Handle /_matrix Client-Server and Federation APIs directly at matrix-synapse-reverse-proxy-companion

group_vars/matrix_servers

@@ -395,7 +395,7 @@ devture_systemd_service_manager_services_list_auto: |
     +
     ([{'name': 'matrix-synapse-admin.service', 'priority': 4000, 'groups': ['matrix', 'synapse-admin']}] if matrix_synapse_admin_enabled else [])
     +
-    ([{'name': 'matrix-synapse-reverse-proxy-companion.service', 'priority': 1500, 'groups': ['matrix', 'homeservers', 'synapse', 'reverse-proxies']}] if matrix_synapse_reverse_proxy_companion_enabled else [])
+    ([{'name': 'matrix-synapse-reverse-proxy-companion.service', 'priority': 1500, 'groups': ['matrix', 'homeservers', 'synapse', 'synapse-reverse-proxy-companion', 'reverse-proxies']}] if matrix_synapse_reverse_proxy_companion_enabled else [])
     +
     ([{'name': 'matrix-user-verification-service.service', 'priority': 800, 'groups': ['matrix', 'matrix-user-verification-service']}] if matrix_user_verification_service_enabled else [])
     +
@@ -3946,11 +3946,32 @@ matrix_synapse_auto_compressor_systemd_required_services_list: |
 
 matrix_synapse_reverse_proxy_companion_enabled: "{{ matrix_synapse_enabled }}"
 
+matrix_synapse_reverse_proxy_companion_container_network: "{{ matrix_synapse_container_network }}"
+
+matrix_synapse_reverse_proxy_companion_container_additional_networks: |
+  {{
+    (
+      ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [])
+      +
+      ([] if matrix_homeserver_container_network in ['', matrix_synapse_reverse_proxy_companion_container_network] else [matrix_homeserver_container_network])
+    ) | unique
+  }}
+
 matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb: "{{ matrix_synapse_max_upload_size_mb }}"
 
 matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8008') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
 matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8048') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
 
+matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
+matrix_synapse_reverse_proxy_companion_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
+matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
+
+matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_hostname: "{{ matrix_server_fqn_matrix }}"
+
+matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_hostname: "{{ matrix_server_fqn_matrix }}"
+matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint }}"
+
 matrix_synapse_reverse_proxy_companion_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}"
 matrix_synapse_reverse_proxy_companion_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}"
 matrix_synapse_reverse_proxy_companion_synapse_generic_worker_client_server_locations: "{{ matrix_synapse_workers_generic_worker_client_server_endpoints }}"
@@ -3966,6 +3987,7 @@ matrix_synapse_reverse_proxy_companion_synapse_user_dir_locations: "{{ matrix_sy
 matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_enabled: "{{ matrix_prometheus_nginxlog_exporter_enabled }}"
 matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_server_port: "{{ (matrix_prometheus_nginxlog_exporter_container_hostname | string +':'+ matrix_prometheus_nginxlog_exporter_container_syslog_port | string) | default('') }}"
 
+
 ######################################################################
 #
 # /matrix-synapse-reverse-proxy-companion

roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml

@@ -32,7 +32,10 @@ matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }
 matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d"
 
 # List of systemd services that matrix-synapse-reverse-proxy-companion.service depends on
-matrix_synapse_reverse_proxy_companion_systemd_required_services_list: ['docker.service']
+matrix_synapse_reverse_proxy_companion_systemd_required_services_list: "{{ matrix_synapse_reverse_proxy_companion_systemd_required_services_list_default + matrix_synapse_reverse_proxy_companion_systemd_required_services_list_auto + matrix_synapse_reverse_proxy_companion_systemd_required_services_list_custom }}"
+matrix_synapse_reverse_proxy_companion_systemd_required_services_list_default: ['docker.service']
+matrix_synapse_reverse_proxy_companion_systemd_required_services_list_auto: []
+matrix_synapse_reverse_proxy_companion_systemd_required_services_list_custom: []
 
 # List of systemd services that matrix-synapse-reverse-proxy-companion.service wants
 matrix_synapse_reverse_proxy_companion_systemd_wanted_services_list: ['matrix-synapse.service']
@@ -43,15 +46,10 @@ matrix_synapse_reverse_proxy_companion_systemd_wanted_services_list: ['matrix-sy
 matrix_synapse_reverse_proxy_companion_container_image: "{{ matrix_container_global_registry_prefix }}nginx:{{ matrix_synapse_reverse_proxy_companion_version }}"
 matrix_synapse_reverse_proxy_companion_container_image_force_pull: "{{ matrix_synapse_reverse_proxy_companion_container_image.endswith(':latest') }}"
 
-matrix_synapse_reverse_proxy_companion_container_network: "{{ matrix_docker_network }}"
+matrix_synapse_reverse_proxy_companion_container_network: ""
 
 # A list of additional container networks that matrix-synapse-reverse-proxy-companion would be connected to.
 # The playbook does not create these networks, so make sure they already exist.
-#
-# Use this to expose matrix-synapse-reverse-proxy-companion to another reverse proxy, which runs in a different container network,
-# without exposing all other Matrix services to that other reverse-proxy.
-#
-# For background, see: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1498
 matrix_synapse_reverse_proxy_companion_container_additional_networks: []
 
 # Controls whether the matrix-synapse-reverse-proxy-companion container exposes its HTTP Client-Server API port (tcp/8008 in the container).
@@ -64,6 +62,46 @@ matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: ''
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8048"), or empty string to not expose.
 matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: ''
 
+# matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
+# See `../templates/labels.j2` for details.
+#
+# To inject your own other container labels, see `matrix_synapse_reverse_proxy_companion_container_labels_additional_labels`.
+matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled: true
+matrix_synapse_reverse_proxy_companion_container_labels_traefik_docker_network: "{{ matrix_synapse_reverse_proxy_companion_container_network }}"
+matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints: web-secure
+matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver: default
+
+# Controls whether labels will be added that expose the Client-Server API.
+matrix_synapse_reverse_proxy_companion_container_labels_client_api_enabled: true
+matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_hostname: ''
+matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_path_prefix: /_matrix
+matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_path_prefix }}`)"
+matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_priority: 0
+matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}"
+matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_entrypoints != 'web' }}"
+matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
+
+# TODO - /_synapse public exposure, etc.?
+
+# Controls whether labels will be added that expose the Server-Server API (Federation API).
+matrix_synapse_reverse_proxy_companion_container_labels_federation_api_enabled: "{{ matrix_synapse_reverse_proxy_companion_federation_api_enabled }}"
+matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_hostname: ''
+matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_path_prefix: /_matrix
+matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_path_prefix }}`)"
+matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_priority: 0
+matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_entrypoints: ''
+matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_entrypoints != 'web' }}"
+matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
+
+# matrix_synapse_reverse_proxy_companion_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
+# See `../templates/labels.j2` for details.
+#
+# Example:
+# matrix_synapse_reverse_proxy_companion_container_labels_additional_labels: |
+#   my.label=1
+#   another.label="here"
+matrix_synapse_reverse_proxy_companion_container_labels_additional_labels: ''
+
 # The amount of worker processes and connections
 # Consider increasing these when you are expecting high amounts of traffic
 # http://nginx.org/en/docs/ngx_core_module.html#worker_connections

roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml

@@ -8,6 +8,9 @@
     - install-synapse-reverse-proxy-companion
     - install-synapse
   block:
+    - when: matrix_synapse_reverse_proxy_companion_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
+
     - when: matrix_synapse_reverse_proxy_companion_enabled | bool
       ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
 

roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_install.yml

@@ -25,6 +25,8 @@
       dest: "{{ matrix_synapse_reverse_proxy_companion_confd_path }}/nginx-http.conf"
     - src: "{{ role_path }}/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2"
       dest: "{{ matrix_synapse_reverse_proxy_companion_confd_path }}/matrix-synapse-reverse-proxy-companion.conf"
+    - src: "{{ role_path }}/templates/labels.j2"
+      dest: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/labels"
 
 - name: Ensure matrix-synapse-reverse-proxy-companion nginx container image is pulled
   community.docker.docker_image:
@@ -37,6 +39,11 @@
   delay: "{{ devture_playbook_help_container_retries_delay }}"
   until: result is not failed
 
+- name: Ensure matrix-synapse-reverse-proxy-companion container network is created
+  community.general.docker_network:
+    name: "{{ matrix_synapse_reverse_proxy_companion_container_network }}"
+    driver: bridge
+
 - name: Ensure matrix-synapse-reverse-proxy-companion.service installed
   ansible.builtin.template:
     src: "{{ role_path }}/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2"

roles/custom/matrix-synapse-reverse-proxy-companion/tasks/validate_config.yml

@@ -0,0 +1,13 @@
+---
+
+- name: Fail if required matrix-synapse-reverse-proxy-companion settings not defined
+  ansible.builtin.fail:
+    msg: >-
+      You need to define a required configuration setting (`{{ item.name }}`).
+  when: "item.when | bool and vars[item.name] == ''"
+  with_items:
+    - {'name': 'matrix_synapse_reverse_proxy_companion_container_network', when: true}
+    - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_enabled }}"}
+    - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_hostname', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_enabled }}"}
+    - {'name': 'matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_entrypoints', when: "{{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_enabled }}"}
+

roles/custom/matrix-synapse-reverse-proxy-companion/templates/labels.j2

@@ -0,0 +1,63 @@
+{% if matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled %}
+traefik.enable=true
+
+{% if matrix_synapse_reverse_proxy_companion_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_docker_network }}
+{% endif %}
+
+traefik.http.services.matrix-synapse-reverse-proxy-companion-client-api.loadbalancer.server.port=8008
+traefik.http.services.matrix-synapse-reverse-proxy-companion-federation-api.loadbalancer.server.port=8048
+
+
+{#
+	Client-API
+#}
+{% if matrix_synapse_reverse_proxy_companion_container_labels_client_api_enabled %}
+
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.rule={{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_rule }}
+
+{% if matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.priority={{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.service=matrix-synapse-reverse-proxy-companion-client-api
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.entrypoints={{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_entrypoints }}
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.tls={{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_tls | to_json }}
+
+{% if matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_tls %}
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-client-api.tls.certResolver={{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_tls_certResolver }}
+{% endif %}
+
+{% endif %}
+{#
+	/Client-API
+#}
+
+
+{#
+	Federation-API
+#}
+{% if matrix_synapse_reverse_proxy_companion_container_labels_federation_api_enabled %}
+
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.rule={{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_rule }}
+
+{% if matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.priority={{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.service=matrix-synapse-reverse-proxy-companion-federation-api
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.entrypoints={{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_entrypoints }}
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.tls={{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_tls | to_json }}
+
+{% if matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_tls %}
+traefik.http.routers.matrix-synapse-reverse-proxy-companion-federation-api.tls.certResolver={{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_tls_certResolver }}
+{% endif %}
+
+{% endif %}
+{#
+	/Federation-API
+#}
+
+{% endif %}
+
+{{ matrix_synapse_reverse_proxy_companion_container_labels_additional_labels }}

roles/custom/matrix-synapse-reverse-proxy-companion/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2

@@ -36,6 +36,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			{% endif %}
 			--mount type=bind,src={{ matrix_synapse_reverse_proxy_companion_base_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \
 			--mount type=bind,src={{ matrix_synapse_reverse_proxy_companion_confd_path }},dst=/etc/nginx/conf.d,ro \
+			--label-file={{ matrix_synapse_reverse_proxy_companion_base_path }}/labels \
 			{{ matrix_synapse_reverse_proxy_companion_container_image }}
 
 {% for network in matrix_synapse_reverse_proxy_companion_container_additional_networks %}