	Merge branch 'master' into conduit
		| @@ -0,0 +1,104 @@ | ||||
| #jinja2: lstrip_blocks: "True" | ||||
|  | ||||
| {% macro render_vhost_directives() %} | ||||
| 	gzip on; | ||||
| 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_hsts_preload_enabled %} | ||||
| 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; | ||||
| 	{% else %} | ||||
| 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; | ||||
| 	{% endif %} | ||||
| 	add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; | ||||
| 	add_header X-Content-Type-Options nosniff; | ||||
| 	add_header X-Frame-Options SAMEORIGIN; | ||||
| 	add_header Content-Security-Policy "frame-ancestors 'none'"; | ||||
| 	{% if matrix_nginx_proxy_floc_optout_enabled %} | ||||
| 		add_header Permissions-Policy interest-cohort=() always; | ||||
| 	{% endif %} | ||||
|  | ||||
| 	{% for configuration_block in matrix_nginx_proxy_proxy_buscarron_additional_server_configuration_blocks %} | ||||
| 		{{- configuration_block }} | ||||
| 	{% endfor %} | ||||
|  | ||||
| 	location / { | ||||
| 		{% if matrix_nginx_proxy_enabled %} | ||||
| 			{# Use the embedded DNS resolver in Docker containers to discover the service #} | ||||
| 			resolver 127.0.0.11 valid=5s; | ||||
| 			set $backend "matrix-bot-buscarron:8080"; | ||||
| 			proxy_pass http://$backend; | ||||
| 		{% else %} | ||||
| 			{# Generic configuration for use outside of our container setup #} | ||||
| 			proxy_pass http://127.0.0.1:8080; | ||||
| 		{% endif %} | ||||
|  | ||||
| 		proxy_set_header Host $host; | ||||
| 		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; | ||||
| 	} | ||||
| {% endmacro %} | ||||
|  | ||||
| server { | ||||
| 	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; | ||||
| 	listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; | ||||
|  | ||||
|  | ||||
| 	server_name {{ matrix_nginx_proxy_proxy_buscarron_hostname }}; | ||||
|  | ||||
| 	server_tokens off; | ||||
| 	root /dev/null; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_https_enabled %} | ||||
| 		location /.well-known/acme-challenge { | ||||
| 			{% if matrix_nginx_proxy_enabled %} | ||||
| 				{# Use the embedded DNS resolver in Docker containers to discover the service #} | ||||
| 				resolver 127.0.0.11 valid=5s; | ||||
| 				set $backend "matrix-certbot:8080"; | ||||
| 				proxy_pass http://$backend; | ||||
| 			{% else %} | ||||
| 				{# Generic configuration for use outside of our container setup #} | ||||
| 				proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; | ||||
| 			{% endif %} | ||||
| 		} | ||||
|  | ||||
| 		location / { | ||||
| 			return 301 https://$http_host$request_uri; | ||||
| 		} | ||||
| 	{% else %} | ||||
| 		{{ render_vhost_directives() }} | ||||
| 	{% endif %} | ||||
| } | ||||
|  | ||||
| {% if matrix_nginx_proxy_https_enabled %} | ||||
| server { | ||||
| 	listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; | ||||
| 	listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; | ||||
|  | ||||
| 	server_name {{ matrix_nginx_proxy_proxy_buscarron_hostname }}; | ||||
|  | ||||
| 	server_tokens off; | ||||
| 	root /dev/null; | ||||
|  | ||||
| 	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_buscarron_hostname }}/fullchain.pem; | ||||
| 	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_buscarron_hostname }}/privkey.pem; | ||||
|  | ||||
| 	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; | ||||
| 	{% if matrix_nginx_proxy_ssl_ciphers != "" %} | ||||
| 	ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; | ||||
| 	{% endif %} | ||||
| 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_ocsp_stapling_enabled %} | ||||
| 		ssl_stapling on; | ||||
| 		ssl_stapling_verify on; | ||||
| 		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_buscarron_hostname }}/chain.pem; | ||||
| 	{% endif %} | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_ssl_session_tickets_off %} | ||||
| 		ssl_session_tickets off; | ||||
| 	{% endif %} | ||||
| 	ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; | ||||
| 	ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; | ||||
|  | ||||
| 	{{ render_vhost_directives() }} | ||||
| } | ||||
| {% endif %} | ||||
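Review bot: The two frame-control headers in render_vhost_directives contradict each other: line 24 sets `X-Frame-Options SAMEORIGIN` while line 25 sets `Content-Security-Policy "frame-ancestors 'none'"`, so browsers that honour CSP refuse all framing and older ones still allow same-origin framing. If no framing is intended, use `add_header X-Frame-Options DENY;` as the ntfy template in this same commit does; if same-origin framing is wanted, the CSP should say `frame-ancestors 'self'` instead. The buscarron location also forwards only Host and X-Forwarded-For, whereas the ntfy vhost additionally sets `proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};` — worth adding here too if buscarron builds absolute URLs or checks the request scheme, which I cannot tell from this hunk.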
| @@ -45,6 +45,19 @@ | ||||
| 		{{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }} | ||||
| 	{% endif %} | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_proxy_matrix_metrics_enabled %} | ||||
| 	location /metrics { | ||||
| 		{% if matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled %} | ||||
| 			auth_basic "protected"; | ||||
| 			auth_basic_user_file {{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_path }}; | ||||
| 		{% endif %} | ||||
|  | ||||
| 		{% for configuration_block in matrix_nginx_proxy_proxy_matrix_metrics_additional_location_configuration_blocks %} | ||||
| 			{{- configuration_block }} | ||||
| 		{% endfor %} | ||||
| 	} | ||||
| 	{% endif %} | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_proxy_matrix_corporal_api_enabled %} | ||||
| 	location ^~ /_matrix/corporal { | ||||
| 		{% if matrix_nginx_proxy_enabled %} | ||||
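Review bot: The new `location /metrics` block has no proxy_pass of its own, so what it actually exposes is decided entirely by `matrix_nginx_proxy_proxy_matrix_metrics_additional_location_configuration_blocks`, and nothing in the template says so. A comment above the location, e.g. `{# Per-service metrics sub-locations are contributed by matrix_nginx_proxy_proxy_matrix_metrics_additional_location_configuration_blocks and inherit the auth_basic settings below #}`, would make that dependency visible to the next reader. It is also worth stating there that when `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled` is false those sub-locations are reachable with no authentication unless a contributed block brings its own. The enclosing server block starts and ends outside the hunk.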
|   | ||||
| @@ -0,0 +1,102 @@ | ||||
| #jinja2: lstrip_blocks: "True" | ||||
|  | ||||
| {% macro render_vhost_directives() %} | ||||
| 	gzip on; | ||||
| 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_hsts_preload_enabled %} | ||||
| 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; | ||||
| 	{% else %} | ||||
| 		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; | ||||
| 	{% endif %} | ||||
| 	add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; | ||||
| 	add_header X-Content-Type-Options nosniff; | ||||
| 	add_header X-Frame-Options DENY; | ||||
|  | ||||
| {% for configuration_block in matrix_nginx_proxy_proxy_ntfy_additional_server_configuration_blocks %} | ||||
| 	{{- configuration_block }} | ||||
| {% endfor %} | ||||
|  | ||||
| 	location / { | ||||
| 		{% if matrix_nginx_proxy_enabled %} | ||||
| 			{# Use the embedded DNS resolver in Docker containers to discover the service #} | ||||
| 			resolver 127.0.0.11 valid=5s; | ||||
| 			set $backend "matrix-ntfy:80"; | ||||
| 			proxy_pass http://$backend; | ||||
| 		{% else %} | ||||
| 			{# Generic configuration for use outside of our container setup #} | ||||
| 			proxy_pass http://127.0.0.1:2586; | ||||
| 		{% endif %} | ||||
| 		proxy_set_header Upgrade $http_upgrade; | ||||
| 		proxy_set_header Connection "upgrade"; | ||||
|  | ||||
| 		proxy_set_header Host $host; | ||||
| 		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }}; | ||||
| 		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }}; | ||||
| 	} | ||||
| {% endmacro %} | ||||
|  | ||||
| server { | ||||
| 	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }}; | ||||
| 	listen [::]:{{ 8080 if matrix_nginx_proxy_enabled else 80 }}; | ||||
|  | ||||
| 	server_name {{ matrix_nginx_proxy_proxy_ntfy_hostname }}; | ||||
|  | ||||
| 	server_tokens off; | ||||
| 	root /dev/null; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_https_enabled %} | ||||
| 		location /.well-known/acme-challenge { | ||||
| 			{% if matrix_nginx_proxy_enabled %} | ||||
| 				{# Use the embedded DNS resolver in Docker containers to discover the service #} | ||||
| 				resolver 127.0.0.11 valid=5s; | ||||
| 				set $backend "matrix-certbot:8080"; | ||||
| 				proxy_pass http://$backend; | ||||
| 			{% else %} | ||||
| 				{# Generic configuration for use outside of our container setup #} | ||||
| 				proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}; | ||||
| 			{% endif %} | ||||
| 		} | ||||
|  | ||||
| 		location / { | ||||
| 			return 301 https://$http_host$request_uri; | ||||
| 		} | ||||
| 	{% else %} | ||||
| 		{{ render_vhost_directives() }} | ||||
| 	{% endif %} | ||||
| } | ||||
|  | ||||
| {% if matrix_nginx_proxy_https_enabled %} | ||||
| server { | ||||
| 	listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; | ||||
| 	listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2; | ||||
|  | ||||
| 	server_name {{ matrix_nginx_proxy_proxy_ntfy_hostname }}; | ||||
|  | ||||
| 	server_tokens off; | ||||
| 	root /dev/null; | ||||
|  | ||||
| 	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_ntfy_hostname }}/fullchain.pem; | ||||
| 	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_ntfy_hostname }}/privkey.pem; | ||||
|  | ||||
| 	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }}; | ||||
| 	{% if matrix_nginx_proxy_ssl_ciphers != '' %} | ||||
| 	ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }}; | ||||
| 	{% endif %} | ||||
| 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }}; | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_ocsp_stapling_enabled %} | ||||
| 		ssl_stapling on; | ||||
| 		ssl_stapling_verify on; | ||||
| 		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_ntfy_hostname }}/chain.pem; | ||||
| 	{% endif %} | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_ssl_session_tickets_off %} | ||||
| 		ssl_session_tickets off; | ||||
| 	{% endif %} | ||||
| 	ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }}; | ||||
| 	ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }}; | ||||
|  | ||||
| 	{{ render_vhost_directives() }} | ||||
| } | ||||
| {% endif %} | ||||
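Review bot: Lines 166-167 set `Upgrade` and `Connection "upgrade"` for WebSocket proxying, but the location never sets `proxy_http_version 1.1;`, and nginx speaks HTTP/1.0 to upstreams by default, so the upgrade cannot succeed unless that directive is set at http level in a file outside this hunk. Adding `proxy_http_version 1.1;` next to the two proxy_set_header lines fixes it; nginx's documented pattern additionally derives the Connection value from a `map $http_upgrade $connection_upgrade` so that ordinary requests do not carry `Connection: upgrade`, though that map would have to live in an http-level include. A minor style point: the additional-server-configuration loop on lines 152-154 sits at column 0 inside the macro, while the equivalent loop in the buscarron template is indented one tab.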
| @@ -1,10 +1,13 @@ | ||||
| #jinja2: lstrip_blocks: "True" | ||||
|  | ||||
| {% set generic_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'generic_worker')|list %} | ||||
| {% set media_repository_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'media_repository')|list %} | ||||
| {% set user_dir_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'user_dir')|list %} | ||||
| {% set frontend_proxy_workers = matrix_nginx_proxy_synapse_workers_list|selectattr('type', 'equalto', 'frontend_proxy')|list %} | ||||
| {% set generic_workers = matrix_nginx_proxy_synapse_workers_list | selectattr('type', 'equalto', 'generic_worker') | list %} | ||||
| {% set media_repository_workers = matrix_nginx_proxy_synapse_workers_list | selectattr('type', 'equalto', 'media_repository') | list %} | ||||
| {% set user_dir_workers = matrix_nginx_proxy_synapse_workers_list | selectattr('type', 'equalto', 'user_dir') | list %} | ||||
| {% set frontend_proxy_workers = matrix_nginx_proxy_synapse_workers_list | selectattr('type', 'equalto', 'frontend_proxy') | list %} | ||||
| {% if matrix_nginx_proxy_synapse_workers_enabled %} | ||||
| 	{% if matrix_nginx_proxy_synapse_cache_enabled %} | ||||
|     	proxy_cache_path  {{ matrix_nginx_proxy_synapse_cache_path }} levels=1:2 keys_zone={{ matrix_nginx_proxy_synapse_cache_keys_zone_name }}:{{ matrix_nginx_proxy_synapse_cache_keys_zone_size }} inactive={{ matrix_nginx_proxy_synapse_cache_inactive_time }} max_size={{ matrix_nginx_proxy_synapse_cache_max_size_mb }}m; | ||||
| 	{% endif %} | ||||
| 	# Round Robin "upstream" pools for workers | ||||
|  | ||||
| 	{% if generic_workers %} | ||||
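Review bot: Line 252 indents `proxy_cache_path` with four spaces followed by a tab, while every neighbouring line uses tabs only; with lstrip_blocks this does not change the rendered output, but it reads as a pasted line and should be `	proxy_cache_path ...` like its siblings. While touching it, consider appending `use_temp_path=off` so nginx writes responses directly into the cache directory instead of first into proxy_temp_path and then moving them. Whether `matrix_nginx_proxy_synapse_cache_path` is a writable, persistent path inside the nginx container cannot be seen from this hunk.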
| @@ -95,6 +98,14 @@ server { | ||||
| 				client_body_buffer_size 25M; | ||||
| 				client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M; | ||||
| 				proxy_max_temp_file_size 0; | ||||
|  | ||||
| 				{% if matrix_nginx_proxy_synapse_cache_enabled %} | ||||
| 					proxy_buffering        on; | ||||
| 					proxy_cache            {{ matrix_nginx_proxy_synapse_cache_keys_zone_name }}; | ||||
| 					proxy_cache_valid      any  {{ matrix_nginx_proxy_synapse_cache_proxy_cache_valid_time }}; | ||||
| 					proxy_force_ranges on; | ||||
| 					add_header X-Cache-Status $upstream_cache_status; | ||||
| 				{% endif %} | ||||
| 			} | ||||
| 			{% endfor %} | ||||
| 		{% endif %} | ||||
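Review bot: `proxy_cache_valid any ...` on line 265 caches every GET/HEAD response, 4xx and 5xx errors included, under nginx's default key `$scheme$proxy_host$request_uri`, which ignores the Authorization header; if any location covered by the enclosing `for` (which starts outside the hunk) serves authenticated, per-user responses, one user's cached response can be served to another for the configured validity time. That is only safe when these locations serve public, URL-addressed content such as media downloads, which this hunk does not let me confirm. I would narrow it to `proxy_cache_valid 200 {{ matrix_nginx_proxy_synapse_cache_proxy_cache_valid_time }};` and add `proxy_no_cache $http_authorization;` and `proxy_cache_bypass $http_authorization;` so authenticated requests are neither stored in nor served from the cache. The same block is repeated in the federation-side hunk at `@@ -227,6 +199,14 @@`, which needs the same treatment.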
| @@ -134,45 +145,6 @@ server { | ||||
| 		{{- configuration_block }} | ||||
| 	{% endfor %} | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_proxy_synapse_metrics %} | ||||
| 	location /_synapse/metrics { | ||||
| 		{% if matrix_nginx_proxy_enabled %} | ||||
| 			{# Use the embedded DNS resolver in Docker containers to discover the service #} | ||||
| 			resolver 127.0.0.11 valid=5s; | ||||
| 			set $backend "{{ matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container }}"; | ||||
| 			proxy_pass http://$backend; | ||||
| 		{% else %} | ||||
| 			{# Generic configuration for use outside of our container setup #} | ||||
| 			proxy_pass http://{{ matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container }}; | ||||
| 		{% endif %} | ||||
|  | ||||
| 		proxy_set_header Host $host; | ||||
|  | ||||
| 		{% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %} | ||||
| 			auth_basic "protected"; | ||||
| 			auth_basic_user_file /nginx-data/matrix-synapse-metrics-htpasswd; | ||||
| 		{% endif %} | ||||
| 	} | ||||
| 	{% endif %} | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_enabled and matrix_nginx_proxy_proxy_synapse_metrics %} | ||||
| 		{% for worker in matrix_nginx_proxy_proxy_synapse_workers_enabled_list %} | ||||
| 			{% if worker.metrics_port != 0 %} | ||||
| 				location /_synapse-worker-{{ worker.type }}-{{ worker.instanceId }}/metrics { | ||||
| 					resolver 127.0.0.11 valid=5s; | ||||
| 					set $backend "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.metrics_port }}"; | ||||
| 					proxy_pass http://$backend/_synapse/metrics; | ||||
| 					proxy_set_header Host $host; | ||||
|  | ||||
| 					{% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %} | ||||
| 						auth_basic "protected"; | ||||
| 						auth_basic_user_file /nginx-data/matrix-synapse-metrics-htpasswd; | ||||
| 					{% endif %} | ||||
| 				} | ||||
| 			{% endif %} | ||||
| 		{% endfor %} | ||||
| 	{% endif %} | ||||
|  | ||||
| 	{# Everything else just goes to the API server ##} | ||||
| 	location / { | ||||
| 		{% if matrix_nginx_proxy_enabled %} | ||||
| @@ -227,6 +199,14 @@ server { | ||||
| 				client_body_buffer_size 25M; | ||||
| 				client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M; | ||||
| 				proxy_max_temp_file_size 0; | ||||
|  | ||||
| 				{% if matrix_nginx_proxy_synapse_cache_enabled %} | ||||
| 					proxy_buffering        on; | ||||
| 					proxy_cache            {{ matrix_nginx_proxy_synapse_cache_keys_zone_name }}; | ||||
| 					proxy_cache_valid      any  {{ matrix_nginx_proxy_synapse_cache_proxy_cache_valid_time }}; | ||||
| 					proxy_force_ranges on; | ||||
| 					add_header X-Cache-Status $upstream_cache_status; | ||||
| 				{% endif %} | ||||
| 			} | ||||
| 			{% endfor %} | ||||
| 		{% endif %} | ||||
|   | ||||
| @@ -1,3 +0,0 @@ | ||||
| #jinja2: lstrip_blocks: "True" | ||||
| # User and password for protecting /_synapse/metrics URI | ||||
| prometheus:{{ matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key }} | ||||