mautrix-gmessages: expose bridge HTTP API (for mautrix-manager and similar)

Add a generic mechanism for exposing bridges' HTTP API (the provisioning API, etc.) publicly on the Matrix domain, so tools like mautrix-manager (https://github.com/mautrix/manager) can drive bridge login. - Introduce global matrix_bridges_exposure_* vars (on by default), exposing each supported bridge under `<matrix-fqn>/bridges/<bridge>`. - mautrix-gmessages: make the provisioning shared secret configurable (auto-generated in group_vars) so the provisioning API is enabled, route the whole bridge HTTP port via Traefik, and populate appservice.public_address. Requests are authenticated by the bridge itself (per-user Matrix access token for the provisioning API, homeserver token for the appservice endpoints), not by the reverse proxy. This is the first bridge converted; the other mautrix bridges will follow. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-30 15:31:18 +00:00 · 2026-06-28 19:52:24 +03:00
parent d61979a0b9
commit a4ddba3989
5 changed files with 76 additions and 2 deletions
@@ -46,6 +46,39 @@ traefik.http.routers.matrix-mautrix-gmessages-metrics.tls.certResolver={{ matrix
 ############################################################
 {% endif %}

+{% if matrix_mautrix_gmessages_container_labels_exposure_enabled %}
+############################################################
+#                                                          #
+# Bridge API exposure                                      #
+#                                                          #
+############################################################
+
+traefik.http.services.matrix-mautrix-gmessages-exposure.loadbalancer.server.port=8080
+
+traefik.http.middlewares.matrix-mautrix-gmessages-exposure-strip-prefix.stripprefix.prefixes={{ matrix_mautrix_gmessages_exposure_path_prefix }}
+traefik.http.routers.matrix-mautrix-gmessages-exposure.middlewares=matrix-mautrix-gmessages-exposure-strip-prefix
+
+traefik.http.routers.matrix-mautrix-gmessages-exposure.rule={{ matrix_mautrix_gmessages_container_labels_exposure_traefik_rule }}
+
+{% if matrix_mautrix_gmessages_container_labels_exposure_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-mautrix-gmessages-exposure.priority={{ matrix_mautrix_gmessages_container_labels_exposure_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-mautrix-gmessages-exposure.service=matrix-mautrix-gmessages-exposure
+traefik.http.routers.matrix-mautrix-gmessages-exposure.entrypoints={{ matrix_mautrix_gmessages_container_labels_exposure_traefik_entrypoints }}
+
+traefik.http.routers.matrix-mautrix-gmessages-exposure.tls={{ matrix_mautrix_gmessages_container_labels_exposure_traefik_tls | to_json }}
+{% if matrix_mautrix_gmessages_container_labels_exposure_traefik_tls %}
+traefik.http.routers.matrix-mautrix-gmessages-exposure.tls.certResolver={{ matrix_mautrix_gmessages_container_labels_exposure_traefik_tls_certResolver }}
+{% endif %}
+
+############################################################
+#                                                          #
+# /Bridge API exposure                                     #
+#                                                          #
+############################################################
+{% endif %}
+

 {% endif %}