overmind
/
matrix-docker-ansible-deploy
Mirror von https://github.com/spantaleev/matrix-docker-ansible-deploy
1
0
Fork 0
Code Issues 0 Releases 0 Wiki Aktivität
Matrix Docker Ansible eploy
Du kannst nicht mehr als 25 Themen auswählen Themen müssen entweder mit einem Buchstaben oder einer Ziffer beginnen. Sie können Bindestriche („-“) enthalten und bis zu 35 Zeichen lang sein.
3723 Commits
13 Branches
79 MiB
 
 
Struktur: 6df1d29ab9
Branches Tags
${ item.name }
Erstelle Branch ${ searchTerm }
von „6df1d29ab9“
${ noResults }
matrix-docker-ansible-deploy/roles/matrix-nginx-proxy/defaults/main.yml

560 Zeilen
33 KiB
Originalformat Blame Verlauf 

  1. matrix_nginx_proxy_enabled: true

  2. matrix_nginx_proxy_version: 1.21.5-alpine

  3. 

  4. # We use an official nginx image, which we fix-up to run unprivileged.

  5. # An alternative would be an `nginxinc/nginx-unprivileged` image, but

  6. # that is frequently out of date.

  7. matrix_nginx_proxy_docker_image: "{{ matrix_container_global_registry_prefix }}nginx:{{ matrix_nginx_proxy_version }}"

  8. matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}"

  9. 

  10. matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy"

  11. matrix_nginx_proxy_data_path: "{{ matrix_nginx_proxy_base_path }}/data"

  12. matrix_nginx_proxy_data_path_in_container: "/nginx-data"

  13. matrix_nginx_proxy_data_path_extension: "/matrix_domain"

  14. matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_base_path }}/conf.d"

  15. 

  16. # List of systemd services that matrix-nginx-proxy.service depends on

  17. matrix_nginx_proxy_systemd_required_services_list: ['docker.service']

  18. 

  19. # List of systemd services that matrix-nginx-proxy.service wants

  20. matrix_nginx_proxy_systemd_wanted_services_list: []

  21. 

  22. # A list of additional container networks that matrix-nginx-proxy would be connected to.

  23. # The playbook does not create these networks, so make sure they already exist.

  24. #

  25. # Use this to expose matrix-nginx-proxy to another reverse proxy, which runs in a different container network,

  26. # without exposing all other Matrix services to that other reverse-proxy.

  27. #

  28. # For background, see: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1498

  29. matrix_nginx_proxy_container_additional_networks: []

  30. 

  31. # A list of additional "volumes" to mount in the container.

  32. # This list gets populated dynamically at runtime. You can provide a different default value,

  33. # if you wish to mount your own files into the container.

  34. # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}

  35. matrix_nginx_proxy_container_additional_volumes: []

  36. 

  37. # A list of extra arguments to pass to the container

  38. matrix_nginx_proxy_container_extra_arguments: []

  39. 

  40. # Controls whether matrix-nginx-proxy serves its vhosts over HTTPS or HTTP.

  41. #

  42. # If enabled:

  43. # - SSL certificates would be expected to be available (see `matrix_ssl_retrieval_method`)

  44. # - the HTTP vhost would be made a redirect to the HTTPS vhost

  45. #

  46. # If not enabled:

  47. # - you don't need any SSL certificates (you can set `matrix_ssl_retrieval_method: none`)

  48. # - naturally, there's no HTTPS vhost

  49. # - services are served directly from the HTTP vhost

  50. matrix_nginx_proxy_https_enabled: true

  51. 

  52. # Controls whether matrix-nginx-proxy trusts an upstream server's X-Forwarded-Proto header

  53. #

  54. # Required if you disable HTTPS for the container (see `matrix_nginx_proxy_https_enabled`) and have an upstream server handle it instead.

  55. matrix_nginx_proxy_trust_forwarded_proto: false

  56. matrix_nginx_proxy_x_forwarded_proto_value: "{{ '$http_x_forwarded_proto' if matrix_nginx_proxy_trust_forwarded_proto else '$scheme' }}"

  57. 

  58. # Controls whether the matrix-nginx-proxy container exposes its HTTP port (tcp/8080 in the container).

  59. #

  60. # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:80"), or empty string to not expose.

  61. matrix_nginx_proxy_container_http_host_bind_port: '80'

  62. 

  63. # Controls whether the matrix-nginx-proxy container exposes its HTTPS port (tcp/8443 in the container).

  64. #

  65. # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:443"), or empty string to not expose.

  66. #

  67. # This only makes sense and applies if `matrix_nginx_proxy_https_enabled` is set to `true`.

  68. # Otherwise, there are no HTTPS vhosts to expose.

  69. matrix_nginx_proxy_container_https_host_bind_port: '443'

  70. 

  71. # Controls whether the matrix-nginx-proxy container exposes the Matrix Federation port (tcp/8448 in the container).

  72. #

  73. # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8448"), or empty string to not expose.

  74. #

  75. # This only makes sense and applies if `matrix_nginx_proxy_proxy_matrix_federation_api_enabled` is set to `true`.

  76. # Otherwise, there is no Matrix Federation port to expose.

  77. #

  78. # This port can take HTTP or HTTPS traffic, depending on `matrix_nginx_proxy_https_enabled`.

  79. # When HTTPS is disabled, you'd likely want to only expose the port locally, and front it with another HTTPS-enabled reverse-proxy.

  80. matrix_nginx_proxy_container_federation_host_bind_port: '8448'

  81. 

  82. # Controls whether matrix-nginx-proxy should serve the base domain.

  83. #

  84. # This is useful for when you only have your Matrix server, but you need to serve

  85. # to serve `/.well-known/matrix/*` files from the base domain for the needs of

  86. # Server-Discovery (Federation) and for Client-Discovery.

  87. #

  88. # Besides serving these Matrix files, a homepage would be served with content

  89. # as specified in the `matrix_nginx_proxy_base_domain_homepage_template` variable.

  90. # You can also put additional files to use for this webpage

  91. # in the `{{ matrix_nginx_proxy_data_path }}/matrix-domain` (`/matrix/nginx-proxy/data/matrix-domain`) directory.

  92. matrix_nginx_proxy_base_domain_serving_enabled: false

  93. 

  94. # Controls whether the base domain directory and default index.html file are created.

  95. matrix_nginx_proxy_base_domain_create_directory: true

  96. 

  97. matrix_nginx_proxy_base_domain_hostname: "{{ matrix_domain }}"

  98. 

  99. # Controls whether `matrix_nginx_proxy_base_domain_homepage_template` would be dumped to an `index.html` file

  100. # in the `/matrix/nginx-proxy/data/matrix-domain` directory.

  101. #

  102. # If you would instead like to serve a static website by yourself, you can disable this.

  103. # When disabled, you're expected to put website files in `/matrix/nginx-proxy/data/matrix-domain` manually

  104. # and can expect that the playbook won't intefere with the `index.html` file.

  105. matrix_nginx_proxy_base_domain_homepage_enabled: true

  106. 

  107. matrix_nginx_proxy_base_domain_homepage_template: |-

  108.   <!doctype html>

  109.   <meta charset="utf-8" />

  110.   <html>

  111.     <body>

  112.       Hello from {{ matrix_domain }}!

  113.     </body>

  114.   </html>

  115. 

  116. # Option to disable the access log

  117. matrix_nginx_proxy_access_log_enabled: true

  118. 

  119. # Controls whether proxying the riot domain should be done.

  120. matrix_nginx_proxy_proxy_riot_compat_redirect_enabled: false

  121. matrix_nginx_proxy_proxy_riot_compat_redirect_hostname: "riot.{{ matrix_domain }}"

  122. 

  123. # Controls whether proxying for Synapse should be done.

  124. matrix_nginx_proxy_proxy_synapse_enabled: false

  125. matrix_nginx_proxy_proxy_synapse_hostname: "matrix-nginx-proxy"

  126. matrix_nginx_proxy_proxy_synapse_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}"

  127. # The addresses where the Matrix Client API is, when using Synapse.

  128. matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: ""

  129. matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: ""

  130. # The addresses where the Federation API is, when using Synapse.

  131. matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: ""

  132. matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: ""

  133. # A list of strings containing additional configuration blocks to add to the Synapse's server configuration (matrix-synapse.conf).

  134. matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks: []

  135. 

  136. # Controls whether proxying for Dendrite should be done.

  137. matrix_nginx_proxy_proxy_dendrite_enabled: false

  138. matrix_nginx_proxy_proxy_dendrite_hostname: "matrix-nginx-proxy"

  139. matrix_nginx_proxy_proxy_dendrite_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}"

  140. # Controls whether the Client API server (usually at matrix.DOMAIN:443) should explicitly reject `/_matrix/federation` endpoints.

  141. # Normally, Dendrite Monolith serves both APIs (Client & Federation) at the same port, so we can serve federation at `matrix.DOMAIN:443` too.

  142. matrix_nginx_proxy_proxy_dendrite_block_federation_api_on_client_port: true

  143. # The addresses where the Matrix Client API is, when using Dendrite.

  144. matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container: ""

  145. matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container: ""

  146. # A list of strings containing additional configuration blocks to add to the Dendrite's server configuration (matrix-dendrite.conf).

  147. matrix_nginx_proxy_proxy_dendrite_additional_server_configuration_blocks: []

  148. 

  149. # Controls whether proxying the Element domain should be done.

  150. matrix_nginx_proxy_proxy_element_enabled: false

  151. matrix_nginx_proxy_proxy_element_hostname: "{{ matrix_server_fqn_element }}"

  152. 

  153. # Controls whether proxying the Hydrogen domain should be done.

  154. matrix_nginx_proxy_proxy_hydrogen_enabled: false

  155. matrix_nginx_proxy_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}"

  156. 

  157. # Controls whether proxying the Cinny domain should be done.

  158. matrix_nginx_proxy_proxy_cinny_enabled: false

  159. matrix_nginx_proxy_proxy_cinny_hostname: "{{ matrix_server_fqn_cinny }}"

  160. 

  161. # Controls whether proxying the matrix domain should be done.

  162. matrix_nginx_proxy_proxy_matrix_enabled: false

  163. matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}"

  164. matrix_nginx_proxy_proxy_matrix_federation_hostname: "{{ matrix_nginx_proxy_proxy_matrix_hostname }}"

  165. # The port name used for federation in the nginx configuration.

  166. # This is not necessarily the port that it's actually on,

  167. # as port-mapping happens (`-p ..`) for the `matrix-nginx-proxy` container.

  168. matrix_nginx_proxy_proxy_matrix_federation_port: 8448

  169. 

  170. # Controls whether proxying the dimension domain should be done.

  171. matrix_nginx_proxy_proxy_dimension_enabled: false

  172. matrix_nginx_proxy_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}"

  173. 

  174. # Controls whether proxying the goneb domain should be done.

  175. matrix_nginx_proxy_proxy_bot_go_neb_enabled: false

  176. matrix_nginx_proxy_proxy_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }}"

  177. 

  178. # Controls whether proxying the jitsi domain should be done.

  179. matrix_nginx_proxy_proxy_jitsi_enabled: false

  180. matrix_nginx_proxy_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}"

  181. 

  182. # Controls whether proxying the grafana domain should be done.

  183. matrix_nginx_proxy_proxy_grafana_enabled: false

  184. matrix_nginx_proxy_proxy_grafana_hostname: "{{ matrix_server_fqn_grafana }}"

  185. 

  186. # Controls whether proxying the sygnal domain should be done.

  187. matrix_nginx_proxy_proxy_sygnal_enabled: false

  188. matrix_nginx_proxy_proxy_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}"

  189. 

  190. # Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain)

  191. matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false

  192. matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"

  193. matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081"

  194. 

  195. # Controls whether proxying for the User Directory Search API (`/_matrix/client/r0/user_directory/search`) should be done (on the matrix domain).

  196. # This can be used to forward the API endpoint to another service, augmenting the functionality of Synapse's own User Directory Search.

  197. # To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/directory.md

  198. matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false

  199. matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"

  200. matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"

  201. 

  202. # Controls whether proxying for 3PID-based registration (`/_matrix/client/r0/register/(email|msisdn)/requestToken`) should be done (on the matrix domain).

  203. # This allows another service to control registrations involving 3PIDs.

  204. # To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md

  205. matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled: false

  206. matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"

  207. matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"

  208. 

  209. # Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain)

  210. matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false

  211. matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"

  212. matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"

  213. 

  214. # Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain)

  215. matrix_nginx_proxy_proxy_synapse_metrics: false

  216. matrix_nginx_proxy_synapse_workers_enabled_list: []

  217. matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled: false

  218. # The following value will be written verbatim to the htpasswd file that stores the password for nginx to check against and needs to be encoded appropriately.

  219. # Read the manpage at `man 1 htpasswd` to learn more, then encrypt your password, and paste the encrypted value here.

  220. # e.g. `htpasswd -c mypass.htpasswd prometheus` and enter `mysecurepw` when prompted yields `prometheus:$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/`

  221. # The part after `prometheus:` is needed here. matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: "$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/"

  222. matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: ""

  223. 

  224. # The addresses where the Matrix Client API is.

  225. # Certain extensions (like matrix-corporal) may override this in order to capture all traffic.

  226. matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-nginx-proxy:12080"

  227. matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:12080"

  228. 

  229. # This needs to be equal or higher than the maximum upload size accepted by Synapse.

  230. matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 50

  231. 

  232. 

  233. # Tells whether `/_synapse/client` is forwarded to the Matrix Client API server.

  234. matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled: true

  235. 

  236. # Tells whether `/_synapse/oidc` is forwarded to the Matrix Client API server.

  237. # Enable this if you need OpenID Connect authentication support.

  238. matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled: false

  239. 

  240. # Tells whether `/_synapse/admin` is forwarded to the Matrix Client API server.

  241. # Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't.

  242. matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: false

  243. 

  244. # `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefixes` holds

  245. # the location prefixes that get forwarded to the Matrix Client API server.

  246. # These locations get combined into a regex like this `^(/_matrix|/_synapse/client)`.

  247. matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: |

  248.   {{

  249.     (['/_matrix'])

  250.     +

  251.     (['/_synapse/client'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled else [])

  252.     +

  253.     (['/_synapse/oidc'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled else [])

  254.     +

  255.     (['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else [])

  256.     +

  257.     (['/_synapse.*/metrics'] if matrix_nginx_proxy_proxy_synapse_metrics else [])

  258.   }}

  259. 

  260. # Specifies where requests for the root URI (`/`) on the `matrix.` domain should be redirected.

  261. # If this has an empty value, they're just passed to the homeserver, which serves a static page.

  262. # If you'd like to make `https://matrix.DOMAIN` redirect to `https://element.DOMAIN` (or something of that sort), specify the domain name here.

  263. # Example value: `element.DOMAIN` (or `{{ matrix_server_fqn_element }}`).

  264. matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: ""

  265. 

  266. # Controls whether proxying for the Matrix Federation API should be done.

  267. matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false

  268. matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-nginx-proxy:12088"

  269. matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "localhost:12088"

  270. matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb | int) * 3 }}"

  271. matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem"

  272. matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem"

  273. matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem"

  274. 

  275. # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.

  276. matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}"

  277. 

  278. # A list of strings containing additional configuration blocks to add to the nginx server configuration (nginx.conf).

  279. # for big matrixservers to enlarge the number of open files to prevent timeouts

  280. # matrix_nginx_proxy_proxy_additional_configuration_blocks:

  281. #  - 'worker_rlimit_nofile 30000;'

  282. matrix_nginx_proxy_proxy_additional_configuration_blocks: []

  283. 

  284. # A list of strings containing additional configuration blocks to add to the nginx event server configuration (nginx.conf).

  285. matrix_nginx_proxy_proxy_event_additional_configuration_blocks: []

  286. 

  287. # A list of strings containing additional configuration blocks to add to the nginx http's server configuration (nginx-http.conf).

  288. matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks: []

  289. 

  290. # A list of strings containing additional configuration blocks to add to the base matrix server configuration (matrix-domain.conf).

  291. matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: []

  292. 

  293. # A list of strings containing additional configuration blocks to add to Riot's server configuration (matrix-riot-web.conf).

  294. matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: []

  295. 

  296. # A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf).

  297. matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks: []

  298. 

  299. # A list of strings containing additional configuration blocks to add to Hydrogen's server configuration (matrix-client-hydrogen.conf).

  300. matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks: []

  301. 

  302. # A list of strings containing additional configuration blocks to add to Cinny's server configuration (matrix-client-cinny.conf).

  303. matrix_nginx_proxy_proxy_cinny_additional_server_configuration_blocks: []

  304. 

  305. # A list of strings containing additional configuration blocks to add to Dimension's server configuration (matrix-dimension.conf).

  306. matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: []

  307. 

  308. # A list of strings containing additional configuration blocks to add to GoNEB's server configuration (matrix-bot-go-neb.conf).

  309. matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks: []

  310. 

  311. # A list of strings containing additional configuration blocks to add to Jitsi's server configuration (matrix-jitsi.conf).

  312. matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks: []

  313. 

  314. # A list of strings containing additional configuration blocks to add to Grafana's server configuration (matrix-grafana.conf).

  315. matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks: []

  316. 

  317. # A list of strings containing additional configuration blocks to add to Sygnal's server configuration (matrix-sygnal.conf).

  318. matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks: []

  319. 

  320. # A list of strings containing additional configuration blocks to add to the base domain server configuration (matrix-base-domain.conf).

  321. matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: []

  322. 

  323. # To increase request timeout in NGINX using proxy_read_timeout, proxy_connect_timeout, proxy_send_timeout, send_timeout directives

  324. # Nginx Default: proxy_connect_timeout 60s;   #Defines a timeout for establishing a connection with a proxied server

  325. # Nginx Default: proxy_send_timeout 60s;      #Sets a timeout for transmitting a request to the proxied server.

  326. # Nginx Default: proxy_read_timeout 60s;      #Defines a timeout for reading a response from the proxied server.

  327. # Nginx Default: send_timeout 60s;            #Sets a timeout for transmitting a response to the client.

  328. #

  329. # For more information visit:

  330. # http://nginx.org/en/docs/http/ngx_http_proxy_module.html

  331. # http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout

  332. # https://www.nginx.com/resources/wiki/start/topics/examples/fullexample2/

  333. #

  334. # Here we are sticking with nginx default values change this value carefully.

  335. matrix_nginx_proxy_connect_timeout: 60

  336. matrix_nginx_proxy_send_timeout: 60

  337. matrix_nginx_proxy_read_timeout: 60

  338. matrix_nginx_send_timeout: 60

  339. 

  340. # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses for all vhosts meant to be accessed by users.

  341. #

  342. # Learn more about what it is here:

  343. # - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea

  344. # - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network

  345. # - https://amifloced.org/

  346. #

  347. # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.

  348. matrix_nginx_proxy_floc_optout_enabled: true

  349. 

  350. # HSTS Preloading Enable

  351. #

  352. # In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and

  353. # indicates a willingness to be “preloaded” into browsers:

  354. # `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`

  355. # For more information visit:

  356. # - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

  357. # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

  358. # - https://hstspreload.org/#opt-in

  359. matrix_nginx_proxy_hsts_preload_enabled: false

  360. 

  361. # X-XSS-Protection Enable

  362. # Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.

  363. # Note: Not applicable for grafana

  364. #

  365. # Learn more about it is here:

  366. # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

  367. # - https://portswigger.net/web-security/cross-site-scripting/reflected

  368. matrix_nginx_proxy_xss_protection: "1; mode=block"

  369. 

  370. # Specifies the SSL configuration that should be used for the SSL protocols and ciphers

  371. # This is based on the Mozilla Server Side TLS Recommended configurations.

  372. #

  373. # The posible values are:

  374. # - "modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility

  375. # - "intermediate" - Recommended configuration for a general-purpose server

  376. # - "old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8

  377. #

  378. # For more information visit:

  379. # - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations

  380. # - https://ssl-config.mozilla.org/#server=nginx

  381. matrix_nginx_proxy_ssl_preset: "intermediate"

  382. 

  383. # Presets are taken from Mozilla's Server Side TLS Recommended configurations

  384. # DO NOT modify these values and use `matrix_nginx_proxy_ssl_protocols`, `matrix_nginx_proxy_ssl_ciphers` and `matrix_nginx_proxy_ssl_ciphers`

  385. # if you wish to use something more custom.

  386. matrix_nginx_proxy_ssl_presets:

  387.   modern:

  388.     protocols: TLSv1.3

  389.     ciphers: ""

  390.     prefer_server_ciphers: "off"

  391.   intermediate:

  392.     protocols: TLSv1.2 TLSv1.3

  393.     ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

  394.     prefer_server_ciphers: "off"

  395.   old:

  396.     protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3

  397.     ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA

  398.     prefer_server_ciphers: "on"

  399. 

  400. 

  401. # Specifies which *SSL protocols* to use when serving all the various vhosts.

  402. matrix_nginx_proxy_ssl_protocols: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}"

  403. 

  404. # Specifies whether to prefer *the client’s choice or the server’s choice* when negotiating ciphers.

  405. matrix_nginx_proxy_ssl_prefer_server_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}"

  406. 

  407. # Specifies which *SSL Cipher suites* to use when serving all the various vhosts.

  408. # To see the full list for suportes ciphers run `openssl ciphers` on your server

  409. matrix_nginx_proxy_ssl_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"

  410. 

  411. # Specifies what to use for the X-Forwarded-For variable.

  412. # If you're fronting the nginx reverse-proxy with additional reverse-proxy servers,

  413. # you may wish to set this to '$proxy_add_x_forwarded_for' instead.

  414. matrix_nginx_proxy_x_forwarded_for: '$remote_addr'

  415. 

  416. # Controls whether the self-check feature should validate SSL certificates.

  417. matrix_nginx_proxy_self_check_validate_certificates: true

  418. 

  419. # Controls whether redirects will be followed when checking the `/.well-known/matrix/client` resource.

  420. #

  421. # As per the spec (https://matrix.org/docs/spec/client_server/r0.6.0#well-known-uri), it shouldn't be,

  422. # so we default to not following redirects as well.

  423. matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects: none

  424. 

  425. # For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter).

  426. #

  427. # Otherwise, we get warnings like this:

  428. # > [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/matrix/ssl/config/live/.../fullchain.pem"

  429. #

  430. # We point it to the internal Docker resolver, which likely delegates to nameservers defined in `/etc/resolv.conf`.

  431. #

  432. # When nginx proxy is disabled, our configuration is likely used by non-containerized nginx, so can't use the internal Docker resolver.

  433. # Pointing `resolver` to some public DNS server might be an option, but for now we impose DNS servers on people.

  434. # It might also be that no such warnings occur when not running in a container.

  435. matrix_nginx_proxy_http_level_resolver: "{{ '127.0.0.11' if matrix_nginx_proxy_enabled else '' }}"

  436. 

  437. # By default, this playbook automatically retrieves and auto-renews

  438. # free SSL certificates from Let's Encrypt.

  439. #

  440. # The following retrieval methods are supported:

  441. # - "lets-encrypt" - the playbook obtains free SSL certificates from Let's Encrypt

  442. # - "self-signed" - the playbook generates and self-signs certificates

  443. # - "manually-managed" - lets you manage certificates by yourself (manually; see below)

  444. # - "none" - like "manually-managed", but doesn't care if you don't drop certificates in the location it expects

  445. #

  446. # If you decide to manage certificates by yourself (`matrix_ssl_retrieval_method: manually-managed`),

  447. # you'd need to drop them into the directory specified by `matrix_ssl_config_dir_path`

  448. # obeying the following hierarchy:

  449. # - <matrix_ssl_config_dir_path>/live/<domain>/fullchain.pem

  450. # - <matrix_ssl_config_dir_path>/live/<domain>/privkey.pem

  451. # where <domain> refers to the domains that you need (usually `matrix_server_fqn_matrix` and `matrix_server_fqn_element`).

  452. #

  453. # The "none" type (`matrix_ssl_retrieval_method: none`), simply means that no certificate retrieval will happen.

  454. # It's useful for when you've disabled the nginx proxy (`matrix_nginx_proxy_enabled: false`)

  455. # and you'll be using another reverse-proxy server (like Apache) with your own certificates, managed by yourself.

  456. # It's also useful if you're using `matrix_nginx_proxy_https_enabled: false` to make this nginx proxy serve

  457. # plain HTTP traffic only (usually, on the loopback interface only) and you'd be terminating SSL using another reverse-proxy.

  458. matrix_ssl_retrieval_method: "lets-encrypt"

  459. 

  460. matrix_ssl_architecture: "amd64"

  461. 

  462. # The full list of domains that this role will obtain certificates for.

  463. # This variable is likely redefined outside of the role, to include the domains that are necessary (depending on the services that are enabled).

  464. # To add additional domain names, consider using `matrix_ssl_additional_domains_to_obtain_certificates_for` instead.

  465. matrix_ssl_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains_to_obtain_certificates_for }}"

  466. 

  467. # A list of additional domain names to obtain certificates for.

  468. matrix_ssl_additional_domains_to_obtain_certificates_for: []

  469. 

  470. # Controls whether to obtain production or staging certificates from Let's Encrypt.

  471. # If you'd like to use another ACME Certificate Authority server (not Let's Encrypt), use `matrix_ssl_lets_encrypt_server`

  472. matrix_ssl_lets_encrypt_staging: false

  473. 

  474. # Controls from which Certificate Authority server to retrieve the SSL certificates (passed as a `--server` flag to Certbot).

  475. # By default, we use the Let's Encrypt production environment (use `matrix_ssl_lets_encrypt_staging` for using the staging environment).

  476. # Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#changing-the-acme-server

  477. matrix_ssl_lets_encrypt_server: ''

  478. 

  479. matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.22.0"

  480. matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"

  481. matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402

  482. matrix_ssl_lets_encrypt_support_email: ~

  483. 

  484. # Tells which interface and port the Let's Encrypt (certbot) container should try to bind to

  485. # when it tries to obtain initial certificates in standalone mode.

  486. #

  487. # This should normally be a public interface and port.

  488. # If you'd like to not bind on all IP addresses, specify one explicitly (e.g. `a.b.c.d:80`)

  489. matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port: '80'

  490. 

  491. matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"

  492. matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"

  493. matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"

  494. 

  495. # If you'd like to start some service before a certificate is obtained, specify it here.

  496. # This could be something like `matrix-dynamic-dns`, etc.

  497. matrix_ssl_pre_obtaining_required_service_name: ~

  498. matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60

  499. 

  500. # Nginx Optimize SSL Session

  501. #

  502. # ssl_session_cache:

  503. # - Creating a cache of TLS connection parameters reduces the number of handshakes

  504. #   and thus can improve the performance of application.

  505. # - Default session cache is not optimal as it can be used by only one worker process

  506. #   and can cause memory fragmentation. It is much better to use shared cache.

  507. # - Learn More: https://nginx.org/en/docs/http/ngx_http_ssl_module.html

  508. #

  509. # ssl_session_timeout:

  510. # - Nginx by default it is set to 5 minutes which is very low.

  511. #   should be like 4h or 1d but will require you to increase the size of cache.

  512. # - Learn More:

  513. #     https://github.com/certbot/certbot/issues/6903

  514. #     https://github.com/mozilla/server-side-tls/issues/198

  515. #

  516. # ssl_session_tickets:

  517. # - In case of session tickets, information about session is given to the client.

  518. #   Enabling this improve performance also make Perfect Forward Secrecy useless.

  519. # - If you would instead like to use ssl_session_tickets by yourself, you can set

  520. #   matrix_nginx_proxy_ssl_session_tickets_off false.

  521. # - Learn More: https://github.com/mozilla/server-side-tls/issues/135

  522. #

  523. # Presets are taken from Mozilla's Server Side TLS Recommended configurations

  524. matrix_nginx_proxy_ssl_session_cache: "shared:MozSSL:10m"

  525. matrix_nginx_proxy_ssl_session_timeout: "1d"

  526. matrix_nginx_proxy_ssl_session_tickets_off: true

  527. 

  528. # OCSP Stapling eliminating the need for clients to contact the CA, with the aim of improving both security and performance.

  529. # OCSP stapling can provide a performance boost of up to 30%

  530. # nginx web server supports OCSP stapling since version 1.3.7.

  531. #

  532. # *warning* Nginx is lazy loading OCSP responses, which means that for the first few web requests it is unable to add the OCSP response.

  533. # set matrix_nginx_proxy_ocsp_stapling_enabled false to disable OCSP Stapling

  534. #

  535. # Learn more about what it is here:

  536. # - https://en.wikipedia.org/wiki/OCSP_stapling

  537. # - https://blog.cloudflare.com/high-reliability-ocsp-stapling/

  538. # - https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/

  539. matrix_nginx_proxy_ocsp_stapling_enabled: true

  540. 

  541. # nginx status page configurations.

  542. matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: false

  543. matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ['{{ ansible_default_ipv4.address }}']

  544. 

  545. 

  546. # synapse worker activation and endpoint mappings

  547. matrix_nginx_proxy_synapse_workers_enabled: false

  548. matrix_nginx_proxy_synapse_workers_list: []

  549. matrix_nginx_proxy_synapse_generic_worker_client_server_locations: []

  550. matrix_nginx_proxy_synapse_generic_worker_federation_locations: []

  551. matrix_nginx_proxy_synapse_media_repository_locations: []

  552. matrix_nginx_proxy_synapse_user_dir_locations: []

  553. matrix_nginx_proxy_synapse_frontend_proxy_locations: []

  554. 

  555. # The amount of worker processes and connections

  556. # Consider increasing these when you are expecting high amounts of traffic

  557. # http://nginx.org/en/docs/ngx_core_module.html#worker_connections

  558. matrix_nginx_proxy_worker_processes: auto

  559. matrix_nginx_proxy_worker_connections: 1024