Make /.well-known/matrix/server optional

People who wish to rely on SRV records can prevent
the `/.well-known/matrix/server` file from being generated
(and thus, served.. which causes trouble).

roles/matrix-base/defaults/main.yml

@@ -28,6 +28,14 @@ matrix_identity_server_url: ~
 # The Docker network that all services would be put into
 matrix_docker_network: "matrix"
 
+# Controls whether a `/.well-known/matrix/server` file is generated and used at all.
+#
+# If you wish to rely on DNS SRV records only, you can disable this.
+# That implies that you'll be handling Matrix Federation API traffic (tcp/8448)
+# using certificates for the base domain (`hostname_identity`) and not for the
+# matrix domain (`hostname_matrix`).
+matrix_well_known_matrix_server_enabled: true
+
 # Variables to Control which parts of our roles run.
 run_setup: true
 run_import_postgres: true

roles/matrix-base/tasks/setup_well_known.yml

@@ -12,13 +12,25 @@
   with_items:
     - "{{ matrix_static_files_base_path }}/.well-known/matrix"
 
-- name: Ensure Matrix /.well-known/matrix files configured
+- name: Ensure Matrix /.well-known/matrix/client file configured
   template:
-    src: "{{ role_path }}/templates/static-files/well-known/matrix-{{ item }}.j2"
-    dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/{{ item }}"
+    src: "{{ role_path }}/templates/static-files/well-known/matrix-client.j2"
+    dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/client"
     mode: 0644
     owner: "{{ matrix_user_username }}"
     group: "{{ matrix_user_username }}"
-  with_items:
-    - "client"
-    - "server"
+
+- name: Ensure Matrix /.well-known/matrix/server file configured
+  template:
+    src: "{{ role_path }}/templates/static-files/well-known/matrix-server.j2"
+    dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/server"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  when: matrix_well_known_matrix_server_enabled
+
+- name: Ensure Matrix /.well-known/matrix/server file deleted
+  file:
+    path: "{{ matrix_static_files_base_path }}/.well-known/matrix/server"
+    state: absent
+  when: "not matrix_well_known_matrix_server_enabled"

roles/matrix-nginx-proxy/tasks/self_check_well_known.yml

@@ -1,13 +1,26 @@
 ---
 
+- name: Determine well-known files to check (Matrix)
+  set_fact:
+    well_known_file_checks:
+      - path: /.well-known/matrix/client
+        purpose: Client Discovery
+        cors: true
+
+- block:
+    - set_fact:
+        well_known_file_check_matrix_server:
+          path: /.well-known/matrix/server
+          purpose: Server Discovery
+          cors: false
+
+    - name: Determine domains that we require certificates for (mxisd)
+      set_fact:
+        well_known_file_checks: "{{ well_known_file_checks + [well_known_file_check_matrix_server] }}"
+  when: "matrix_well_known_matrix_server_enabled"
+
 - name: Perform well-known checks
   include_tasks: "{{ role_path }}/tasks/self_check_well_known_file.yml"
-  with_items:
-    - path: /.well-known/matrix/server
-      purpose: Server Discovery
-      cors: false
-    - path: /.well-known/matrix/client
-      purpose: Client Discovery
-      cors: true
+  with_items: "{{ well_known_file_checks }}"
   loop_control:
     loop_var: well_known_file_check