diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 06ccd0952..6cd942170 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -843,6 +843,8 @@ matrix_appservice_irc_container_additional_networks_auto: |- ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network]) + ([postgres_container_network] if (postgres_enabled and matrix_appservice_irc_database_hostname == postgres_connection_hostname and matrix_appservice_irc_container_network != postgres_container_network) else []) + + + [matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_appservice_irc_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [] ) | unique }} @@ -860,6 +862,11 @@ matrix_appservice_irc_database_hostname: "{{ postgres_connection_hostname if pos matrix_appservice_irc_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.irc.db', rounds=655555) | to_uuid }}" matrix_appservice_irc_database_container_network: "{{ postgres_container_network if postgres_enabled else '' }}" +matrix_appservice_irc_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" +matrix_appservice_irc_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_appservice_irc_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}" +matrix_appservice_irc_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}" + ###################################################################### # # /matrix-bridge-appservice-irc diff --git a/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml b/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml index 79eb7b426..f8662ab86 100644 --- a/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml 
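Review bot: The added operand in `matrix_appservice_irc_container_additional_networks_auto` is not parenthesised like the two operands before it, and in Jinja2 an inline `if … else` binds more loosely than `+`. As written the condition governs the whole concatenation, so when Traefik labels are disabled or `matrix_playbook_reverse_proxyable_services_additional_network` is empty, the result is `[]` and the homeserver and Postgres networks are dropped as well. Wrap it the same way as its neighbours: `([matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_appservice_irc_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [])`. The enclosing expression starts above the hunk.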
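Review bot: The four `matrix_appservice_irc_container_labels_traefik_*` assignments added here are repeated verbatim as role defaults in `roles/custom/matrix-bridge-appservice-irc/defaults/main.yml` (hunk at -477) later in this commit. That copy makes the role's defaults depend on playbook-scoped names such as `matrix_playbook_reverse_proxy_type` and `traefik_entrypoint_primary`, which would presumably be undefined if the role is used without this group_vars file. Keeping the playbook wiring only here and giving the role self-contained defaults, for example `matrix_appservice_irc_container_labels_traefik_docker_network: "{{ matrix_appservice_irc_container_network }}"`, leaves one place to audit for what gets exposed through the proxy.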
+++ b/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml @@ -463,11 +463,16 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # Kick a Matrix user from ALL rooms if they choose to QUIT the IRC network. # userQuit: true -# Controls whether the matrix-appservice-discord container exposes its HTTP port (tcp/9999 in the container). +# Controls whether the matrix-appservice-irc container exposes its HTTP port (tcp/9999 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:9999"), or empty string to not expose. matrix_appservice_irc_container_http_host_bind_port: '' +# Controls whether the matrix-appservice-irc container exposes its media proxy HTTP port (tcp/11111 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:11111"), or empty string to not expose. +matrix_appservice_irc_container_media_proxy_host_bind_port: '' + matrix_appservice_irc_container_network: "" matrix_appservice_irc_container_additional_networks: "{{ matrix_appservice_irc_container_additional_networks_auto + matrix_appservice_irc_container_additional_networks_custom }}" 
@@ -477,6 +482,24 @@ matrix_appservice_irc_container_additional_networks_custom: [] # A list of extra arguments to pass to the container matrix_appservice_irc_container_extra_arguments: [] +# matrix_appservice_irc_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# To inject your own other container labels, see `matrix_appservice_irc_container_labels_additional_labels`. +matrix_appservice_irc_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" +matrix_appservice_irc_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_appservice_irc_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}" +matrix_appservice_irc_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}" + +# Controls whether Traefik labels for the media proxy will be applied +matrix_appservice_irc_container_labels_media_proxy_enabled: true +matrix_appservice_irc_container_labels_media_proxy_traefik_rule: "Host(`{{ matrix_domain }}`) && PathPrefix(`/irc/`)" +matrix_appservice_irc_container_labels_media_proxy_traefik_priority: 2000 +matrix_appservice_irc_container_labels_media_proxy_traefik_entrypoints: "{{ matrix_appservice_irc_container_labels_traefik_entrypoints }}" +matrix_appservice_irc_container_labels_media_proxy_traefik_tls: "{{ matrix_appservice_irc_container_labels_media_proxy_traefik_entrypoints != 'web' }}" +matrix_appservice_irc_container_labels_media_proxy_traefik_tls_certResolver: "{{ matrix_appservice_irc_container_labels_traefik_tls_certResolver }}" + +# matrix-appservice-irc container additional labels +matrix_appservice_irc_container_labels_additional_labels: '' + # List of systemd services that matrix-appservice-irc.service depends on. 
matrix_appservice_irc_systemd_required_services_list: "{{ matrix_appservice_irc_systemd_required_services_list_default + matrix_appservice_irc_systemd_required_services_list_auto + matrix_appservice_irc_systemd_required_services_list_custom }}" matrix_appservice_irc_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}" diff --git a/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml index 8562e7fd3..a38f7df11 100644 --- a/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml @@ -121,6 +121,14 @@ owner: "{{ matrix_user_name }}" group: "{{ matrix_group_name }}" +- name: Ensure Matrix Appservice IRC labels file installed + ansible.builtin.template: + src: "{{ role_path }}/templates/labels.j2" + dest: "{{ matrix_appservice_irc_base_path }}/labels" + mode: 0644 + owner: "{{ matrix_user_name }}" + group: "{{ matrix_group_name }}" + - name: Generate Appservice IRC passkey if it doesn't exist ansible.builtin.shell: cmd: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_appservice_irc_data_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048" diff --git a/roles/custom/matrix-bridge-appservice-irc/templates/labels.j2 b/roles/custom/matrix-bridge-appservice-irc/templates/labels.j2 new file mode 100644 index 000000000..c1308b8b1 --- /dev/null +++ b/roles/custom/matrix-bridge-appservice-irc/templates/labels.j2 
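Review bot: `matrix_appservice_irc_container_labels_media_proxy_enabled: true` turns on a new public route by default, and its one-line comment does not say so. Together with the auto-derived `matrix_appservice_irc_container_labels_traefik_enabled`, every deployment behind Traefik gains a router on the main Matrix domain under `/irc/` with priority 2000, which will outrank most other routers on that host. I would document this above the variable, e.g. `# Publishes the bridge's media proxy on the Matrix domain under /irc/ (router priority 2000) whenever Traefik labels are enabled; set to false to keep it unexposed.` It is also worth confirming that defaulting to `true` is intended for installations that do not use the media proxy. The hunk's trailing context continues past the lines reviewed here.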
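Review bot: The new labels file is created with `mode: 0644`, so every local user on the host can read it. It also receives the free-form `matrix_appservice_irc_container_labels_additional_labels`, where operators could place sensitive label values such as basic-auth middleware user hashes. Assuming the docker client that reads `--label-file` runs as root or as the file's owner or group, `mode: '0640'` is sufficient. Writing the mode as a quoted string also avoids relying on YAML octal parsing.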
@@ -0,0 +1,43 @@
+{#
+SPDX-FileCopyrightText: 2025 Jade Ellis
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{% if matrix_appservice_irc_container_labels_traefik_enabled and matrix_appservice_irc_container_labels_media_proxy_enabled %}
+traefik.enable=true
+
+{% if matrix_appservice_irc_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_appservice_irc_container_labels_traefik_docker_network }}
+{% endif %}
+
+traefik.http.services.matrix-appservice-irc-media-proxy.loadbalancer.server.port={{ matrix_appservice_irc_homeserver_media_bind_port }}
+
+############################################################
+# #
+# IRC Bridge Media Proxy #
+# #
+############################################################
+
+traefik.http.routers.matrix-appservice-irc-media-proxy.rule={{ matrix_appservice_irc_container_labels_media_proxy_traefik_rule }}
+
+{% if matrix_appservice_irc_container_labels_media_proxy_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-appservice-irc-media-proxy.priority={{ matrix_appservice_irc_container_labels_media_proxy_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-appservice-irc-media-proxy.service=matrix-appservice-irc-media-proxy
+traefik.http.routers.matrix-appservice-irc-media-proxy.entrypoints={{ matrix_appservice_irc_container_labels_media_proxy_traefik_entrypoints }}
+
+traefik.http.routers.matrix-appservice-irc-media-proxy.tls={{ matrix_appservice_irc_container_labels_media_proxy_traefik_tls | to_json }}
+{% if matrix_appservice_irc_container_labels_media_proxy_traefik_tls %}
+traefik.http.routers.matrix-appservice-irc-media-proxy.tls.certResolver={{ matrix_appservice_irc_container_labels_media_proxy_traefik_tls_certResolver }}
+{% endif %}
+
+############################################################
+# #
+# /IRC Bridge Media Proxy #
+# #
+############################################################
+{% endif %}
+
+{{ matrix_appservice_irc_container_labels_additional_labels }}
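Review bot: `matrix_appservice_irc_homeserver_media_bind_port` is not defined in any hunk of this commit, yet it sets `loadbalancer.server.port` here and the container side of the new `-p` mapping in `matrix-appservice-irc.service.j2`. The new defaults comment, meanwhile, hard-codes "tcp/11111 in the container". Please confirm the variable already exists in the role defaults; if it does not, both templates would presumably fail to render. If it does exist, the defaults comment should name the variable rather than a fixed port, so that the published port and the Traefik backend port cannot drift from what the bridge actually listens on.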
diff --git a/roles/custom/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 b/roles/custom/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 index aa26ff78b..93d533580 100644 --- a/roles/custom/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 +++ b/roles/custom/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 @@ -26,8 +26,12 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ {% if matrix_appservice_irc_container_http_host_bind_port %} -p {{ matrix_appservice_irc_container_http_host_bind_port }}:9999 \ {% endif %} + {% if matrix_appservice_irc_container_media_proxy_host_bind_port %} + -p {{ matrix_appservice_irc_container_media_proxy_host_bind_port }}:{{ matrix_appservice_irc_homeserver_media_bind_port }} \ + {% endif %} --mount type=bind,src={{ matrix_appservice_irc_config_path }},dst=/config \ --mount type=bind,src={{ matrix_appservice_irc_data_path }},dst=/data \ + --label-file={{ matrix_appservice_irc_base_path }}/labels \ {% for arg in matrix_appservice_irc_container_extra_arguments %} {{ arg }} \ {% endfor %}