
Fix DNS resolution in nginx-proxy

- Allow customising the IP where lookups take place
- Reload DNS after all containers are started
pull/1133/head
Hackintosh 5 преди 4 години
родител
ревизия
691b14cd0d
променени са 26 файла, в които са добавени 83 реда и са изтрити 54 реда
  1. +1
    -1
      roles/matrix-bridge-appservice-slack/tasks/init.yml
  2. +1
    -1
      roles/matrix-bridge-appservice-webhooks/tasks/init.yml
  3. +1
    -1
      roles/matrix-bridge-mautrix-hangouts/tasks/init.yml
  4. +1
    -1
      roles/matrix-bridge-mautrix-telegram/tasks/init.yml
  5. +1
    -1
      roles/matrix-bridge-mx-puppet-slack/tasks/init.yml
  6. +1
    -1
      roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml
  7. +1
    -1
      roles/matrix-etherpad/tasks/init.yml
  8. +2
    -12
      roles/matrix-nginx-proxy/defaults/main.yml
  9. +1
    -1
      roles/matrix-nginx-proxy/tasks/init.yml
  10. +15
    -1
      roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
  11. +1
    -1
      roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2
  12. +2
    -2
      roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2
  13. +2
    -2
      roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2
  14. +2
    -2
      roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2
  15. +2
    -2
      roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2
  16. +7
    -7
      roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
  17. +2
    -2
      roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2
  18. +4
    -4
      roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2
  19. +1
    -1
      roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2
  20. +2
    -2
      roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2
  21. +3
    -3
      roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
  22. +3
    -2
      roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2
  23. +13
    -0
      roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy-reload.service.j2
  24. +12
    -1
      roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
  25. +1
    -1
      roles/matrix-registration/tasks/init.yml
  26. +1
    -1
      roles/matrix-synapse-admin/tasks/init.yml

+ 1
- 1
roles/matrix-bridge-appservice-slack/tasks/init.yml Целия файл

@@ -54,7 +54,7 @@
location {{ matrix_appservice_slack_public_endpoint }} {
{% if matrix_nginx_proxy_enabled|default(False) %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "{{ matrix_appservice_slack_appservice_url }}:{{ matrix_appservice_slack_slack_port }}";
proxy_pass $backend;
{% else %}
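Review bot: The `{# Use the embedded DNS resolver in Docker containers to discover the service #}` comment above the templated `resolver` line stops being accurate as soon as `matrix_docker_dns_resolver_ip` is overridden. The same stale comment sits above every other `resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;` line in this commit (the other bridge, etherpad, registration and synapse-admin `init.yml` files and the `conf.d/*.conf.j2` templates). Because this address decides where `proxy_pass $backend` sends requests, I would reword it to something like `{# Resolve the backend through matrix_docker_dns_resolver_ip (Docker's embedded resolver by default); this must be a resolver you trust #}`. Separately, nginx-http.conf.j2 now sets the same resolver at the http level, so the per-location copies look redundant, though I have not verified that every snippet ends up inside that http block. The location block continues outside the hunk.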


+ 1
- 1
roles/matrix-bridge-appservice-webhooks/tasks/init.yml Целия файл

@@ -47,7 +47,7 @@
{% if matrix_nginx_proxy_enabled|default(False) %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
location ~ ^{{ matrix_appservice_webhooks_public_endpoint }}/(.*)$ {
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "matrix-appservice-webhooks:{{ matrix_appservice_webhooks_matrix_port }}";
proxy_pass http://$backend/$1;
}


+ 1
- 1
roles/matrix-bridge-mautrix-hangouts/tasks/init.yml Целия файл

@@ -38,7 +38,7 @@
location {{ matrix_mautrix_hangouts_public_endpoint }} {
{% if matrix_nginx_proxy_enabled|default(False) %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "matrix-mautrix-hangouts:8080";
proxy_pass http://$backend;
{% else %}


+ 1
- 1
roles/matrix-bridge-mautrix-telegram/tasks/init.yml Целия файл

@@ -38,7 +38,7 @@
location {{ matrix_mautrix_telegram_public_endpoint }} {
{% if matrix_nginx_proxy_enabled|default(False) %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "matrix-mautrix-telegram:8080";
proxy_pass http://$backend;
{% else %}


+ 1
- 1
roles/matrix-bridge-mx-puppet-slack/tasks/init.yml Целия файл

@@ -38,7 +38,7 @@
location {{ matrix_mx_puppet_slack_redirect_path }} {
{% if matrix_nginx_proxy_enabled|default(False) %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "{{ matrix_mx_puppet_slack_appservice_address }}";
proxy_pass $backend;
{% else %}


+ 1
- 1
roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml Целия файл

@@ -38,7 +38,7 @@
location {{ matrix_mx_puppet_twitter_webhook_path }} {
{% if matrix_nginx_proxy_enabled|default(False) %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "{{ matrix_mx_puppet_twitter_appservice_address }}";
proxy_pass $backend;
{% else %}


+ 1
- 1
roles/matrix-etherpad/tasks/init.yml Целия файл

@@ -20,7 +20,7 @@
location {{ matrix_etherpad_public_endpoint }}/ {
{% if matrix_nginx_proxy_enabled|default(False) %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
proxy_pass http://matrix-etherpad:9001/;
{# These are proxy directives needed specifically by Etherpad #}
proxy_buffering off;


+ 2
- 12
roles/matrix-nginx-proxy/defaults/main.yml Целия файл

@@ -357,18 +357,6 @@ matrix_nginx_proxy_self_check_validate_certificates: true
# so we default to not following redirects as well.
matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects: none

# For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter).
#
# Otherwise, we get warnings like this:
# > [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/matrix/ssl/config/live/.../fullchain.pem"
#
# We point it to the internal Docker resolver, which likely delegates to nameservers defined in `/etc/resolv.conf`.
#
# When nginx proxy is disabled, our configuration is likely used by non-containerized nginx, so can't use the internal Docker resolver.
# Pointing `resolver` to some public DNS server might be an option, but for now we impose DNS servers on people.
# It might also be that no such warnings occur when not running in a container.
matrix_nginx_proxy_http_level_resolver: "{{ '127.0.0.11' if matrix_nginx_proxy_enabled else '' }}"

# By default, this playbook automatically retrieves and auto-renews
# free SSL certificates from Let's Encrypt.
#
@@ -485,3 +473,5 @@ matrix_nginx_proxy_synapse_frontend_proxy_locations: []
# http://nginx.org/en/docs/ngx_core_module.html#worker_connections
matrix_nginx_proxy_worker_processes: 1
matrix_nginx_proxy_worker_connections: 1024

matrix_docker_dns_resolver_ip: 127.0.0.11
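Review bot: `matrix_docker_dns_resolver_ip` is added at the end of the file with no comment, while the explanatory block for `matrix_nginx_proxy_http_level_resolver` is deleted along with that variable. Anyone who overrode `matrix_nginx_proxy_http_level_resolver` will have that setting silently ignored after this change, so a changelog entry or a validation task that fails on the old name would help. I would add a comment above the new variable along the lines of `# IP of the DNS resolver nginx uses for backend discovery and OCSP lookups. Defaults to Docker's embedded resolver; nginx does not authenticate DNS answers, so only point this at a resolver on a trusted network.`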

+ 1
- 1
roles/matrix-nginx-proxy/tasks/init.yml Целия файл

@@ -1,5 +1,5 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-nginx-proxy.service'] }}"
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-nginx-proxy.service', 'matrix-nginx-proxy-reload.service'] }}"
when: matrix_nginx_proxy_enabled|bool

- set_fact:


+ 15
- 1
roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml Целия файл

@@ -164,10 +164,18 @@
register: matrix_nginx_proxy_systemd_service_result
when: matrix_nginx_proxy_enabled|bool

- name: Ensure matrix-nginx-proxy-reload.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-nginx-proxy-reload.service.j2"
dest: "{{ matrix_systemd_path }}/matrix-nginx-proxy-reload.service"
mode: 0644
register: matrix_nginx_proxy_reload_systemd_service_result
when: matrix_nginx_proxy_enabled|bool

- name: Ensure systemd reloaded after matrix-nginx-proxy.service installation
service:
daemon_reload: yes
when: "matrix_nginx_proxy_enabled and matrix_nginx_proxy_systemd_service_result.changed"
when: "matrix_nginx_proxy_enabled and matrix_nginx_proxy_systemd_service_result.changed and matrix_nginx_proxy_reload_systemd_service_result.changed"


#
@@ -194,6 +202,12 @@
state: absent
when: "not matrix_nginx_proxy_enabled|bool and matrix_nginx_proxy_service_stat.stat.exists"

- name: Ensure matrix-nginx-proxy-reload.service doesn't exist
file:
path: "{{ matrix_systemd_path }}/matrix-nginx-proxy-reload.service"
state: absent
when: "not matrix_nginx_proxy_enabled|bool and matrix_nginx_proxy_service_stat.stat.exists"

- name: Ensure systemd reloaded after matrix-nginx-proxy.service removal
service:
daemon_reload: yes
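Review bot: The new condition on "Ensure systemd reloaded after matrix-nginx-proxy.service installation" joins the two `.changed` results with `and`, so `daemon_reload` is skipped whenever only one of the two unit files changes. It should read `when: "matrix_nginx_proxy_enabled and (matrix_nginx_proxy_systemd_service_result.changed or matrix_nginx_proxy_reload_systemd_service_result.changed)"`. In the second hunk the removal task for matrix-nginx-proxy-reload.service reuses `matrix_nginx_proxy_service_stat.stat.exists`. The stat task is outside the hunk, but by its name it probably checks the main unit file, so a leftover reload unit may not be cleaned up once the main one is gone.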


+ 1
- 1
roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 Целия файл

@@ -44,7 +44,7 @@ server {
location /.well-known/acme-challenge {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "matrix-certbot:8080";
proxy_pass http://$backend;
{% else %}


+ 2
- 2
roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 Целия файл

@@ -18,7 +18,7 @@
location / {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "matrix-bot-go-neb:4050";
proxy_pass http://$backend;
{% else %}
@@ -42,7 +42,7 @@ server {
location /.well-known/acme-challenge {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "matrix-certbot:8080";
proxy_pass http://$backend;
{% else %}


+ 2
- 2
roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 Целия файл

@@ -26,7 +26,7 @@
location / {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "matrix-client-element:8080";
proxy_pass http://$backend;
{% else %}
@@ -51,7 +51,7 @@ server {
location /.well-known/acme-challenge {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "matrix-certbot:8080";
proxy_pass http://$backend;
{% else %}


+ 2
- 2
roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2 Целия файл

@@ -24,7 +24,7 @@
location / {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "matrix-client-hydrogen:8080";
proxy_pass http://$backend;
{% else %}
@@ -49,7 +49,7 @@ server {
location /.well-known/acme-challenge {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "matrix-certbot:8080";
proxy_pass http://$backend;
{% else %}


+ 2
- 2
roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 Целия файл

@@ -21,7 +21,7 @@
location / {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "matrix-dimension:8184";
proxy_pass http://$backend;
{% else %}
@@ -45,7 +45,7 @@ server {
location /.well-known/acme-challenge {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "matrix-certbot:8080";
proxy_pass http://$backend;
{% else %}


+ 7
- 7
roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 Целия файл

@@ -49,7 +49,7 @@
location ^~ /_matrix/corporal {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "{{ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container }}";
proxy_pass http://$backend;
{% else %}
@@ -67,7 +67,7 @@
location ^~ /_matrix/identity {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}";
proxy_pass http://$backend;
{% else %}
@@ -85,7 +85,7 @@
location ^~ /_matrix/client/r0/user_directory/search {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container }}";
proxy_pass http://$backend;
{% else %}
@@ -102,7 +102,7 @@
location ~ ^/_matrix/client/r0/register/(email|msisdn)/requestToken$ {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container }}";
proxy_pass http://$backend;
{% else %}
@@ -127,7 +127,7 @@
location ~* ^({{ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes|join('|') }}) {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}";
proxy_pass http://$backend;
{% else %}
@@ -170,7 +170,7 @@ server {
location /.well-known/acme-challenge {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "matrix-certbot:8080";
proxy_pass http://$backend;
{% else %}
@@ -273,7 +273,7 @@ server {
location / {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container }}";
proxy_pass http://$backend;
{% else %}


+ 2
- 2
roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 Целия файл

@@ -28,7 +28,7 @@
location / {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "matrix-grafana:3000";
proxy_pass http://$backend;
{% else %}
@@ -53,7 +53,7 @@ server {
location /.well-known/acme-challenge {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "matrix-certbot:8080";
proxy_pass http://$backend;
{% else %}


+ 4
- 4
roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 Целия файл

@@ -21,7 +21,7 @@
location / {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "matrix-jitsi-web:80";
proxy_pass http://$backend;
{% else %}
@@ -36,7 +36,7 @@
# colibri (JVB) websockets
location ~ ^/colibri-ws/([a-zA-Z0-9-\.]+)/(.*) {
{% if matrix_nginx_proxy_enabled %}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "matrix-jitsi-jvb:9090";
proxy_pass http://$backend;
{% else %}
@@ -57,7 +57,7 @@
# XMPP websocket
location = /xmpp-websocket {
{% if matrix_nginx_proxy_enabled %}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend {{ matrix_jitsi_xmpp_bosh_url_base }};
proxy_pass $backend/xmpp-websocket;
{% else %}
@@ -87,7 +87,7 @@ server {
location /.well-known/acme-challenge {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "matrix-certbot:8080";
proxy_pass http://$backend;
{% else %}


+ 1
- 1
roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 Целия файл

@@ -34,7 +34,7 @@ server {
location /.well-known/acme-challenge {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "matrix-certbot:8080";
proxy_pass http://$backend;
{% else %}


+ 2
- 2
roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 Целия файл

@@ -19,7 +19,7 @@
location / {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "matrix-sygnal:6000";
proxy_pass http://$backend;
{% else %}
@@ -44,7 +44,7 @@ server {
location /.well-known/acme-challenge {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "matrix-certbot:8080";
proxy_pass http://$backend;
{% else %}


+ 3
- 3
roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 Целия файл

@@ -136,7 +136,7 @@ server {
location /_synapse/metrics {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "{{ matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container }}";
proxy_pass http://$backend;
{% else %}
@@ -157,7 +157,7 @@ server {
location / {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "{{ matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container }}";
proxy_pass http://$backend;
{% else %}
@@ -213,7 +213,7 @@ server {
location / {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "{{ matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container }}";
proxy_pass http://$backend;
{% else %}


+ 3
- 2
roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2 Целия файл

@@ -5,8 +5,9 @@
# Thus, we ensure a larger bucket size value is used.
server_names_hash_bucket_size 64;

{% if matrix_nginx_proxy_http_level_resolver %}
resolver {{ matrix_nginx_proxy_http_level_resolver }};
{% if matrix_nginx_proxy_enabled|default(False) %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
{% endif %}

{% for configuration_block in matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks %}
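Review bot: The comment now copied above the http-level `resolver` says it is used to discover the service, but the comment this commit deletes from defaults/main.yml says this resolver exists for OCSP lookups. `valid=5s` now overrides record TTLs for those lookups as well. I would make the comment cover both uses, e.g. `{# http-level resolver: used for OCSP responder lookups and inherited by location blocks that do not set their own #}`, and confirm that a 5 second cache is intended for the OCSP case. The guard also changed from the variable's truthiness to `matrix_nginx_proxy_enabled|default(False)`, so no resolver can be configured at this level when nginx runs outside the container.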


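--- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy-reload.service.j2
+++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy-reload.service.j2
@@ -0,0 +1,13 @@
+[Unit]
+Description=Reloads matrix-nginx-proxy so that new IP addresses can kick in
+After=matrix.target
+
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStartPre={{ matrix_host_command_sleep }} 30
+ExecStart={{ matrix_host_command_systemctl }} reload matrix-nginx-proxy.service
+
+[Install]
+WantedBy=matrix.target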
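Review bot: `ExecStartPre={{ matrix_host_command_sleep }} 30` uses a fixed delay as the only synchronisation with the other containers, so on a slow host the reload can still run before they are up, and on a fast one every start waits 30 seconds for nothing. With `Type=oneshot` and `RemainAfterExit=yes` the unit also stays active after its first run, so starting it again without stopping it first does nothing. I would at least document this in the unit, e.g. `# Best-effort: wait for the other services, then reload nginx; stop this unit before starting it again`, and make the delay a role variable rather than a literal.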

+ 12
- 1
roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2 Целия файл

@@ -21,7 +21,18 @@ ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }}
ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--cap-drop=AUDIT_WRITE \
--cap-drop=CHOWN \
--cap-drop=DAC_OVERRIDE \
--cap-drop=FOWNER \
--cap-drop=FSETID \
--cap-drop=KILL \
--cap-drop=MKNOD \
--cap-drop=SETFCAP \
--cap-drop=SETGID \
--cap-drop=SETPCAP \
--cap-drop=SETUID \
--cap-drop=SYS_CHROOT \
--read-only \
--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_nginx_proxy_tmp_directory_size_mb }}m \
--network={{ matrix_docker_network }} \
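Review bot: Going by the +12/-1 counts, `--cap-drop=ALL` is replaced by the twelve named `--cap-drop` lines, which turns an allow-list into a deny-list. Any capability in Docker's default set that is not named here (NET_BIND_SERVICE and NET_RAW are not) stays available to the container, and so would any default added by a later Docker release. If the reload path needs one capability, keep `--cap-drop=ALL \` and add it back explicitly with a `--cap-add=<CAPABILITY_NEEDED> \` line plus a comment saying why; the commit message does not say which capability was the problem. The ExecStart command continues outside the hunk.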


+ 1
- 1
roles/matrix-registration/tasks/init.yml Целия файл

@@ -28,7 +28,7 @@
location ~ ^{{ matrix_registration_public_endpoint }}/(.*) {
{% if matrix_nginx_proxy_enabled|default(False) %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "matrix-registration:5000";
proxy_pass http://$backend/$1;
{% else %}


+ 1
- 1
roles/matrix-synapse-admin/tasks/init.yml Целия файл

@@ -27,7 +27,7 @@
location ~ ^{{ matrix_synapse_admin_public_endpoint }}/(.*) {
{% if matrix_nginx_proxy_enabled|default(False) %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
set $backend "matrix-synapse-admin:80";
proxy_pass http://$backend/$1;
{% else %}

