matrix_nginx_proxy_enabled : true
# We use an official nginx image, which we fix-up to run unprivileged.
# An alternative would be an `nginxinc/nginx-unprivileged` image, but
# that is frequently out of date.
matrix_nginx_proxy_docker_image : "nginx:1.19.2-alpine"
matrix_nginx_proxy_docker_image_force_pull : "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}"
matrix_nginx_proxy_base_path : "{{ matrix_base_data_path }}/nginx-proxy"
matrix_nginx_proxy_data_path : "{{ matrix_nginx_proxy_base_path }}/data"
matrix_nginx_proxy_confd_path : "{{ matrix_nginx_proxy_base_path }}/conf.d"
# List of systemd services that matrix-nginx-proxy.service depends on
matrix_nginx_proxy_systemd_required_services_list : [ 'docker.service' ]
# List of systemd services that matrix-nginx-proxy.service wants
matrix_nginx_proxy_systemd_wanted_services_list : [ ]
# A list of additional "volumes" to mount in the container.
# This list gets populated dynamically at runtime. You can provide a different default value,
# if you wish to mount your own files into the container.
# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
matrix_nginx_proxy_container_additional_volumes : [ ]
# A list of extra arguments to pass to the container
matrix_nginx_proxy_container_extra_arguments : [ ]
# Controls whether matrix-nginx-proxy serves its vhosts over HTTPS or HTTP.
#
# If enabled:
# - SSL certificates would be expected to be available (see `matrix_ssl_retrieval_method`)
# - the HTTP vhost would be made a redirect to the HTTPS vhost
#
# If not enabled:
# - you don't need any SSL certificates (you can set `matrix_ssl_retrieval_method: none`)
# - naturally, there's no HTTPS vhost
# - services are served directly from the HTTP vhost
matrix_nginx_proxy_https_enabled : true
# Controls whether the matrix-nginx-proxy container exposes its HTTP port (tcp/8080 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:80"), or empty string to not expose.
matrix_nginx_proxy_container_http_host_bind_port : '80'
# Controls whether the matrix-nginx-proxy container exposes its HTTPS port (tcp/8443 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:443"), or empty string to not expose.
#
# This only makes sense and applies if `matrix_nginx_proxy_https_enabled` is set to `true`.
# Otherwise, there are no HTTPS vhosts to expose.
matrix_nginx_proxy_container_https_host_bind_port : '443'
# Controls whether the matrix-nginx-proxy container exposes the Matrix Federation port (tcp/8448 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8448"), or empty string to not expose.
#
# This only makes sense and applies if `matrix_nginx_proxy_proxy_matrix_federation_api_enabled` is set to `true`.
# Otherwise, there is no Matrix Federation port to expose.
#
# This port can take HTTP or HTTPS traffic, depending on `matrix_nginx_proxy_https_enabled`.
# When HTTPS is disabled, you'd likely want to only expose the port locally, and front it with another HTTPS-enabled reverse-proxy.
matrix_nginx_proxy_container_federation_host_bind_port : '8448'
# Controls whether matrix-nginx-proxy should serve the base domain.
#
# This is useful for when you only have your Matrix server, but you need to serve
# to serve `/.well-known/matrix/*` files from the base domain for the needs of
# Server-Discovery (Federation) and for Client-Discovery.
#
# Besides serving these Matrix files, a homepage would be served with content
# as specified in the `matrix_nginx_proxy_base_domain_homepage_template` variable.
# You can also put additional files to use for this webpage
# in the `{{ matrix_nginx_proxy_data_path }}/matrix-domain` (`/matrix/nginx-proxy/data/matrix-domain`) directory.
matrix_nginx_proxy_base_domain_serving_enabled : false
matrix_nginx_proxy_base_domain_hostname : "{{ matrix_domain }}"
# Controls whether `matrix_nginx_proxy_base_domain_homepage_template` would be dumped to an `index.html` file
# in the `/matrix/nginx-proxy/data/matrix-domain` directory.
#
# If you would instead like to serve a static website by yourself, you can disable this.
# When disabled, you're expected to put website files in `/matrix/nginx-proxy/data/matrix-domain` manually
# and can expect that the playbook won't intefere with the `index.html` file.
matrix_nginx_proxy_base_domain_homepage_enabled : true
matrix_nginx_proxy_base_domain_homepage_template : |-
<!doctype html>
<meta charset="utf-8" />
<html>
<body>
Hello from {{ matrix_domain }}!
</body>
</html>
# Controls whether proxying the riot domain should be done.
matrix_nginx_proxy_proxy_riot_compat_redirect_enabled : false
matrix_nginx_proxy_proxy_riot_compat_redirect_hostname : "riot.{{ matrix_domain }}"
# Controls whether proxying the Element domain should be done.
matrix_nginx_proxy_proxy_element_enabled : false
matrix_nginx_proxy_proxy_element_hostname : "{{ matrix_server_fqn_element }}"
# Controls whether proxying the matrix domain should be done.
matrix_nginx_proxy_proxy_matrix_enabled : false
matrix_nginx_proxy_proxy_matrix_hostname : "{{ matrix_server_fqn_matrix }}"
# Controls whether proxying the dimension domain should be done.
matrix_nginx_proxy_proxy_dimension_enabled : false
matrix_nginx_proxy_proxy_dimension_hostname : "{{ matrix_server_fqn_dimension }}"
# Controls whether proxying the jitsi domain should be done.
matrix_nginx_proxy_proxy_jitsi_enabled : false
matrix_nginx_proxy_proxy_jitsi_hostname : "{{ matrix_server_fqn_jitsi }}"
# Controls whether proxying for the matrix-corporal API (`/_matrix/corporal`) should be done (on the matrix domain)
matrix_nginx_proxy_proxy_matrix_corporal_api_enabled : false
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container : "matrix-corporal:41081"
matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container : "127.0.0.1:41081"
# Controls whether proxying for the User Directory Search API (`/_matrix/client/r0/user_directory/search`) should be done (on the matrix domain).
# This can be used to forward the API endpoint to another service, augmenting the functionality of Synapse's own User Directory Search.
# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/directory.md
matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled : false
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container : "matrix-ma1sd:8090"
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container : "127.0.0.1:8090"
# Controls whether proxying for 3PID-based registration (`/_matrix/client/r0/register/(email|msisdn)/requestToken`) should be done (on the matrix domain).
# This allows another service to control registrations involving 3PIDs.
# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md
matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled : false
matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container : "matrix-ma1sd:8090"
matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container : "127.0.0.1:8090"
# Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain)
matrix_nginx_proxy_proxy_matrix_identity_api_enabled : false
matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container : "matrix-ma1sd:8090"
matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container : "127.0.0.1:8090"
# Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain)
matrix_nginx_proxy_proxy_synapse_metrics : false
matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled : false
matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key : ""
# The addresses where the Matrix Client API is.
# Certain extensions (like matrix-corporal) may override this in order to capture all traffic.
matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container : "matrix-synapse:8008"
matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container : "127.0.0.1:8008"
# This needs to be equal or higher than the maximum upload size accepted by Synapse.
matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb : 25
# Controls whether proxying for the Matrix Federation API should be done.
matrix_nginx_proxy_proxy_matrix_federation_api_enabled : false
matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container : "matrix-synapse:8048"
matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container : "localhost:8048"
matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb : "{{ (matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb | int) * 3 }}"
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate : "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem"
matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key : "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem"
# The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
matrix_nginx_proxy_tmp_directory_size_mb : "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}"
# A list of strings containing additional configuration blocks to add to the nginx http's server configuration.
matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks : [ ]
# A list of strings containing additional configuration blocks to add to the matrix synapse's server configuration.
matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks : [ ]
# A list of strings containing additional configuration blocks to add to Riot's server configuration.
matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks : [ ]
# A list of strings containing additional configuration blocks to add to Element's server configuration.
matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks : [ ]
# A list of strings containing additional configuration blocks to add to Dimension's server configuration.
matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks : [ ]
# A list of strings containing additional configuration blocks to add to Jitsi's server configuration.
matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks : [ ]
# A list of strings containing additional configuration blocks to add to the base domain server configuration.
matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks : [ ]
# Specifies when to reload the matrix-nginx-proxy service so that
# a new SSL certificate could go into effect.
matrix_nginx_proxy_reload_cron_time_definition : "20 4 */5 * *"
# Specifies which SSL protocols to use when serving all the various vhosts
matrix_nginx_proxy_ssl_protocols : "TLSv1.2 TLSv1.3"
# Controls whether the self-check feature should validate SSL certificates.
matrix_nginx_proxy_self_check_validate_certificates : true
# Controls whether redirects will be followed when checking the `/.well-known/matrix/client` resource.
#
# As per the spec (https://matrix.org/docs/spec/client_server/r0.6.0#well-known-uri), it shouldn't be,
# so we default to not following redirects as well.
matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects : none
# By default, this playbook automatically retrieves and auto-renews
# free SSL certificates from Let's Encrypt.
#
# The following retrieval methods are supported:
# - "lets-encrypt" - the playbook obtains free SSL certificates from Let's Encrypt
# - "self-signed" - the playbook generates and self-signs certificates
# - "manually-managed" - lets you manage certificates by yourself (manually; see below)
# - "none" - like "manually-managed", but doesn't care if you don't drop certificates in the location it expects
#
# If you decide to manage certificates by yourself (`matrix_ssl_retrieval_method: manually-managed`),
# you'd need to drop them into the directory specified by `matrix_ssl_config_dir_path`
# obeying the following hierarchy:
# - <matrix_ssl_config_dir_path>/live/<domain>/fullchain.pem
# - <matrix_ssl_config_dir_path>/live/<domain>/privkey.pem
# where <domain> refers to the domains that you need (usually `matrix_server_fqn_matrix` and `matrix_server_fqn_element`).
#
# The "none" type (`matrix_ssl_retrieval_method: none`), simply means that no certificate retrieval will happen.
# It's useful for when you've disabled the nginx proxy (`matrix_nginx_proxy_enabled: false`)
# and you'll be using another reverse-proxy server (like Apache) with your own certificates, managed by yourself.
# It's also useful if you're using `matrix_nginx_proxy_https_enabled: false` to make this nginx proxy serve
# plain HTTP traffic only (usually, on the loopback interface only) and you'd be terminating SSL using another reverse-proxy.
matrix_ssl_retrieval_method : "lets-encrypt"
matrix_ssl_architecture : "amd64"
# The list of domains that this role will obtain certificates for.
matrix_ssl_domains_to_obtain_certificates_for : [ ]
# Controls whether to obtain production or staging certificates from Let's Encrypt.
matrix_ssl_lets_encrypt_staging : false
matrix_ssl_lets_encrypt_certbot_docker_image : "certbot/certbot:{{ matrix_ssl_architecture }}-v1.7.0"
matrix_ssl_lets_encrypt_certbot_docker_image_force_pull : "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"
matrix_ssl_lets_encrypt_certbot_standalone_http_port : 2402
matrix_ssl_lets_encrypt_support_email : ~
# Tells which interface and port the Let's Encrypt (certbot) container should try to bind to
# when it tries to obtain initial certificates in standalone mode.
#
# This should normally be a public interface and port.
# If you'd like to not bind on all IP addresses, specify one explicitly (e.g. `a.b.c.d:80`)
matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port : '80'
matrix_ssl_base_path : "{{ matrix_base_data_path }}/ssl"
matrix_ssl_config_dir_path : "{{ matrix_ssl_base_path }}/config"
matrix_ssl_log_dir_path : "{{ matrix_ssl_base_path }}/log"
# nginx status page configurations.
matrix_nginx_proxy_proxy_matrix_nginx_status_enabled : false
matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses : [ '{{ ansible_default_ipv4.address }}' ]
# worker
matrix_nginx_proxy_synapse_workers_enabled : "{{ matrix_synapse_workers_enabled }}"
matrix_nginx_proxy_synapse_workers_enabled_list : "{{ matrix_synapse_workers_enabled_list }}"
matrix_nginx_proxy_synapse_generic_worker_locations : [
# Sync requests
'^/_matrix/client/(v2_alpha|r0)/sync$' ,
'^/_matrix/client/(api/v1|v2_alpha|r0)/events$' ,
'^/_matrix/client/(api/v1|r0)/initialSync$' ,
'^/_matrix/client/(api/v1|r0)/rooms/[^/]+/initialSync$' ,
# Federation requests
'^/_matrix/federation/v1/event/' ,
'^/_matrix/federation/v1/state/' ,
'^/_matrix/federation/v1/state_ids/' ,
'^/_matrix/federation/v1/backfill/' ,
'^/_matrix/federation/v1/get_missing_events/' ,
'^/_matrix/federation/v1/publicRooms' ,
'^/_matrix/federation/v1/query/' ,
'^/_matrix/federation/v1/make_join/' ,
'^/_matrix/federation/v1/make_leave/' ,
'^/_matrix/federation/v1/send_join/' ,
'^/_matrix/federation/v2/send_join/' ,
'^/_matrix/federation/v1/send_leave/' ,
'^/_matrix/federation/v2/send_leave/' ,
'^/_matrix/federation/v1/invite/' ,
'^/_matrix/federation/v2/invite/' ,
'^/_matrix/federation/v1/query_auth/' ,
'^/_matrix/federation/v1/event_auth/' ,
'^/_matrix/federation/v1/exchange_third_party_invite/' ,
'^/_matrix/federation/v1/user/devices/' ,
'^/_matrix/federation/v1/get_groups_publicised$' ,
'^/_matrix/key/v2/query' ,
# Inbound federation transaction request
'^/_matrix/federation/v1/send/' ,
# Client API requests
'^/_matrix/client/(api/v1|r0|unstable)/publicRooms$' ,
'^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/joined_members$' ,
'^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/context/.*$' ,
'^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/members$' ,
'^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state$' ,
'^/_matrix/client/(api/v1|r0|unstable)/account/3pid$' ,
'^/_matrix/client/(api/v1|r0|unstable)/keys/query$' ,
'^/_matrix/client/(api/v1|r0|unstable)/keys/changes$' ,
'^/_matrix/client/versions$' ,
'^/_matrix/client/(api/v1|r0|unstable)/voip/turnServer$' ,
'^/_matrix/client/(api/v1|r0|unstable)/joined_groups$' ,
'^/_matrix/client/(api/v1|r0|unstable)/publicised_groups$' ,
'^/_matrix/client/(api/v1|r0|unstable)/publicised_groups/' ,
# Registration/login requests
'^/_matrix/client/(api/v1|r0|unstable)/login$' ,
'^/_matrix/client/(r0|unstable)/register$' ,
'^/_matrix/client/(r0|unstable)/auth/.*/fallback/web$' ,
# Event sending requests
'^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/send' ,
'^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state/' ,
'^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$' ,
'^/_matrix/client/(api/v1|r0|unstable)/join/' ,
'^/_matrix/client/(api/v1|r0|unstable)/profile/' ,
]
matrix_nginx_proxy_synapse_media_repository_locations : [
'^/_matrix/media/' ,
'^/_synapse/admin/v1/purge_media_cache$' ,
'^/_synapse/admin/v1/room/.*/media.*$' ,
'^/_synapse/admin/v1/user/.*/media.*$' ,
'^/_synapse/admin/v1/media/.*$' ,
'^/_synapse/admin/v1/quarantine_media/.*$' ,
]
matrix_nginx_proxy_synapse_user_dir_locations : [
'^/_matrix/client/(api/v1|r0|unstable)/user_directory/search$' ,
]