overmind
/
matrix-docker-ansible-deploy
şunun yansıması https://github.com/spantaleev/matrix-docker-ansible-deploy
1
0
Çatalla 0
Kod Konular 0 Sürümler 0 Wiki Aktivite
Matrix Docker Ansible eploy
25'ten fazla konu seçemezsiniz Konular bir harf veya rakamla başlamalı, kısa çizgiler ('-') içerebilir ve en fazla 35 karakter uzunluğunda olabilir.
3628 İşleme
13 Dallar
78 MiB
 
 
Ağaç: 2bd33e5cf2
Dallar Biçim İmleri
${ item.name }
${ searchTerm } dalı oluştur
'2bd33e5cf2'den
${ noResults }
matrix-docker-ansible-deploy/roles/matrix-nginx-proxy/defaults/main.yml

551 satır
33 KiB
Ham Suçlama Geçmiş 

  1. matrix_nginx_proxy_enabled: true

  2. matrix_nginx_proxy_version: 1.21.5-alpine

  3. 

  4. # We use an official nginx image, which we fix-up to run unprivileged.

  5. # An alternative would be an `nginxinc/nginx-unprivileged` image, but

  6. # that is frequently out of date.

  7. matrix_nginx_proxy_docker_image: "{{ matrix_container_global_registry_prefix }}nginx:{{ matrix_nginx_proxy_version }}"

  8. matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}"

  9. 

  10. matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy"

  11. matrix_nginx_proxy_data_path: "{{ matrix_nginx_proxy_base_path }}/data"

  12. matrix_nginx_proxy_data_path_in_container: "/nginx-data"

  13. matrix_nginx_proxy_data_path_extension: "/matrix_domain"

  14. matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_base_path }}/conf.d"

  15. 

  16. # List of systemd services that matrix-nginx-proxy.service depends on

  17. matrix_nginx_proxy_systemd_required_services_list: ['docker.service']

  18. 

  19. # List of systemd services that matrix-nginx-proxy.service wants

  20. matrix_nginx_proxy_systemd_wanted_services_list: []

  21. 

  22. # A list of additional "volumes" to mount in the container.

  23. # This list gets populated dynamically at runtime. You can provide a different default value,

  24. # if you wish to mount your own files into the container.

  25. # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}

  26. matrix_nginx_proxy_container_additional_volumes: []

  27. 

  28. # A list of extra arguments to pass to the container

  29. matrix_nginx_proxy_container_extra_arguments: []

  30. 

  31. # Controls whether matrix-nginx-proxy serves its vhosts over HTTPS or HTTP.

  32. #

  33. # If enabled:

  34. # - SSL certificates would be expected to be available (see `matrix_ssl_retrieval_method`)

  35. # - the HTTP vhost would be made a redirect to the HTTPS vhost

  36. #

  37. # If not enabled:

  38. # - you don't need any SSL certificates (you can set `matrix_ssl_retrieval_method: none`)

  39. # - naturally, there's no HTTPS vhost

  40. # - services are served directly from the HTTP vhost

  41. matrix_nginx_proxy_https_enabled: true

  42. 

  43. # Controls whether matrix-nginx-proxy trusts an upstream server's X-Forwarded-Proto header

  44. #

  45. # Required if you disable HTTPS for the container (see `matrix_nginx_proxy_https_enabled`) and have an upstream server handle it instead.

  46. matrix_nginx_proxy_trust_forwarded_proto: false

  47. matrix_nginx_proxy_x_forwarded_proto_value: "{{ '$http_x_forwarded_proto' if matrix_nginx_proxy_trust_forwarded_proto else '$scheme' }}"

  48. 

  49. # Controls whether the matrix-nginx-proxy container exposes its HTTP port (tcp/8080 in the container).

  50. #

  51. # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:80"), or empty string to not expose.

  52. matrix_nginx_proxy_container_http_host_bind_port: '80'

  53. 

  54. # Controls whether the matrix-nginx-proxy container exposes its HTTPS port (tcp/8443 in the container).

  55. #

  56. # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:443"), or empty string to not expose.

  57. #

  58. # This only makes sense and applies if `matrix_nginx_proxy_https_enabled` is set to `true`.

  59. # Otherwise, there are no HTTPS vhosts to expose.

  60. matrix_nginx_proxy_container_https_host_bind_port: '443'

  61. 

  62. # Controls whether the matrix-nginx-proxy container exposes the Matrix Federation port (tcp/8448 in the container).

  63. #

  64. # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8448"), or empty string to not expose.

  65. #

  66. # This only makes sense and applies if `matrix_nginx_proxy_proxy_matrix_federation_api_enabled` is set to `true`.

  67. # Otherwise, there is no Matrix Federation port to expose.

  68. #

  69. # This port can take HTTP or HTTPS traffic, depending on `matrix_nginx_proxy_https_enabled`.

  70. # When HTTPS is disabled, you'd likely want to only expose the port locally, and front it with another HTTPS-enabled reverse-proxy.

  71. matrix_nginx_proxy_container_federation_host_bind_port: '8448'

  72. 

  73. # Controls whether matrix-nginx-proxy should serve the base domain.

  74. #

  75. # This is useful for when you only have your Matrix server, but you need to serve

  76. # to serve `/.well-known/matrix/*` files from the base domain for the needs of

  77. # Server-Discovery (Federation) and for Client-Discovery.

  78. #

  79. # Besides serving these Matrix files, a homepage would be served with content

  80. # as specified in the `matrix_nginx_proxy_base_domain_homepage_template` variable.

  81. # You can also put additional files to use for this webpage

  82. # in the `{{ matrix_nginx_proxy_data_path }}/matrix-domain` (`/matrix/nginx-proxy/data/matrix-domain`) directory.

  83. matrix_nginx_proxy_base_domain_serving_enabled: false

  84. 

  85. # Controls whether the base domain directory and default index.html file are created.

  86. matrix_nginx_proxy_base_domain_create_directory: true

  87. 

  88. matrix_nginx_proxy_base_domain_hostname: "{{ matrix_domain }}"

  89. 

  90. # Controls whether `matrix_nginx_proxy_base_domain_homepage_template` would be dumped to an `index.html` file

  91. # in the `/matrix/nginx-proxy/data/matrix-domain` directory.

  92. #

  93. # If you would instead like to serve a static website by yourself, you can disable this.

  94. # When disabled, you're expected to put website files in `/matrix/nginx-proxy/data/matrix-domain` manually

  95. # and can expect that the playbook won't intefere with the `index.html` file.

  96. matrix_nginx_proxy_base_domain_homepage_enabled: true

  97. 

  98. matrix_nginx_proxy_base_domain_homepage_template: |-

  99.   <!doctype html>

  100.   <meta charset="utf-8" />

  101.   <html>

  102.     <body>

  103.       Hello from {{ matrix_domain }}!

  104.     </body>

  105.   </html>

  106. 

  107. # Option to disable the access log

  108. matrix_nginx_proxy_access_log_enabled: true

  109. 

  110. # Controls whether proxying the riot domain should be done.

  111. matrix_nginx_proxy_proxy_riot_compat_redirect_enabled: false

  112. matrix_nginx_proxy_proxy_riot_compat_redirect_hostname: "riot.{{ matrix_domain }}"

  113. 

  114. # Controls whether proxying for Synapse should be done.

  115. matrix_nginx_proxy_proxy_synapse_enabled: false

  116. matrix_nginx_proxy_proxy_synapse_hostname: "matrix-nginx-proxy"

  117. matrix_nginx_proxy_proxy_synapse_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}"

  118. # The addresses where the Matrix Client API is, when using Synapse.

  119. matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: ""

  120. matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: ""

  121. # The addresses where the Federation API is, when using Synapse.

  122. matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: ""

  123. matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: ""

  124. # A list of strings containing additional configuration blocks to add to the Synapse's server configuration (matrix-synapse.conf).

  125. matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks: []

  126. 

  127. # Controls whether proxying for Dendrite should be done.

  128. matrix_nginx_proxy_proxy_dendrite_enabled: false

  129. matrix_nginx_proxy_proxy_dendrite_hostname: "matrix-nginx-proxy"

  130. matrix_nginx_proxy_proxy_dendrite_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}"

  131. # Controls whether the Client API server (usually at matrix.DOMAIN:443) should explicitly reject `/_matrix/federation` endpoints.

  132. # Normally, Dendrite Monolith serves both APIs (Client & Federation) at the same port, so we can serve federation at `matrix.DOMAIN:443` too.

  133. matrix_nginx_proxy_proxy_dendrite_block_federation_api_on_client_port: true

  134. # The addresses where the Matrix Client API is, when using Dendrite.

  135. matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container: ""

  136. matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container: ""

  137. # A list of strings containing additional configuration blocks to add to the Dendrite's server configuration (matrix-dendrite.conf).

  138. matrix_nginx_proxy_proxy_dendrite_additional_server_configuration_blocks: []

  139. 

  140. # Controls whether proxying the Element domain should be done.

  141. matrix_nginx_proxy_proxy_element_enabled: false

  142. matrix_nginx_proxy_proxy_element_hostname: "{{ matrix_server_fqn_element }}"

  143. 

  144. # Controls whether proxying the Hydrogen domain should be done.

  145. matrix_nginx_proxy_proxy_hydrogen_enabled: false

  146. matrix_nginx_proxy_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}"

  147. 

  148. # Controls whether proxying the Cinny domain should be done.

  149. matrix_nginx_proxy_proxy_cinny_enabled: false

  150. matrix_nginx_proxy_proxy_cinny_hostname: "{{ matrix_server_fqn_cinny }}"

  151. 

  152. # Controls whether proxying the matrix domain should be done.

  153. matrix_nginx_proxy_proxy_matrix_enabled: false

  154. matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}"

  155. matrix_nginx_proxy_proxy_matrix_federation_hostname: "{{ matrix_nginx_proxy_proxy_matrix_hostname }}"

  156. # The port name used for federation in the nginx configuration.

  157. # This is not necessarily the port that it's actually on,

  158. # as port-mapping happens (`-p ..`) for the `matrix-nginx-proxy` container.

  159. matrix_nginx_proxy_proxy_matrix_federation_port: 8448

  160. 

  161. # Controls whether proxying the dimension domain should be done.

  162. matrix_nginx_proxy_proxy_dimension_enabled: false

  163. matrix_nginx_proxy_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}"

  164. 

  165. # Controls whether proxying the goneb domain should be done.

  166. matrix_nginx_proxy_proxy_bot_go_neb_enabled: false

  167. matrix_nginx_proxy_proxy_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }}"

  168. 

  169. # Controls whether proxying the jitsi domain should be done.

  170. matrix_nginx_proxy_proxy_jitsi_enabled: false

  171. matrix_nginx_proxy_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}"

  172. 

  173. # Controls whether proxying the grafana domain should be done.

  174. matrix_nginx_proxy_proxy_grafana_enabled: false

  175. matrix_nginx_proxy_proxy_grafana_hostname: "{{ matrix_server_fqn_grafana }}"

  176. 

  177. # Controls whether proxying the sygnal domain should be done.

  178. matrix_nginx_proxy_proxy_sygnal_enabled: false

  179. matrix_nginx_proxy_proxy_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}"

  180. 

  181. # Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain)

  182. matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false

  183. matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"

  184. matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081"

  185. 

  186. # Controls whether proxying for the User Directory Search API (`/_matrix/client/r0/user_directory/search`) should be done (on the matrix domain).

  187. # This can be used to forward the API endpoint to another service, augmenting the functionality of Synapse's own User Directory Search.

  188. # To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/directory.md

  189. matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false

  190. matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"

  191. matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"

  192. 

  193. # Controls whether proxying for 3PID-based registration (`/_matrix/client/r0/register/(email|msisdn)/requestToken`) should be done (on the matrix domain).

  194. # This allows another service to control registrations involving 3PIDs.

  195. # To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md

  196. matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled: false

  197. matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"

  198. matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"

  199. 

  200. # Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain)

  201. matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false

  202. matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"

  203. matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"

  204. 

  205. # Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain)

  206. matrix_nginx_proxy_proxy_synapse_metrics: false

  207. matrix_nginx_proxy_synapse_workers_enabled_list: []

  208. matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled: false

  209. # The following value will be written verbatim to the htpasswd file that stores the password for nginx to check against and needs to be encoded appropriately.

  210. # Read the manpage at `man 1 htpasswd` to learn more, then encrypt your password, and paste the encrypted value here.

  211. # e.g. `htpasswd -c mypass.htpasswd prometheus` and enter `mysecurepw` when prompted yields `prometheus:$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/`

  212. # The part after `prometheus:` is needed here. matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: "$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/"

  213. matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: ""

  214. 

  215. # The addresses where the Matrix Client API is.

  216. # Certain extensions (like matrix-corporal) may override this in order to capture all traffic.

  217. matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-nginx-proxy:12080"

  218. matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:12080"

  219. 

  220. # This needs to be equal or higher than the maximum upload size accepted by Synapse.

  221. matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 50

  222. 

  223. 

  224. # Tells whether `/_synapse/client` is forwarded to the Matrix Client API server.

  225. matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled: true

  226. 

  227. # Tells whether `/_synapse/oidc` is forwarded to the Matrix Client API server.

  228. # Enable this if you need OpenID Connect authentication support.

  229. matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled: false

  230. 

  231. # Tells whether `/_synapse/admin` is forwarded to the Matrix Client API server.

  232. # Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't.

  233. matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: false

  234. 

  235. # `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefixes` holds

  236. # the location prefixes that get forwarded to the Matrix Client API server.

  237. # These locations get combined into a regex like this `^(/_matrix|/_synapse/client)`.

  238. matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: |

  239.   {{

  240.     (['/_matrix'])

  241.     +

  242.     (['/_synapse/client'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled else [])

  243.     +

  244.     (['/_synapse/oidc'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled else [])

  245.     +

  246.     (['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else [])

  247.     +

  248.     (['/_synapse.*/metrics'] if matrix_nginx_proxy_proxy_synapse_metrics else [])

  249.   }}

  250. 

  251. # Specifies where requests for the root URI (`/`) on the `matrix.` domain should be redirected.

  252. # If this has an empty value, they're just passed to the homeserver, which serves a static page.

  253. # If you'd like to make `https://matrix.DOMAIN` redirect to `https://element.DOMAIN` (or something of that sort), specify the domain name here.

  254. # Example value: `element.DOMAIN` (or `{{ matrix_server_fqn_element }}`).

  255. matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: ""

  256. 

  257. # Controls whether proxying for the Matrix Federation API should be done.

  258. matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false

  259. matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-nginx-proxy:12088"

  260. matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "localhost:12088"

  261. matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb | int) * 3 }}"

  262. matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem"

  263. matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem"

  264. matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem"

  265. 

  266. # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.

  267. matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}"

  268. 

  269. # A list of strings containing additional configuration blocks to add to the nginx server configuration (nginx.conf).

  270. # for big matrixservers to enlarge the number of open files to prevent timeouts

  271. # matrix_nginx_proxy_proxy_additional_configuration_blocks:

  272. #  - 'worker_rlimit_nofile 30000;'

  273. matrix_nginx_proxy_proxy_additional_configuration_blocks: []

  274. 

  275. # A list of strings containing additional configuration blocks to add to the nginx event server configuration (nginx.conf).

  276. matrix_nginx_proxy_proxy_event_additional_configuration_blocks: []

  277. 

  278. # A list of strings containing additional configuration blocks to add to the nginx http's server configuration (nginx-http.conf).

  279. matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks: []

  280. 

  281. # A list of strings containing additional configuration blocks to add to the base matrix server configuration (matrix-domain.conf).

  282. matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: []

  283. 

  284. # A list of strings containing additional configuration blocks to add to Riot's server configuration (matrix-riot-web.conf).

  285. matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: []

  286. 

  287. # A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf).

  288. matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks: []

  289. 

  290. # A list of strings containing additional configuration blocks to add to Hydrogen's server configuration (matrix-client-hydrogen.conf).

  291. matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks: []

  292. 

  293. # A list of strings containing additional configuration blocks to add to Cinny's server configuration (matrix-client-cinny.conf).

  294. matrix_nginx_proxy_proxy_cinny_additional_server_configuration_blocks: []

  295. 

  296. # A list of strings containing additional configuration blocks to add to Dimension's server configuration (matrix-dimension.conf).

  297. matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: []

  298. 

  299. # A list of strings containing additional configuration blocks to add to GoNEB's server configuration (matrix-bot-go-neb.conf).

  300. matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks: []

  301. 

  302. # A list of strings containing additional configuration blocks to add to Jitsi's server configuration (matrix-jitsi.conf).

  303. matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks: []

  304. 

  305. # A list of strings containing additional configuration blocks to add to Grafana's server configuration (matrix-grafana.conf).

  306. matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks: []

  307. 

  308. # A list of strings containing additional configuration blocks to add to Sygnal's server configuration (matrix-sygnal.conf).

  309. matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks: []

  310. 

  311. # A list of strings containing additional configuration blocks to add to the base domain server configuration (matrix-base-domain.conf).

  312. matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: []

  313. 

  314. # To increase request timeout in NGINX using proxy_read_timeout, proxy_connect_timeout, proxy_send_timeout, send_timeout directives

  315. # Nginx Default: proxy_connect_timeout 60s;   #Defines a timeout for establishing a connection with a proxied server

  316. # Nginx Default: proxy_send_timeout 60s;      #Sets a timeout for transmitting a request to the proxied server.

  317. # Nginx Default: proxy_read_timeout 60s;      #Defines a timeout for reading a response from the proxied server.

  318. # Nginx Default: send_timeout 60s;            #Sets a timeout for transmitting a response to the client.

  319. #

  320. # For more information visit:

  321. # http://nginx.org/en/docs/http/ngx_http_proxy_module.html

  322. # http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout

  323. # https://www.nginx.com/resources/wiki/start/topics/examples/fullexample2/

  324. #

  325. # Here we are sticking with nginx default values change this value carefully.

  326. matrix_nginx_proxy_connect_timeout: 60

  327. matrix_nginx_proxy_send_timeout: 60

  328. matrix_nginx_proxy_read_timeout: 60

  329. matrix_nginx_send_timeout: 60

  330. 

  331. # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses for all vhosts meant to be accessed by users.

  332. #

  333. # Learn more about what it is here:

  334. # - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea

  335. # - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network

  336. # - https://amifloced.org/

  337. #

  338. # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.

  339. matrix_nginx_proxy_floc_optout_enabled: true

  340. 

  341. # HSTS Preloading Enable

  342. #

  343. # In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and

  344. # indicates a willingness to be “preloaded” into browsers:

  345. # `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`

  346. # For more information visit:

  347. # - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

  348. # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

  349. # - https://hstspreload.org/#opt-in

  350. matrix_nginx_proxy_hsts_preload_enabled: false

  351. 

  352. # X-XSS-Protection Enable

  353. # Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.

  354. # Note: Not applicable for grafana

  355. #

  356. # Learn more about it is here:

  357. # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

  358. # - https://portswigger.net/web-security/cross-site-scripting/reflected

  359. matrix_nginx_proxy_xss_protection: "1; mode=block"

  360. 

  361. # Specifies the SSL configuration that should be used for the SSL protocols and ciphers

  362. # This is based on the Mozilla Server Side TLS Recommended configurations.

  363. #

  364. # The posible values are:

  365. # - "modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility

  366. # - "intermediate" - Recommended configuration for a general-purpose server

  367. # - "old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8

  368. #

  369. # For more information visit:

  370. # - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations

  371. # - https://ssl-config.mozilla.org/#server=nginx

  372. matrix_nginx_proxy_ssl_preset: "intermediate"

  373. 

  374. # Presets are taken from Mozilla's Server Side TLS Recommended configurations

  375. # DO NOT modify these values and use `matrix_nginx_proxy_ssl_protocols`, `matrix_nginx_proxy_ssl_ciphers` and `matrix_nginx_proxy_ssl_ciphers`

  376. # if you wish to use something more custom.

  377. matrix_nginx_proxy_ssl_presets:

  378.   modern:

  379.     protocols: TLSv1.3

  380.     ciphers: ""

  381.     prefer_server_ciphers: "off"

  382.   intermediate:

  383.     protocols: TLSv1.2 TLSv1.3

  384.     ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

  385.     prefer_server_ciphers: "off"

  386.   old:

  387.     protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3

  388.     ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA

  389.     prefer_server_ciphers: "on"

  390. 

  391. 

  392. # Specifies which *SSL protocols* to use when serving all the various vhosts.

  393. matrix_nginx_proxy_ssl_protocols: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}"

  394. 

  395. # Specifies whether to prefer *the client’s choice or the server’s choice* when negotiating ciphers.

  396. matrix_nginx_proxy_ssl_prefer_server_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}"

  397. 

  398. # Specifies which *SSL Cipher suites* to use when serving all the various vhosts.

  399. # To see the full list for suportes ciphers run `openssl ciphers` on your server

  400. matrix_nginx_proxy_ssl_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"

  401. 

  402. # Specifies what to use for the X-Forwarded-For variable.

  403. # If you're fronting the nginx reverse-proxy with additional reverse-proxy servers,

  404. # you may wish to set this to '$proxy_add_x_forwarded_for' instead.

  405. matrix_nginx_proxy_x_forwarded_for: '$remote_addr'

  406. 

  407. # Controls whether the self-check feature should validate SSL certificates.

  408. matrix_nginx_proxy_self_check_validate_certificates: true

  409. 

  410. # Controls whether redirects will be followed when checking the `/.well-known/matrix/client` resource.

  411. #

  412. # As per the spec (https://matrix.org/docs/spec/client_server/r0.6.0#well-known-uri), it shouldn't be,

  413. # so we default to not following redirects as well.

  414. matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects: none

  415. 

  416. # For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter).

  417. #

  418. # Otherwise, we get warnings like this:

  419. # > [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/matrix/ssl/config/live/.../fullchain.pem"

  420. #

  421. # We point it to the internal Docker resolver, which likely delegates to nameservers defined in `/etc/resolv.conf`.

  422. #

  423. # When nginx proxy is disabled, our configuration is likely used by non-containerized nginx, so can't use the internal Docker resolver.

  424. # Pointing `resolver` to some public DNS server might be an option, but for now we impose DNS servers on people.

  425. # It might also be that no such warnings occur when not running in a container.

  426. matrix_nginx_proxy_http_level_resolver: "{{ '127.0.0.11' if matrix_nginx_proxy_enabled else '' }}"

  427. 

  428. # By default, this playbook automatically retrieves and auto-renews

  429. # free SSL certificates from Let's Encrypt.

  430. #

  431. # The following retrieval methods are supported:

  432. # - "lets-encrypt" - the playbook obtains free SSL certificates from Let's Encrypt

  433. # - "self-signed" - the playbook generates and self-signs certificates

  434. # - "manually-managed" - lets you manage certificates by yourself (manually; see below)

  435. # - "none" - like "manually-managed", but doesn't care if you don't drop certificates in the location it expects

  436. #

  437. # If you decide to manage certificates by yourself (`matrix_ssl_retrieval_method: manually-managed`),

  438. # you'd need to drop them into the directory specified by `matrix_ssl_config_dir_path`

  439. # obeying the following hierarchy:

  440. # - <matrix_ssl_config_dir_path>/live/<domain>/fullchain.pem

  441. # - <matrix_ssl_config_dir_path>/live/<domain>/privkey.pem

  442. # where <domain> refers to the domains that you need (usually `matrix_server_fqn_matrix` and `matrix_server_fqn_element`).

  443. #

  444. # The "none" type (`matrix_ssl_retrieval_method: none`), simply means that no certificate retrieval will happen.

  445. # It's useful for when you've disabled the nginx proxy (`matrix_nginx_proxy_enabled: false`)

  446. # and you'll be using another reverse-proxy server (like Apache) with your own certificates, managed by yourself.

  447. # It's also useful if you're using `matrix_nginx_proxy_https_enabled: false` to make this nginx proxy serve

  448. # plain HTTP traffic only (usually, on the loopback interface only) and you'd be terminating SSL using another reverse-proxy.

  449. matrix_ssl_retrieval_method: "lets-encrypt"

  450. 

  451. matrix_ssl_architecture: "amd64"

  452. 

  453. # The full list of domains that this role will obtain certificates for.

  454. # This variable is likely redefined outside of the role, to include the domains that are necessary (depending on the services that are enabled).

  455. # To add additional domain names, consider using `matrix_ssl_additional_domains_to_obtain_certificates_for` instead.

  456. matrix_ssl_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains_to_obtain_certificates_for }}"

  457. 

  458. # A list of additional domain names to obtain certificates for.

  459. matrix_ssl_additional_domains_to_obtain_certificates_for: []

  460. 

  461. # Controls whether to obtain production or staging certificates from Let's Encrypt.

  462. # If you'd like to use another ACME Certificate Authority server (not Let's Encrypt), use `matrix_ssl_lets_encrypt_server`

  463. matrix_ssl_lets_encrypt_staging: false

  464. 

  465. # Controls from which Certificate Authority server to retrieve the SSL certificates (passed as a `--server` flag to Certbot).

  466. # By default, we use the Let's Encrypt production environment (use `matrix_ssl_lets_encrypt_staging` for using the staging environment).

  467. # Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#changing-the-acme-server

  468. matrix_ssl_lets_encrypt_server: ''

  469. 

  470. matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.21.0"

  471. matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"

  472. matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402

  473. matrix_ssl_lets_encrypt_support_email: ~

  474. 

  475. # Tells which interface and port the Let's Encrypt (certbot) container should try to bind to

  476. # when it tries to obtain initial certificates in standalone mode.

  477. #

  478. # This should normally be a public interface and port.

  479. # If you'd like to not bind on all IP addresses, specify one explicitly (e.g. `a.b.c.d:80`)

  480. matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port: '80'

  481. 

  482. matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"

  483. matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"

  484. matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"

  485. 

  486. # If you'd like to start some service before a certificate is obtained, specify it here.

  487. # This could be something like `matrix-dynamic-dns`, etc.

  488. matrix_ssl_pre_obtaining_required_service_name: ~

  489. matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60

  490. 

  491. # Nginx Optimize SSL Session

  492. #

  493. # ssl_session_cache:

  494. # - Creating a cache of TLS connection parameters reduces the number of handshakes

  495. #   and thus can improve the performance of application.

  496. # - Default session cache is not optimal as it can be used by only one worker process

  497. #   and can cause memory fragmentation. It is much better to use shared cache.

  498. # - Learn More: https://nginx.org/en/docs/http/ngx_http_ssl_module.html

  499. #

  500. # ssl_session_timeout:

  501. # - Nginx by default it is set to 5 minutes which is very low.

  502. #   should be like 4h or 1d but will require you to increase the size of cache.

  503. # - Learn More:

  504. #     https://github.com/certbot/certbot/issues/6903

  505. #     https://github.com/mozilla/server-side-tls/issues/198

  506. #

  507. # ssl_session_tickets:

  508. # - In case of session tickets, information about session is given to the client.

  509. #   Enabling this improve performance also make Perfect Forward Secrecy useless.

  510. # - If you would instead like to use ssl_session_tickets by yourself, you can set

  511. #   matrix_nginx_proxy_ssl_session_tickets_off false.

  512. # - Learn More: https://github.com/mozilla/server-side-tls/issues/135

  513. #

  514. # Presets are taken from Mozilla's Server Side TLS Recommended configurations

  515. matrix_nginx_proxy_ssl_session_cache: "shared:MozSSL:10m"

  516. matrix_nginx_proxy_ssl_session_timeout: "1d"

  517. matrix_nginx_proxy_ssl_session_tickets_off: true

  518. 

  519. # OCSP Stapling eliminating the need for clients to contact the CA, with the aim of improving both security and performance.

  520. # OCSP stapling can provide a performance boost of up to 30%

  521. # nginx web server supports OCSP stapling since version 1.3.7.

  522. #

  523. # *warning* Nginx is lazy loading OCSP responses, which means that for the first few web requests it is unable to add the OCSP response.

  524. # set matrix_nginx_proxy_ocsp_stapling_enabled false to disable OCSP Stapling

  525. #

  526. # Learn more about what it is here:

  527. # - https://en.wikipedia.org/wiki/OCSP_stapling

  528. # - https://blog.cloudflare.com/high-reliability-ocsp-stapling/

  529. # - https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/

  530. matrix_nginx_proxy_ocsp_stapling_enabled: true

  531. 

  532. # nginx status page configurations.

  533. matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: false

  534. matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ['{{ ansible_default_ipv4.address }}']

  535. 

  536. 

  537. # synapse worker activation and endpoint mappings

  538. matrix_nginx_proxy_synapse_workers_enabled: false

  539. matrix_nginx_proxy_synapse_workers_list: []

  540. matrix_nginx_proxy_synapse_generic_worker_client_server_locations: []

  541. matrix_nginx_proxy_synapse_generic_worker_federation_locations: []

  542. matrix_nginx_proxy_synapse_media_repository_locations: []

  543. matrix_nginx_proxy_synapse_user_dir_locations: []

  544. matrix_nginx_proxy_synapse_frontend_proxy_locations: []

  545. 

  546. # The amount of worker processes and connections

  547. # Consider increasing these when you are expecting high amounts of traffic

  548. # http://nginx.org/en/docs/ngx_core_module.html#worker_connections

  549. matrix_nginx_proxy_worker_processes: 1

  550. matrix_nginx_proxy_worker_connections: 1024