Drop some matrix_nginx_proxy_proxy_riot_compat_* variables

matrix-nginx-proxy is going away and this is one of the features it offered. This feature will have no equivalent in our new Traefik-only setup, although it's possible to implement it manually by using `matrix_client_element_container_labels_additional_labels`
2 lat temu · e81a395a98
--- a/docs/configuring-playbook-riot-web.md
+++ b/docs/configuring-playbook-riot-web.md
@@ -25,15 +25,10 @@ There are a few options for handling this:
 - (**avoiding changes** - using the old `riot.DOMAIN` domain and avoiding DNS changes) -- to keep using `riot.DOMAIN` instead of `element.DOMAIN`, override the domain at which the playbook serves Element: `matrix_server_fqn_element: "riot.{{ matrix_domain }}"`
 - (**embracing changes** - using only `element.DOMAIN`) - set up the `element.DOMAIN` DNS record (see [Configuring DNS](configuring-dns.md)). You can drop the `riot.DOMAIN` in this case. If so, you may also wish to remove old SSL certificates (`rm -rf /matrix/ssl/config/live/riot.DOMAIN`) and renewal configuration (`rm -f /matrix/ssl/config/renewal/riot.DOMAIN.conf`), so that `certbot` would stop trying to renew them.
 - (**embracing changes and transitioning smoothly** - using both `element.DOMAIN` and `riot.DOMAIN`) - to serve Element at the new domain (`element.DOMAIN`) and to also have `riot.DOMAIN` redirect there - set up the `element.DOMAIN` DNS record (see [Configuring DNS](configuring-dns.md)) and enable Riot to Element redirection (`matrix_nginx_proxy_proxy_riot_compat_redirect_enabled: true`).
 - (**embracing changes** - using only `element.DOMAIN`) - set up the `element.DOMAIN` DNS record (see [Configuring DNS](configuring-dns.md)). You can drop the `riot.DOMAIN` in this case.
 ### Re-running the playbook
 As always, after making the necessary DNS and configuration adjustments, re-run the playbook to apply the changes:
 ```
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 As always, after making the necessary DNS and configuration adjustments, [re-run the playbook](./installing.md) to apply the changes.
 ```
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -3050,8 +3050,6 @@ matrix_ssl_domains_to_obtain_certificates_for: |
    +
    ([matrix_server_fqn_element] if matrix_client_element_enabled else [])
    +
    ([matrix_nginx_proxy_proxy_riot_compat_redirect_hostname] if matrix_nginx_proxy_proxy_riot_compat_redirect_enabled else [])
    +
    ([matrix_server_fqn_hydrogen] if matrix_client_hydrogen_enabled else [])
    +
    ([matrix_server_fqn_cinny] if matrix_client_cinny_enabled else [])
--- a/roles/custom/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml
@@ -117,10 +117,6 @@ matrix_nginx_proxy_container_federation_host_bind_port: '8448'
 # Option to disable the access log
 matrix_nginx_proxy_access_log_enabled: true
 # Controls whether proxying the riot domain should be done.
 matrix_nginx_proxy_proxy_riot_compat_redirect_enabled: false
 matrix_nginx_proxy_proxy_riot_compat_redirect_hostname: "riot.{{ matrix_domain }}"
 # Controls whether proxying for Synapse should be done.
 matrix_nginx_proxy_proxy_synapse_enabled: false
 matrix_nginx_proxy_proxy_synapse_hostname: "matrix-nginx-proxy"
--- a/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
+++ b/roles/custom/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
@@ -94,13 +94,6 @@
    mode: 0644
  when: matrix_nginx_proxy_proxy_element_enabled | bool
 - name: Ensure Matrix nginx-proxy configuration for riot domain exists
  ansible.builtin.template:
    src: "{{ role_path }}/templates/nginx/conf.d/matrix-riot-web.conf.j2"
    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-riot-web.conf"
    mode: 0644
  when: matrix_nginx_proxy_proxy_riot_compat_redirect_enabled | bool
 - name: Ensure Matrix nginx-proxy configuration for Hydrogen domain exists
  ansible.builtin.template:
    src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2"
@@ -251,12 +244,6 @@
    state: absent
  when: "not matrix_nginx_proxy_proxy_matrix_enabled | bool"
 - name: Ensure Matrix nginx-proxy configuration for riot domain deleted
  ansible.builtin.file:
    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-riot-web.conf"
    state: absent
  when: "not matrix_nginx_proxy_proxy_riot_compat_redirect_enabled | bool"
 - name: Ensure Matrix nginx-proxy configuration for Element domain deleted
  ansible.builtin.file:
    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-element.conf"
--- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2
+++ b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2
@@ -1,89 +0,0 @@
 #jinja2: lstrip_blocks: "True"
 {% macro render_vhost_directives() %}
 	{% if matrix_nginx_proxy_floc_optout_enabled %}
 		add_header Permissions-Policy interest-cohort=() always;
 	{% endif %}
 	{% if matrix_nginx_proxy_hsts_preload_enabled %}
 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 	{% else %}
 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 	{% endif %}
 	add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
 	{% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %}
 		{{- configuration_block }}
 	{% endfor %}
 	location / {
 		return 301 https://{{ matrix_nginx_proxy_proxy_element_hostname }}$request_uri;
 	}
 {% endmacro %}
 server {
 	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
 	listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }};
 	server_name {{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }};
 	server_tokens off;
 	root /dev/null;
 	{% if matrix_nginx_proxy_https_enabled %}
 		location /.well-known/acme-challenge {
 			{% if matrix_nginx_proxy_enabled %}
 				{# Use the embedded DNS resolver in Docker containers to discover the service #}
 				resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;
 				set $backend "matrix-certbot:8080";
 				proxy_pass http://$backend;
 			{% else %}
 				{# Generic configuration for use outside of our container setup #}
 				proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
 			{% endif %}
 		}
 		location / {
 			return 301 https://$http_host$request_uri;
 		}
 	{% else %}
 		{{ render_vhost_directives() }}
 	{% endif %}
 }
 {% if matrix_nginx_proxy_https_enabled %}
 server {
 	listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
 	listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
 	server_name {{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }};
 	server_tokens off;
 	root /dev/null;
 	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/fullchain.pem;
 	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/privkey.pem;
 	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
 	{% if matrix_nginx_proxy_ssl_ciphers != '' %}
 	ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
 	{% endif %}
 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
 	{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
 		ssl_stapling on;
 		ssl_stapling_verify on;
 		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/chain.pem;
 	{% endif %}
 	{% if matrix_nginx_proxy_ssl_session_tickets_off %}
 		ssl_session_tickets off;
 	{% endif %}
 	ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
 	ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
 	{{ render_vhost_directives() }}
 }
 {% endif %}
--- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml
+++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml
@@ -81,6 +81,8 @@
    - {'old': 'matrix_nginx_proxy_base_domain_hostname', 'new': 'matrix_static_files_container_labels_base_domain_traefik_hostname'}
    - {'old': 'matrix_nginx_proxy_base_domain_homepage_enabled', 'new': 'matrix_static_files_file_index_html_enabled'}
    - {'old': 'matrix_nginx_proxy_base_domain_create_directory', 'new': '<no longer necessary; see matrix_static_files_file_index_html_enabled>'}
    - {'old': 'matrix_nginx_proxy_proxy_riot_compat_redirect_enabled', 'new': '<redirecting the riot domain to an element domain is no longer supported - you can implement it yourself using matrix_client_element_container_labels_additional_labels>'}
    - {'old': 'matrix_nginx_proxy_proxy_riot_compat_redirect_hostname', 'new': '<redirecting the riot domain to an element domain is no longer supported - you can implement it yourself using matrix_client_element_container_labels_additional_labels>'}
 - name: (Deprecation) Catch and report matrix_postgres variables
  ansible.builtin.fail: