3
0
mirror of https://github.com/spantaleev/matrix-docker-ansible-deploy.git synced 2025-10-24 00:53:23 +00:00
Commit Graph

49 Commits

Author SHA1 Message Date
renovate[bot]
36687c4747 Update nginx Docker tag to v1.29.1 2025-08-14 06:10:09 +03:00
renovate[bot]
133ba64375 Update nginx Docker tag to v1.29.0 2025-06-25 07:03:43 +03:00
renovate[bot]
2b50a0e6a0 Update nginx Docker tag to v1.28.0 2025-04-24 09:23:13 +03:00
renovate[bot]
d48867c07e Update nginx Docker tag to v1.27.5 2025-04-16 21:48:54 +03:00
Catalan Lover
cd60cf1199 Internal Admin API and Draupnir Hjack Command Config (#3389)
* Enable Internal Admin API Access separately from Public access.

* Add Config variable for Draupnir Hijack command

And also make the internal admin API be automatically  activated when this capability is used.

* Apply suggestions from code review

Co-authored-by: Slavi Pantaleev <slavi@devture.com>

* Further Refine Internal Admin API

* Add Non Worker Labels for Internal Admin API

* Variable Rename

* Add validation rules for Internal Synapse admin API

* Add Draupnir Admin API required config validation.

* Override `matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_traefik_entrypoints` via group vars

* Wire `matrix_bot_draupnir_admin_api_enabled` to `matrix_bot_draupnir_config_admin_enableMakeRoomAdminCommand` in Draupnir's `defaults/main.yml`

* Remove unnecessary `matrix_bot_draupnir_admin_api_enabled` override from `group_vars/matrix_servers`

The same value is now (more appropriately) defined in Draupnir's `defaults/main.yml` file anyway.

* Add additional condition (`matrix_bot_draupnir_enabled`) for enabling `matrix_synapse_container_labels_internal_client_synapse_admin_api_enabled`

* Use a separate task for validating `matrix_bot_draupnir_admin_api_enabled` when `matrix_bot_draupnir_config_admin_enableMakeRoomAdminCommand`

The other task deals with checking for null and not-blank and can't handle booleans properly.

---------

Co-authored-by: Slavi Pantaleev <slavi@devture.com>
2025-03-15 09:14:55 +02:00
Suguru Hirahara
aae64ebde4 Add license information to files for matrix-synapse-reverse-proxy-companion
Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org>
2025-03-03 00:18:04 +09:00
Slavi Pantaleev
10fabc32bc Rework client_body_buffer_size/client_max_body_size and proxy_max_temp_file_size configuration for matrix-synapse-reverse-proxy-companion
Until now, most sections were specifying their own values for these.
For `client_max_body_size`, a value of 25MB was hardcoded in most places.

This was generally OK, but..
Some sections (those generated by the `render_locations_to_upstream` macro), were not specifying these options
and were ending up with a default value for configuration options for `client_max_body_size` (likely 1MB), etc.

From now on:

- we use individual variables for defining these for the Client-Server
  and Federation API and apply these once at the `server` level

- we keep auto-determining the `client_max_body_size` for the
  Client-Server API based on `matrix_synapse_max_upload_size_mb`

- we keep auto-calculating the `client_max_body_size` for the Federation
  API based on the one for the Client API, but now also add a "minimum"
  value (`matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb_minimum: 100`)
  to ensure we don't go too low

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4100
2025-02-27 18:53:56 +02:00
Slavi Pantaleev
c47eca389b Rework all roles to include component_(docker|container)_image_registry_prefix* variables
This:

- brings consistency - no more mixing `_name_prefix` and `_registry_prefix`
- adds extensibility - a future patch will allow reconfiguring all registry prefixes for all roles in the playbook

We still have `_docker_` vs `_container_` inconsistencies.
These may be worked on later.
2025-02-24 11:38:47 +02:00
Slavi Pantaleev
d6bf789710 Remove matrix_container_global_registry_prefix variable
This is done for a few reasons:

- less globals and more indepdendence for each role is better. We rely
  on various externally-hosted roles and they don't rely on this global
  either.

- `matrix_container_global_registry_prefix` could make people think they
  could just override this variable and have all their images pull from
  elsewhere. This is rarely the case, unless you've taken special care
  to mirror all the various components (from their respective
  registries) to your own. In such a case, you probably know what you're
  mirroring and can adjust individual variables.

- nowadays, various components live on different registries.
  With Docker Inc tightening rate limits for Docker Hub, it's even more
  likely that we'll see increased diversity in where images are hosted
2025-02-23 10:15:41 +02:00
renovate[bot]
f40b26d3d3 Update nginx Docker tag to v1.27.4 2025-02-06 05:17:01 +00:00
Suguru Hirahara
c1c1b3ada0 Replace triple dots with horizontal ellipsis (U+2026)
Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org>
2024-12-06 13:34:50 +09:00
renovate[bot]
d08f1dcaff Update nginx Docker tag to v1.27.3 2024-11-27 00:51:10 +00:00
Slavi Pantaleev
57c5271d9d Enable (Traefik compression middleware)-assisted compression for synapse-reverse-proxy-companion
This likely breaks QR code login for Synapse-worker setups.

See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3749
2024-11-14 16:30:09 +02:00
Slavi Pantaleev
8a6b822bbd Always send /rendezvous routes to the same Synapse worker process (main) to fix QR code login
Related to https://github.com/matrix-org/matrix-spec-proposals/pull/4108
2024-11-01 09:52:41 +02:00
renovate[bot]
7f5f44ed47 Update nginx Docker tag to v1.27.2 2024-10-03 05:33:03 +00:00
renovate[bot]
e3d489c5fe chore(deps): update nginx docker tag to v1.27.1 2024-08-15 23:04:44 +00:00
Slavi Pantaleev
9f2eff2ac7 Respect devture_systemd_docker_base_docker_service_name
Related to 0241c71a4c

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3270#issuecomment-2143782962

With this change, it should be possible for people to adjust the Docker
dependency from `docker.service` to something else (e.g. `pkg-ContainerManager-dockerd.service`),
or to completely eliminate it by setting `devture_systemd_docker_base_docker_service_name` to an empty string.

This makes it easier for people to use the playbook against a Synology DSM server.
2024-06-04 13:14:34 +03:00
renovate[bot]
3d1ff4e489 chore(deps): update nginx docker tag to v1.27.0 2024-05-30 20:10:25 +00:00
Aine
6526a16e12 Add project source url to synapse reverse proxy companion 2024-04-21 00:07:28 +03:00
renovate[bot]
55a81ac368 chore(deps): update nginx docker tag to v1.25.5 2024-04-17 20:08:40 +00:00
David Mehren
e2643a317c Ensure reports always land on the synapse main process
We noticed that the reporting function in Element is broken, at least when using the 'specialized-workers' preset.

This changes the `main_override_locations_regex` of the reverse proxy companion to ensure that requests to `/_matrix/client/v3/rooms/<roomid>/report/<message>` always land on the main process.
2024-02-23 22:10:00 +01:00
renovate[bot]
e19db8a563 Update nginx Docker tag to v1.25.4 2024-02-14 22:41:48 +00:00
Slavi Pantaleev
a1179289a1 Split some homeserver _additional_networks variables into _auto and _custom 2024-01-26 12:55:01 +02:00
Michael Hollister
bd027159b1 Added extra systemd service arguments to synapse workers and proxy companion 2024-01-24 13:14:34 -06:00
Slavi Pantaleev
7cb33da46a Add some clarification comment in matrix-synapse-reverse-proxy-companion/defaults/main.yml 2024-01-20 11:35:20 +02:00
Charles Wright
025a7e5c66 Merge branch 'spantaleev:master' into cvwright/room-workers-v2 2024-01-17 08:02:47 -06:00
Slavi Pantaleev
042c74f90c Remove some useless oidc variables and /_synapse/oidc route handling
After some checking, it seems like there's `/_synapse/client/oidc`,
but no such thing as `/_synapse/oidc`.

I'm not sure why we've been reverse-proxying these paths for so long
(even in as far back as the `matrix-nginx-proxy` days), but it's time we
put a stop to it.

The OIDC docs have been simplified. There's no need to ask people to
expose the useless `/_synapse/oidc` endpoint. OIDC requires
`/_synapse/client/oidc` and `/_synapse/client` is exposed by default
already.
2024-01-17 14:45:19 +02:00
Slavi Pantaleev
c0afcaa2e3 Replace (almost) all matrix-org/synapse references with element-hq/synapse
Issues and Pull Requests were not migrated to the new
organization/repository, so `matrix-org/synapse/pull` and
`matrix-org/synapse/issues` references were kept as-is.

`matrix-org/synapse-s3-storage-provider` references were also kept,
as that module still continues living under the `matrix-org` organization.

This patch mainly aims to change documentation-related things, not actual
usage in full yet. For polish that, another more comprehensive patch is coming later.
2024-01-17 08:02:47 +02:00
Charles Wright
a1cbe7f39b Add overrides for locations that must go to the main Synapse process 2024-01-16 16:32:32 -06:00
Charles Wright
db70230ae1 Add room-workers as a new preset, with new room workers, sync workers, client readers, and federation readers. Based on https://tcpipuk.github.io/synapse/index.html 2024-01-16 09:17:24 -06:00
Slavi Pantaleev
b91ad453be Adjust TLS variables for homeservers to follow devture_traefik_config_entrypoint_web_secure_enabled (via matrix_federation_traefik_entrypoint_tls) 2024-01-15 09:39:36 +02:00
Slavi Pantaleev
f4f3d57520 Remove all traces of matrix-nginx-proxy, add validation & uninstallation tasks 2024-01-14 18:42:14 +02:00
Slavi Pantaleev
df5d8bfc04 Remove matrix-homeserver-proxy role in favor of the new internal Traefik entrypoint
This was meant to serve as an intermediary for services needing to reach
the homeserver. It was used like that for a while in this
`bye-bye-nginx-proxy` branch, but was never actually public.

It has recently been superseded by homeserver-like services injecting
themselves into a new internal Traefik entrypoint
(see `matrix_playbook_internal_matrix_client_api_traefik_entrypoint_*`),
so `matrix-homeserver-proxy` is no longer necessary.

---

This is probably a good moment to share some benchmarks and reasons
for going with the internal Traefik entrypoint as opposed to this nginx
service.

1. (1400 rps) Directly to Synapse (`ab -n 1000 -c 100 http://matrix-synapse:8008/_matrix/client/versions`
2. (~900 rps) Via `matrix-homeserver-proxy` (nginx) proxying to Synapse (`ab -n 1000 -c 100 http://matrix-homeserver-proxy:8008/_matrix/client/versions`)
3. (~1200 rps) Via the new internal entrypoint of Traefik (`matrix-internal-matrix-client-api`) proxying to Synapse (`ab -n 1000 -c 100 http://matrix-traefik:8008/_matrix/client/versions`)

Besides Traefik being quicker for some reason, there are also other
benefits to not having this `matrix-homeserver-proxy` component:

- we can reuse what we have in terms of labels. Services can register a few extra labels on the new Traefik entrypoint
- we don't need services (like `matrix-media-repo`) to inject custom nginx configs into `matrix-homeserver-proxy`. They just need to register labels, like they do already.
- Traefik seems faster than nginx on this benchmark for some reason, which is a nice bonus
- no need to run one extra container (`matrix-homeserver-proxy`) and execute one extra Ansible role
- no need to maintain a setup where some people run the `matrix-homeserver-proxy` component (because they have route-stealing services like `matrix-media-repo` enabled) and others run an optimized setup without this component and everything needs to be rewired to talk to the homeserver directly. Now, everyone can go through Traefik and we can all run an identical setup

Downsides of the new Traefik entrypoint setup are that:

- all addon services that need to talk to the homeserver now depend on Traefik
- people running their own Traefik setup will be inconvenienced - they
  need to manage one additional entrypoint
2024-01-14 10:53:14 +02:00
Slavi Pantaleev
17c9e3f168 Add support for the internal Traefik entrypoint to synapse-reverse-proxy-companion 2024-01-14 10:48:55 +02:00
Slavi Pantaleev
b2aeb8cde9 Rename label-related variables for homeservers
We'd be adding integration with an internal Traefik entrypoint
(`matrix_playbook_internal_matrix_client_api_traefik_entrypoint`),
so renaming helps disambiguate things.

There's no need for deperecation tasks, because the old names
have only been part of this `bye-bye-nginx-proxy` branch and not used by
anyone publicly.
2024-01-14 10:48:54 +02:00
Slavi Pantaleev
a78a749f75 Define matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_server_port in the role defaults and make the tag configurable 2024-01-13 16:43:46 +02:00
Slavi Pantaleev
41a52945d6 Add support for exposing metrics for Synapse workers 2024-01-12 12:16:06 +02:00
Slavi Pantaleev
d262ca0fe6 Only enable matrix-synapse-reverse-proxy-companion when Synapse workers are enabled
This allows us to eliminate the companion and decrease overhead for
simple servers which do not use workers.
2024-01-05 07:00:50 +02:00
Slavi Pantaleev
ab15991814 Fix some ansible-lint-reported errors 2024-01-04 13:00:46 +02:00
Slavi Pantaleev
54fb153acf Expose /_synapse/* APIs via matrix-synapse-reverse-proxy-companion
This also updates validation tasks and documentation, pointing to
variables in the matrix-synapse role which don't currently exist yet
(e.g. `matrix_synapse_container_labels_client_synapse_admin_api_enabled`).

These variables will be added soon, as Traefik labels are added to the
`matrix-synapse` role. At that point, the `matrix-synapse-reverse-proxy-companion` role
will be updated to also use them.
2024-01-04 11:37:17 +02:00
Slavi Pantaleev
0ea3fa0e85 Add matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname to simplify wiring 2024-01-04 10:53:43 +02:00
Slavi Pantaleev
e678adfeda Add root path (/) handling to matrix-synapse-reverse-proxy-companion (redirect or /_matrix/static/ serving) 2024-01-04 10:24:33 +02:00
Slavi Pantaleev
bbd9493b8f Handle /_matrix Client-Server and Federation APIs directly at matrix-synapse-reverse-proxy-companion 2024-01-03 17:05:59 +02:00
renovate[bot]
7c12c508d7 Update nginx Docker tag to v1.25.3 2023-10-25 03:59:15 +00:00
Samuel Meenzen
c846ed199b Annotate version numbers with renovate metadata 2023-10-06 14:14:03 +02:00
Aine
e7e81f7828 update nginx 1.25.1 -> 1.25.2 2023-08-16 10:09:30 +03:00
Dan Arnfield
05faf1f73f Update synapse reverse proxy companion 2023-06-23 18:05:47 -05:00
Slavi Pantaleev
f2e68469cb Upgrade nginx (1.23.2 -> 1.23.3) 2022-12-19 12:32:43 +02:00
Slavi Pantaleev
e9e84341a9 Reverse-proxy to Synapse via matrix-synapse-reverse-proxy-companion
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2090
2022-11-20 16:43:33 +02:00