73af8f7bbb
By default, `--tags=self-check` no longer validates certificates when `matrix_ssl_retrieval_method` is set to `self-signed`. Besides this default, people can also enable/disable validation using the individual role variables manually. Fixes #124 (Github Issue)
143 lines
8.1 KiB
YAML
143 lines
8.1 KiB
YAML
matrix_nginx_proxy_enabled: true
|
|
|
|
# We use an official nginx image, which we fix-up to run unprivileged.
|
|
# An alternative would be an `nginxinc/nginx-unprivileged` image, but
|
|
# those as more frequently out of date.
|
|
matrix_nginx_proxy_docker_image: "nginx:1.15.9-alpine"
|
|
|
|
matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy"
|
|
matrix_nginx_proxy_data_path: "{{ matrix_nginx_proxy_base_path }}/data"
|
|
matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_base_path }}/conf.d"
|
|
|
|
# List of systemd services that matrix-nginx-proxy.service depends on
|
|
matrix_nginx_proxy_systemd_required_services_list: ['docker.service']
|
|
|
|
# List of systemd services that matrix-nginx-proxy.service wants
|
|
matrix_nginx_proxy_systemd_wanted_services_list: []
|
|
|
|
# A list of additional "volumes" to mount in the container.
|
|
# This list gets populated dynamically at runtime. You can provide a different default value,
|
|
# if you wish to mount your own files into the container.
|
|
# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
|
|
matrix_nginx_proxy_container_additional_volumes: []
|
|
|
|
# Controls whether matrix-nginx-proxy should serve the base domain.
|
|
#
|
|
# This is useful for when you only have your Matrix server, but you need to serve
|
|
# to serve `/.well-known/matrix/*` files from the base domain for the needs of
|
|
# Server-Discovery (Federation) and for Client-Discovery.
|
|
#
|
|
# Besides serving these Matrix files, a homepage would be served with content
|
|
# as specified in the `matrix_nginx_proxy_base_domain_homepage_template` variable.
|
|
# You can also put additional files to use for this webpage
|
|
# in the `{{ matrix_nginx_proxy_data_path }}/matrix-domain` (`/matrix/nginx-proxy/data/matrix-domain`) directory.
|
|
matrix_nginx_proxy_base_domain_serving_enabled: false
|
|
matrix_nginx_proxy_base_domain_hostname: "{{ matrix_domain }}"
|
|
matrix_nginx_proxy_base_domain_homepage_template: |-
|
|
<!doctype html>
|
|
<meta charset="utf-8" />
|
|
<html>
|
|
<body>
|
|
Hello from {{ matrix_domain }}!
|
|
</body>
|
|
</html>
|
|
|
|
# Controls whether proxying the riot domain should be done.
|
|
matrix_nginx_proxy_proxy_riot_enabled: false
|
|
matrix_nginx_proxy_proxy_riot_hostname: "{{ matrix_server_fqn_riot }}"
|
|
|
|
# Controls whether proxying the matrix domain should be done.
|
|
matrix_nginx_proxy_proxy_matrix_enabled: false
|
|
matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}"
|
|
|
|
# Controls whether proxying the dimension domain should be done.
|
|
matrix_nginx_proxy_proxy_dimension_enabled: false
|
|
matrix_nginx_proxy_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}"
|
|
|
|
# Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain)
|
|
matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false
|
|
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
|
|
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081"
|
|
|
|
# Controls whether proxying for the User Directory Search API (`/_matrix/client/r0/user_directory/search`) should be done (on the matrix domain).
|
|
# This can be used to forward the API endpoint to another service, augmenting the functionality of Synapse's own User Directory Search.
|
|
# To learn more, see: https://github.com/kamax-matrix/mxisd/blob/master/docs/features/directory.md
|
|
matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false
|
|
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-mxisd:8090"
|
|
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:8090"
|
|
|
|
# Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain)
|
|
matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false
|
|
matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-mxisd:8090"
|
|
matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090"
|
|
|
|
# Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain)
|
|
matrix_nginx_proxy_proxy_synapse_metrics: false
|
|
matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled: false
|
|
matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: ""
|
|
|
|
# The addresses where the Matrix Client API is.
|
|
# Certain extensions (like matrix-corporal) may override this in order to capture all traffic.
|
|
matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-synapse:8008"
|
|
matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:8008"
|
|
# This needs to be equal or higher than the maximum upload size accepted by Synapse.
|
|
matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 25
|
|
|
|
# Controls whether proxying for the Matrix Federation API should be done.
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-synapse:8048"
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "localhost:8048"
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb * 3 }}"
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem"
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem"
|
|
|
|
# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
|
|
matrix_nginx_proxy_tmp_directory_size_mb: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb * 50 }}"
|
|
|
|
# A list of strings containing additional configuration blocks to add to the matrix domain's server configuration.
|
|
matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: []
|
|
|
|
# Specifies when to reload the matrix-nginx-proxy service so that
|
|
# a new SSL certificate could go into effect.
|
|
matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"
|
|
|
|
# Specifies which SSL protocols to use when serving Riot and Synapse
|
|
matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3"
|
|
|
|
# Controls whether the self-check feature should validate SSL certificates.
|
|
matrix_nginx_proxy_self_check_validate_certificates: true
|
|
|
|
# By default, this playbook automatically retrieves and auto-renews
|
|
# free SSL certificates from Let's Encrypt.
|
|
#
|
|
# The following retrieval methods are supported:
|
|
# - "lets-encrypt" - the playbook obtains free SSL certificates from Let's Encrypt
|
|
# - "self-signed" - the playbook generates and self-signs certificates
|
|
# - "manually-managed" - lets you manage certificates by yourself (manually; see below)
|
|
# - "none" - like "manually-managed", but doesn't care if you don't drop certificates in the location it expects
|
|
#
|
|
# If you decide to manage certificates by yourself (`matrix_ssl_retrieval_method: manually-managed`),
|
|
# you'd need to drop them into the directory specified by `matrix_ssl_config_dir_path`
|
|
# obeying the following hierarchy:
|
|
# - <matrix_ssl_config_dir_path>/live/<domain>/fullchain.pem
|
|
# - <matrix_ssl_config_dir_path>/live/<domain>/privkey.pem
|
|
# where <domain> refers to the domains that you need (usually `matrix_server_fqn_matrix` and `matrix_server_fqn_riot`).
|
|
#
|
|
# The "none" type (`matrix_ssl_retrieval_method: none`), simply means that no certificate retrieval will happen.
|
|
# It's useful for when you've disabled the nginx proxy (`matrix_nginx_proxy_enabled: false`)
|
|
# and you'll be using another reverse-proxy server (like Apache) with your own certificates, managed by yourself.
|
|
matrix_ssl_retrieval_method: "lets-encrypt"
|
|
|
|
# The list of domains that this role will obtain certificates for.
|
|
matrix_ssl_domains_to_obtain_certificates_for: []
|
|
|
|
# Controls whether to obtain production or staging certificates from Let's Encrypt.
|
|
matrix_ssl_lets_encrypt_staging: false
|
|
matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v0.31.0"
|
|
matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
|
|
matrix_ssl_lets_encrypt_support_email: ~
|
|
|
|
matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"
|
|
matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"
|
|
matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"
|