matrix_nginx_proxy_enabled: true # We use an official nginx image, which we fix-up to run unprivileged. # An alternative would be an `nginxinc/nginx-unprivileged` image, but # that is frequently out of date. matrix_nginx_proxy_docker_image: "docker.io/nginx:1.19.6-alpine" matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}" matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy" matrix_nginx_proxy_data_path: "{{ matrix_nginx_proxy_base_path }}/data" matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_base_path }}/conf.d" # List of systemd services that matrix-nginx-proxy.service depends on matrix_nginx_proxy_systemd_required_services_list: ['docker.service'] # List of systemd services that matrix-nginx-proxy.service wants matrix_nginx_proxy_systemd_wanted_services_list: [] # A list of additional "volumes" to mount in the container. # This list gets populated dynamically at runtime. You can provide a different default value, # if you wish to mount your own files into the container. # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."} matrix_nginx_proxy_container_additional_volumes: [] # A list of extra arguments to pass to the container matrix_nginx_proxy_container_extra_arguments: [] # Controls whether matrix-nginx-proxy serves its vhosts over HTTPS or HTTP. # # If enabled: # - SSL certificates would be expected to be available (see `matrix_ssl_retrieval_method`) # - the HTTP vhost would be made a redirect to the HTTPS vhost # # If not enabled: # - you don't need any SSL certificates (you can set `matrix_ssl_retrieval_method: none`) # - naturally, there's no HTTPS vhost # - services are served directly from the HTTP vhost matrix_nginx_proxy_https_enabled: true # Controls whether the matrix-nginx-proxy container exposes its HTTP port (tcp/8080 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:80"), or empty string to not expose. matrix_nginx_proxy_container_http_host_bind_port: '80' # Controls whether the matrix-nginx-proxy container exposes its HTTPS port (tcp/8443 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:443"), or empty string to not expose. # # This only makes sense and applies if `matrix_nginx_proxy_https_enabled` is set to `true`. # Otherwise, there are no HTTPS vhosts to expose. matrix_nginx_proxy_container_https_host_bind_port: '443' # Controls whether the matrix-nginx-proxy container exposes the Matrix Federation port (tcp/8448 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:8448"), or empty string to not expose. # # This only makes sense and applies if `matrix_nginx_proxy_proxy_matrix_federation_api_enabled` is set to `true`. # Otherwise, there is no Matrix Federation port to expose. # # This port can take HTTP or HTTPS traffic, depending on `matrix_nginx_proxy_https_enabled`. # When HTTPS is disabled, you'd likely want to only expose the port locally, and front it with another HTTPS-enabled reverse-proxy. matrix_nginx_proxy_container_federation_host_bind_port: '8448' # Controls whether matrix-nginx-proxy should serve the base domain. # # This is useful for when you only have your Matrix server, but you need to serve # to serve `/.well-known/matrix/*` files from the base domain for the needs of # Server-Discovery (Federation) and for Client-Discovery. # # Besides serving these Matrix files, a homepage would be served with content # as specified in the `matrix_nginx_proxy_base_domain_homepage_template` variable. # You can also put additional files to use for this webpage # in the `{{ matrix_nginx_proxy_data_path }}/matrix-domain` (`/matrix/nginx-proxy/data/matrix-domain`) directory. matrix_nginx_proxy_base_domain_serving_enabled: false matrix_nginx_proxy_base_domain_hostname: "{{ matrix_domain }}" # Controls whether `matrix_nginx_proxy_base_domain_homepage_template` would be dumped to an `index.html` file # in the `/matrix/nginx-proxy/data/matrix-domain` directory. # # If you would instead like to serve a static website by yourself, you can disable this. # When disabled, you're expected to put website files in `/matrix/nginx-proxy/data/matrix-domain` manually # and can expect that the playbook won't intefere with the `index.html` file. matrix_nginx_proxy_base_domain_homepage_enabled: true matrix_nginx_proxy_base_domain_homepage_template: |- Hello from {{ matrix_domain }}! # Option to disable the access log matrix_nginx_proxy_access_log_enabled: true # Controls whether proxying the riot domain should be done. matrix_nginx_proxy_proxy_riot_compat_redirect_enabled: false matrix_nginx_proxy_proxy_riot_compat_redirect_hostname: "riot.{{ matrix_domain }}" # Controls whether proxying the Element domain should be done. matrix_nginx_proxy_proxy_element_enabled: false matrix_nginx_proxy_proxy_element_hostname: "{{ matrix_server_fqn_element }}" # Controls whether proxying the matrix domain should be done. matrix_nginx_proxy_proxy_matrix_enabled: false matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}" # Controls whether proxying the dimension domain should be done. matrix_nginx_proxy_proxy_dimension_enabled: false matrix_nginx_proxy_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}" # Controls whether proxying the jitsi domain should be done. matrix_nginx_proxy_proxy_jitsi_enabled: false matrix_nginx_proxy_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}" # Controls whether proxying the grafana domain should be done. matrix_nginx_proxy_proxy_grafana_enabled: false matrix_nginx_proxy_proxy_grafana_hostname: "{{ matrix_server_fqn_grafana }}" # Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081" # Controls whether proxying for the User Directory Search API (`/_matrix/client/r0/user_directory/search`) should be done (on the matrix domain). # This can be used to forward the API endpoint to another service, augmenting the functionality of Synapse's own User Directory Search. # To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/directory.md matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-ma1sd:8090" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:8090" # Controls whether proxying for 3PID-based registration (`/_matrix/client/r0/register/(email|msisdn)/requestToken`) should be done (on the matrix domain). # This allows another service to control registrations involving 3PIDs. # To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled: false matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-ma1sd:8090" matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container: "127.0.0.1:8090" # Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:8090" matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090" # Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_synapse_metrics: false matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled: false matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: "" # The addresses where the Matrix Client API is. # Certain extensions (like matrix-corporal) may override this in order to capture all traffic. matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-synapse:8008" matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:8008" # This needs to be equal or higher than the maximum upload size accepted by Synapse. matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 50 # Tells whether `/_synapse/client` is forwarded to the Matrix Client API server. matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled: true # Tells whether `/_synapse/oidc` is forwarded to the Matrix Client API server. # Enable this if you need OpenID Connect authentication support. matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled: false # Tells whether `/_synapse/admin` is forwarded to the Matrix Client API server. # Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't. matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: false # `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefixes` holds # the location prefixes that get forwarded to the Matrix Client API server. # These locations get combined into a regex like this `^(/_matrix|/_synapse/client)`. matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: | {{ (['/_matrix']) + (['/_synapse/client'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled else []) + (['/_synapse/oidc'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled else []) + (['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else []) }} # Specifies where requests for the root URI (`/`) on the `matrix.` domain should be redirected. # If this has an empty value, they're just passed to the homeserver, which serves a static page. # If you'd like to make `https://matrix.DOMAIN` redirect to `https://element.DOMAIN` (or something of that sort), specify the domain name here. # Example value: `element.DOMAIN` (or `{{ matrix_server_fqn_element }}`). matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: "" # Controls whether proxying for the Matrix Federation API should be done. matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-synapse:8048" matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "localhost:8048" matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb | int) * 3 }}" matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem" matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem" # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}" # A list of strings containing additional configuration blocks to add to the nginx http's server configuration. matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to the matrix synapse's server configuration. matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to Riot's server configuration. matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to Element's server configuration. matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to Dimension's server configuration. matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to Jitsi's server configuration. matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to Grafana's server configuration. matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks: [] # A list of strings containing additional configuration blocks to add to the base domain server configuration. matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: [] # Specifies the SSL configuration that should be used for the SSL protocols and ciphers # This is based on the Mozilla Server Side TLS Recommended configurations. # # The posible values are: # - "modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility # - "intermediate" - Recommended configuration for a general-purpose server # - "old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8 # # For more information visit: # - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations # - https://ssl-config.mozilla.org/#server=nginx matrix_nginx_proxy_ssl_preset: "intermediate" # Presets are taken from Mozilla's Server Side TLS Recommended configurations # DO NOT modify these values and use `matrix_nginx_proxy_ssl_protocols`, `matrix_nginx_proxy_ssl_ciphers` and `matrix_nginx_proxy_ssl_ciphers` # if you wish to use something more custom. matrix_nginx_proxy_ssl_presets: modern: protocols: TLSv1.3 ciphers: "" prefer_server_ciphers: "off" intermediate: protocols: TLSv1.2 TLSv1.3 ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 prefer_server_ciphers: "off" old: protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA prefer_server_ciphers: "on" # Specifies which *SSL protocols* to use when serving all the various vhosts. matrix_nginx_proxy_ssl_protocols: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}" # Specifies whether to prefer *the client’s choice or the server’s choice* when negotiating ciphers. matrix_nginx_proxy_ssl_prefer_server_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}" # Specifies which *SSL Cipher suites* to use when serving all the various vhosts. # To see the full list for suportes ciphers run `openssl ciphers` on your server matrix_nginx_proxy_ssl_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}" # Controls whether the self-check feature should validate SSL certificates. matrix_nginx_proxy_self_check_validate_certificates: true # Controls whether redirects will be followed when checking the `/.well-known/matrix/client` resource. # # As per the spec (https://matrix.org/docs/spec/client_server/r0.6.0#well-known-uri), it shouldn't be, # so we default to not following redirects as well. matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects: none # By default, this playbook automatically retrieves and auto-renews # free SSL certificates from Let's Encrypt. # # The following retrieval methods are supported: # - "lets-encrypt" - the playbook obtains free SSL certificates from Let's Encrypt # - "self-signed" - the playbook generates and self-signs certificates # - "manually-managed" - lets you manage certificates by yourself (manually; see below) # - "none" - like "manually-managed", but doesn't care if you don't drop certificates in the location it expects # # If you decide to manage certificates by yourself (`matrix_ssl_retrieval_method: manually-managed`), # you'd need to drop them into the directory specified by `matrix_ssl_config_dir_path` # obeying the following hierarchy: # - /live//fullchain.pem # - /live//privkey.pem # where refers to the domains that you need (usually `matrix_server_fqn_matrix` and `matrix_server_fqn_element`). # # The "none" type (`matrix_ssl_retrieval_method: none`), simply means that no certificate retrieval will happen. # It's useful for when you've disabled the nginx proxy (`matrix_nginx_proxy_enabled: false`) # and you'll be using another reverse-proxy server (like Apache) with your own certificates, managed by yourself. # It's also useful if you're using `matrix_nginx_proxy_https_enabled: false` to make this nginx proxy serve # plain HTTP traffic only (usually, on the loopback interface only) and you'd be terminating SSL using another reverse-proxy. matrix_ssl_retrieval_method: "lets-encrypt" matrix_ssl_architecture: "amd64" # The full list of domains that this role will obtain certificates for. # This variable is likely redefined outside of the role, to include the domains that are necessary (depending on the services that are enabled). # To add additional domain names, consider using `matrix_ssl_additional_domains_to_obtain_certificates_for` instead. matrix_ssl_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains_to_obtain_certificates_for }}" # A list of additional domain names to obtain certificates for. matrix_ssl_additional_domains_to_obtain_certificates_for: [] # Controls whether to obtain production or staging certificates from Let's Encrypt. matrix_ssl_lets_encrypt_staging: false matrix_ssl_lets_encrypt_certbot_docker_image: "docker.io/certbot/certbot:{{ matrix_ssl_architecture }}-v1.11.0" matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: ~ # Tells which interface and port the Let's Encrypt (certbot) container should try to bind to # when it tries to obtain initial certificates in standalone mode. # # This should normally be a public interface and port. # If you'd like to not bind on all IP addresses, specify one explicitly (e.g. `a.b.c.d:80`) matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port: '80' matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl" matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config" matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log" # If you'd like to start some service before a certificate is obtained, specify it here. # This could be something like `matrix-dynamic-dns`, etc. matrix_ssl_pre_obtaining_required_service_name: ~ matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60 # nginx status page configurations. matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: false matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ['{{ ansible_default_ipv4.address }}']