	Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy into node_postgres_reverse_proxy
		| @@ -192,6 +192,58 @@ matrix_nginx_proxy_proxy_grafana_hostname: "{{ matrix_server_fqn_grafana }}" | ||||
| matrix_nginx_proxy_proxy_sygnal_enabled: false | ||||
| matrix_nginx_proxy_proxy_sygnal_hostname: "{{ matrix_server_fqn_sygnal }}" | ||||
|  | ||||
| # Controls whether proxying for (Prometheus) metrics (`/metrics/*`) for the various services should be done (on the matrix domain) | ||||
| # If the internal Prometheus server (`matrix-prometheus` role) is used, proxying is not necessary, since Prometheus can access each container directly. | ||||
| # This is only useful when an external Prometheus will be collecting metrics. | ||||
| # | ||||
| # To control what kind of metrics are exposed under `/metrics/` (e.g `/metrics/node-exporter`, `/metrics/postgres-exporter`, etc.), | ||||
| # use `matrix_SERVICE_metrics_proxying_enabled` variables in each respective role. | ||||
| # Roles inject themselves into the matrix-nginx-proxy configuration. | ||||
| # | ||||
| # To protect the metrics endpoints, see `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled` | ||||
| matrix_nginx_proxy_proxy_matrix_metrics_enabled: false | ||||
|  | ||||
| # Controls whether Basic Auth is enabled for all `/metrics/*` endpoints. | ||||
| # | ||||
| # You can provide the Basic Auth credentials in 2 ways: | ||||
| # 1. A single username/password pair using `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password` | ||||
| # 2. Using raw content (`htpasswd`-generated file) provided in `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content` | ||||
| matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled: false | ||||
|  | ||||
| # `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password` specify | ||||
| # the Basic Auth username/password for protecting `/metrics/*` endpoints. | ||||
| # Alternatively, use `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content`. | ||||
| matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username: "" | ||||
| matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password: "" | ||||
|  | ||||
| # `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content` value will be written verbatim to the htpasswd file protecting `/metrics/*` endpoints. | ||||
| # Use this when a single username/password is not enough and you'd like to get more control over credentials. | ||||
| # | ||||
| # Read the manpage at `man 1 htpasswd` to learn more, then encrypt your password, and paste the encrypted value here. | ||||
| # e.g. `htpasswd -c mypass.htpasswd prometheus` and enter `mysecurepw` when prompted yields `prometheus:$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/` | ||||
| # The whole thing is needed here. matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content: "prometheus:$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/" | ||||
| matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content: "" | ||||
|  | ||||
| # Specifies the path to the htpasswd file holding the htpasswd credentials for protecting `/metrics/*` endpoints | ||||
| # This is not meant to be modified. | ||||
| matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_path: "{{ matrix_nginx_proxy_data_path_in_container if matrix_nginx_proxy_enabled else matrix_nginx_proxy_data_path }}/matrix-metrics-htpasswd" | ||||
|  | ||||
| # Specifies the Apache container image to use | ||||
| # when `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password` are provided. | ||||
| # This image provides the `htpasswd` tool which we use for generating the htpasswd file protecting `/metrics/*`. | ||||
| # To avoid using this, use `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content` instead of supplying username/password. | ||||
| # Learn more in: `roles/matrix-nginx-proxy/tasks/nginx-proxy/setup_metrics_auth.yml`. | ||||
| matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image: "{{ matrix_container_global_registry_prefix }}httpd:{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image_tag }}" | ||||
| matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image_tag: "2.4.54-alpine3.16" | ||||
| matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_force_pull: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image_tag.endswith(':latest') }}" | ||||
|  | ||||
| # A list of strings containing additional configuration blocks to add to the `location /metrics` configuration (matrix-domain.conf). | ||||
| # Do not modify `matrix_nginx_proxy_proxy_matrix_metrics_additional_location_configuration_blocks` and `matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks`. | ||||
| # If you'd like to inject your own configuration blocks, use `matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks`. | ||||
| matrix_nginx_proxy_proxy_matrix_metrics_additional_location_configuration_blocks: "{{ matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks + matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks }}" | ||||
| matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: [] | ||||
| matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks: [] | ||||
|  | ||||
| # Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain) | ||||
| matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false | ||||
| matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" | ||||
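Review bot: `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_force_pull` calls `.endswith(':latest')` on the tag variable, whose default is `2.4.54-alpine3.16`; a plain tag such as `latest` carries no `:` separator, so the expression cannot become true and the image would never be force-pulled. Test the full image reference instead, as the certbot setting elsewhere in this file does: `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_force_pull: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image.endswith(':latest') }}"`. Separately, `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled` defaults to `false`, so the comment above `matrix_nginx_proxy_proxy_matrix_metrics_enabled` should say outright that enabling proxying alone serves `/metrics/*` without authentication.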
| @@ -216,17 +268,6 @@ matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false | ||||
| matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}" | ||||
| matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}" | ||||
|  | ||||
| # Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain) | ||||
| matrix_nginx_proxy_proxy_synapse_metrics: false | ||||
| matrix_nginx_proxy_synapse_workers_enabled_list: [] | ||||
| matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled: false | ||||
| # The following value will be written verbatim to the htpasswd file that stores the password for nginx to check against and needs to be encoded appropriately. | ||||
| # Read the manpage at `man 1 htpasswd` to learn more, then encrypt your password, and paste the encrypted value here. | ||||
| # e.g. `htpasswd -c mypass.htpasswd prometheus` and enter `mysecurepw` when prompted yields `prometheus:$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/` | ||||
| # The part after `prometheus:` is needed here. matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: "$apr1$wZhqsn.U$7LC3kMmjUbjNAZjyMyvYv/" | ||||
| matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key: "" | ||||
| matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_path: "{{ matrix_nginx_proxy_data_path_in_container if matrix_nginx_proxy_enabled else matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd" | ||||
|  | ||||
| # The addresses where the Matrix Client API is. | ||||
| # Certain extensions (like matrix-corporal) may override this in order to capture all traffic. | ||||
| matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "matrix-nginx-proxy:12080" | ||||
| @@ -259,8 +300,6 @@ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes: | | ||||
|     (['/_synapse/oidc'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled else []) | ||||
|     + | ||||
|     (['/_synapse/admin'] if matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled else []) | ||||
|     + | ||||
|     (['/_synapse.*/metrics'] if matrix_nginx_proxy_proxy_synapse_metrics else []) | ||||
|   }} | ||||
|  | ||||
| # Specifies where requests for the root URI (`/`) on the `matrix.` domain should be redirected. | ||||
| @@ -485,7 +524,7 @@ matrix_ssl_lets_encrypt_staging: false | ||||
| # Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#changing-the-acme-server | ||||
| matrix_ssl_lets_encrypt_server: '' | ||||
|  | ||||
| matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.27.0" | ||||
| matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.28.0" | ||||
| matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" | ||||
| matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 | ||||
| matrix_ssl_lets_encrypt_support_email: ~ | ||||
|   | ||||
| @@ -0,0 +1,55 @@ | ||||
| --- | ||||
|  | ||||
| # When we're dealing with raw htpasswd content, we just store it in the file directly. | ||||
| - name: Ensure matrix-metrics-htpasswd is present when generated from raw content (protecting /metrics/* URIs) | ||||
|   copy: | ||||
|     content: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content }}" | ||||
|     dest: "{{ matrix_nginx_proxy_data_path }}/matrix-metrics-htpasswd" | ||||
|     owner: "{{ matrix_user_username }}" | ||||
|     group: "{{ matrix_user_groupname }}" | ||||
|     mode: 0600 | ||||
|   when: not matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username | ||||
|  | ||||
| # Alternatively, we need to use the `htpasswd` tool to generate the htpasswd file. | ||||
| # There's an Ansible module that helps with that, but it requires passlib (a Python module) to be installed on the server. | ||||
| # See: https://docs.ansible.com/ansible/2.3/htpasswd_module.html#requirements-on-host-that-executes-module | ||||
| # We support various distros, with various versions of Python. Installing additional Python modules can be a hassle. | ||||
| # As a workaround, we run `htpasswd` from an Apache container image. | ||||
| - block: | ||||
|     - name: Ensure Apache Docker image is pulled for generating matrix-metrics-htpasswd from username/password (protecting /metrics/* URIs) | ||||
|       docker_image: | ||||
|         name: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image }}" | ||||
|         source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" | ||||
|         force_source: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" | ||||
|         force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_force_pull }}" | ||||
|  | ||||
|     # We store the password in a file and make the `htpasswd` tool read it from there, | ||||
|     # as opposed to passing it directly on stdin (which will expose it to other processes on the server). | ||||
|     - name: Store metrics password in a temporary file | ||||
|       copy: | ||||
|         content: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password }}" | ||||
|         dest: "/tmp/matrix-nginx-proxy-metrics-password" | ||||
|         mode: 0400 | ||||
|         owner: "{{ matrix_user_uid }}" | ||||
|         group: "{{ matrix_user_gid }}" | ||||
|  | ||||
|     - name: Generate matrix-metrics-htpasswd from username/password (protecting /metrics/* URIs) | ||||
|       command: | ||||
|         cmd: >- | ||||
|           {{ matrix_host_command_docker }} run | ||||
|           --rm | ||||
|           --user={{ matrix_user_uid }}:{{ matrix_user_gid }} | ||||
|           --cap-drop=ALL | ||||
|           --network=none | ||||
|           --mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst=/data | ||||
|           --mount type=bind,src=/tmp/matrix-nginx-proxy-metrics-password,dst=/password,ro | ||||
|           --entrypoint=/bin/sh | ||||
|           {{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image }} | ||||
|           -c | ||||
|           'cat /password | htpasswd -i -c /data/matrix-metrics-htpasswd {{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username }} && chmod 600 /data/matrix-metrics-htpasswd' | ||||
|  | ||||
|     - name: Delete temporary metrics password file | ||||
|       file: | ||||
|         path: /tmp/matrix-nginx-proxy-metrics-password | ||||
|         state: absent | ||||
|   when: matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username != '' | ||||
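Review bot: The block that writes `/tmp/matrix-nginx-proxy-metrics-password` has no `always:` section, so if the image pull or the `htpasswd` run fails, the "Delete temporary metrics password file" task is skipped and the cleartext password stays on disk. Move that delete task under an `always:` key at the same level as `block:` so cleanup runs on failure too. The username is also spliced unquoted into the single-quoted `sh -c` script; a value containing a quote or whitespace would change the command. Pass it as a separate argument after the script with the `quote` filter applied, and reference it as `"$1"`. The comment above the copy task would be more accurate if it said the file avoids putting the password on the command line, since `htpasswd -i` still reads it from stdin.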
| @@ -31,23 +31,9 @@ | ||||
|     mode: 0644 | ||||
|   when: matrix_nginx_proxy_enabled|bool | ||||
|  | ||||
| - name: Ensure matrix-synapse-metrics-htpasswd is present (protecting /_synapse/metrics URI) | ||||
|   template: | ||||
|     src: "{{ role_path }}/templates/nginx/matrix-synapse-metrics-htpasswd.j2" | ||||
|     dest: "{{ matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd" | ||||
|     owner: "{{ matrix_user_username }}" | ||||
|     group: "{{ matrix_user_groupname }}" | ||||
|     mode: 0400 | ||||
|   when: "matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled|bool and matrix_nginx_proxy_proxy_synapse_metrics|bool" | ||||
|  | ||||
| - name: Generate sample prometheus.yml for external scraping | ||||
|   template: | ||||
|     src: "{{ role_path }}/templates/prometheus/external_prometheus.yml.example.j2" | ||||
|     dest: "{{ matrix_base_data_path }}/external_prometheus.yml.example" | ||||
|     owner: "{{ matrix_user_username }}" | ||||
|     group: "{{ matrix_user_groupname }}" | ||||
|     mode: 0644 | ||||
|   when: matrix_nginx_proxy_proxy_synapse_metrics|bool | ||||
| - name: Setup metrics | ||||
|   include_tasks: "{{ role_path }}/tasks/nginx-proxy/setup_metrics_auth.yml" | ||||
|   when: matrix_nginx_proxy_proxy_matrix_metrics_enabled|bool and matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled|bool | ||||
|  | ||||
| - name: Ensure Matrix nginx-proxy configured (generic) | ||||
|   template: | ||||
| @@ -324,10 +310,15 @@ | ||||
|   file: | ||||
|     path: "{{ matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd" | ||||
|     state: absent | ||||
|   when: "not matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled|bool or not matrix_nginx_proxy_proxy_synapse_metrics|bool" | ||||
|  | ||||
| - name: Ensure sample prometheus.yml for external scraping is deleted | ||||
| # This file is now generated by the matrix-synapse role and saved in the Synapse directory | ||||
| - name: (Cleanup) Ensure old sample prometheus.yml for external scraping is deleted | ||||
|   file: | ||||
|     path: "{{ matrix_base_data_path }}/external_prometheus.yml.example" | ||||
|     state: absent | ||||
|   when: "not matrix_nginx_proxy_proxy_synapse_metrics|bool" | ||||
|  | ||||
| - name: Ensure Matrix nginx-proxy htpasswd is deleted (protecting /metrics/* URIs) | ||||
|   file: | ||||
|     path: "{{ matrix_nginx_proxy_data_path }}/matrix-metrics-htpasswd" | ||||
|     state: absent | ||||
|   when: "not matrix_nginx_proxy_proxy_matrix_metrics_enabled|bool or not matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled|bool" | ||||
|   | ||||
| @@ -27,6 +27,14 @@ | ||||
|       `matrix_nginx_proxy_ssl_preset` needs to be set to a known value. | ||||
|   when: "matrix_nginx_proxy_ssl_preset not in ['modern', 'intermediate', 'old']" | ||||
|  | ||||
| - name: Fail if Basic Auth enabled for metrics, but no credentials supplied | ||||
|   fail: | ||||
|     msg: | | ||||
|       Enabling Basic Auth for metrics (`matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled`) requires: | ||||
|       - either a username/password (provided in `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username` and `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password`) | ||||
|       - or raw htpasswd content (provided in `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content`) | ||||
|   when: "matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled|bool and (matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content == '' and (matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username == '' or matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password == ''))" | ||||
|  | ||||
| - block: | ||||
|     - name: (Deprecation) Catch and report renamed settings | ||||
|       fail: | ||||
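Review bot: The new "Fail if Basic Auth enabled for metrics" check passes when `matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content` is set together with a username and an empty password. `setup_metrics_auth.yml` branches on the username alone, so in that case it skips the raw-content task and appears to feed an empty password to `htpasswd`. Reject a username without a password regardless of raw content, for example with an extra `fail` task guarded by `when: "matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled|bool and matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username != '' and matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password == ''"`. It would also help to fail, or at least document precedence, when both credential styles are supplied. The deprecation block that follows continues outside this hunk.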
| @@ -36,6 +44,7 @@ | ||||
|       with_items: | ||||
|         - {'old': 'host_specific_matrix_ssl_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'} | ||||
|         - {'old': 'host_specific_matrix_ssl_lets_encrypt_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'} | ||||
|         - {'old': 'matrix_nginx_proxy_proxy_synapse_workers_enabled_list', 'new': '<no longer used>'} | ||||
|       when: "item.old in vars" | ||||
|  | ||||
|     - name: Fail if required variables are undefined | ||||
| @@ -49,3 +58,17 @@ | ||||
|         - "matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container" | ||||
|       when: "vars[item] == '' or vars[item] is none" | ||||
|   when: "matrix_ssl_retrieval_method == 'lets-encrypt'" | ||||
|  | ||||
| - name: (Deprecation) Catch and report old metrics usage | ||||
|   fail: | ||||
|     msg: >- | ||||
|       Your configuration contains a variable (`{{ item }}`), which refers to the old metrics collection system for Synapse, | ||||
|       which exposed metrics on `https://matrix.DOMAIN/_synapse/metrics` and `https://matrix.DOMAIN/_synapse-worker-TYPE-ID/metrics`. | ||||
|  | ||||
|       We now recommend exposing Synapse metrics in another way, from another URL. | ||||
|       Refer to the changelog for more details: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#2022-06-22 | ||||
|   with_items: | ||||
|     - matrix_nginx_proxy_proxy_synapse_metrics | ||||
|     - matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled | ||||
|     - matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key | ||||
|   when: "item in vars" | ||||
|   | ||||
| @@ -56,6 +56,17 @@ | ||||
|         resolver 127.0.0.11 valid=5s; | ||||
|         proxy_pass http://matrix-prometheus-postgres-exporter:9187/; | ||||
|   } | ||||
| 	{% if matrix_nginx_proxy_proxy_matrix_metrics_enabled %} | ||||
| 	location /metrics { | ||||
| 		{% if matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_enabled %} | ||||
| 			auth_basic "protected"; | ||||
| 			auth_basic_user_file {{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_path }}; | ||||
| 		{% endif %} | ||||
|  | ||||
| 		{% for configuration_block in matrix_nginx_proxy_proxy_matrix_metrics_additional_location_configuration_blocks %} | ||||
| 			{{- configuration_block }} | ||||
| 		{% endfor %} | ||||
| 	} | ||||
| 	{% endif %} | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_proxy_matrix_corporal_api_enabled %} | ||||
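Review bot: `auth_basic` in the new `location /metrics` block protects only locations nested inside it, so an exporter location is covered only if it is injected through `matrix_nginx_proxy_proxy_matrix_metrics_additional_location_configuration_blocks`. The context lines just above show a location that proxies to `matrix-prometheus-postgres-exporter:9187` and closes before this block. Its header is outside the hunk, but if it is a sibling prefix such as `/metrics/postgres-exporter`, nginx would select it as the longer match and never apply the Basic Auth check. Consider moving that exporter location into the injected blocks, or repeating `auth_basic` and `auth_basic_user_file` on it. A template comment such as `{# exporter locations are injected here so they inherit auth_basic #}` would record the intent.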
|   | ||||
| @@ -145,45 +145,6 @@ server { | ||||
| 		{{- configuration_block }} | ||||
| 	{% endfor %} | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_proxy_synapse_metrics %} | ||||
| 	location /_synapse/metrics { | ||||
| 		{% if matrix_nginx_proxy_enabled %} | ||||
| 			{# Use the embedded DNS resolver in Docker containers to discover the service #} | ||||
| 			resolver 127.0.0.11 valid=5s; | ||||
| 			set $backend "{{ matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container }}"; | ||||
| 			proxy_pass http://$backend; | ||||
| 		{% else %} | ||||
| 			{# Generic configuration for use outside of our container setup #} | ||||
| 			proxy_pass http://{{ matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container }}; | ||||
| 		{% endif %} | ||||
|  | ||||
| 		proxy_set_header Host $host; | ||||
|  | ||||
| 		{% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %} | ||||
| 			auth_basic "protected"; | ||||
| 			auth_basic_user_file {{ matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_path }}; | ||||
| 		{% endif %} | ||||
| 	} | ||||
| 	{% endif %} | ||||
|  | ||||
| 	{% if matrix_nginx_proxy_enabled and matrix_nginx_proxy_proxy_synapse_metrics %} | ||||
| 		{% for worker in matrix_nginx_proxy_proxy_synapse_workers_enabled_list %} | ||||
| 			{% if worker.metrics_port != 0 %} | ||||
| 				location /_synapse-worker-{{ worker.type }}-{{ worker.instanceId }}/metrics { | ||||
| 					resolver 127.0.0.11 valid=5s; | ||||
| 					set $backend "matrix-synapse-worker-{{ worker.type }}-{{ worker.instanceId }}:{{ worker.metrics_port }}"; | ||||
| 					proxy_pass http://$backend/_synapse/metrics; | ||||
| 					proxy_set_header Host $host; | ||||
|  | ||||
| 					{% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %} | ||||
| 						auth_basic "protected"; | ||||
| 						auth_basic_user_file {{ matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_path }}; | ||||
| 					{% endif %} | ||||
| 				} | ||||
| 			{% endif %} | ||||
| 		{% endfor %} | ||||
| 	{% endif %} | ||||
|  | ||||
| 	{# Everything else just goes to the API server ##} | ||||
| 	location / { | ||||
| 		{% if matrix_nginx_proxy_enabled %} | ||||
|   | ||||
| @@ -1,3 +0,0 @@ | ||||
| #jinja2: lstrip_blocks: "True" | ||||
| # User and password for protecting /_synapse/metrics URI | ||||
| prometheus:{{ matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key }} | ||||
| @@ -1,40 +0,0 @@ | ||||
| global: | ||||
|   scrape_interval: 5s | ||||
|  | ||||
|   # Attach these labels to any time series or alerts when communicating with | ||||
|   # external systems (federation, remote storage, Alertmanager). | ||||
|   external_labels: | ||||
|     monitor: 'synapse-{{ matrix_domain }}' | ||||
|  | ||||
| rule_files: | ||||
|   - /etc/prometheus/synapse-v2.rules | ||||
|  | ||||
| scrape_configs: | ||||
|   - job_name: 'synapse' | ||||
|     metrics_path: /_synapse/metrics | ||||
|     scheme: {{ 'https' if matrix_nginx_proxy_https_enabled else 'http' }} | ||||
| {% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %} | ||||
|     basic_auth: | ||||
|       username: prometheus | ||||
|       password_file: /path/to/your/passwordfile.pwd | ||||
| {% endif %} | ||||
|     static_configs: | ||||
|       - targets: ['{{ matrix_server_fqn_matrix }}:{{ matrix_nginx_proxy_container_https_host_bind_port if matrix_nginx_proxy_https_enabled else matrix_nginx_proxy_container_http_host_bind_port }}'] | ||||
|         labels: | ||||
|           job: "master" | ||||
|           index: "0" | ||||
| {% for worker in matrix_nginx_proxy_proxy_synapse_workers_enabled_list %} | ||||
|   - job_name: 'synapse-{{ worker.type }}-{{ worker.instanceId }}' | ||||
|     metrics_path: /_synapse-worker-{{ worker.type }}-{{ worker.instanceId }}/metrics | ||||
|     scheme: {{ 'https' if matrix_nginx_proxy_https_enabled else 'http' }} | ||||
| {% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %} | ||||
|     basic_auth: | ||||
|       username: prometheus | ||||
|       password_file: /path/to/your/passwordfile.pwd | ||||
| {% endif %} | ||||
|     static_configs: | ||||
|       - targets: ['{{ matrix_server_fqn_matrix }}:{{ matrix_nginx_proxy_container_https_host_bind_port if matrix_nginx_proxy_https_enabled else matrix_nginx_proxy_container_http_host_bind_port }}'] | ||||
|         labels: | ||||
|           job: "{{ worker.type }}" | ||||
|           index: "{{ worker.instanceId }}" | ||||
| {% endfor %} | ||||