overmind
/
matrix-docker-ansible-deploy
mirror of https://github.com/spantaleev/matrix-docker-ansible-deploy
1
0
Fork 0
Code Issues 0 Releases 0 Wiki Activity
Matrix Docker Ansible eploy
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6790 Commits
12 Branches
1.6 GiB
 
 
Tree: ed74e92d22
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ed74e92d22'
${ noResults }
matrix-docker-ansible-deploy/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2

411 lines
16 KiB
Raw Blame History 

  1. #jinja2: lstrip_blocks: "True"

  2. {% macro render_nginx_status_location_block(addresses) %}

  3. 	{# Empty first line to make indentation prettier. #}

  4. 

  5. 	location /nginx_status {

  6. 		stub_status on;

  7. 		access_log off;

  8. 		{% for address in addresses %}

  9. 		allow {{ address }};

  10. 		{% endfor %}

  11. 		deny all;

  12. 	}

  13. {% endmacro %}

  14. 

  15. 

  16. {% macro render_vhost_directives() %}

  17. 	gzip on;

  18. 	gzip_types text/plain application/json;

  19. 

  20. 	{% if matrix_nginx_proxy_floc_optout_enabled %}

  21. 		add_header Permissions-Policy interest-cohort=() always;

  22. 	{% endif %}

  23. 

  24. 	{% if matrix_nginx_proxy_hsts_preload_enabled %}

  25. 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

  26. 	{% else %}

  27. 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

  28. 	{% endif %}

  29. 

  30. 	add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";

  31. 

  32. 	location /.well-known/matrix {

  33. 		root {{ matrix_static_files_base_path }};

  34. 		{#

  35. 			A somewhat long expires value is used to prevent outages

  36. 			in case this is unreachable due to network failure or

  37. 			due to the base domain's server completely dying.

  38. 		#}

  39. 		expires 4h;

  40. 		default_type application/json;

  41. 		add_header Access-Control-Allow-Origin *;

  42. 	}

  43. 

  44. 	{% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %}

  45. 		{{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }}

  46. 	{% endif %}

  47. 

  48. 	{% if matrix_nginx_proxy_proxy_matrix_metrics_enabled %}

  49. 	location /metrics {

  50. 		{% if matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled %}

  51. 			auth_basic "protected";

  52. 			auth_basic_user_file {{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_path }};

  53. 		{% endif %}

  54. 

  55. 		{% for configuration_block in matrix_nginx_proxy_proxy_matrix_metrics_additional_location_configuration_blocks %}

  56. 			{{- configuration_block }}

  57. 		{% endfor %}

  58. 	}

  59. 	{% endif %}

  60. 

  61. 	{% if matrix_nginx_proxy_proxy_matrix_corporal_api_enabled %}

  62. 	location ^~ /_matrix/corporal {

  63. 		{% if matrix_nginx_proxy_enabled %}

  64. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  65. 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  66. 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container }}";

  67. 			proxy_pass http://$backend;

  68. 		{% else %}

  69. 			{# Generic configuration for use outside of our container setup #}

  70. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container }};

  71. 		{% endif %}

  72. 

  73. 		proxy_set_header Host $host;

  74. 		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};

  75. 		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};

  76. 	}

  77. 	{% endif %}

  78. 

  79. 	{% if matrix_nginx_proxy_proxy_matrix_identity_api_enabled %}

  80. 	location ^~ /_matrix/identity {

  81. 		{% if matrix_nginx_proxy_enabled %}

  82. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  83. 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  84. 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}";

  85. 			proxy_pass http://$backend;

  86. 		{% else %}

  87. 			{# Generic configuration for use outside of our container setup #}

  88. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }};

  89. 		{% endif %}

  90. 

  91. 		proxy_set_header Host $host;

  92. 		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};

  93. 		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};

  94. 	}

  95. 	{% endif %}

  96. 

  97. 	{% if matrix_nginx_proxy_proxy_media_repo_enabled %}

  98. 	# Redirect all media endpoints to the media-repo

  99. 	location ^~ /_matrix/media {

  100. 		{% if matrix_nginx_proxy_enabled %}

  101. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  102. 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  103. 			set $backend "{{ matrix_nginx_proxy_proxy_media_repo_addr_with_container }}";

  104. 			proxy_pass http://$backend;

  105. 		{% else %}

  106. 			{# Generic configuration for use outside of our container setup #}

  107. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_media_repo_addr_sans_container }};

  108. 		{% endif %}

  109. 

  110. 		# Make sure this matches your homeserver in media-repo.yaml

  111. 		# You may have to manually specify it if using delegation or the

  112. 		# incoming Host doesn't match.

  113. 		proxy_set_header Host $host;

  114. 

  115. 		proxy_set_header X-Real-IP $remote_addr;

  116. 		proxy_set_header X-Forwarded-For $remote_addr;

  117. 	}

  118. 

  119. 	# Redirect other endpoints registered by the media-repo to its container

  120. 	# /_matrix/client/r0/logout

  121. 	# /_matrix/client/r0/logout/all

  122. 	location ~ ^/_matrix/client/(r0|v1|v3|unstable)/(logout|logout/all) {

  123. 		{% if matrix_nginx_proxy_enabled %}

  124. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  125. 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  126. 			set $backend "{{ matrix_nginx_proxy_proxy_media_repo_addr_with_container }}";

  127. 			proxy_pass http://$backend;

  128. 		{% else %}

  129. 			{# Generic configuration for use outside of our container setup #}

  130. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_media_repo_addr_sans_container }};

  131. 		{% endif %}

  132. 

  133. 		# Make sure this matches your homeserver in media-repo.yaml

  134. 		# You may have to manually specify it if using delegation or the

  135. 		# incoming Host doesn't match.

  136. 		proxy_set_header Host $host;

  137. 

  138. 		proxy_set_header X-Real-IP $remote_addr;

  139. 		proxy_set_header X-Forwarded-For $remote_addr;

  140. 	}

  141. 

  142. 	# Redirect other endpoints registered by the media-repo to its container

  143. 	# /_matrix/client/r0/admin/purge_media_cache

  144. 	# /_matrix/client/r0/admin/quarantine_media/{roomId:[^/]+}

  145. 	location ~ ^/_matrix/client/(r0|v1|v3|unstable)/admin/(purge_media_cache|quarantine_media/.*) {

  146. 		{% if matrix_nginx_proxy_enabled %}

  147. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  148. 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  149. 			set $backend "{{ matrix_nginx_proxy_proxy_media_repo_addr_with_container }}";

  150. 			proxy_pass http://$backend;

  151. 		{% else %}

  152. 			{# Generic configuration for use outside of our container setup #}

  153. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_media_repo_addr_sans_container }};

  154. 		{% endif %}

  155. 

  156. 		# Make sure this matches your homeserver in media-repo.yaml

  157. 		# You may have to manually specify it if using delegation or the

  158. 		# incoming Host doesn't match.

  159. 		proxy_set_header Host $host;

  160. 

  161. 		proxy_set_header X-Real-IP $remote_addr;

  162. 		proxy_set_header X-Forwarded-For $remote_addr;

  163. 	}

  164. 

  165. 	# Redirect other endpoints registered by the media-repo to its container

  166. 	location ^~ /_matrix/client/unstable/io.t2bot.media {

  167. 		{% if matrix_nginx_proxy_enabled %}

  168. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  169. 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  170. 			set $backend "{{ matrix_nginx_proxy_proxy_media_repo_addr_with_container }}";

  171. 			proxy_pass http://$backend;

  172. 		{% else %}

  173. 			{# Generic configuration for use outside of our container setup #}

  174. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_media_repo_addr_sans_container }};

  175. 		{% endif %}

  176. 

  177. 		# Make sure this matches your homeserver in media-repo.yaml

  178. 		# You may have to manually specify it if using delegation or the

  179. 		# incoming Host doesn't match.

  180. 		proxy_set_header Host $host;

  181. 

  182. 		proxy_set_header X-Real-IP $remote_addr;

  183. 		proxy_set_header X-Forwarded-For $remote_addr;

  184. 	}

  185. 	{% endif %}

  186. 

  187. 	{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled %}

  188. 	location ~ ^/_matrix/client/(r0|v3)/user_directory/search {

  189. 		{% if matrix_nginx_proxy_enabled %}

  190. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  191. 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  192. 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container }}";

  193. 			{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled %}

  194. 			rewrite ^(.*?)/v3/(.*?)$  $1/r0/$2 break;

  195. 			{% endif %}

  196. 			proxy_pass http://$backend;

  197. 		{% else %}

  198. 			{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled %}

  199. 			rewrite ^(.*?)/v3/(.*?)$  $1/r0/$2 break;

  200. 			{% endif %}

  201. 			{# Generic configuration for use outside of our container setup #}

  202. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container }};

  203. 		{% endif %}

  204. 

  205. 		proxy_set_header Host $host;

  206. 		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};

  207. 	}

  208. 	{% endif %}

  209. 

  210. 	{% if matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled %}

  211. 	location ~ ^/_matrix/client/(r0|v3)/register/(email|msisdn)/requestToken$ {

  212. 		{% if matrix_nginx_proxy_enabled %}

  213. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  214. 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  215. 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container }}";

  216. 			{% if matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled %}

  217. 			rewrite ^(.*?)/v3/(.*?)$  $1/r0/$2 break;

  218. 			{% endif %}

  219. 			proxy_pass http://$backend;

  220. 		{% else %}

  221. 			{% if matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled %}

  222. 			rewrite ^(.*?)/v3/(.*?)$  $1/r0/$2 break;

  223. 			{% endif %}

  224. 			{# Generic configuration for use outside of our container setup #}

  225. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container }};

  226. 		{% endif %}

  227. 

  228. 		proxy_set_header Host $host;

  229. 		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};

  230. 		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};

  231. 	}

  232. 	{% endif %}

  233. 

  234. 	{% for configuration_block in matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks %}

  235. 		{{- configuration_block }}

  236. 	{% endfor %}

  237. 

  238. 	{#

  239. 		This handles the Matrix Client API only.

  240. 		The Matrix Federation API is handled by a separate vhost.

  241. 	#}

  242. 	location ~* ^({{ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes|join('|') }}) {

  243. 		{% if matrix_nginx_proxy_enabled %}

  244. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  245. 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  246. 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}";

  247. 			proxy_pass http://$backend;

  248. 		{% else %}

  249. 			{# Generic configuration for use outside of our container setup #}

  250. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container }};

  251. 		{% endif %}

  252. 

  253. 		proxy_set_header Host $host;

  254. 		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};

  255. 		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};

  256. 

  257. 		client_body_buffer_size 25M;

  258. 		client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M;

  259. 		proxy_max_temp_file_size 0;

  260. 	}

  261. 

  262. 	{#

  263. 		We only handle the root URI for this redirect or homepage serving.

  264. 		Unhandled URIs (mostly by `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes` above) should result in a 404,

  265. 		instead of causing a redirect.

  266. 		See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1058

  267. 	#}

  268. 	location ~* ^/$ {

  269. 		{% if matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain %}

  270. 			return 302 {{ matrix_nginx_proxy_x_forwarded_proto_value }}://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri;

  271. 		{% else %}

  272. 			rewrite ^/$ /_matrix/static/ last;

  273. 		{% endif %}

  274. 	}

  275. {% endmacro %}

  276. 

  277. server {

  278. 	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};

  279. 	listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }};

  280. 

  281. 	server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};

  282. 

  283. 	server_tokens off;

  284. 	root /dev/null;

  285. 

  286. 	{% if matrix_nginx_proxy_https_enabled %}

  287. 		location /.well-known/acme-challenge {

  288. 			{% if matrix_nginx_proxy_enabled %}

  289. 				{# Use the embedded DNS resolver in Docker containers to discover the service #}

  290. 				resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  291. 				set $backend "matrix-certbot:8080";

  292. 				proxy_pass http://$backend;

  293. 			{% else %}

  294. 				{# Generic configuration for use outside of our container setup #}

  295. 				proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};

  296. 			{% endif %}

  297. 		}

  298. 

  299. 		{% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %}

  300. 			{{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }}

  301. 		{% endif %}

  302. 

  303. 		location / {

  304. 			return 301 https://$http_host$request_uri;

  305. 		}

  306. 	{% else %}

  307. 		{{ render_vhost_directives() }}

  308. 	{% endif %}

  309. }

  310. 

  311. {% if matrix_nginx_proxy_https_enabled %}

  312. server {

  313. 	listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;

  314. 	listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;

  315. 

  316. 	server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};

  317. 

  318. 	server_tokens off;

  319. 	root /dev/null;

  320. 

  321. 	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem;

  322. 	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem;

  323. 

  324. 	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};

  325. 	{% if matrix_nginx_proxy_ssl_ciphers != '' %}

  326. 	ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};

  327. 	{% endif %}

  328. 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};

  329. 

  330. 	{% if matrix_nginx_proxy_ocsp_stapling_enabled %}

  331. 		ssl_stapling on;

  332. 		ssl_stapling_verify on;

  333. 		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem;

  334. 	{% endif %}

  335. 

  336. 	{% if matrix_nginx_proxy_ssl_session_tickets_off %}

  337. 		ssl_session_tickets off;

  338. 	{% endif %}

  339. 	ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};

  340. 	ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};

  341. 

  342. 	{{ render_vhost_directives() }}

  343. }

  344. {% endif %}

  345. 

  346. {% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled %}

  347. {#

  348. 	This federation vhost is a little special.

  349. 	It serves federation over HTTP or HTTPS, depending on `matrix_nginx_proxy_https_enabled`.

  350. #}

  351. server {

  352. 	{% if matrix_nginx_proxy_https_enabled %}

  353. 		listen {{ matrix_nginx_proxy_proxy_matrix_federation_port }} ssl http2;

  354. 		listen [::]:{{ matrix_nginx_proxy_proxy_matrix_federation_port }} ssl http2;

  355. 	{% else %}

  356. 		listen {{ matrix_nginx_proxy_proxy_matrix_federation_port }};

  357. 	{% endif %}

  358. 

  359. 	server_name {{ matrix_nginx_proxy_proxy_matrix_federation_hostname }};

  360. 	server_tokens off;

  361. 

  362. 	root /dev/null;

  363. 

  364. 	gzip on;

  365. 	gzip_types text/plain application/json;

  366. 

  367. 	{% if matrix_nginx_proxy_https_enabled %}

  368. 		ssl_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate }};

  369. 		ssl_certificate_key {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key }};

  370. 

  371. 		ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};

  372. 		{% if matrix_nginx_proxy_ssl_ciphers != '' %}

  373. 			ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};

  374. 		{% endif %}

  375. 		ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};

  376. 

  377. 		{% if matrix_nginx_proxy_ocsp_stapling_enabled %}

  378. 			ssl_stapling on;

  379. 			ssl_stapling_verify on;

  380. 			ssl_trusted_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate }};

  381. 		{% endif %}

  382. 

  383. 		{% if matrix_nginx_proxy_ssl_session_tickets_off %}

  384. 			ssl_session_tickets off;

  385. 		{% endif %}

  386. 		ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};

  387. 		ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};

  388. 	{% endif %}

  389. 

  390. 	location / {

  391. 		{% if matrix_nginx_proxy_enabled %}

  392. 			{# Use the embedded DNS resolver in Docker containers to discover the service #}

  393. 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;

  394. 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container }}";

  395. 			proxy_pass http://$backend;

  396. 		{% else %}

  397. 			{# Generic configuration for use outside of our container setup #}

  398. 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container }};

  399. 		{% endif %}

  400. 

  401. 		proxy_set_header Host $host;

  402. 		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};

  403. 		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};

  404. 

  405. 		client_body_buffer_size 25M;

  406. 		client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M;

  407. 		proxy_max_temp_file_size 0;

  408. 	}

  409. }

  410. {% endif %}