Clean up some matrix_nginx_proxy_proxy_matrix_metrics_* references

2 lat temu · abde681b56
--- a/docs/configuring-playbook-bridge-hookshot.md
+++ b/docs/configuring-playbook-bridge-hookshot.md
@@ -57,7 +57,7 @@ Unless indicated otherwise, the following endpoints are reachable on your `matri
 | provisioning | `/hookshot/v1/` | `matrix_hookshot_provisioning_endpoint` | Dimension [provisioning](#provisioning-api) |
 | appservice | `/hookshot/_matrix/app/` | `matrix_hookshot_appservice_endpoint` | Matrix server |
 | widgets | `/hookshot/widgetapi/` | `matrix_hookshot_widgets_endpoint` | Widgets |
 | metrics | `/metrics/hookshot` | `matrix_hookshot_metrics_enabled` and `matrix_hookshot_metrics_proxying_enabled`. Requires `/metrics/*` endpoints to also be enabled via `matrix_nginx_proxy_proxy_matrix_metrics_enabled` (see the `matrix-nginx-proxy` role). Read more in the [Metrics section](#metrics) below. | Prometheus |
 | metrics | `/metrics/hookshot` | `matrix_hookshot_metrics_enabled` and exposure enabled via `matrix_hookshot_metrics_proxying_enabled` or `matrix_metrics_exposure_enabled`. Read more in the [Metrics section](#metrics) below. | Prometheus |

 See also `matrix_hookshot_matrix_nginx_proxy_configuration` in [init.yml](/roles/custom/matrix-bridge-hookshot/tasks/inject_into_nginx_proxy.yml).

@@ -91,10 +91,12 @@ Metrics are **only enabled by default** if the builtin [Prometheus](configuring-

 To explicitly enable metrics, use `matrix_hookshot_metrics_enabled: true`. This only exposes metrics over the container network, however.

 **To collect metrics from an external Prometheus server**, besides enabling metrics as described above, you will also need to:
 **To collect metrics from an external Prometheus server**, besides enabling metrics as described above, you will also need to enable metrics exposure on `https://matrix.DOMAIN/metrics/hookshot` by:

 - enable the `https://matrix.DOMAIN/metrics/*` endpoints on `matrix.DOMAIN` using `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true` (see the `matrix-nginx-role` or [the Prometheus and Grafana docs](configuring-playbook-prometheus-grafana.md) for enabling this feature)
 - expose the Hookshot metrics under `https://matrix.DOMAIN/metrics/hookshot` by setting `matrix_hookshot_metrics_proxying_enabled: true`
 - either enabling metrics exposure for Hookshot via `matrix_hookshot_metrics_proxying_enabled: true`
 - or enabling metrics exposure for all services via `matrix_metrics_exposure_enabled: true`

 Whichever one you go with, by default metrics are exposed publicly **without** password-protection. See [the Prometheus and Grafana docs](configuring-playbook-prometheus-grafana.md) for details about password-protection for metrics.

 ### Collision with matrix-appservice-webhooks

--- a/docs/configuring-playbook-prometheus-grafana.md
+++ b/docs/configuring-playbook-prometheus-grafana.md
@@ -61,43 +61,29 @@ Most of our docker containers run with limited system access, but the `prometheu

 When you'd like **to collect metrics from an external Prometheus server**, you need to expose service metrics outside of the container network.

 The playbook provides a single endpoint (`https://matrix.DOMAIN/metrics/*`), under which various services may expose their metrics (e.g. `/metrics/node-exporter`, `/metrics/postgres-exporter`, `/metrics/hookshot`, etc). To enable this `/metrics/*` feature, use `matrix_nginx_proxy_proxy_matrix_metrics_enabled`. To protect access using [Basic Authentication](https://en.wikipedia.org/wiki/Basic_access_authentication), see `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled` below.
 The playbook provides a single endpoint (`https://matrix.DOMAIN/metrics/*`), under which various services may expose their metrics (e.g. `/metrics/node-exporter`, `/metrics/postgres-exporter`, `/metrics/hookshot`, etc). To expose all services on this `/metrics/*` feature, use `matrix_metrics_exposure_enabled`. To protect access using [Basic Authentication](https://en.wikipedia.org/wiki/Basic_access_authentication), see `matrix_metrics_exposure_http_basic_auth_enabled` and `matrix_metrics_exposure_http_basic_auth_users` below.

 When using `matrix_metrics_exposure_enabled`, you don't need to expose metrics for individual services one by one.

 The following variables may be of interest:

 Name | Description
 -----|----------
 `matrix_nginx_proxy_proxy_matrix_metrics_enabled`|Set this to `true` to enable metrics exposure for various services on `https://matrix.DOMAIN/metrics/*`. Refer to the individual `matrix_SERVICE_metrics_proxying_enabled` variables below for exposing metrics for each individual service.
 `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled`|Set this to `true` to protect all `https://matrix.DOMAIN/metrics/*` endpoints with [Basic Authentication](https://en.wikipedia.org/wiki/Basic_access_authentication) (see the other variables below for supplying the actual credentials). When enabled, all endpoints beneath `/metrics` will be protected with the same credentials
 `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username`|Set this to the Basic Authentication username you'd like to protect `/metrics/*` with. You also need to set `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password`. If one username/password pair is not enough, you can leave the `username` and `password` variables unset and use `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content` instead
 `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password`|Set this to the Basic Authentication password you'd like to protect `/metrics/*` with
 `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content`|Set this to the Basic Authentication credentials (raw `htpasswd` file content) used to protect `/metrics/*`. This htpasswd-file needs to be generated with the `htpasswd` tool and can include multiple username/password pairs. If you only need one credential, use `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password` instead.
 `matrix_metrics_exposure_enabled`|Set this to `true` to **enable metrics exposure for all services** on `https://matrix.DOMAIN/metrics/*`. If you think this is too much, refer to the helpful (but nonexhaustive) list of individual `matrix_SERVICE_metrics_proxying_enabled` variables below for exposing metrics on a per-service basis.
 `matrix_metrics_exposure_http_basic_auth_enabled`|Set this to `true` to protect all `https://matrix.DOMAIN/metrics/*` endpoints with [Basic Authentication](https://en.wikipedia.org/wiki/Basic_access_authentication) (see the other variables below for supplying the actual credentials). When enabled, all endpoints beneath `/metrics` will be protected with the same credentials
 `matrix_metrics_exposure_http_basic_auth_users`|Set this to the Basic Authentication credentials (raw `htpasswd` file content) used to protect `/metrics/*`. This htpasswd-file needs to be generated with the `htpasswd` tool and can include multiple username/password pairs.
 `matrix_synapse_metrics_enabled`|Set this to `true` to make Synapse expose metrics (locally, on the container network)
 `matrix_synapse_metrics_proxying_enabled`|Set this to `true` to expose Synapse's metrics on `https://matrix.DOMAIN/metrics/synapse/main-process` and `https://matrix.DOMAIN/metrics/synapse/worker/TYPE-ID` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`). Read [below](#collecting-synapse-worker-metrics-to-an-external-prometheus-server) if you're running a Synapse worker setup (`matrix_synapse_workers_enabled: true`).
 `matrix_synapse_metrics_proxying_enabled`|Set this to `true` to expose Synapse's metrics on `https://matrix.DOMAIN/metrics/synapse/main-process` and `https://matrix.DOMAIN/metrics/synapse/worker/TYPE-ID`. Read [below](#collecting-synapse-worker-metrics-to-an-external-prometheus-server) if you're running a Synapse worker setup (`matrix_synapse_workers_enabled: true`). To password-protect the metrics, see `matrix_metrics_exposure_http_basic_auth_users` above.
 `prometheus_node_exporter_enabled`|Set this to `true` to enable the node (general system stats) exporter (locally, on the container network)
 `matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxying_enabled`|Set this to `true` to expose the node (general system stats) metrics on `https://matrix.DOMAIN/metrics/node-exporter` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`)
 `matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxying_enabled`|Set this to `true` to expose the node (general system stats) metrics on `https://matrix.DOMAIN/metrics/node-exporter`. To password-protect the metrics, see `matrix_metrics_exposure_http_basic_auth_users` above.
 `prometheus_postgres_exporter_enabled`|Set this to `true` to enable the [Postgres exporter](configuring-playbook-prometheus-postgres.md) (locally, on the container network)
 `matrix_prometheus_nginxlog_exporter_enabled`|Set this to `true` to enable the [NGINX Log exporter](configuring-playbook-prometheus-nginxlog.md) (locally, on the container network)
 `matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled`|Set this to `true` to expose the [Postgres exporter](configuring-playbook-prometheus-postgres.md) metrics on `https://matrix.DOMAIN/metrics/postgres-exporter` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`)
 `matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled`|Set this to `true` to expose the [Postgres exporter](configuring-playbook-prometheus-postgres.md) metrics on `https://matrix.DOMAIN/metrics/postgres-exporter`. To password-protect the metrics, see `matrix_metrics_exposure_http_basic_auth_users` above.
 `matrix_bridge_hookshot_metrics_enabled`|Set this to `true` to make [Hookshot](configuring-playbook-bridge-hookshot.md) expose metrics (locally, on the container network)
 `matrix_bridge_hookshot_metrics_proxying_enabled`|Set this to `true` to expose the [Hookshot](configuring-playbook-bridge-hookshot.md) metrics on `https://matrix.DOMAIN/metrics/hookshot` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`)
 `matrix_SERVICE_metrics_proxying_enabled`|Various other services/roles may provide similar `_metrics_enabled` and `_metrics_proxying_enabled` variables for exposing their metrics. Refer to each role for details. Only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`
 `matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks`|Add nginx `location` blocks to this list if you'd like to expose additional exporters manually (see below)
 `matrix_bridge_hookshot_metrics_proxying_enabled`|Set this to `true` to expose the [Hookshot](configuring-playbook-bridge-hookshot.md) metrics on `https://matrix.DOMAIN/metrics/hookshot`. To password-protect the metrics, see `matrix_metrics_exposure_http_basic_auth_users` above.
 `matrix_SERVICE_metrics_proxying_enabled`|Various other services/roles may provide similar `_metrics_enabled` and `_metrics_proxying_enabled` variables for exposing their metrics. Refer to each role for details. To password-protect the metrics, see `matrix_metrics_exposure_http_basic_auth_users` above or `matrix_SERVICE_container_labels_metrics_middleware_basic_auth_enabled`/`matrix_SERVICE_container_labels_metrics_middleware_basic_auth_users` variables provided by each role.
 `matrix_media_repo_metrics_enabled`|Set this to `true` to make media-repo expose metrics (locally, on the container network)

 Example for how to make use of `matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks` for exposing additional metrics locations:
 ```nginx
 matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks:
  - 'location /metrics/another-service {
  resolver 127.0.0.11 valid=5s;
  proxy_pass http://matrix-another-service:9100/metrics;
  }'
 ```

 Using `matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks` only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true` (see above).

 Note : The playbook will hash the basic_auth password for you on setup. Thus, you need to give the plain-text version of the password as a variable.

 ### Collecting Synapse worker metrics to an external Prometheus server

 If you are using workers (`matrix_synapse_workers_enabled: true`) and have enabled `matrix_synapse_metrics_proxying_enabled` as described above, the playbook will also automatically expose all Synapse worker threads' metrics to `https://matrix.DOMAIN/metrics/synapse/worker/ID`, where `ID` corresponds to the worker `id` as exemplified in `matrix_synapse_workers_enabled_list`.
--- a/docs/configuring-playbook-prometheus-nginxlog.md
+++ b/docs/configuring-playbook-prometheus-nginxlog.md
@@ -46,14 +46,5 @@ The playbook will automatically integrate the metrics into the Prometheus server
 The metrics of this role will be exposed on `https://matrix.DOMAIN/metrics/nginxlog` when setting
 ```yaml
 matrix_prometheus_nginxlog_exporter_metrics_proxying_enabled: true

 # required dependency
 matrix_nginx_proxy_proxy_matrix_metrics_enabled: true
 ```
 The playbook can provide a single endpoint (`https://matrix.DOMAIN/metrics/*`), under which various services may expose their metrics (e.g. `/metrics/node-exporter`, `/metrics/postgres-exporter`, `/metrics/nginxlog`, etc). To enable this `/metrics/*` feature, use `matrix_nginx_proxy_proxy_matrix_metrics_enabled`. To protect access using [Basic Authentication](https://en.wikipedia.org/wiki/Basic_access_authentication), see `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled`.

 The following variables may be of interest:

 Name | Description
 -----|----------
 `matrix_nginx_proxy_proxy_matrix_metrics_enabled`|Set this to `true` to enable metrics exposure for various services on `https://matrix.DOMAIN/metrics/*`. Refer to the individual `matrix_SERVICE_metrics_proxying_enabled` variables below for exposing metrics for each individual service.
--- a/docs/configuring-playbook-prometheus-postgres.md
+++ b/docs/configuring-playbook-prometheus-postgres.md
@@ -16,7 +16,7 @@ Name | Description
 `prometheus_postgres_exporter_enabled`|Enable the postgres prometheus exporter. This sets up the docker container, connects it to the database and adds a 'job' to the prometheus config which tells prometheus about this new exporter. The default is 'false'
 `prometheus_postgres_exporter_database_username`| The 'username' for the user that the exporter uses to connect to the database. The default is 'matrix_prometheus_postgres_exporter'
 `prometheus_postgres_exporter_database_password`| The 'password' for the user that the exporter uses to connect to the database. By default, this is auto-generated by the playbook
 `matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled`|If set to `true`, exposes the Postgres exporter metrics on `https://matrix.DOMAIN/metrics/postgres-exporter` for usage with an [external Prometheus server](configuring-playbook-prometheus-grafana.md#collecting-metrics-to-an-external-prometheus-server) (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`)
 `matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled`|If set to `true`, exposes the Postgres exporter metrics on `https://matrix.DOMAIN/metrics/postgres-exporter` for usage with an [external Prometheus server](configuring-playbook-prometheus-grafana.md#collecting-metrics-to-an-external-prometheus-server).


 ## More information
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -1144,12 +1144,10 @@ matrix_mautrix_signal_appservice_token: "{{ '%s' | format(matrix_homeserver_gene

 matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"

 # People using an external Prometheus server will need to toggle all of these to be able to consume metrics remotely:
 # - `matrix_mautrix_signal_metrics_enabled`
 # - `matrix_mautrix_signal_proxying_metrics_enabled`
 # - `matrix_nginx_proxy_proxy_matrix_metrics_enabled`
 matrix_mautrix_signal_metrics_enabled: "{{ prometheus_enabled }}"

 # TODO - add support for exposing metrics

 matrix_mautrix_signal_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}"
 matrix_mautrix_signal_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
 matrix_mautrix_signal_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.signal.db', rounds=655555) | to_uuid }}"
@@ -1271,12 +1269,10 @@ matrix_mautrix_gmessages_homeserver_token: "{{ '%s' | format(matrix_homeserver_g

 matrix_mautrix_gmessages_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"

 # People using an external Prometheus server will need to toggle all of these to be able to consume metrics remotely:
 # - `matrix_mautrix_gmessages_metrics_enabled`
 # - `matrix_mautrix_gmessages_proxying_metrics_enabled`
 # - `matrix_nginx_proxy_proxy_matrix_metrics_enabled`
 matrix_mautrix_gmessages_metrics_enabled: "{{ prometheus_enabled }}"

 # TODO - add support for exposing metrics

 # Postgres is the default, except if not using internal Postgres server
 matrix_mautrix_gmessages_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}"
 matrix_mautrix_gmessages_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
--- a/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml
@@ -54,10 +54,9 @@ matrix_mautrix_gmessages_federate_rooms: true
 # If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_mautrix_gmessages_metrics_proxying_enabled`.
 matrix_mautrix_gmessages_metrics_enabled: false

 # Controls whether metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/mautrix-gmessages`.
 # This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`.
 # See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`.
 # Controls whether metrics should be proxied (exposed) on a public URL.
 matrix_mautrix_gmessages_metrics_proxying_enabled: false
 # TODO - add more variables for controlling the hostname and prefix, etc.

 # Database-related configuration fields.
 #
--- a/roles/custom/matrix-bridge-mautrix-gmessages/tasks/inject_into_nginx_proxy.yml
+++ b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/inject_into_nginx_proxy.yml
@@ -25,11 +25,4 @@
            {% endif %}
          }

    - name: Register mautrix-gmessages metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-gmessages)
      ansible.builtin.set_fact:
        matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: |
          {{
            matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([])
            +
            [matrix_mautrix_gmessages_nginx_metrics_configuration_block]
          }}
 # Injection code was here
--- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml
@@ -67,10 +67,9 @@ matrix_mautrix_signal_federate_rooms: true
 # If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_mautrix_signal_metrics_proxying_enabled`.
 matrix_mautrix_signal_metrics_enabled: false

 # Controls whether metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/mautrix-signal`.
 # This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`.
 # See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`.
 # Controls whether metrics should be proxied (exposed) on a public URL.
 matrix_mautrix_signal_metrics_proxying_enabled: false
 # TODO - add more variables for controlling the hostname, path prefix, etc.

 # Database-related configuration fields.
 #
--- a/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml
@@ -84,10 +84,9 @@ matrix_mautrix_twitter_logging_level: WARNING
 # If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_mautrix_twitter_metrics_proxying_enabled`.
 matrix_mautrix_twitter_metrics_enabled: false

 # Controls whether metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/mautrix-twitter`.
 # This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`.
 # See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`.
 # Controls whether metrics should be proxied (exposed) on a public URL
 matrix_mautrix_twitter_metrics_proxying_enabled: false
 # TODO - add more variables for controlling the hostname, path prefix, etc.

 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
--- a/roles/custom/matrix-bridge-mautrix-twitter/tasks/inject_into_nginx_proxy.yml
+++ b/roles/custom/matrix-bridge-mautrix-twitter/tasks/inject_into_nginx_proxy.yml
@@ -25,11 +25,4 @@
            {% endif %}
          }

    - name: Register mautrix-twitter metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-twitter)
      ansible.builtin.set_fact:
        matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: |
          {{
            matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([])
            +
            [matrix_mautrix_twitter_nginx_metrics_configuration_block]
          }}
 # Injection code was here
--- a/roles/custom/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml
@@ -223,59 +223,6 @@ matrix_nginx_proxy_proxy_mautrix_wsproxy_hostname: "{{ matrix_server_fqn_mautrix
 matrix_nginx_proxy_proxy_ntfy_enabled: false
 matrix_nginx_proxy_proxy_ntfy_hostname: "{{ matrix_server_fqn_ntfy }}"

 # Controls whether proxying for (Prometheus) metrics (`/metrics/*`) for the various services should be done (on the matrix domain)
 # If the internal Prometheus server (`matrix-prometheus` role) is used, proxying is not necessary, since Prometheus can access each container directly.
 # This is only useful when an external Prometheus will be collecting metrics.
 #
 # To control what kind of metrics are exposed under `/metrics/` (e.g `/metrics/node-exporter`, `/metrics/postgres-exporter`, etc.),
 # use `matrix_SERVICE_metrics_proxying_enabled` variables in each respective role.
 # Roles inject themselves into the matrix-nginx-proxy configuration.
 #
 # To protect the metrics endpoints, see `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled`
 matrix_nginx_proxy_proxy_matrix_metrics_enabled: false

 # Controls whether Basic Auth is enabled for all `/metrics/*` endpoints.
 #
 # You can provide the Basic Auth credentials in 2 ways:
 # 1. A single username/password pair using `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password`
 # 2. Using raw content (`htpasswd`-generated file) provided in `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content`
 matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled: false

 # `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password` specify
 # the Basic Auth username/password for protecting `/metrics/*` endpoints.
 # Alternatively, use `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content`.
 matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username: ""
 matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password: ""

 # `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content` value will be written verbatim to the htpasswd file protecting `/metrics/*` endpoints.
 # Use this when a single username/password is not enough and you'd like to get more control over credentials.
 #
 # Read the manpage at `man 1 htpasswd` to learn more, then encrypt your password, and paste the encrypted value here.
 # e.g. `htpasswd -c mypass.htpasswd prometheus` and enter `mysecurepw` when prompted yields `prometheus:$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/`
 # The whole thing is needed here. matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content: "prometheus:$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/"
 matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content: ""

 # Specifies the path to the htpasswd file holding the htpasswd credentials for protecting `/metrics/*` endpoints
 # This is not meant to be modified.
 matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_path: "{{ matrix_nginx_proxy_data_path_in_container if matrix_nginx_proxy_enabled else matrix_nginx_proxy_data_path }}/matrix-metrics-htpasswd"

 # Specifies the Apache container image to use
 # when `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password` are provided.
 # This image provides the `htpasswd` tool which we use for generating the htpasswd file protecting `/metrics/*`.
 # To avoid using this, use `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content` instead of supplying username/password.
 # Learn more in: `roles/custom/matrix-nginx-proxy/tasks/nginx-proxy/setup_metrics_auth.yml`.
 matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image: "{{ matrix_container_global_registry_prefix }}httpd:{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image_tag }}"
 # renovate: datasource=docker depName=httpd
 matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image_tag: "2.4.54-alpine3.16"
 matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_force_pull: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image_tag.endswith(':latest') }}"

 # A list of strings containing additional configuration blocks to add to the `location /metrics` configuration (matrix-domain.conf).
 # Do not modify `matrix_nginx_proxy_proxy_matrix_metrics_additional_location_configuration_blocks` and `matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks`.
 # If you'd like to inject your own configuration blocks, use `matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks`.
 matrix_nginx_proxy_proxy_matrix_metrics_additional_location_configuration_blocks: "{{ matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks + matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks }}"
 matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: []
 matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks: []

 # Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain)
 matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false
 matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
--- a/roles/custom/matrix-nginx-proxy/tasks/nginx-proxy/setup_metrics_auth.yml
+++ b/roles/custom/matrix-nginx-proxy/tasks/nginx-proxy/setup_metrics_auth.yml
@@ -1,60 +0,0 @@
 ---

 # When we're dealing with raw htpasswd content, we just store it in the file directly.
 - name: Ensure matrix-metrics-htpasswd is present when generated from raw content (protecting /metrics/* URIs)
  ansible.builtin.copy:
    content: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content }}"
    dest: "{{ matrix_nginx_proxy_data_path }}/matrix-metrics-htpasswd"
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
    mode: 0600
  when: not matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username

 # Alternatively, we need to use the `htpasswd` tool to generate the htpasswd file.
 # There's an Ansible module that helps with that, but it requires passlib (a Python module) to be installed on the server.
 # See: https://docs.ansible.com/ansible/2.3/htpasswd_module.html#requirements-on-host-that-executes-module
 # We support various distros, with various versions of Python. Installing additional Python modules can be a hassle.
 # As a workaround, we run `htpasswd` from an Apache container image.
 - when: matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username != ''
  block:
    - name: Ensure Apache Docker image is pulled for generating matrix-metrics-htpasswd from username/password (protecting /metrics/* URIs)
      community.docker.docker_image:
        name: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image }}"
        source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
        force_source: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
        force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_force_pull }}"
      register: result
      retries: "{{ devture_playbook_help_container_retries_count }}"
      delay: "{{ devture_playbook_help_container_retries_delay }}"
      until: result is not failed

    # We store the password in a file and make the `htpasswd` tool read it from there,
    # as opposed to passing it directly on stdin (which will expose it to other processes on the server).
    - name: Store metrics password in a temporary file
      ansible.builtin.copy:
        content: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password }}"
        dest: "/tmp/matrix-nginx-proxy-metrics-password"
        mode: 0400
        owner: "{{ matrix_user_uid }}"
        group: "{{ matrix_user_gid }}"

    - name: Generate matrix-metrics-htpasswd from username/password (protecting /metrics/* URIs)
      ansible.builtin.command:
        cmd: >-
          {{ devture_systemd_docker_base_host_command_docker }} run
          --rm
          --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
          --cap-drop=ALL
          --network=none
          --mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst=/data
          --mount type=bind,src=/tmp/matrix-nginx-proxy-metrics-password,dst=/password,ro
          --entrypoint=/bin/sh
          {{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image }}
          -c
          'cat /password | htpasswd -i -c /data/matrix-metrics-htpasswd {{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username }} && chmod 600 /data/matrix-metrics-htpasswd'
      changed_when: true

    - name: Delete temporary metrics password file
      ansible.builtin.file:
        path: /tmp/matrix-nginx-proxy-metrics-password
        state: absent
--- a/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
+++ b/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
@@ -37,10 +37,6 @@
    mode: 0644
  when: matrix_nginx_proxy_enabled | bool

 - name: Setup metrics
  ansible.builtin.include_tasks: "{{ role_path }}/tasks/nginx-proxy/setup_metrics_auth.yml"
  when: matrix_nginx_proxy_proxy_matrix_metrics_enabled | bool and matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled | bool

 - name: Ensure Matrix nginx-proxy configured (generic)
  ansible.builtin.template:
    src: "{{ role_path }}/templates/nginx/conf.d/nginx-http.conf.j2"
@@ -334,19 +330,8 @@
    state: absent
  when: "not matrix_nginx_proxy_enabled | bool"

 - name: Ensure Matrix nginx-proxy htpasswd is deleted (protecting /_synapse/metrics URI)
  ansible.builtin.file:
    path: "{{ matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd"
    state: absent

 # This file is now generated by the matrix-synapse role and saved in the Synapse directory
 - name: (Cleanup) Ensure old sample prometheus.yml for external scraping is deleted
  ansible.builtin.file:
    path: "{{ matrix_base_data_path }}/external_prometheus.yml.example"
    state: absent

 - name: Ensure Matrix nginx-proxy htpasswd is deleted (protecting /metrics/* URIs)
  ansible.builtin.file:
    path: "{{ matrix_nginx_proxy_data_path }}/matrix-metrics-htpasswd"
    state: absent
  when: "not matrix_nginx_proxy_proxy_matrix_metrics_enabled | bool or not matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled | bool"
--- a/roles/custom/matrix-nginx-proxy/tasks/validate_config.yml
+++ b/roles/custom/matrix-nginx-proxy/tasks/validate_config.yml
@@ -30,14 +30,6 @@
      `matrix_nginx_proxy_ssl_preset` needs to be set to a known value.
  when: "matrix_nginx_proxy_ssl_preset not in ['modern', 'intermediate', 'old']"

 - name: Fail if Basic Auth enabled for metrics, but no credentials supplied
  ansible.builtin.fail:
    msg: |
      Enabling Basic Auth for metrics (`matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled`) requires:
      - either a username/password (provided in `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password`)
      - or raw htpasswd content (provided in `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content`)
  when: "matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled | bool and (matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content == '' and (matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username == '' or matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password == ''))"

 - when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
  block:
    - name: (Deprecation) Catch and report renamed settings
--- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
+++ b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
@@ -33,19 +33,6 @@
 		{{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }}
 	{% endif %}

 	{% if matrix_nginx_proxy_proxy_matrix_metrics_enabled %}
 	location /metrics {
 		{% if matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled %}
 			auth_basic "protected";
 			auth_basic_user_file {{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_path }};
 		{% endif %}

 		{% for configuration_block in matrix_nginx_proxy_proxy_matrix_metrics_additional_location_configuration_blocks %}
 			{{- configuration_block }}
 		{% endfor %}
 	}
 	{% endif %}

 	{% if matrix_nginx_proxy_proxy_matrix_corporal_api_enabled %}
 	location ^~ /_matrix/corporal {
 		{% if matrix_nginx_proxy_enabled %}
--- a/roles/custom/matrix-prometheus-nginxlog-exporter/defaults/main.yml
+++ b/roles/custom/matrix-prometheus-nginxlog-exporter/defaults/main.yml
@@ -17,10 +17,9 @@ matrix_prometheus_nginxlog_exporter_docker_image: "{{ matrix_prometheus_nginxlog
 matrix_prometheus_nginxlog_exporter_docker_image_force_pull: "{{ matrix_prometheus_nginxlog_exporter_docker_image.endswith(':latest') }}"
 matrix_prometheus_nginxlog_exporter_docker_image_arch_check_enabled: true

 # Controls whether prometheus-nginxlog-exporter metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/nginxlog`.
 # This will only take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`.
 # See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`.
 # Controls whether prometheus-nginxlog-exporter metrics should be proxied (exposed) on a public URL
 matrix_prometheus_nginxlog_exporter_metrics_proxying_enabled: false
 # TODO - add more variables for controlling the hostname, path prefix, etc.

 # matrix_prometheus_nginxlog_exporter_dashboard_urls contains a list of URLs with Grafana dashboard definitions.
 # If the Grafana role is enabled, these dashboards will be downloaded.
--- a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/inject_into_nginx_proxy.yml
+++ b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/inject_into_nginx_proxy.yml
@@ -20,12 +20,4 @@
      }
  when: matrix_prometheus_nginxlog_exporter_metrics_proxying_enabled | bool and matrix_nginx_proxy_enabled | bool

 - name: Register prometheus-nginxlog-exporter metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/nginxlog)
  ansible.builtin.set_fact:
    matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: |
      {{
        matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([])
        +
        [matrix_prometheus_nginxlog_exporter_matrix_nginx_proxy_metrics_configuration_matrix_domain]
      }}
  when: matrix_prometheus_nginxlog_exporter_metrics_proxying_enabled | bool
 # Injection code was here
--- a/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/validate_config.yml
+++ b/roles/custom/matrix-prometheus-nginxlog-exporter/tasks/validate_config.yml
@@ -23,10 +23,3 @@

      in vars.yml
  when: matrix_prometheus_nginxlog_exporter_docker_image_arch_check_enabled and matrix_architecture not in matrix_prometheus_nginxlog_exporter_docker_image_arch


 - name: Fail if nginx-proxy is not set to proxy metrics while prometheus-nginxlog-exporter is
  ansible.builtin.fail:
    msg: >
      'matrix_prometheus_nginxlog_exporter_metrics_proxying_enabled' is set but 'matrix_nginx_proxy_proxy_matrix_metrics_enabled' is not
  when: matrix_prometheus_nginxlog_exporter_metrics_proxying_enabled | bool and not matrix_nginx_proxy_proxy_matrix_metrics_enabled | bool
--- a/roles/custom/matrix-prometheus-services-proxy-connect/defaults/main.yml
+++ b/roles/custom/matrix-prometheus-services-proxy-connect/defaults/main.yml
@@ -4,8 +4,6 @@


 # Controls whether node-exporter metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/node-exporter`.
 # This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`.
 # See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`.
 matrix_prometheus_services_proxy_connect_prometheus_node_exporter_metrics_proxying_enabled: false

 # If you are supplying your own NGINX proxy but want to use the provided exporters you will have to supply an "<ip>:<port>" value for the containers to bind to on your host.
@@ -16,8 +14,6 @@ matrix_prometheus_services_proxy_connect_prometheus_node_exporter_matrix_nginx_p


 # Controls whether postgres-exporter metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/postgres-exporter`.
 # This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`.
 # See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`.
 matrix_prometheus_services_proxy_connect_prometheus_postgres_exporter_metrics_proxying_enabled: false

 # If you are supplying your own NGINX proxy but want to use the provided exporters you will have to supply an "<ip>:<port>" value for the containers to bind to on your host.
--- a/roles/custom/matrix-prometheus-services-proxy-connect/tasks/prometheus-node-exporter/inject_into_nginx_proxy.yml
+++ b/roles/custom/matrix-prometheus-services-proxy-connect/tasks/prometheus-node-exporter/inject_into_nginx_proxy.yml
@@ -16,11 +16,4 @@
        {% endif %}
      }

 - name: Register node-exporter metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/node-exporter)
  ansible.builtin.set_fact:
    matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: |
      {{
        matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([])
        +
        [matrix_prometheus_services_proxy_connect_node_exporter_nginx_metrics_configuration_block]
      }}
 # Injection code was here
--- a/roles/custom/matrix-prometheus-services-proxy-connect/tasks/prometheus-postgres-exporter/inject_into_nginx_proxy.yml
+++ b/roles/custom/matrix-prometheus-services-proxy-connect/tasks/prometheus-postgres-exporter/inject_into_nginx_proxy.yml
@@ -16,11 +16,4 @@
        {% endif %}
      }

 - name: Register postgres-exporter metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/postgres-exporter)
  ansible.builtin.set_fact:
    matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: |
      {{
        matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([])
        +
        [matrix_prometheus_services_proxy_connect_postgres_exporter_nginx_metrics_configuration_block]
      }}
 # Injection code was here
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -513,10 +513,8 @@ matrix_synapse_grafana_dashboard_urls:
 # Controls whether Synapse metrics should be proxied (exposed) on:
 # - `matrix.DOMAIN/metrics/synapse/main-process` for the main process
 # - `matrix.DOMAIN/metrics/synapse/worker/{type}-{id}` for each worker process
 #
 # This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`.
 # See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`.
 matrix_synapse_metrics_proxying_enabled: false
 # TODO - add variables for controlling the hostname, path prefix, etc.

 # Enable the Synapse manhole
 # See https://github.com/matrix-org/synapse/blob/master/docs/manhole.md
--- a/roles/custom/matrix-synapse/tasks/init.yml
+++ b/roles/custom/matrix-synapse/tasks/init.yml
@@ -38,14 +38,7 @@
            {% endif %}
          }

    - name: Register synapse metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/synapse/main-process)
      ansible.builtin.set_fact:
        matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: |
          {{
            matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([])
            +
            [matrix_synapse_nginx_metrics_configuration_block]
          }}
 # Injection code was here

    - name: Generate synapse worker metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/synapse/worker)
      ansible.builtin.set_fact:
@@ -62,12 +55,4 @@
          {% endfor %}
      when: matrix_synapse_workers_enabled_list | length > 0

    - name: Register synapse worker metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/synapse/worker)
      ansible.builtin.set_fact:
        matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: |
          {{
            matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([])
            +
            [matrix_synapse_worker_nginx_metrics_configuration_block]
          }}
      when: matrix_synapse_workers_enabled_list | length > 0
 # Injection code was here
--- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml
+++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml
@@ -64,6 +64,10 @@
    - {'old': 'matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled', 'new': 'matrix_metrics_exposure_http_basic_auth_enabled'}
    - {'old': 'matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username', 'new': '<superseded by matrix_metrics_exposure_http_basic_auth_users>'}
    - {'old': 'matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password', 'new': '<superseded by matrix_metrics_exposure_http_basic_auth_users>'}
    - {'old': 'matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content', 'new': '<superseded by matrix_metrics_exposure_http_basic_auth_users>'}
    - {'old': 'matrix_nginx_proxy_proxy_matrix_metrics_additional_location_configuration_blocks', 'new': '<superseded by adding labels to each individual service that you care about>'}
    - {'old': 'matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks', 'new': '<superseded by adding labels to each individual service that you care about>'}
    - {'old': 'matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks', 'new': '<superseded by adding labels to each individual service that you care about>'}

    - {'old': 'matrix_well_known_matrix_server_enabled', 'new': 'matrix_static_files_file_matrix_server_enabled'}
    - {'old': 'matrix_well_known_matrix_support_enabled', 'new': 'matrix_static_files_file_matrix_support_enabled'}