Instead of hardcoding '/irc' in two places, the Traefik path prefix is now
derived from the mediaProxy publicUrl_pathPrefix variable by stripping the
trailing slash (Traefik paths must not end with a slash, except for '/').
Added validation to ensure:
- publicUrl_pathPrefix starts and ends with a slash (required by the service)
- Traefik path prefix doesn't end with a slash (consistent with other roles)

Role defaults should not reference playbook-level variables like
matrix_playbook_reverse_proxy_type or traefik_entrypoint_primary,
as this breaks standalone usage of the role.
Following the pattern established by other roles (matrix-sliding-sync,
matrix-synapse-admin, matrix-media-repo, etc.), Traefik variables now
use safe standalone defaults (true, web-secure, default) while the
actual playbook wiring remains in group_vars/matrix_servers.
Also standardized certResolver variable naming to use camelCase,
consistent with other roles in the playbook.

Instead of hardcoding 'https' in the publicUrl, introduce a scheme variable
that can be configured. This follows the pattern used by other roles
(e.g., matrix_mautrix_discord_scheme, matrix_hookshot_public_scheme).
New variables:
- matrix_appservice_irc_ircService_mediaProxy_publicUrl_scheme (defaults to https)
- matrix_appservice_irc_ircService_mediaProxy_publicUrl (combines scheme, hostname, pathPrefix)
The scheme is wired in group_vars/matrix_servers based on matrix_playbook_ssl_enabled,
consistent with how other roles handle this.

Variables that map to nested YAML config properties should follow the pattern:
matrix_<component>_<configPath>_<nestedProperty>
For ircService.mediaProxy.*, we now use:
- matrix_appservice_irc_ircService_mediaProxy_bindPort
- matrix_appservice_irc_ircService_mediaProxy_publicUrl_hostname
- matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix
This follows the existing pattern used by matrix_appservice_irc_ircService_servers
and similar variables in other roles (e.g., matrix_hookshot_github_defaultOptions_*).
Also renamed the Traefik path prefix variable to include 'media_proxy' for clarity:
- matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix

This:
- brings consistency - no more mixing `_name_prefix` and `_registry_prefix`
- adds extensibility - a future patch will allow reconfiguring all registry prefixes for all roles in the playbook
We still have `_docker_` vs `_container_` inconsistencies.
These may be worked on later.

This is done for a few reasons:
- fewer globals and more independence for each role is better. We rely
  on various externally-hosted roles and they don't rely on this global
  either.
- `matrix_container_global_registry_prefix` could make people think they
  could just override this variable and have all their images pull from
  elsewhere. This is rarely the case, unless you've taken special care
  to mirror all the various components (from their respective
  registries) to your own. In such a case, you probably know what you're
  mirroring and can adjust individual variables.
- nowadays, various components live on different registries.
  With Docker Inc tightening rate limits for Docker Hub, it's even more
  likely that we'll see increased diversity in where images are hosted.
Related to 0241c71a4c
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3270#issuecomment-2143782962

With this change, it should be possible for people to adjust the Docker
dependency from `docker.service` to something else (e.g. `pkg-ContainerManager-dockerd.service`),
or to completely eliminate it by setting `devture_systemd_docker_base_docker_service_name` to an empty string.
This makes it easier for people to use the playbook against a Synology DSM server.

This is backward-compatible with what we had before. We're not changing
the SSL mode - just making it configurable.
Most components are defaulting to `sslmode=disable`, while some
(`matrix-bot-matrix-reminder-bot` and others) do not specify an `sslmode` at all.
We're making sslmode configurable, because certain external Postgres
servers may be configured to require SSL encryption.
In such cases `sslmode=disable` does not work and needs to be changed to
`sslmode=require` or something else (`verify-ca`, `verify-full`, etc).
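
An added example, not part of the commit messages above or of the playbook's own code: a small audit of Postgres connection strings that reports what each `sslmode` means against a server that requires SSL. It assumes libpq's documented `sslmode` semantics; the function names and the sample connection strings are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# libpq semantics per sslmode: (can connect to an SSL-only server,
# encryption guaranteed, server certificate verified)
SSLMODES = {
    "disable":     (False, False, False),
    "allow":       (True,  False, False),
    "prefer":      (True,  False, False),
    "require":     (True,  True,  False),
    "verify-ca":   (True,  True,  True),   # chain only, not the hostname
    "verify-full": (True,  True,  True),   # chain and hostname
}

def extract_sslmode(conn):
    """Return sslmode from a URI or keyword/value connection string, else None."""
    if "://" in conn:
        values = parse_qs(urlsplit(conn).query).get("sslmode")
        return values[-1] if values else None
    # Simple keyword/value form; quoted values containing spaces are not handled.
    for part in conn.split():
        key, _, value = part.partition("=")
        if key == "sslmode":
            return value.strip("'")
    return None

def audit(conn):
    """Describe how one connection string behaves against an SSL-only server."""
    mode = extract_sslmode(conn)
    if mode is None:
        return "sslmode unset: behaviour depends on the client driver's default"
    if mode not in SSLMODES:
        return f"sslmode={mode}: not a recognised value"
    connects, encrypted, verified = SSLMODES[mode]
    if not connects:
        return f"sslmode={mode}: connection to an SSL-only server fails"
    if not encrypted:
        return f"sslmode={mode}: connects, but may fall back to plaintext elsewhere"
    if not verified:
        return f"sslmode={mode}: encrypted, server certificate not verified"
    return f"sslmode={mode}: encrypted, server certificate verified"

# Constructed sample connection strings (hosts and credentials are placeholders).
SAMPLES = [
    "postgres://matrix:secret@matrix-postgres:5432/synapse?sslmode=disable",
    "postgres://matrix:secret@db.example.com:5432/reminder_bot",
    "host=db.example.com dbname=matrix user=matrix sslmode=verify-full",
]

if __name__ == "__main__":
    print(*map(audit, SAMPLES), sep="\n")
```

Only `verify-ca` and `verify-full` authenticate the server; `require` encrypts the connection without checking who is on the other end.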