This is still very far from usable.
Various bridges and bots are still talking to
`matrix-nginx-proxy` instead of the new `matrix-homeserver-proxy` role.
These services need to be reworked. While reworking them,
various cleanups are being done as well as adding Traefik-labels to
those that need them.
(['/matrix-cactus-comments.yaml'] if matrix_cactus_comments_enabled else [])
}}
matrix_bridges_homeserver_container_network: "{{ matrix_homeserver_proxy_container_network if matrix_homeserver_proxy_enabled else matrix_homeserver_container_network }}"
matrix_bridges_homeserver_client_api_url: "{{ matrix_homeserver_proxy_client_api_url if matrix_homeserver_proxy_enabled else matrix_homeserver_container_url }}"
matrix_bridges_homeserver_systemd_services_list: "{{ ([matrix_homeserver_proxy_ident + '.service']) if matrix_homeserver_proxy_enabled else matrix_homeserver_systemd_services_list }}"
matrix_bots_homeserver_container_network: "{{ matrix_homeserver_proxy_container_network if matrix_homeserver_proxy_enabled else matrix_homeserver_container_network }}"
matrix_bots_homeserver_client_api_url: "{{ matrix_homeserver_proxy_client_api_url if matrix_homeserver_proxy_enabled else matrix_homeserver_container_url }}"
matrix_bots_homeserver_systemd_services_list: "{{ ([matrix_homeserver_proxy_ident + '.service']) if matrix_homeserver_proxy_enabled else matrix_homeserver_systemd_services_list }}"
# Starting from version `0.6.0` conduit natively supports some sync v3 (sliding-sync) features.
matrix_homeserver_sliding_sync_url: "{{ matrix_sliding_sync_base_url if matrix_sliding_sync_enabled else (matrix_homeserver_url if matrix_homeserver_implementation in ['conduit'] else '') }}"
([('matrix-' + matrix_homeserver_implementation + '.service')] if matrix_homeserver_implementation == 'synapse' and not matrix_synapse_reverse_proxy_companion_enabled else [])
+
(['matrix-synapse-reverse-proxy-companion.service'] if matrix_synapse_reverse_proxy_companion_enabled else [])
([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else [])
(
([] if matrix_bridges_homeserver_container_network == '' else [matrix_bridges_homeserver_container_network])
+
([devture_postgres_container_network] if devture_postgres_enabled and matrix_mautrix_facebook_database_hostname == devture_postgres_connection_hostname else [])
+
([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network and matrix_mautrix_facebook_container_labels_traefik_enabled else [])
([] if matrix_bots_homeserver_container_network == '' else [matrix_bots_homeserver_container_network])
+
([devture_postgres_container_network] if devture_postgres_enabled and matrix_bot_matrix_reminder_bot_database_hostname == devture_postgres_connection_hostname else [])
([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else [])
+
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled and matrix_bot_postmoogle_database_hostname == matrix_bot_postmoogle_database_hostname else [])
+
(matrix_playbook_bot_postmoogle_traefik_certs_dumper_waiter_services | trim | split(' ') if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled else [])
}}
@ -1954,6 +2017,19 @@ matrix_bot_postmoogle_database_engine: "{{ 'postgres' if devture_postgres_enable
matrix_bot_postmoogle_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
([] if matrix_bots_homeserver_container_network == '' else [matrix_bots_homeserver_container_network])
+
([devture_postgres_container_network] if devture_postgres_enabled and matrix_bot_matrix_reminder_bot_database_hostname == devture_postgres_connection_hostname else [])
([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [])
+
([matrix_nginx_proxy_container_network] if matrix_nginx_proxy_enabled and matrix_nginx_proxy_container_network != matrix_sliding_sync_container_network else [])
([] if matrix_homeserver_container_network in ['', matrix_sliding_sync_container_network] else [matrix_homeserver_container_network])
+
([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != matrix_sliding_sync_container_network else [])
# matrix_mautrix_facebook_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
# See `../templates/labels.j2` for details.
#
# To inject your own other container labels, see `matrix_mautrix_facebook_container_labels_additional_labels`.
# Controls whether labels will be added that expose mautrix-facebook's metrics
matrix_mautrix_facebook_container_labels_metrics_enabled:"{{ matrix_mautrix_facebook_metrics_enabled and matrix_mautrix_facebook_metrics_proxying_enabled }}"
# If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_mautrix_facebook_metrics_proxying_enabled`.
matrix_mautrix_facebook_metrics_enabled:false
# Controls whether metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/mautrix-facebook`.
# This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`.
# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`.
# Controls whether metrics should be exposed on `matrix.DOMAIN/metrics/mautrix-facebook`.
- when:"matrix_mautrix_facebook_database_engine == 'sqlite' and matrix_mautrix_facebook_docker_image.endswith(':da1b4ec596e334325a1589e70829dea46e73064b')"
@ -23,3 +37,4 @@
"NOTE: Your mautrix-facebook bridge is still on SQLite and on the last version that supported it, before support was dropped. Support has been subsequently re-added in v0.3.2, so we advise you to upgrade (by removing your `matrix_mautrix_facebook_docker_image` definition from vars.yml)"
# matrix-homeserver-proxy is a role which brings up a containerized nginx webserver which helps with reverse-proxying to the Matrix homeserver (Synapse, etc.).
#
# Certain services (like matrix-media-repo, matrix-corporal, identity servers, etc.) may need to capture some requests destined for the homeserver
# and handle them instead of it.
#
# This role helps other services (bots, bridges, etc.) reach the homeserver in a way that:
# - is not very direct, so as to allow for some routes (media repo, etc.) to actually go elsewhere
# - is not via the public network and/or via HTTPS, which introduces major performance penalties
#
# Performance-wise, benchmarks show that:
# - each local (container) nginx hop adds about a 200 rps penalty
# - SSL termination (on the Traefik side) adds a 350 rps penalty
# - going over the public network adds another 70 rps penalty
#
# It's something like this for an existing flow (which will be gone soon):
# Here we are sticking with nginx default values change this value carefully.
matrix_homeserver_proxy_proxy_connect_timeout:60
matrix_homeserver_proxy_proxy_send_timeout:60
matrix_homeserver_proxy_proxy_read_timeout:60
matrix_homeserver_proxy_send_timeout:60
# For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter).
#
# Otherwise, we get warnings like this:
# > [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/matrix/ssl/config/live/.../fullchain.pem"
#
# We point it to the internal Docker resolver, which likely delegates to nameservers defined in `/etc/resolv.conf`.