrix_appservice_irc_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9999' }}" +matrix_appservice_irc_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':9999') if matrix_playbook_service_host_bind_interface_prefix else '' }}" # The IRC bridge docs say that if homeserver presence is disabled, it's better to also disable # IRC bridge presence, for performance reasons. @@ -837,7 +835,7 @@ matrix_mautrix_facebook_homeserver_token: "{{ '%s' | format(matrix_homeserver_ge matrix_mautrix_facebook_public_endpoint: "/{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'facebook', rounds=655555) | to_uuid }}" -matrix_mautrix_facebook_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9008' }}" +matrix_mautrix_facebook_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':9008') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" @@ -888,7 +886,7 @@ matrix_mautrix_googlechat_appservice_token: "{{ '%s' | format(matrix_homeserver_ matrix_mautrix_googlechat_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gc.hs.token', rounds=655555) | to_uuid }}" -matrix_mautrix_googlechat_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}" +matrix_mautrix_googlechat_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':9007') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_mautrix_googlechat_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" @@ -930,7 +928,7 @@ matrix_mautrix_hangouts_appservice_token: "{{ '%s' | format(matrix_homeserver_ge matrix_mautrix_hangouts_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ho.hs.token', rounds=655555) | to_uuid }}" -matrix_mautrix_hangouts_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}" +matrix_mautrix_hangouts_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':9007') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_mautrix_hangouts_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" @@ -1077,7 +1075,7 @@ matrix_mautrix_telegram_homeserver_token: "{{ '%s' | format(matrix_homeserver_ge matrix_mautrix_telegram_public_endpoint: "/{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'telegram', rounds=655555) | to_uuid }}" -matrix_mautrix_telegram_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9006' }}" +matrix_mautrix_telegram_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':9006') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_mautrix_telegram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" @@ -1252,12 +1250,12 @@ matrix_hookshot_systemd_wanted_services_list: | }} matrix_hookshot_container_http_host_bind_ports_defaultmapping: - - "127.0.0.1:{{ matrix_hookshot_appservice_port }}:{{ matrix_hookshot_appservice_port }}" - - "127.0.0.1:{{ matrix_hookshot_metrics_port }}:{{ matrix_hookshot_metrics_port }}" - - "127.0.0.1:{{ matrix_hookshot_webhook_port }}:{{ matrix_hookshot_webhook_port }}" - - "127.0.0.1:{{ matrix_hookshot_provisioning_port }}:{{ matrix_hookshot_provisioning_port }}" + - "{{ matrix_playbook_service_host_bind_interface_prefix }}{{ matrix_hookshot_appservice_port }}:{{ matrix_hookshot_appservice_port }}" + - "{{ matrix_playbook_service_host_bind_interface_prefix }}{{ matrix_hookshot_metrics_port }}:{{ matrix_hookshot_metrics_port }}" + - "{{ matrix_playbook_service_host_bind_interface_prefix }}{{ matrix_hookshot_webhook_port }}:{{ matrix_hookshot_webhook_port }}" + - "{{ matrix_playbook_service_host_bind_interface_prefix }}{{ matrix_hookshot_provisioning_port }}:{{ matrix_hookshot_provisioning_port }}" -matrix_hookshot_container_http_host_bind_ports: "{{ [] if matrix_nginx_proxy_enabled else matrix_hookshot_container_http_host_bind_ports_defaultmapping }}" +matrix_hookshot_container_http_host_bind_ports: "{{ matrix_hookshot_container_http_host_bind_ports_defaultmapping if matrix_playbook_service_host_bind_interface_prefix else [] }}" matrix_hookshot_provisioning_enabled: "{{ matrix_hookshot_provisioning_secret and matrix_dimension_enabled }}" @@ -1347,7 +1345,7 @@ matrix_mx_puppet_twitter_homeserver_token: "{{ '%s' | format(matrix_homeserver_g matrix_mx_puppet_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" -matrix_mx_puppet_twitter_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_mx_puppet_twitter_appservice_port) }}" +matrix_mx_puppet_twitter_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':' ~ matrix_mx_puppet_twitter_appservice_port) if matrix_playbook_service_host_bind_interface_prefix else '' }}" # Postgres is the default, except if not using internal Postgres server matrix_mx_puppet_twitter_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" @@ -1607,7 +1605,7 @@ matrix_bot_maubot_registration_shared_secret: |- }[matrix_homeserver_implementation] }} -matrix_bot_maubot_management_interface_http_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' + matrix_bot_maubot_management_interface_port | string) }}" +matrix_bot_maubot_management_interface_http_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':' ~ matrix_bot_maubot_management_interface_port | string) if matrix_playbook_service_host_bind_interface_prefix else '' }}" # Postgres is the default, except if not using internal Postgres server matrix_bot_maubot_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}" @@ -1700,8 +1698,12 @@ matrix_bot_postmoogle_container_image_self_build: "{{ matrix_architecture not in matrix_bot_postmoogle_ssl_path: |- {{ { - 'nginx-proxy': (matrix_ssl_config_dir_path if matrix_playbook_ssl_retrieval_method != 'none' else ''), - 'traefik': devture_traefik_certs_dumper_dumped_certificates_dir_path, + 'playbook-installed-traefik': devture_traefik_certs_dumper_dumped_certificates_dir_path, + 'other-traefik-container': devture_traefik_certs_dumper_dumped_certificates_dir_path, + 'playbook-installed-nginx': (matrix_ssl_config_dir_path if matrix_playbook_ssl_retrieval_method != 'none' else ''), + 'other-nginx-non-container': (matrix_ssl_config_dir_path if matrix_playbook_ssl_retrieval_method != 'none' else ''), + 'other-on-same-host': '', + 'other-on-another-host': '', 'none': '', }[matrix_playbook_reverse_proxy_type] }} @@ -1715,8 +1717,12 @@ matrix_playbook_bot_postmoogle_traefik_key: "{% for domain in matrix_bot_postmoo matrix_bot_postmoogle_tls_cert: |- {{ { - 'nginx-proxy': (matrix_playbook_bot_postmoogle_nginx_proxy_tls_cert if matrix_playbook_ssl_retrieval_method != 'none' else ''), - 'traefik': matrix_playbook_bot_postmoogle_traefik_tls_cert, + 'playbook-installed-traefik': matrix_playbook_bot_postmoogle_traefik_tls_cert, + 'other-traefik-container': matrix_playbook_bot_postmoogle_traefik_tls_cert, + 'playbook-installed-nginx': (matrix_playbook_bot_postmoogle_nginx_proxy_tls_cert if matrix_playbook_ssl_retrieval_method != 'none' else ''), + 'other-nginx-non-container': (matrix_playbook_bot_postmoogle_nginx_proxy_tls_cert if matrix_playbook_ssl_retrieval_method != 'none' else ''), + 'other-on-same-host': '', + 'other-on-another-host': '', 'none': '', }[matrix_playbook_reverse_proxy_type] }} @@ -1724,8 +1730,12 @@ matrix_bot_postmoogle_tls_cert: |- matrix_bot_postmoogle_tls_key: |- {{ { - 'nginx-proxy': (matrix_playbook_bot_postmoogle_nginx_proxy_key if matrix_playbook_ssl_retrieval_method != 'none' else ''), - 'traefik': matrix_playbook_bot_postmoogle_traefik_key, + 'playbook-installed-traefik': matrix_playbook_bot_postmoogle_traefik_key, + 'other-traefik-container': matrix_playbook_bot_postmoogle_traefik_key, + 'playbook-installed-nginx': (matrix_playbook_bot_postmoogle_nginx_proxy_key if matrix_playbook_ssl_retrieval_method != 'none' else ''), + 'other-nginx-non-container': (matrix_playbook_bot_postmoogle_nginx_proxy_key if matrix_playbook_ssl_retrieval_method != 'none' else ''), + 'other-on-same-host': '', + 'other-on-another-host': '', 'none': '', }[matrix_playbook_reverse_proxy_type] }} @@ -1740,7 +1750,7 @@ matrix_bot_postmoogle_systemd_required_services_list: | + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + - (matrix_playbook_bot_postmoogle_traefik_certs_dumper_waiter_services | trim | split(' ') if matrix_playbook_reverse_proxy_type == 'traefik' and matrix_playbook_traefik_certs_dumper_role_enabled else []) + (matrix_playbook_bot_postmoogle_traefik_certs_dumper_waiter_services | trim | split(' ') if matrix_playbook_reverse_proxy_type in ['playbook-installed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled else []) }} # Postgres is the default, except if not using internal Postgres server @@ -1791,7 +1801,7 @@ matrix_bot_go_neb_systemd_required_services_list: | (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) }} -matrix_bot_go_neb_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:4050' }}" +matrix_bot_go_neb_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':4050') if matrix_playbook_service_host_bind_interface_prefix else '' }}" ###################################################################### # @@ -1938,8 +1948,8 @@ matrix_corporal_container_image_self_build: "{{ matrix_architecture not in ['amd # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-corporal over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-corporal's web-server ports to the local host. -matrix_corporal_container_http_gateway_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:41080' }}" -matrix_corporal_container_http_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:41081' }}" +matrix_corporal_container_http_gateway_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':41080') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_corporal_container_http_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':41081') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_corporal_systemd_required_services_list: | {{ @@ -1982,8 +1992,12 @@ matrix_coturn_tls_enabled: "{{ matrix_playbook_ssl_retrieval_method != 'none' }} matrix_coturn_tls_cert_path: |- {{ { - 'nginx-proxy': '/fullchain.pem', - 'traefik': '/certificate.crt', + 'playbook-installed-traefik': '/certificate.crt', + 'other-traefik-container': '/certificate.crt', + 'playbook-installed-nginx': '/fullchain.pem', + 'other-nginx-non-container': '/fullchain.pem', + 'other-on-same-host': '', + 'other-on-another-host': '', 'none': '', }[matrix_playbook_reverse_proxy_type] }} @@ -1991,8 +2005,12 @@ matrix_coturn_tls_cert_path: |- matrix_coturn_tls_key_path: |- {{ { - 'nginx-proxy': '/privkey.pem', - 'traefik': '/privatekey.key', + 'playbook-installed-traefik': '/privatekey.key', + 'other-traefik-container': '/privatekey.key', + 'playbook-installed-nginx': '/privkey.pem', + 'other-nginx-non-container': '/privkey.pem', + 'other-on-same-host': '', + 'other-on-another-host': '', 'none': '', }[matrix_playbook_reverse_proxy_type] }} @@ -2011,7 +2029,7 @@ matrix_coturn_container_additional_volumes: | 'dst': '/privkey.pem', 'options': 'ro', }, - ] if matrix_playbook_reverse_proxy_type == 'nginx-proxy' else [] + ] if matrix_playbook_reverse_proxy_type in ['playbook-installed-nginx', 'other-nginx-non-container'] else [] ) + ( @@ -2026,7 +2044,7 @@ matrix_coturn_container_additional_volumes: | 'dst': '/privatekey.key', 'options': 'ro', }, - ] if matrix_playbook_reverse_proxy_type == 'traefik' and matrix_playbook_traefik_certs_dumper_role_enabled else [] + ] if matrix_playbook_reverse_proxy_type in ['playbook-installed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled else [] ) }} @@ -2034,7 +2052,7 @@ matrix_coturn_systemd_required_services_list: | {{ ['docker.service'] + - ([devture_traefik_certs_dumper_identifier + '-wait-for-domain@' + matrix_server_fqn_matrix + '.service'] if matrix_playbook_reverse_proxy_type == 'traefik' and matrix_playbook_traefik_certs_dumper_role_enabled else []) + ([devture_traefik_certs_dumper_identifier + '-wait-for-domain@' + matrix_server_fqn_matrix + '.service'] if matrix_playbook_reverse_proxy_type in ['playbook-installed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled else []) }} ###################################################################### @@ -2056,7 +2074,7 @@ matrix_dimension_container_image_self_build: "{{ matrix_architecture != 'amd64' # Normally, matrix-nginx-proxy is enabled and nginx can reach Dimension over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the Dimension HTTP port to the local host. -matrix_dimension_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8184' }}" +matrix_dimension_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8184') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_dimension_homeserver_federationUrl: "{{ matrix_homeserver_container_federation_url }}" @@ -2090,7 +2108,7 @@ matrix_dimension_database_password: "{{ '%s' | format(matrix_homeserver_generic_ matrix_etherpad_enabled: false -matrix_etherpad_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9001' }}" +matrix_etherpad_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':9001') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_etherpad_base_url: "{{ 'https://' + matrix_server_fqn_dimension + matrix_etherpad_public_endpoint if matrix_etherpad_mode == 'dimension' else 'https://' + matrix_server_fqn_etherpad + '/' }}" @@ -2151,11 +2169,11 @@ matrix_jitsi_enabled: false # Normally, matrix-nginx-proxy is enabled and nginx can reach jitsi/web over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the Jitsi HTTP port to the local host. -matrix_jitsi_web_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:13080' }}" +matrix_jitsi_web_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':13080') if matrix_playbook_service_host_bind_interface_prefix else '' }}" -matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:13090' }}" +matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':13090') if matrix_playbook_service_host_bind_interface_prefix else '' }}" -matrix_jitsi_prosody_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:5280' }}" +matrix_jitsi_prosody_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':5280') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_jitsi_jibri_xmpp_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jibri', rounds=655555) | to_uuid }}" matrix_jitsi_jicofo_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jicofo', rounds=655555) | to_uuid }}" @@ -2245,7 +2263,7 @@ matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach ma1sd over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # ma1sd's web-server port. -matrix_ma1sd_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:' + matrix_ma1sd_container_port | string }}" +matrix_ma1sd_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':' ~ matrix_ma1sd_container_port | string) if matrix_playbook_service_host_bind_interface_prefix else '' }}" # We enable Synapse integration via its Postgres database by default. @@ -2259,7 +2277,7 @@ matrix_ma1sd_dns_overwrite_enabled: true matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" # The `matrix_ma1sd_dns_overwrite_homeserver_client_value` value when matrix_nginx_proxy_enabled is false covers the general case, # but may be inaccurate if matrix-corporal is enabled. -matrix_ma1sd_dns_overwrite_homeserver_client_value: "{{ ('http://' + matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container) if matrix_nginx_proxy_enabled else matrix_homeserver_container_url }}" +matrix_ma1sd_dns_overwrite_homeserver_client_value: "{{ matrix_homeserver_container_url }}" # By default, we send mail through the `matrix-mailer` service. matrix_ma1sd_threepid_medium_email_identity_from: "{{ matrix_mailer_sender_address }}" @@ -2301,10 +2319,24 @@ matrix_ma1sd_database_password: "{{ '%s' | format(matrix_homeserver_generic_secr # ###################################################################### -# By default, this playbook sets up a reverse-proxy nginx proxy server on TCP ports 80, 443 and 8448. -# This is fine if you're dedicating the whole server to Matrix. -# If that's not the case, you may wish to disable this and take care of proxying yourself. -matrix_nginx_proxy_enabled: true +# This playbook installs its own nginx if +# - it's explicitly enabled +# - Traefik is in use. Not all services are Traefik-native yet, so we use reverse-proxy to some via a local-only matrix-nginx-proxy +matrix_nginx_proxy_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-installed-nginx', 'playbook-installed-traefik', 'other-traefik-container'] }}" + +# matrix-nginx-proxy is only to handle HTTPS only if it's the chosen reverse-proxy. +# It may be enabled even if it's not chosen. See `matrix_nginx_proxy_enabled`. +matrix_ssl_retrieval_method: "{{ 'lets-encrypt' if matrix_playbook_reverse_proxy_type == 'playbook-installed-nginx' else 'none' }}" +matrix_nginx_proxy_https_enabled: "{{ matrix_playbook_reverse_proxy_type == 'playbook-installed-nginx' }}" + +# matrix-nginx-proxy is to publish ports only if it's the chosen reverse-proxy. +# It may be enabled even if it's not chosen. See `matrix_nginx_proxy_enabled`. +matrix_nginx_proxy_container_http_host_bind_port: "{{ '80' if matrix_playbook_reverse_proxy_type == 'playbook-installed-nginx' else '' }}" +matrix_nginx_proxy_container_federation_host_bind_port: "{{ matrix_federation_public_port if matrix_playbook_reverse_proxy_type == 'playbook-installed-nginx' else '' }}" + +# matrix-nginx-proxy is to trust reverse-proxy forwarded protocol and headers, unless it's the "main" (chosen) reverse-proxy +matrix_nginx_proxy_trust_forwarded_proto: "{{ matrix_playbook_reverse_proxy_type != 'playbook-installed-nginx' }}" +matrix_nginx_proxy_x_forwarded_for: "{{ '$remote_addr' if matrix_playbook_reverse_proxy_type == 'playbook-installed-nginx' else '$proxy_add_x_forwarded_for' }}" matrix_nginx_proxy_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" @@ -2399,8 +2431,6 @@ matrix_nginx_proxy_proxy_conduit_federation_api_addr_sans_container: "127.0.0.1: # When matrix-nginx-proxy is disabled, the actual port number that the vhost uses may begin to matter. matrix_nginx_proxy_proxy_matrix_federation_port: "{{ matrix_federation_public_port }}" -matrix_nginx_proxy_container_federation_host_bind_port: "{{ matrix_federation_public_port }}" - matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}" @@ -2828,7 +2858,7 @@ matrix_sygnal_enabled: false # If someone instals Prometheus via the playbook, they most likely wish to monitor Sygnal. matrix_sygnal_metrics_prometheus_enabled: "{{ matrix_prometheus_enabled }}" -matrix_sygnal_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:6000' }}" +matrix_sygnal_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':6000') if matrix_playbook_service_host_bind_interface_prefix else '' }}" ###################################################################### # @@ -2844,7 +2874,7 @@ matrix_sygnal_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enable matrix_ntfy_enabled: false -matrix_ntfy_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:2586' }}" +matrix_ntfy_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':2586') if matrix_playbook_service_host_bind_interface_prefix else '' }}" ###################################################################### # @@ -2881,7 +2911,7 @@ matrix_client_element_container_image_self_build: "{{ matrix_architecture not in # Normally, matrix-nginx-proxy is enabled and nginx can reach Element over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the Element HTTP port to the local host. -matrix_client_element_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8765' }}" +matrix_client_element_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8765') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_client_element_default_hs_url: "{{ matrix_homeserver_url }}" matrix_client_element_default_is_url: "{{ matrix_identity_server_url }}" @@ -2926,7 +2956,7 @@ matrix_client_hydrogen_container_image_self_build: "{{ matrix_architecture not i # Normally, matrix-nginx-proxy is enabled and nginx can reach Hydrogen over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the HTTP port to the local host. -matrix_client_hydrogen_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8768' }}" +matrix_client_hydrogen_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8768') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_client_hydrogen_default_hs_url: "{{ matrix_homeserver_url }}" @@ -2951,7 +2981,7 @@ matrix_client_cinny_container_image_self_build: "{{ matrix_architecture not in [ # Normally, matrix-nginx-proxy is enabled and nginx can reach Cinny over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # the HTTP port to the local host. -matrix_client_cinny_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8080' }}" +matrix_client_cinny_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8080') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_client_cinny_default_hs_url: "{{ matrix_homeserver_url }}" @@ -2980,13 +3010,13 @@ matrix_synapse_account_threepid_delegates_msisdn: "{{ 'http://matrix-ma1sd:' + m matrix_synapse_container_federation_api_tls_host_bind_port: "{{ matrix_federation_public_port if (matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled) else '' }}" # # For exposing the Synapse Metrics API's port (plain HTTP) to the local host. -matrix_synapse_container_metrics_api_host_bind_port: "{{ '127.0.0.1:9100' if (matrix_synapse_metrics_enabled and not matrix_nginx_proxy_enabled) else '' }}" +matrix_synapse_container_metrics_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':9100') if matrix_synapse_metrics_enabled and matrix_playbook_service_host_bind_interface_prefix else '' }}" # # For exposing the Synapse Manhole port (plain HTTP) to the local host. -matrix_synapse_container_manhole_api_host_bind_port: "{{ '127.0.0.1:9000' if matrix_synapse_manhole_enabled else '' }}" +matrix_synapse_container_manhole_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':9000') if matrix_synapse_metrics_enabled and matrix_playbook_service_host_bind_interface_prefix else '' }}" # # For exposing the Synapse worker (and metrics) ports to the local host. -matrix_synapse_workers_container_host_bind_address: "{{ '127.0.0.1' if (matrix_synapse_workers_enabled and not matrix_nginx_proxy_enabled) else '' }}" +matrix_synapse_workers_container_host_bind_address: "{{ matrix_playbook_service_host_bind_interface_prefix[0:-1] if (matrix_synapse_workers_enabled and matrix_playbook_service_host_bind_interface_prefix) else '' }}" matrix_synapse_database_host: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}" matrix_synapse_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'synapse.db', rounds=655555) | to_uuid }}" @@ -3075,8 +3105,8 @@ matrix_synapse_reverse_proxy_companion_enabled: "{{ matrix_synapse_enabled }}" matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb: "{{ matrix_synapse_max_upload_size_mb }}" -matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8008' }}" -matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8048' }}" +matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8008') if matrix_playbook_service_host_bind_interface_prefix else '' }}" +matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8048') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_synapse_reverse_proxy_companion_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}" matrix_synapse_reverse_proxy_companion_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}" @@ -3110,7 +3140,7 @@ matrix_synapse_admin_enabled: false # Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse Admin over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # Synapse Admin's HTTP port to the local host. -matrix_synapse_admin_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8766' }}" +matrix_synapse_admin_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8766') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_synapse_admin_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" @@ -3219,7 +3249,7 @@ matrix_prometheus_enabled: false # Normally, matrix-nginx-proxy is enabled and nginx can reach Prometheus over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # Prometheus' HTTP port to the local host. -matrix_prometheus_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9090' }}" +matrix_prometheus_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':99090005') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_prometheus_scraper_synapse_enabled: "{{ matrix_synapse_enabled and matrix_synapse_metrics_enabled }}" matrix_prometheus_scraper_synapse_targets: ['matrix-synapse:{{ matrix_synapse_metrics_port }}'] @@ -3256,7 +3286,7 @@ matrix_grafana_enabled: false # Normally, matrix-nginx-proxy is enabled and nginx can reach Grafana over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # Grafana's HTTP port to the local host. -matrix_grafana_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:3000' }}" +matrix_grafana_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':3000') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_grafana_dashboard_download_urls: | {{ @@ -3295,7 +3325,7 @@ matrix_registration_enabled: false # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-registration over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose # matrix-registration's HTTP port to the local host. -matrix_registration_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8767' }}" +matrix_registration_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':8767') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_registration_riot_instance: "{{ ('https://' + matrix_server_fqn_element) if matrix_client_element_enabled else 'https://riot.im/app/' }}" @@ -3346,12 +3376,10 @@ matrix_dendrite_enabled: "{{ matrix_homeserver_implementation == 'dendrite' }}" # you can expose Dendrite's ports to the host. # # For exposing Dendrite's plain HTTP server to the local host. -matrix_dendrite_container_http_host_bind_address: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' + matrix_dendrite_http_bind_port | string) }}" +matrix_dendrite_container_http_host_bind_address: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ ':' ~ matrix_dendrite_http_bind_port | string) if matrix_playbook_service_host_bind_interface_prefix else '' }}" # # For exposing Dendrite's HTTPS server to the local host. -matrix_dendrite_container_https_host_bind_address: "{{ '' if matrix_nginx_proxy_enabled or not matrix_dendrite_https_bind_port else ('127.0.0.1:' + matrix_dendrite_https_bind_port | string) }}" - -matrix_dendrite_sync_api_real_ip_header: "{{ 'X-Forwarded-For' if matrix_nginx_proxy_enabled else '' }}" +matrix_dendrite_container_https_host_bind_address: "{{ '' if not matrix_dendrite_https_bind_port or not matrix_playbook_service_host_bind_interface_prefix else (matrix_playbook_service_host_bind_interface_prefix + matrix_dendrite_https_bind_port | string) }}" matrix_dendrite_client_api_registration_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.rss', rounds=655555) | to_uuid }}" @@ -3486,9 +3514,9 @@ matrix_user_verification_service_systemd_required_services_list: | # If Jitsi is managed by this playbook we can use the docker network - no need to expose a port. # If Jitsi is not managed by this playbook, or you otherwise have a need for it, you can expose -# matrix-user-verfification-services's client-server port to the local host port 3003. +# matrix-user-verfification-services's client-server port to port 3003. # By default Matrix-User-Verification-Service binds to port 3000, which collides with grafana, therefore this uses port 3003. -matrix_user_verification_service_container_http_host_bind_port: "{{ '' if (matrix_jitsi_enabled | bool and matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix') else '127.0.0.1:3003' }}" +matrix_user_verification_service_container_http_host_bind_port: "{{ '' if (matrix_jitsi_enabled | bool and matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix') else matrix_playbook_service_host_bind_interface_prefix ~ ':3003' }}" # URL exposed in the docker network matrix_user_verification_service_container_url: "http://{{ matrix_user_verification_service_container_name }}:3000" @@ -3513,7 +3541,7 @@ matrix_user_verification_service_uvs_auth_token: "{{ '%s' | format(matrix_homese # To completely disable the Traefik role from running, use `matrix_playbook_traefik_role_enabled: false`. # See the comment there for more details about why we have both `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`. -devture_traefik_enabled: "{{ matrix_playbook_traefik_role_enabled }}" +devture_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type == 'playbook-installed-traefik' }}" devture_traefik_uid: "{{ matrix_user_uid }}" devture_traefik_gid: "{{ matrix_user_gid }}" diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index 025e7363..e74fa4f1 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml @@ -265,6 +265,48 @@ matrix_well_known_matrix_support_enabled: false matrix_homeserver_container_extra_arguments_auto: [] matrix_homeserver_app_service_config_files_auto: [] +# Specifies the type of reverse-proxy used by the playbook. +# +# Changing this has an effect on whether a reverse-proxy is installed at all and what its type is, +# as well as how all other services are configured. +# +# Valid options and a description of their behavior: +# +# - `playbook-installed-traefik` +# - the playbook will install devture-traefik for SSL termination +# - it will also install matrix-nginx-proxy in local-only mode, while we migrate the rest of the services to a Traefik-native mode of working +# +# - `playbook-installed-nginx` +# - the playbook will install matrix-nginx-proxy and do SSL termination with Certbot +# +# - `other-traefik-container` +# - Traefik will be used, but it's not installed by this playbook. +# - you should make sure it's compatible with what the playbook would have configured (web, web-secure, matrix-federation entrypoints, etc.) +# - you may wish to set `matrix_playbook_reverse_proxyable_services_additional_network` to the name of your Traefik network +# - you may wish to enable `devture_traefik_certs_dumper_enabled` and point it to your Traefik's SSL certificates (`devture_traefik_certs_dumper_ssl_dir_path`) +# +# - `other-nginx-non-container` +# - the playbook will not install matrix-nginx-proxy +# - however, it will still dump some nginx configuration in /matrix/nginx/conf.d +# - these configs are meant to be included into a locally-installed (without a container) nginx server +# - all container services are exposed locally (e.g. `-p 127.0.0.1:8080:8080`) +# +# - `other-on-same-host` +# - like other-nginx-non-container, but supposedly won't generate useless configuration in /matrix/nginx/conf.d in the future +# +# - `other-on-another-host` +# - like other-on-same-host, but services are exposed on all interfaces (e.g. `-p 0.0.0.0:8080:8080`) +# - configurable via `matrix_playbook_service_host_bind_interface_prefix` +# +# - `none` +# - no reverse-proxy will be installed +# - no nginx configuration will be dumped in /matrix/nginx/conf.d +# - no port exposure will be done for any of the container services +# - it's up to you to expose the ports you want, etc. +matrix_playbook_reverse_proxy_type: playbook-installed-nginx + +matrix_playbook_service_host_bind_interface_prefix: "{{ '' if matrix_playbook_reverse_proxy_type not in ['other-nginx-non-container', 'other-on-same-host', 'other-on-another-host'] else ('0.0.0.0:' if matrix_playbook_reverse_proxy_type == 'other-on-another-host' else '127.0.0.1:') }}" + # Variables to Control which parts of our roles run. run_postgres_import: true run_postgres_upgrade: true diff --git a/roles/custom/matrix-base/tasks/validate_config.yml b/roles/custom/matrix-base/tasks/validate_config.yml index b3551e2e..5f63c1c6 100644 --- a/roles/custom/matrix-base/tasks/validate_config.yml +++ b/roles/custom/matrix-base/tasks/validate_config.yml @@ -51,6 +51,11 @@ msg: "Detected that variable matrix_architecture {{ matrix_architecture }} appears to be set incorrectly. See docs/alternative-architectures.md. Server appears to be {{ ansible_architecture }}." when: matrix_architecture not in ['amd64', 'arm32', 'arm64'] +- name: Fail if matrix_playbook_reverse_proxy_type is set incorrectly + ansible.builtin.fail: + msg: "Detected that variable matrix_playbook_reverse_proxy_type (current value: `{{ matrix_playbook_reverse_proxy_type }}`) appears to be set incorrectly. See roles/custom/matrix-base/defaults/main.yml for valid choices." + when: matrix_playbook_reverse_proxy_type not in ['playbook-installed-traefik', 'playbook-installed-nginx', 'other-traefik-container', 'other-nginx-non-container', 'other-on-same-host', 'other-on-another-host', 'none'] + - name: Fail if uppercase domain used ansible.builtin.fail: msg: "Detected that you're using an uppercase domain name - `{{ item }}`. This will cause trouble. Please use all-lowercase!" diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml index 6a495f8f..5e6d7d3b 100644 --- a/roles/custom/matrix-dendrite/defaults/main.yml +++ b/roles/custom/matrix-dendrite/defaults/main.yml @@ -84,7 +84,7 @@ matrix_dendrite_max_file_size_bytes: 10485760 # Controls which HTTP header (e.g. 'X-Forwarded-For', 'X-Real-IP') to inspect to find the real remote IP address of the client. # This is likely required if Dendrite is running behind a reverse proxy server. -matrix_dendrite_sync_api_real_ip_header: '' +matrix_dendrite_sync_api_real_ip_header: 'X-Forwarded-For' # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. matrix_dendrite_tmp_directory_size_mb: 500 From 97f65e8dffcf979a296cc99dfecaf744392a0116 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 10 Feb 2023 19:36:06 +0200 Subject: [PATCH 12/19] Minor fixes to allow for Traefik without SSL --- group_vars/matrix_servers | 2 +- roles/custom/matrix-base/defaults/main.yml | 13 ++++++++----- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 62771b6c..2bcaa73c 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -38,7 +38,7 @@ matrix_playbook_traefik_role_enabled: true # installed in another way. matrix_playbook_traefik_labels_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-installed-traefik', 'other-traefik-container'] }}" -matrix_playbook_traefik_certs_dumper_role_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-installed-traefik', 'other-traefik-container'] }}" +matrix_playbook_traefik_certs_dumper_role_enabled: "{{ (matrix_playbook_reverse_proxy_type == 'playbook-installed-traefik' and devture_traefik_config_entrypoint_web_secure_enabled) or matrix_playbook_reverse_proxy_type == 'other-traefik-container' }}" # Controls the additional network that reverse-proxyable services will be connected to. matrix_playbook_reverse_proxyable_services_additional_network: "{{ devture_traefik_container_network if devture_traefik_enabled else '' }}" diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index e74fa4f1..7e76a9e7 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml @@ -273,16 +273,19 @@ matrix_homeserver_app_service_config_files_auto: [] # Valid options and a description of their behavior: # # - `playbook-installed-traefik` -# - the playbook will install devture-traefik for SSL termination +# - the playbook will install devture-traefik +# - Traefik will do SSL termination, unless you disable it (e.g. `devture_traefik_config_entrypoint_web_secure_enabled: false`) # - it will also install matrix-nginx-proxy in local-only mode, while we migrate the rest of the services to a Traefik-native mode of working # # - `playbook-installed-nginx` -# - the playbook will install matrix-nginx-proxy and do SSL termination with Certbot +# - the playbook will install matrix-nginx-proxy +# - matrix-nginx-proxy will do SSL termination with Certbot, unless you change that (see `matrix_ssl_retrieval_method`) # # - `other-traefik-container` -# - Traefik will be used, but it's not installed by this playbook. -# - you should make sure it's compatible with what the playbook would have configured (web, web-secure, matrix-federation entrypoints, etc.) -# - you may wish to set `matrix_playbook_reverse_proxyable_services_additional_network` to the name of your Traefik network +# - this playbook will not install Traefik +# - nevertheless, the playbook expects that you would install Traefik yourself via other means +# - you should make sure your Traefik configuration is compatible with what the playbook would have configured (web, web-secure, matrix-federation entrypoints, etc.) +# - you need to set `matrix_playbook_reverse_proxyable_services_additional_network` to the name of your Traefik network # - you may wish to enable `devture_traefik_certs_dumper_enabled` and point it to your Traefik's SSL certificates (`devture_traefik_certs_dumper_ssl_dir_path`) # # - `other-nginx-non-container` From 8309a2130354d407171c489b803d24175c446b2b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 11 Feb 2023 08:44:11 +0200 Subject: [PATCH 13/19] Rename reverse proxy types and fix Hookshot http/https urlPrefix issue --- group_vars/matrix_servers | 52 ++++++++++--------- roles/custom/matrix-base/defaults/main.yml | 6 +-- .../matrix-base/tasks/validate_config.yml | 2 +- 3 files changed, 31 insertions(+), 29 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 2bcaa73c..5a79ccdc 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -36,15 +36,17 @@ matrix_playbook_traefik_role_enabled: true # This is separate from `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`, # because you may wish to disable Traefik installation by the playbook, yet still use Traefik # installed in another way. -matrix_playbook_traefik_labels_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-installed-traefik', 'other-traefik-container'] }}" +matrix_playbook_traefik_labels_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" -matrix_playbook_traefik_certs_dumper_role_enabled: "{{ (matrix_playbook_reverse_proxy_type == 'playbook-installed-traefik' and devture_traefik_config_entrypoint_web_secure_enabled) or matrix_playbook_reverse_proxy_type == 'other-traefik-container' }}" +matrix_playbook_traefik_certs_dumper_role_enabled: "{{ (matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' and devture_traefik_config_entrypoint_web_secure_enabled) or matrix_playbook_reverse_proxy_type == 'other-traefik-container' }}" # Controls the additional network that reverse-proxyable services will be connected to. matrix_playbook_reverse_proxyable_services_additional_network: "{{ devture_traefik_container_network if devture_traefik_enabled else '' }}" matrix_playbook_ssl_retrieval_method: "{{ 'lets-encrypt' if matrix_playbook_traefik_certs_dumper_role_enabled else matrix_ssl_retrieval_method }}" +matrix_playbook_ssl_enabled: "{{ matrix_playbook_ssl_retrieval_method in ['lets-encrypt', 'self-signed', 'manually-managed'] }}" + ######################################################################## # # # /Playbook # @@ -1269,7 +1271,7 @@ matrix_hookshot_metrics_enabled: "{{ matrix_prometheus_enabled }}" matrix_hookshot_urlprefix_port_enabled: "{{ matrix_nginx_proxy_container_https_host_bind_port == 443 if matrix_nginx_proxy_https_enabled else matrix_nginx_proxy_container_https_host_bind_port == 80 }}" matrix_hookshot_urlprefix_port: ":{{ matrix_nginx_proxy_container_https_host_bind_port if matrix_nginx_proxy_https_enabled else matrix_nginx_proxy_container_http_host_bind_port }}" -matrix_hookshot_urlprefix: "http{{ 's' if matrix_nginx_proxy_https_enabled else '' }}://{{ matrix_server_fqn_matrix }}{{ matrix_hookshot_urlprefix_port if matrix_hookshot_urlprefix_port_enabled else '' }}" +matrix_hookshot_urlprefix: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_server_fqn_matrix }}{{ matrix_hookshot_urlprefix_port if matrix_hookshot_urlprefix_port_enabled else '' }}" ###################################################################### # @@ -1698,9 +1700,9 @@ matrix_bot_postmoogle_container_image_self_build: "{{ matrix_architecture not in matrix_bot_postmoogle_ssl_path: |- {{ { - 'playbook-installed-traefik': devture_traefik_certs_dumper_dumped_certificates_dir_path, + 'playbook-managed-traefik': devture_traefik_certs_dumper_dumped_certificates_dir_path, 'other-traefik-container': devture_traefik_certs_dumper_dumped_certificates_dir_path, - 'playbook-installed-nginx': (matrix_ssl_config_dir_path if matrix_playbook_ssl_retrieval_method != 'none' else ''), + 'playbook-managed-nginx': (matrix_ssl_config_dir_path if matrix_playbook_ssl_retrieval_method != 'none' else ''), 'other-nginx-non-container': (matrix_ssl_config_dir_path if matrix_playbook_ssl_retrieval_method != 'none' else ''), 'other-on-same-host': '', 'other-on-another-host': '', @@ -1717,9 +1719,9 @@ matrix_playbook_bot_postmoogle_traefik_key: "{% for domain in matrix_bot_postmoo matrix_bot_postmoogle_tls_cert: |- {{ { - 'playbook-installed-traefik': matrix_playbook_bot_postmoogle_traefik_tls_cert, + 'playbook-managed-traefik': matrix_playbook_bot_postmoogle_traefik_tls_cert, 'other-traefik-container': matrix_playbook_bot_postmoogle_traefik_tls_cert, - 'playbook-installed-nginx': (matrix_playbook_bot_postmoogle_nginx_proxy_tls_cert if matrix_playbook_ssl_retrieval_method != 'none' else ''), + 'playbook-managed-nginx': (matrix_playbook_bot_postmoogle_nginx_proxy_tls_cert if matrix_playbook_ssl_retrieval_method != 'none' else ''), 'other-nginx-non-container': (matrix_playbook_bot_postmoogle_nginx_proxy_tls_cert if matrix_playbook_ssl_retrieval_method != 'none' else ''), 'other-on-same-host': '', 'other-on-another-host': '', @@ -1730,9 +1732,9 @@ matrix_bot_postmoogle_tls_cert: |- matrix_bot_postmoogle_tls_key: |- {{ { - 'playbook-installed-traefik': matrix_playbook_bot_postmoogle_traefik_key, + 'playbook-managed-traefik': matrix_playbook_bot_postmoogle_traefik_key, 'other-traefik-container': matrix_playbook_bot_postmoogle_traefik_key, - 'playbook-installed-nginx': (matrix_playbook_bot_postmoogle_nginx_proxy_key if matrix_playbook_ssl_retrieval_method != 'none' else ''), + 'playbook-managed-nginx': (matrix_playbook_bot_postmoogle_nginx_proxy_key if matrix_playbook_ssl_retrieval_method != 'none' else ''), 'other-nginx-non-container': (matrix_playbook_bot_postmoogle_nginx_proxy_key if matrix_playbook_ssl_retrieval_method != 'none' else ''), 'other-on-same-host': '', 'other-on-another-host': '', @@ -1750,7 +1752,7 @@ matrix_bot_postmoogle_systemd_required_services_list: | + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + - (matrix_playbook_bot_postmoogle_traefik_certs_dumper_waiter_services | trim | split(' ') if matrix_playbook_reverse_proxy_type in ['playbook-installed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled else []) + (matrix_playbook_bot_postmoogle_traefik_certs_dumper_waiter_services | trim | split(' ') if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled else []) }} # Postgres is the default, except if not using internal Postgres server @@ -1992,9 +1994,9 @@ matrix_coturn_tls_enabled: "{{ matrix_playbook_ssl_retrieval_method != 'none' }} matrix_coturn_tls_cert_path: |- {{ { - 'playbook-installed-traefik': '/certificate.crt', + 'playbook-managed-traefik': '/certificate.crt', 'other-traefik-container': '/certificate.crt', - 'playbook-installed-nginx': '/fullchain.pem', + 'playbook-managed-nginx': '/fullchain.pem', 'other-nginx-non-container': '/fullchain.pem', 'other-on-same-host': '', 'other-on-another-host': '', @@ -2005,9 +2007,9 @@ matrix_coturn_tls_cert_path: |- matrix_coturn_tls_key_path: |- {{ { - 'playbook-installed-traefik': '/privatekey.key', + 'playbook-managed-traefik': '/privatekey.key', 'other-traefik-container': '/privatekey.key', - 'playbook-installed-nginx': '/privkey.pem', + 'playbook-managed-nginx': '/privkey.pem', 'other-nginx-non-container': '/privkey.pem', 'other-on-same-host': '', 'other-on-another-host': '', @@ -2029,7 +2031,7 @@ matrix_coturn_container_additional_volumes: | 'dst': '/privkey.pem', 'options': 'ro', }, - ] if matrix_playbook_reverse_proxy_type in ['playbook-installed-nginx', 'other-nginx-non-container'] else [] + ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [] ) + ( @@ -2044,7 +2046,7 @@ matrix_coturn_container_additional_volumes: | 'dst': '/privatekey.key', 'options': 'ro', }, - ] if matrix_playbook_reverse_proxy_type in ['playbook-installed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled else [] + ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled else [] ) }} @@ -2052,7 +2054,7 @@ matrix_coturn_systemd_required_services_list: | {{ ['docker.service'] + - ([devture_traefik_certs_dumper_identifier + '-wait-for-domain@' + matrix_server_fqn_matrix + '.service'] if matrix_playbook_reverse_proxy_type in ['playbook-installed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled else []) + ([devture_traefik_certs_dumper_identifier + '-wait-for-domain@' + matrix_server_fqn_matrix + '.service'] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled else []) }} ###################################################################### @@ -2322,21 +2324,21 @@ matrix_ma1sd_database_password: "{{ '%s' | format(matrix_homeserver_generic_secr # This playbook installs its own nginx if # - it's explicitly enabled # - Traefik is in use. Not all services are Traefik-native yet, so we use reverse-proxy to some via a local-only matrix-nginx-proxy -matrix_nginx_proxy_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-installed-nginx', 'playbook-installed-traefik', 'other-traefik-container'] }}" +matrix_nginx_proxy_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'playbook-managed-traefik', 'other-traefik-container'] }}" # matrix-nginx-proxy is only to handle HTTPS only if it's the chosen reverse-proxy. # It may be enabled even if it's not chosen. See `matrix_nginx_proxy_enabled`. -matrix_ssl_retrieval_method: "{{ 'lets-encrypt' if matrix_playbook_reverse_proxy_type == 'playbook-installed-nginx' else 'none' }}" -matrix_nginx_proxy_https_enabled: "{{ matrix_playbook_reverse_proxy_type == 'playbook-installed-nginx' }}" +matrix_ssl_retrieval_method: "{{ 'lets-encrypt' if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'none' }}" +matrix_nginx_proxy_https_enabled: "{{ matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' }}" # matrix-nginx-proxy is to publish ports only if it's the chosen reverse-proxy. # It may be enabled even if it's not chosen. See `matrix_nginx_proxy_enabled`. -matrix_nginx_proxy_container_http_host_bind_port: "{{ '80' if matrix_playbook_reverse_proxy_type == 'playbook-installed-nginx' else '' }}" -matrix_nginx_proxy_container_federation_host_bind_port: "{{ matrix_federation_public_port if matrix_playbook_reverse_proxy_type == 'playbook-installed-nginx' else '' }}" +matrix_nginx_proxy_container_http_host_bind_port: "{{ '80' if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else '' }}" +matrix_nginx_proxy_container_federation_host_bind_port: "{{ matrix_federation_public_port if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else '' }}" # matrix-nginx-proxy is to trust reverse-proxy forwarded protocol and headers, unless it's the "main" (chosen) reverse-proxy -matrix_nginx_proxy_trust_forwarded_proto: "{{ matrix_playbook_reverse_proxy_type != 'playbook-installed-nginx' }}" -matrix_nginx_proxy_x_forwarded_for: "{{ '$remote_addr' if matrix_playbook_reverse_proxy_type == 'playbook-installed-nginx' else '$proxy_add_x_forwarded_for' }}" +matrix_nginx_proxy_trust_forwarded_proto: "{{ matrix_playbook_reverse_proxy_type != 'playbook-managed-nginx' }}" +matrix_nginx_proxy_x_forwarded_for: "{{ '$remote_addr' if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else '$proxy_add_x_forwarded_for' }}" matrix_nginx_proxy_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" @@ -3541,7 +3543,7 @@ matrix_user_verification_service_uvs_auth_token: "{{ '%s' | format(matrix_homese # To completely disable the Traefik role from running, use `matrix_playbook_traefik_role_enabled: false`. # See the comment there for more details about why we have both `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`. -devture_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type == 'playbook-installed-traefik' }}" +devture_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' }}" devture_traefik_uid: "{{ matrix_user_uid }}" devture_traefik_gid: "{{ matrix_user_gid }}" diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index 7e76a9e7..8cf63b9b 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml @@ -272,12 +272,12 @@ matrix_homeserver_app_service_config_files_auto: [] # # Valid options and a description of their behavior: # -# - `playbook-installed-traefik` +# - `playbook-managed-traefik` # - the playbook will install devture-traefik # - Traefik will do SSL termination, unless you disable it (e.g. `devture_traefik_config_entrypoint_web_secure_enabled: false`) # - it will also install matrix-nginx-proxy in local-only mode, while we migrate the rest of the services to a Traefik-native mode of working # -# - `playbook-installed-nginx` +# - `playbook-managed-nginx` # - the playbook will install matrix-nginx-proxy # - matrix-nginx-proxy will do SSL termination with Certbot, unless you change that (see `matrix_ssl_retrieval_method`) # @@ -306,7 +306,7 @@ matrix_homeserver_app_service_config_files_auto: [] # - no nginx configuration will be dumped in /matrix/nginx/conf.d # - no port exposure will be done for any of the container services # - it's up to you to expose the ports you want, etc. -matrix_playbook_reverse_proxy_type: playbook-installed-nginx +matrix_playbook_reverse_proxy_type: playbook-managed-nginx matrix_playbook_service_host_bind_interface_prefix: "{{ '' if matrix_playbook_reverse_proxy_type not in ['other-nginx-non-container', 'other-on-same-host', 'other-on-another-host'] else ('0.0.0.0:' if matrix_playbook_reverse_proxy_type == 'other-on-another-host' else '127.0.0.1:') }}" diff --git a/roles/custom/matrix-base/tasks/validate_config.yml b/roles/custom/matrix-base/tasks/validate_config.yml index 5f63c1c6..cd6d20cd 100644 --- a/roles/custom/matrix-base/tasks/validate_config.yml +++ b/roles/custom/matrix-base/tasks/validate_config.yml @@ -54,7 +54,7 @@ - name: Fail if matrix_playbook_reverse_proxy_type is set incorrectly ansible.builtin.fail: msg: "Detected that variable matrix_playbook_reverse_proxy_type (current value: `{{ matrix_playbook_reverse_proxy_type }}`) appears to be set incorrectly. See roles/custom/matrix-base/defaults/main.yml for valid choices." - when: matrix_playbook_reverse_proxy_type not in ['playbook-installed-traefik', 'playbook-installed-nginx', 'other-traefik-container', 'other-nginx-non-container', 'other-on-same-host', 'other-on-another-host', 'none'] + when: matrix_playbook_reverse_proxy_type not in ['playbook-managed-traefik', 'playbook-managed-nginx', 'other-traefik-container', 'other-nginx-non-container', 'other-on-same-host', 'other-on-another-host', 'none'] - name: Fail if uppercase domain used ansible.builtin.fail: From f37a7a21f17ff8b1b7c7f38eea3f63ecd2dfc04f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 11 Feb 2023 08:53:32 +0200 Subject: [PATCH 14/19] Delay Postmoogle startup to help Traefik-based setups --- group_vars/matrix_servers | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 5a79ccdc..5b206d91 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -199,6 +199,9 @@ matrix_homeserver_app_service_config_files_auto: | # - so that, when the reverse-proxy is up (Matrix is up), all bots and bridges can be interacted with # - monitoring services (Prometheus, Grafana, ..) get a level of 4000 - they can start later than all-of-Matrix # - services which aren't time-sensitive (various crons and timers) get a level of 5000 - they can start later than all-of-Matrix +# +# `matrix-bot-postmoogle.service` has a higher priority number (4000), unlike other bots' priority (2200), +# because it requires SSL certificates. If Traefik is used, then Postmoogle needs to start at least after Traefik (3500) and Traefik certs dumper (3500). devture_systemd_service_manager_services_list_auto: | {{ ([{'name': 'matrix-backup-borg.timer', 'priority': 5000, 'groups': ['matrix', 'backup', 'borg']}] if matrix_backup_borg_enabled else []) @@ -219,7 +222,7 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-bot-draupnir.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'draupnir']}] if matrix_bot_draupnir_enabled else []) + - ([{'name': 'matrix-bot-postmoogle.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'postmoogle']}] if matrix_bot_postmoogle_enabled else []) + ([{'name': 'matrix-bot-postmoogle.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'postmoogle']}] if matrix_bot_postmoogle_enabled else []) + ([{'name': 'matrix-bot-chatgpt.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'chatgpt']}] if matrix_bot_chatgpt_enabled else []) + From 94be74e633e8141d3cbe784537d4dcc8f59d9d9e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 11 Feb 2023 08:54:07 +0200 Subject: [PATCH 15/19] Improve traefik-certs-dumper defaults for other-traefik-container setups We'd like to auto-enable traefik-certs-dumper for these setups. `devture_traefik_certs_dumper_ssl_dir_path` will be empty though, so the role's validation will point people in the right direction. --- group_vars/matrix_servers | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 5b206d91..df095b88 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -3574,7 +3574,7 @@ devture_traefik_additional_domains_to_obtain_certificates_for: "{{ matrix_ssl_ad # To completely disable the Traefik certs dumper role from running, use `matrix_playbook_traefik_certs_dumper_role_enabled: false`. # See the comment there for more details about why we have both `devture_traefik_certs_dumper_enabled` and `matrix_playbook_traefik_certs_dumper_role_enabled`. -devture_traefik_certs_dumper_enabled: "{{ matrix_playbook_traefik_certs_dumper_role_enabled and devture_traefik_enabled }}" +devture_traefik_certs_dumper_enabled: "{{ matrix_playbook_traefik_certs_dumper_role_enabled }}" devture_traefik_certs_dumper_identifier: matrix-traefik-certs-dumper @@ -3583,7 +3583,7 @@ devture_traefik_certs_dumper_base_path: "{{ matrix_base_data_path }}/traefik-cer devture_traefik_certs_dumper_uid: "{{ matrix_user_uid }}" devture_traefik_certs_dumper_gid: "{{ matrix_user_gid }}" -devture_traefik_certs_dumper_ssl_dir_path: "{{ devture_traefik_ssl_dir_path }}" +devture_traefik_certs_dumper_ssl_dir_path: "{{ devture_traefik_ssl_dir_path if devture_traefik_enabled else '' }}" ######################################################################## # # From 6b0650641ba27b6a13561199c89fcb75b6a2eeb5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 11 Feb 2023 08:58:53 +0200 Subject: [PATCH 16/19] Update matrix_playbook_reverse_proxy_type documentation --- roles/custom/matrix-base/defaults/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index 8cf63b9b..6a990171 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml @@ -275,18 +275,20 @@ matrix_homeserver_app_service_config_files_auto: [] # - `playbook-managed-traefik` # - the playbook will install devture-traefik # - Traefik will do SSL termination, unless you disable it (e.g. `devture_traefik_config_entrypoint_web_secure_enabled: false`) +# - if SSL termination is enabled (as it is by default), you need to populate: `devture_traefik_ssl_email_address` # - it will also install matrix-nginx-proxy in local-only mode, while we migrate the rest of the services to a Traefik-native mode of working # # - `playbook-managed-nginx` # - the playbook will install matrix-nginx-proxy # - matrix-nginx-proxy will do SSL termination with Certbot, unless you change that (see `matrix_ssl_retrieval_method`) +# - if SSL termination is enabled (as it is by default), you need to populate: `matrix_ssl_lets_encrypt_support_email` # # - `other-traefik-container` # - this playbook will not install Traefik # - nevertheless, the playbook expects that you would install Traefik yourself via other means # - you should make sure your Traefik configuration is compatible with what the playbook would have configured (web, web-secure, matrix-federation entrypoints, etc.) # - you need to set `matrix_playbook_reverse_proxyable_services_additional_network` to the name of your Traefik network -# - you may wish to enable `devture_traefik_certs_dumper_enabled` and point it to your Traefik's SSL certificates (`devture_traefik_certs_dumper_ssl_dir_path`) +# - Traefik certs dumper will be enabled by default (`devture_traefik_certs_dumper_enabled`). You need to point it to your Traefik's SSL certificates (`devture_traefik_certs_dumper_ssl_dir_path`) # # - `other-nginx-non-container` # - the playbook will not install matrix-nginx-proxy From b3f6436a0d182918f24ac74d8525aa88d0c0a2cd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 12 Feb 2023 15:50:13 +0200 Subject: [PATCH 17/19] Do not enable the Traefik role when reverse-proxy = other-traefik-container --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index df095b88..72633c6e 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -30,7 +30,7 @@ matrix_playbook_docker_installation_enabled: true # In such cases, you'd like to disable the role in this playbook from bothering with Traefik at all (`matrix_playbook_traefik_role_enabled: false`). # If you used `devture_traefik_enabled: false` + `matrix_playbook_traefik_role_enabled: true` instead, you'd see the Treafik role here # try to delete Traefik data (`/devture-traefik`) installed by the other playbook. -matrix_playbook_traefik_role_enabled: true +matrix_playbook_traefik_role_enabled: "{{ matrix_playbook_reverse_proxy_type != 'other-traefik-container' }}" # Controls whether to attach Traefik labels to services. # This is separate from `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`, From 73435dfe100d1765e007bee97ab747c51e5cfcdd Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 12 Feb 2023 15:53:11 +0200 Subject: [PATCH 18/19] Announce Traefik support --- CHANGELOG.md | 108 +++++++++++++++++++++ docs/configuring-playbook-own-webserver.md | 2 + 2 files changed, 110 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 257f57d9..d3f74e70 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,111 @@ +# 2023-02-12 + +## Reverse-proxy configuration changes and initial Traefik support + +**TLDR**: + +- there's a new `matrix_playbook_reverse_proxy_type` variable (see [roles/custom/matrix-base/defaults/main.yml](roles/custom/matrix-base/defaults/main.yml)), which lets you tell the playbook what reverse-proxy setup you'd like to have. This makes it easier for people who want to do reverse-proxying in other ways. +- the default reverse-proxy (`matrix_playbook_reverse_proxy_type`) is still `playbook-managed-nginx` (via `matrix-nginx-proxy`), for now. **Existing users should not observe any changes** and can stay on this for now. +- we now have **optional [Traefik](https://traefik.io/) support**, so you could easily host Matrix and other Traefik-native services in containers on the same server. Traefik support is still experimental (albeit, good enough) and will improve over time. It does work, but certain esoteric features may not be there yet. +- **Traefik will become the default reverse-proxy in the near future**. `matrix-nginx-proxy` will either remain as an option, or be completely removed to simplify the playbook + +### Motivation for redoing our reverse-proxy setup + +The playbook has supported various reverse-proxy setups for a long time. +We have various configuration variables (`matrix_nginx_proxy_enabled`, various `_host_bind_port` variables, etc.) which allow the playbook to adapt to these different setups. The whole situation was messy though - hard to figure out and with lots of variables to toggle to make things work as you'd expect - huge **operational complexity**. + +We love containers, proven by the fact that **everything** that this playbook manages runs in a container. Yet, we weren't allowing people to easily host other web-exposed containers alongside Matrix services on the same server. We were using `matrix-nginx-proxy` (our integrated [nginx](https://nginx.org/) server), which was handling web-exposure and SSL termination for our own services, but we **weren't helping you with all your other containers**. + +People who were **using `matrix-nginx-proxy`** were on the happy path on which everything worked well by default (Matrix-wise), **but** could not easily run other web-exposed services on their Matrix server because `matrix-nginx-proxy` was occupying ports `80` and `443`. Other services which wanted to get web exposure either had to be plugged into `matrix-nginx-proxy` (somewhat difficult) or people had to forgo using `matrix-nginx-proxy` in favor of something else. + +Of those that decided to forgo `matrix-nginx-proxy`, many were **using nginx** on the same server without a container. This was likely some ancient nginx version, depending on your choice of distro. The Matrix playbook was trying to be helpful and even with `matrix_nginx_proxy_enabled: false` was still generating nginx configuration in `/matrix/nginx-proxy/conf.d`. Those configuration files were adapted for inclusion into an nginx server running locally. Disabling the `matrix-nginx-proxy` role like this, yet still having it produce files is a bit disgusting, but it's what we've had since the early beginnings of this playbook. + +Others still, wanted to run Matrix locally (no SSL certificates), regardless of which web server technology this relied on, and then **reverse-proxy from another machine on the network** which was doing SSL termination. These people were: + +- *either* relying on `matrix_nginx_proxy_enabled: false` as well, combined with exposing services manually (setting `_bind_port` variables) +- *or* better yet, they were keeping `matrix-nginx-proxy` enabled, but in `http`-only mode (no SSL certificate retrieval). + +Despite this operational complexity, things worked and were reasonably flexible to adapt to all these situations. + +When using `matrix-nginx-proxy` as is, we still had another problem - one of **internal playbook complexity**. Too many services need to be web-exposed (port 80/443, SSL certificates). Because of this, they all had to integrate with the `matrix-nginx-proxy` role. Tens of different roles explicitly integrating with `matrix-nginx-proxy` is not what we call clean. The `matrix-nginx-proxy` role contains variables for many of these roles (yikes). Other roles were more decoupled from it and were injecting configuration into `matrix-nginx-proxy` at runtime - see all the `inject_into_nginx_proxy.yml` task files in this playbook (more decoupled, but still.. yikes). + +The next problem is one of **efficiency, interoperability and cost-saving**. We're working on other playbooks: + +- [vaultwarden-docker-ansible-deploy](https://github.com/spantaleev/vaultwarden-docker-ansible-deploy) for hosting the [Vaultwarden](https://github.com/dani-garcia/vaultwarden) server - an alternative implementation of the [Bitwarden](https://bitwarden.com/) password manager +- [gitea-docker-ansible-deploy](https://github.com/spantaleev/gitea-docker-ansible-deploy) - for hosting the [Gitea](https://gitea.io/) git source code hosting service +- [nextcloud-docker-ansible-deploy](https://github.com/spantaleev/nextcloud-docker-ansible-deploy) - for hosting the [Nextcloud](https://nextcloud.com/) groupware platform + +We'd love for users to be able to **seamlessly use all these playbooks (and others, even) against a single server**. We don't want `matrix-nginx-proxy` to have a monopoly on port `80`/`443` and make it hard for other services to join in on the party. Such a thing forces people into running multiple servers (one for each service), which does provide nice security benefits, but is costly and ineffiecient. We'd like to make self-hosting these services cheap and easy. + +These other playbooks have been using [Traefik](https://traefik.io/) as their default reverse-proxy for a long time. They can all coexist nicely together (as an example, see the [Interoperability](https://github.com/spantaleev/nextcloud-docker-ansible-deploy/blob/master/docs/configuring-playbook-interoperability.md) documentation for the [Nextcloud playbook](https://github.com/spantaleev/nextcloud-docker-ansible-deploy)). Now that this playbook is gaining Traefik support, it will be able to interoperate with them. If you're going this way, make sure to have the Matrix playbook install Traefik and have the others use `*_reverse_proxy_type: other-traefik-container`. + +Finally, at [etke.cc - a managed Matrix server hosting service](https://etke.cc) (built on top of this playbook, and coincidentally [turning 2 years old today](https://etke.cc/news/upsyw4ykbtgmwhz8k7ukldx0zbbfq-fh0iqi3llixi0/) 🎉), we're allowing people to host some additional services besides Matrix components. Exposing these services to the web requires ugly hacks and configuration files being dropped into `/matrix/nginx-proxy/conf.d`. We believe that everything should run in independent containers and be exposed to the web via a Traefik server, without a huge Ansible role like `matrix-nginx-proxy` that everything else needs to integrate with. + +### How do these changes fix all these problems? + +The new `matrix_playbook_reverse_proxy_type` lets you easily specify your preferred reverse-proxy type, including `other-on-same-host`, `other-on-another-host` and `none`, so people who'd like to reverse-proxy with their own web server have more options now. + +Using Traefik greatly simplifies things, so going forward we'll have a simpler and easier to maintain playbook, which is also interoperable with other services. + +Traefik is a web server, which has been specifically **designed for reverse-proxying to services running in containers**. It's ideal for usage in an Ansible playbook which runs everything in containers. + +**Traefik obtains SSL certificates automatically**, so there's no need for plugging additional tools like [Certbot](https://certbot.eff.org/) into your web server (like we were doing in the `matrix-nginx-proxy` role). No more certificate renewal timers, web server reloading timers, etc. It's just simpler. + +Traefik is a **modern web server**. [HTTP/3](https://doc.traefik.io/traefik/routing/entrypoints/#http3) is supported already (experimentally) and will move to stable soon, in the upcoming Traefik v3 release. + +Traefik does not lock important functionality we'd like to use into [plus packages like nginx does](https://www.nginx.com/products/nginx/), leading us to resolve to configuration workarounds. The default Traefik package is good enough as it is. + +### Where we're at right now? + +`matrix_playbook_reverse_proxy_type` still defaults to a value of `playbook-managed-nginx`. + +Unless we have some regression, **existing users should be able to update their Matrix server and not observe any changes**. Their setup should still remain on nginx and everything should still work as expected. + +#### How do I explicitly switch to Traefik right now? + +**Users who want to migrate to Traefik** today, can do so by using configuration like this: + +```yaml +matrix_playbook_reverse_proxy_type: playbook-managed-traefik + +devture_traefik_ssl_email_address: YOUR_EMAIL_ADDRESS +``` + +Switching to Traefik will obtain new SSL certificates from Let's Encrypt (stored in `/devture-traefik/ssl/acme.json`). **The switch is reversible**. You can always go back to `playbook-managed-nginx` if Traefik is causing you trouble. + +**Note**: toggling `matrix_playbook_reverse_proxy_type` between Traefik and nginx will uninstall the Traefik role and all of its data (under `/devture-traefik`), so you may run into a Let's Encrypt rate limit if you do it often. + +Treafik directly reverse-proxies to **some** services right now, but for most other services it goes through `matrix-nginx-proxy` (e.g. Traefik -> `matrix-nginx-proxy` -> [Ntfy](docs/configuring-playbook-ntfy.md)). So, even if you opt into Traefik, you'll still see `matrix-nginx-proxy` being installed in local-only mode. This will improve with time. + +Some services (like [Coturn](docs/configuring-playbook-turn.md) and [Postmoogle](docs/configuring-playbook-bot-postmoogle.md)) cannot be reverse-proxied to directly from Traefik, so they require direct access to SSL certificate files extracted out of Traefik. The playbook does this automatically thanks to a new [com.devture.ansible.role.traefik_certs_dumper](https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper) role utilizing the [traefik-certs-dumper](https://github.com/ldez/traefik-certs-dumper) tool. + +Our Traefik setup mostly works, but certain esoteric features may not work. If you have a default setup, we expect you to have a good experience. + + +### Where we're going in the near future? + +The `matrix-nginx-proxy` role is quite messy. It manages both nginx and Certbot and its certificate renewal scripts and timers. It generates configuration even when the role is disabled (weird). Although it doesn't directly reach into variables from other roles, it has explicit awareness of various other services that it reverse-proxies to (`roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-ntfy.conf.j2`, etc.). We'd like to clean this up. The only way is probably to just get rid of the whole thing at some point. + +For now, `matrix-nginx-proxy` will stay around. + +As mentioned above, Traefik still reverse-proxies to some (most) services by going through a local-only `matrix-nginx-proxy` server. This has allowed us to add Traefik support to the playbook early on (without having to rework all services), but is not the final goal. We'll **work on making each service support Traefik natively**, so that traffic will not need to go through `matrix-nginx-proxy` anymore. In the end, choosing Traefik should only give you a pure Traefik installation with no `matrix-nginx-proxy` in sight. + +As Traefik support becomes complete and proves to be stable for a while, especially as a playbook default, we will **most likely remove `matrix-nginx-proxy` completely**. It will likely be some months before this happens though. Keeping support for both Traefik and nginx in the playbook will be a burden, especially with most of us running Traefik in the future. The Traefik role should do everything nginx does in a better and cleaner way. Users who use their own `nginx` server on the Matrix server will be inconvenienced, as nothing will generate ready-to-include nginx configuration for them. Still, we hope it won't be too hard to migrate their setup to another way of doing things, like: + +- not using nginx anymore. A common reason for using nginx until now was that you were running other containers and you need your own nginx to reverse-proxy to all of them. Just switch them to Traefik as well. +- running Traefik in local-only mode (`devture_traefik_config_entrypoint_web_secure_enabled: false`) and using some nginx configuration which reverse-proxies to Traefik (we should introduce examples for this in `examples/nginx`). + +### How do I help? + +You can help by: + +- **explicitly switching your server to Traefik** right now (see example configuration in [How do I explicitly switch to Traefik right now?](#how-do-i-explicitly-switch-to-traefik-right-now) above), testing, reporting troubles + +- **adding native Traefik support to a role** (requires adding Traefik labels, etc.) - for inspiration, see these roles ([prometheus_node_exporter](https://gitlab.com/etke.cc/roles/prometheus_node_exporter), [prometheus_postgres_exporter](https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter)) and how they're hooked into the playbook via [group_vars/matrix_servers](group_vars/matrix_servers). + +- **adding reverse-proxying examples for nginx users** in `examples/nginx`. People who insist on using their own `nginx` server on the same Matrix host, can run Traefik in local-only mode (`devture_traefik_config_entrypoint_web_secure_enabled: false`) and reverse-proxy to the Traefik server + + # 2023-02-10 ## Matrix Authentication Support for Jitsi diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index 06f21b32..e978a1e1 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -1,5 +1,7 @@ # Using your own webserver, instead of this playbook's nginx proxy (optional, advanced) +**Note**: the playbook is [in the process of moving to Traefik](../CHANGELOG.md#reverse-proxy-configuration-changes-and-initial-traefik-support). The documentation below should be correct, but things will change soon. + By default, this playbook installs its own nginx webserver (called `matrix-nginx-proxy`, in a Docker container) which listens on ports 80 and 443. If that's alright, you can skip this. From bc4cb7bb6a52185b43fe710bfa7ec2e956981c55 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 12 Feb 2023 16:03:44 +0200 Subject: [PATCH 19/19] Update configuring-playbook-own-webserver.md with matrix_playbook_reverse_proxy_type awareness --- docs/configuring-playbook-own-webserver.md | 97 +++++++--------------- 1 file changed, 30 insertions(+), 67 deletions(-) diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md index e978a1e1..77fa018d 100644 --- a/docs/configuring-playbook-own-webserver.md +++ b/docs/configuring-playbook-own-webserver.md @@ -102,13 +102,7 @@ You can disable such behavior and make the integrated nginx reverse-proxy webser You would need some configuration like this: ```yaml -# Do not retrieve SSL certificates. This shall be managed by another webserver or other means. -matrix_ssl_retrieval_method: none - -# Do not try to serve HTTPS, since we have no SSL certificates. -# Disabling this also means services will be served on the HTTP port -# (`matrix_nginx_proxy_container_http_host_bind_port`). -matrix_nginx_proxy_https_enabled: false +matrix_playbook_reverse_proxy_type: other-on-same-host # Do not listen for HTTP on port 80 globally (default), listen on the loopback interface. # If you'd like, you can make it use the local network as well and reverse-proxy from another local machine. @@ -122,15 +116,9 @@ matrix_nginx_proxy_container_http_host_bind_port: '127.0.0.1:81' matrix_nginx_proxy_container_federation_host_bind_port: '127.0.0.1:8449' # Coturn relies on SSL certificates that have already been obtained. -# Since we don't obtain any certificates (`matrix_ssl_retrieval_method: none` above), it won't work by default. +# Since we don't obtain any certificates in this `other-on-same-host` mode, it won't work by default. # An alternative is to tweak some of: `matrix_coturn_tls_enabled`, `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path`. matrix_coturn_enabled: false - -# Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection. -matrix_nginx_proxy_trust_forwarded_proto: true - -# Trust and use the other reverse proxy's `X-Forwarded-For` header. -matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for' ``` With this, nginx would still be in use, but it would not bother with anything SSL related or with taking up public ports. @@ -142,63 +130,38 @@ The expected domains vary depending on the services you have enabled (`matrix.DO ### Sample configuration for running behind Traefik 2.0 -Below is a sample configuration for using this playbook with a [Traefik](https://traefik.io/) 2.0 reverse proxy. +To run behind Traefik, you can: + +- use a [Playbook-managed Traefik installation](#playbook-managed-traefik-installation) +- or, use [Your own Traefik server (not managed by the playbook)](#your-own-traefik-server-not-managed-by-the-playbook) + +#### Playbook-managed Traefik installation + +The playbook can install and manage Traefik for you using the [com.devture.ansible.role.traefik](https://github.com/devture/com.devture.ansible.role.traefik) role. + +It's simplest if you go with this method. You will need the following configuration: ```yaml -# Disable generation and retrieval of SSL certs -matrix_ssl_retrieval_method: none +matrix_playbook_reverse_proxy_type: playbook-managed-traefik -# Configure Nginx to only use plain HTTP -matrix_nginx_proxy_https_enabled: false - -# Don't bind any HTTP or federation port to the host -# (Traefik will proxy directly into the containers) -matrix_nginx_proxy_container_http_host_bind_port: '' -matrix_nginx_proxy_container_federation_host_bind_port: '' - -# Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection. -matrix_nginx_proxy_trust_forwarded_proto: true - -# Trust and use the other reverse proxy's `X-Forwarded-For` header. -matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for' - -# Disable Coturn because it needs SSL certs -# (Clients can, though exposing IP address, use Matrix.org TURN) -matrix_coturn_enabled: false - -# All containers need to be on the same Docker network as Traefik -# (This network should already exist and Traefik should be using this network) -matrix_docker_network: 'traefik' - -matrix_nginx_proxy_container_extra_arguments: - # May be unnecessary depending on Traefik config, but can't hurt - - '--label "traefik.enable=true"' - - # The Nginx proxy container will receive traffic from these subdomains - - '--label "traefik.http.routers.matrix-nginx-proxy.rule=Host(`{{ matrix_server_fqn_matrix }}`,`{{ matrix_server_fqn_element }}`,`{{ matrix_server_fqn_dimension }}`,`{{ matrix_server_fqn_jitsi }}`)"' - # (The 'web-secure' entrypoint must bind to port 443 in Traefik config) - - '--label "traefik.http.routers.matrix-nginx-proxy.entrypoints=web-secure"' - # (The 'default' certificate resolver must be defined in Traefik config) - - '--label "traefik.http.routers.matrix-nginx-proxy.tls.certResolver=default"' - # Traefik requires that we declare which service this router is using - - '--label "traefik.http.routers.matrix-nginx-proxy.service=matrix-nginx-proxy"' - # The Nginx proxy container uses port 8080 internally - - '--label "traefik.http.services.matrix-nginx-proxy.loadbalancer.server.port=8080"' - - # Federation - - '--label "traefik.http.routers.matrix-nginx-proxy-federation.rule=Host(`{{ matrix_server_fqn_matrix }}`)"' - # (The 'federation' entrypoint must bind to port 8448 in Traefik config) - - '--label "traefik.http.routers.matrix-nginx-proxy-federation.entrypoints=federation"' - # (The 'default' certificate resolver must be defined in Traefik config) - - '--label "traefik.http.routers.matrix-nginx-proxy-federation.tls.certResolver=default"' - # Traefik requires that we declare which service this router is using - - '--label "traefik.http.routers.matrix-nginx-proxy-federation.service=matrix-nginx-proxy-federation"' - # The Nginx proxy container uses port `matrix_nginx_proxy_proxy_matrix_federation_port (8448) internally - - '--label "traefik.http.services.matrix-nginx-proxy-federation.loadbalancer.server.port={{ matrix_nginx_proxy_proxy_matrix_federation_port }}"' - - '--label "traefik.http.services.matrix-nginx-proxy-federation.loadbalancer.server.scheme={{ "https" if matrix_nginx_proxy_https_enabled else "http" }}"' +devture_traefik_ssl_email_address: YOUR_EMAIL_ADDRESS ``` -This method uses labels attached to the Nginx and Synapse containers to provide the Traefik Docker provider with the information it needs to proxy `matrix.DOMAIN`, `element.DOMAIN`, `dimension.DOMAIN` and `jitsi.DOMAIN`. Some [static configuration](https://docs.traefik.io/v2.0/reference/static-configuration/file/) is required in Traefik; namely, having endpoints on ports 443 and 8448 and having a certificate resolver. +#### Your own Traefik server (not managed by the playbook) + +If you'd like to run Traefik yourself, you can use configuration like this: + +```yaml +matrix_playbook_reverse_proxy_type: other-traefik-container + +matrix_playbook_reverse_proxyable_services_additional_network: your-traefik-network +``` + +In this mode all roles will still have Traefik labels attached. You will, however, need to configure your Traefik instance and its entrypoints. + +By default, the playbook congiures services use a `web-secure` (443) and `matrix-federation` (8448) entrypoints, as well as a `default` certificate resolver. + +Below is some configuration for running Traefik yourself (although we recommend using a [playbook-managed Traefik installation](#playbook-managed-traefik-installation)). Note that this configuration on its own does **not** redirect traffic on port 80 (plain HTTP) to port 443 for HTTPS, which may cause some issues, since the built-in Nginx proxy usually does this. If you are not already doing this in Traefik, it can be added to Traefik in a [file provider](https://docs.traefik.io/v2.0/providers/file/) as follows: @@ -228,7 +191,7 @@ version: "3.3" services: traefik: - image: "traefik:v2.3" + image: "docker.io/traefik:v2.9.6" restart: always container_name: "traefik" networks: