diff --git a/CHANGELOG.md b/CHANGELOG.md
index 98283d233..b4bbaf0f4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,15 @@
+# 2026-02-26
+
+## Internal refactor: merged the Synapse reverse-proxy companion role into `matrix-synapse`
+
+The standalone `matrix-synapse-reverse-proxy-companion` role has been merged into the [matrix-synapse](roles/custom/matrix-synapse/) role.
+
+This is not a user-facing change and does not change variable names (`matrix_synapse_reverse_proxy_companion_*` remain the same). The split looked clean on paper, but in practice both parts are tightly coupled through worker routing, tags (`setup-synapse`/`install-synapse`), and lifecycle ordering, so keeping them separate added coordination overhead with little practical benefit.
+
+Compatibility note: existing companion-specific tags (`setup-synapse-reverse-proxy-companion` and `install-synapse-reverse-proxy-companion`) are still available.
+
+With this change, Synapse and its reverse-proxy companion are managed in one role (`matrix-synapse`) while still keeping companion logic in dedicated task/template subdirectories for maintainability.
+
 # 2026-02-21
 
 ## (BC Break) coturn is no longer auto-enabled by default
diff --git a/docs/configuring-playbook-synapse.md b/docs/configuring-playbook-synapse.md
index 846694f0b..f56ec4aea 100644
--- a/docs/configuring-playbook-synapse.md
+++ b/docs/configuring-playbook-synapse.md
@@ -76,7 +76,7 @@ The only thing you **cannot** do is mix [generic workers](#generic-workers) and When Synapse workers are enabled, the integrated [Postgres database is tuned](maintenance-postgres.md#tuning-postgresql), so that the maximum number of Postgres connections are increased from `200` to `500`. If you need to decrease or increase the number of maximum Postgres connections further, use the `postgres_max_connections` variable. -A separate Ansible role (`matrix-synapse-reverse-proxy-companion`) and component handles load-balancing for workers. This role/component is automatically enabled when you enable workers. Make sure to use the `setup-all` tag (not `install-all`!) during the playbook's [installation](./installing.md) process, especially if you're disabling workers, so that components may be installed/uninstalled correctly. +The `matrix-synapse` role also manages the `matrix-synapse-reverse-proxy-companion` component for load-balancing with workers. This component is automatically enabled when you enable workers. Make sure to use the `setup-all` tag (not `install-all`!) during the playbook's [installation](./installing.md) process, especially if you're disabling workers, so that components may be installed/uninstalled correctly. In case any problems occur, make sure to have a look at the [list of synapse issues about workers](https://github.com/element-hq/synapse/issues?q=workers+in%3Atitle) and your `journalctl --unit 'matrix-*'`. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 9da9c3a05..d7ab159d7 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -4788,6 +4788,32 @@ matrix_synapse_register_user_script_matrix_authentication_service_path: "{{ matr
 # so it stays in sync automatically.
 matrix_synapse_systemd_service_post_start_delay_seconds: "{{ (traefik_config_providers_providersThrottleDuration_seconds | int + 1) if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] else 0 }}"
 
+matrix_synapse_reverse_proxy_companion_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
+matrix_synapse_reverse_proxy_companion_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_synapse_reverse_proxy_companion_container_image_registry_prefix_upstream_default }}"
+matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8008') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
+matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8048') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
+matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
+matrix_synapse_reverse_proxy_companion_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
+matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
+matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname: "{{ matrix_server_fqn_matrix }}"
+matrix_synapse_reverse_proxy_companion_container_labels_traefik_compression_middleware_enabled: "{{ matrix_playbook_reverse_proxy_traefik_middleware_compression_enabled }}"
+matrix_synapse_reverse_proxy_companion_container_labels_traefik_compression_middleware_name: "{{ matrix_playbook_reverse_proxy_traefik_middleware_compression_name if matrix_playbook_reverse_proxy_traefik_middleware_compression_enabled else '' }}"
+matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"
+matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_enabled: "{{ prometheus_nginxlog_exporter_enabled }}"
+matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_server_port: "{{ (prometheus_nginxlog_exporter_identifier | string +':'+ prometheus_nginxlog_exporter_container_syslog_port | string) | default('') }}"
+
+matrix_synapse_reverse_proxy_companion_container_additional_networks_auto: |
+ {{
+ (
+ ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network else [])
+ +
+ ([prometheus_nginxlog_exporter_container_network] if (prometheus_nginxlog_exporter_enabled and prometheus_nginxlog_exporter_container_network != matrix_synapse_reverse_proxy_companion_container_network) else [])
+ +
+ ([] if matrix_homeserver_container_network in ['', matrix_synapse_reverse_proxy_companion_container_network] else [matrix_homeserver_container_network])
+ ) | unique
+ }}
+
 ######################################################################
 #
 # /matrix-synapse
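Review bot: The wiring re-added in this hunk does not carry over several settings that the removed block in the next hunk used to pin from the Synapse side: `matrix_synapse_reverse_proxy_companion_enabled` (gated on `matrix_synapse_workers_enabled`), `_container_network`, `_client_api_client_max_body_size_mb`, the `_public_client_synapse_admin_api_enabled` / `_internal_client_synapse_admin_api_enabled` / `_public_client_synapse_client_api_enabled` toggles, `_public_federation_api_traefik_tls` / `_entrypoints`, the `_internal_client_api_*` pair and the whole `_synapse_workers_*` routing list. Presumably these now default from `matrix_synapse_*` values inside the merged role, which this diff does not show; that is worth confirming because the admin-API exposure toggles and the federation TLS flag decide what the companion publishes through Traefik, and the deleted defaults file shipped `matrix_synapse_reverse_proxy_companion_enabled: true` unconditionally. The `..._container_additional_networks_auto` block kept here still compares against `matrix_synapse_reverse_proxy_companion_container_network`, which this file no longer sets, so if the role default is still `""` the nginxlog-exporter network condition is always true. A comment above the first re-added line such as `# Companion defaults that mirror matrix_synapse_* (enabled, network, worker routing, admin/federation exposure) now live in the merged matrix-synapse role` would tell the next reader where that wiring went.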
@@ -4833,81 +4859,6 @@ matrix_synapse_auto_compressor_systemd_required_services_list_auto: | ###################################################################### -###################################################################### -# -# matrix-synapse-reverse-proxy-companion -# -###################################################################### - -matrix_synapse_reverse_proxy_companion_enabled: "{{ matrix_synapse_enabled and matrix_synapse_workers_enabled }}" - -matrix_synapse_reverse_proxy_companion_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_synapse_reverse_proxy_companion_container_image_registry_prefix_upstream_default }}" - -matrix_synapse_reverse_proxy_companion_container_network: "{{ matrix_synapse_container_network }}" - -matrix_synapse_reverse_proxy_companion_container_additional_networks_auto: | - {{ - ( - ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network else []) - + - ([prometheus_nginxlog_exporter_container_network] if (prometheus_nginxlog_exporter_enabled and prometheus_nginxlog_exporter_container_network != matrix_synapse_reverse_proxy_companion_container_network) else []) - + - ([] if matrix_homeserver_container_network in ['', matrix_synapse_reverse_proxy_companion_container_network] else [matrix_homeserver_container_network]) - ) | unique - }} - -matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb: "{{ matrix_synapse_max_upload_size_mb }}" - -matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8008') if matrix_playbook_service_host_bind_interface_prefix else '' }}" -matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: "{{ 
(matrix_playbook_service_host_bind_interface_prefix ~ '8048') if matrix_playbook_service_host_bind_interface_prefix else '' }}" - -matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" -matrix_synapse_reverse_proxy_companion_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" -matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}" -matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}" -matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname: "{{ matrix_server_fqn_matrix }}" - -matrix_synapse_reverse_proxy_companion_container_labels_traefik_compression_middleware_enabled: "{{ matrix_playbook_reverse_proxy_traefik_middleware_compression_enabled }}" -matrix_synapse_reverse_proxy_companion_container_labels_traefik_compression_middleware_name: "{{ matrix_playbook_reverse_proxy_traefik_middleware_compression_name if matrix_playbook_reverse_proxy_traefik_middleware_compression_enabled else '' }}" - -matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_enabled: "{{ matrix_synapse_container_labels_public_client_synapse_client_api_enabled }}" -matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_enabled: "{{ matrix_synapse_container_labels_public_client_synapse_admin_api_enabled }}" - -matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_enabled: "{{ matrix_synapse_container_labels_internal_client_synapse_admin_api_enabled }}" -matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}" - 
-matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_synapse_container_labels_public_federation_api_traefik_entrypoints }}" -matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_tls: "{{ matrix_synapse_container_labels_public_federation_api_traefik_tls }}" - -matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_enabled: "{{ matrix_synapse_container_labels_internal_client_api_enabled }}" -matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_synapse_container_labels_internal_client_api_traefik_entrypoints }}" - -matrix_synapse_reverse_proxy_companion_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}" -matrix_synapse_reverse_proxy_companion_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}" -matrix_synapse_reverse_proxy_companion_synapse_room_worker_client_server_locations: "{{ matrix_synapse_workers_room_worker_client_server_endpoints }}" -matrix_synapse_reverse_proxy_companion_synapse_room_worker_federation_locations: "{{ matrix_synapse_workers_room_worker_federation_endpoints }}" -matrix_synapse_reverse_proxy_companion_synapse_sync_worker_client_server_locations: "{{ matrix_synapse_workers_sync_worker_client_server_endpoints }}" -matrix_synapse_reverse_proxy_companion_synapse_client_reader_client_server_locations: "{{ matrix_synapse_workers_client_reader_client_server_endpoints }}" -matrix_synapse_reverse_proxy_companion_synapse_federation_reader_federation_locations: "{{ matrix_synapse_workers_federation_reader_federation_endpoints }}" -matrix_synapse_reverse_proxy_companion_synapse_generic_worker_client_server_locations: "{{ matrix_synapse_workers_generic_worker_client_server_endpoints }}" -matrix_synapse_reverse_proxy_companion_synapse_generic_worker_federation_locations: "{{ matrix_synapse_workers_generic_worker_federation_endpoints }}" 
-matrix_synapse_reverse_proxy_companion_synapse_stream_writer_typing_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_typing_stream_worker_client_server_endpoints }}" -matrix_synapse_reverse_proxy_companion_synapse_stream_writer_to_device_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_to_device_stream_worker_client_server_endpoints }}" -matrix_synapse_reverse_proxy_companion_synapse_stream_writer_account_data_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_account_data_stream_worker_client_server_endpoints }}" -matrix_synapse_reverse_proxy_companion_synapse_stream_writer_receipts_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_receipts_stream_worker_client_server_endpoints }}" -matrix_synapse_reverse_proxy_companion_synapse_stream_writer_presence_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_presence_stream_worker_client_server_endpoints }}" -matrix_synapse_reverse_proxy_companion_synapse_media_repository_locations: "{{matrix_synapse_workers_media_repository_endpoints|default([]) }}" -matrix_synapse_reverse_proxy_companion_synapse_user_dir_locations: "{{ matrix_synapse_workers_user_dir_worker_client_server_endpoints|default([]) }}" - -matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_enabled: "{{ prometheus_nginxlog_exporter_enabled }}" -matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_server_port: "{{ (prometheus_nginxlog_exporter_identifier | string +':'+ prometheus_nginxlog_exporter_container_syslog_port | string) | default('') }}" - -###################################################################### -# -# /matrix-synapse-reverse-proxy-companion -# -###################################################################### - ###################################################################### # # matrix-synapse-admin 
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml
deleted file mode 100644
index fc20a5415..000000000
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml
+++ /dev/null
@@ -1,373 +0,0 @@ -# SPDX-FileCopyrightText: 2022 - 2024 Slavi Pantaleev -# SPDX-FileCopyrightText: 2023 - 2024 Nikita Chernyi -# SPDX-FileCopyrightText: 2023 Dan Arnfield -# SPDX-FileCopyrightText: 2023 Samuel Meenzen -# SPDX-FileCopyrightText: 2024 Charles Wright -# SPDX-FileCopyrightText: 2024 David Mehren -# SPDX-FileCopyrightText: 2024 Michael Hollister -# SPDX-FileCopyrightText: 2024 - 2025 Catalan Lover -# -# SPDX-License-Identifier: AGPL-3.0-or-later - ---- - -# matrix-synapse-reverse-proxy-companion is a role which brings up a containerized nginx webserver which helps with reverse-proxying to Synapse when workers are enabled. -# -# When Synapse is NOT running in worker-mode, reverse-proxying is relatively simple (everything goes to `matrix-synapse:XXXX`). -# In such cases, using this reverse-proxy companion is possible, but unnecessary - it's one more service in the stack, which also impacts performance a bit. -# -# When Synapse workers are enabled, however, the reverse-proxying configuration is much more complicated - certain requests need to go to certain workers, etc. -# matrix-synapse-reverse-proxy-companion is the central place services that need to reach Synapse could be pointed to. 
-# -# Project source code URL: https://github.com/nginx/nginx - -matrix_synapse_reverse_proxy_companion_enabled: true - -# renovate: datasource=docker depName=nginx -matrix_synapse_reverse_proxy_companion_version: 1.29.5-alpine - -matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }}/reverse-proxy-companion" -matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d" -matrix_synapse_reverse_proxy_companion_njs_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/njs" - -# List of systemd services that matrix-synapse-reverse-proxy-companion.service depends on -matrix_synapse_reverse_proxy_companion_systemd_required_services_list: "{{ matrix_synapse_reverse_proxy_companion_systemd_required_services_list_default + matrix_synapse_reverse_proxy_companion_systemd_required_services_list_auto + matrix_synapse_reverse_proxy_companion_systemd_required_services_list_custom }}" -matrix_synapse_reverse_proxy_companion_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}" -matrix_synapse_reverse_proxy_companion_systemd_required_services_list_auto: [] -matrix_synapse_reverse_proxy_companion_systemd_required_services_list_custom: [] - -# List of systemd services that matrix-synapse-reverse-proxy-companion.service wants -matrix_synapse_reverse_proxy_companion_systemd_wanted_services_list: ['matrix-synapse.service'] - -# We use an official nginx image, which we fix-up to run unprivileged. -# An alternative would be an `nginxinc/nginx-unprivileged` image, but -# that is frequently out of date. 
-matrix_synapse_reverse_proxy_companion_container_image: "{{ matrix_synapse_reverse_proxy_companion_container_image_registry_prefix }}nginx:{{ matrix_synapse_reverse_proxy_companion_container_image_tag }}" -matrix_synapse_reverse_proxy_companion_container_image_registry_prefix: "{{ matrix_synapse_reverse_proxy_companion_container_image_registry_prefix_upstream }}" -matrix_synapse_reverse_proxy_companion_container_image_registry_prefix_upstream: "{{ matrix_synapse_reverse_proxy_companion_container_image_registry_prefix_upstream_default }}" -matrix_synapse_reverse_proxy_companion_container_image_registry_prefix_upstream_default: "docker.io/" -matrix_synapse_reverse_proxy_companion_container_image_tag: "{{ matrix_synapse_reverse_proxy_companion_version }}" -matrix_synapse_reverse_proxy_companion_container_image_force_pull: "{{ matrix_synapse_reverse_proxy_companion_container_image.endswith(':latest') }}" - -matrix_synapse_reverse_proxy_companion_container_network: "" - -# A list of additional container networks that matrix-synapse-reverse-proxy-companion would be connected to. -# The playbook does not create these networks, so make sure they already exist. -matrix_synapse_reverse_proxy_companion_container_additional_networks: "{{ matrix_synapse_reverse_proxy_companion_container_additional_networks_auto + matrix_synapse_reverse_proxy_companion_container_additional_networks_custom }}" -matrix_synapse_reverse_proxy_companion_container_additional_networks_auto: [] -matrix_synapse_reverse_proxy_companion_container_additional_networks_custom: [] - -# Controls whether the matrix-synapse-reverse-proxy-companion container exposes its HTTP Client-Server API port (tcp/8008 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:8008"), or empty string to not expose. 
-matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: '' - -# Controls whether the matrix-synapse-reverse-proxy-companion container exposes its HTTP Federation (Server-Server) API port (tcp/8048 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:8048"), or empty string to not expose. -matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: '' - -# matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. -# See `../templates/labels.j2` for details. -# -# To inject your own other container labels, see `matrix_synapse_reverse_proxy_companion_container_labels_additional_labels`. -matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled: true -matrix_synapse_reverse_proxy_companion_container_labels_traefik_docker_network: "{{ matrix_synapse_reverse_proxy_companion_container_network }}" -matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints: web-secure -matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver: default # noqa var-naming -matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname: '' - -# Controls whether a compression middleware will be injected into the middlewares list. -# This compression middleware is supposed to be defined elsewhere (using labels or a File provider, etc.) and is merely referenced by this router. -matrix_synapse_reverse_proxy_companion_container_labels_traefik_compression_middleware_enabled: false -matrix_synapse_reverse_proxy_companion_container_labels_traefik_compression_middleware_name: "" - -# Controls whether labels will be added that expose the Client-Server API on a public Traefik entrypoint. 
-matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_enabled: true -matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}" -matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_path_prefix: /_matrix -matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_path_prefix }}`)" -matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_priority: 0 -matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}" -matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_entrypoints != 'web' }}" -matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming - -# Controls whether labels will be added that expose the Client-Server API on the internal Traefik entrypoint. -# This is similar to `matrix_synapse_container_labels_public_client_api_enabled`, but the entrypoint and intent is different. 
-matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_enabled: false -matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_path_prefix: "{{ matrix_synapse_container_labels_public_client_api_traefik_path_prefix }}" -matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_rule: "PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_path_prefix }}`)" -matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_priority: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_priority }}" -matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_entrypoints: "" - -# Controls whether labels will be added that expose the /_synapse/client paths -matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_enabled: true -matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}" -matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_path_prefix: /_synapse/client -matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_path_prefix }}`)" -matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_priority: 0 -matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}" 
-matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_entrypoints != 'web' }}" -matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming - -# Controls whether labels will be added that expose the /_synapse/admin paths -# Following these recommendations (https://github.com/element-hq/synapse/blob/master/docs/reverse_proxy.md), by default, we don't. -matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_enabled: false -matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}" -matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_path_prefix: /_synapse/admin -matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_path_prefix }}`)" -matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_priority: 0 -matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}" -matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_entrypoints != 'web' }}" 
-matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming - -# Controls whether labels will be added that expose the /_synapse/admin paths on the internal Traefik entrypoint. -# This is similar to `matrix_synapse_container_labels_public_client_api_enabled`, but the entrypoint and intent is different. -matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_enabled: false -matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_traefik_path_prefix: "{{ matrix_synapse_container_labels_internal_client_synapse_admin_api_traefik_path_prefix }}" -matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_traefik_rule: "PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_traefik_path_prefix }}`)" -matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_traefik_priority: 0 -matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_traefik_entrypoints: "" - -# Controls whether labels will be added that expose the Server-Server API (Federation API). 
-matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_enabled: "{{ matrix_synapse_reverse_proxy_companion_federation_api_enabled }}" -matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}" -matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_path_prefix: /_matrix -matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_path_prefix }}`)" -matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_priority: 0 -matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_entrypoints: '' -# TLS is force-enabled here, because the spec (https://spec.matrix.org/v1.9/server-server-api/#tls) says that the federation API must use HTTPS. -matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_tls: true -matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming - -# matrix_synapse_reverse_proxy_companion_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. -# See `../templates/labels.j2` for details. 
-# -# Example: -# matrix_synapse_reverse_proxy_companion_container_labels_additional_labels: | -# my.label=1 -# another.label="here" -matrix_synapse_reverse_proxy_companion_container_labels_additional_labels: '' - -# A list of extra arguments to pass to the container -# Also see `matrix_synapse_reverse_proxy_companion_container_arguments` -matrix_synapse_reverse_proxy_companion_container_extra_arguments: [] - -# matrix_synapse_reverse_proxy_companion_container_extra_arguments_auto is a list of extra arguments to pass to the container. -# This list is managed by the playbook. You're not meant to override this variable. -# If you'd like to inject your own arguments, see `matrix_synapse_reverse_proxy_companion_container_extra_arguments`. -matrix_synapse_reverse_proxy_companion_container_extra_arguments_auto: [] - -# matrix_synapse_reverse_proxy_companion_container_arguments holds the final list of extra arguments to pass to the container. -# You're not meant to override this variable. -# If you'd like to inject your own arguments, see `matrix_synapse_reverse_proxy_companion_container_extra_arguments`. 
-matrix_synapse_reverse_proxy_companion_container_arguments: "{{ matrix_synapse_reverse_proxy_companion_container_extra_arguments + matrix_synapse_reverse_proxy_companion_container_extra_arguments_auto }}" - -# The amount of worker processes and connections -# Consider increasing these when you are expecting high amounts of traffic -# http://nginx.org/en/docs/ngx_core_module.html#worker_connections -matrix_synapse_reverse_proxy_companion_worker_processes: auto -matrix_synapse_reverse_proxy_companion_worker_connections: 1024 - -# Option to disable the access log -matrix_synapse_reverse_proxy_companion_access_log_enabled: true - -# Controls whether to send access logs to a remote syslog-compatible server -matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_enabled: false -matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_server_port: '' -# This is intentionally different. The maximum allowed length is 32 characters and dashes are not allowed. -matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_tag: matrix_synapse_rev_proxy_comp - -# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads. -matrix_synapse_reverse_proxy_companion_tmp_directory_size_mb: "{{ (matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb | int) * 50 }}" -matrix_synapse_reverse_proxy_companion_tmp_cache_directory_size_mb: "{{ (matrix_synapse_reverse_proxy_companion_synapse_cache_max_size_mb | int) * 2 }}" - -# A list of strings containing additional configuration blocks to add to the nginx server configuration (nginx.conf). 
-# for big matrixservers to enlarge the number of open files to prevent timeouts
-# matrix_synapse_reverse_proxy_companion_additional_configuration_blocks:
-# - 'worker_rlimit_nofile 30000;'
-matrix_synapse_reverse_proxy_companion_additional_configuration_blocks: []
-
-# A list of strings containing additional configuration blocks to add to the nginx event server configuration (nginx.conf).
-matrix_synapse_reverse_proxy_companion_event_additional_configuration_blocks: []
-
-# A list of strings containing additional configuration blocks to add to the nginx http's server configuration (nginx-http.conf).
-matrix_synapse_reverse_proxy_companion_http_additional_server_configuration_blocks: []
-
-# To increase request timeout in NGINX using proxy_read_timeout, proxy_connect_timeout, proxy_send_timeout, send_timeout directives
-# Nginx Default: proxy_connect_timeout 60s; #Defines a timeout for establishing a connection with a proxied server
-# Nginx Default: proxy_send_timeout 60s; #Sets a timeout for transmitting a request to the proxied server.
-# Nginx Default: proxy_read_timeout 60s; #Defines a timeout for reading a response from the proxied server.
-# Nginx Default: send_timeout 60s; #Sets a timeout for transmitting a response to the client.
-#
-# For more information visit:
-# http://nginx.org/en/docs/http/ngx_http_proxy_module.html
-# http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout
-# https://www.nginx.com/resources/wiki/start/topics/examples/fullexample2/
-#
-# Here we are sticking with nginx default values change this value carefully.
-matrix_synapse_reverse_proxy_companion_proxy_connect_timeout: 60
-matrix_synapse_reverse_proxy_companion_proxy_send_timeout: 60
-matrix_synapse_reverse_proxy_companion_proxy_read_timeout: 60
-matrix_synapse_reverse_proxy_companion_send_timeout: 60
-
-# For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter).
-#
-# Otherwise, we get warnings like this:
-# > [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/matrix/ssl/config/live/…/fullchain.pem"
-#
-# We point it to the internal Docker resolver, which likely delegates to nameservers defined in `/etc/resolv.conf`.
-matrix_synapse_reverse_proxy_companion_http_level_resolver: 127.0.0.11
-
-matrix_synapse_reverse_proxy_companion_hostname: "matrix-synapse-reverse-proxy-companion"
-
-# matrix_synapse_reverse_proxy_companion_client_api_addr specifies the address where the Client-Server API is
-matrix_synapse_reverse_proxy_companion_client_api_addr: 'matrix-synapse:{{ matrix_synapse_container_client_api_port }}'
-
-# The maximum body size for client requests to any of the endpoints on the Client-Server API.
-# This needs to be equal or higher than the maximum upload size accepted by Synapse.
-matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb: 100
-
-# The buffer size for client requests to any of the endpoints on the Client-Server API.
-matrix_synapse_reverse_proxy_companion_client_api_client_body_buffer_size_mb: "{{ matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb }}"
-
-# matrix_synapse_reverse_proxy_companion_federation_api_enabled specifies whether reverse proxying for the Federation (Server-Server) API should be done
-matrix_synapse_reverse_proxy_companion_federation_api_enabled: true
-# matrix_synapse_reverse_proxy_companion_federation_api_addr specifies the address where the Federation (Server-Server) API is
-matrix_synapse_reverse_proxy_companion_federation_api_addr: 'matrix-synapse:{{ matrix_synapse_container_federation_api_plain_port }}'
-
-# The maximum body size for client requests to any of the endpoints on the Federation API.
-# We auto-calculate this based on the Client-Server API's maximum body size, but use a minimum value to ensure we don't go to low.
-matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb: "{{ [matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb_minimum, (matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb | int) * 3] | max }}"
-matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb_minimum: 100
-
-# The buffer size for client requests to any of the endpoints on the Federation API.
-matrix_synapse_reverse_proxy_companion_federation_api_client_body_buffer_size_mb: "{{ matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb }}"
-
-# A list of strings containing additional configuration blocks to add to the nginx vhost handling the Synapse Client-Server API
-matrix_synapse_reverse_proxy_companion_synapse_client_api_additional_server_configuration_blocks: []
-
-# A list of strings containing additional configuration blocks to add to the nginx vhost handling the Synapse Federation (Server-Server) API
-matrix_synapse_reverse_proxy_companion_synapse_federation_api_additional_server_configuration_blocks: []
-
-
-# synapse worker activation and endpoint mappings.
-# These are all populated via Ansible group variables.
-matrix_synapse_reverse_proxy_companion_synapse_workers_enabled: false
-matrix_synapse_reverse_proxy_companion_synapse_workers_list: []
-matrix_synapse_reverse_proxy_companion_synapse_room_worker_client_server_locations: []
-matrix_synapse_reverse_proxy_companion_synapse_room_worker_federation_locations: []
-matrix_synapse_reverse_proxy_companion_synapse_sync_worker_client_server_locations: []
-matrix_synapse_reverse_proxy_companion_synapse_client_reader_client_server_locations: []
-matrix_synapse_reverse_proxy_companion_synapse_federation_reader_federation_locations: []
-matrix_synapse_reverse_proxy_companion_synapse_generic_worker_client_server_locations: []
-matrix_synapse_reverse_proxy_companion_synapse_generic_worker_federation_locations: []
-matrix_synapse_reverse_proxy_companion_synapse_stream_writer_typing_stream_worker_client_server_locations: []
-matrix_synapse_reverse_proxy_companion_synapse_stream_writer_to_device_stream_worker_client_server_locations: []
-matrix_synapse_reverse_proxy_companion_synapse_stream_writer_account_data_stream_worker_client_server_locations: []
-matrix_synapse_reverse_proxy_companion_synapse_stream_writer_receipts_stream_worker_client_server_locations: []
-matrix_synapse_reverse_proxy_companion_synapse_stream_writer_presence_stream_worker_client_server_locations: []
-matrix_synapse_reverse_proxy_companion_synapse_media_repository_locations: []
-matrix_synapse_reverse_proxy_companion_synapse_user_dir_locations: []
-matrix_synapse_reverse_proxy_companion_client_server_main_override_locations_regex: ^/_matrix/client/(api/v1|r0|v3|unstable)/(account/3pid/|directory/list/room/|pushrules/|rooms/[^/]+/(forget|upgrade|report)|login/sso/redirect/|register)
-matrix_synapse_reverse_proxy_companion_client_server_sso_override_locations_regex: ^(/_matrix/client/(api/v1|r0|v3|unstable)/login/sso/redirect|/_synapse/client/(pick_username|(new_user_consent|oidc/callback|pick_idp|sso_register)$))
-# Related to MSC4108 (https://github.com/matrix-org/matrix-spec-proposals/pull/4108)
-matrix_synapse_reverse_proxy_companion_client_server_qr_code_login_locations_regex: ^(/_matrix/client/(unstable|v1)/org.matrix.msc4108/rendezvous|/_synapse/client/rendezvous)$
-
-matrix_synapse_reverse_proxy_companion_federation_override_locations_regex: ^/_matrix/federation/v1/openid/userinfo$
-
-# synapse content caching
-matrix_synapse_reverse_proxy_companion_synapse_cache_enabled: false
-matrix_synapse_reverse_proxy_companion_synapse_cache_path: /tmp/synapse-cache
-matrix_synapse_reverse_proxy_companion_synapse_cache_keys_zone_name: "STATIC"
-matrix_synapse_reverse_proxy_companion_synapse_cache_keys_zone_size: "10m"
-matrix_synapse_reverse_proxy_companion_synapse_cache_inactive_time: "48h"
-matrix_synapse_reverse_proxy_companion_synapse_cache_max_size_mb: 1024
-matrix_synapse_reverse_proxy_companion_synapse_cache_proxy_cache_valid_time: "24h"
-
-
-# Controls whether matrix-synapse-reverse-proxy-companion trusts an upstream server's X-Forwarded-Proto header.
-# The `matrix-synapse-reverse-proxy-companion` does not terminate SSL and always expects to be fronted by another reverse-proxy server.
-# As such, it trusts the protocol scheme forwarded by the upstream proxy.
-matrix_synapse_reverse_proxy_companion_trust_forwarded_proto: true
-matrix_synapse_reverse_proxy_companion_x_forwarded_proto_value: "{{ '$http_x_forwarded_proto' if matrix_synapse_reverse_proxy_companion_trust_forwarded_proto else '$scheme' }}"
-
-
-########################################################################################
-# #
-# njs module #
-# #
-########################################################################################
-
-# Controls whether the njs module is loaded.
-matrix_synapse_reverse_proxy_companion_njs_enabled: "{{ matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_enabled }}"
-
-########################################################################################
-# #
-# /njs module #
-# #
-########################################################################################
-
-
-########################################################################################
-# #
-# Whoami-based sync worker routing #
-# #
-########################################################################################
-
-# Controls whether the whoami-based sync worker router is enabled.
-# When enabled, the reverse proxy will call Synapse's /_matrix/client/v3/account/whoami endpoint
-# to resolve access tokens to usernames, allowing consistent routing of requests from the same user
-# to the same sync worker regardless of which device or token they use.
-#
-# This works with any authentication system (native Synapse auth, MAS, etc.) because Synapse
-# handles the token validation internally.
-#
-# Enabled by default when there are sync workers, because sync workers benefit from user-level
-# stickiness due to their per-user in-memory caches.
-matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_enabled: "{{ matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'sync_worker') | list | length > 0 }}"
-
-# The whoami endpoint path (Matrix spec endpoint).
-matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_endpoint: /_matrix/client/v3/account/whoami
-
-# The full URL to the whoami endpoint.
-matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_url: "http://{{ matrix_synapse_reverse_proxy_companion_client_api_addr }}{{ matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_endpoint }}"
-
-# Cache duration (in seconds) for whoami lookup results.
-# Token -> username mappings are cached to avoid repeated whoami calls.
-# A longer TTL reduces load on Synapse but means username changes take longer to take effect.
-matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_cache_ttl_seconds: 3600
-
-# Size of the shared memory zone for caching whoami results (in megabytes).
-# Each cached entry is approximately 100-200 bytes.
-matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_cache_size_mb: 1
-
-# Controls whether verbose logging is enabled for the whoami sync worker router.
-# When enabled, logs cache hits/misses and routing decisions.
-# Useful for debugging, but should be disabled in production.
-matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_logging_enabled: false
-
-# The length of the access token to show in logs when logging is enabled.
-# Keeping this short is a good idea from a security perspective.
-matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_logging_token_length: 12
-
-# Controls whether debug response headers are added to sync requests.
-# When enabled, adds X-Sync-Worker-Router-User-Identifier and X-Sync-Worker-Router-Upstream headers.
-# Useful for debugging routing behavior, but should be disabled in production.
-matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_debug_headers_enabled: false
-
-########################################################################################
-# #
-# /Whoami-based sync worker routing #
-# #
-########################################################################################
-
-# matrix_synapse_reverse_proxy_companion_restart_necessary controls whether the service
-# will be restarted (when true) or merely started (when false) by the
-# systemd service manager role (when conditional restart is enabled).
-#
-# This value is automatically computed during installation based on whether
-# any configuration files, the systemd service file, or the container image changed.
-# The default of `false` means "no restart needed" — appropriate when the role's
-# installation tasks haven't run (e.g., due to --tags skipping them).
-matrix_synapse_reverse_proxy_companion_restart_necessary: false
diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml
index f6d28f091..cc3b94943 100644
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -1710,3 +1710,378 @@ matrix_synapse_configuration: "{{ matrix_synapse_configuration_yaml | from_yaml
 # When the Matrix Authentication Service is enabled, the register-user script from this role cannot be used
 # and users will be pointed to the one provided by Matrix Authentication Service.
 matrix_synapse_register_user_script_matrix_authentication_service_path: ""
+
+
+########################################################################################
+# #
+# Synapse reverse-proxy companion #
+# #
+########################################################################################
+
+# matrix-synapse-reverse-proxy-companion is a role which brings up a containerized nginx webserver which helps with reverse-proxying to Synapse when workers are enabled.
+#
+# When Synapse is NOT running in worker-mode, reverse-proxying is relatively simple (everything goes to `matrix-synapse:XXXX`).
+# In such cases, using this reverse-proxy companion is possible, but unnecessary - it's one more service in the stack, which also impacts performance a bit.
+#
+# When Synapse workers are enabled, however, the reverse-proxying configuration is much more complicated - certain requests need to go to certain workers, etc.
+# matrix-synapse-reverse-proxy-companion is the central place services that need to reach Synapse could be pointed to.
+#
+# Project source code URL: https://github.com/nginx/nginx
+
+matrix_synapse_reverse_proxy_companion_enabled: "{{ matrix_synapse_enabled and matrix_synapse_workers_enabled }}"
+
+# renovate: datasource=docker depName=nginx
+matrix_synapse_reverse_proxy_companion_version: 1.29.5-alpine
+
+matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }}/reverse-proxy-companion"
+matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d"
+matrix_synapse_reverse_proxy_companion_njs_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/njs"
+
+# List of systemd services that matrix-synapse-reverse-proxy-companion.service depends on
+matrix_synapse_reverse_proxy_companion_systemd_required_services_list: "{{ matrix_synapse_reverse_proxy_companion_systemd_required_services_list_default + matrix_synapse_reverse_proxy_companion_systemd_required_services_list_auto + matrix_synapse_reverse_proxy_companion_systemd_required_services_list_custom }}"
+matrix_synapse_reverse_proxy_companion_systemd_required_services_list_default: []
+matrix_synapse_reverse_proxy_companion_systemd_required_services_list_auto: []
+matrix_synapse_reverse_proxy_companion_systemd_required_services_list_custom: []
+
+# List of systemd services that matrix-synapse-reverse-proxy-companion.service wants
+matrix_synapse_reverse_proxy_companion_systemd_wanted_services_list: ['matrix-synapse.service']
+
+# We use an official nginx image, which we fix-up to run unprivileged.
+# An alternative would be an `nginxinc/nginx-unprivileged` image, but
+# that is frequently out of date.
+matrix_synapse_reverse_proxy_companion_container_image: "{{ matrix_synapse_reverse_proxy_companion_container_image_registry_prefix }}nginx:{{ matrix_synapse_reverse_proxy_companion_container_image_tag }}"
+matrix_synapse_reverse_proxy_companion_container_image_registry_prefix: "{{ matrix_synapse_reverse_proxy_companion_container_image_registry_prefix_upstream }}"
+matrix_synapse_reverse_proxy_companion_container_image_registry_prefix_upstream: "{{ matrix_synapse_reverse_proxy_companion_container_image_registry_prefix_upstream_default }}"
+matrix_synapse_reverse_proxy_companion_container_image_registry_prefix_upstream_default: "docker.io/"
+matrix_synapse_reverse_proxy_companion_container_image_tag: "{{ matrix_synapse_reverse_proxy_companion_version }}"
+matrix_synapse_reverse_proxy_companion_container_image_force_pull: "{{ matrix_synapse_reverse_proxy_companion_container_image.endswith(':latest') }}"
+
+matrix_synapse_reverse_proxy_companion_container_network: "{{ matrix_synapse_container_network }}"
+
+# A list of additional container networks that matrix-synapse-reverse-proxy-companion would be connected to.
+# The playbook does not create these networks, so make sure they already exist.
+matrix_synapse_reverse_proxy_companion_container_additional_networks: "{{ matrix_synapse_reverse_proxy_companion_container_additional_networks_auto + matrix_synapse_reverse_proxy_companion_container_additional_networks_custom }}"
+matrix_synapse_reverse_proxy_companion_container_additional_networks_auto: []
+matrix_synapse_reverse_proxy_companion_container_additional_networks_custom: []
+
+# Controls whether the matrix-synapse-reverse-proxy-companion container exposes its HTTP Client-Server API port (tcp/8008 in the container).
+#
+# Takes an ":" or "" value (e.g. "127.0.0.1:8008"), or empty string to not expose.
+matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: ''
+
+# Controls whether the matrix-synapse-reverse-proxy-companion container exposes its HTTP Federation (Server-Server) API port (tcp/8048 in the container).
+#
+# Takes an ":" or "" value (e.g. "127.0.0.1:8048"), or empty string to not expose.
+matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: ''
+
+# matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
+# See `../templates/labels.j2` for details.
+#
+# To inject your own other container labels, see `matrix_synapse_reverse_proxy_companion_container_labels_additional_labels`.
+matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled: true
+matrix_synapse_reverse_proxy_companion_container_labels_traefik_docker_network: "{{ matrix_synapse_reverse_proxy_companion_container_network }}"
+matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints: web-secure
+matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver: default # noqa var-naming
+matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname: ''
+
+# Controls whether a compression middleware will be injected into the middlewares list.
+# This compression middleware is supposed to be defined elsewhere (using labels or a File provider, etc.) and is merely referenced by this router.
+matrix_synapse_reverse_proxy_companion_container_labels_traefik_compression_middleware_enabled: false
+matrix_synapse_reverse_proxy_companion_container_labels_traefik_compression_middleware_name: ""
+
+# Controls whether labels will be added that expose the Client-Server API on a public Traefik entrypoint.
+matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_enabled: true
+matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}"
+matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_path_prefix: /_matrix
+matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_path_prefix }}`)"
+matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_priority: 0
+matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}"
+matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_entrypoints != 'web' }}"
+matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming
+
+# Controls whether labels will be added that expose the Client-Server API on the internal Traefik entrypoint.
+# This is similar to `matrix_synapse_container_labels_public_client_api_enabled`, but the entrypoint and intent is different.
+matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_enabled: "{{ matrix_synapse_container_labels_internal_client_api_enabled }}"
+matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_path_prefix: "{{ matrix_synapse_container_labels_public_client_api_traefik_path_prefix }}"
+matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_rule: "PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_path_prefix }}`)"
+matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_priority: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_priority }}"
+matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_synapse_container_labels_internal_client_api_traefik_entrypoints }}"
+
+# Controls whether labels will be added that expose the /_synapse/client paths
+matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_enabled: "{{ matrix_synapse_container_labels_public_client_synapse_client_api_enabled }}"
+matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}"
+matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_path_prefix: /_synapse/client
+matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_path_prefix }}`)"
+matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_priority: 0
+matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}"
+matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_entrypoints != 'web' }}"
+matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming
+
+# Controls whether labels will be added that expose the /_synapse/admin paths
+# Following these recommendations (https://github.com/element-hq/synapse/blob/master/docs/reverse_proxy.md), by default, we don't.
+matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_enabled: "{{ matrix_synapse_container_labels_public_client_synapse_admin_api_enabled }}"
+matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}"
+matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_path_prefix: /_synapse/admin
+matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_path_prefix }}`)"
+matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_priority: 0
+matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}"
+matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_entrypoints != 'web' }}"
+matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming
+
+# Controls whether labels will be added that expose the /_synapse/admin paths on the internal Traefik entrypoint.
+# This is similar to `matrix_synapse_container_labels_public_client_api_enabled`, but the entrypoint and intent is different.
+matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_enabled: "{{ matrix_synapse_container_labels_internal_client_synapse_admin_api_enabled }}"
+matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_traefik_path_prefix: "{{ matrix_synapse_container_labels_internal_client_synapse_admin_api_traefik_path_prefix }}"
+matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_traefik_rule: "PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_traefik_path_prefix }}`)"
+matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_traefik_priority: 0
+matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_traefik_entrypoints: ""
+
+# Controls whether labels will be added that expose the Server-Server API (Federation API).
+matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_enabled: "{{ matrix_synapse_reverse_proxy_companion_federation_api_enabled }}"
+matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}"
+matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_path_prefix: /_matrix
+matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_path_prefix }}`)"
+matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_priority: 0
+matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_synapse_container_labels_public_federation_api_traefik_entrypoints }}"
+# TLS is force-enabled here, because the spec (https://spec.matrix.org/v1.9/server-server-api/#tls) says that the federation API must use HTTPS.
+matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_tls: "{{ matrix_synapse_container_labels_public_federation_api_traefik_tls }}"
+matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming
+
+# matrix_synapse_reverse_proxy_companion_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
+# See `../templates/labels.j2` for details.
+#
+# Example:
+# matrix_synapse_reverse_proxy_companion_container_labels_additional_labels: |
+# my.label=1
+# another.label="here"
+matrix_synapse_reverse_proxy_companion_container_labels_additional_labels: ''
+
+# A list of extra arguments to pass to the container
+# Also see `matrix_synapse_reverse_proxy_companion_container_arguments`
+matrix_synapse_reverse_proxy_companion_container_extra_arguments: []
+
+# matrix_synapse_reverse_proxy_companion_container_extra_arguments_auto is a list of extra arguments to pass to the container.
+# This list is managed by the playbook. You're not meant to override this variable.
+# If you'd like to inject your own arguments, see `matrix_synapse_reverse_proxy_companion_container_extra_arguments`.
+matrix_synapse_reverse_proxy_companion_container_extra_arguments_auto: []
+
+# matrix_synapse_reverse_proxy_companion_container_arguments holds the final list of extra arguments to pass to the container.
+# You're not meant to override this variable.
+# If you'd like to inject your own arguments, see `matrix_synapse_reverse_proxy_companion_container_extra_arguments`.
+matrix_synapse_reverse_proxy_companion_container_arguments: "{{ matrix_synapse_reverse_proxy_companion_container_extra_arguments + matrix_synapse_reverse_proxy_companion_container_extra_arguments_auto }}"
+
+# The amount of worker processes and connections
+# Consider increasing these when you are expecting high amounts of traffic
+# http://nginx.org/en/docs/ngx_core_module.html#worker_connections
+matrix_synapse_reverse_proxy_companion_worker_processes: auto
+matrix_synapse_reverse_proxy_companion_worker_connections: 1024
+
+# Option to disable the access log
+matrix_synapse_reverse_proxy_companion_access_log_enabled: true
+
+# Controls whether to send access logs to a remote syslog-compatible server
+matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_enabled: false
+matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_server_port: ''
+# This is intentionally different. The maximum allowed length is 32 characters and dashes are not allowed.
+matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_tag: matrix_synapse_rev_proxy_comp
+
+# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
+matrix_synapse_reverse_proxy_companion_tmp_directory_size_mb: "{{ (matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb | int) * 50 }}"
+matrix_synapse_reverse_proxy_companion_tmp_cache_directory_size_mb: "{{ (matrix_synapse_reverse_proxy_companion_synapse_cache_max_size_mb | int) * 2 }}"
+
+# A list of strings containing additional configuration blocks to add to the nginx server configuration (nginx.conf).
+# for big matrixservers to enlarge the number of open files to prevent timeouts
+# matrix_synapse_reverse_proxy_companion_additional_configuration_blocks:
+# - 'worker_rlimit_nofile 30000;'
+matrix_synapse_reverse_proxy_companion_additional_configuration_blocks: []
+
+# A list of strings containing additional configuration blocks to add to the nginx event server configuration (nginx.conf).
+matrix_synapse_reverse_proxy_companion_event_additional_configuration_blocks: []
+
+# A list of strings containing additional configuration blocks to add to the nginx http's server configuration (nginx-http.conf).
+matrix_synapse_reverse_proxy_companion_http_additional_server_configuration_blocks: []
+
+# To increase request timeout in NGINX using proxy_read_timeout, proxy_connect_timeout, proxy_send_timeout, send_timeout directives
+# Nginx Default: proxy_connect_timeout 60s; #Defines a timeout for establishing a connection with a proxied server
+# Nginx Default: proxy_send_timeout 60s; #Sets a timeout for transmitting a request to the proxied server.
+# Nginx Default: proxy_read_timeout 60s; #Defines a timeout for reading a response from the proxied server.
+# Nginx Default: send_timeout 60s; #Sets a timeout for transmitting a response to the client.
+#
+# For more information visit:
+# http://nginx.org/en/docs/http/ngx_http_proxy_module.html
+# http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout
+# https://www.nginx.com/resources/wiki/start/topics/examples/fullexample2/
+#
+# Here we are sticking with nginx default values change this value carefully.
+matrix_synapse_reverse_proxy_companion_proxy_connect_timeout: 60
+matrix_synapse_reverse_proxy_companion_proxy_send_timeout: 60
+matrix_synapse_reverse_proxy_companion_proxy_read_timeout: 60
+matrix_synapse_reverse_proxy_companion_send_timeout: 60
+
+# For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter).
+# +# Otherwise, we get warnings like this: +# > [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/matrix/ssl/config/live/…/fullchain.pem" +# +# We point it to the internal Docker resolver, which likely delegates to nameservers defined in `/etc/resolv.conf`. +matrix_synapse_reverse_proxy_companion_http_level_resolver: 127.0.0.11 + +matrix_synapse_reverse_proxy_companion_hostname: "matrix-synapse-reverse-proxy-companion" + +# matrix_synapse_reverse_proxy_companion_client_api_addr specifies the address where the Client-Server API is +matrix_synapse_reverse_proxy_companion_client_api_addr: 'matrix-synapse:{{ matrix_synapse_container_client_api_port }}' + +# The maximum body size for client requests to any of the endpoints on the Client-Server API. +# This needs to be equal or higher than the maximum upload size accepted by Synapse. +matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb: "{{ matrix_synapse_max_upload_size_mb }}" + +# The buffer size for client requests to any of the endpoints on the Client-Server API. +matrix_synapse_reverse_proxy_companion_client_api_client_body_buffer_size_mb: "{{ matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb }}" + +# matrix_synapse_reverse_proxy_companion_federation_api_enabled specifies whether reverse proxying for the Federation (Server-Server) API should be done +matrix_synapse_reverse_proxy_companion_federation_api_enabled: true +# matrix_synapse_reverse_proxy_companion_federation_api_addr specifies the address where the Federation (Server-Server) API is +matrix_synapse_reverse_proxy_companion_federation_api_addr: 'matrix-synapse:{{ matrix_synapse_container_federation_api_plain_port }}' + +# The maximum body size for client requests to any of the endpoints on the Federation API. 
+# We auto-calculate this based on the Client-Server API's maximum body size, but use a minimum value to ensure we don't go to low. +matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb: "{{ [matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb_minimum, (matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb | int) * 3] | max }}" +matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb_minimum: 100 + +# The buffer size for client requests to any of the endpoints on the Federation API. +matrix_synapse_reverse_proxy_companion_federation_api_client_body_buffer_size_mb: "{{ matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb }}" + +# A list of strings containing additional configuration blocks to add to the nginx vhost handling the Synapse Client-Server API +matrix_synapse_reverse_proxy_companion_synapse_client_api_additional_server_configuration_blocks: [] + +# A list of strings containing additional configuration blocks to add to the nginx vhost handling the Synapse Federation (Server-Server) API +matrix_synapse_reverse_proxy_companion_synapse_federation_api_additional_server_configuration_blocks: [] + + +# synapse worker activation and endpoint mappings. +# These are all populated via Ansible group variables. 
+# (or fall back to role-level Synapse worker defaults when not overridden) +matrix_synapse_reverse_proxy_companion_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}" +matrix_synapse_reverse_proxy_companion_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}" +matrix_synapse_reverse_proxy_companion_synapse_room_worker_client_server_locations: "{{ matrix_synapse_workers_room_worker_client_server_endpoints }}" +matrix_synapse_reverse_proxy_companion_synapse_room_worker_federation_locations: "{{ matrix_synapse_workers_room_worker_federation_endpoints }}" +matrix_synapse_reverse_proxy_companion_synapse_sync_worker_client_server_locations: "{{ matrix_synapse_workers_sync_worker_client_server_endpoints }}" +matrix_synapse_reverse_proxy_companion_synapse_client_reader_client_server_locations: "{{ matrix_synapse_workers_client_reader_client_server_endpoints }}" +matrix_synapse_reverse_proxy_companion_synapse_federation_reader_federation_locations: "{{ matrix_synapse_workers_federation_reader_federation_endpoints }}" +matrix_synapse_reverse_proxy_companion_synapse_generic_worker_client_server_locations: "{{ matrix_synapse_workers_generic_worker_client_server_endpoints }}" +matrix_synapse_reverse_proxy_companion_synapse_generic_worker_federation_locations: "{{ matrix_synapse_workers_generic_worker_federation_endpoints }}" +matrix_synapse_reverse_proxy_companion_synapse_stream_writer_typing_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_typing_stream_worker_client_server_endpoints }}" +matrix_synapse_reverse_proxy_companion_synapse_stream_writer_to_device_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_to_device_stream_worker_client_server_endpoints }}" +matrix_synapse_reverse_proxy_companion_synapse_stream_writer_account_data_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_account_data_stream_worker_client_server_endpoints }}" 
+matrix_synapse_reverse_proxy_companion_synapse_stream_writer_receipts_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_receipts_stream_worker_client_server_endpoints }}" +matrix_synapse_reverse_proxy_companion_synapse_stream_writer_presence_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_presence_stream_worker_client_server_endpoints }}" +matrix_synapse_reverse_proxy_companion_synapse_media_repository_locations: "{{ matrix_synapse_workers_media_repository_endpoints | default([]) }}" +matrix_synapse_reverse_proxy_companion_synapse_user_dir_locations: "{{ matrix_synapse_workers_user_dir_worker_client_server_endpoints | default([]) }}" +matrix_synapse_reverse_proxy_companion_client_server_main_override_locations_regex: ^/_matrix/client/(api/v1|r0|v3|unstable)/(account/3pid/|directory/list/room/|pushrules/|rooms/[^/]+/(forget|upgrade|report)|login/sso/redirect/|register) +matrix_synapse_reverse_proxy_companion_client_server_sso_override_locations_regex: ^(/_matrix/client/(api/v1|r0|v3|unstable)/login/sso/redirect|/_synapse/client/(pick_username|(new_user_consent|oidc/callback|pick_idp|sso_register)$)) +# Related to MSC4108 (https://github.com/matrix-org/matrix-spec-proposals/pull/4108) +matrix_synapse_reverse_proxy_companion_client_server_qr_code_login_locations_regex: ^(/_matrix/client/(unstable|v1)/org.matrix.msc4108/rendezvous|/_synapse/client/rendezvous)$ + +matrix_synapse_reverse_proxy_companion_federation_override_locations_regex: ^/_matrix/federation/v1/openid/userinfo$ + +# synapse content caching +matrix_synapse_reverse_proxy_companion_synapse_cache_enabled: false +matrix_synapse_reverse_proxy_companion_synapse_cache_path: /tmp/synapse-cache +matrix_synapse_reverse_proxy_companion_synapse_cache_keys_zone_name: "STATIC" +matrix_synapse_reverse_proxy_companion_synapse_cache_keys_zone_size: "10m" +matrix_synapse_reverse_proxy_companion_synapse_cache_inactive_time: "48h" 
+matrix_synapse_reverse_proxy_companion_synapse_cache_max_size_mb: 1024 +matrix_synapse_reverse_proxy_companion_synapse_cache_proxy_cache_valid_time: "24h" + + +# Controls whether matrix-synapse-reverse-proxy-companion trusts an upstream server's X-Forwarded-Proto header. +# The `matrix-synapse-reverse-proxy-companion` does not terminate SSL and always expects to be fronted by another reverse-proxy server. +# As such, it trusts the protocol scheme forwarded by the upstream proxy. +matrix_synapse_reverse_proxy_companion_trust_forwarded_proto: true +matrix_synapse_reverse_proxy_companion_x_forwarded_proto_value: "{{ '$http_x_forwarded_proto' if matrix_synapse_reverse_proxy_companion_trust_forwarded_proto else '$scheme' }}" + +######################################################################################## +# # +# /Synapse reverse-proxy companion core settings # +# # +######################################################################################## + + +######################################################################################## +# # +# njs module # +# # +######################################################################################## + +# Controls whether the njs module is loaded. +matrix_synapse_reverse_proxy_companion_njs_enabled: "{{ matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_enabled }}" + +######################################################################################## +# # +# /njs module # +# # +######################################################################################## + + +######################################################################################## +# # +# Whoami-based sync worker routing # +# # +######################################################################################## + +# Controls whether the whoami-based sync worker router is enabled. 
+# When enabled, the reverse proxy will call Synapse's /_matrix/client/v3/account/whoami endpoint +# to resolve access tokens to usernames, allowing consistent routing of requests from the same user +# to the same sync worker regardless of which device or token they use. +# +# This works with any authentication system (native Synapse auth, MAS, etc.) because Synapse +# handles the token validation internally. +# +# Enabled by default when there are sync workers, because sync workers benefit from user-level +# stickiness due to their per-user in-memory caches. +matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_enabled: "{{ matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'sync_worker') | list | length > 0 }}" + +# The whoami endpoint path (Matrix spec endpoint). +matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_endpoint: /_matrix/client/v3/account/whoami + +# The full URL to the whoami endpoint. +matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_url: "http://{{ matrix_synapse_reverse_proxy_companion_client_api_addr }}{{ matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_endpoint }}" + +# Cache duration (in seconds) for whoami lookup results. +# Token -> username mappings are cached to avoid repeated whoami calls. +# A longer TTL reduces load on Synapse but means username changes take longer to take effect. +matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_cache_ttl_seconds: 3600 + +# Size of the shared memory zone for caching whoami results (in megabytes). +# Each cached entry is approximately 100-200 bytes. +matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_cache_size_mb: 1 + +# Controls whether verbose logging is enabled for the whoami sync worker router. +# When enabled, logs cache hits/misses and routing decisions. +# Useful for debugging, but should be disabled in production. 
+matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_logging_enabled: false + +# The length of the access token to show in logs when logging is enabled. +# Keeping this short is a good idea from a security perspective. +matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_logging_token_length: 12 + +# Controls whether debug response headers are added to sync requests. +# When enabled, adds X-Sync-Worker-Router-User-Identifier and X-Sync-Worker-Router-Upstream headers. +# Useful for debugging routing behavior, but should be disabled in production. +matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_debug_headers_enabled: false + +######################################################################################## +# # +# /Whoami-based sync worker routing # +# # +######################################################################################## + +# matrix_synapse_reverse_proxy_companion_restart_necessary controls whether the service +# will be restarted (when true) or merely started (when false) by the +# systemd service manager role (when conditional restart is enabled). +# +# This value is automatically computed during installation based on whether +# any configuration files, the systemd service file, or the container image changed. +# The default of `false` means "no restart needed" — appropriate when the role's +# installation tasks haven't run (e.g., due to --tags skipping them). +matrix_synapse_reverse_proxy_companion_restart_necessary: false diff --git a/roles/custom/matrix-synapse/defaults/main.yml.license b/roles/custom/matrix-synapse/defaults/main.yml.license index f44030cd8..fbfef4b26 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml.license +++ b/roles/custom/matrix-synapse/defaults/main.yml.license 
@@ -30,11 +30,13 @@ SPDX-FileCopyrightText: 2022 Quentin Young
 SPDX-FileCopyrightText: 2022 Shaleen Jain
 SPDX-FileCopyrightText: 2022 Yan Minagawa
 SPDX-FileCopyrightText: 2023 - 2024 Michael Hollister
+SPDX-FileCopyrightText: 2023 Dan Arnfield
 SPDX-FileCopyrightText: 2023 Aeris One
 SPDX-FileCopyrightText: 2023 Luke D Iremadze
 SPDX-FileCopyrightText: 2023 Samuel Meenzen
 SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
 SPDX-FileCopyrightText: 2024 Charles Wright
-SPDX-FileCopyrightText: 2025 Catalan Lover
+SPDX-FileCopyrightText: 2024 David Mehren
+SPDX-FileCopyrightText: 2024 - 2025 Catalan Lover
 SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/roles/custom/matrix-synapse/tasks/main.yml b/roles/custom/matrix-synapse/tasks/main.yml
index 14fa2a645..35337cae8 100644
--- a/roles/custom/matrix-synapse/tasks/main.yml
+++ b/roles/custom/matrix-synapse/tasks/main.yml
@@ -47,6 +47,16 @@
 # This always runs because it handles uninstallation for sub-components too.
 - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
+- tags:
+ - setup-all
+ - setup-synapse-reverse-proxy-companion
+ - setup-synapse
+ - install-all
+ - install-synapse-reverse-proxy-companion
+ - install-synapse
+ block:
+ - ansible.builtin.include_tasks: "{{ role_path }}/tasks/reverse_proxy_companion/main.yml"
+
 - tags:
 - import-synapse-media-store
 block:
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml b/roles/custom/matrix-synapse/tasks/reverse_proxy_companion/main.yml
similarity index 65%
rename from roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml
rename to roles/custom/matrix-synapse/tasks/reverse_proxy_companion/main.yml
index bd8c3f680..389291989 100644
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/main.yml
+++ b/roles/custom/matrix-synapse/tasks/reverse_proxy_companion/main.yml
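Review bot: The tag list on the new block in tasks/main.yml has to stay a superset of the tags used inside `tasks/reverse_proxy_companion/main.yml` (`setup-all`, `setup-synapse`, `install-synapse`, …), because tags on a block only gate the `include_tasks` itself — a tag that exists only in the included file never fires when the outer block lacks it. Nothing in the hunk records that coupling, so a comment above `- tags:` would help, e.g. `# Tag list must mirror tasks/reverse_proxy_companion/main.yml; the included file chooses install vs. uninstall via matrix_synapse_reverse_proxy_companion_enabled.` The preceding comment explains only why setup_uninstall.yml always runs; if placing the companion include after it and before the media-store import is deliberate lifecycle ordering, that deserves a sentence too.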
@@ -13,10 +13,10 @@
 - install-synapse
 block:
 - when: matrix_synapse_reverse_proxy_companion_enabled | bool
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/reverse_proxy_companion/validate_config.yml"
 - when: matrix_synapse_reverse_proxy_companion_enabled | bool
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/reverse_proxy_companion/setup_install.yml"
 - tags:
 - setup-all
@@ -24,4 +24,4 @@
 - setup-synapse
 block:
 - when: not matrix_synapse_reverse_proxy_companion_enabled | bool
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/reverse_proxy_companion/setup_uninstall.yml"
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_install.yml b/roles/custom/matrix-synapse/tasks/reverse_proxy_companion/setup_install.yml
similarity index 87%
rename from roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_install.yml
rename to roles/custom/matrix-synapse/tasks/reverse_proxy_companion/setup_install.yml
index 84cd23aea..1dd0116a8 100644
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_install.yml
+++ b/roles/custom/matrix-synapse/tasks/reverse_proxy_companion/setup_install.yml
@@ -26,19 +26,19 @@
 group: "{{ matrix_group_name }}"
 mode: '0644'
 with_items:
- - src: "{{ role_path }}/templates/nginx/nginx.conf.j2"
+ - src: "{{ role_path }}/templates/reverse_proxy_companion/nginx/nginx.conf.j2"
 dest: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/nginx.conf"
- - src: "{{ role_path }}/templates/nginx/conf.d/nginx-http.conf.j2"
+ - src: "{{ role_path }}/templates/reverse_proxy_companion/nginx/conf.d/nginx-http.conf.j2"
 dest: "{{ matrix_synapse_reverse_proxy_companion_confd_path }}/nginx-http.conf"
- - src: "{{ role_path }}/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2"
+ - src: "{{ role_path }}/templates/reverse_proxy_companion/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2"
 dest: "{{ matrix_synapse_reverse_proxy_companion_confd_path }}/matrix-synapse-reverse-proxy-companion.conf"
- - src: "{{ role_path }}/templates/labels.j2"
+ - src: "{{ role_path }}/templates/reverse_proxy_companion/labels.j2"
 dest: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/labels"
 register: matrix_synapse_reverse_proxy_companion_config_result
 - name: Ensure matrix-synapse-reverse-proxy-companion whoami sync worker router njs script is deployed
 ansible.builtin.template:
- src: "{{ role_path }}/templates/nginx/njs/whoami_sync_worker_router.js.j2"
+ src: "{{ role_path }}/templates/reverse_proxy_companion/nginx/njs/whoami_sync_worker_router.js.j2"
 dest: "{{ matrix_synapse_reverse_proxy_companion_njs_path }}/whoami_sync_worker_router.js"
 owner: "{{ matrix_user_name }}"
 group: "{{ matrix_group_name }}"
@@ -71,7 +71,7 @@
 - name: Ensure matrix-synapse-reverse-proxy-companion.service installed
 ansible.builtin.template:
- src: "{{ role_path }}/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2"
+ src: "{{ role_path }}/templates/reverse_proxy_companion/systemd/matrix-synapse-reverse-proxy-companion.service.j2"
 dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-synapse-reverse-proxy-companion.service"
 mode: '0644'
 register: matrix_synapse_reverse_proxy_companion_systemd_service_result
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_uninstall.yml b/roles/custom/matrix-synapse/tasks/reverse_proxy_companion/setup_uninstall.yml
similarity index 100%
rename from roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_uninstall.yml
rename to roles/custom/matrix-synapse/tasks/reverse_proxy_companion/setup_uninstall.yml
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/validate_config.yml b/roles/custom/matrix-synapse/tasks/reverse_proxy_companion/validate_config.yml
similarity index 100%
rename from roles/custom/matrix-synapse-reverse-proxy-companion/tasks/validate_config.yml
rename to roles/custom/matrix-synapse/tasks/reverse_proxy_companion/validate_config.yml
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/labels.j2 b/roles/custom/matrix-synapse/templates/reverse_proxy_companion/labels.j2
similarity index 100%
rename from roles/custom/matrix-synapse-reverse-proxy-companion/templates/labels.j2
rename to roles/custom/matrix-synapse/templates/reverse_proxy_companion/labels.j2
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 b/roles/custom/matrix-synapse/templates/reverse_proxy_companion/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2
similarity index 100%
rename from roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2
rename to roles/custom/matrix-synapse/templates/reverse_proxy_companion/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2.license b/roles/custom/matrix-synapse/templates/reverse_proxy_companion/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2.license
similarity index 100%
rename from roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2.license
rename to roles/custom/matrix-synapse/templates/reverse_proxy_companion/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2.license
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/nginx-http.conf.j2 b/roles/custom/matrix-synapse/templates/reverse_proxy_companion/nginx/conf.d/nginx-http.conf.j2
similarity index 100%
rename from roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/nginx-http.conf.j2
rename to roles/custom/matrix-synapse/templates/reverse_proxy_companion/nginx/conf.d/nginx-http.conf.j2
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/nginx-http.conf.j2.license b/roles/custom/matrix-synapse/templates/reverse_proxy_companion/nginx/conf.d/nginx-http.conf.j2.license
similarity index 100%
rename from roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/nginx-http.conf.j2.license
rename to roles/custom/matrix-synapse/templates/reverse_proxy_companion/nginx/conf.d/nginx-http.conf.j2.license
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/nginx.conf.j2 b/roles/custom/matrix-synapse/templates/reverse_proxy_companion/nginx/nginx.conf.j2
similarity index 100%
rename from roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/nginx.conf.j2
rename to roles/custom/matrix-synapse/templates/reverse_proxy_companion/nginx/nginx.conf.j2
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/nginx.conf.j2.license b/roles/custom/matrix-synapse/templates/reverse_proxy_companion/nginx/nginx.conf.j2.license
similarity index 100%
rename from roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/nginx.conf.j2.license
rename to roles/custom/matrix-synapse/templates/reverse_proxy_companion/nginx/nginx.conf.j2.license
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/njs/whoami_sync_worker_router.js.j2 b/roles/custom/matrix-synapse/templates/reverse_proxy_companion/nginx/njs/whoami_sync_worker_router.js.j2
similarity index 100%
rename from roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/njs/whoami_sync_worker_router.js.j2
rename to roles/custom/matrix-synapse/templates/reverse_proxy_companion/nginx/njs/whoami_sync_worker_router.js.j2
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/njs/whoami_sync_worker_router.js.j2.license b/roles/custom/matrix-synapse/templates/reverse_proxy_companion/nginx/njs/whoami_sync_worker_router.js.j2.license
similarity index 100%
rename from roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/njs/whoami_sync_worker_router.js.j2.license
rename to roles/custom/matrix-synapse/templates/reverse_proxy_companion/nginx/njs/whoami_sync_worker_router.js.j2.license
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2 b/roles/custom/matrix-synapse/templates/reverse_proxy_companion/systemd/matrix-synapse-reverse-proxy-companion.service.j2
similarity index 100%
rename from roles/custom/matrix-synapse-reverse-proxy-companion/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2
rename to roles/custom/matrix-synapse/templates/reverse_proxy_companion/systemd/matrix-synapse-reverse-proxy-companion.service.j2
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2.license b/roles/custom/matrix-synapse/templates/reverse_proxy_companion/systemd/matrix-synapse-reverse-proxy-companion.service.j2.license
similarity index 100%
rename from roles/custom/matrix-synapse-reverse-proxy-companion/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2.license
rename to roles/custom/matrix-synapse/templates/reverse_proxy_companion/systemd/matrix-synapse-reverse-proxy-companion.service.j2.license
diff --git a/setup.yml b/setup.yml
index d6890adef..3face8a68 100644
--- a/setup.yml
+++ b/setup.yml
@@ -93,7 +93,6 @@
 - custom/matrix-rageshake
 - custom/matrix-synapse
 - custom/matrix-synapse-auto-compressor
- - custom/matrix-synapse-reverse-proxy-companion
 - custom/matrix-dendrite
 - custom/matrix-conduit
 - custom/matrix-continuwuity