overmind
/
matrix-docker-ansible-deploy
mirror of https://github.com/spantaleev/matrix-docker-ansible-deploy
1
0
Fork 0
Code Issues 0 Releases 0 Wiki Activity
Matrix Docker Ansible eploy
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2266 Commits
12 Branches
798 MiB
 
 
Tree: 92ee3d78a0
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '92ee3d78a0'
${ noResults }
matrix-docker-ansible-deploy/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2

409 lines
14 KiB
Raw Blame History 

  1. #jinja2: lstrip_blocks: "True"

  2. {% macro render_nginx_status_location_block(addresses) %}

  3. 	{# Empty first line to make indentation prettier. #}

  4. 

  5. 	location /nginx_status {

  6. 		stub_status on;

  7. 		access_log off;

  8. 		{% for address in addresses %}

  9. 		allow {{ address }};

  10. 		{% endfor %}

  11. 		deny all;

  12. 	}

  13. {% endmacro %}

  14. 

  15. 

  16. {% macro render_vhost_directives() %}

  17. 	gzip on;

  18. 	gzip_types text/plain application/json;

  19. 

  20. 	location /.well-known/matrix {

  21. 		root {{ matrix_static_files_base_path }};

  22. 		{#

  23. 			A somewhat long expires value is used to prevent outages

  24. 			in case this is unreachable due to network failure or

  25. 			due to the base domain's server completely dying.

  26. 		#}

  27. 		expires 4h;

  28. 		default_type application/json;

  29. 		add_header Access-Control-Allow-Origin *;

  30. 	}

  31. 

  32. 	{% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %}

  33. 		{{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }}

  34. 	{% endif %}

  35. 

  36. 	{% if matrix_nginx_proxy_proxy_matrix_corporal_api_enabled %}

  37. 	location ^~ /_matrix/corporal {

  38. 		{% if matrix_nginx_proxy_enabled %}

  39. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  40. 			resolver 127.0.0.11 valid=5s;

  41. 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container }}";

  42. 			proxy_pass http://$backend;

  43. 		{% else %}

  44. 			{# Generic configuration for use outside of our container setup #}

  45. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container }};

  46. 		{% endif %}

  47. 

  48. 		proxy_set_header Host $host;

  49. 		proxy_set_header X-Forwarded-For $remote_addr;

  50. 	}

  51. 	{% endif %}

  52. 

  53. 	{% if matrix_nginx_proxy_proxy_matrix_identity_api_enabled %}

  54. 	location ^~ /_matrix/identity {

  55. 		{% if matrix_nginx_proxy_enabled %}

  56. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  57. 			resolver 127.0.0.11 valid=5s;

  58. 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}";

  59. 			proxy_pass http://$backend;

  60. 		{% else %}

  61. 			{# Generic configuration for use outside of our container setup #}

  62. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }};

  63. 		{% endif %}

  64. 

  65. 		proxy_set_header Host $host;

  66. 		proxy_set_header X-Forwarded-For $remote_addr;

  67. 	}

  68. 	{% endif %}

  69. 

  70. 	{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled %}

  71. 	# NOTE: This redirects user lookup requests to the identity server instead of

  72. 	# synapse, so user_dir_workers endpoints listed further down in this file will

  73. 	# not be reached and workers of this kind should be disabled for consistency.

  74. 	location ^~ /_matrix/client/r0/user_directory/search {

  75. 		{% if matrix_nginx_proxy_enabled %}

  76. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  77. 			resolver 127.0.0.11 valid=5s;

  78. 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container }}";

  79. 			proxy_pass http://$backend;

  80. 		{% else %}

  81. 			{# Generic configuration for use outside of our container setup #}

  82. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container }};

  83. 		{% endif %}

  84. 

  85. 		proxy_set_header Host $host;

  86. 		proxy_set_header X-Forwarded-For $remote_addr;

  87. 	}

  88. 	{% endif %}

  89. 

  90. 	{% if matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled %}

  91. 	location ~ ^/_matrix/client/r0/register/(email|msisdn)/requestToken$ {

  92. 		{% if matrix_nginx_proxy_enabled %}

  93. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  94. 			resolver 127.0.0.11 valid=5s;

  95. 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container }}";

  96. 			proxy_pass http://$backend;

  97. 		{% else %}

  98. 			{# Generic configuration for use outside of our container setup #}

  99. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container }};

  100. 		{% endif %}

  101. 

  102. 		proxy_set_header Host $host;

  103. 		proxy_set_header X-Forwarded-For $remote_addr;

  104. 	}

  105. 	{% endif %}

  106. 

  107. 	{% if matrix_nginx_proxy_synapse_workers_enabled %}

  108. 		{# Workers redirects BEGIN #}

  109. 

  110. 		{% if generic_workers %}

  111. 			# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappgeneric_worker

  112. 			{% for location in matrix_nginx_proxy_synapse_generic_worker_locations %}

  113. 			location ~ {{ location }} {

  114. 				proxy_pass http://generic_worker_upstream$request_uri;

  115. 				proxy_set_header Host $host;

  116. 				proxy_set_header X-Forwarded-For $remote_addr;

  117. 			}

  118. 			{% endfor %}

  119. 			# FIXME: add GET ^/_matrix/federation/v1/groups/

  120. 		{% endif %}

  121. 

  122. 		{% if media_repository_workers %}

  123. 			# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappmedia_repository

  124. 			{% for location in matrix_nginx_proxy_synapse_media_repository_locations %}

  125. 			location ~ {{ location }} {

  126. 				proxy_pass http://media_repository_upstream$request_uri;

  127. 				proxy_set_header Host $host;

  128. 				proxy_set_header X-Forwarded-For $remote_addr;

  129. 

  130. 				client_body_buffer_size 25M;

  131. 				client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M;

  132. 				proxy_max_temp_file_size 0;

  133. 			}

  134. 			{% endfor %}

  135. 		{% endif %}

  136. 

  137. 		{% if user_dir_workers %}

  138. 			# FIXME: obsolete if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled is set

  139. 			# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappuser_dir

  140. 			{% for location in matrix_nginx_proxy_synapse_user_dir_locations %}

  141. 			location ~ {{ location }} {

  142. 				proxy_pass http://user_dir_upstream$request_uri;

  143. 				proxy_set_header Host $host;

  144. 				proxy_set_header X-Forwarded-For $remote_addr;

  145. 			}

  146. 			{% endfor %}

  147. 		{% endif %}

  148. 

  149. 		{% if frontend_proxy_workers %}

  150. 			# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappfrontend_proxy

  151. 			{% for location in matrix_nginx_proxy_synapse_frontend_proxy_locations %}

  152. 			location ~ {{ location }} {

  153. 				proxy_pass http://frontend_proxy_upstream$request_uri;

  154. 				proxy_set_header Host $host;

  155. 				proxy_set_header X-Forwarded-For $remote_addr;

  156. 			}

  157. 			{% endfor %}

  158. 			{% if matrix_nginx_proxy_synapse_presence_disabled %}

  159. 			# FIXME: keep in sync with synapse workers documentation manually

  160. 			location ~ ^/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status {

  161. 				proxy_pass http://frontend_proxy_upstream$request_uri;

  162. 				proxy_set_header Host $host;

  163. 				proxy_set_header X-Forwarded-For $remote_addr;

  164. 			}

  165. 			{% endif %}

  166. 		{% endif %}

  167. 		{# Workers redirects END #}

  168. 	{% endif %}

  169. 

  170. 

  171. 	{% for configuration_block in matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks %}

  172. 		{{- configuration_block }}

  173. 	{% endfor %}

  174. 

  175. 	{% if matrix_nginx_proxy_proxy_synapse_metrics %}

  176. 	location /_synapse/metrics {

  177. 		{% if matrix_nginx_proxy_enabled %}

  178. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  179. 			resolver 127.0.0.11 valid=5s;

  180. 			set $backend "{{ matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container }}";

  181. 			proxy_pass http://$backend;

  182. 		{% else %}

  183. 			{# Generic configuration for use outside of our container setup #}

  184. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container }};

  185. 		{% endif %}

  186. 

  187. 		proxy_set_header Host $host;

  188. 		proxy_set_header X-Forwarded-For $remote_addr;

  189. 

  190. 		{% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %}

  191. 			auth_basic "protected";

  192. 			auth_basic_user_file /nginx-data/matrix-synapse-metrics-htpasswd;

  193. 		{% endif %}

  194. 	}

  195. 	{% endif %}

  196. 

  197. 	{#

  198. 		This handles the Matrix Client API only.

  199. 		The Matrix Federation API is handled by a separate vhost.

  200. 	#}

  201. 	location ~* ^({{ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes|join('|') }}) {

  202. 		{% if matrix_nginx_proxy_enabled %}

  203. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  204. 			resolver 127.0.0.11 valid=5s;

  205. 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}";

  206. 			proxy_pass http://$backend;

  207. 		{% else %}

  208. 			{# Generic configuration for use outside of our container setup #}

  209. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container }};

  210. 		{% endif %}

  211. 

  212. 		proxy_set_header Host $host;

  213. 		proxy_set_header X-Forwarded-For $remote_addr;

  214. 

  215. 		client_body_buffer_size 25M;

  216. 		client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M;

  217. 		proxy_max_temp_file_size 0;

  218. 	}

  219. 

  220. 	location / {

  221. 		{% if matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain %}

  222. 			return 302 $scheme://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri;

  223. 		{% else %}

  224. 			rewrite ^/$ /_matrix/static/ last;

  225. 		{% endif %}

  226. 	}

  227. {% endmacro %}

  228. 

  229. {% set generic_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'generic_worker')|list %}

  230. {% set media_repository_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'media_repository')|list %}

  231. {% set user_dir_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'user_dir')|list %}

  232. {% set frontend_proxy_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'frontend_proxy')|list %}

  233. {% if matrix_nginx_proxy_synapse_workers_enabled %}

  234. 	# Round Robin "upstream" pools for workers

  235. 

  236. 	{% if generic_workers %}

  237. 	upstream generic_worker_upstream {

  238. 		# ensures that requests from the same client will always be passed

  239. 		# to the same server (except when this server is unavailable)

  240. 		ip_hash;

  241. 

  242. 		{% for worker in generic_workers %}

  243. 		server "matrix-synapse:{{ worker.port }}";

  244. 		{% endfor %}

  245. 	}

  246. 	{% endif %}

  247. 

  248. 	{% if frontend_proxy_workers %}

  249. 	upstream frontend_proxy_upstream {

  250. 		{% for worker in frontend_proxy_workers %}

  251. 		server "matrix-synapse:{{ worker.port }}";

  252. 		{% endfor %}

  253. 	}

  254. 	{% endif %}

  255. 

  256. 	{% if media_repository_workers %}

  257. 	upstream media_repository_upstream {

  258. 		{% for worker in media_repository_workers %}

  259. 		server "matrix-synapse:{{ worker.port }}";

  260. 		{% endfor %}

  261. 	}

  262. 	{% endif %}

  263. 

  264. 	{% if user_dir_workers %}

  265. 	upstream user_dir_upstream {

  266. 		{% for worker in user_dir_workers %}

  267. 		server "matrix-synapse:{{ worker.port }}";

  268. 		{% endfor %}

  269. 	}

  270. 	{% endif %}

  271. {% endif %}

  272. 

  273. server {

  274. 	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};

  275. 	server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};

  276. 

  277. 	server_tokens off;

  278. 	root /dev/null;

  279. 

  280. 	{% if matrix_nginx_proxy_https_enabled %}

  281. 		location /.well-known/acme-challenge {

  282. 			{% if matrix_nginx_proxy_enabled %}

  283. 				{# Use the embedded DNS resolver in Docker containers to discover the service #}

  284. 				resolver 127.0.0.11 valid=5s;

  285. 				set $backend "matrix-certbot:8080";

  286. 				proxy_pass http://$backend;

  287. 			{% else %}

  288. 				{# Generic configuration for use outside of our container setup #}

  289. 				proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};

  290. 			{% endif %}

  291. 		}

  292. 

  293. 		{% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %}

  294. 			{{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }}

  295. 		{% endif %}

  296. 

  297. 		location / {

  298. 			return 301 https://$http_host$request_uri;

  299. 		}

  300. 	{% else %}

  301. 		{{ render_vhost_directives() }}

  302. 	{% endif %}

  303. }

  304. 

  305. {% if matrix_nginx_proxy_https_enabled %}

  306. server {

  307. 	listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;

  308. 	listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;

  309. 

  310. 	server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};

  311. 

  312. 	server_tokens off;

  313. 	root /dev/null;

  314. 

  315. 	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem;

  316. 	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem;

  317. 

  318. 	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};

  319. 	{% if matrix_nginx_proxy_ssl_ciphers != '' %}

  320. 	ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};

  321. 	{% endif %}

  322. 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};

  323. 

  324. 	{{ render_vhost_directives() }}

  325. }

  326. {% endif %}

  327. 

  328. {% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %}

  329. {#

  330. 	This federation vhost is a little special.

  331. 	It serves federation over HTTP or HTTPS, depending on `matrix_nginx_proxy_https_enabled`.

  332. #}

  333. server {

  334. 	{% if matrix_nginx_proxy_https_enabled %}

  335. 		listen 8448 ssl http2;

  336. 		listen [::]:8448 ssl http2;

  337. 	{% else %}

  338. 		listen 8448;

  339. 	{% endif %}

  340. 

  341. 	server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};

  342. 	server_tokens off;

  343. 

  344. 	root /dev/null;

  345. 

  346. 	gzip on;

  347. 	gzip_types text/plain application/json;

  348. 

  349. 	{% if matrix_nginx_proxy_https_enabled %}

  350. 		ssl_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate }};

  351. 		ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }};

  352. 

  353. 	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};

  354. 	{% if matrix_nginx_proxy_ssl_ciphers != '' %}

  355. 	ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};

  356. 	{% endif %}

  357. 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};

  358. 

  359. 	{% endif %}

  360. 

  361. 	{% if matrix_nginx_proxy_synapse_workers_enabled %}

  362. 		{% if generic_workers %}

  363. 			# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappgeneric_worker

  364. 			{% for location in matrix_nginx_proxy_synapse_generic_worker_locations %}

  365. 			location ~ {{ location }} {

  366. 				proxy_pass http://generic_worker_upstream$request_uri;

  367. 				proxy_set_header Host $host;

  368. 				proxy_set_header X-Forwarded-For $remote_addr;

  369. 			}

  370. 			{% endfor %}

  371. 			# FIXME: add GET ^/_matrix/federation/v1/groups/

  372. 		{% endif %}

  373. 		{% if media_repository_workers %}

  374. 			# https://github.com/matrix-org/synapse/blob/master/docs/workers.md#synapseappmedia_repository

  375. 			{% for location in matrix_nginx_proxy_synapse_media_repository_locations %}

  376. 			location ~ {{ location }} {

  377. 				proxy_pass http://media_repository_upstream$request_uri;

  378. 				proxy_set_header Host $host;

  379. 				proxy_set_header X-Forwarded-For $remote_addr;

  380. 

  381. 				client_body_buffer_size 25M;

  382. 				client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M;

  383. 				proxy_max_temp_file_size 0;

  384. 			}

  385. 			{% endfor %}

  386. 		{% endif %}

  387. 	{% endif %}

  388. 

  389. 	location / {

  390. 		{% if matrix_nginx_proxy_enabled %}

  391. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  392. 			resolver 127.0.0.11 valid=5s;

  393. 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container }}";

  394. 			proxy_pass http://$backend;

  395. 		{% else %}

  396. 			{# Generic configuration for use outside of our container setup #}

  397. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container }};

  398. 		{% endif %}

  399. 

  400. 		proxy_set_header Host $host;

  401. 		proxy_set_header X-Forwarded-For $remote_addr;

  402. 

  403. 		client_body_buffer_size 25M;

  404. 		client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M;

  405. 		proxy_max_temp_file_size 0;

  406. 	}

  407. }

  408. {% endif %}