mirror of
https://github.com/spantaleev/matrix-docker-ansible-deploy.git
synced 2026-02-08 15:00:52 +03:00
364 lines
30 KiB
YAML
364 lines
30 KiB
YAML
# SPDX-FileCopyrightText: 2022 - 2024 Slavi Pantaleev
|
|
# SPDX-FileCopyrightText: 2023 - 2024 Nikita Chernyi
|
|
# SPDX-FileCopyrightText: 2023 Dan Arnfield
|
|
# SPDX-FileCopyrightText: 2023 Samuel Meenzen
|
|
# SPDX-FileCopyrightText: 2024 Charles Wright
|
|
# SPDX-FileCopyrightText: 2024 David Mehren
|
|
# SPDX-FileCopyrightText: 2024 Michael Hollister
|
|
# SPDX-FileCopyrightText: 2024 - 2025 Catalan Lover <catalanlover@protonmail.com>
|
|
#
|
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
|
|
---
|
|
|
|
# matrix-synapse-reverse-proxy-companion is a role which brings up a containerized nginx webserver which helps with reverse-proxying to Synapse when workers are enabled.
|
|
#
|
|
# When Synapse is NOT running in worker-mode, reverse-proxying is relatively simple (everything goes to `matrix-synapse:XXXX`).
|
|
# In such cases, using this reverse-proxy companion is possible, but unnecessary - it's one more service in the stack, which also impacts performance a bit.
|
|
#
|
|
# When Synapse workers are enabled, however, the reverse-proxying configuration is much more complicated - certain requests need to go to certain workers, etc.
|
|
# matrix-synapse-reverse-proxy-companion is the central place services that need to reach Synapse could be pointed to.
|
|
#
|
|
# Project source code URL: https://github.com/nginx/nginx
|
|
|
|
matrix_synapse_reverse_proxy_companion_enabled: true
|
|
|
|
# renovate: datasource=docker depName=nginx
|
|
matrix_synapse_reverse_proxy_companion_version: 1.29.5-alpine
|
|
|
|
matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }}/reverse-proxy-companion"
|
|
matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d"
|
|
matrix_synapse_reverse_proxy_companion_njs_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/njs"
|
|
|
|
# List of systemd services that matrix-synapse-reverse-proxy-companion.service depends on
|
|
matrix_synapse_reverse_proxy_companion_systemd_required_services_list: "{{ matrix_synapse_reverse_proxy_companion_systemd_required_services_list_default + matrix_synapse_reverse_proxy_companion_systemd_required_services_list_auto + matrix_synapse_reverse_proxy_companion_systemd_required_services_list_custom }}"
|
|
matrix_synapse_reverse_proxy_companion_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
|
|
matrix_synapse_reverse_proxy_companion_systemd_required_services_list_auto: []
|
|
matrix_synapse_reverse_proxy_companion_systemd_required_services_list_custom: []
|
|
|
|
# List of systemd services that matrix-synapse-reverse-proxy-companion.service wants
|
|
matrix_synapse_reverse_proxy_companion_systemd_wanted_services_list: ['matrix-synapse.service']
|
|
|
|
# We use an official nginx image, which we fix-up to run unprivileged.
|
|
# An alternative would be an `nginxinc/nginx-unprivileged` image, but
|
|
# that is frequently out of date.
|
|
matrix_synapse_reverse_proxy_companion_container_image: "{{ matrix_synapse_reverse_proxy_companion_container_image_registry_prefix }}nginx:{{ matrix_synapse_reverse_proxy_companion_container_image_tag }}"
|
|
matrix_synapse_reverse_proxy_companion_container_image_registry_prefix: "{{ matrix_synapse_reverse_proxy_companion_container_image_registry_prefix_upstream }}"
|
|
matrix_synapse_reverse_proxy_companion_container_image_registry_prefix_upstream: "{{ matrix_synapse_reverse_proxy_companion_container_image_registry_prefix_upstream_default }}"
|
|
matrix_synapse_reverse_proxy_companion_container_image_registry_prefix_upstream_default: "docker.io/"
|
|
matrix_synapse_reverse_proxy_companion_container_image_tag: "{{ matrix_synapse_reverse_proxy_companion_version }}"
|
|
matrix_synapse_reverse_proxy_companion_container_image_force_pull: "{{ matrix_synapse_reverse_proxy_companion_container_image.endswith(':latest') }}"
|
|
|
|
matrix_synapse_reverse_proxy_companion_container_network: ""
|
|
|
|
# A list of additional container networks that matrix-synapse-reverse-proxy-companion would be connected to.
|
|
# The playbook does not create these networks, so make sure they already exist.
|
|
matrix_synapse_reverse_proxy_companion_container_additional_networks: "{{ matrix_synapse_reverse_proxy_companion_container_additional_networks_auto + matrix_synapse_reverse_proxy_companion_container_additional_networks_custom }}"
|
|
matrix_synapse_reverse_proxy_companion_container_additional_networks_auto: []
|
|
matrix_synapse_reverse_proxy_companion_container_additional_networks_custom: []
|
|
|
|
# Controls whether the matrix-synapse-reverse-proxy-companion container exposes its HTTP Client-Server API port (tcp/8008 in the container).
|
|
#
|
|
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8008"), or empty string to not expose.
|
|
matrix_synapse_reverse_proxy_companion_container_client_api_host_bind_port: ''
|
|
|
|
# Controls whether the matrix-synapse-reverse-proxy-companion container exposes its HTTP Federation (Server-Server) API port (tcp/8048 in the container).
|
|
#
|
|
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8048"), or empty string to not expose.
|
|
matrix_synapse_reverse_proxy_companion_container_federation_api_host_bind_port: ''
|
|
|
|
# matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
|
|
# See `../templates/labels.j2` for details.
|
|
#
|
|
# To inject your own other container labels, see `matrix_synapse_reverse_proxy_companion_container_labels_additional_labels`.
|
|
matrix_synapse_reverse_proxy_companion_container_labels_traefik_enabled: true
|
|
matrix_synapse_reverse_proxy_companion_container_labels_traefik_docker_network: "{{ matrix_synapse_reverse_proxy_companion_container_network }}"
|
|
matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints: web-secure
|
|
matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver: default # noqa var-naming
|
|
matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname: ''
|
|
|
|
# Controls whether a compression middleware will be injected into the middlewares list.
|
|
# This compression middleware is supposed to be defined elsewhere (using labels or a File provider, etc.) and is merely referenced by this router.
|
|
matrix_synapse_reverse_proxy_companion_container_labels_traefik_compression_middleware_enabled: false
|
|
matrix_synapse_reverse_proxy_companion_container_labels_traefik_compression_middleware_name: ""
|
|
|
|
# Controls whether labels will be added that expose the Client-Server API on a public Traefik entrypoint.
|
|
matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_enabled: true
|
|
matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}"
|
|
matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_path_prefix: /_matrix
|
|
matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_path_prefix }}`)"
|
|
matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_priority: 0
|
|
matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}"
|
|
matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_entrypoints != 'web' }}"
|
|
matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming
|
|
|
|
# Controls whether labels will be added that expose the Client-Server API on the internal Traefik entrypoint.
|
|
# This is similar to `matrix_synapse_container_labels_public_client_api_enabled`, but the entrypoint and intent is different.
|
|
matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_enabled: false
|
|
matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_path_prefix: "{{ matrix_synapse_container_labels_public_client_api_traefik_path_prefix }}"
|
|
matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_rule: "PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_path_prefix }}`)"
|
|
matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_priority: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_api_traefik_priority }}"
|
|
matrix_synapse_reverse_proxy_companion_container_labels_internal_client_api_traefik_entrypoints: ""
|
|
|
|
# Controls whether labels will be added that expose the /_synapse/client paths
|
|
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_enabled: true
|
|
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}"
|
|
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_path_prefix: /_synapse/client
|
|
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_path_prefix }}`)"
|
|
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_priority: 0
|
|
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}"
|
|
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_entrypoints != 'web' }}"
|
|
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_client_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming
|
|
|
|
# Controls whether labels will be added that expose the /_synapse/admin paths
|
|
# Following these recommendations (https://github.com/element-hq/synapse/blob/master/docs/reverse_proxy.md), by default, we don't.
|
|
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_enabled: false
|
|
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}"
|
|
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_path_prefix: /_synapse/admin
|
|
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_path_prefix }}`)"
|
|
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_priority: 0
|
|
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_entrypoints: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_entrypoints }}"
|
|
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_tls: "{{ matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_entrypoints != 'web' }}"
|
|
matrix_synapse_reverse_proxy_companion_container_labels_public_client_synapse_admin_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming
|
|
|
|
# Controls whether labels will be added that expose the /_synapse/admin paths on the internal Traefik entrypoint.
|
|
# This is similar to `matrix_synapse_container_labels_public_client_api_enabled`, but the entrypoint and intent is different.
|
|
matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_enabled: false
|
|
matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_traefik_path_prefix: "{{ matrix_synapse_container_labels_internal_client_synapse_admin_api_traefik_path_prefix }}"
|
|
matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_traefik_rule: "PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_traefik_path_prefix }}`)"
|
|
matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_traefik_priority: 0
|
|
matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_traefik_entrypoints: ""
|
|
|
|
# Controls whether labels will be added that expose the Server-Server API (Federation API).
|
|
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_enabled: "{{ matrix_synapse_reverse_proxy_companion_federation_api_enabled }}"
|
|
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_hostname: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_hostname }}"
|
|
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_path_prefix: /_matrix
|
|
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_path_prefix }}`)"
|
|
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_priority: 0
|
|
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_entrypoints: ''
|
|
# TLS is force-enabled here, because the spec (https://spec.matrix.org/v1.9/server-server-api/#tls) says that the federation API must use HTTPS.
|
|
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_tls: true
|
|
matrix_synapse_reverse_proxy_companion_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_synapse_reverse_proxy_companion_container_labels_traefik_tls_certResolver }}" # noqa var-naming
|
|
|
|
# matrix_synapse_reverse_proxy_companion_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
|
|
# See `../templates/labels.j2` for details.
|
|
#
|
|
# Example:
|
|
# matrix_synapse_reverse_proxy_companion_container_labels_additional_labels: |
|
|
# my.label=1
|
|
# another.label="here"
|
|
matrix_synapse_reverse_proxy_companion_container_labels_additional_labels: ''
|
|
|
|
# A list of extra arguments to pass to the container
|
|
# Also see `matrix_synapse_reverse_proxy_companion_container_arguments`
|
|
matrix_synapse_reverse_proxy_companion_container_extra_arguments: []
|
|
|
|
# matrix_synapse_reverse_proxy_companion_container_extra_arguments_auto is a list of extra arguments to pass to the container.
|
|
# This list is managed by the playbook. You're not meant to override this variable.
|
|
# If you'd like to inject your own arguments, see `matrix_synapse_reverse_proxy_companion_container_extra_arguments`.
|
|
matrix_synapse_reverse_proxy_companion_container_extra_arguments_auto: []
|
|
|
|
# matrix_synapse_reverse_proxy_companion_container_arguments holds the final list of extra arguments to pass to the container.
|
|
# You're not meant to override this variable.
|
|
# If you'd like to inject your own arguments, see `matrix_synapse_reverse_proxy_companion_container_extra_arguments`.
|
|
matrix_synapse_reverse_proxy_companion_container_arguments: "{{ matrix_synapse_reverse_proxy_companion_container_extra_arguments + matrix_synapse_reverse_proxy_companion_container_extra_arguments_auto }}"
|
|
|
|
# The amount of worker processes and connections
|
|
# Consider increasing these when you are expecting high amounts of traffic
|
|
# http://nginx.org/en/docs/ngx_core_module.html#worker_connections
|
|
matrix_synapse_reverse_proxy_companion_worker_processes: auto
|
|
matrix_synapse_reverse_proxy_companion_worker_connections: 1024
|
|
|
|
# Option to disable the access log
|
|
matrix_synapse_reverse_proxy_companion_access_log_enabled: true
|
|
|
|
# Controls whether to send access logs to a remote syslog-compatible server
|
|
matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_enabled: false
|
|
matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_server_port: ''
|
|
# This is intentionally different. The maximum allowed length is 32 characters and dashes are not allowed.
|
|
matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_tag: matrix_synapse_rev_proxy_comp
|
|
|
|
# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
|
|
matrix_synapse_reverse_proxy_companion_tmp_directory_size_mb: "{{ (matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb | int) * 50 }}"
|
|
matrix_synapse_reverse_proxy_companion_tmp_cache_directory_size_mb: "{{ (matrix_synapse_reverse_proxy_companion_synapse_cache_max_size_mb | int) * 2 }}"
|
|
|
|
# A list of strings containing additional configuration blocks to add to the nginx server configuration (nginx.conf).
|
|
# for big matrixservers to enlarge the number of open files to prevent timeouts
|
|
# matrix_synapse_reverse_proxy_companion_additional_configuration_blocks:
|
|
# - 'worker_rlimit_nofile 30000;'
|
|
matrix_synapse_reverse_proxy_companion_additional_configuration_blocks: []
|
|
|
|
# A list of strings containing additional configuration blocks to add to the nginx event server configuration (nginx.conf).
|
|
matrix_synapse_reverse_proxy_companion_event_additional_configuration_blocks: []
|
|
|
|
# A list of strings containing additional configuration blocks to add to the nginx http's server configuration (nginx-http.conf).
|
|
matrix_synapse_reverse_proxy_companion_http_additional_server_configuration_blocks: []
|
|
|
|
# To increase request timeout in NGINX using proxy_read_timeout, proxy_connect_timeout, proxy_send_timeout, send_timeout directives
|
|
# Nginx Default: proxy_connect_timeout 60s; #Defines a timeout for establishing a connection with a proxied server
|
|
# Nginx Default: proxy_send_timeout 60s; #Sets a timeout for transmitting a request to the proxied server.
|
|
# Nginx Default: proxy_read_timeout 60s; #Defines a timeout for reading a response from the proxied server.
|
|
# Nginx Default: send_timeout 60s; #Sets a timeout for transmitting a response to the client.
|
|
#
|
|
# For more information visit:
|
|
# http://nginx.org/en/docs/http/ngx_http_proxy_module.html
|
|
# http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout
|
|
# https://www.nginx.com/resources/wiki/start/topics/examples/fullexample2/
|
|
#
|
|
# Here we are sticking with nginx default values change this value carefully.
|
|
matrix_synapse_reverse_proxy_companion_proxy_connect_timeout: 60
|
|
matrix_synapse_reverse_proxy_companion_proxy_send_timeout: 60
|
|
matrix_synapse_reverse_proxy_companion_proxy_read_timeout: 60
|
|
matrix_synapse_reverse_proxy_companion_send_timeout: 60
|
|
|
|
# For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter).
|
|
#
|
|
# Otherwise, we get warnings like this:
|
|
# > [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/matrix/ssl/config/live/…/fullchain.pem"
|
|
#
|
|
# We point it to the internal Docker resolver, which likely delegates to nameservers defined in `/etc/resolv.conf`.
|
|
matrix_synapse_reverse_proxy_companion_http_level_resolver: 127.0.0.11
|
|
|
|
matrix_synapse_reverse_proxy_companion_hostname: "matrix-synapse-reverse-proxy-companion"
|
|
|
|
# matrix_synapse_reverse_proxy_companion_client_api_addr specifies the address where the Client-Server API is
|
|
matrix_synapse_reverse_proxy_companion_client_api_addr: 'matrix-synapse:{{ matrix_synapse_container_client_api_port }}'
|
|
|
|
# The maximum body size for client requests to any of the endpoints on the Client-Server API.
|
|
# This needs to be equal or higher than the maximum upload size accepted by Synapse.
|
|
matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb: 100
|
|
|
|
# The buffer size for client requests to any of the endpoints on the Client-Server API.
|
|
matrix_synapse_reverse_proxy_companion_client_api_client_body_buffer_size_mb: "{{ matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb }}"
|
|
|
|
# matrix_synapse_reverse_proxy_companion_federation_api_enabled specifies whether reverse proxying for the Federation (Server-Server) API should be done
|
|
matrix_synapse_reverse_proxy_companion_federation_api_enabled: true
|
|
# matrix_synapse_reverse_proxy_companion_federation_api_addr specifies the address where the Federation (Server-Server) API is
|
|
matrix_synapse_reverse_proxy_companion_federation_api_addr: 'matrix-synapse:{{ matrix_synapse_container_federation_api_plain_port }}'
|
|
|
|
# The maximum body size for client requests to any of the endpoints on the Federation API.
|
|
# We auto-calculate this based on the Client-Server API's maximum body size, but use a minimum value to ensure we don't go to low.
|
|
matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb: "{{ [matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb_minimum, (matrix_synapse_reverse_proxy_companion_client_api_client_max_body_size_mb | int) * 3] | max }}"
|
|
matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb_minimum: 100
|
|
|
|
# The buffer size for client requests to any of the endpoints on the Federation API.
|
|
matrix_synapse_reverse_proxy_companion_federation_api_client_body_buffer_size_mb: "{{ matrix_synapse_reverse_proxy_companion_federation_api_client_max_body_size_mb }}"
|
|
|
|
# A list of strings containing additional configuration blocks to add to the nginx vhost handling the Synapse Client-Server API
|
|
matrix_synapse_reverse_proxy_companion_synapse_client_api_additional_server_configuration_blocks: []
|
|
|
|
# A list of strings containing additional configuration blocks to add to the nginx vhost handling the Synapse Federation (Server-Server) API
|
|
matrix_synapse_reverse_proxy_companion_synapse_federation_api_additional_server_configuration_blocks: []
|
|
|
|
|
|
# synapse worker activation and endpoint mappings.
|
|
# These are all populated via Ansible group variables.
|
|
matrix_synapse_reverse_proxy_companion_synapse_workers_enabled: false
|
|
matrix_synapse_reverse_proxy_companion_synapse_workers_list: []
|
|
matrix_synapse_reverse_proxy_companion_synapse_room_worker_client_server_locations: []
|
|
matrix_synapse_reverse_proxy_companion_synapse_room_worker_federation_locations: []
|
|
matrix_synapse_reverse_proxy_companion_synapse_sync_worker_client_server_locations: []
|
|
matrix_synapse_reverse_proxy_companion_synapse_client_reader_client_server_locations: []
|
|
matrix_synapse_reverse_proxy_companion_synapse_federation_reader_federation_locations: []
|
|
matrix_synapse_reverse_proxy_companion_synapse_generic_worker_client_server_locations: []
|
|
matrix_synapse_reverse_proxy_companion_synapse_generic_worker_federation_locations: []
|
|
matrix_synapse_reverse_proxy_companion_synapse_stream_writer_typing_stream_worker_client_server_locations: []
|
|
matrix_synapse_reverse_proxy_companion_synapse_stream_writer_to_device_stream_worker_client_server_locations: []
|
|
matrix_synapse_reverse_proxy_companion_synapse_stream_writer_account_data_stream_worker_client_server_locations: []
|
|
matrix_synapse_reverse_proxy_companion_synapse_stream_writer_receipts_stream_worker_client_server_locations: []
|
|
matrix_synapse_reverse_proxy_companion_synapse_stream_writer_presence_stream_worker_client_server_locations: []
|
|
matrix_synapse_reverse_proxy_companion_synapse_media_repository_locations: []
|
|
matrix_synapse_reverse_proxy_companion_synapse_user_dir_locations: []
|
|
matrix_synapse_reverse_proxy_companion_client_server_main_override_locations_regex: ^/_matrix/client/(api/v1|r0|v3|unstable)/(account/3pid/|directory/list/room/|pushrules/|rooms/[^/]+/(forget|upgrade|report)|login/sso/redirect/|register)
|
|
matrix_synapse_reverse_proxy_companion_client_server_sso_override_locations_regex: ^(/_matrix/client/(api/v1|r0|v3|unstable)/login/sso/redirect|/_synapse/client/(pick_username|(new_user_consent|oidc/callback|pick_idp|sso_register)$))
|
|
# Related to MSC4108 (https://github.com/matrix-org/matrix-spec-proposals/pull/4108)
|
|
matrix_synapse_reverse_proxy_companion_client_server_qr_code_login_locations_regex: ^(/_matrix/client/(unstable|v1)/org.matrix.msc4108/rendezvous|/_synapse/client/rendezvous)$
|
|
|
|
matrix_synapse_reverse_proxy_companion_federation_override_locations_regex: ^/_matrix/federation/v1/openid/userinfo$
|
|
|
|
# synapse content caching
|
|
matrix_synapse_reverse_proxy_companion_synapse_cache_enabled: false
|
|
matrix_synapse_reverse_proxy_companion_synapse_cache_path: /tmp/synapse-cache
|
|
matrix_synapse_reverse_proxy_companion_synapse_cache_keys_zone_name: "STATIC"
|
|
matrix_synapse_reverse_proxy_companion_synapse_cache_keys_zone_size: "10m"
|
|
matrix_synapse_reverse_proxy_companion_synapse_cache_inactive_time: "48h"
|
|
matrix_synapse_reverse_proxy_companion_synapse_cache_max_size_mb: 1024
|
|
matrix_synapse_reverse_proxy_companion_synapse_cache_proxy_cache_valid_time: "24h"
|
|
|
|
|
|
# Controls whether matrix-synapse-reverse-proxy-companion trusts an upstream server's X-Forwarded-Proto header.
|
|
# The `matrix-synapse-reverse-proxy-companion` does not terminate SSL and always expects to be fronted by another reverse-proxy server.
|
|
# As such, it trusts the protocol scheme forwarded by the upstream proxy.
|
|
matrix_synapse_reverse_proxy_companion_trust_forwarded_proto: true
|
|
matrix_synapse_reverse_proxy_companion_x_forwarded_proto_value: "{{ '$http_x_forwarded_proto' if matrix_synapse_reverse_proxy_companion_trust_forwarded_proto else '$scheme' }}"
|
|
|
|
|
|
########################################################################################
|
|
# #
|
|
# njs module #
|
|
# #
|
|
########################################################################################
|
|
|
|
# Controls whether the njs module is loaded.
|
|
matrix_synapse_reverse_proxy_companion_njs_enabled: "{{ matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_enabled }}"
|
|
|
|
########################################################################################
|
|
# #
|
|
# /njs module #
|
|
# #
|
|
########################################################################################
|
|
|
|
|
|
########################################################################################
|
|
# #
|
|
# Whoami-based sync worker routing #
|
|
# #
|
|
########################################################################################
|
|
|
|
# Controls whether the whoami-based sync worker router is enabled.
|
|
# When enabled, the reverse proxy will call Synapse's /_matrix/client/v3/account/whoami endpoint
|
|
# to resolve access tokens to usernames, allowing consistent routing of requests from the same user
|
|
# to the same sync worker regardless of which device or token they use.
|
|
#
|
|
# This works with any authentication system (native Synapse auth, MAS, etc.) because Synapse
|
|
# handles the token validation internally.
|
|
#
|
|
# Enabled by default when there are sync workers, because sync workers benefit from user-level
|
|
# stickiness due to their per-user in-memory caches.
|
|
matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_enabled: "{{ matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'sync_worker') | list | length > 0 }}"
|
|
|
|
# The whoami endpoint path (Matrix spec endpoint).
|
|
matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_endpoint: /_matrix/client/v3/account/whoami
|
|
|
|
# The full URL to the whoami endpoint.
|
|
matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_url: "http://{{ matrix_synapse_reverse_proxy_companion_client_api_addr }}{{ matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_endpoint }}"
|
|
|
|
# Cache duration (in seconds) for whoami lookup results.
|
|
# Token -> username mappings are cached to avoid repeated whoami calls.
|
|
# A longer TTL reduces load on Synapse but means username changes take longer to take effect.
|
|
matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_cache_ttl_seconds: 3600
|
|
|
|
# Size of the shared memory zone for caching whoami results (in megabytes).
|
|
# Each cached entry is approximately 100-200 bytes.
|
|
matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_cache_size_mb: 1
|
|
|
|
# Controls whether verbose logging is enabled for the whoami sync worker router.
|
|
# When enabled, logs cache hits/misses and routing decisions.
|
|
# Useful for debugging, but should be disabled in production.
|
|
matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_logging_enabled: false
|
|
|
|
# The length of the access token to show in logs when logging is enabled.
|
|
# Keeping this short is a good idea from a security perspective.
|
|
matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_logging_token_length: 12
|
|
|
|
# Controls whether debug response headers are added to sync requests.
|
|
# When enabled, adds X-Sync-Worker-Router-User-Identifier and X-Sync-Worker-Router-Upstream headers.
|
|
# Useful for debugging routing behavior, but should be disabled in production.
|
|
matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_debug_headers_enabled: false
|
|
|
|
########################################################################################
|
|
# #
|
|
# /Whoami-based sync worker routing #
|
|
# #
|
|
########################################################################################
|