overmind
/
matrix-docker-ansible-deploy
ミラー元 https://github.com/spantaleev/matrix-docker-ansible-deploy
1
0
フォーク 0
コード 課題 0 リリース 0 Wiki アクティビティ
Matrix Docker Ansible eploy
選択できるのは25トピックまでです。 トピックは、先頭が英数字で、英数字とダッシュ('-')を使用した35文字以内のものにしてください。
7065 コミット
12 ブランチ
533 MiB
 
 
ツリー: effca48288
ブランチ タグ
${ item.name }
ブランチ ${ searchTerm } を作成
'effca48288' から
${ noResults }
matrix-docker-ansible-deploy/roles/custom/matrix-synapse-reverse-prox.../defaults/main.yml

235 行
21 KiB
Raw Blame 履歴 

  1. ---

  2. 

  3. # matrix-synapse-reverse-proxy-companion is a role which brings up a containerized nginx webserver which helps with reverse-proxying to Synapse when workers are enabled.

  4. #

  5. # When Synapse is NOT running in worker-mode, reverse-proxying is relatively simple (everything goes to `matrix-synapse:XXXX`).

  6. # In such cases, using this reverse-proxy companion is possible, but unnecessary - it's one more service in the stack, which also impacts performance a bit.

  7. #

  8. # When Synapse workers are enabled, however, the reverse-proxying configuration is much more complicated - certain requests need to go to certain workers, etc.

  9. # matrix-synapse-reverse-proxy-companion is the central place services that need to reach Synapse could be pointed to.

  10. #

  11. # This is also similar to the matrix-homeserver-proxy role, but that one aims to wrap the homeserver

  12. # (along with other homeserver route-stealing services like the identity server, matrix-media-repo, etc.)

  13. # into a neat package that addons (bridges, bots, etc.) can consume and get a unified view of "the currently-enabled homeserver and all related services".

  14. 

  15. matrix_synapse_reverse_proxy_companion_enabled: true

  16. 

  17. # renovate: datasource=docker depName=nginx

  18. matrix_synapse_reverse_proxy_companion_version: 1.25.3-alpine

  19. 

  20. matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }}/reverse-proxy-companion"

  21. matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d"

  22. 

  23. # List of systemd services that matrix-synapse-reverse-proxy-companion.service depends on

  24. matrix_synapse_reverse_proxy_companion_systemd_required_services_list: "{{ matrix_synapse_reverse_proxy_companion_systemd_required_services_list_default + matrix_synapse_reverse_proxy_companion_systemd_required_services_list_auto + matrix_synapse_reverse_proxy_companion_systemd_required_services_list_custom }}"

  25. matrix_synapse_reverse_proxy_companion_systemd_required_services_list_default: ['docker.service']

  26. matrix_synapse_reverse_proxy_companion_systemd_required_services_list_auto: []

  27. matrix_synapse_reverse_proxy_companion_systemd_required_services_list_custom: []

  28. 

  29. # List of systemd services that matrix-synapse-reverse-proxy-companion.service wants

  30. matrix_synapse_reverse_proxy_companion_systemd_wanted_services_list: ['matrix-synapse.service']

  31. 

  32. # We use an official nginx image, which we fix-up to run unprivileged.

  33. # An alternative would be an `nginxinc/nginx-unprivileged` image, but

  34. # that is frequently out of date.

  35. matrix_synapse_reverse_proxy_companion_container_image: "{{ matrix_container_global_registry_prefix }}nginx:{{ matrix_synapse_reverse_proxy_companion_version }}"

  36. matrix_synapse_reverse_proxy_companion_container_image_force_pull: "{{ matrix_synapse_reverse_proxy_companion_container_image.endswith(':latest') }}"

  37. 

  38. matrix_synapse_reverse_proxy_companion_container_network: ""

  39. 

  40. # A list of additional container networks that matrix-synapse-reverse-proxy-companion would be connected to.

  41. # The playbook does not create these networks, so make sure they already exist.

  42. matrix_synapse_reverse_proxy_companion_container_additional_networks: []

  43. 

  44. # Controls whether the matrix-synapse-reverse-proxy-companion container exposes its HTTP Client-Server API port (tcp/8008 in the container).

  45. #

  46. # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8008"), or empty string to not expose.

  47. matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: ''

  48. 

  49. # Controls whether the matrix-synapse-reverse-proxy-companion container exposes its HTTP Federation (Server-Server) API port (tcp/8048 in the container).

  50. #

  51. # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8048"), or empty string to not expose.

  52. matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: ''

  53. 

  54. # matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.

  55. # See `../templates/labels.j2` for details.

  56. #

  57. # To inject your own other container labels, see `matrix_synapse_reverse_proxy_companion_container_labels_additional_labels`.

  58. matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled: true

  59. matrix_synapse_reverse_proxy_companion_container_labels_traefik_docker_network: "{{ matrix_synapse_reverse_proxy_companion_container_network }}"

  60. matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints: web-secure

  61. matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver: default  # noqa var-naming

  62. matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname: ''

  63. 

  64. # Controls whether labels will be added for handling the root (/) path

  65. matrix_synapse_reverse_proxy_companion_container_labels_client_root_enabled: true

  66. matrix_synapse_reverse_proxy_companion_container_labels_client_root_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}"

  67. matrix_synapse_reverse_proxy_companion_container_labels_client_root_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_root_traefik_hostname }}`) && Path(`/`)"

  68. matrix_synapse_reverse_proxy_companion_container_labels_client_root_traefik_priority: 0

  69. matrix_synapse_reverse_proxy_companion_container_labels_client_root_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}"

  70. matrix_synapse_reverse_proxy_companion_container_labels_client_root_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_root_traefik_entrypoints != 'web' }}"

  71. matrix_synapse_reverse_proxy_companion_container_labels_client_root_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}"  # noqa var-naming

  72. matrix_synapse_reverse_proxy_companion_container_labels_client_root_redirection_enabled: false

  73. matrix_synapse_reverse_proxy_companion_container_labels_client_root_redirection_url: ""

  74. 

  75. # Controls whether labels will be added that expose the Client-Server API.

  76. matrix_synapse_reverse_proxy_companion_container_labels_client_api_enabled: true

  77. matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}"

  78. matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_path_prefix: /_matrix

  79. matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_path_prefix }}`)"

  80. matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_priority: 0

  81. matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}"

  82. matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_entrypoints != 'web' }}"

  83. matrix_synapse_reverse_proxy_companion_container_labels_client_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}"  # noqa var-naming

  84. 

  85. # Controls whether labels will be added that expose the /_synapse/client paths

  86. matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_enabled: true

  87. matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}"

  88. matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_path_prefix: /_synapse/client

  89. matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_path_prefix }}`)"

  90. matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_priority: 0

  91. matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}"

  92. matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_entrypoints != 'web' }}"

  93. matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_client_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}"  # noqa var-naming

  94. 

  95. # Controls whether labels will be added that expose the /_synapse/oidc paths

  96. # Enable this if you need OpenID Connect authentication support.

  97. matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_enabled: false

  98. matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}"

  99. matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_path_prefix: /_synapse/oidc

  100. matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_path_prefix }}`)"

  101. matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_priority: 0

  102. matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}"

  103. matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_entrypoints != 'web' }}"

  104. matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_oidc_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}"  # noqa var-naming

  105. 

  106. # Controls whether labels will be added that expose the /_synapse/admin paths

  107. # Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't.

  108. matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_enabled: false

  109. matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}"

  110. matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_path_prefix: /_synapse/admin

  111. matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_path_prefix }}`)"

  112. matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_priority: 0

  113. matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}"

  114. matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_entrypoints != 'web' }}"

  115. matrix_synapse_reverse_proxy_companion_container_labels_client_synapse_admin_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}"  # noqa var-naming

  116. 

  117. # Controls whether labels will be added that expose the Server-Server API (Federation API).

  118. matrix_synapse_reverse_proxy_companion_container_labels_federation_api_enabled: "{{ matrix_synapse_reverse_proxy_companion_federation_api_enabled }}"

  119. matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}"

  120. matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_path_prefix: /_matrix

  121. matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_path_prefix }}`)"

  122. matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_priority: 0

  123. matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_entrypoints: ''

  124. matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_entrypoints != 'web' }}"

  125. matrix_synapse_reverse_proxy_companion_container_labels_federation_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}"  # noqa var-naming

  126. 

  127. # matrix_synapse_reverse_proxy_companion_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.

  128. # See `../templates/labels.j2` for details.

  129. #

  130. # Example:

  131. # matrix_synapse_reverse_proxy_companion_container_labels_additional_labels: |

  132. #   my.label=1

  133. #   another.label="here"

  134. matrix_synapse_reverse_proxy_companion_container_labels_additional_labels: ''

  135. 

  136. # The amount of worker processes and connections

  137. # Consider increasing these when you are expecting high amounts of traffic

  138. # http://nginx.org/en/docs/ngx_core_module.html#worker_connections

  139. matrix_synapse_reverse_proxy_companion_worker_processes: auto

  140. matrix_synapse_reverse_proxy_companion_worker_connections: 1024

  141. 

  142. # Option to disable the access log

  143. matrix_synapse_reverse_proxy_companion_access_log_enabled: true

  144. 

  145. # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.

  146. matrix_synapse_reverse_proxy_companion_tmp_directory_size_mb: "{{ (matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb | int) * 50 }}"

  147. matrix_synapse_reverse_proxy_companion_tmp_cache_directory_size_mb: "{{ (matrix_synapse_reverse_proxy_companion_synapse_cache_max_size_mb | int) * 2 }}"

  148. 

  149. # A list of strings containing additional configuration blocks to add to the nginx server configuration (nginx.conf).

  150. # for big matrixservers to enlarge the number of open files to prevent timeouts

  151. # matrix_synapse_reverse_proxy_companion_additional_configuration_blocks:

  152. #  - 'worker_rlimit_nofile 30000;'

  153. matrix_synapse_reverse_proxy_companion_additional_configuration_blocks: []

  154. 

  155. # A list of strings containing additional configuration blocks to add to the nginx event server configuration (nginx.conf).

  156. matrix_synapse_reverse_proxy_companion_event_additional_configuration_blocks: []

  157. 

  158. # A list of strings containing additional configuration blocks to add to the nginx http's server configuration (nginx-http.conf).

  159. matrix_synapse_reverse_proxy_companion_http_additional_server_configuration_blocks: []

  160. 

  161. # To increase request timeout in NGINX using proxy_read_timeout, proxy_connect_timeout, proxy_send_timeout, send_timeout directives

  162. # Nginx Default: proxy_connect_timeout 60s;   #Defines a timeout for establishing a connection with a proxied server

  163. # Nginx Default: proxy_send_timeout 60s;      #Sets a timeout for transmitting a request to the proxied server.

  164. # Nginx Default: proxy_read_timeout 60s;      #Defines a timeout for reading a response from the proxied server.

  165. # Nginx Default: send_timeout 60s;            #Sets a timeout for transmitting a response to the client.

  166. #

  167. # For more information visit:

  168. # http://nginx.org/en/docs/http/ngx_http_proxy_module.html

  169. # http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout

  170. # https://www.nginx.com/resources/wiki/start/topics/examples/fullexample2/

  171. #

  172. # Here we are sticking with nginx default values change this value carefully.

  173. matrix_synapse_reverse_proxy_companion_proxy_connect_timeout: 60

  174. matrix_synapse_reverse_proxy_companion_proxy_send_timeout: 60

  175. matrix_synapse_reverse_proxy_companion_proxy_read_timeout: 60

  176. matrix_synapse_reverse_proxy_companion_send_timeout: 60

  177. 

  178. # For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter).

  179. #

  180. # Otherwise, we get warnings like this:

  181. # > [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/matrix/ssl/config/live/.../fullchain.pem"

  182. #

  183. # We point it to the internal Docker resolver, which likely delegates to nameservers defined in `/etc/resolv.conf`.

  184. matrix_synapse_reverse_proxy_companion_http_level_resolver: 127.0.0.11

  185. 

  186. matrix_synapse_reverse_proxy_companion_hostname: "matrix-synapse-reverse-proxy-companion"

  187. 

  188. # matrix_synapse_reverse_proxy_companion_client_api_addr specifies the address where the Client-Server API is

  189. matrix_synapse_reverse_proxy_companion_client_api_addr: 'matrix-synapse:{{ matrix_synapse_container_client_api_port }}'

  190. # This needs to be equal or higher than the maximum upload size accepted by Synapse.

  191. matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb: 50

  192. 

  193. # matrix_synapse_reverse_proxy_companion_federation_api_enabled specifies whether reverse proxying for the Federation (Server-Server) API should be done

  194. matrix_synapse_reverse_proxy_companion_federation_api_enabled: true

  195. # matrix_synapse_reverse_proxy_companion_federation_api_addr specifies the address where the Federation (Server-Server) API is

  196. matrix_synapse_reverse_proxy_companion_federation_api_addr: 'matrix-synapse:{{ matrix_synapse_container_federation_api_plain_port }}'

  197. matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb: "{{ (matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb | int) * 3 }}"

  198. 

  199. # A list of strings containing additional configuration blocks to add to the nginx vhost handling the Synapse Client-Server API

  200. matrix_synapse_reverse_proxy_companion_synapse_client_api_additional_server_configuration_blocks: []

  201. 

  202. # A list of strings containing additional configuration blocks to add to the nginx vhost handling the Synapse Federation (Server-Server) API

  203. matrix_synapse_reverse_proxy_companion_synapse_federation_api_additional_server_configuration_blocks: []

  204. 

  205. 

  206. # synapse worker activation and endpoint mappings

  207. matrix_synapse_reverse_proxy_companion_synapse_workers_enabled: false

  208. matrix_synapse_reverse_proxy_companion_synapse_workers_list: []

  209. matrix_synapse_reverse_proxy_companion_synapse_generic_worker_client_server_locations: []

  210. matrix_synapse_reverse_proxy_companion_synapse_generic_worker_federation_locations: []

  211. matrix_synapse_reverse_proxy_companion_synapse_stream_writer_typing_stream_worker_client_server_locations: []

  212. matrix_synapse_reverse_proxy_companion_synapse_stream_writer_to_device_stream_worker_client_server_locations: []

  213. matrix_synapse_reverse_proxy_companion_synapse_stream_writer_account_data_stream_worker_client_server_locations: []

  214. matrix_synapse_reverse_proxy_companion_synapse_stream_writer_receipts_stream_worker_client_server_locations: []

  215. matrix_synapse_reverse_proxy_companion_synapse_stream_writer_presence_stream_worker_client_server_locations: []

  216. matrix_synapse_reverse_proxy_companion_synapse_media_repository_locations: []

  217. matrix_synapse_reverse_proxy_companion_synapse_user_dir_locations: []

  218. 

  219. 

  220. # synapse content caching

  221. matrix_synapse_reverse_proxy_companion_synapse_cache_enabled: false

  222. matrix_synapse_reverse_proxy_companion_synapse_cache_path: /tmp/synapse-cache

  223. matrix_synapse_reverse_proxy_companion_synapse_cache_keys_zone_name: "STATIC"

  224. matrix_synapse_reverse_proxy_companion_synapse_cache_keys_zone_size: "10m"

  225. matrix_synapse_reverse_proxy_companion_synapse_cache_inactive_time: "48h"

  226. matrix_synapse_reverse_proxy_companion_synapse_cache_max_size_mb: 1024

  227. matrix_synapse_reverse_proxy_companion_synapse_cache_proxy_cache_valid_time: "24h"

  228. 

  229. 

  230. # Controls whether matrix-synapse-reverse-proxy-companion trusts an upstream server's X-Forwarded-Proto header.

  231. # The `matrix-synapse-reverse-proxy-companion` does not terminate SSL and always expects to be fronted by another reverse-proxy server (`matrix-nginx-proxy`, etc.).

  232. # As such, it trusts the protocol scheme forwarded by the upstream proxy.

  233. matrix_synapse_reverse_proxy_companion_trust_forwarded_proto: true

  234. matrix_synapse_reverse_proxy_companion_x_forwarded_proto_value: "{{ '$http_x_forwarded_proto' if matrix_synapse_reverse_proxy_companion_trust_forwarded_proto else '$scheme' }}"