From ab59cc50bd70bc7b14ff577748f2e0672022963b Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Sat, 25 May 2019 07:41:04 +0900
Subject: [PATCH] Add support for more flexible container port exposing

Fixes #171 (Github Issue).
---
 CHANGELOG.md | 35 ++++++++++++++
 group_vars/matrix_servers | 46 +++++++++++--------
 .../defaults/main.yml | 6 ++-
 .../tasks/validate_config.yml | 9 ++++
 .../matrix-appservice-discord.service.j2 | 4 +-
 .../defaults/main.yml | 6 ++-
 .../tasks/validate_config.yml | 8 ++++
 .../systemd/matrix-appservice-irc.service.j2 | 4 +-
 roles/matrix-corporal/defaults/main.yml | 11 ++++-
 .../matrix-corporal/tasks/validate_config.yml | 12 ++++-
 .../systemd/matrix-corporal.service.j2 | 8 ++--
 roles/matrix-coturn/tasks/validate_config.yml | 2 +-
 roles/matrix-dimension/defaults/main.yml | 5 +-
 .../tasks/validate_config.yml | 9 ++++
 .../systemd/matrix-dimension.service.j2 | 4 +-
 roles/matrix-mxisd/defaults/main.yml | 9 +++-
 roles/matrix-mxisd/tasks/validate_config.yml | 10 ++++
 .../templates/systemd/matrix-mxisd.service.j2 | 4 +-
 .../tasks/validate_config.yml | 2 +-
 roles/matrix-riot-web/defaults/main.yml | 5 +-
 .../matrix-riot-web/tasks/validate_config.yml | 5 +-
 .../systemd/matrix-riot-web.service.j2 | 4 +-
 roles/matrix-riot-web/vars/main.yml | 2 +-
 roles/matrix-synapse/defaults/main.yml | 36 +++++++++++----
 .../matrix-synapse/tasks/validate_config.yml | 5 +-
 .../synapse/systemd/matrix-synapse.service.j2 | 16 +++----
 26 files changed, 199 insertions(+), 68 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 27e83dc4..999280b5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,38 @@
+# 2019-05-25
+
+## Support for exposing container ports publicly (not just to the host)
+
+Until now, various roles supported a `matrix_*_expose_port` variable, which would expose their container's port to the host. This was mostly useful for reverse-proxying manually (in case `matrix-nginx-proxy` was disabled). It could also be used for installing some playbook services (e.g. bridges, etc.) and wiring them to a separate (manual) Matrix setup.
+
+`matrix_*_expose_port` variables were not granular enough - sometimes they would expose one port, other times multiple. They also didn't provide control over **where** to expose (to which port number and to which network interface), because they would usually hardcode something like `127.0.0.1:8080`.
+
+All such variables have been superseded by a better (more flexible) way to do it.
+
+**Most** people (including those not using `matrix-nginx-proxy`), **don't need** to bother with this.
+
+Porting examples follow for people having more customized setups:
+
+- **from** `matrix_synapse_container_expose_client_api_port: true` **to** `matrix_synapse_container_client_api_host_bind_port: '127.0.0.1:8008'`
+
+- **from** `matrix_synapse_container_expose_federation_api_port: true` **to** `matrix_synapse_container_federation_api_plain_host_bind_port: '127.0.0.1:8048'` and possibly `matrix_synapse_container_federation_api_tls_host_bind_port: '8448'`
+
+- **from** `matrix_synapse_container_expose_metrics_port: true` **to** `matrix_synapse_container_metrics_api_host_bind_port: '127.0.0.1:9100'`
+
+- **from** `matrix_riot_web_container_expose_port: true` **to** `matrix_riot_web_container_http_host_bind_port: '127.0.0.1:8765'`
+
+- **from** `matrix_mxisd_container_expose_port: true` **to** `matrix_mxisd_container_http_host_bind_port: '127.0.0.1:8090'`
+
+- **from** `matrix_dimension_container_expose_port: true` **to** `matrix_dimension_container_http_host_bind_port: '127.0.0.1:8184'`
+
+- **from** `matrix_corporal_container_expose_ports: true` **to** `matrix_corporal_container_http_gateway_host_bind_port: '127.0.0.1:41080'` and possibly `matrix_corporal_container_http_api_host_bind_port: '127.0.0.1:41081'`
+
+- **from** `matrix_appservice_irc_container_expose_client_server_api_port: true` **to** `matrix_appservice_irc_container_http_host_bind_port: '127.0.0.1:9999'`
+
+- **from** `matrix_appservice_discord_container_expose_client_server_api_port: true` **to** `matrix_appservice_discord_container_http_host_bind_port: '127.0.0.1:9005'`
+
+As always, if you forget to remove usage of some outdated variable, the playbook will warn you.
+
+
 # 2019-05-23

 ## Ansible 2.8 compatibility
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 9defecae..dc96c209 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -36,8 +36,8 @@ matrix_appservice_discord_enabled: false

 # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-discord over the container network.
 # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
-# matrix-appservice-discord's client-server port to the local host (`127.0.0.1:9005`).
-matrix_appservice_discord_container_expose_client_server_api_port: "{{ not matrix_nginx_proxy_enabled }}"
+# matrix-appservice-discord's client-server port to the local host.
+matrix_appservice_discord_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9005' }}"

 matrix_appservice_discord_systemd_required_services_list: |
 {{
@@ -64,8 +64,8 @@ matrix_appservice_irc_enabled: false # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-irc over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# matrix-appservice-irc's client-server port to the local host (`127.0.0.1:9999`). -matrix_appservice_irc_container_expose_client_server_api_port: "{{ not matrix_nginx_proxy_enabled }}" +# matrix-appservice-irc's client-server port to the local host. +matrix_appservice_irc_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9999' }}" matrix_appservice_irc_systemd_required_services_list: | {{ @@ -162,8 +162,9 @@ matrix_corporal_enabled: false # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-corporal over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# matrix-corporal's web-server ports to the local host (`127.0.0.1:41080` and `127.0.0.1:41081`). -matrix_corporal_container_expose_ports: "{{ not matrix_nginx_proxy_enabled }}" +# matrix-corporal's web-server ports to the local host. +matrix_corporal_container_http_gateway_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:41080' }}" +matrix_corporal_container_http_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:41081' }}" matrix_corporal_systemd_required_services_list: | {{ 
@@ -222,8 +223,8 @@ matrix_dimension_enabled: false # Normally, matrix-nginx-proxy is enabled and nginx can reach Dimension over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# the Dimension HTTP port to the local host (`127.0.0.1:8184`). -matrix_dimension_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}" +# the Dimension HTTP port to the local host. +matrix_dimension_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8184' }}" ###################################################################### # @@ -264,8 +265,8 @@ matrix_mxisd_enabled: true # Normally, matrix-nginx-proxy is enabled and nginx can reach mxisd over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# mxisd's web-server port to the local host (`127.0.0.1:8090`). -matrix_mxisd_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}" +# mxisd's web-server port. +matrix_mxisd_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8090' }}" # We enable Synapse integration via its Postgres database by default. # When using another Identity store, you might wish to disable this and define @@ -408,8 +409,8 @@ matrix_riot_web_enabled: true # Normally, matrix-nginx-proxy is enabled and nginx can reach riot-web over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# the riot-web HTTP port to the local host (`127.0.0.1:80`). -matrix_riot_web_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}" +# the riot-web HTTP port to the local host. +matrix_riot_web_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8765' }}" matrix_riot_web_default_hs_url: "{{ matrix_homeserver_url }}" matrix_riot_web_default_is_url: "{{ matrix_identity_server_url }}" 
@@ -449,15 +450,20 @@ matrix_riot_web_enable_presence_by_hs_url: | matrix_synapse_trusted_third_party_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network. -# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose its ports -# to the local host. +# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, +# you can expose Synapse's ports to the host. # -# For exposing the Matrix Client API's port (plain HTTP) to the local host (`127.0.0.1:8008`). -matrix_synapse_container_expose_client_api_port: "{{ not matrix_nginx_proxy_enabled }}" -# For exposing the Matrix Federation API's port (plain HTTP) to the local host (`127.0.0.1:8048`). -matrix_synapse_container_expose_federation_api_port: "{{ not matrix_nginx_proxy_enabled }}" - -matrix_synapse_container_expose_metrics_port: "{{ not matrix_nginx_proxy_enabled }}" +# For exposing the Matrix Client API's port (plain HTTP) to the local host. +matrix_synapse_container_client_api_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8008' }}" +# +# For exposing the Matrix Federation API's plain port (plain HTTP) to the local host. +matrix_synapse_container_federation_api_plain_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8048' }}" +# +# For exposing the Matrix Federation API's TLS port (HTTPS) to the internet on all network interfaces. +matrix_synapse_container_federation_api_tls_host_bind_port: "{{ '8448' if (matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled) else '' }}" +# +# For exposing the Synapse Metrics API's port (plain HTTP) to the local host. 
+matrix_synapse_container_metrics_api_host_bind_port: "{{ '127.0.0.1:9100' if (matrix_synapse_metrics_enabled and not matrix_nginx_proxy_enabled) else '' }}" matrix_synapse_database_host: "{{ matrix_postgres_connection_hostname }}" matrix_synapse_database_user: "{{ matrix_postgres_connection_username }}" diff --git a/roles/matrix-bridge-appservice-discord/defaults/main.yml b/roles/matrix-bridge-appservice-discord/defaults/main.yml index d9406774..23c5df25 100644 --- a/roles/matrix-bridge-appservice-discord/defaults/main.yml +++ b/roles/matrix-bridge-appservice-discord/defaults/main.yml @@ -11,8 +11,10 @@ matrix_appservice_discord_base_path: "{{ matrix_base_data_path }}/appservice-dis matrix_appservice_discord_client_id: '' matrix_appservice_discord_bot_token: '' -# Controls whether the Appservice Discord container exposes the Client/Server API port (tcp/9005). -matrix_appservice_discord_container_expose_client_server_api_port: false +# Controls whether the matrix-appservice-discord container exposes its HTTP port (tcp/9005 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:9005"), or empty string to not expose. +matrix_appservice_discord_container_http_host_bind_port: '' # A list of extra arguments to pass to the container matrix_appservice_discord_container_extra_arguments: [] diff --git a/roles/matrix-bridge-appservice-discord/tasks/validate_config.yml b/roles/matrix-bridge-appservice-discord/tasks/validate_config.yml index 0afe9a0d..fc321237 100644 --- a/roles/matrix-bridge-appservice-discord/tasks/validate_config.yml +++ b/roles/matrix-bridge-appservice-discord/tasks/validate_config.yml 
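Review bot: The last added line hardcodes the metrics host port as `127.0.0.1:9100`, while the container side of that same `-p` mapping in matrix-synapse.service.j2 is `{{ matrix_synapse_metrics_port }}`, and the removed `matrix_synapse_container_expose_metrics_port` path mapped `127.0.0.1:{{ matrix_synapse_metrics_port }}` on both sides. A deployment that overrides `matrix_synapse_metrics_port` therefore ends up with a different host port than before this commit, with nothing flagging the change. Deriving the host side from the same variable keeps the old behaviour: `matrix_synapse_container_metrics_api_host_bind_port: "{{ ('127.0.0.1:' ~ matrix_synapse_metrics_port) if (matrix_synapse_metrics_enabled and not matrix_nginx_proxy_enabled) else '' }}"`. Whether 9100 is the default of `matrix_synapse_metrics_port` is not visible in this diff, so the hardcoded value may well coincide with it for unmodified setups.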
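Review bot: The added comment `Takes an ":" or "" value (e.g. "127.0.0.1:9005")` reads as if the placeholder names were dropped, presumably `<ip>:<port>` and `<port>`; if that happened in the commit itself rather than in this rendering, the comment should spell them out. More importantly for a variable that replaces a loopback-only boolean, the comment does not say what a bare port means, and on Docker a bare `<port>` is published on all host interfaces, generally bypassing the host's INPUT-chain firewall rules, so a plain-HTTP bridge port can become reachable from outside by omitting the address. I would write it as `# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9005"), or an empty string to not expose.` followed by `# A bare "<port>" is published on all host interfaces by Docker; bind to 127.0.0.1 unless the port must be reachable from outside.`. The same comment text is added in the defaults hunks for appservice-irc, corporal, dimension, mxisd, riot-web and synapse, which should get the same wording.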
@@ -8,3 +8,12 @@ with_items: - "matrix_appservice_discord_client_id" - "matrix_appservice_discord_bot_token" + +- name: (Deprecation) Catch and report renamed appservice-discord variables + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_appservice_discord_container_expose_client_server_api_port', 'new': ''} diff --git a/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 b/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 index 627c7ed6..4ae408c5 100644 --- a/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 +++ b/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 @@ -19,8 +19,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-appservice-discord \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --network={{ matrix_docker_network }} \ - {% if matrix_appservice_discord_container_expose_client_server_api_port %} - -p 127.0.0.1:9005:9005 \ + {% if matrix_appservice_discord_container_http_host_bind_port %} + -p {{ matrix_appservice_discord_container_http_host_bind_port }}:9005 \ {% endif %} -v {{ matrix_appservice_discord_base_path }}:/data \ {% for arg in matrix_appservice_discord_container_extra_arguments %} diff --git a/roles/matrix-bridge-appservice-irc/defaults/main.yml b/roles/matrix-bridge-appservice-irc/defaults/main.yml index 138fd369..a4b1ef22 100644 --- a/roles/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml 
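Review bot: The deprecation entry added at the end sets `'new': ''` although a direct replacement exists, so the failure message renders as "rename the variable (`matrix_appservice_discord_container_expose_client_server_api_port` -> ``)" and sends the user to an empty name. The entry should read `- {'old': 'matrix_appservice_discord_container_expose_client_server_api_port', 'new': 'matrix_appservice_discord_container_http_host_bind_port'}`; the same applies to the renamed-variable entries in the appservice-irc, corporal, dimension, mxisd, riot-web and synapse validate_config hunks (for corporal, where two variables replace one, naming the gateway variable is enough to point the user at the right section of defaults). Separately, nothing validates the format of the new value before it is interpolated into `docker run -p` in the service template, so a typo such as `127.0.0.1.9005` only surfaces when the systemd unit fails to start; this validation phase is the place to catch it, and a check along the lines below (IPv4 only — extend the pattern if bracketed IPv6 addresses should be accepted) does that.
```yaml
# … unchanged: required-settings check and deprecation task …
- name: Fail if matrix_appservice_discord_container_http_host_bind_port is malformed
  fail:
    msg: >-
      `matrix_appservice_discord_container_http_host_bind_port` must be empty, a port,
      or an address:port pair (e.g. `127.0.0.1:9005`), but is
      `{{ matrix_appservice_discord_container_http_host_bind_port }}`.
  when: "matrix_appservice_discord_container_http_host_bind_port != '' and matrix_appservice_discord_container_http_host_bind_port is not match('^([0-9.]+:)?[0-9]+$')"
```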
@@ -7,8 +7,10 @@ matrix_appservice_irc_docker_image: "tedomum/matrix-appservice-irc:latest" matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc" -# Controls whether the Appservice IRC container exposes the Client/Server API port (tcp/9999). -matrix_appservice_irc_container_expose_client_server_api_port: false +# Controls whether the matrix-appservice-discord container exposes its HTTP port (tcp/9999 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:9999"), or empty string to not expose. +matrix_appservice_irc_container_http_host_bind_port: '' # A list of extra arguments to pass to the container matrix_appservice_irc_container_extra_arguments: [] diff --git a/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml b/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml index 952487e9..cd4c1a31 100644 --- a/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml +++ b/roles/matrix-bridge-appservice-irc/tasks/validate_config.yml @@ -14,3 +14,11 @@ You need to define additional configuration in `matrix_appservice_irc_configuration_extension_yaml` or to override `matrix_appservice_irc_configuration`. when: "matrix_appservice_irc_configuration.ircService|default(none) is none" +- name: (Deprecation) Catch and report renamed appservice-irc variables + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_appservice_irc_container_expose_client_server_api_port', 'new': ''} diff --git a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 index 1a2b2153..b50f058e 100644 --- a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 
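Review bot: The added comment in roles/matrix-bridge-appservice-irc/defaults/main.yml says `matrix-appservice-discord`, which looks copied from the discord role; it should read `# Controls whether the matrix-appservice-irc container exposes its HTTP port (tcp/9999 in the container).`. The port number and the example below it already match the IRC service template (`-p {{ matrix_appservice_irc_container_http_host_bind_port }}:9999`), so only the service name is wrong.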
+++ b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 @@ -19,8 +19,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-appservice-irc \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --network={{ matrix_docker_network }} \ - {% if matrix_appservice_irc_container_expose_client_server_api_port %} - -p 127.0.0.1:9999:9999 \ + {% if matrix_appservice_irc_container_http_host_bind_port %} + -p {{ matrix_appservice_irc_container_http_host_bind_port }}:9999 \ {% endif %} -v {{ matrix_appservice_irc_base_path }}:/data:z \ {% for arg in matrix_appservice_irc_container_extra_arguments %} diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml index 09bdbb56..47e834a4 100644 --- a/roles/matrix-corporal/defaults/main.yml +++ b/roles/matrix-corporal/defaults/main.yml @@ -3,8 +3,15 @@ matrix_corporal_enabled: true -# Controls whether the matrix-corporal web server's ports (`41080` and `41081`) are exposed outside of the container. -matrix_corporal_container_expose_ports: false +# Controls whether the matrix-corporal container exposes its gateway HTTP port (tcp/41080 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:41080"), or empty string to not expose. +matrix_corporal_container_http_gateway_host_bind_port: '' + +# Controls whether the matrix-corporal container exposes its API HTTP port (tcp/41081 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:41081"), or empty string to not expose. +matrix_corporal_container_http_api_host_bind_port: '' # A list of extra arguments to pass to the container matrix_corporal_container_extra_arguments: [] diff --git a/roles/matrix-corporal/tasks/validate_config.yml b/roles/matrix-corporal/tasks/validate_config.yml index ace2eb1f..9c6b295e 100644 --- a/roles/matrix-corporal/tasks/validate_config.yml +++ b/roles/matrix-corporal/tasks/validate_config.yml 
@@ -2,7 +2,7 @@ - name: Fail if required matrix-corporal settings not defined fail: - msg: > + msg: >- You need to define a required configuration setting (`{{ item }}`) for using matrix-corporal. when: "vars[item] == ''" with_items: @@ -15,3 +15,13 @@ fail: msg: "The Matrix Corporal HTTP API is enabled (`matrix_corporal_http_api_enabled`), but no auth token has been set in `matrix_corporal_http_api_auth_token`" when: "matrix_corporal_http_api_enabled|bool and matrix_corporal_http_api_auth_token == ''" + + +- name: (Deprecation) Catch and report renamed corporal variables + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_corporal_container_expose_ports', 'new': ''} diff --git a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 index 4979166e..ae4830ff 100644 --- a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 +++ b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2 @@ -17,9 +17,11 @@ ExecStart=/usr/bin/docker run --rm --name matrix-corporal \ --cap-drop=ALL \ --read-only \ --network={{ matrix_docker_network }} \ - {% if matrix_corporal_container_expose_ports %} - -p 127.0.0.1:41080:41080 \ - -p 127.0.0.1:41081:41081 \ + {% if matrix_corporal_container_http_gateway_host_bind_port %} + -p {{ matrix_corporal_container_http_gateway_host_bind_port }}:41080 \ + {% endif %} + {% if matrix_corporal_container_http_api_host_bind_port %} + -p {{ matrix_corporal_container_http_api_host_bind_port }}:41081 \ {% endif %} -v {{ matrix_corporal_config_dir_path }}:/etc/matrix-corporal:ro \ -v {{ matrix_corporal_cache_dir_path }}:/var/cache/matrix-corporal:rw \ 
diff --git a/roles/matrix-coturn/tasks/validate_config.yml b/roles/matrix-coturn/tasks/validate_config.yml index 39019982..d8276d3a 100644 --- a/roles/matrix-coturn/tasks/validate_config.yml +++ b/roles/matrix-coturn/tasks/validate_config.yml @@ -2,7 +2,7 @@ - name: Fail if required Coturn settings not defined fail: - msg: > + msg: >- You need to define a required configuration setting (`{{ item }}`) for using Coturn. when: "vars[item] == ''" with_items: diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index bae6aa10..d2c5a011 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -18,7 +18,10 @@ matrix_dimension_docker_image: "turt2live/matrix-dimension:latest" matrix_dimension_user_uid: 1000 matrix_dimension_user_gid: 1000 -matrix_dimension_container_expose_port: false +# Controls whether the matrix-dimension container exposes its HTTP port (tcp/8184 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8184"), or empty string to not expose. +matrix_dimension_container_http_host_bind_port: '' # A list of extra arguments to pass to the container matrix_dimension_container_extra_arguments: [] diff --git a/roles/matrix-dimension/tasks/validate_config.yml b/roles/matrix-dimension/tasks/validate_config.yml index 59a4c050..62f23e33 100644 --- a/roles/matrix-dimension/tasks/validate_config.yml +++ b/roles/matrix-dimension/tasks/validate_config.yml @@ -13,3 +13,12 @@ with_items: - "matrix_synapse_federation_enabled" when: "matrix_dimension_enabled|bool and not matrix_synapse_federation_enabled|bool" + +- name: (Deprecation) Catch and report renamed Dimension variables + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_dimension_container_expose_port', 'new': ''} 
diff --git a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 index a95e1ca0..c32027b1 100644 --- a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 +++ b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2 @@ -17,8 +17,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-dimension \ {% if matrix_dimension_widgets_allow_self_signed_ssl_certificates %} -e NODE_TLS_REJECT_UNAUTHORIZED=0 \ {% endif %} - {% if matrix_dimension_container_expose_port %} - -p 127.0.0.1:8184:8184 \ + {% if matrix_dimension_container_http_host_bind_port %} + -p {{ matrix_dimension_container_http_host_bind_port }}:8184 \ {% endif %} -v {{ matrix_dimension_base_path }}:/data:rw \ {% for arg in matrix_dimension_container_extra_arguments %} diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml index df2cc78b..ec9c0bda 100644 --- a/roles/matrix-mxisd/defaults/main.yml +++ b/roles/matrix-mxisd/defaults/main.yml @@ -1,3 +1,6 @@ +# mxisd is a Federated Matrix Identity Server +# See: https://github.com/kamax-matrix/mxisd + matrix_mxisd_enabled: true matrix_mxisd_docker_image: "kamax/mxisd:1.4.3" @@ -5,8 +8,10 @@ matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd" matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config" matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data" -# Controls whether the mxisd web server's port (`8090`) is exposed outside of the container. -matrix_mxisd_container_expose_port: false +# Controls whether the matrix-mxisd container exposes its HTTP port (tcp/8090 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8090"), or empty string to not expose. +matrix_mxisd_container_http_host_bind_port: '' # A list of extra arguments to pass to the container matrix_mxisd_container_extra_arguments: [] 
diff --git a/roles/matrix-mxisd/tasks/validate_config.yml b/roles/matrix-mxisd/tasks/validate_config.yml index 3b125b3f..200a43a3 100644 --- a/roles/matrix-mxisd/tasks/validate_config.yml +++ b/roles/matrix-mxisd/tasks/validate_config.yml @@ -45,3 +45,13 @@ when: "vars[item] == ''" with_items: - "matrix_mxisd_threepid_medium_email_connectors_smtp_host" + + +- name: (Deprecation) Catch and report renamed mxisd variables + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_mxisd_container_expose_port', 'new': ''} diff --git a/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 b/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 index 892e565c..09ebb05d 100644 --- a/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 +++ b/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 @@ -23,8 +23,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mxisd \ --read-only \ --tmpfs=/tmp:rw,exec,nosuid,size=10m \ --network={{ matrix_docker_network }} \ - {% if matrix_mxisd_container_expose_port %} - -p 127.0.0.1:8090:8090 \ + {% if matrix_mxisd_container_http_host_bind_port %} + -p {{ matrix_mxisd_container_http_host_bind_port }}:8090 \ {% endif %} -v {{ matrix_mxisd_config_path }}:/etc/mxisd:ro \ -v {{ matrix_mxisd_data_path }}:/var/mxisd:rw \ diff --git a/roles/matrix-nginx-proxy/tasks/validate_config.yml b/roles/matrix-nginx-proxy/tasks/validate_config.yml index 9316fc4e..e5b672ed 100644 --- a/roles/matrix-nginx-proxy/tasks/validate_config.yml +++ b/roles/matrix-nginx-proxy/tasks/validate_config.yml 
@@ -2,7 +2,7 @@ - name: (Deprecation) Catch and report renamed settings fail: - msg: > + msg: >- Your configuration contains a variable, which now has a different name. Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). when: "item.old in vars" diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index 7208d1b3..0b4b9931 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -4,7 +4,10 @@ matrix_riot_web_docker_image: "bubuntux/riot-web:v1.1.2" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" -matrix_riot_web_container_expose_port: false +# Controls whether the matrix-riot-web container exposes its HTTP port (tcp/8080 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8765"), or empty string to not expose. +matrix_riot_web_container_http_host_bind_port: '' # A list of extra arguments to pass to the container matrix_riot_web_container_extra_arguments: [] diff --git a/roles/matrix-riot-web/tasks/validate_config.yml b/roles/matrix-riot-web/tasks/validate_config.yml index 0a96afc0..611eb947 100644 --- a/roles/matrix-riot-web/tasks/validate_config.yml +++ b/roles/matrix-riot-web/tasks/validate_config.yml @@ -8,9 +8,9 @@ with_items: - "matrix_riot_web_default_hs_url" -- name: (Deprecation) Catch and report renamed settings +- name: (Deprecation) Catch and report renamed riot-web variables fail: - msg: > + msg: >- Your configuration contains a variable, which now has a different name. Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). when: "item.old in vars" @@ -20,3 +20,4 @@ - {'old': 'matrix_riot_web_homepage_template_technical', 'new': ''} - {'old': 'matrix_riot_web_homepage_template_building', 'new': ''} - {'old': 'matrix_riot_web_homepage_template_contributing', 'new': ''} + - {'old': 'matrix_riot_web_container_expose_port', 'new': ''} 
diff --git a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 index 59bcf340..20e17354 100644 --- a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 +++ b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2 @@ -17,8 +17,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \ --cap-drop=ALL \ --read-only \ --network={{ matrix_docker_network }} \ - {% if matrix_riot_web_container_expose_port %} - -p 127.0.0.1:8765:8080 \ + {% if matrix_riot_web_container_http_host_bind_port %} + -p {{ matrix_riot_web_container_http_host_bind_port }}:8080 \ {% endif %} --tmpfs=/tmp:rw,noexec,nosuid,size=10m \ -v {{ matrix_riot_web_data_path }}/nginx.conf:/etc/nginx/nginx.conf:ro \ diff --git a/roles/matrix-riot-web/vars/main.yml b/roles/matrix-riot-web/vars/main.yml index 201b5bdd..4c556310 100644 --- a/roles/matrix-riot-web/vars/main.yml +++ b/roles/matrix-riot-web/vars/main.yml @@ -1,3 +1,3 @@ --- -matrix_riot_web_embedded_pages_home_url: "{{ (none if matrix_riot_web_embedded_pages_home_path is none else 'home.html') }}" +matrix_riot_web_embedded_pages_home_url: "{{ ('' if matrix_riot_web_embedded_pages_home_path is none else 'home.html') }}" diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 1a854f2f..a5a33ba6 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml 
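Review bot: Changing `matrix_riot_web_embedded_pages_home_url` from `none` to `''` in roles/matrix-riot-web/vars/main.yml is unrelated to the port-exposing change the commit describes and is not mentioned in the changelog hunk. The value's type changes from null to an empty string, so any template or task that tests it with `is none` (none is visible in this diff) would stop matching. If the change is intentional, a comment above the line stating why an empty string is preferred here, or a line in the commit message, would keep it from being reverted as an accident.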
@@ -12,16 +12,32 @@ matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage" matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store" matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext" -# Controls whether the Synapse container exposes the Client/Server API port (tcp/8008). -matrix_synapse_container_expose_client_api_port: false - -# Controls whether the Synapse container exposes the Server/Server (Federation) API port (tcp/8048). -# This is for the plain HTTP API. If you need Synapse to handle TLS encryption, -# that would be on another port (tcp/8448) controlled by `matrix_synapse_tls_federation_listener_enabled`. -matrix_synapse_container_expose_federation_api_port: false - -# Controls whether the matrix-synapse container exposes the metrics port (tcp/9100). -matrix_synapse_container_expose_metrics_port: false +# Controls whether the matrix-synapse container exposes the Client/Server API port (tcp/8008 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8008"), or empty string to not expose. +matrix_synapse_container_client_api_host_bind_port: '' + +# Controls whether the matrix-synapse container exposes the plain (unencrypted) Server/Server (Federation) API port (tcp/8048 in the container). +# +# Takes effect only if federation is enabled (matrix_synapse_federation_enabled). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8048"), or empty string to not expose. +matrix_synapse_container_federation_api_plain_host_bind_port: '' + +# Controls whether the matrix-synapse container exposes the tls (encrypted) Server/Server (Federation) API port (tcp/8448 in the container). +# +# Takes effect only if federation is enabled (matrix_synapse_federation_enabled) +# and TLS support is enabled (matrix_synapse_tls_federation_listener_enabled). +# +# Takes an ":" or "" value (e.g. "8448"), or empty string to not expose. 
+matrix_synapse_container_federation_api_tls_host_bind_port: '' + +# Controls whether the matrix-synapse container exposes the metrics port (tcp/9100 in the container). +# +# Takes effect only if metrics are enabled (matrix_synapse_metrics_enabled). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:9100"), or empty string to not expose. +matrix_synapse_container_metrics_api_host_bind_port: '' # A list of extra arguments to pass to the container matrix_synapse_container_extra_arguments: [] diff --git a/roles/matrix-synapse/tasks/validate_config.yml b/roles/matrix-synapse/tasks/validate_config.yml index d4efad9d..fa496642 100644 --- a/roles/matrix-synapse/tasks/validate_config.yml +++ b/roles/matrix-synapse/tasks/validate_config.yml @@ -15,7 +15,7 @@ Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). when: "item.old in vars" with_items: - - {'old': 'matrix_synapse_container_expose_api_port', 'new': 'matrix_synapse_container_expose_client_api_port'} + - {'old': 'matrix_synapse_container_expose_api_port', 'new': ''} - {'old': 'matrix_synapse_no_tls', 'new': ''} - {'old': 'matrix_enable_room_list_search', 'new': 'matrix_synapse_enable_room_list_search'} - {'old': 'matrix_alias_creation_rules', 'new': 'matrix_synapse_alias_creation_rules'} @@ -27,3 +27,6 @@ - {'old': 'matrix_synapse_federation_rc_sleep_delay', 'new': ''} - {'old': 'matrix_synapse_federation_rc_reject_limit', 'new': ''} - {'old': 'matrix_synapse_federation_rc_concurrent', 'new': ''} + - {'old': 'matrix_synapse_container_expose_client_api_port', 'new': ''} + - {'old': 'matrix_synapse_container_expose_federation_api_port', 'new': ''} + - {'old': 'matrix_synapse_container_expose_metrics_port', 'new': ''} diff --git a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2 index f0ea3d06..071a0eda 100644 
--- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
+++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
@@ -29,17 +29,17 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
 --tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \
 --network={{ matrix_docker_network }} \
 -e SYNAPSE_CACHE_FACTOR={{ matrix_synapse_cache_factor }} \
- {% if matrix_synapse_container_expose_client_api_port %}
- -p 127.0.0.1:8008:8008 \
+ {% if matrix_synapse_container_client_api_host_bind_port %}
+ -p {{ matrix_synapse_container_client_api_host_bind_port }}:8008 \
 {% endif %}
- {% if matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled %}
- -p 8448:8448 \
+ {% if matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled and matrix_synapse_container_federation_api_tls_host_bind_port %}
+ -p {{ matrix_synapse_container_federation_api_tls_host_bind_port }}:8448 \
 {% endif %}
- {% if matrix_synapse_federation_enabled and matrix_synapse_container_expose_federation_api_port %}
- -p 127.0.0.1:8048:8048 \
+ {% if matrix_synapse_federation_enabled and matrix_synapse_container_federation_api_plain_host_bind_port %}
+ -p {{ matrix_synapse_container_federation_api_plain_host_bind_port }}:8048 \
 {% endif %}
- {% if matrix_synapse_container_expose_metrics_port %}
- -p 127.0.0.1:{{ matrix_synapse_metrics_port }}:{{ matrix_synapse_metrics_port }} \
+ {% if matrix_synapse_metrics_enabled and matrix_synapse_container_metrics_api_host_bind_port %}
+ -p {{ matrix_synapse_container_metrics_api_host_bind_port }}:{{ matrix_synapse_metrics_port }} \
 {% endif %}
 -v {{ matrix_synapse_config_dir_path }}:/data:ro \
 -v {{ matrix_synapse_run_path }}:/matrix-run:rw \