Move matrix-ma1sd to its own container network and add native Traefik support

docs/configuring-playbook-ma1sd.md

@@ -44,9 +44,9 @@ To use the [Registration](https://github.com/ma1uta/ma1sd/blob/master/docs/featu
 
 - `matrix_synapse_enable_registration_captcha` - to validate registering users using reCAPTCHA, as described in the [enabling reCAPTCHA](configuring_captcha.md) documentation.
 
-- `matrix_synapse_registrations_require_3pid` - to control the types of 3pid (`'email'`, `'msisdn'`) required by the Synapse server for registering
+- `matrix_synapse_registrations_require_3pid` - a list of 3pid types (among `'email'`, `'msisdn'`) required by the Synapse server for registering
 
-- variables prefixed with `matrix_nginx_proxy_proxy_matrix_3pid_registration_` (e.g. `matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled`) - to configure the integrated nginx webserver to send registration requests to ma1sd (instead of Synapse), so it can apply its additional functionality
+- variables prefixed with `matrix_ma1sd_container_labels_` (e.g. `matrix_ma1sd_container_labels_matrix_client_3pid_registration_enabled`) - to configure the Traefik reverse-proxy to capture and send registration requests to ma1sd (instead of Synapse), so it can apply its additional functionality
 
 - `matrix_ma1sd_configuration_extension_yaml` - to configure ma1sd as required. See the [Registration feature's docs](https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md) for inspiration. Also see the [Additional features](#additional-features) section below to learn more about how to use `matrix_ma1sd_configuration_extension_yaml`.
 

group_vars/matrix_servers

@@ -3131,6 +3131,9 @@ exim_relay_sender_address: "matrix@{{ matrix_domain }}"
 # we can stop installing ma1sd.
 matrix_ma1sd_enabled: false
 
+matrix_ma1sd_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
+matrix_ma1sd_hostname: "{{ matrix_server_fqn_matrix }}"
+
 matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
 
 # Normally, matrix-nginx-proxy is enabled and nginx can reach ma1sd over the container network.
@@ -3138,12 +3141,25 @@ matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
 # ma1sd's web-server port.
 matrix_ma1sd_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '' ~ matrix_ma1sd_container_port | string) if matrix_playbook_service_host_bind_interface_prefix else '' }}"
 
-matrix_ma1sd_container_additional_networks: |
- {{
-  (
-    ([exim_relay_container_network] if (exim_relay_enabled and matrix_ma1sd_threepid_medium_email_connectors_smtp_host == exim_relay_identifier and matrix_ma1sd_container_network != exim_relay_container_network) else [])
-  ) | unique
- }}
+matrix_ma1sd_container_network: "{{ matrix_addons_container_network }}"
+
+matrix_ma1sd_container_additional_networks_auto: |
+  {{
+    (
+      ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network])
+      +
+      ([devture_postgres_container_network] if (devture_postgres_enabled and matrix_ma1sd_database_hostname == devture_postgres_connection_hostname and matrix_ma1sd_container_network != devture_postgres_container_network) else [])
+      +
+      ([exim_relay_container_network] if (exim_relay_enabled and matrix_ma1sd_threepid_medium_email_connectors_smtp_host == exim_relay_identifier and matrix_ma1sd_container_network != exim_relay_container_network) else [])
+      +
+      ([matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_playbook_reverse_proxyable_services_additional_network and matrix_ma1sd_container_labels_traefik_enabled) else [])
+    ) | unique
+  }}
+
+matrix_ma1sd_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
+matrix_ma1sd_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+matrix_ma1sd_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
+matrix_ma1sd_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
 
 # We enable Synapse integration via its Postgres database by default.
 # When using another Identity store, you might wish to disable this and define
@@ -3156,7 +3172,7 @@ matrix_ma1sd_dns_overwrite_enabled: true
 matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}"
 # The `matrix_ma1sd_dns_overwrite_homeserver_client_value` value when matrix_nginx_proxy_enabled is false covers the general case,
 # but may be inaccurate if matrix-corporal is enabled.
-matrix_ma1sd_dns_overwrite_homeserver_client_value: "{{ matrix_homeserver_container_url }}"
+matrix_ma1sd_dns_overwrite_homeserver_client_value: "{{ matrix_addons_homeserver_client_api_url }}"
 
 # By default, we send mail through the exim relay service.
 matrix_ma1sd_threepid_medium_email_identity_from: "{{ exim_relay_sender_address }}"
@@ -3168,13 +3184,13 @@ matrix_ma1sd_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_
 
 matrix_ma1sd_systemd_required_services_list_auto: |
   {{
+    matrix_addons_homeserver_systemd_services_list
+    +
     ([devture_postgres_identifier ~ '.service'] if (devture_postgres_enabled and matrix_ma1sd_database_hostname == devture_postgres_connection_hostname) else [])
   }}
 
 matrix_ma1sd_systemd_wanted_services_list_auto: |
   {{
-    (['matrix-corporal.service'] if matrix_corporal_enabled else ['matrix-' + matrix_homeserver_implementation + '.service'])
-    +
     ([exim_relay_identifier ~ '.service'] if (exim_relay_enabled and matrix_ma1sd_threepid_medium_email_connectors_smtp_host == exim_relay_identifier) else [])
   }}
 
@@ -3304,10 +3320,6 @@ matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enable
 matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
 matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081"
 
-matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_ma1sd_enabled }}"
-matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"
-matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"
-
 # NOTE: we cannot disable this, even though matrix-media-repo is already natively exposed at the Traefik level.
 # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3045#issuecomment-1867327001
 matrix_nginx_proxy_proxy_media_repo_enabled: "{{ matrix_media_repo_enabled }}"
@@ -3349,10 +3361,6 @@ matrix_nginx_proxy_proxy_conduit_federation_api_addr_sans_container: "127.0.0.1:
 # When matrix-nginx-proxy is disabled, the actual port number that the vhost uses may begin to matter.
 matrix_nginx_proxy_proxy_matrix_federation_port: "{{ matrix_federation_public_port }}"
 
-matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}"
-matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}"
-matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}"
-
 # OCSP stapling does not make sense when self-signed certificates are used.
 # See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1073
 # and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1074
@@ -3368,8 +3376,6 @@ matrix_nginx_proxy_systemd_wanted_services_list: |
     +
     (['matrix-corporal.service'] if matrix_corporal_enabled else [])
     +
-    (['matrix-ma1sd.service'] if matrix_ma1sd_enabled else [])
-    +
     ([(matrix_media_repo_identifier + '.service')] if matrix_media_repo_enabled else [])
     +
     (['matrix-client-cinny.service'] if matrix_client_cinny_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [])
@@ -3498,9 +3504,7 @@ matrix_homeserver_proxy_client_api_client_max_body_size_mb: |-
 
 matrix_homeserver_proxy_federation_api_addr: "{{ matrix_homeserver_container_federation_api_endpoint }}"
 
-# matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_ma1sd_enabled }}"
-# matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"
-# matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"
+# TODO - connect this to the identity server, if enabled
 
 # # NOTE: we cannot disable this, even though matrix-media-repo is already natively exposed at the Traefik level.
 # # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3045#issuecomment-1867327001
@@ -3508,10 +3512,7 @@ matrix_homeserver_proxy_federation_api_addr: "{{ matrix_homeserver_container_fed
 # matrix_nginx_proxy_proxy_media_repo_addr_with_container: "{{ matrix_media_repo_identifier }}:{{ matrix_media_repo_port }}"
 # matrix_nginx_proxy_proxy_media_repo_addr_sans_container: "127.0.0.1:{{ matrix_media_repo_port }}"
 
-# matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}"
-# matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}"
-# matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}"
-
+# TODO - adjust ma1sd stuff below, if necessary
 matrix_homeserver_proxy_systemd_wanted_services_list_auto: |
   {{
     matrix_homeserver_systemd_services_list
@@ -4142,8 +4143,10 @@ matrix_synapse_gid: "{{ matrix_user_gid }}"
 
 matrix_synapse_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
 
+matrix_synapse_account_threepid_delegates_msisdn_mas1sd_url: "{{ ('http://matrix-ma1sd:' + matrix_ma1sd_container_port| string) }}"
+
 # When ma1sd is enabled, we can use it to validate phone numbers. It's something that the homeserver cannot do by itself.
-matrix_synapse_account_threepid_delegates_msisdn: "{{ 'http://matrix-ma1sd:' + matrix_ma1sd_container_port | string if matrix_ma1sd_enabled else '' }}"
+matrix_synapse_account_threepid_delegates_msisdn: "{{ matrix_synapse_account_threepid_delegates_msisdn_mas1sd_url if matrix_ma1sd_enabled else '' }}"
 
 # For exposing the Matrix Federation API's TLS port (HTTPS) to the internet on all network interfaces.
 matrix_synapse_container_federation_api_tls_host_bind_port: "{{ matrix_federation_public_port if (matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled) else '' }}"
@@ -4166,6 +4169,8 @@ matrix_synapse_container_additional_networks: |
       ([redis_container_network] if matrix_synapse_redis_enabled and matrix_synapse_redis_host == redis_identifier else [])
       +
       ([exim_relay_container_network] if (exim_relay_enabled and matrix_synapse_email_enabled and matrix_synapse_email_smtp_host == exim_relay_identifier and matrix_synapse_container_network != exim_relay_container_network) else [])
+      +
+      ([matrix_ma1sd_container_network] if (matrix_ma1sd_enabled and matrix_synapse_account_threepid_delegates_msisdn == matrix_synapse_account_threepid_delegates_msisdn_mas1sd_url and matrix_synapse_container_network != matrix_ma1sd_container_network) else [])
     ) | unique
   }}
 

roles/custom/matrix-ma1sd/defaults/main.yml

@@ -4,6 +4,9 @@
 
 matrix_ma1sd_enabled: true
 
+matrix_ma1sd_scheme: https
+matrix_ma1sd_hostname: ''
+
 matrix_ma1sd_container_image_self_build: false
 matrix_ma1sd_container_image_self_build_repo: "https://github.com/ma1uta/ma1sd.git"
 matrix_ma1sd_container_image_self_build_branch: "{{ matrix_ma1sd_version }}"
@@ -43,14 +46,65 @@ matrix_ma1sd_systemd_wanted_services_list_auto: []
 matrix_ma1sd_systemd_wanted_services_list_custom: []
 
 # The base container network. It will be auto-created by this role if it doesn't exist already.
-matrix_ma1sd_container_network: "{{ matrix_docker_network }}"
+matrix_ma1sd_container_network: ""
 
 # A list of additional container networks that matrix-ma1sd would be connected to.
 # The playbook does not create these networks, so make sure they already exist.
 #
 # Use this to expose matrix-ma1sd to another docker network, that matrix-ma1sd might have to reach for authentication (e.g. an ldap instance)
+matrix_ma1sd_container_additional_networks: "{{ matrix_ma1sd_container_additional_networks_auto + matrix_ma1sd_container_additional_networks_custom }}"
+matrix_ma1sd_container_additional_networks_auto: []
+matrix_ma1sd_container_additional_networks_custom: []
+
+# matrix_ma1sd_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
+# See `../templates/labels.j2` for details.
 #
-matrix_ma1sd_container_additional_networks: []
+# To inject your own other container labels, see `matrix_ma1sd_container_labels_additional_labels`.
+matrix_ma1sd_container_labels_traefik_enabled: true
+matrix_ma1sd_container_labels_traefik_docker_network: "{{ matrix_ma1sd_container_network }}"
+matrix_ma1sd_container_labels_traefik_entrypoints: web-secure
+matrix_ma1sd_container_labels_traefik_tls_certResolver: default  # noqa var-naming
+
+# Controls whether labels will be added that expose ma1sd's /_matrix/identity endpoints
+matrix_ma1sd_container_labels_matrix_identity_enabled: "{{ matrix_ma1sd_container_labels_traefik_enabled }}"
+matrix_ma1sd_container_labels_matrix_identity_hostname: "{{ matrix_ma1sd_hostname }}"
+matrix_ma1sd_container_labels_matrix_identity_path_prefix: "/_matrix/identity"
+matrix_ma1sd_container_labels_matrix_identity_traefik_rule: "Host(`{{ matrix_ma1sd_container_labels_matrix_identity_hostname }}`) && PathPrefix(`{{ matrix_ma1sd_container_labels_matrix_identity_path_prefix }}`)"
+matrix_ma1sd_container_labels_matrix_identity_traefik_priority: 0
+matrix_ma1sd_container_labels_matrix_identity_traefik_entrypoints: "{{ matrix_ma1sd_container_labels_traefik_entrypoints }}"
+matrix_ma1sd_container_labels_matrix_identity_traefik_tls: "{{ matrix_ma1sd_container_labels_matrix_identity_traefik_entrypoints != 'web' }}"
+matrix_ma1sd_container_labels_matrix_identity_traefik_tls_certResolver: "{{ matrix_ma1sd_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
+
+# Controls whether labels will be added that expose ma1sd's /_matrix/client/VERSION/user_directory/search endpoint
+matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled: "{{ matrix_ma1sd_container_labels_traefik_enabled }}"
+matrix_ma1sd_container_labels_matrix_client_user_directory_search_hostname: "{{ matrix_ma1sd_hostname }}"
+matrix_ma1sd_container_labels_matrix_client_user_directory_search_path: "/_matrix/client/{version:(r0|v3)}/user_directory/search"
+matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_rule: "Host(`{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_hostname }}`) && Path(`{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_path }}`)"
+matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_priority: 0
+matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_entrypoints: "{{ matrix_ma1sd_container_labels_traefik_entrypoints }}"
+matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls: "{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_entrypoints != 'web' }}"
+matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls_certResolver: "{{ matrix_ma1sd_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
+
+# Controls whether labels will be added that expose ma1sd's /_matrix/client/VERSION/register/TYPE/requestToken endpoints
+# This allows another service to control registrations involving 3PIDs.
+# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md
+matrix_ma1sd_container_labels_matrix_client_3pid_registration_enabled: false
+matrix_ma1sd_container_labels_matrix_client_3pid_registration_hostname: "{{ matrix_ma1sd_hostname }}"
+matrix_ma1sd_container_labels_matrix_client_3pid_registration_path: "/_matrix/client/{version:(r0|v3)}/register/{type:(email|msisdn)}/requestToken"
+matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_rule: "Host(`{{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_hostname }}`) && Path(`{{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_path }}`)"
+matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_priority: 0
+matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_entrypoints: "{{ matrix_ma1sd_container_labels_traefik_entrypoints }}"
+matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls: "{{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_entrypoints != 'web' }}"
+matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls_certResolver: "{{ matrix_ma1sd_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
+
+# matrix_ma1sd_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
+# See `../templates/labels.j2` for details.
+#
+# Example:
+# matrix_ma1sd_container_labels_additional_labels: |
+#   my.label=1
+#   another.label="here"
+matrix_ma1sd_container_labels_additional_labels: ''
 
 # Your identity server is private by default.
 # To ensure maximum discovery, you can make your identity server
@@ -59,7 +113,6 @@ matrix_ma1sd_container_additional_networks: []
 # Enabling this is discouraged. Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/features/identity.md#lookups
 matrix_ma1sd_matrixorg_forwarding_enabled: false
 
-
 # Database-related configuration fields.
 #
 # To use SQLite, stick to these defaults.
@@ -130,6 +183,7 @@ matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template:
 # Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/mxid-template.eml
 matrix_ma1sd_threepid_medium_email_custom_matrixid_template: ""
 
+matrix_ma1sd_self_check_endpoint_url: "{{ matrix_ma1sd_scheme }}://{{ matrix_ma1sd_hostname }}/_matrix/identity/api/v1"
 # Controls whether the self-check feature should validate SSL certificates.
 matrix_ma1sd_self_check_validate_certificates: true
 

roles/custom/matrix-ma1sd/tasks/main.yml

@@ -20,6 +20,7 @@
 
 - tags:
     - self-check
+    - self-check-ma1sd
   block:
     - when: matrix_ma1sd_enabled | bool
       ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml"

roles/custom/matrix-ma1sd/tasks/self_check.yml

@@ -1,11 +1,8 @@
 ---
 
-- ansible.builtin.set_fact:
-    ma1sd_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/identity/api/v1"
-
 - name: Check ma1sd Identity Service
   ansible.builtin.uri:
-    url: "{{ ma1sd_url_endpoint_public }}"
+    url: "{{ matrix_ma1sd_self_check_endpoint_url }}"
     follow_redirects: none
     validate_certs: "{{ matrix_ma1sd_self_check_validate_certificates }}"
   check_mode: false
@@ -16,9 +13,9 @@
 
 - name: Fail if ma1sd Identity Service not working
   ansible.builtin.fail:
-    msg: "Failed checking ma1sd is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ ma1sd_url_endpoint_public }}`). Is ma1sd running? Is port 443 open in your firewall? Full error: {{ result_ma1sd }}"
+    msg: "Failed checking ma1sd is up at `{{ matrix_ma1sd_hostname }}` (checked endpoint: `{{ matrix_ma1sd_self_check_endpoint_url }}`). Is ma1sd running? Is port 443 open in your firewall? Full error: {{ result_ma1sd }}"
   when: "result_ma1sd.failed or 'json' not in result_ma1sd"
 
 - name: Report working ma1sd Identity Service
   ansible.builtin.debug:
-    msg: "ma1sd at `{{ matrix_server_fqn_matrix }}` is working (checked endpoint: `{{ ma1sd_url_endpoint_public }}`)"
+    msg: "ma1sd at `{{ matrix_ma1sd_hostname }}` is working (checked endpoint: `{{ matrix_ma1sd_self_check_endpoint_url }}`)"

roles/custom/matrix-ma1sd/tasks/setup_install.yml

@@ -122,6 +122,21 @@
     - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'}
   when: "matrix_ma1sd_threepid_medium_email_custom_templates_enabled | bool and item.value"
 
+- name: Ensure ma1sd support files installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/{{ item }}.j2"
+    dest: "{{ matrix_ma1sd_base_path }}/{{ item }}"
+    mode: 0640
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - labels
+
+- name: Ensure ma1sd container network is created
+  community.general.docker_network:
+    name: "{{ matrix_ma1sd_container_network }}"
+    driver: bridge
+
 - name: Ensure matrix-ma1sd.service installed
   ansible.builtin.template:
     src: "{{ role_path }}/templates/systemd/matrix-ma1sd.service.j2"

roles/custom/matrix-ma1sd/tasks/validate_config.yml

@@ -45,9 +45,15 @@
       You need to define a required configuration setting (`{{ item.name }}`).
   when: "item.when | bool and vars[item.name] == ''"
   with_items:
+    - {'name': 'matrix_ma1sd_hostname', when: true}
     - {'name': 'matrix_ma1sd_threepid_medium_email_connectors_smtp_host', when: true}
     - {'name': 'matrix_ma1sd_dns_overwrite_homeserver_client_value', when: true}
     - {'name': 'matrix_ma1sd_database_hostname', when: "{{ matrix_ma1sd_database_engine == 'postgres' }}"}
+    - {'name': 'matrix_ma1sd_container_network', when: true}
+    - {'name': 'matrix_ma1sd_container_labels_matrix_identity_hostname', when: "{{ matrix_ma1sd_container_labels_matrix_identity_enabled }}"}
+    - {'name': 'matrix_ma1sd_container_labels_matrix_identity_path_prefix', when: "{{ matrix_ma1sd_container_labels_matrix_identity_enabled }}"}
+    - {'name': 'matrix_ma1sd_container_labels_matrix_client_user_directory_search_hostname', when: "{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled }}"}
+    - {'name': 'matrix_ma1sd_container_labels_matrix_client_user_directory_search_path', when: "{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled }}"}
 
 - name: (Deprecation) Catch and report renamed ma1sd variables
   ansible.builtin.fail:

roles/custom/matrix-ma1sd/templates/labels.j2

@@ -0,0 +1,99 @@
+{% if matrix_ma1sd_container_labels_traefik_enabled %}
+traefik.enable=true
+
+{% if matrix_ma1sd_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_ma1sd_container_labels_traefik_docker_network }}
+{% endif %}
+
+traefik.http.services.matrix-ma1sd.loadbalancer.server.port={{ matrix_ma1sd_container_port }}
+
+{#
+	Matrix Identity APIs (/_matrix/identity)
+#}
+{% if matrix_ma1sd_container_labels_matrix_identity_enabled %}
+traefik.http.routers.matrix-ma1sd-matrix-identity.rule={{ matrix_ma1sd_container_labels_matrix_identity_traefik_rule }}
+
+{% if matrix_ma1sd_container_labels_matrix_identity_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-ma1sd-matrix-identity.priority={{ matrix_ma1sd_container_labels_matrix_identity_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-ma1sd-matrix-identity.service=matrix-ma1sd
+traefik.http.routers.matrix-ma1sd-matrix-identity.entrypoints={{ matrix_ma1sd_container_labels_matrix_identity_traefik_entrypoints }}
+
+traefik.http.routers.matrix-ma1sd-matrix-identity.tls={{ matrix_ma1sd_container_labels_matrix_identity_traefik_tls | to_json }}
+{% if matrix_ma1sd_container_labels_matrix_identity_traefik_tls %}
+traefik.http.routers.matrix-ma1sd-matrix-identity.tls.certResolver={{ matrix_ma1sd_container_labels_matrix_identity_traefik_tls_certResolver }}
+{% endif %}
+{% endif %}
+{#
+	/Matrix Identity APIs (/_matrix/identity)
+#}
+
+
+{#
+	Matrix Client user-directory search API endpoint (/_matrix/client/VERSION/user_directory/search)
+#}
+{% if matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled %}
+{#
+	ma1sd only supports /_matrix/client/r0/user_directory/search,
+	while we potentially handle /_matrix/client/v3/user_directory/search as well,
+	so we need to transparently reroute.
+#}
+traefik.http.middlewares.matrix-ma1sd-matrix-client-user-directory-search-replacepath.replacepath.path=/_matrix/client/r0/user_directory/search
+
+traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.rule={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_rule }}
+
+traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.middlewares=matrix-ma1sd-matrix-client-user-directory-search-replacepath
+
+{% if matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.priority={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.service=matrix-ma1sd
+traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.entrypoints={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_entrypoints }}
+
+traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.tls={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls | to_json }}
+{% if matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls %}
+traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.tls.certResolver={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls_certResolver }}
+{% endif %}
+{% endif %}
+{#
+	/Matrix Client user-directory search API endpoint (/_matrix/client/VERSION/user_directory/search)
+#}
+
+
+{#
+	Matrix Client 3pid registration API endpoint (/_matrix/client/VERSION/register/TYPE/requestToken)
+#}
+{% if matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled %}
+{#
+	ma1sd only supports /_matrix/client/r0/user_directory/search,
+	while we potentially handle /_matrix/client/v3/user_directory/search as well,
+	so we need to transparently reroute.
+#}
+traefik.http.middlewares.matrix-ma1sd-matrix-client-3pid-registration-replacepathregex.replacepathregex.regex=^/_matrix/client/([^/]+)/register/([^/]+)/requestToken
+traefik.http.middlewares.matrix-ma1sd-matrix-client-3pid-registration-replacepathregex.replacepathregex.replacement=/_matrix/client/r0/register/${2}/requestToken
+
+traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.rule={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_rule }}
+
+traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.middlewares=matrix-ma1sd-matrix-client-3pid-registration-replacepathregex
+
+{% if matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.priority={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.service=matrix-ma1sd
+traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.entrypoints={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_entrypoints }}
+
+traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.tls={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls | to_json }}
+{% if matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls %}
+traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.tls.certResolver={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls_certResolver }}
+{% endif %}
+{% endif %}
+{#
+	/Matrix Client 3pid registration API endpoint (/_matrix/client/VERSION/register/TYPE/requestToken)
+#}
+
+{% endif %}
+
+{{ matrix_ma1sd_container_labels_additional_labels }}

roles/custom/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2

@@ -35,6 +35,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			{% endif %}
 			--mount type=bind,src={{ matrix_ma1sd_config_path }},dst=/etc/ma1sd,ro \
 			--mount type=bind,src={{ matrix_ma1sd_data_path }},dst=/var/ma1sd \
+			--label-file={{ matrix_ma1sd_base_path }}/labels \
 			{% for arg in matrix_ma1sd_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}

roles/custom/matrix-nginx-proxy/defaults/main.yml

@@ -228,37 +228,6 @@ matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false
 matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
 matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081"
 
-# Controls whether proxying for the User Directory Search API (`/_matrix/client/r0/user_directory/search`) should be done (on the matrix domain).
-# This can be used to forward the API endpoint to another service, augmenting the functionality of Synapse's own User Directory Search.
-# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/directory.md
-matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false
-matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"
-matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"
-
-# Controls whether the user directory search API will be URL-rewritten (/_matrix/client/v3/user_directory/search -> /_matrix/client/r0/user_directory/search).
-# This is to assist identity servers which only handle the r0 endpoints.
-# The v3 endpoints are the same (spec-wise), so they can usually be redirected without downsides.
-# If this is disabled, API requests will be forwarded as-is, without any URL rewriting.
-matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled: true
-
-# Controls whether proxying for 3PID-based registration (`/_matrix/client/r0/register/(email|msisdn)/requestToken`) should be done (on the matrix domain).
-# This allows another service to control registrations involving 3PIDs.
-# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md
-matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled: false
-matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"
-matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"
-
-# Controls whether the user directory search API will be URL-rewritten (/_matrix/client/v3/register/(email|msisdn)/requestToken -> /_matrix/client/r0/register/(email|msisdn)/requestToken).
-# This is to assist identity servers which only handle the r0 endpoints.
-# The v3 endpoints are the same (spec-wise), so they can usually be redirected without downsides.
-# If this is disabled, API requests will be forwarded as-is, without any URL rewriting.
-matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled: true
-
-# Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain)
-matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false
-matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"
-matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"
-
 # Controls whether proxying for the media repo (`/_matrix/media`) should be done (on the matrix domain)
 matrix_nginx_proxy_proxy_media_repo_enabled: false
 matrix_nginx_proxy_proxy_media_repo_addr_with_container: "matrix-media-repo:{{ matrix_media_repo_port }}"

roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2

@@ -51,24 +51,6 @@
 	}
 	{% endif %}
 
-	{% if matrix_nginx_proxy_proxy_matrix_identity_api_enabled %}
-	location ^~ /_matrix/identity {
-		{% if matrix_nginx_proxy_enabled %}
-			{# Use the embedded DNS resolver in Docker containers to discover the service #}
-			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;
-			set $backend "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}";
-			proxy_pass http://$backend;
-		{% else %}
-			{# Generic configuration for use outside of our container setup #}
-			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }};
-		{% endif %}
-
-		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
-		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
-	}
-	{% endif %}
-
 	{% if matrix_nginx_proxy_proxy_media_repo_enabled %}
 	# Redirect all media endpoints to the media-repo
 	location ^~ /_matrix/media {
@@ -162,53 +144,6 @@
 	}
 	{% endif %}
 
-	{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled %}
-	location ~ ^/_matrix/client/(r0|v3)/user_directory/search {
-		{% if matrix_nginx_proxy_enabled %}
-			{# Use the embedded DNS resolver in Docker containers to discover the service #}
-			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;
-			set $backend "{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container }}";
-			{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled %}
-			rewrite ^(.*?)/v3/(.*?)$  $1/r0/$2 break;
-			{% endif %}
-			proxy_pass http://$backend;
-		{% else %}
-			{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled %}
-			rewrite ^(.*?)/v3/(.*?)$  $1/r0/$2 break;
-			{% endif %}
-			{# Generic configuration for use outside of our container setup #}
-			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container }};
-		{% endif %}
-
-		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
-	}
-	{% endif %}
-
-	{% if matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled %}
-	location ~ ^/_matrix/client/(r0|v3)/register/(email|msisdn)/requestToken$ {
-		{% if matrix_nginx_proxy_enabled %}
-			{# Use the embedded DNS resolver in Docker containers to discover the service #}
-			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;
-			set $backend "{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container }}";
-			{% if matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled %}
-			rewrite ^(.*?)/v3/(.*?)$  $1/r0/$2 break;
-			{% endif %}
-			proxy_pass http://$backend;
-		{% else %}
-			{% if matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled %}
-			rewrite ^(.*?)/v3/(.*?)$  $1/r0/$2 break;
-			{% endif %}
-			{# Generic configuration for use outside of our container setup #}
-			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container }};
-		{% endif %}
-
-		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
-		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
-	}
-	{% endif %}
-
 	{% for configuration_block in matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks %}
 		{{- configuration_block }}
 	{% endfor %}

roles/custom/matrix_playbook_migration/tasks/validate_config.yml

@@ -94,6 +94,17 @@
     - {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled', 'new': 'matrix_synapse_container_labels_client_synapse_client_api_enabled'}
     - {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled', 'new': 'matrix_synapse_container_labels_client_synapse_oidc_api_enabled'}
     - {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled', 'new': 'matrix_synapse_container_labels_client_synapse_admin_api_enabled'}
+    - {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_enabled', 'new': '<superseded by matrix_ma1sd_container_labels_traefik_enabled and matrix_ma1sd_container_labels_matrix_identity_enabled>'}
+    - {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container', 'new': '<removed>'}
+    - {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container', 'new': '<removed>'}
+    - {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled', 'new': '<superseded by matrix_ma1sd_container_labels_traefik_enabled and matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled>'}
+    - {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container', 'new': '<removed>'}
+    - {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container', 'new': '<removed>'}
+    - {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled', 'new': '<superseded by matrix_ma1sd_container_labels_matrix_client_user_directory_search_path>'}
+    - {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled', 'new': 'matrix_ma1sd_container_labels_matrix_client_3pid_registration_enabled'}
+    - {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container', 'new': '<removed>'}
+    - {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container', 'new': '<removed>'}
+    - {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled', 'new': '<superseded by matrix_ma1sd_container_labels_matrix_client_3pid_registration_path>'}
 
 - name: (Deprecation) Catch and report matrix_postgres variables
   ansible.builtin.fail: