mirror of
https://github.com/spantaleev/matrix-docker-ansible-deploy.git
synced 2024-12-12 08:43:55 +02:00
3b9d5b13e9
Seems like Dendrite encourages serving both the Client and Federation API at the same port. Coming from Synapse and how things are done there, we have separate ports. Using separate ports probably makes matrix-corporal (etc.) integration easier, so separating the APIs by default probably makes sense.
551 lines
33 KiB
YAML
551 lines
33 KiB
YAML
matrix_nginx_proxy_enabled: true
|
|
matrix_nginx_proxy_version: 1.21.5-alpine
|
|
|
|
# We use an official nginx image, which we fix-up to run unprivileged.
|
|
# An alternative would be an `nginxinc/nginx-unprivileged` image, but
|
|
# that is frequently out of date.
|
|
matrix_nginx_proxy_docker_image: "{{ matrix_container_global_registry_prefix }}nginx:{{ matrix_nginx_proxy_version }}"
|
|
matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}"
|
|
|
|
matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy"
|
|
matrix_nginx_proxy_data_path: "{{ matrix_nginx_proxy_base_path }}/data"
|
|
matrix_nginx_proxy_data_path_in_container: "/nginx-data"
|
|
matrix_nginx_proxy_data_path_extension: "/matrix_domain"
|
|
matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_base_path }}/conf.d"
|
|
|
|
# List of systemd services that matrix-nginx-proxy.service depends on
|
|
matrix_nginx_proxy_systemd_required_services_list: ['docker.service']
|
|
|
|
# List of systemd services that matrix-nginx-proxy.service wants
|
|
matrix_nginx_proxy_systemd_wanted_services_list: []
|
|
|
|
# A list of additional "volumes" to mount in the container.
|
|
# This list gets populated dynamically at runtime. You can provide a different default value,
|
|
# if you wish to mount your own files into the container.
|
|
# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
|
|
matrix_nginx_proxy_container_additional_volumes: []
|
|
|
|
# A list of extra arguments to pass to the container
|
|
matrix_nginx_proxy_container_extra_arguments: []
|
|
|
|
# Controls whether matrix-nginx-proxy serves its vhosts over HTTPS or HTTP.
|
|
#
|
|
# If enabled:
|
|
# - SSL certificates would be expected to be available (see `matrix_ssl_retrieval_method`)
|
|
# - the HTTP vhost would be made a redirect to the HTTPS vhost
|
|
#
|
|
# If not enabled:
|
|
# - you don't need any SSL certificates (you can set `matrix_ssl_retrieval_method: none`)
|
|
# - naturally, there's no HTTPS vhost
|
|
# - services are served directly from the HTTP vhost
|
|
matrix_nginx_proxy_https_enabled: true
|
|
|
|
# Controls whether matrix-nginx-proxy trusts an upstream server's X-Forwarded-Proto header
|
|
#
|
|
# Required if you disable HTTPS for the container (see `matrix_nginx_proxy_https_enabled`) and have an upstream server handle it instead.
|
|
matrix_nginx_proxy_trust_forwarded_proto: false
|
|
matrix_nginx_proxy_x_forwarded_proto_value: "{{ '$http_x_forwarded_proto' if matrix_nginx_proxy_trust_forwarded_proto else '$scheme' }}"
|
|
|
|
# Controls whether the matrix-nginx-proxy container exposes its HTTP port (tcp/8080 in the container).
|
|
#
|
|
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:80"), or empty string to not expose.
|
|
matrix_nginx_proxy_container_http_host_bind_port: '80'
|
|
|
|
# Controls whether the matrix-nginx-proxy container exposes its HTTPS port (tcp/8443 in the container).
|
|
#
|
|
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:443"), or empty string to not expose.
|
|
#
|
|
# This only makes sense and applies if `matrix_nginx_proxy_https_enabled` is set to `true`.
|
|
# Otherwise, there are no HTTPS vhosts to expose.
|
|
matrix_nginx_proxy_container_https_host_bind_port: '443'
|
|
|
|
# Controls whether the matrix-nginx-proxy container exposes the Matrix Federation port (tcp/8448 in the container).
|
|
#
|
|
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8448"), or empty string to not expose.
|
|
#
|
|
# This only makes sense and applies if `matrix_nginx_proxy_proxy_matrix_federation_api_enabled` is set to `true`.
|
|
# Otherwise, there is no Matrix Federation port to expose.
|
|
#
|
|
# This port can take HTTP or HTTPS traffic, depending on `matrix_nginx_proxy_https_enabled`.
|
|
# When HTTPS is disabled, you'd likely want to only expose the port locally, and front it with another HTTPS-enabled reverse-proxy.
|
|
matrix_nginx_proxy_container_federation_host_bind_port: '8448'
|
|
|
|
# Controls whether matrix-nginx-proxy should serve the base domain.
|
|
#
|
|
# This is useful for when you only have your Matrix server, but you need to serve
|
|
# to serve `/.well-known/matrix/*` files from the base domain for the needs of
|
|
# Server-Discovery (Federation) and for Client-Discovery.
|
|
#
|
|
# Besides serving these Matrix files, a homepage would be served with content
|
|
# as specified in the `matrix_nginx_proxy_base_domain_homepage_template` variable.
|
|
# You can also put additional files to use for this webpage
|
|
# in the `{{ matrix_nginx_proxy_data_path }}/matrix-domain` (`/matrix/nginx-proxy/data/matrix-domain`) directory.
|
|
matrix_nginx_proxy_base_domain_serving_enabled: false
|
|
|
|
# Controls whether the base domain directory and default index.html file are created.
|
|
matrix_nginx_proxy_base_domain_create_directory: true
|
|
|
|
matrix_nginx_proxy_base_domain_hostname: "{{ matrix_domain }}"
|
|
|
|
# Controls whether `matrix_nginx_proxy_base_domain_homepage_template` would be dumped to an `index.html` file
|
|
# in the `/matrix/nginx-proxy/data/matrix-domain` directory.
|
|
#
|
|
# If you would instead like to serve a static website by yourself, you can disable this.
|
|
# When disabled, you're expected to put website files in `/matrix/nginx-proxy/data/matrix-domain` manually
|
|
# and can expect that the playbook won't intefere with the `index.html` file.
|
|
matrix_nginx_proxy_base_domain_homepage_enabled: true
|
|
|
|
matrix_nginx_proxy_base_domain_homepage_template: |-
|
|
<!doctype html>
|
|
<meta charset="utf-8" />
|
|
<html>
|
|
<body>
|
|
Hello from {{ matrix_domain }}!
|
|
</body>
|
|
</html>
|
|
|
|
# Option to disable the access log
|
|
matrix_nginx_proxy_access_log_enabled: true
|
|
|
|
# Controls whether proxying the riot domain should be done.
|
|
matrix_nginx_proxy_proxy_riot_compat_redirect_enabled: false
|
|
matrix_nginx_proxy_proxy_riot_compat_redirect_hostname: "riot.{{ matrix_domain }}"
|
|
|
|
# Controls whether proxying for Synapse should be done.
|
|
matrix_nginx_proxy_proxy_synapse_enabled: false
|
|
matrix_nginx_proxy_proxy_synapse_hostname: "matrix-nginx-proxy"
|
|
matrix_nginx_proxy_proxy_synapse_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}"
|
|
# The addresses where the Matrix Client API is, when using Synapse.
|
|
matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container: ""
|
|
matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container: ""
|
|
# The addresses where the Federation API is, when using Synapse.
|
|
matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container: ""
|
|
matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: ""
|
|
# A list of strings containing additional configuration blocks to add to the Synapse's server configuration (matrix-synapse.conf).
|
|
matrix_nginx_proxy_proxy_synapse_additional_server_configuration_blocks: []
|
|
|
|
# Controls whether proxying for Dendrite should be done.
|
|
matrix_nginx_proxy_proxy_dendrite_enabled: false
|
|
matrix_nginx_proxy_proxy_dendrite_hostname: "matrix-nginx-proxy"
|
|
matrix_nginx_proxy_proxy_dendrite_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}"
|
|
# Controls whether the Client API server (usually at matrix.DOMAIN:443) should explicitly reject `/_matrix/federation` endpoints.
|
|
# Normally, Dendrite Monolith serves both APIs (Client & Federation) at the same port, so we can serve federation at `matrix.DOMAIN:443` too.
|
|
matrix_nginx_proxy_proxy_dendrite_block_federation_api_on_client_port: true
|
|
# The addresses where the Matrix Client API is, when using Dendrite.
|
|
matrix_nginx_proxy_proxy_dendrite_client_api_addr_with_container: ""
|
|
matrix_nginx_proxy_proxy_dendrite_client_api_addr_sans_container: ""
|
|
# A list of strings containing additional configuration blocks to add to the Dendrite's server configuration (matrix-dendrite.conf).
|
|
matrix_nginx_proxy_proxy_dendrite_additional_server_configuration_blocks: []
|
|
|
|
# Controls whether proxying the Element domain should be done.
|
|
matrix_nginx_proxy_proxy_element_enabled: false
|
|
matrix_nginx_proxy_proxy_element_hostname: "{{ matrix_server_fqn_element }}"
|
|
|
|
# Controls whether proxying the Hydrogen domain should be done.
|
|
matrix_nginx_proxy_proxy_hydrogen_enabled: false
|
|
matrix_nginx_proxy_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}"
|
|
|
|
# Controls whether proxying the Cinny domain should be done.
|
|
matrix_nginx_proxy_proxy_cinny_enabled: false
|
|
matrix_nginx_proxy_proxy_cinny_hostname: "{{ matrix_server_fqn_cinny }}"
|
|
|
|
# Controls whether proxying the matrix domain should be done.
|
|
matrix_nginx_proxy_proxy_matrix_enabled: false
|
|
matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}"
|
|
matrix_nginx_proxy_proxy_matrix_federation_hostname: "{{ matrix_nginx_proxy_proxy_matrix_hostname }}"
|
|
# The port name used for federation in the nginx configuration.
|
|
# This is not necessarily the port that it's actually on,
|
|
# as port-mapping happens (`-p ..`) for the `matrix-nginx-proxy` container.
|
|
matrix_nginx_proxy_proxy_matrix_federation_port: 8448
|
|
|
|
# Controls whether proxying the dimension domain should be done.
|
|
matrix_nginx_proxy_proxy_dimension_enabled: false
|
|
matrix_nginx_proxy_proxy_dimension_hostname: "{{ matrix_server_fqn_dimension }}"
|
|
|
|
# Controls whether proxying the goneb domain should be done.
|
|
matrix_nginx_proxy_proxy_bot_go_neb_enabled: false
|
|
matrix_nginx_proxy_proxy_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }}"
|
|
|
|
# Controls whether proxying the jitsi domain should be done.
|
|
matrix_nginx_proxy_proxy_jitsi_enabled: false
|
|
matrix_nginx_proxy_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}"
|
|
|
|
# Controls whether proxying the grafana domain should be done.
|
|
matrix_nginx_proxy_proxy_grafana_enabled: false
|
|
matrix_nginx_proxy_proxy_grafana_hostname: "{{ matrix_server_fqn_grafana }}"
|
|
|
|
# Controls whether proxying the sygnal domain should be done.
|
|
matrix_nginx_proxy_proxy_sygnal_enabled: false
|
|
matrix_nginx_proxy_proxy_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}"
|
|
|
|
# Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain)
|
|
matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false
|
|
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
|
|
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081"
|
|
|
|
# Controls whether proxying for the User Directory Search API (`/_matrix/client/r0/user_directory/search`) should be done (on the matrix domain).
|
|
# This can be used to forward the API endpoint to another service, augmenting the functionality of Synapse's own User Directory Search.
|
|
# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/directory.md
|
|
matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false
|
|
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"
|
|
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"
|
|
|
|
# Controls whether proxying for 3PID-based registration (`/_matrix/client/r0/register/(email|msisdn)/requestToken`) should be done (on the matrix domain).
|
|
# This allows another service to control registrations involving 3PIDs.
|
|
# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md
|
|
matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled: false
|
|
matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"
|
|
matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"
|
|
|
|
# Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain)
|
|
matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false
|
|
matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"
|
|
matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"
|
|
|
|
# Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain)
|
|
matrix_nginx_proxy_proxy_synapse_metrics: false
|
|
matrix_nginx_proxy_synapse_workers_enabled_list: []
|
|
matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled: false
|
|
# The following value will be written verbatim to the htpasswd file that stores the password for nginx to check against and needs to be encoded appropriately.
|
|
# Read the manpage at `man 1 htpasswd` to learn more, then encrypt your password, and paste the encrypted value here.
|
|
# e.g. `htpasswd -c mypass.htpasswd prometheus` and enter `mysecurepw` when prompted yields `prometheus:$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/`
|
|
# The part after `prometheus:` is needed here. matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: "$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/"
|
|
matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: ""
|
|
|
|
# The addresses where the Matrix Client API is.
|
|
# Certain extensions (like matrix-corporal) may override this in order to capture all traffic.
|
|
matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-nginx-proxy:12080"
|
|
matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "127.0.0.1:12080"
|
|
|
|
# This needs to be equal or higher than the maximum upload size accepted by Synapse.
|
|
matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb: 50
|
|
|
|
|
|
# Tells whether `/_synapse/client` is forwarded to the Matrix Client API server.
|
|
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled: true
|
|
|
|
# Tells whether `/_synapse/oidc` is forwarded to the Matrix Client API server.
|
|
# Enable this if you need OpenID Connect authentication support.
|
|
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled: false
|
|
|
|
# Tells whether `/_synapse/admin` is forwarded to the Matrix Client API server.
|
|
# Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't.
|
|
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: false
|
|
|
|
# `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefixes` holds
|
|
# the location prefixes that get forwarded to the Matrix Client API server.
|
|
# These locations get combined into a regex like this `^(/_matrix|/_synapse/client)`.
|
|
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: |
|
|
{{
|
|
(['/_matrix'])
|
|
+
|
|
(['/_synapse/client'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled else [])
|
|
+
|
|
(['/_synapse/oidc'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled else [])
|
|
+
|
|
(['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else [])
|
|
+
|
|
(['/_synapse.*/metrics'] if matrix_nginx_proxy_proxy_synapse_metrics else [])
|
|
}}
|
|
|
|
# Specifies where requests for the root URI (`/`) on the `matrix.` domain should be redirected.
|
|
# If this has an empty value, they're just passed to the homeserver, which serves a static page.
|
|
# If you'd like to make `https://matrix.DOMAIN` redirect to `https://element.DOMAIN` (or something of that sort), specify the domain name here.
|
|
# Example value: `element.DOMAIN` (or `{{ matrix_server_fqn_element }}`).
|
|
matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: ""
|
|
|
|
# Controls whether proxying for the Matrix Federation API should be done.
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-nginx-proxy:12088"
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "localhost:12088"
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb | int) * 3 }}"
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem"
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem"
|
|
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem"
|
|
|
|
# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
|
|
matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}"
|
|
|
|
# A list of strings containing additional configuration blocks to add to the nginx server configuration (nginx.conf).
|
|
# for big matrixservers to enlarge the number of open files to prevent timeouts
|
|
# matrix_nginx_proxy_proxy_additional_configuration_blocks:
|
|
# - 'worker_rlimit_nofile 30000;'
|
|
matrix_nginx_proxy_proxy_additional_configuration_blocks: []
|
|
|
|
# A list of strings containing additional configuration blocks to add to the nginx event server configuration (nginx.conf).
|
|
matrix_nginx_proxy_proxy_event_additional_configuration_blocks: []
|
|
|
|
# A list of strings containing additional configuration blocks to add to the nginx http's server configuration (nginx-http.conf).
|
|
matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks: []
|
|
|
|
# A list of strings containing additional configuration blocks to add to the base matrix server configuration (matrix-domain.conf).
|
|
matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: []
|
|
|
|
# A list of strings containing additional configuration blocks to add to Riot's server configuration (matrix-riot-web.conf).
|
|
matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: []
|
|
|
|
# A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf).
|
|
matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks: []
|
|
|
|
# A list of strings containing additional configuration blocks to add to Hydrogen's server configuration (matrix-client-hydrogen.conf).
|
|
matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks: []
|
|
|
|
# A list of strings containing additional configuration blocks to add to Cinny's server configuration (matrix-client-cinny.conf).
|
|
matrix_nginx_proxy_proxy_cinny_additional_server_configuration_blocks: []
|
|
|
|
# A list of strings containing additional configuration blocks to add to Dimension's server configuration (matrix-dimension.conf).
|
|
matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: []
|
|
|
|
# A list of strings containing additional configuration blocks to add to GoNEB's server configuration (matrix-bot-go-neb.conf).
|
|
matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks: []
|
|
|
|
# A list of strings containing additional configuration blocks to add to Jitsi's server configuration (matrix-jitsi.conf).
|
|
matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks: []
|
|
|
|
# A list of strings containing additional configuration blocks to add to Grafana's server configuration (matrix-grafana.conf).
|
|
matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks: []
|
|
|
|
# A list of strings containing additional configuration blocks to add to Sygnal's server configuration (matrix-sygnal.conf).
|
|
matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks: []
|
|
|
|
# A list of strings containing additional configuration blocks to add to the base domain server configuration (matrix-base-domain.conf).
|
|
matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: []
|
|
|
|
# To increase request timeout in NGINX using proxy_read_timeout, proxy_connect_timeout, proxy_send_timeout, send_timeout directives
|
|
# Nginx Default: proxy_connect_timeout 60s; #Defines a timeout for establishing a connection with a proxied server
|
|
# Nginx Default: proxy_send_timeout 60s; #Sets a timeout for transmitting a request to the proxied server.
|
|
# Nginx Default: proxy_read_timeout 60s; #Defines a timeout for reading a response from the proxied server.
|
|
# Nginx Default: send_timeout 60s; #Sets a timeout for transmitting a response to the client.
|
|
#
|
|
# For more information visit:
|
|
# http://nginx.org/en/docs/http/ngx_http_proxy_module.html
|
|
# http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout
|
|
# https://www.nginx.com/resources/wiki/start/topics/examples/fullexample2/
|
|
#
|
|
# Here we are sticking with nginx default values change this value carefully.
|
|
matrix_nginx_proxy_connect_timeout: 60
|
|
matrix_nginx_proxy_send_timeout: 60
|
|
matrix_nginx_proxy_read_timeout: 60
|
|
matrix_nginx_send_timeout: 60
|
|
|
|
# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses for all vhosts meant to be accessed by users.
|
|
#
|
|
# Learn more about what it is here:
|
|
# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
|
|
# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
|
|
# - https://amifloced.org/
|
|
#
|
|
# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
|
|
matrix_nginx_proxy_floc_optout_enabled: true
|
|
|
|
# HSTS Preloading Enable
|
|
#
|
|
# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
|
|
# indicates a willingness to be “preloaded” into browsers:
|
|
# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
|
|
# For more information visit:
|
|
# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
|
|
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
|
|
# - https://hstspreload.org/#opt-in
|
|
matrix_nginx_proxy_hsts_preload_enabled: false
|
|
|
|
# X-XSS-Protection Enable
|
|
# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
|
|
# Note: Not applicable for grafana
|
|
#
|
|
# Learn more about it is here:
|
|
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
|
|
# - https://portswigger.net/web-security/cross-site-scripting/reflected
|
|
matrix_nginx_proxy_xss_protection: "1; mode=block"
|
|
|
|
# Specifies the SSL configuration that should be used for the SSL protocols and ciphers
|
|
# This is based on the Mozilla Server Side TLS Recommended configurations.
|
|
#
|
|
# The posible values are:
|
|
# - "modern" - For Modern clients that support TLS 1.3, with no need for backwards compatibility
|
|
# - "intermediate" - Recommended configuration for a general-purpose server
|
|
# - "old" - Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8
|
|
#
|
|
# For more information visit:
|
|
# - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
|
|
# - https://ssl-config.mozilla.org/#server=nginx
|
|
matrix_nginx_proxy_ssl_preset: "intermediate"
|
|
|
|
# Presets are taken from Mozilla's Server Side TLS Recommended configurations
|
|
# DO NOT modify these values and use `matrix_nginx_proxy_ssl_protocols`, `matrix_nginx_proxy_ssl_ciphers` and `matrix_nginx_proxy_ssl_ciphers`
|
|
# if you wish to use something more custom.
|
|
matrix_nginx_proxy_ssl_presets:
|
|
modern:
|
|
protocols: TLSv1.3
|
|
ciphers: ""
|
|
prefer_server_ciphers: "off"
|
|
intermediate:
|
|
protocols: TLSv1.2 TLSv1.3
|
|
ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
|
prefer_server_ciphers: "off"
|
|
old:
|
|
protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
|
|
ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
|
|
prefer_server_ciphers: "on"
|
|
|
|
|
|
# Specifies which *SSL protocols* to use when serving all the various vhosts.
|
|
matrix_nginx_proxy_ssl_protocols: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['protocols'] }}"
|
|
|
|
# Specifies whether to prefer *the client’s choice or the server’s choice* when negotiating ciphers.
|
|
matrix_nginx_proxy_ssl_prefer_server_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['prefer_server_ciphers'] }}"
|
|
|
|
# Specifies which *SSL Cipher suites* to use when serving all the various vhosts.
|
|
# To see the full list for suportes ciphers run `openssl ciphers` on your server
|
|
matrix_nginx_proxy_ssl_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"
|
|
|
|
# Specifies what to use for the X-Forwarded-For variable.
|
|
# If you're fronting the nginx reverse-proxy with additional reverse-proxy servers,
|
|
# you may wish to set this to '$proxy_add_x_forwarded_for' instead.
|
|
matrix_nginx_proxy_x_forwarded_for: '$remote_addr'
|
|
|
|
# Controls whether the self-check feature should validate SSL certificates.
|
|
matrix_nginx_proxy_self_check_validate_certificates: true
|
|
|
|
# Controls whether redirects will be followed when checking the `/.well-known/matrix/client` resource.
|
|
#
|
|
# As per the spec (https://matrix.org/docs/spec/client_server/r0.6.0#well-known-uri), it shouldn't be,
|
|
# so we default to not following redirects as well.
|
|
matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects: none
|
|
|
|
# For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter).
|
|
#
|
|
# Otherwise, we get warnings like this:
|
|
# > [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/matrix/ssl/config/live/.../fullchain.pem"
|
|
#
|
|
# We point it to the internal Docker resolver, which likely delegates to nameservers defined in `/etc/resolv.conf`.
|
|
#
|
|
# When nginx proxy is disabled, our configuration is likely used by non-containerized nginx, so can't use the internal Docker resolver.
|
|
# Pointing `resolver` to some public DNS server might be an option, but for now we impose DNS servers on people.
|
|
# It might also be that no such warnings occur when not running in a container.
|
|
matrix_nginx_proxy_http_level_resolver: "{{ '127.0.0.11' if matrix_nginx_proxy_enabled else '' }}"
|
|
|
|
# By default, this playbook automatically retrieves and auto-renews
|
|
# free SSL certificates from Let's Encrypt.
|
|
#
|
|
# The following retrieval methods are supported:
|
|
# - "lets-encrypt" - the playbook obtains free SSL certificates from Let's Encrypt
|
|
# - "self-signed" - the playbook generates and self-signs certificates
|
|
# - "manually-managed" - lets you manage certificates by yourself (manually; see below)
|
|
# - "none" - like "manually-managed", but doesn't care if you don't drop certificates in the location it expects
|
|
#
|
|
# If you decide to manage certificates by yourself (`matrix_ssl_retrieval_method: manually-managed`),
|
|
# you'd need to drop them into the directory specified by `matrix_ssl_config_dir_path`
|
|
# obeying the following hierarchy:
|
|
# - <matrix_ssl_config_dir_path>/live/<domain>/fullchain.pem
|
|
# - <matrix_ssl_config_dir_path>/live/<domain>/privkey.pem
|
|
# where <domain> refers to the domains that you need (usually `matrix_server_fqn_matrix` and `matrix_server_fqn_element`).
|
|
#
|
|
# The "none" type (`matrix_ssl_retrieval_method: none`), simply means that no certificate retrieval will happen.
|
|
# It's useful for when you've disabled the nginx proxy (`matrix_nginx_proxy_enabled: false`)
|
|
# and you'll be using another reverse-proxy server (like Apache) with your own certificates, managed by yourself.
|
|
# It's also useful if you're using `matrix_nginx_proxy_https_enabled: false` to make this nginx proxy serve
|
|
# plain HTTP traffic only (usually, on the loopback interface only) and you'd be terminating SSL using another reverse-proxy.
|
|
matrix_ssl_retrieval_method: "lets-encrypt"
|
|
|
|
matrix_ssl_architecture: "amd64"
|
|
|
|
# The full list of domains that this role will obtain certificates for.
|
|
# This variable is likely redefined outside of the role, to include the domains that are necessary (depending on the services that are enabled).
|
|
# To add additional domain names, consider using `matrix_ssl_additional_domains_to_obtain_certificates_for` instead.
|
|
matrix_ssl_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains_to_obtain_certificates_for }}"
|
|
|
|
# A list of additional domain names to obtain certificates for.
|
|
matrix_ssl_additional_domains_to_obtain_certificates_for: []
|
|
|
|
# Controls whether to obtain production or staging certificates from Let's Encrypt.
|
|
# If you'd like to use another ACME Certificate Authority server (not Let's Encrypt), use `matrix_ssl_lets_encrypt_server`
|
|
matrix_ssl_lets_encrypt_staging: false
|
|
|
|
# Controls from which Certificate Authority server to retrieve the SSL certificates (passed as a `--server` flag to Certbot).
|
|
# By default, we use the Let's Encrypt production environment (use `matrix_ssl_lets_encrypt_staging` for using the staging environment).
|
|
# Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#changing-the-acme-server
|
|
matrix_ssl_lets_encrypt_server: ''
|
|
|
|
matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.21.0"
|
|
matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"
|
|
matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
|
|
matrix_ssl_lets_encrypt_support_email: ~
|
|
|
|
# Tells which interface and port the Let's Encrypt (certbot) container should try to bind to
|
|
# when it tries to obtain initial certificates in standalone mode.
|
|
#
|
|
# This should normally be a public interface and port.
|
|
# If you'd like to not bind on all IP addresses, specify one explicitly (e.g. `a.b.c.d:80`)
|
|
matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port: '80'
|
|
|
|
matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"
|
|
matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"
|
|
matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"
|
|
|
|
# If you'd like to start some service before a certificate is obtained, specify it here.
|
|
# This could be something like `matrix-dynamic-dns`, etc.
|
|
matrix_ssl_pre_obtaining_required_service_name: ~
|
|
matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60
|
|
|
|
# Nginx Optimize SSL Session
|
|
#
|
|
# ssl_session_cache:
|
|
# - Creating a cache of TLS connection parameters reduces the number of handshakes
|
|
# and thus can improve the performance of application.
|
|
# - Default session cache is not optimal as it can be used by only one worker process
|
|
# and can cause memory fragmentation. It is much better to use shared cache.
|
|
# - Learn More: https://nginx.org/en/docs/http/ngx_http_ssl_module.html
|
|
#
|
|
# ssl_session_timeout:
|
|
# - Nginx by default it is set to 5 minutes which is very low.
|
|
# should be like 4h or 1d but will require you to increase the size of cache.
|
|
# - Learn More:
|
|
# https://github.com/certbot/certbot/issues/6903
|
|
# https://github.com/mozilla/server-side-tls/issues/198
|
|
#
|
|
# ssl_session_tickets:
|
|
# - In case of session tickets, information about session is given to the client.
|
|
# Enabling this improve performance also make Perfect Forward Secrecy useless.
|
|
# - If you would instead like to use ssl_session_tickets by yourself, you can set
|
|
# matrix_nginx_proxy_ssl_session_tickets_off false.
|
|
# - Learn More: https://github.com/mozilla/server-side-tls/issues/135
|
|
#
|
|
# Presets are taken from Mozilla's Server Side TLS Recommended configurations
|
|
matrix_nginx_proxy_ssl_session_cache: "shared:MozSSL:10m"
|
|
matrix_nginx_proxy_ssl_session_timeout: "1d"
|
|
matrix_nginx_proxy_ssl_session_tickets_off: true
|
|
|
|
# OCSP Stapling eliminating the need for clients to contact the CA, with the aim of improving both security and performance.
|
|
# OCSP stapling can provide a performance boost of up to 30%
|
|
# nginx web server supports OCSP stapling since version 1.3.7.
|
|
#
|
|
# *warning* Nginx is lazy loading OCSP responses, which means that for the first few web requests it is unable to add the OCSP response.
|
|
# set matrix_nginx_proxy_ocsp_stapling_enabled false to disable OCSP Stapling
|
|
#
|
|
# Learn more about what it is here:
|
|
# - https://en.wikipedia.org/wiki/OCSP_stapling
|
|
# - https://blog.cloudflare.com/high-reliability-ocsp-stapling/
|
|
# - https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
|
|
matrix_nginx_proxy_ocsp_stapling_enabled: true
|
|
|
|
# nginx status page configurations.
|
|
matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: false
|
|
matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ['{{ ansible_default_ipv4.address }}']
|
|
|
|
|
|
# synapse worker activation and endpoint mappings
|
|
matrix_nginx_proxy_synapse_workers_enabled: false
|
|
matrix_nginx_proxy_synapse_workers_list: []
|
|
matrix_nginx_proxy_synapse_generic_worker_client_server_locations: []
|
|
matrix_nginx_proxy_synapse_generic_worker_federation_locations: []
|
|
matrix_nginx_proxy_synapse_media_repository_locations: []
|
|
matrix_nginx_proxy_synapse_user_dir_locations: []
|
|
matrix_nginx_proxy_synapse_frontend_proxy_locations: []
|
|
|
|
# The amount of worker processes and connections
|
|
# Consider increasing these when you are expecting high amounts of traffic
|
|
# http://nginx.org/en/docs/ngx_core_module.html#worker_connections
|
|
matrix_nginx_proxy_worker_processes: 1
|
|
matrix_nginx_proxy_worker_connections: 1024
|