Do not handle /_matrix/federation on client-server port, nor /_matrix/client stuff on federation port

I guess it didn't hurt to do it until now, but it's not great serving
federation APIs on the client-server API port, etc.

matrix-corporal doesn't work yet (still something to be solved in the
future), but its firewalling operations will also be sabotaged
by Client-Server APIs being served on the federation port (it's a way to get around its firewalling).

group_vars/matrix_servers

@@ -975,8 +975,9 @@ matrix_nginx_proxy_synapse_presence_disabled: "{{ not matrix_synapse_use_presenc
 
 matrix_nginx_proxy_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}"
 matrix_nginx_proxy_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}"
-matrix_nginx_proxy_synapse_generic_worker_locations: "{{ matrix_synapse_workers_generic_worker_endpoints|default([]) }}"
-matrix_nginx_proxy_synapse_media_repository_locations: "{{ matrix_synapse_workers_media_repository_endpoints|default([]) }}"
+matrix_nginx_proxy_synapse_generic_worker_client_server_locations: "{{ matrix_synapse_workers_generic_worker_client_server_endpoints }}"
+matrix_nginx_proxy_synapse_generic_worker_federation_locations: "{{ matrix_synapse_workers_generic_worker_federation_endpoints }}"
+matrix_nginx_proxy_synapse_media_repository_locations: "{{matrix_synapse_workers_media_repository_endpoints|default([]) }}"
 matrix_nginx_proxy_synapse_user_dir_locations: "{{ matrix_synapse_workers_user_dir_endpoints|default([]) }}"
 matrix_nginx_proxy_synapse_frontend_proxy_locations: "{{ matrix_synapse_workers_frontend_proxy_endpoints|default([]) }}"
 

roles/matrix-nginx-proxy/defaults/main.yml

@@ -324,7 +324,8 @@ matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ['{{ ansible_def
 # synapse worker activation and endpoint mappings
 matrix_nginx_proxy_synapse_workers_enabled: false
 matrix_nginx_proxy_synapse_workers_list: []
-matrix_nginx_proxy_synapse_generic_worker_locations: []
+matrix_nginx_proxy_synapse_generic_worker_client_server_locations: []
+matrix_nginx_proxy_synapse_generic_worker_federation_locations: []
 matrix_nginx_proxy_synapse_media_repository_locations: []
 matrix_nginx_proxy_synapse_user_dir_locations: []
 matrix_nginx_proxy_synapse_frontend_proxy_locations: []

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2

@@ -109,14 +109,13 @@
 
 		{% if generic_workers %}
 			# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappgeneric_worker
-			{% for location in matrix_nginx_proxy_synapse_generic_worker_locations %}
+			{% for location in matrix_nginx_proxy_synapse_generic_worker_client_server_locations %}
 			location ~ {{ location }} {
 				proxy_pass http://generic_worker_upstream$request_uri;
 				proxy_set_header Host $host;
 				proxy_set_header X-Forwarded-For $remote_addr;
 			}
 			{% endfor %}
-			# FIXME: add GET ^/_matrix/federation/v1/groups/
 		{% endif %}
 
 		{% if media_repository_workers %}
@@ -361,7 +360,7 @@ server {
 	{% if matrix_nginx_proxy_synapse_workers_enabled %}
 		{% if generic_workers %}
 			# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappgeneric_worker
-			{% for location in matrix_nginx_proxy_synapse_generic_worker_locations %}
+			{% for location in matrix_nginx_proxy_synapse_generic_worker_federation_locations %}
 			location ~ {{ location }} {
 				proxy_pass http://generic_worker_upstream$request_uri;
 				proxy_set_header Host $host;

roles/matrix-synapse/vars/main.yml

@@ -8,3 +8,28 @@ matrix_synapse_role_executed: false
 
 matrix_synapse_media_store_parent_path: "{{ matrix_synapse_media_store_path|dirname }}"
 matrix_synapse_media_store_directory_name: "{{ matrix_synapse_media_store_path|basename }}"
+
+# A Synapse generic worker can handle both federation and client-server API endpoints.
+# We wish to split these, as we normally serve federation separately and don't want them mixed up.
+#
+# This is some ugly Ansible/Jinja2 hack (seen here: https://stackoverflow.com/a/47831492),
+# which takes a list of various strings and removes the ones NOT containing `/_matrix/client` anywhere in them.
+#
+# We intentionally don't do a diff between everything possible (`matrix_synapse_workers_generic_worker_endpoints`) and `matrix_synapse_workers_generic_worker_federation_endpoints`,
+# because `matrix_synapse_workers_generic_worker_endpoints` also contains things like `/_synapse/client/`, etc.
+# While /_synapse/client/ endpoints are somewhat client-server API-related, they're:
+# - neither part of the client-server API spec (and are thus, different)
+# - nor always OK to forward to a worker (we're supposed to obey `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled`)
+#
+# It's also not too many of these APIs (only `^/_synapse/client/password_reset/email/submit_token$` at the time of this writing / 2021-01-24),
+# so it's not that important whether we forward them or not.
+#
+# Basically, we aim to cover most things. Skipping `/_synapse/client` or a few other minor things doesn't matter too much.
+matrix_synapse_workers_generic_worker_client_server_endpoints: "{{ matrix_synapse_workers_generic_worker_endpoints|default([]) | map('regex_search', '.*/_matrix/client.*')| list | difference([none]) }}"
+
+# A Synapse generic worker can handle both federation and client-server API endpoints.
+# We wish to split these, as we normally serve federation separately and don't want them mixed up.
+#
+# This is some ugly Ansible/Jinja2 hack (seen here: https://stackoverflow.com/a/47831492),
+# which takes a list of various strings and removes the ones NOT containing `/_matrix/federation` anywhere in them.
+matrix_synapse_workers_generic_worker_federation_endpoints: "{{ matrix_synapse_workers_generic_worker_endpoints|default([]) | map('regex_search', '.*/_matrix/federation.*')| list | difference([none]) }}"