Fix DNS resolution in nginx-proxy

- Allow customising the IP where lookups take place
- Reload DNS after all containers are started

roles/matrix-bridge-appservice-slack/tasks/init.yml

@@ -54,7 +54,7 @@
         location {{ matrix_appservice_slack_public_endpoint }} {
         {% if matrix_nginx_proxy_enabled|default(False) %}
         	{# Use the embedded DNS resolver in Docker containers to discover the service #}
-        	resolver 127.0.0.11 valid=5s;
+        	resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
         	set $backend "{{ matrix_appservice_slack_appservice_url }}:{{ matrix_appservice_slack_slack_port }}";
         	proxy_pass $backend;
         {% else %}

roles/matrix-bridge-appservice-webhooks/tasks/init.yml

@@ -47,7 +47,7 @@
         {% if matrix_nginx_proxy_enabled|default(False) %}
         {# Use the embedded DNS resolver in Docker containers to discover the service #}
         location ~ ^{{ matrix_appservice_webhooks_public_endpoint }}/(.*)$ {
-          resolver 127.0.0.11 valid=5s;
+          resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
           set $backend "matrix-appservice-webhooks:{{ matrix_appservice_webhooks_matrix_port }}";
           proxy_pass http://$backend/$1;
         }

roles/matrix-bridge-mautrix-hangouts/tasks/init.yml

@@ -38,7 +38,7 @@
         location {{ matrix_mautrix_hangouts_public_endpoint }} {
         {% if matrix_nginx_proxy_enabled|default(False) %}
         	{# Use the embedded DNS resolver in Docker containers to discover the service #}
-        	resolver 127.0.0.11 valid=5s;
+        	resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
         	set $backend "matrix-mautrix-hangouts:8080";
         	proxy_pass http://$backend;
         {% else %}

roles/matrix-bridge-mautrix-telegram/tasks/init.yml

@@ -38,7 +38,7 @@
         location {{ matrix_mautrix_telegram_public_endpoint }} {
         {% if matrix_nginx_proxy_enabled|default(False) %}
         	{# Use the embedded DNS resolver in Docker containers to discover the service #}
-        	resolver 127.0.0.11 valid=5s;
+        	resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
         	set $backend "matrix-mautrix-telegram:8080";
         	proxy_pass http://$backend;
         {% else %}

roles/matrix-bridge-mx-puppet-slack/tasks/init.yml

@@ -38,7 +38,7 @@
         location {{ matrix_mx_puppet_slack_redirect_path }} {
         {% if matrix_nginx_proxy_enabled|default(False) %}
         	{# Use the embedded DNS resolver in Docker containers to discover the service #}
-        	resolver 127.0.0.11 valid=5s;
+        	resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
         	set $backend "{{ matrix_mx_puppet_slack_appservice_address }}";
         	proxy_pass $backend;
         {% else %}

roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml

@@ -38,7 +38,7 @@
         location {{ matrix_mx_puppet_twitter_webhook_path }} {
         {% if matrix_nginx_proxy_enabled|default(False) %}
         	{# Use the embedded DNS resolver in Docker containers to discover the service #}
-        	resolver 127.0.0.11 valid=5s;
+        	resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
         	set $backend "{{ matrix_mx_puppet_twitter_appservice_address }}";
         	proxy_pass $backend;
         {% else %}

roles/matrix-etherpad/tasks/init.yml

@@ -20,7 +20,7 @@
         location {{ matrix_etherpad_public_endpoint }}/ {
         {% if matrix_nginx_proxy_enabled|default(False) %}
           {# Use the embedded DNS resolver in Docker containers to discover the service #}
-          resolver 127.0.0.11 valid=5s;
+          resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
           proxy_pass http://matrix-etherpad:9001/;
           {# These are proxy directives needed specifically by Etherpad #}
           proxy_buffering off;

roles/matrix-nginx-proxy/defaults/main.yml

@@ -357,18 +357,6 @@ matrix_nginx_proxy_self_check_validate_certificates: true
 # so we default to not following redirects as well.
 matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects: none
 
-# For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter).
-#
-# Otherwise, we get warnings like this:
-# > [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/matrix/ssl/config/live/.../fullchain.pem"
-#
-# We point it to the internal Docker resolver, which likely delegates to nameservers defined in `/etc/resolv.conf`.
-#
-# When nginx proxy is disabled, our configuration is likely used by non-containerized nginx, so can't use the internal Docker resolver.
-# Pointing `resolver` to some public DNS server might be an option, but for now we impose DNS servers on people.
-# It might also be that no such warnings occur when not running in a container.
-matrix_nginx_proxy_http_level_resolver: "{{ '127.0.0.11' if matrix_nginx_proxy_enabled else '' }}"
-
 # By default, this playbook automatically retrieves and auto-renews
 # free SSL certificates from Let's Encrypt.
 #
@@ -485,3 +473,5 @@ matrix_nginx_proxy_synapse_frontend_proxy_locations: []
 # http://nginx.org/en/docs/ngx_core_module.html#worker_connections
 matrix_nginx_proxy_worker_processes: 1
 matrix_nginx_proxy_worker_connections: 1024
+
+matrix_docker_dns_resolver_ip: 127.0.0.11

roles/matrix-nginx-proxy/tasks/init.yml

@@ -1,5 +1,5 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-nginx-proxy.service'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-nginx-proxy.service', 'matrix-nginx-proxy-reload.service'] }}"
   when: matrix_nginx_proxy_enabled|bool
 
 - set_fact:

roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml

@@ -164,10 +164,18 @@
   register: matrix_nginx_proxy_systemd_service_result
   when: matrix_nginx_proxy_enabled|bool
 
+- name: Ensure matrix-nginx-proxy-reload.service installed
+  template:
+    src: "{{ role_path }}/templates/systemd/matrix-nginx-proxy-reload.service.j2"
+    dest: "{{ matrix_systemd_path }}/matrix-nginx-proxy-reload.service"
+    mode: 0644
+  register: matrix_nginx_proxy_reload_systemd_service_result
+  when: matrix_nginx_proxy_enabled|bool
+
 - name: Ensure systemd reloaded after matrix-nginx-proxy.service installation
   service:
     daemon_reload: yes
-  when: "matrix_nginx_proxy_enabled and matrix_nginx_proxy_systemd_service_result.changed"
+  when: "matrix_nginx_proxy_enabled and matrix_nginx_proxy_systemd_service_result.changed and matrix_nginx_proxy_reload_systemd_service_result.changed"
 
 
 #
@@ -194,6 +202,12 @@
     state: absent
   when: "not matrix_nginx_proxy_enabled|bool and matrix_nginx_proxy_service_stat.stat.exists"
 
+- name: Ensure matrix-nginx-proxy-reload.service doesn't exist
+  file:
+    path: "{{ matrix_systemd_path }}/matrix-nginx-proxy-reload.service"
+    state: absent
+  when: "not matrix_nginx_proxy_enabled|bool and matrix_nginx_proxy_service_stat.stat.exists"
+
 - name: Ensure systemd reloaded after matrix-nginx-proxy.service removal
   service:
     daemon_reload: yes

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2

@@ -44,7 +44,7 @@ server {
 		location /.well-known/acme-challenge {
 			{% if matrix_nginx_proxy_enabled %}
 				{# Use the embedded DNS resolver in Docker containers to discover the service #}
-				resolver 127.0.0.11 valid=5s;
+				resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 				set $backend "matrix-certbot:8080";
 				proxy_pass http://$backend;
 			{% else %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2

@@ -18,7 +18,7 @@
 	location / {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
-			resolver 127.0.0.11 valid=5s;
+			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "matrix-bot-go-neb:4050";
 			proxy_pass http://$backend;
 		{% else %}
@@ -42,7 +42,7 @@ server {
 		location /.well-known/acme-challenge {
 			{% if matrix_nginx_proxy_enabled %}
 				{# Use the embedded DNS resolver in Docker containers to discover the service #}
-				resolver 127.0.0.11 valid=5s;
+				resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 				set $backend "matrix-certbot:8080";
 				proxy_pass http://$backend;
 			{% else %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2

@@ -26,7 +26,7 @@
 	location / {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
-			resolver 127.0.0.11 valid=5s;
+			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "matrix-client-element:8080";
 			proxy_pass http://$backend;
 		{% else %}
@@ -51,7 +51,7 @@ server {
 		location /.well-known/acme-challenge {
 			{% if matrix_nginx_proxy_enabled %}
 				{# Use the embedded DNS resolver in Docker containers to discover the service #}
-				resolver 127.0.0.11 valid=5s;
+				resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 				set $backend "matrix-certbot:8080";
 				proxy_pass http://$backend;
 			{% else %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2

@@ -24,7 +24,7 @@
 	location / {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
-			resolver 127.0.0.11 valid=5s;
+			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "matrix-client-hydrogen:8080";
 			proxy_pass http://$backend;
 		{% else %}
@@ -49,7 +49,7 @@ server {
 		location /.well-known/acme-challenge {
 			{% if matrix_nginx_proxy_enabled %}
 				{# Use the embedded DNS resolver in Docker containers to discover the service #}
-				resolver 127.0.0.11 valid=5s;
+				resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 				set $backend "matrix-certbot:8080";
 				proxy_pass http://$backend;
 			{% else %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2

@@ -21,7 +21,7 @@
 	location / {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
-			resolver 127.0.0.11 valid=5s;
+			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "matrix-dimension:8184";
 			proxy_pass http://$backend;
 		{% else %}
@@ -45,7 +45,7 @@ server {
 		location /.well-known/acme-challenge {
 			{% if matrix_nginx_proxy_enabled %}
 				{# Use the embedded DNS resolver in Docker containers to discover the service #}
-				resolver 127.0.0.11 valid=5s;
+				resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 				set $backend "matrix-certbot:8080";
 				proxy_pass http://$backend;
 			{% else %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2

@@ -49,7 +49,7 @@
 	location ^~ /_matrix/corporal {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
-			resolver 127.0.0.11 valid=5s;
+			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container }}";
 			proxy_pass http://$backend;
 		{% else %}
@@ -67,7 +67,7 @@
 	location ^~ /_matrix/identity {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
-			resolver 127.0.0.11 valid=5s;
+			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}";
 			proxy_pass http://$backend;
 		{% else %}
@@ -85,7 +85,7 @@
 	location ^~ /_matrix/client/r0/user_directory/search {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
-			resolver 127.0.0.11 valid=5s;
+			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container }}";
 			proxy_pass http://$backend;
 		{% else %}
@@ -102,7 +102,7 @@
 	location ~ ^/_matrix/client/r0/register/(email|msisdn)/requestToken$ {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
-			resolver 127.0.0.11 valid=5s;
+			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container }}";
 			proxy_pass http://$backend;
 		{% else %}
@@ -127,7 +127,7 @@
 	location ~* ^({{ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes|join('|') }}) {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
-			resolver 127.0.0.11 valid=5s;
+			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}";
 			proxy_pass http://$backend;
 		{% else %}
@@ -170,7 +170,7 @@ server {
 		location /.well-known/acme-challenge {
 			{% if matrix_nginx_proxy_enabled %}
 				{# Use the embedded DNS resolver in Docker containers to discover the service #}
-				resolver 127.0.0.11 valid=5s;
+				resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 				set $backend "matrix-certbot:8080";
 				proxy_pass http://$backend;
 			{% else %}
@@ -273,7 +273,7 @@ server {
 	location / {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
-			resolver 127.0.0.11 valid=5s;
+			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container }}";
 			proxy_pass http://$backend;
 		{% else %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2

@@ -28,7 +28,7 @@
 	location / {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
-			resolver 127.0.0.11 valid=5s;
+			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "matrix-grafana:3000";
 			proxy_pass http://$backend;
 		{% else %}
@@ -53,7 +53,7 @@ server {
 		location /.well-known/acme-challenge {
 			{% if matrix_nginx_proxy_enabled %}
 				{# Use the embedded DNS resolver in Docker containers to discover the service #}
-				resolver 127.0.0.11 valid=5s;
+				resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 				set $backend "matrix-certbot:8080";
 				proxy_pass http://$backend;
 			{% else %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2

@@ -21,7 +21,7 @@
 	location / {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
-			resolver 127.0.0.11 valid=5s;
+			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "matrix-jitsi-web:80";
 			proxy_pass http://$backend;
 		{% else %}
@@ -36,7 +36,7 @@
 	# colibri (JVB) websockets
 	location ~ ^/colibri-ws/([a-zA-Z0-9-\.]+)/(.*) {
 		{% if matrix_nginx_proxy_enabled %}
-			resolver 127.0.0.11 valid=5s;
+			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "matrix-jitsi-jvb:9090";
 			proxy_pass http://$backend;
 		{% else %}
@@ -57,7 +57,7 @@
 	# XMPP websocket
 	location = /xmpp-websocket {
 		{% if matrix_nginx_proxy_enabled %}
-			resolver 127.0.0.11 valid=5s;
+			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend {{ matrix_jitsi_xmpp_bosh_url_base }};
 			proxy_pass $backend/xmpp-websocket;
 		{% else %}
@@ -87,7 +87,7 @@ server {
 		location /.well-known/acme-challenge {
 			{% if matrix_nginx_proxy_enabled %}
 				{# Use the embedded DNS resolver in Docker containers to discover the service #}
-				resolver 127.0.0.11 valid=5s;
+				resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 				set $backend "matrix-certbot:8080";
 				proxy_pass http://$backend;
 			{% else %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2

@@ -34,7 +34,7 @@ server {
 		location /.well-known/acme-challenge {
 			{% if matrix_nginx_proxy_enabled %}
 				{# Use the embedded DNS resolver in Docker containers to discover the service #}
-				resolver 127.0.0.11 valid=5s;
+				resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 				set $backend "matrix-certbot:8080";
 				proxy_pass http://$backend;
 			{% else %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2

@@ -19,7 +19,7 @@
 	location / {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
-			resolver 127.0.0.11 valid=5s;
+			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "matrix-sygnal:6000";
 			proxy_pass http://$backend;
 		{% else %}
@@ -44,7 +44,7 @@ server {
 		location /.well-known/acme-challenge {
 			{% if matrix_nginx_proxy_enabled %}
 				{# Use the embedded DNS resolver in Docker containers to discover the service #}
-				resolver 127.0.0.11 valid=5s;
+				resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 				set $backend "matrix-certbot:8080";
 				proxy_pass http://$backend;
 			{% else %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2

@@ -136,7 +136,7 @@ server {
 	location /_synapse/metrics {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
-			resolver 127.0.0.11 valid=5s;
+			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "{{ matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container }}";
 			proxy_pass http://$backend;
 		{% else %}
@@ -157,7 +157,7 @@ server {
 	location / {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
-			resolver 127.0.0.11 valid=5s;
+			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "{{ matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container }}";
 			proxy_pass http://$backend;
 		{% else %}
@@ -213,7 +213,7 @@ server {
 	location / {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
-			resolver 127.0.0.11 valid=5s;
+			resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 			set $backend "{{ matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container }}";
 			proxy_pass http://$backend;
 		{% else %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2

@@ -5,8 +5,9 @@
 # Thus, we ensure a larger bucket size value is used.
 server_names_hash_bucket_size 64;
 
-{% if matrix_nginx_proxy_http_level_resolver %}
-	resolver {{ matrix_nginx_proxy_http_level_resolver }};
+{% if matrix_nginx_proxy_enabled|default(False) %}
+	{# Use the embedded DNS resolver in Docker containers to discover the service #}
+	resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
 {% endif %}
 
 {% for configuration_block in matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks %}

roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy-reload.service.j2

@@ -0,0 +1,13 @@
+[Unit]
+Description=Reloads matrix-nginx-proxy so that new IP addresses can kick in
+After=matrix.target
+
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStartPre={{ matrix_host_command_sleep }} 30
+ExecStart={{ matrix_host_command_systemctl }} reload matrix-nginx-proxy.service
+
+[Install]
+WantedBy=matrix.target

roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2

@@ -21,7 +21,18 @@ ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }}
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
-			--cap-drop=ALL \
+			--cap-drop=AUDIT_WRITE \
+			--cap-drop=CHOWN \
+			--cap-drop=DAC_OVERRIDE \
+			--cap-drop=FOWNER \
+			--cap-drop=FSETID \
+			--cap-drop=KILL \
+			--cap-drop=MKNOD \
+			--cap-drop=SETFCAP \
+			--cap-drop=SETGID \
+			--cap-drop=SETPCAP \
+			--cap-drop=SETUID \
+			--cap-drop=SYS_CHROOT \
 			--read-only \
 			--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_nginx_proxy_tmp_directory_size_mb }}m \
 			--network={{ matrix_docker_network }} \

roles/matrix-registration/tasks/init.yml

@@ -28,7 +28,7 @@
         location ~ ^{{ matrix_registration_public_endpoint }}/(.*) {
         {% if matrix_nginx_proxy_enabled|default(False) %}
           {# Use the embedded DNS resolver in Docker containers to discover the service #}
-          resolver 127.0.0.11 valid=5s;
+          resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
           set $backend "matrix-registration:5000";
           proxy_pass http://$backend/$1;
         {% else %}

roles/matrix-synapse-admin/tasks/init.yml

@@ -27,7 +27,7 @@
         location ~ ^{{ matrix_synapse_admin_public_endpoint }}/(.*) {
         {% if matrix_nginx_proxy_enabled|default(False) %}
           {# Use the embedded DNS resolver in Docker containers to discover the service #}
-          resolver 127.0.0.11 valid=5s;
+          resolver {{ matrix_docker_dns_resolver_ip }} valid=5s;
           set $backend "matrix-synapse-admin:80";
           proxy_pass http://$backend/$1;
         {% else %}