overmind
/
matrix-docker-ansible-deploy
mirror of https://github.com/spantaleev/matrix-docker-ansible-deploy
1
0
Fork 0
Code Issues 0 Releases 0 Wiki Activity
Matrix Docker Ansible eploy
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7117 Commits
11 Branches
1.1 GiB
 
 
Tree: 4639eebf12
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4639eebf12'
${ noResults }
matrix-docker-ansible-deploy/roles/custom/matrix-nginx-proxy/defaults/main.yml

565 lines
34 KiB
Raw Blame History 

  1. ---

  2. # Project source code URL: https://github.com/nginx/nginx

  3. matrix_nginx_proxy_enabled: true

  4. # renovate: datasource=docker depName=nginx

  5. matrix_nginx_proxy_version: 1.25.3-alpine

  6. 

  7. # We use an official nginx image, which we fix-up to run unprivileged.

  8. # An alternative would be an `nginxinc/nginx-unprivileged` image, but

  9. # that is frequently out of date.

  10. matrix_nginx_proxy_docker_image: "{{ matrix_container_global_registry_prefix }}nginx:{{ matrix_nginx_proxy_version }}"

  11. matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}"

  12. 

  13. matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy"

  14. matrix_nginx_proxy_data_path: "{{ matrix_nginx_proxy_base_path }}/data"

  15. matrix_nginx_proxy_data_path_in_container: "/nginx-data"

  16. matrix_nginx_proxy_data_path_extension: "/matrix-domain"

  17. matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_base_path }}/conf.d"

  18. 

  19. # List of systemd services that matrix-nginx-proxy.service depends on

  20. matrix_nginx_proxy_systemd_required_services_list: ['docker.service']

  21. 

  22. # List of systemd services that matrix-nginx-proxy.service wants

  23. matrix_nginx_proxy_systemd_wanted_services_list: []

  24. 

  25. # The base container network.

  26. # Also see: matrix_nginx_proxy_container_additional_networks

  27. matrix_nginx_proxy_container_network: "{{ matrix_docker_network }}"

  28. 

  29. # A list of additional container networks that matrix-nginx-proxy would be connected to.

  30. # The playbook does not create these networks, so make sure they already exist.

  31. #

  32. # Use this to expose matrix-nginx-proxy to another reverse proxy, which runs in a different container network,

  33. # without exposing all other Matrix services to that other reverse-proxy.

  34. #

  35. # For background, see: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1498

  36. matrix_nginx_proxy_container_additional_networks: []

  37. 

  38. # A list of additional "volumes" to mount in the container.

  39. # This list gets populated dynamically at runtime. You can provide a different default value,

  40. # if you wish to mount your own files into the container.

  41. # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}

  42. matrix_nginx_proxy_container_additional_volumes: []

  43. 

  44. # matrix_nginx_proxy_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.

  45. # See `../templates/labels.j2` for details.

  46. #

  47. # To inject your own other container labels, see `matrix_nginx_proxy_container_labels_additional_labels`.

  48. matrix_nginx_proxy_container_labels_traefik_enabled: false

  49. matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_nginx_proxy_container_network }}"

  50. matrix_nginx_proxy_container_labels_traefik_entrypoints: web-secure

  51. matrix_nginx_proxy_container_labels_traefik_tls_certResolver: default  # noqa var-naming

  52. 

  53. matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: false

  54. matrix_nginx_proxy_container_labels_traefik_proxy_matrix_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"

  55. matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_hostname: "{{ matrix_server_fqn_matrix }}"

  56. matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_client_hostname }}`)"

  57. matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_hostname: "{{ matrix_server_fqn_matrix }}"

  58. matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_hostname }}`)"

  59. matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint: "{{ matrix_federation_traefik_entrypoint }}"

  60. matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints: "{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint }}"

  61. 

  62. # matrix_nginx_proxy_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.

  63. # See `../templates/labels.j2` for details.

  64. #

  65. # Example:

  66. # matrix_nginx_proxy_container_labels_additional_labels: |

  67. #   my.label=1

  68. #   another.label="here"

  69. matrix_nginx_proxy_container_labels_additional_labels: ''

  70. 

  71. 

  72. # A list of extra arguments to pass to the container

  73. matrix_nginx_proxy_container_extra_arguments: []

  74. 

  75. # Controls whether matrix-nginx-proxy serves its vhosts over HTTPS or HTTP.

  76. #

  77. # If enabled:

  78. # - SSL certificates would be expected to be available (see `matrix_ssl_retrieval_method`)

  79. # - the HTTP vhost would be made a redirect to the HTTPS vhost

  80. #

  81. # If not enabled:

  82. # - you don't need any SSL certificates (you can set `matrix_ssl_retrieval_method: none`)

  83. # - naturally, there's no HTTPS vhost

  84. # - services are served directly from the HTTP vhost

  85. matrix_nginx_proxy_https_enabled: true

  86. 

  87. # Controls whether matrix-nginx-proxy trusts an upstream server's X-Forwarded-Proto header

  88. #

  89. # Required if you disable HTTPS for the container (see `matrix_nginx_proxy_https_enabled`) and have an upstream server handle it instead.

  90. matrix_nginx_proxy_trust_forwarded_proto: false

  91. matrix_nginx_proxy_x_forwarded_proto_value: "{{ '$http_x_forwarded_proto' if matrix_nginx_proxy_trust_forwarded_proto else '$scheme' }}"

  92. 

  93. # Controls whether the matrix-nginx-proxy container exposes its HTTP port (tcp/8080 in the container).

  94. #

  95. # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:80"), or empty string to not expose.

  96. matrix_nginx_proxy_container_http_host_bind_port: '80'

  97. 

  98. # Controls whether the matrix-nginx-proxy container exposes its HTTPS port (tcp/8443 in the container).

  99. #

  100. # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:443"), or empty string to not expose.

  101. #

  102. # This only makes sense and applies if `matrix_nginx_proxy_https_enabled` is set to `true`.

  103. # Otherwise, there are no HTTPS vhosts to expose.

  104. matrix_nginx_proxy_container_https_host_bind_port: '443'

  105. 

  106. # Controls whether the matrix-nginx-proxy container exposes the Matrix Federation port (tcp/8448 in the container).

  107. #

  108. # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8448"), or empty string to not expose.

  109. #

  110. # This only makes sense and applies if `matrix_nginx_proxy_proxy_matrix_federation_api_enabled` is set to `true`.

  111. # Otherwise, there is no Matrix Federation port to expose.

  112. #

  113. # This port can take HTTP or HTTPS traffic, depending on `matrix_nginx_proxy_https_enabled`.

  114. # When HTTPS is disabled, you'd likely want to only expose the port locally, and front it with another HTTPS-enabled reverse-proxy.

  115. matrix_nginx_proxy_container_federation_host_bind_port: '8448'

  116. 

  117. # Option to disable the access log

  118. matrix_nginx_proxy_access_log_enabled: true

  119. 

  120. # Controls whether proxying for Synapse should be done.

  121. matrix_nginx_proxy_proxy_synapse_enabled: false

  122. matrix_nginx_proxy_proxy_synapse_hostname: "matrix-nginx-proxy"

  123. matrix_nginx_proxy_proxy_synapse_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}"

  124. # The addresses where the Matrix Client API is, when using Synapse.

  125. matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: ""

  126. matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: ""

  127. # The addresses where the Federation API is, when using Synapse.

  128. matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: ""

  129. matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: ""

  130. # A list of strings containing additional configuration blocks to add to the Synapse's server configuration (matrix-synapse.conf).

  131. matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks: []

  132. 

  133. # Controls whether proxying for Dendrite should be done.

  134. matrix_nginx_proxy_proxy_dendrite_enabled: false

  135. matrix_nginx_proxy_proxy_dendrite_hostname: "matrix-nginx-proxy"

  136. matrix_nginx_proxy_proxy_dendrite_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}"

  137. # Controls whether the Client API server (usually at matrix.DOMAIN:443) should explicitly reject `/_matrix/federation` endpoints.

  138. # Normally, Dendrite Monolith serves both APIs (Client & Federation) at the same port, so we can serve federation at `matrix.DOMAIN:443` too.

  139. matrix_nginx_proxy_proxy_dendrite_block_federation_api_on_client_port: true

  140. # The addresses where the Matrix Client API is, when using Dendrite.

  141. matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container: ""

  142. matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container: ""

  143. # A list of strings containing additional configuration blocks to add to the Dendrite's server configuration (matrix-dendrite.conf).

  144. matrix_nginx_proxy_proxy_dendrite_additional_server_configuration_blocks: []

  145. 

  146. # Controls whether proxying for Conduit should be done.

  147. matrix_nginx_proxy_proxy_conduit_enabled: false

  148. matrix_nginx_proxy_proxy_conduit_hostname: "matrix-nginx-proxy"

  149. matrix_nginx_proxy_proxy_conduit_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}"

  150. # Controls whether the Client API server (usually at matrix.DOMAIN:443) should explicitly reject `/_matrix/federation` endpoints.

  151. matrix_nginx_proxy_proxy_conduit_block_federation_api_on_client_port: true

  152. # The addresses where the Matrix Client API is, when using Conduit.

  153. matrix_nginx_proxy_proxy_conduit_client_api_addr_with_container: ""

  154. matrix_nginx_proxy_proxy_conduit_client_api_addr_sans_container: ""

  155. # The addresses where the Federation API is, when using Conduit.

  156. matrix_nginx_proxy_proxy_conduit_federation_api_addr_with_container: ""

  157. matrix_nginx_proxy_proxy_conduit_federation_api_addr_sans_container: ""

  158. # A list of strings containing additional configuration blocks to add to the Conduit's server configuration (matrix-conduit.conf).

  159. matrix_nginx_proxy_proxy_conduit_additional_server_configuration_blocks: []

  160. 

  161. # Controls whether proxying the Element domain should be done.

  162. matrix_nginx_proxy_proxy_element_enabled: false

  163. matrix_nginx_proxy_proxy_element_hostname: "{{ matrix_server_fqn_element }}"

  164. 

  165. # Controls whether proxying the Hydrogen domain should be done.

  166. matrix_nginx_proxy_proxy_hydrogen_enabled: false

  167. matrix_nginx_proxy_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}"

  168. 

  169. # Controls whether proxying the Cinny domain should be done.

  170. matrix_nginx_proxy_proxy_cinny_enabled: false

  171. matrix_nginx_proxy_proxy_cinny_hostname: "{{ matrix_server_fqn_cinny }}"

  172. 

  173. # Controls whether proxying the schildichat domain should be done.

  174. matrix_nginx_proxy_proxy_schildichat_enabled: false

  175. matrix_nginx_proxy_proxy_schildichat_hostname: "{{ matrix_server_fqn_schildichat }}"

  176. 

  177. # Controls whether proxying the buscarron domain should be done.

  178. matrix_nginx_proxy_proxy_buscarron_enabled: false

  179. matrix_nginx_proxy_proxy_buscarron_hostname: "{{ matrix_server_fqn_buscarron }}"

  180. 

  181. # Controls whether proxying the matrix domain should be done.

  182. matrix_nginx_proxy_proxy_matrix_enabled: false

  183. matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}"

  184. matrix_nginx_proxy_proxy_matrix_federation_hostname: "{{ matrix_nginx_proxy_proxy_matrix_hostname }}"

  185. # The port name used for federation in the nginx configuration.

  186. # This is not necessarily the port that it's actually on,

  187. # as port-mapping happens (`-p ..`) for the `matrix-nginx-proxy` container.

  188. matrix_nginx_proxy_proxy_matrix_federation_port: 8448

  189. 

  190. # Controls whether proxying the dimension domain should be done.

  191. matrix_nginx_proxy_proxy_dimension_enabled: false

  192. matrix_nginx_proxy_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}"

  193. 

  194. # Controls whether proxying the rageshake domain should be done.

  195. matrix_nginx_proxy_proxy_rageshake_enabled: false

  196. matrix_nginx_proxy_proxy_rageshake_hostname: "{{ matrix_server_fqn_rageshake }}"

  197. 

  198. # Controls whether proxying the etherpad domain should be done.

  199. matrix_nginx_proxy_proxy_etherpad_enabled: false

  200. matrix_nginx_proxy_proxy_etherpad_hostname: "{{ matrix_server_fqn_etherpad }}"

  201. 

  202. # Controls whether proxying the goneb domain should be done.

  203. matrix_nginx_proxy_proxy_bot_go_neb_enabled: false

  204. matrix_nginx_proxy_proxy_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }}"

  205. 

  206. # Controls whether proxying the jitsi domain should be done.

  207. matrix_nginx_proxy_proxy_jitsi_enabled: false

  208. matrix_nginx_proxy_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}"

  209. 

  210. # Controls whether proxying the grafana domain should be done.

  211. matrix_nginx_proxy_proxy_grafana_enabled: false

  212. matrix_nginx_proxy_proxy_grafana_hostname: "{{ matrix_server_fqn_grafana }}"

  213. 

  214. # Controls whether proxying the sygnal domain should be done.

  215. matrix_nginx_proxy_proxy_sygnal_enabled: false

  216. matrix_nginx_proxy_proxy_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}"

  217. 

  218. # Controls whether proxying the mautrix wsproxy should be done.

  219. matrix_nginx_proxy_proxy_mautrix_wsproxy_enabled: false

  220. matrix_nginx_proxy_proxy_mautrix_wsproxy_hostname: "{{ matrix_server_fqn_mautrix_wsproxy }}"

  221. 

  222. # Controls whether proxying the ntfy domain should be done.

  223. matrix_nginx_proxy_proxy_ntfy_enabled: false

  224. matrix_nginx_proxy_proxy_ntfy_hostname: "{{ matrix_server_fqn_ntfy }}"

  225. 

  226. # Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain)

  227. matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false

  228. matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"

  229. matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081"

  230. 

  231. # Controls whether proxying for the media repo (`/_matrix/media`) should be done (on the matrix domain)

  232. matrix_nginx_proxy_proxy_media_repo_enabled: false

  233. matrix_nginx_proxy_proxy_media_repo_addr_with_container: "matrix-media-repo:{{ matrix_media_repo_port }}"

  234. matrix_nginx_proxy_proxy_media_repo_addr_sans_container: "127.0.0.1:{{ matrix_media_repo_port }}"

  235. 

  236. # The addresses where the Matrix Client API is.

  237. # Certain extensions (like matrix-corporal) may override this in order to capture all traffic.

  238. matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-nginx-proxy:12080"

  239. matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:12080"

  240. 

  241. # This needs to be equal or higher than the maximum upload size accepted by Synapse.

  242. matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 50

  243. 

  244. # `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefixes` holds

  245. # the location prefixes that get forwarded to the Matrix Client API server.

  246. # These locations get combined into a regex like this `^(/_matrix|/_synapse/client)`.

  247. matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: |

  248.   {{

  249.     (['/_matrix'])

  250.   }}

  251. 

  252. # Controls whether proxying for the Matrix Federation API should be done.

  253. matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false

  254. matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-nginx-proxy:12088"

  255. matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:12088"

  256. matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb | int) * 3 }}"

  257. matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem"

  258. matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem"

  259. matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem"

  260. 

  261. # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.

  262. matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}"

  263. matrix_nginx_proxy_tmp_cache_directory_size_mb: "{{ (matrix_nginx_proxy_synapse_cache_max_size_mb | int) * 2 }}"

  264. # A list of strings containing additional configuration blocks to add to the nginx server configuration (nginx.conf).

  265. # for big matrixservers to enlarge the number of open files to prevent timeouts

  266. # matrix_nginx_proxy_proxy_additional_configuration_blocks:

  267. #  - 'worker_rlimit_nofile 30000;'

  268. matrix_nginx_proxy_proxy_additional_configuration_blocks: []

  269. 

  270. # A list of strings containing additional configuration blocks to add to the nginx event server configuration (nginx.conf).

  271. matrix_nginx_proxy_proxy_event_additional_configuration_blocks: []

  272. 

  273. # A list of strings containing additional configuration blocks to add to the nginx http's server configuration (nginx-http.conf).

  274. matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks: []

  275. 

  276. # A list of strings containing additional configuration blocks to add to the base matrix server configuration (matrix-domain.conf).

  277. matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: []

  278. 

  279. # A list of strings containing additional configuration blocks to add to Riot's server configuration (matrix-riot-web.conf).

  280. matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: []

  281. 

  282. # A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf).

  283. matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks: []

  284. 

  285. # A list of strings containing additional configuration blocks to add to Hydrogen's server configuration (matrix-client-hydrogen.conf).

  286. matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks: []

  287. 

  288. # A list of strings containing additional configuration blocks to add to Cinny's server configuration (matrix-client-cinny.conf).

  289. matrix_nginx_proxy_proxy_cinny_additional_server_configuration_blocks: []

  290. 

  291. # A list of strings containing additional configuration blocks to add to schildichat's server configuration (matrix-client-schildichat.conf).

  292. matrix_nginx_proxy_proxy_schildichat_additional_server_configuration_blocks: []

  293. 

  294. # A list of strings containing additional configuration blocks to add to buscarron's server configuration (matrix-bot-buscarron.conf).

  295. matrix_nginx_proxy_proxy_buscarron_additional_server_configuration_blocks: []

  296. 

  297. # A list of strings containing additional configuration blocks to add to Dimension's server configuration (matrix-dimension.conf).

  298. matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: []

  299. 

  300. # A list of strings containing additional configuration blocks to add to Rageshake's server configuration (matrix-rageshake.conf).

  301. matrix_nginx_proxy_proxy_rageshake_additional_server_configuration_blocks: []

  302. 

  303. # A list of strings containing additional configuration blocks to add to etherpad's server configuration (matrix-etherpad.conf).

  304. matrix_nginx_proxy_proxy_etherpad_additional_server_configuration_blocks: []

  305. 

  306. # A list of strings containing additional configuration blocks to add to GoNEB's server configuration (matrix-bot-go-neb.conf).

  307. matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks: []

  308. 

  309. # A list of strings containing additional configuration blocks to add to Jitsi's server configuration (matrix-jitsi.conf).

  310. matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks: []

  311. 

  312. # A list of strings containing additional configuration blocks to add to Grafana's server configuration (matrix-grafana.conf).

  313. matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks: []

  314. 

  315. # A list of strings containing additional configuration blocks to add to Sygnal's server configuration (matrix-sygnal.conf).

  316. matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks: []

  317. 

  318. # A list of strings containing additional configuration blocks to add to mautrix wsproxy server configuration (matrix-mautrix-wsproxy.conf).

  319. matrix_nginx_proxy_proxy_mautrix_wsproxy_additional_server_configuration_blocks: []

  320. 

  321. # A list of strings containing additional configuration blocks to add to ntfy's server configuration (matrix-ntfy.conf).

  322. matrix_nginx_proxy_proxy_ntfy_additional_server_configuration_blocks: []

  323. 

  324. # A list of strings containing additional configuration blocks to add to the base domain server configuration (matrix-base-domain.conf).

  325. matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: []

  326. 

  327. # To increase request timeout in NGINX using proxy_read_timeout, proxy_connect_timeout, proxy_send_timeout, send_timeout directives

  328. # Nginx Default: proxy_connect_timeout 60s;   #Defines a timeout for establishing a connection with a proxied server

  329. # Nginx Default: proxy_send_timeout 60s;      #Sets a timeout for transmitting a request to the proxied server.

  330. # Nginx Default: proxy_read_timeout 60s;      #Defines a timeout for reading a response from the proxied server.

  331. # Nginx Default: send_timeout 60s;            #Sets a timeout for transmitting a response to the client.

  332. #

  333. # For more information visit:

  334. # http://nginx.org/en/docs/http/ngx_http_proxy_module.html

  335. # http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout

  336. # https://www.nginx.com/resources/wiki/start/topics/examples/fullexample2/

  337. #

  338. # Here we are sticking with nginx default values change this value carefully.

  339. matrix_nginx_proxy_connect_timeout: 60

  340. matrix_nginx_proxy_send_timeout: 60

  341. matrix_nginx_proxy_read_timeout: 60

  342. matrix_nginx_send_timeout: 60

  343. 

  344. # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses for all vhosts meant to be accessed by users.

  345. #

  346. # Learn more about what it is here:

  347. # - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea

  348. # - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network

  349. # - https://amifloced.org/

  350. #

  351. # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.

  352. matrix_nginx_proxy_floc_optout_enabled: true

  353. 

  354. # HSTS Preloading Enable

  355. #

  356. # In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and

  357. # indicates a willingness to be “preloaded” into browsers:

  358. # `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`

  359. # For more information visit:

  360. # - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

  361. # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

  362. # - https://hstspreload.org/#opt-in

  363. matrix_nginx_proxy_hsts_preload_enabled: false

  364. 

  365. # X-XSS-Protection Enable

  366. # Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.

  367. # Note: Not applicable for grafana

  368. #

  369. # Learn more about it is here:

  370. # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

  371. # - https://portswigger.net/web-security/cross-site-scripting/reflected

  372. matrix_nginx_proxy_xss_protection: "1; mode=block"

  373. 

  374. # Specifies the SSL configuration that should be used for the SSL protocols and ciphers

  375. # This is based on the Mozilla Server Side TLS Recommended configurations.

  376. #

  377. # The posible values are:

  378. # - "modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility

  379. # - "intermediate" - Recommended configuration for a general-purpose server

  380. # - "old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8

  381. #

  382. # For more information visit:

  383. # - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations

  384. # - https://ssl-config.mozilla.org/#server=nginx

  385. matrix_nginx_proxy_ssl_preset: "intermediate"

  386. 

  387. # Presets are taken from Mozilla's Server Side TLS Recommended configurations

  388. # DO NOT modify these values and use `matrix_nginx_proxy_ssl_protocols`, `matrix_nginx_proxy_ssl_ciphers` and `matrix_nginx_proxy_ssl_ciphers`

  389. # if you wish to use something more custom.

  390. matrix_nginx_proxy_ssl_presets:

  391.   modern:

  392.     protocols: TLSv1.3

  393.     ciphers: ""

  394.     prefer_server_ciphers: "off"

  395.   intermediate:

  396.     protocols: TLSv1.2 TLSv1.3

  397.     ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

  398.     prefer_server_ciphers: "off"

  399.   old:

  400.     protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3

  401.     ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA

  402.     prefer_server_ciphers: "on"

  403. 

  404. 

  405. # Specifies which *SSL protocols* to use when serving all the various vhosts.

  406. matrix_nginx_proxy_ssl_protocols: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}"

  407. 

  408. # Specifies whether to prefer *the client’s choice or the server’s choice* when negotiating ciphers.

  409. matrix_nginx_proxy_ssl_prefer_server_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}"

  410. 

  411. # Specifies which *SSL Cipher suites* to use when serving all the various vhosts.

  412. # To see the full list for suportes ciphers run `openssl ciphers` on your server

  413. matrix_nginx_proxy_ssl_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"

  414. 

  415. # Specifies what to use for the X-Forwarded-For variable.

  416. # If you're fronting the nginx reverse-proxy with additional reverse-proxy servers,

  417. # you may wish to set this to '$proxy_add_x_forwarded_for' instead.

  418. matrix_nginx_proxy_x_forwarded_for: '$remote_addr'

  419. 

  420. # For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter).

  421. #

  422. # Otherwise, we get warnings like this:

  423. # > [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/matrix/ssl/config/live/.../fullchain.pem"

  424. #

  425. # We point it to the internal Docker resolver, which likely delegates to nameservers defined in `/etc/resolv.conf`.

  426. #

  427. # When nginx proxy is disabled, our configuration is likely used by non-containerized nginx, so can't use the internal Docker resolver.

  428. # Pointing `resolver` to some public DNS server might be an option, but for now we impose DNS servers on people.

  429. # It might also be that no such warnings occur when not running in a container.

  430. matrix_nginx_proxy_http_level_resolver: "{{ '127.0.0.11' if matrix_nginx_proxy_enabled else '' }}"

  431. 

  432. # By default, this playbook automatically retrieves and auto-renews

  433. # free SSL certificates from Let's Encrypt.

  434. #

  435. # The following retrieval methods are supported:

  436. # - "lets-encrypt" - the playbook obtains free SSL certificates from Let's Encrypt

  437. # - "self-signed" - the playbook generates and self-signs certificates

  438. # - "manually-managed" - lets you manage certificates by yourself (manually; see below)

  439. # - "none" - like "manually-managed", but doesn't care if you don't drop certificates in the location it expects

  440. #

  441. # If you decide to manage certificates by yourself (`matrix_ssl_retrieval_method: manually-managed`),

  442. # you'd need to drop them into the directory specified by `matrix_ssl_config_dir_path`

  443. # obeying the following hierarchy:

  444. # - <matrix_ssl_config_dir_path>/live/<domain>/fullchain.pem

  445. # - <matrix_ssl_config_dir_path>/live/<domain>/privkey.pem

  446. # where <domain> refers to the domains that you need (usually `matrix_server_fqn_matrix` and `matrix_server_fqn_element`).

  447. #

  448. # The "none" type (`matrix_ssl_retrieval_method: none`), simply means that no certificate retrieval will happen.

  449. # It's useful for when you've disabled the nginx proxy (`matrix_nginx_proxy_enabled: false`)

  450. # and you'll be using another reverse-proxy server (like Apache) with your own certificates, managed by yourself.

  451. # It's also useful if you're using `matrix_nginx_proxy_https_enabled: false` to make this nginx proxy serve

  452. # plain HTTP traffic only (usually, on the loopback interface only) and you'd be terminating SSL using another reverse-proxy.

  453. matrix_ssl_retrieval_method: "lets-encrypt"

  454. 

  455. matrix_ssl_architecture: "amd64"

  456. 

  457. # The full list of domains that this role will obtain certificates for.

  458. # This variable is likely redefined outside of the role, to include the domains that are necessary (depending on the services that are enabled).

  459. # To add additional domain names, consider using `matrix_ssl_additional_domains_to_obtain_certificates_for` instead.

  460. matrix_ssl_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains_to_obtain_certificates_for }}"

  461. 

  462. # A list of additional domain names to obtain certificates for.

  463. matrix_ssl_additional_domains_to_obtain_certificates_for: []

  464. 

  465. # Controls whether to obtain production or staging certificates from Let's Encrypt.

  466. # If you'd like to use another ACME Certificate Authority server (not Let's Encrypt), use `matrix_ssl_lets_encrypt_server`

  467. matrix_ssl_lets_encrypt_staging: false

  468. 

  469. # Controls from which Certificate Authority server to retrieve the SSL certificates (passed as a `--server` flag to Certbot).

  470. # By default, we use the Let's Encrypt production environment (use `matrix_ssl_lets_encrypt_staging` for using the staging environment).

  471. # Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#changing-the-acme-server

  472. matrix_ssl_lets_encrypt_server: ''

  473. 

  474. matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v2.0.0"

  475. matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"

  476. matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402

  477. matrix_ssl_lets_encrypt_support_email: ~

  478. 

  479. # Tells which interface and port the Let's Encrypt (certbot) container should try to bind to

  480. # when it tries to obtain initial certificates in standalone mode.

  481. #

  482. # This should normally be a public interface and port.

  483. # If you'd like to not bind on all IP addresses, specify one explicitly (e.g. `a.b.c.d:80`)

  484. matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port: '80'

  485. 

  486. # Specify key type of the private key algorithm.

  487. # Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#rsa-and-ecdsa-keys

  488. matrix_ssl_lets_encrypt_key_type: ecdsa

  489. 

  490. matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"

  491. matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"

  492. matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"

  493. matrix_ssl_bin_dir_path: "{{ matrix_ssl_base_path }}/bin"

  494. 

  495. # If you'd like to start some service before a certificate is obtained, specify it here.

  496. # This could be something like `matrix-dynamic-dns`, etc.

  497. matrix_ssl_pre_obtaining_required_service_name: ~

  498. matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60

  499. 

  500. # matrix_ssl_orphaned_renewal_configs_purging_enabled controls whether the playbook will delete Let's Encryption renewal configuration files (`/matrix/ssl/config/renewal/*.conf)

  501. # for domains that are not part of the `matrix_ssl_domains_to_obtain_certificates_for` list.

  502. #

  503. # As the `matrix_ssl_domains_to_obtain_certificates_for` list changes over time, the playbook obtains certificates for various domains

  504. # and sets up "renewal" configuration files to keep these certificates fresh.

  505. # When a domain disappears from the `matrix_ssl_domains_to_obtain_certificates_for` list (because its associated service had gotten disabled),

  506. # the certificate files and renewal configuration still remain in the filesystem and certbot may try to renewal the certificate for this domain.

  507. # If there's no DNS record for this domain or it doesn't point to this server anymore, the `matrix-ssl-lets-encrypt-certificates-renew.service` systemd service

  508. # won't be able to renew the certificate and will generate an error.

  509. #

  510. # With `matrix_ssl_orphaned_renewal_configs_purging_enabled` enabled, orphaned renewal configurations will be purged on each playbook run.

  511. # Some other leftover files will still remain, but we don't bother purging them because they don't cause troubles.

  512. matrix_ssl_orphaned_renewal_configs_purging_enabled: true

  513. 

  514. # Nginx Optimize SSL Session

  515. #

  516. # ssl_session_cache:

  517. # - Creating a cache of TLS connection parameters reduces the number of handshakes

  518. #   and thus can improve the performance of application.

  519. # - Default session cache is not optimal as it can be used by only one worker process

  520. #   and can cause memory fragmentation. It is much better to use shared cache.

  521. # - Learn More: https://nginx.org/en/docs/http/ngx_http_ssl_module.html

  522. #

  523. # ssl_session_timeout:

  524. # - Nginx by default it is set to 5 minutes which is very low.

  525. #   should be like 4h or 1d but will require you to increase the size of cache.

  526. # - Learn More:

  527. #     https://github.com/certbot/certbot/issues/6903

  528. #     https://github.com/mozilla/server-side-tls/issues/198

  529. #

  530. # ssl_session_tickets:

  531. # - In case of session tickets, information about session is given to the client.

  532. #   Enabling this improve performance also make Perfect Forward Secrecy useless.

  533. # - If you would instead like to use ssl_session_tickets by yourself, you can set

  534. #   matrix_nginx_proxy_ssl_session_tickets_off false.

  535. # - Learn More: https://github.com/mozilla/server-side-tls/issues/135

  536. #

  537. # Presets are taken from Mozilla's Server Side TLS Recommended configurations

  538. matrix_nginx_proxy_ssl_session_cache: "shared:MozSSL:10m"

  539. matrix_nginx_proxy_ssl_session_timeout: "1d"

  540. matrix_nginx_proxy_ssl_session_tickets_off: true

  541. 

  542. # OCSP Stapling eliminating the need for clients to contact the CA, with the aim of improving both security and performance.

  543. # OCSP stapling can provide a performance boost of up to 30%

  544. # nginx web server supports OCSP stapling since version 1.3.7.

  545. #

  546. # *warning* Nginx is lazy loading OCSP responses, which means that for the first few web requests it is unable to add the OCSP response.

  547. # set matrix_nginx_proxy_ocsp_stapling_enabled false to disable OCSP Stapling

  548. #

  549. # Learn more about what it is here:

  550. # - https://en.wikipedia.org/wiki/OCSP_stapling

  551. # - https://blog.cloudflare.com/high-reliability-ocsp-stapling/

  552. # - https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/

  553. matrix_nginx_proxy_ocsp_stapling_enabled: true

  554. 

  555. # nginx status page configurations.

  556. matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: false

  557. matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ['{{ ansible_default_ipv4.address }}']

  558. 

  559. 

  560. # The amount of worker processes and connections

  561. # Consider increasing these when you are expecting high amounts of traffic

  562. # http://nginx.org/en/docs/ngx_core_module.html#worker_connections

  563. matrix_nginx_proxy_worker_processes: auto

  564. matrix_nginx_proxy_worker_connections: 1024