From ee0eb59dc6c39cd00ab0819b75f6a772a02ae157 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 14 Jan 2024 10:37:21 +0200 Subject: [PATCH] Add support for the internal Traefik entrypoint to Dendrite --- group_vars/matrix_servers | 3 + .../custom/matrix-dendrite/defaults/main.yml | 8 ++ .../matrix-dendrite/tasks/validate_config.yml | 22 ++--- .../matrix-dendrite/templates/labels.j2 | 82 ++++++++++++------- roles/custom/matrix-synapse/defaults/main.yml | 3 +- 5 files changed, 75 insertions(+), 43 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 1fc7d3e2a..0b0fdc2cd 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -4906,6 +4906,9 @@ matrix_dendrite_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_dendrite_container_labels_public_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}" matrix_dendrite_container_labels_public_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}" +matrix_dendrite_container_labels_internal_client_api_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}" +matrix_dendrite_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}" + matrix_dendrite_container_extra_arguments_auto: "{{ matrix_homeserver_container_extra_arguments_auto }}" matrix_dendrite_metrics_enabled: "{{ prometheus_enabled }}" diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml index d3fa27d3e..d7911220d 100644 --- a/roles/custom/matrix-dendrite/defaults/main.yml +++ b/roles/custom/matrix-dendrite/defaults/main.yml 
@@ -90,6 +90,14 @@ matrix_dendrite_container_labels_public_client_api_traefik_entrypoints: "{{ matr matrix_dendrite_container_labels_public_client_api_traefik_tls: "{{ matrix_dendrite_container_labels_public_client_api_traefik_entrypoints != 'web' }}" matrix_dendrite_container_labels_public_client_api_traefik_tls_certResolver: "{{ matrix_dendrite_container_labels_traefik_tls_certResolver }}" # noqa var-naming +# Controls whether labels will be added that expose the Client-Server API on the internal Traefik entrypoint. +# This is similar to `matrix_dendrite_container_labels_public_client_api_enabled`, but the entrypoint and intent is different. +matrix_dendrite_container_labels_internal_client_api_enabled: false +matrix_dendrite_container_labels_internal_client_api_traefik_path_prefix: "{{ matrix_dendrite_container_labels_public_client_api_traefik_path_prefix }}" +matrix_dendrite_container_labels_internal_client_api_traefik_rule: "PathPrefix(`{{ matrix_dendrite_container_labels_internal_client_api_traefik_path_prefix }}`)" +matrix_dendrite_container_labels_internal_client_api_traefik_priority: "{{ matrix_dendrite_container_labels_public_client_api_traefik_priority }}" +matrix_dendrite_container_labels_internal_client_api_traefik_entrypoints: "" + # Controls whether labels will be added that expose the /_synapse/admin paths on a public Traefik entrypoint. # Following these recommendations (https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md), by default, we don't. # Dendrite exposes some admin APIs under a Synapse-specific prefix. diff --git a/roles/custom/matrix-dendrite/tasks/validate_config.yml b/roles/custom/matrix-dendrite/tasks/validate_config.yml index fbd582505..581825a38 100644 --- a/roles/custom/matrix-dendrite/tasks/validate_config.yml +++ b/roles/custom/matrix-dendrite/tasks/validate_config.yml 
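Review bot: In roles/custom/matrix-dendrite/defaults/main.yml, the comment above `matrix_dendrite_container_labels_internal_client_api_enabled` says the entrypoint and intent differ from the public router, but it never states what the operator has to guarantee. The rule defaults to a bare `PathPrefix(...)` with no Host matcher, and the matching `Internal Client-API` block in templates/labels.j2 emits no `.tls` or `.middlewares` labels. Anything that reaches that entrypoint is therefore forwarded to Dendrite for any Host header, and without TLS unless the entrypoint itself configures it. I would add a line such as `# The internal router has no TLS and no Host matching; only point it at an entrypoint that is not published outside the container network.` and repeat the same remark in the labels.j2 comment block.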
@@ -1,15 +1,6 @@ --- -- name: Fail if required Dendrite settings not defined - ansible.builtin.fail: - msg: >- - You need to define a required configuration setting (`{{ item }}`) for using Dendrite. - when: "vars[item] == ''" - with_items: - - matrix_dendrite_hostname - - matrix_dendrite_client_api_registration_shared_secret - - matrix_dendrite_database_hostname -- name: (Deprecation) Catch and report renamed settings +- name: (Deprecation) Catch and report renamed Dendrite settings ansible.builtin.fail: msg: >- Your configuration contains a variable, which now has a different name. @@ -36,3 +27,14 @@ - {'old': 'matrix_dendrite_pushserver_database', 'new': 'matrix_dendrite_push_server_database'} - {'old': 'matrix_dendrite_relayapi_database', 'new': 'matrix_dendrite_relay_api_database'} - {'old': 'matrix_dendrite_keyserver_database', 'new': 'matrix_dendrite_key_server_database'} + +- name: Fail if required Dendrite settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" + with_items: + - {'name': 'matrix_dendrite_hostname', when: true} + - {'name': 'matrix_dendrite_client_api_registration_shared_secret', when: true} + - {'name': 'matrix_dendrite_database_hostname', when: true} + - {'name': 'matrix_dendrite_container_labels_internal_client_api_traefik_entrypoints', when: "{{ matrix_dendrite_container_labels_internal_client_api_enabled }}"} diff --git a/roles/custom/matrix-dendrite/templates/labels.j2 b/roles/custom/matrix-dendrite/templates/labels.j2 index 626153eb8..21193602e 100644 --- a/roles/custom/matrix-dendrite/templates/labels.j2 +++ b/roles/custom/matrix-dendrite/templates/labels.j2 
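Review bot: In the re-added `Fail if required Dendrite settings not defined` task of validate_config.yml, the emptiness test reads the setting through `vars[item.name]`, which as far as I know returns the raw, un-templated value. This commit's group_vars wiring sets `matrix_dendrite_container_labels_internal_client_api_traefik_entrypoints` to a `{{ ... }}` expression, so the comparison with `''` would likely see the template text and pass even when the rendered entrypoint name is empty. The router would then be labelled with an empty `entrypoints=` value, and Traefik may attach it to its default entrypoints instead of the internal one. Consider `when: "item.when | bool and lookup('ansible.builtin.vars', item.name, default='') == ''"`, which compares the rendered value and also treats an undefined variable as missing.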
@@ -21,20 +21,20 @@ traefik.http.middlewares.matrix-dendrite-client-root-redirect.redirectregex.rege traefik.http.middlewares.matrix-dendrite-client-root-redirect.redirectregex.replacement={{ matrix_dendrite_container_labels_public_client_root_redirection_url }} {% endif %} -traefik.http.routers.matrix-dendrite-client-root.rule={{ matrix_dendrite_container_labels_public_client_root_traefik_rule }} +traefik.http.routers.matrix-dendrite-public-client-root.rule={{ matrix_dendrite_container_labels_public_client_root_traefik_rule }} -traefik.http.routers.matrix-dendrite-client-root.middlewares={{ client_root_middlewares | join(',') }} +traefik.http.routers.matrix-dendrite-public-client-root.middlewares={{ client_root_middlewares | join(',') }} {% if matrix_dendrite_container_labels_public_client_root_traefik_priority | int > 0 %} -traefik.http.routers.matrix-dendrite-client-root.priority={{ matrix_dendrite_container_labels_public_client_root_traefik_priority }} +traefik.http.routers.matrix-dendrite-public-client-root.priority={{ matrix_dendrite_container_labels_public_client_root_traefik_priority }} {% endif %} -traefik.http.routers.matrix-dendrite-client-root.service=matrix-dendrite -traefik.http.routers.matrix-dendrite-client-root.entrypoints={{ matrix_dendrite_container_labels_public_client_root_traefik_entrypoints }} -traefik.http.routers.matrix-dendrite-client-root.tls={{ matrix_dendrite_container_labels_public_client_root_traefik_tls | to_json }} +traefik.http.routers.matrix-dendrite-public-client-root.service=matrix-dendrite +traefik.http.routers.matrix-dendrite-public-client-root.entrypoints={{ matrix_dendrite_container_labels_public_client_root_traefik_entrypoints }} +traefik.http.routers.matrix-dendrite-public-client-root.tls={{ matrix_dendrite_container_labels_public_client_root_traefik_tls | to_json }} {% if matrix_dendrite_container_labels_public_client_root_traefik_tls %} -traefik.http.routers.matrix-dendrite-client-root.tls.certResolver={{ 
matrix_dendrite_container_labels_public_client_root_traefik_tls_certResolver }} +traefik.http.routers.matrix-dendrite-public-client-root.tls.certResolver={{ matrix_dendrite_container_labels_public_client_root_traefik_tls_certResolver }} {% endif %} {% endif %} 
@@ -48,18 +48,18 @@ traefik.http.routers.matrix-dendrite-client-root.tls.certResolver={{ matrix_dend #} {% if matrix_dendrite_container_labels_public_client_api_enabled %} -traefik.http.routers.matrix-dendrite-client-api.rule={{ matrix_dendrite_container_labels_public_client_api_traefik_rule }} +traefik.http.routers.matrix-dendrite-public-client-api.rule={{ matrix_dendrite_container_labels_public_client_api_traefik_rule }} {% if matrix_dendrite_container_labels_public_client_api_traefik_priority | int > 0 %} -traefik.http.routers.matrix-dendrite-client-api.priority={{ matrix_dendrite_container_labels_public_client_api_traefik_priority }} +traefik.http.routers.matrix-dendrite-public-client-api.priority={{ matrix_dendrite_container_labels_public_client_api_traefik_priority }} {% endif %} -traefik.http.routers.matrix-dendrite-client-api.service=matrix-dendrite -traefik.http.routers.matrix-dendrite-client-api.entrypoints={{ matrix_dendrite_container_labels_public_client_api_traefik_entrypoints }} -traefik.http.routers.matrix-dendrite-client-api.tls={{ matrix_dendrite_container_labels_public_client_api_traefik_tls | to_json }} +traefik.http.routers.matrix-dendrite-public-client-api.service=matrix-dendrite +traefik.http.routers.matrix-dendrite-public-client-api.entrypoints={{ matrix_dendrite_container_labels_public_client_api_traefik_entrypoints }} +traefik.http.routers.matrix-dendrite-public-client-api.tls={{ matrix_dendrite_container_labels_public_client_api_traefik_tls | to_json }} {% if matrix_dendrite_container_labels_public_client_api_traefik_tls %} -traefik.http.routers.matrix-dendrite-client-api.tls.certResolver={{ matrix_dendrite_container_labels_public_client_api_traefik_tls_certResolver }} +traefik.http.routers.matrix-dendrite-public-client-api.tls.certResolver={{ matrix_dendrite_container_labels_public_client_api_traefik_tls_certResolver }} {% endif %} {% endif %} 
@@ -68,23 +68,43 @@ traefik.http.routers.matrix-dendrite-client-api.tls.certResolver={{ matrix_dendr #} +{# + Internal Client-API (/_matrix) +#} +{% if matrix_dendrite_container_labels_internal_client_api_enabled %} + +traefik.http.routers.matrix-dendrite-internal-client-api.rule={{ matrix_dendrite_container_labels_internal_client_api_traefik_rule }} + +{% if matrix_dendrite_container_labels_internal_client_api_traefik_priority | int > 0 %} +traefik.http.routers.matrix-dendrite-internal-client-api.priority={{ matrix_dendrite_container_labels_internal_client_api_traefik_priority }} +{% endif %} + +traefik.http.routers.matrix-dendrite-internal-client-api.service=matrix-dendrite +traefik.http.routers.matrix-dendrite-internal-client-api.entrypoints={{ matrix_dendrite_container_labels_internal_client_api_traefik_entrypoints }} + +{% endif %} +{# + /Internal Client-API (/_matrix) +#} + + {# Public Synapse Admin API (/_synapse/admin) #} {% if matrix_dendrite_container_labels_public_client_synapse_admin_api_enabled %} -traefik.http.routers.matrix-dendrite-client-synapse-admin-api.rule={{ matrix_dendrite_container_labels_public_client_synapse_admin_api_traefik_rule }} +traefik.http.routers.matrix-dendrite-public-client-synapse-admin-api.rule={{ matrix_dendrite_container_labels_public_client_synapse_admin_api_traefik_rule }} {% if matrix_dendrite_container_labels_public_client_synapse_admin_api_traefik_priority | int > 0 %} -traefik.http.routers.matrix-dendrite-client-synapse-admin-api.priority={{ matrix_dendrite_container_labels_public_client_synapse_admin_api_traefik_priority }} +traefik.http.routers.matrix-dendrite-public-client-synapse-admin-api.priority={{ matrix_dendrite_container_labels_public_client_synapse_admin_api_traefik_priority }} {% endif %} -traefik.http.routers.matrix-dendrite-client-synapse-admin-api.service=matrix-dendrite -traefik.http.routers.matrix-dendrite-client-synapse-admin-api.entrypoints={{ 
matrix_dendrite_container_labels_public_client_synapse_admin_api_traefik_entrypoints }} -traefik.http.routers.matrix-dendrite-client-synapse-admin-api.tls={{ matrix_dendrite_container_labels_public_client_synapse_admin_api_traefik_tls | to_json }} +traefik.http.routers.matrix-dendrite-public-client-synapse-admin-api.service=matrix-dendrite +traefik.http.routers.matrix-dendrite-public-client-synapse-admin-api.entrypoints={{ matrix_dendrite_container_labels_public_client_synapse_admin_api_traefik_entrypoints }} +traefik.http.routers.matrix-dendrite-public-client-synapse-admin-api.tls={{ matrix_dendrite_container_labels_public_client_synapse_admin_api_traefik_tls | to_json }} {% if matrix_dendrite_container_labels_public_client_synapse_admin_api_traefik_tls %} -traefik.http.routers.matrix-dendrite-client-synapse-admin-api.tls.certResolver={{ matrix_dendrite_container_labels_public_client_synapse_admin_api_traefik_tls_certResolver }} +traefik.http.routers.matrix-dendrite-public-client-synapse-admin-api.tls.certResolver={{ matrix_dendrite_container_labels_public_client_synapse_admin_api_traefik_tls_certResolver }} {% endif %} {% endif %} 
@@ -98,18 +118,18 @@ traefik.http.routers.matrix-dendrite-client-synapse-admin-api.tls.certResolver={ #} {% if matrix_dendrite_container_labels_public_client_dendrite_admin_api_enabled %} -traefik.http.routers.matrix-dendrite-client-synapse-admin-api.rule={{ matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_rule }} +traefik.http.routers.matrix-dendrite-public-client-synapse-admin-api.rule={{ matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_rule }} {% if matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_priority | int > 0 %} -traefik.http.routers.matrix-dendrite-client-synapse-admin-api.priority={{ matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_priority }} +traefik.http.routers.matrix-dendrite-public-client-synapse-admin-api.priority={{ matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_priority }} {% endif %} -traefik.http.routers.matrix-dendrite-client-synapse-admin-api.service=matrix-dendrite -traefik.http.routers.matrix-dendrite-client-synapse-admin-api.entrypoints={{ matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_entrypoints }} -traefik.http.routers.matrix-dendrite-client-synapse-admin-api.tls={{ matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_tls | to_json }} +traefik.http.routers.matrix-dendrite-public-client-synapse-admin-api.service=matrix-dendrite +traefik.http.routers.matrix-dendrite-public-client-synapse-admin-api.entrypoints={{ matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_entrypoints }} +traefik.http.routers.matrix-dendrite-public-client-synapse-admin-api.tls={{ matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_tls | to_json }} {% if matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_tls %} -traefik.http.routers.matrix-dendrite-client-synapse-admin-api.tls.certResolver={{ 
matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_tls_certResolver }} +traefik.http.routers.matrix-dendrite-public-client-synapse-admin-api.tls.certResolver={{ matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_tls_certResolver }} {% endif %} {% endif %} 
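Review bot: The Dendrite admin block, guarded by `matrix_dendrite_container_labels_public_client_dendrite_admin_api_enabled`, still names its router `matrix-dendrite-public-client-synapse-admin-api`, the same name the Synapse admin block in the previous hunk uses. When both flags are on, the two blocks emit identical label keys, so one block's rule, priority, entrypoints and TLS settings presumably overwrite the other's. One of the admin path sets would then be routed under the wrong settings or not routed at all. Since the rename already touches every line here, give this block its own router name, e.g. `traefik.http.routers.matrix-dendrite-public-client-dendrite-admin-api.rule={{ matrix_dendrite_container_labels_public_client_dendrite_admin_api_traefik_rule }}`, and likewise on the `.priority`, `.service`, `.entrypoints`, `.tls` and `.tls.certResolver` lines. The comment header above the block starts outside this hunk.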
@@ -123,18 +143,18 @@ traefik.http.routers.matrix-dendrite-client-synapse-admin-api.tls.certResolver={ #} {% if matrix_dendrite_container_labels_public_federation_api_enabled %} -traefik.http.routers.matrix-dendrite-federation-api.rule={{ matrix_dendrite_container_labels_public_federation_api_traefik_rule }} +traefik.http.routers.matrix-dendrite-public-federation-api.rule={{ matrix_dendrite_container_labels_public_federation_api_traefik_rule }} {% if matrix_dendrite_container_labels_public_federation_api_traefik_priority | int > 0 %} -traefik.http.routers.matrix-dendrite-federation-api.priority={{ matrix_dendrite_container_labels_public_federation_api_traefik_priority }} +traefik.http.routers.matrix-dendrite-public-federation-api.priority={{ matrix_dendrite_container_labels_public_federation_api_traefik_priority }} {% endif %} -traefik.http.routers.matrix-dendrite-federation-api.service=matrix-dendrite -traefik.http.routers.matrix-dendrite-federation-api.entrypoints={{ matrix_dendrite_container_labels_public_federation_api_traefik_entrypoints }} -traefik.http.routers.matrix-dendrite-federation-api.tls={{ matrix_dendrite_container_labels_public_federation_api_traefik_tls | to_json }} +traefik.http.routers.matrix-dendrite-public-federation-api.service=matrix-dendrite +traefik.http.routers.matrix-dendrite-public-federation-api.entrypoints={{ matrix_dendrite_container_labels_public_federation_api_traefik_entrypoints }} +traefik.http.routers.matrix-dendrite-public-federation-api.tls={{ matrix_dendrite_container_labels_public_federation_api_traefik_tls | to_json }} {% if matrix_dendrite_container_labels_public_federation_api_traefik_tls %} -traefik.http.routers.matrix-dendrite-federation-api.tls.certResolver={{ matrix_dendrite_container_labels_public_federation_api_traefik_tls_certResolver }} +traefik.http.routers.matrix-dendrite-public-federation-api.tls.certResolver={{ matrix_dendrite_container_labels_public_federation_api_traefik_tls_certResolver }} {% endif %} {% 
endif %} diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 96f581cf0..256cb24e4 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -206,8 +206,7 @@ matrix_synapse_container_labels_public_client_api_traefik_tls_certResolver: "{{ # Regardless of whether this is enabled, it may or may not take effect due to the value of other variables. # See `matrix_synapse_container_labels_traefik_enabled` or `matrix_synapse_container_labels_matrix_related_labels_enabled` matrix_synapse_container_labels_internal_client_api_enabled: false -matrix_synapse_container_labels_internal_client_api_traefik_hostname: "{{ matrix_synapse_container_labels_traefik_hostname }}" -matrix_synapse_container_labels_internal_client_api_traefik_path_prefix: /_matrix +matrix_synapse_container_labels_internal_client_api_traefik_path_prefix: "{{ matrix_synapse_container_labels_public_client_api_traefik_path_prefix }}" matrix_synapse_container_labels_internal_client_api_traefik_rule: "PathPrefix(`{{ matrix_synapse_container_labels_internal_client_api_traefik_path_prefix }}`)" matrix_synapse_container_labels_internal_client_api_traefik_priority: "{{ matrix_synapse_container_labels_public_client_api_traefik_priority }}" matrix_synapse_container_labels_internal_client_api_traefik_entrypoints: ""