Fix DNS resolution in nginx-proxy

- Allow customising the IP where lookups take place - Reload DNS after all containers are started
4 лет назад · 65ca943508
--- a/roles/matrix-bridge-appservice-slack/tasks/init.yml
+++ b/roles/matrix-bridge-appservice-slack/tasks/init.yml
@@ -47,7 +47,7 @@
        location {{ matrix_appservice_slack_public_endpoint }} {
        {% if matrix_nginx_proxy_enabled|default(False) %}
        	{# Use the embedded DNS resolver in Docker containers to discover the service #}
        	resolver 127.0.0.11 valid=5s;
        	resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
        	set $backend "{{ matrix_appservice_slack_appservice_url }}:{{ matrix_appservice_slack_slack_port }}";
        	proxy_pass $backend;
        {% else %}
--- a/roles/matrix-bridge-appservice-webhooks/tasks/init.yml
+++ b/roles/matrix-bridge-appservice-webhooks/tasks/init.yml
@@ -47,7 +47,7 @@
        location {{ matrix_appservice_webhooks_public_endpoint }}/ {
        {% if matrix_nginx_proxy_enabled|default(False) %}
        {# Use the embedded DNS resolver in Docker containers to discover the service #}
          resolver 127.0.0.11 valid=5s;
          resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
          proxy_pass {{ matrix_appservice_webhooks_appservice_url }}:{{ matrix_appservice_webhooks_matrix_port }}/;
        {% else %}
          {# Generic configuration for use outside of our container setup #}
--- a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml
+++ b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml
@@ -31,7 +31,7 @@
        location {{ matrix_mautrix_hangouts_public_endpoint }} {
        {% if matrix_nginx_proxy_enabled|default(False) %}
        	{# Use the embedded DNS resolver in Docker containers to discover the service #}
        	resolver 127.0.0.11 valid=5s;
        	resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
        	set $backend "matrix-mautrix-hangouts:8080";
        	proxy_pass http://$backend;
        {% else %}
--- a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml
+++ b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml
@@ -31,7 +31,7 @@
        location {{ matrix_mautrix_telegram_public_endpoint }} {
        {% if matrix_nginx_proxy_enabled|default(False) %}
        	{# Use the embedded DNS resolver in Docker containers to discover the service #}
        	resolver 127.0.0.11 valid=5s;
        	resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
        	set $backend "matrix-mautrix-telegram:8080";
        	proxy_pass http://$backend;
        {% else %}
--- a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml
+++ b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml
@@ -31,7 +31,7 @@
        location {{ matrix_mx_puppet_slack_redirect_path }} {
        {% if matrix_nginx_proxy_enabled|default(False) %}
        	{# Use the embedded DNS resolver in Docker containers to discover the service #}
        	resolver 127.0.0.11 valid=5s;
        	resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
        	set $backend "{{ matrix_mx_puppet_slack_appservice_address }}";
        	proxy_pass $backend;
        {% else %}
--- a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml
+++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml
@@ -31,7 +31,7 @@
        location {{ matrix_mx_puppet_twitter_webhook_path }} {
        {% if matrix_nginx_proxy_enabled|default(False) %}
        	{# Use the embedded DNS resolver in Docker containers to discover the service #}
        	resolver 127.0.0.11 valid=5s;
        	resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
        	set $backend "{{ matrix_mx_puppet_twitter_appservice_address }}";
        	proxy_pass $backend;
        {% else %}
--- a/roles/matrix-etherpad/tasks/init.yml
+++ b/roles/matrix-etherpad/tasks/init.yml
@@ -20,7 +20,7 @@
        location {{ matrix_etherpad_public_endpoint }}/ {
        {% if matrix_nginx_proxy_enabled|default(False) %}
          {# Use the embedded DNS resolver in Docker containers to discover the service #}
          resolver 127.0.0.11 valid=5s;
          resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
          proxy_pass http://matrix-etherpad:9001/;
          {# These are proxy directives needed specifically by Etherpad #}
          proxy_buffering off;
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@@ -394,3 +394,5 @@ matrix_nginx_proxy_synapse_frontend_proxy_locations: []
 # http://nginx.org/en/docs/ngx_core_module.html#worker_connections
 matrix_nginx_proxy_worker_processes: 1
 matrix_nginx_proxy_worker_connections: 1024
 matrix_docker_dns_resolver_ip: 127.0.0.11
--- a/roles/matrix-nginx-proxy/tasks/init.yml
+++ b/roles/matrix-nginx-proxy/tasks/init.yml
@@ -1,5 +1,5 @@
 - set_fact:
    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-nginx-proxy.service'] }}"
    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-nginx-proxy.service', 'matrix-nginx-proxy-reload.service'] }}"
  when: matrix_nginx_proxy_enabled|bool
 - set_fact:
--- a/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
+++ b/roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
@@ -157,10 +157,18 @@
  register: matrix_nginx_proxy_systemd_service_result
  when: matrix_nginx_proxy_enabled|bool
 - name: Ensure matrix-nginx-proxy-reload.service installed
  template:
    src: "{{ role_path }}/templates/systemd/matrix-nginx-proxy-reload.service.j2"
    dest: "{{ matrix_systemd_path }}/matrix-nginx-proxy-reload.service"
    mode: 0644
  register: matrix_nginx_proxy_reload_systemd_service_result
  when: matrix_nginx_proxy_enabled|bool
 - name: Ensure systemd reloaded after matrix-nginx-proxy.service installation
  service:
    daemon_reload: yes
  when: "matrix_nginx_proxy_enabled and matrix_nginx_proxy_systemd_service_result.changed"
  when: "matrix_nginx_proxy_enabled and matrix_nginx_proxy_systemd_service_result.changed and matrix_nginx_proxy_reload_systemd_service_result.changed"
 #
@@ -187,6 +195,12 @@
    state: absent
  when: "not matrix_nginx_proxy_enabled|bool and matrix_nginx_proxy_service_stat.stat.exists"
 - name: Ensure matrix-nginx-proxy-reload.service doesn't exist
  file:
    path: "{{ matrix_systemd_path }}/matrix-nginx-proxy-reload.service"
    state: absent
  when: "not matrix_nginx_proxy_enabled|bool and matrix_nginx_proxy_service_stat.stat.exists"
 - name: Ensure systemd reloaded after matrix-nginx-proxy.service removal
  service:
    daemon_reload: yes
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2
@@ -31,7 +31,7 @@ server {
 		location /.well-known/acme-challenge {
 			{% if matrix_nginx_proxy_enabled %}
 				{# Use the embedded DNS resolver in Docker containers to discover the service #}
 				resolver 127.0.0.11 valid=5s;
 				resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 				set $backend "matrix-certbot:8080";
 				proxy_pass http://$backend;
 			{% else %}
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2
@@ -12,7 +12,7 @@
 	location / {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver 127.0.0.11 valid=5s;
 			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "matrix-bot-go-neb:4050";
 			proxy_pass http://$backend;
 		{% else %}
@@ -36,7 +36,7 @@ server {
 		location /.well-known/acme-challenge {
 			{% if matrix_nginx_proxy_enabled %}
 				{# Use the embedded DNS resolver in Docker containers to discover the service #}
 				resolver 127.0.0.11 valid=5s;
 				resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 				set $backend "matrix-certbot:8080";
 				proxy_pass http://$backend;
 			{% else %}
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2
@@ -13,7 +13,7 @@
 	location / {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver 127.0.0.11 valid=5s;
 			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "matrix-client-element:8080";
 			proxy_pass http://$backend;
 		{% else %}
@@ -38,7 +38,7 @@ server {
 		location /.well-known/acme-challenge {
 			{% if matrix_nginx_proxy_enabled %}
 				{# Use the embedded DNS resolver in Docker containers to discover the service #}
 				resolver 127.0.0.11 valid=5s;
 				resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 				set $backend "matrix-certbot:8080";
 				proxy_pass http://$backend;
 			{% else %}
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2
@@ -12,7 +12,7 @@
 	location / {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver 127.0.0.11 valid=5s;
 			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "matrix-dimension:8184";
 			proxy_pass http://$backend;
 		{% else %}
@@ -36,7 +36,7 @@ server {
 		location /.well-known/acme-challenge {
 			{% if matrix_nginx_proxy_enabled %}
 				{# Use the embedded DNS resolver in Docker containers to discover the service #}
 				resolver 127.0.0.11 valid=5s;
 				resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 				set $backend "matrix-certbot:8080";
 				proxy_pass http://$backend;
 			{% else %}
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
@@ -37,7 +37,7 @@
 	location ^~ /_matrix/corporal {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver 127.0.0.11 valid=5s;
 			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container }}";
 			proxy_pass http://$backend;
 		{% else %}
@@ -55,7 +55,7 @@
 	location ^~ /_matrix/identity {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver 127.0.0.11 valid=5s;
 			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}";
 			proxy_pass http://$backend;
 		{% else %}
@@ -73,7 +73,7 @@
 	location ^~ /_matrix/client/r0/user_directory/search {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver 127.0.0.11 valid=5s;
 			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container }}";
 			proxy_pass http://$backend;
 		{% else %}
@@ -90,7 +90,7 @@
 	location ~ ^/_matrix/client/r0/register/(email|msisdn)/requestToken$ {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver 127.0.0.11 valid=5s;
 			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container }}";
 			proxy_pass http://$backend;
 		{% else %}
@@ -115,7 +115,7 @@
 	location ~* ^({{ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes|join('|') }}) {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver 127.0.0.11 valid=5s;
 			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}";
 			proxy_pass http://$backend;
 		{% else %}
@@ -152,7 +152,7 @@ server {
 		location /.well-known/acme-challenge {
 			{% if matrix_nginx_proxy_enabled %}
 				{# Use the embedded DNS resolver in Docker containers to discover the service #}
 				resolver 127.0.0.11 valid=5s;
 				resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 				set $backend "matrix-certbot:8080";
 				proxy_pass http://$backend;
 			{% else %}
@@ -231,7 +231,7 @@ server {
 	location / {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver 127.0.0.11 valid=5s;
 			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container }}";
 			proxy_pass http://$backend;
 		{% else %}
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2
@@ -13,7 +13,7 @@
 	location / {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver 127.0.0.11 valid=5s;
 			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "matrix-grafana:3000";
 			proxy_pass http://$backend;
 		{% else %}
@@ -38,7 +38,7 @@ server {
 		location /.well-known/acme-challenge {
 			{% if matrix_nginx_proxy_enabled %}
 				{# Use the embedded DNS resolver in Docker containers to discover the service #}
 				resolver 127.0.0.11 valid=5s;
 				resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 				set $backend "matrix-certbot:8080";
 				proxy_pass http://$backend;
 			{% else %}
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2
@@ -12,7 +12,7 @@
 	location / {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver 127.0.0.11 valid=5s;
 			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "matrix-jitsi-web:80";
 			proxy_pass http://$backend;
 		{% else %}
@@ -27,7 +27,7 @@
 	# colibri (JVB) websockets
 	location ~ ^/colibri-ws/([a-zA-Z0-9-\.]+)/(.*) {
 		{% if matrix_nginx_proxy_enabled %}
 			resolver 127.0.0.11 valid=5s;
 			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "matrix-jitsi-jvb:9090";
 			proxy_pass http://$backend;
 		{% else %}
@@ -57,7 +57,7 @@ server {
 		location /.well-known/acme-challenge {
 			{% if matrix_nginx_proxy_enabled %}
 				{# Use the embedded DNS resolver in Docker containers to discover the service #}
 				resolver 127.0.0.11 valid=5s;
 				resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 				set $backend "matrix-certbot:8080";
 				proxy_pass http://$backend;
 			{% else %}
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2
@@ -22,7 +22,7 @@ server {
 		location /.well-known/acme-challenge {
 			{% if matrix_nginx_proxy_enabled %}
 				{# Use the embedded DNS resolver in Docker containers to discover the service #}
 				resolver 127.0.0.11 valid=5s;
 				resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 				set $backend "matrix-certbot:8080";
 				proxy_pass http://$backend;
 			{% else %}
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2
@@ -13,7 +13,7 @@
 	location / {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver 127.0.0.11 valid=5s;
 			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "matrix-sygnal:6000";
 			proxy_pass http://$backend;
 		{% else %}
@@ -38,7 +38,7 @@ server {
 		location /.well-known/acme-challenge {
 			{% if matrix_nginx_proxy_enabled %}
 				{# Use the embedded DNS resolver in Docker containers to discover the service #}
 				resolver 127.0.0.11 valid=5s;
 				resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 				set $backend "matrix-certbot:8080";
 				proxy_pass http://$backend;
 			{% else %}
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
@@ -136,7 +136,7 @@ server {
 	location /_synapse/metrics {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver 127.0.0.11 valid=5s;
 			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "{{ matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container }}";
 			proxy_pass http://$backend;
 		{% else %}
@@ -157,7 +157,7 @@ server {
 	location / {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver 127.0.0.11 valid=5s;
 			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "{{ matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container }}";
 			proxy_pass http://$backend;
 		{% else %}
@@ -213,7 +213,7 @@ server {
 	location / {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver 127.0.0.11 valid=5s;
 			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "{{ matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container }}";
 			proxy_pass http://$backend;
 		{% else %}
--- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy-reload.service.j2
+++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy-reload.service.j2
@@ -0,0 +1,13 @@
 [Unit]
 Description=Reloads matrix-nginx-proxy so that new IP addresses can kick in
 After=matrix.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 ExecStartPre={{ matrix_host_command_sleep }} 30
 ExecStart={{ matrix_host_command_systemctl }} reload matrix-nginx-proxy.service
 [Install]
 WantedBy=matrix.target
--- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
+++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
@@ -21,7 +21,18 @@ ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }}
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--cap-drop=AUDIT_WRITE \
 			--cap-drop=CHOWN \
 			--cap-drop=DAC_OVERRIDE \
 			--cap-drop=FOWNER \
 			--cap-drop=FSETID \
 			--cap-drop=KILL \
 			--cap-drop=MKNOD \
 			--cap-drop=SETFCAP \
 			--cap-drop=SETGID \
 			--cap-drop=SETPCAP \
 			--cap-drop=SETUID \
 			--cap-drop=SYS_CHROOT \
 			--read-only \
 			--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_nginx_proxy_tmp_directory_size_mb }}m \
 			--network={{ matrix_docker_network }} \
--- a/roles/matrix-registration/tasks/init.yml
+++ b/roles/matrix-registration/tasks/init.yml
@@ -21,7 +21,7 @@
        location ~ ^{{ matrix_registration_public_endpoint }}/(.*) {
        {% if matrix_nginx_proxy_enabled|default(False) %}
          {# Use the embedded DNS resolver in Docker containers to discover the service #}
          resolver 127.0.0.11 valid=5s;
          resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
          set $backend "matrix-registration:5000";
          proxy_pass http://$backend/$1;
        {% else %}
--- a/roles/matrix-synapse-admin/tasks/init.yml
+++ b/roles/matrix-synapse-admin/tasks/init.yml
@@ -20,7 +20,7 @@
        location ~ ^{{ matrix_synapse_admin_public_endpoint }}/(.*) {
        {% if matrix_nginx_proxy_enabled|default(False) %}
          {# Use the embedded DNS resolver in Docker containers to discover the service #}
          resolver 127.0.0.11 valid=5s;
          resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
          set $backend "matrix-synapse-admin:80";
          proxy_pass http://$backend/$1;
        {% else %}