overmind
/
matrix-docker-ansible-deploy
의 미러 https://github.com/spantaleev/matrix-docker-ansible-deploy
1
0
포크 0
코드 이슈 0 릴리즈 0 위키 활동
Matrix Docker Ansible eploy
25개 이상의 토픽을 선택하실 수 없습니다. Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2270 커밋
12 브랜치
691 MiB
 
 
트리: 63301b0ef1
브랜치 태그
${ item.name }
${ searchTerm } 브랜치 생성
from '63301b0ef1'
${ noResults }
matrix-docker-ansible-deploy/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2

408 lines
14 KiB
Raw Blame 히스토리 

  1. #jinja2: lstrip_blocks: "True"

  2. {% macro render_nginx_status_location_block(addresses) %}

  3. 	{# Empty first line to make indentation prettier. #}

  4. 

  5. 	location /nginx_status {

  6. 		stub_status on;

  7. 		access_log off;

  8. 		{% for address in addresses %}

  9. 		allow {{ address }};

  10. 		{% endfor %}

  11. 		deny all;

  12. 	}

  13. {% endmacro %}

  14. 

  15. 

  16. {% macro render_vhost_directives() %}

  17. 	gzip on;

  18. 	gzip_types text/plain application/json;

  19. 

  20. 	location /.well-known/matrix {

  21. 		root {{ matrix_static_files_base_path }};

  22. 		{#

  23. 			A somewhat long expires value is used to prevent outages

  24. 			in case this is unreachable due to network failure or

  25. 			due to the base domain's server completely dying.

  26. 		#}

  27. 		expires 4h;

  28. 		default_type application/json;

  29. 		add_header Access-Control-Allow-Origin *;

  30. 	}

  31. 

  32. 	{% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %}

  33. 		{{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }}

  34. 	{% endif %}

  35. 

  36. 	{% if matrix_nginx_proxy_proxy_matrix_corporal_api_enabled %}

  37. 	location ^~ /_matrix/corporal {

  38. 		{% if matrix_nginx_proxy_enabled %}

  39. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  40. 			resolver 127.0.0.11 valid=5s;

  41. 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container }}";

  42. 			proxy_pass http://$backend;

  43. 		{% else %}

  44. 			{# Generic configuration for use outside of our container setup #}

  45. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container }};

  46. 		{% endif %}

  47. 

  48. 		proxy_set_header Host $host;

  49. 		proxy_set_header X-Forwarded-For $remote_addr;

  50. 	}

  51. 	{% endif %}

  52. 

  53. 	{% if matrix_nginx_proxy_proxy_matrix_identity_api_enabled %}

  54. 	location ^~ /_matrix/identity {

  55. 		{% if matrix_nginx_proxy_enabled %}

  56. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  57. 			resolver 127.0.0.11 valid=5s;

  58. 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}";

  59. 			proxy_pass http://$backend;

  60. 		{% else %}

  61. 			{# Generic configuration for use outside of our container setup #}

  62. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }};

  63. 		{% endif %}

  64. 

  65. 		proxy_set_header Host $host;

  66. 		proxy_set_header X-Forwarded-For $remote_addr;

  67. 	}

  68. 	{% endif %}

  69. 

  70. 	{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled %}

  71. 	# NOTE: This redirects user lookup requests to the identity server instead of

  72. 	# synapse, so user_dir_workers endpoints listed further down in this file will

  73. 	# not be reached and workers of this kind should be disabled for consistency.

  74. 	location ^~ /_matrix/client/r0/user_directory/search {

  75. 		{% if matrix_nginx_proxy_enabled %}

  76. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  77. 			resolver 127.0.0.11 valid=5s;

  78. 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container }}";

  79. 			proxy_pass http://$backend;

  80. 		{% else %}

  81. 			{# Generic configuration for use outside of our container setup #}

  82. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container }};

  83. 		{% endif %}

  84. 

  85. 		proxy_set_header Host $host;

  86. 		proxy_set_header X-Forwarded-For $remote_addr;

  87. 	}

  88. 	{% endif %}

  89. 

  90. 	{% if matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled %}

  91. 	location ~ ^/_matrix/client/r0/register/(email|msisdn)/requestToken$ {

  92. 		{% if matrix_nginx_proxy_enabled %}

  93. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  94. 			resolver 127.0.0.11 valid=5s;

  95. 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container }}";

  96. 			proxy_pass http://$backend;

  97. 		{% else %}

  98. 			{# Generic configuration for use outside of our container setup #}

  99. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container }};

  100. 		{% endif %}

  101. 

  102. 		proxy_set_header Host $host;

  103. 		proxy_set_header X-Forwarded-For $remote_addr;

  104. 	}

  105. 	{% endif %}

  106. 

  107. 	{% if matrix_nginx_proxy_synapse_workers_enabled %}

  108. 		{# Workers redirects BEGIN #}

  109. 

  110. 		{% if generic_workers %}

  111. 			# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappgeneric_worker

  112. 			{% for location in matrix_nginx_proxy_synapse_generic_worker_client_server_locations %}

  113. 			location ~ {{ location }} {

  114. 				proxy_pass http://generic_worker_upstream$request_uri;

  115. 				proxy_set_header Host $host;

  116. 				proxy_set_header X-Forwarded-For $remote_addr;

  117. 			}

  118. 			{% endfor %}

  119. 		{% endif %}

  120. 

  121. 		{% if media_repository_workers %}

  122. 			# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappmedia_repository

  123. 			{% for location in matrix_nginx_proxy_synapse_media_repository_locations %}

  124. 			location ~ {{ location }} {

  125. 				proxy_pass http://media_repository_upstream$request_uri;

  126. 				proxy_set_header Host $host;

  127. 				proxy_set_header X-Forwarded-For $remote_addr;

  128. 

  129. 				client_body_buffer_size 25M;

  130. 				client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M;

  131. 				proxy_max_temp_file_size 0;

  132. 			}

  133. 			{% endfor %}

  134. 		{% endif %}

  135. 

  136. 		{% if user_dir_workers %}

  137. 			# FIXME: obsolete if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled is set

  138. 			# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappuser_dir

  139. 			{% for location in matrix_nginx_proxy_synapse_user_dir_locations %}

  140. 			location ~ {{ location }} {

  141. 				proxy_pass http://user_dir_upstream$request_uri;

  142. 				proxy_set_header Host $host;

  143. 				proxy_set_header X-Forwarded-For $remote_addr;

  144. 			}

  145. 			{% endfor %}

  146. 		{% endif %}

  147. 

  148. 		{% if frontend_proxy_workers %}

  149. 			# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappfrontend_proxy

  150. 			{% for location in matrix_nginx_proxy_synapse_frontend_proxy_locations %}

  151. 			location ~ {{ location }} {

  152. 				proxy_pass http://frontend_proxy_upstream$request_uri;

  153. 				proxy_set_header Host $host;

  154. 				proxy_set_header X-Forwarded-For $remote_addr;

  155. 			}

  156. 			{% endfor %}

  157. 			{% if matrix_nginx_proxy_synapse_presence_disabled %}

  158. 			# FIXME: keep in sync with synapse workers documentation manually

  159. 			location ~ ^/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status {

  160. 				proxy_pass http://frontend_proxy_upstream$request_uri;

  161. 				proxy_set_header Host $host;

  162. 				proxy_set_header X-Forwarded-For $remote_addr;

  163. 			}

  164. 			{% endif %}

  165. 		{% endif %}

  166. 		{# Workers redirects END #}

  167. 	{% endif %}

  168. 

  169. 

  170. 	{% for configuration_block in matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks %}

  171. 		{{- configuration_block }}

  172. 	{% endfor %}

  173. 

  174. 	{% if matrix_nginx_proxy_proxy_synapse_metrics %}

  175. 	location /_synapse/metrics {

  176. 		{% if matrix_nginx_proxy_enabled %}

  177. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  178. 			resolver 127.0.0.11 valid=5s;

  179. 			set $backend "{{ matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container }}";

  180. 			proxy_pass http://$backend;

  181. 		{% else %}

  182. 			{# Generic configuration for use outside of our container setup #}

  183. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container }};

  184. 		{% endif %}

  185. 

  186. 		proxy_set_header Host $host;

  187. 		proxy_set_header X-Forwarded-For $remote_addr;

  188. 

  189. 		{% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %}

  190. 			auth_basic "protected";

  191. 			auth_basic_user_file /nginx-data/matrix-synapse-metrics-htpasswd;

  192. 		{% endif %}

  193. 	}

  194. 	{% endif %}

  195. 

  196. 	{#

  197. 		This handles the Matrix Client API only.

  198. 		The Matrix Federation API is handled by a separate vhost.

  199. 	#}

  200. 	location ~* ^({{ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes|join('|') }}) {

  201. 		{% if matrix_nginx_proxy_enabled %}

  202. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  203. 			resolver 127.0.0.11 valid=5s;

  204. 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}";

  205. 			proxy_pass http://$backend;

  206. 		{% else %}

  207. 			{# Generic configuration for use outside of our container setup #}

  208. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container }};

  209. 		{% endif %}

  210. 

  211. 		proxy_set_header Host $host;

  212. 		proxy_set_header X-Forwarded-For $remote_addr;

  213. 

  214. 		client_body_buffer_size 25M;

  215. 		client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M;

  216. 		proxy_max_temp_file_size 0;

  217. 	}

  218. 

  219. 	location / {

  220. 		{% if matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain %}

  221. 			return 302 $scheme://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri;

  222. 		{% else %}

  223. 			rewrite ^/$ /_matrix/static/ last;

  224. 		{% endif %}

  225. 	}

  226. {% endmacro %}

  227. 

  228. {% set generic_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'generic_worker')|list %}

  229. {% set media_repository_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'media_repository')|list %}

  230. {% set user_dir_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'user_dir')|list %}

  231. {% set frontend_proxy_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'frontend_proxy')|list %}

  232. {% if matrix_nginx_proxy_synapse_workers_enabled %}

  233. 	# Round Robin "upstream" pools for workers

  234. 

  235. 	{% if generic_workers %}

  236. 	upstream generic_worker_upstream {

  237. 		# ensures that requests from the same client will always be passed

  238. 		# to the same server (except when this server is unavailable)

  239. 		ip_hash;

  240. 

  241. 		{% for worker in generic_workers %}

  242. 		server "matrix-synapse:{{ worker.port }}";

  243. 		{% endfor %}

  244. 	}

  245. 	{% endif %}

  246. 

  247. 	{% if frontend_proxy_workers %}

  248. 	upstream frontend_proxy_upstream {

  249. 		{% for worker in frontend_proxy_workers %}

  250. 		server "matrix-synapse:{{ worker.port }}";

  251. 		{% endfor %}

  252. 	}

  253. 	{% endif %}

  254. 

  255. 	{% if media_repository_workers %}

  256. 	upstream media_repository_upstream {

  257. 		{% for worker in media_repository_workers %}

  258. 		server "matrix-synapse:{{ worker.port }}";

  259. 		{% endfor %}

  260. 	}

  261. 	{% endif %}

  262. 

  263. 	{% if user_dir_workers %}

  264. 	upstream user_dir_upstream {

  265. 		{% for worker in user_dir_workers %}

  266. 		server "matrix-synapse:{{ worker.port }}";

  267. 		{% endfor %}

  268. 	}

  269. 	{% endif %}

  270. {% endif %}

  271. 

  272. server {

  273. 	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};

  274. 	server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};

  275. 

  276. 	server_tokens off;

  277. 	root /dev/null;

  278. 

  279. 	{% if matrix_nginx_proxy_https_enabled %}

  280. 		location /.well-known/acme-challenge {

  281. 			{% if matrix_nginx_proxy_enabled %}

  282. 				{# Use the embedded DNS resolver in Docker containers to discover the service #}

  283. 				resolver 127.0.0.11 valid=5s;

  284. 				set $backend "matrix-certbot:8080";

  285. 				proxy_pass http://$backend;

  286. 			{% else %}

  287. 				{# Generic configuration for use outside of our container setup #}

  288. 				proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};

  289. 			{% endif %}

  290. 		}

  291. 

  292. 		{% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %}

  293. 			{{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }}

  294. 		{% endif %}

  295. 

  296. 		location / {

  297. 			return 301 https://$http_host$request_uri;

  298. 		}

  299. 	{% else %}

  300. 		{{ render_vhost_directives() }}

  301. 	{% endif %}

  302. }

  303. 

  304. {% if matrix_nginx_proxy_https_enabled %}

  305. server {

  306. 	listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;

  307. 	listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;

  308. 

  309. 	server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};

  310. 

  311. 	server_tokens off;

  312. 	root /dev/null;

  313. 

  314. 	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem;

  315. 	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem;

  316. 

  317. 	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};

  318. 	{% if matrix_nginx_proxy_ssl_ciphers != '' %}

  319. 	ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};

  320. 	{% endif %}

  321. 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};

  322. 

  323. 	{{ render_vhost_directives() }}

  324. }

  325. {% endif %}

  326. 

  327. {% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %}

  328. {#

  329. 	This federation vhost is a little special.

  330. 	It serves federation over HTTP or HTTPS, depending on `matrix_nginx_proxy_https_enabled`.

  331. #}

  332. server {

  333. 	{% if matrix_nginx_proxy_https_enabled %}

  334. 		listen 8448 ssl http2;

  335. 		listen [::]:8448 ssl http2;

  336. 	{% else %}

  337. 		listen 8448;

  338. 	{% endif %}

  339. 

  340. 	server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};

  341. 	server_tokens off;

  342. 

  343. 	root /dev/null;

  344. 

  345. 	gzip on;

  346. 	gzip_types text/plain application/json;

  347. 

  348. 	{% if matrix_nginx_proxy_https_enabled %}

  349. 		ssl_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate }};

  350. 		ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }};

  351. 

  352. 	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};

  353. 	{% if matrix_nginx_proxy_ssl_ciphers != '' %}

  354. 	ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};

  355. 	{% endif %}

  356. 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};

  357. 

  358. 	{% endif %}

  359. 

  360. 	{% if matrix_nginx_proxy_synapse_workers_enabled %}

  361. 		{% if generic_workers %}

  362. 			# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappgeneric_worker

  363. 			{% for location in matrix_nginx_proxy_synapse_generic_worker_federation_locations %}

  364. 			location ~ {{ location }} {

  365. 				proxy_pass http://generic_worker_upstream$request_uri;

  366. 				proxy_set_header Host $host;

  367. 				proxy_set_header X-Forwarded-For $remote_addr;

  368. 			}

  369. 			{% endfor %}

  370. 			# FIXME: add GET ^/_matrix/federation/v1/groups/

  371. 		{% endif %}

  372. 		{% if media_repository_workers %}

  373. 			# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappmedia_repository

  374. 			{% for location in matrix_nginx_proxy_synapse_media_repository_locations %}

  375. 			location ~ {{ location }} {

  376. 				proxy_pass http://media_repository_upstream$request_uri;

  377. 				proxy_set_header Host $host;

  378. 				proxy_set_header X-Forwarded-For $remote_addr;

  379. 

  380. 				client_body_buffer_size 25M;

  381. 				client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M;

  382. 				proxy_max_temp_file_size 0;

  383. 			}

  384. 			{% endfor %}

  385. 		{% endif %}

  386. 	{% endif %}

  387. 

  388. 	location / {

  389. 		{% if matrix_nginx_proxy_enabled %}

  390. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  391. 			resolver 127.0.0.11 valid=5s;

  392. 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container }}";

  393. 			proxy_pass http://$backend;

  394. 		{% else %}

  395. 			{# Generic configuration for use outside of our container setup #}

  396. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container }};

  397. 		{% endif %}

  398. 

  399. 		proxy_set_header Host $host;

  400. 		proxy_set_header X-Forwarded-For $remote_addr;

  401. 

  402. 		client_body_buffer_size 25M;

  403. 		client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M;

  404. 		proxy_max_temp_file_size 0;

  405. 	}

  406. }

  407. {% endif %}