From 0c7273b5bd15ef4f2a9f9843c864f8cdcd986c3f Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Thu, 11 Jul 2024 07:03:14 +0300
Subject: [PATCH] Add Traefik labels for handling authenticated media (MSC3916) in matrix-media-repo

Related to:
- https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3409
- https://github.com/t2bot/matrix-media-repo/releases/tag/v1.3.5
- https://github.com/matrix-org/matrix-spec-proposals/pull/3916

Support for authenticated media routes is enabled by default, but variables are in place to disable it if necessary.

This change has not been tested.
---
 group_vars/matrix_servers | 3 +
 .../matrix-media-repo/defaults/main.yml | 59 ++++++++++--
 .../tasks/validate_config.yml | 1 +
 .../templates/media-repo/labels.j2 | 94 +++++++++++++++++++
 4 files changed, 148 insertions(+), 9 deletions(-)

diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 94866d4976b..45b22def436 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -3604,6 +3604,9 @@ matrix_media_repo_container_labels_traefik_tls_certResolver: "{{ devture_traefik
 matrix_media_repo_container_labels_traefik_internal_media_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}"
 matrix_media_repo_container_labels_traefik_internal_media_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"
+matrix_media_repo_container_labels_traefik_internal_matrix_client_media_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}"
+matrix_media_repo_container_labels_traefik_internal_matrix_client_media_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"
+
 matrix_media_repo_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
 matrix_media_repo_database_username: matrix_media_repo
 matrix_media_repo_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mediarepo.db', rounds=655555) | to_uuid }}"
diff --git a/roles/custom/matrix-media-repo/defaults/main.yml b/roles/custom/matrix-media-repo/defaults/main.yml
index 6abceb1e6c0..3b37ea2fe5e 100755
--- a/roles/custom/matrix-media-repo/defaults/main.yml
+++ b/roles/custom/matrix-media-repo/defaults/main.yml
@@ -65,6 +65,8 @@ matrix_media_repo_container_labels_traefik_enabled: true
 matrix_media_repo_container_labels_traefik_docker_network: "{{ matrix_media_repo_container_network }}"
 matrix_media_repo_container_labels_traefik_entrypoints: web-secure
+# Traefik labels handling the old `/_matrix/media` endpoints on the Client-API (web-secure) entrypoint.
+# These are being superseded by `/_matrix/client/VERSION/media` endpoints - see `matrix_media_repo_container_labels_traefik_client_matrix_client_media_*`.
 matrix_media_repo_container_labels_traefik_media_path_prefix: "/_matrix/media"
 matrix_media_repo_container_labels_traefik_media_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_media_path_prefix | quote }}`)"
 matrix_media_repo_container_labels_traefik_media_priority: 0
@@ -72,15 +74,36 @@ matrix_media_repo_container_labels_traefik_media_entrypoints: "{{ matrix_media_r
 matrix_media_repo_container_labels_traefik_media_tls: "{{ matrix_media_repo_container_labels_traefik_media_entrypoints != 'web' }}"
 matrix_media_repo_container_labels_traefik_media_tls_certResolver: default # noqa var-naming
+# Traefik labels handling the new `/_matrix/client/VERSION/media` endpoints on the Client-API (web-secure) entrypoint.
+# See: https://github.com/matrix-org/matrix-spec-proposals/pull/3916
+matrix_media_repo_container_labels_traefik_client_matrix_client_media_enabled: true
+matrix_media_repo_container_labels_traefik_client_matrix_client_media_path_regexp: "/_matrix/client/(?P(v1))/media"
+matrix_media_repo_container_labels_traefik_client_matrix_client_media_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathRegexp(`{{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_path_regexp | quote }}`)"
+matrix_media_repo_container_labels_traefik_client_matrix_client_media_priority: 0
+matrix_media_repo_container_labels_traefik_client_matrix_client_media_entrypoints: "{{ matrix_media_repo_container_labels_traefik_entrypoints }}"
+matrix_media_repo_container_labels_traefik_client_matrix_client_media_tls: "{{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_entrypoints != 'web' }}"
+matrix_media_repo_container_labels_traefik_client_matrix_client_media_tls_certResolver: default # noqa var-naming
+
+# Traefik labels handling the old `/_matrix/media` endpoints on the internal entrypoint.
 # This is like `matrix_media_repo_container_labels_traefik_media_*`, but on an internal Traefik entrypoint.
+# These are being superseded by `/_matrix/client/VERSION/media` endpoints - see `matrix_media_repo_container_labels_traefik_internal_matrix_client_media_*`.
 matrix_media_repo_container_labels_traefik_internal_media_enabled: false
 matrix_media_repo_container_labels_traefik_internal_media_path_prefix: "{{ matrix_media_repo_container_labels_traefik_media_path_prefix }}"
 matrix_media_repo_container_labels_traefik_internal_media_rule: "PathPrefix(`{{ matrix_media_repo_container_labels_traefik_internal_media_path_prefix | quote }}`)"
 matrix_media_repo_container_labels_traefik_internal_media_priority: "{{ matrix_media_repo_container_labels_traefik_media_priority }}"
 matrix_media_repo_container_labels_traefik_internal_media_entrypoints: ""
-# /_matrix/client/r0/logout
-# /_matrix/client/r0/logout/all
+# Traefik labels handling the new `/_matrix/client/VERSION/media` endpoints on the internal entrypoint.
+# See: https://github.com/matrix-org/matrix-spec-proposals/pull/3916
+matrix_media_repo_container_labels_traefik_internal_matrix_client_media_enabled: false
+matrix_media_repo_container_labels_traefik_internal_matrix_client_media_path_regexp: "{{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_path_regexp }}"
+matrix_media_repo_container_labels_traefik_internal_matrix_client_media_rule: "PathRegexp(`{{ matrix_media_repo_container_labels_traefik_internal_matrix_client_media_path_regexp | quote }}`)"
+matrix_media_repo_container_labels_traefik_internal_matrix_client_media_priority: "{{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_priority }}"
+matrix_media_repo_container_labels_traefik_internal_matrix_client_media_entrypoints: ""
+
+# Traefik labels handling some additional routes on the Client-API (web-secure) entrypoint:
+# - /_matrix/client/r0/logout
+# - /_matrix/client/r0/logout/all
 matrix_media_repo_container_labels_traefik_logout_path_regexp: "^/_matrix/client/(?Pr0|v1|v3|unstable)/(?Plogout|logout/all)"
 matrix_media_repo_container_labels_traefik_logout_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathRegexp(`{{ matrix_media_repo_container_labels_traefik_logout_path_regexp }}`)"
 matrix_media_repo_container_labels_traefik_logout_priority: 0
@@ -88,8 +111,9 @@ matrix_media_repo_container_labels_traefik_logout_entrypoints: "{{ matrix_media_
 matrix_media_repo_container_labels_traefik_logout_tls: "{{ matrix_media_repo_container_labels_traefik_logout_entrypoints != 'web' }}"
 matrix_media_repo_container_labels_traefik_logout_tls_certResolver: default # noqa var-naming
-# /_matrix/client/r0/admin/purge_media_cache
-# /_matrix/client/r0/admin/quarantine_media/{roomId:[^/]+}
+# Traefik labels handling some additional routes on the Client-API (web-secure) entrypoint:
+# - /_matrix/client/r0/admin/purge_media_cache
+# - /_matrix/client/r0/admin/quarantine_media/{roomId:[^/]+}
 matrix_media_repo_container_labels_traefik_admin_path_regexp: "^/_matrix/client/(?P(r0|v1|v3|unstable))/admin/(?P(purge_media_cache|quarantine_media/.*))"
 matrix_media_repo_container_labels_traefik_admin_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathRegexp(`{{ matrix_media_repo_container_labels_traefik_admin_path_regexp }}`)"
 matrix_media_repo_container_labels_traefik_admin_priority: 0
@@ -97,6 +121,8 @@ matrix_media_repo_container_labels_traefik_admin_entrypoints: "{{ matrix_media_r
 matrix_media_repo_container_labels_traefik_admin_tls: "{{ matrix_media_repo_container_labels_traefik_admin_entrypoints != 'web' }}"
 matrix_media_repo_container_labels_traefik_admin_tls_certResolver: default # noqa var-naming
+# Traefik labels handling some additional routes on the Client-API (web-secure) entrypoint:
+# - /_matrix/client/unstable/io.t2bot.media
 matrix_media_repo_container_labels_traefik_t2bot_path_prefix: "/_matrix/client/unstable/io.t2bot.media"
 matrix_media_repo_container_labels_traefik_t2bot_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_t2bot_path_prefix | quote }}`)"
 matrix_media_repo_container_labels_traefik_t2bot_priority: 0
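Review bot: The new `matrix_media_repo_container_labels_traefik_client_matrix_client_media_rule` passes its pattern through `| quote` inside `PathRegexp(...)`, whereas the existing `_logout_rule` and `_admin_rule` in this hunk interpolate their PathRegexp patterns unfiltered and only the PathPrefix rules use `| quote`. Ansible's `quote` filter is shell quoting (`shlex.quote`), so a value containing `(`, `?` or `|` is returned wrapped in single quotes; the rendered Traefik rule then requires literal `'` characters in the request path and never matches, and requests for the new media endpoints silently fall through to whatever router otherwise owns `/_matrix/client`. Remove the `| quote` filter from the three new PathRegexp rules — `_client_matrix_client_media_rule` and `_internal_matrix_client_media_rule` here, and `_federation_matrix_federation_media_rule` in the `@@ -112,8 +139,19` hunk — so they are written like `_logout_rule`. Separately, the two new `_path_regexp` values are unanchored while the logout/admin regexps above start with `^`; prefixing them with `^` keeps PathRegexp from matching the pattern mid-path and keeps the file consistent.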
@@ -104,7 +130,8 @@ matrix_media_repo_container_labels_traefik_t2bot_entrypoints: "{{ matrix_media_r
 matrix_media_repo_container_labels_traefik_t2bot_tls: "{{ matrix_media_repo_container_labels_traefik_t2bot_entrypoints != 'web' }}"
 matrix_media_repo_container_labels_traefik_t2bot_tls_certResolver: default # noqa var-naming
-# Traefik federation labels
+# Traefik labels handling the old `/_matrix/media` endpoints on the federation entrypint.
+# These are being superseded by `/_matrix/federation/VERSION/media` endpoints - see `matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_*`.
 matrix_media_repo_container_labels_traefik_media_federation_path_prefix: "/_matrix/media"
 matrix_media_repo_container_labels_traefik_media_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_media_path_prefix | quote }}`)"
 matrix_media_repo_container_labels_traefik_media_federation_priority: 0
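Review bot: The first added comment line reads `on the federation entrypint`; `entrypoint` is meant. The same misspelling appears in the first added comment of the `@@ -112,8 +139,19` hunk below (`... /_matrix/federation/VERSION/media` endpoints on the federation entrypint.`). Both are comment-only lines, so this is purely a wording fix.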
@@ -112,8 +139,19 @@ matrix_media_repo_container_labels_traefik_media_federation_entrypoints: "{{ mat
 matrix_media_repo_container_labels_traefik_media_federation_tls: "{{ matrix_media_repo_container_labels_traefik_media_entrypoints != 'web' }}"
 matrix_media_repo_container_labels_traefik_media_federation_tls_certResolver: default # noqa var-naming
-# /_matrix/client/r0/logout
-# /_matrix/client/r0/logout/all
+# Traefik labels handling the new `/_matrix/federation/VERSION/media` endpoints on the federation entrypint.
+# See: https://github.com/matrix-org/matrix-spec-proposals/pull/3916
+matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_enabled: true
+matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_path_regexp: "/_matrix/federation/(?P(v1))/media"
+matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathRegexp(`{{ matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_path_regexp | quote }}`)"
+matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_priority: 0
+matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}"
+matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_tls: "{{ matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_entrypoints != 'web' }}"
+matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_tls_certResolver: default # noqa var-naming
+
+# Traefik labels handling some additional routes on the federation entrypoint:
+# - /_matrix/client/r0/logout
+# - /_matrix/client/r0/logout/all
 matrix_media_repo_container_labels_traefik_logout_federation_path_regexp: "{{ matrix_media_repo_container_labels_traefik_logout_path_regexp }}"
 matrix_media_repo_container_labels_traefik_logout_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathRegexp(`{{ matrix_media_repo_container_labels_traefik_logout_federation_path_regexp }}`)"
 matrix_media_repo_container_labels_traefik_logout_federation_priority: 0
@@ -121,8 +159,9 @@ matrix_media_repo_container_labels_traefik_logout_federation_entrypoints: "{{ ma
 matrix_media_repo_container_labels_traefik_logout_federation_tls: "{{ matrix_media_repo_container_labels_traefik_logout_entrypoints != 'web' }}"
 matrix_media_repo_container_labels_traefik_logout_federation_tls_certResolver: default # noqa var-naming
-# /_matrix/client/r0/admin/purge_media_cache
-# /_matrix/client/r0/admin/quarantine_media/{roomId:[^/]+}
+# Traefik labels handling some additional routes on the federation entrypoint:
+# - /_matrix/client/r0/admin/purge_media_cache
+# - /_matrix/client/r0/admin/quarantine_media/{roomId:[^/]+}
 matrix_media_repo_container_labels_traefik_admin_federation_path_regexp: "{{ matrix_media_repo_container_labels_traefik_admin_path_regexp }}"
 matrix_media_repo_container_labels_traefik_admin_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathRegexp(`{{ matrix_media_repo_container_labels_traefik_admin_federation_path_regexp }}`)"
 matrix_media_repo_container_labels_traefik_admin_federation_priority: 0
@@ -130,6 +169,8 @@ matrix_media_repo_container_labels_traefik_admin_federation_entrypoints: "{{ mat
 matrix_media_repo_container_labels_traefik_admin_federation_tls: "{{ matrix_media_repo_container_labels_traefik_admin_entrypoints != 'web' }}"
 matrix_media_repo_container_labels_traefik_admin_federation_tls_certResolver: default # noqa var-naming
+# Traefik labels handling some additional routes on the federation entrypoint:
+# - /_matrix/client/unstable/io.t2bot.media
 matrix_media_repo_container_labels_traefik_t2bot_federation_path_prefix: "/_matrix/client/unstable/io.t2bot.media"
 matrix_media_repo_container_labels_traefik_t2bot_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_t2bot_path_prefix | quote }}`)"
 matrix_media_repo_container_labels_traefik_t2bot_federation_priority: 0
diff --git a/roles/custom/matrix-media-repo/tasks/validate_config.yml b/roles/custom/matrix-media-repo/tasks/validate_config.yml
index 57fdf8595fd..8b0ecb7cd62 100644
--- a/roles/custom/matrix-media-repo/tasks/validate_config.yml
+++ b/roles/custom/matrix-media-repo/tasks/validate_config.yml
@@ -8,6 +8,7 @@
   with_items:
     - {'name': 'matrix_media_repo_database_hostname', when: true}
     - {'name': 'matrix_media_repo_container_labels_traefik_internal_media_entrypoints', when: "{{ matrix_media_repo_container_labels_traefik_internal_media_enabled }}"}
+    - {'name': 'matrix_media_repo_container_labels_traefik_internal_matrix_client_media_entrypoints', when: "{{ matrix_media_repo_container_labels_traefik_internal_matrix_client_media_enabled }}"}
 
 - name: (Deprecation) Catch and report renamed matrix-media-repo settings
   ansible.builtin.fail:
diff --git a/roles/custom/matrix-media-repo/templates/media-repo/labels.j2 b/roles/custom/matrix-media-repo/templates/media-repo/labels.j2
index 297fd72c216..9f45c512518 100755
--- a/roles/custom/matrix-media-repo/templates/media-repo/labels.j2
+++ b/roles/custom/matrix-media-repo/templates/media-repo/labels.j2 
@@ -49,6 +49,39 @@ traefik.http.routers.matrix-media-repo-public-media.tls.certResolver={{ matrix_m
 ############################################################
+{% if matrix_media_repo_container_labels_traefik_client_matrix_client_media_enabled %}
+##########################################################################
+# #
+# Public Client Media (/_matrix/client/VERSION/media) - MSC3916 #
+# #
+##########################################################################
+
+traefik.http.routers.matrix-media-repo-public-client-matrix-client-media.rule={{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_rule }}
+
+{% if matrix_media_repo_container_labels_traefik_client_matrix_client_media_priority | int > 0 %}
+traefik.http.routers.matrix-media-repo-public-client-matrix-client-media.priority={{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_priority }}
+{% endif %}
+
+{% if middlewares | length > 0 %}
+traefik.http.routers.matrix-media-repo-public-client-matrix-client-media.middlewares={{ middlewares | join(',') }}
+{% endif %}
+
+traefik.http.routers.matrix-media-repo-public-client-matrix-client-media.service=matrix-media-repo
+traefik.http.routers.matrix-media-repo-public-client-matrix-client-media.entrypoints={{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_entrypoints }}
+
+traefik.http.routers.matrix-media-repo-public-client-matrix-client-media.tls={{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_tls | to_json }}
+{% if matrix_media_repo_container_labels_traefik_client_matrix_client_media_tls %}
+traefik.http.routers.matrix-media-repo-public-client-matrix-client-media.tls.certResolver={{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_tls_certResolver }}
+{% endif %}
+
+##########################################################################
+# #
+# /Public Client Media (/_matrix/client/VERSION/media) - MSC3916 #
+# #
+##########################################################################
+{% endif %}
+
+
 {% if matrix_media_repo_container_labels_traefik_internal_media_enabled %}
 ############################################################
 # #
@@ -77,6 +110,34 @@ traefik.http.routers.matrix-media-repo-internal-media.entrypoints={{ matrix_medi
 {% endif %}
+{% if matrix_media_repo_container_labels_traefik_internal_matrix_client_media_enabled %}
+##########################################################################
+# #
+# Internal Client Media (/_matrix/client/VERSION/media) - MSC3916 #
+# #
+##########################################################################
+
+traefik.http.routers.matrix-media-repo-internal-matrix-client-media.rule={{ matrix_media_repo_container_labels_traefik_internal_matrix_client_media_rule }}
+
+{% if matrix_media_repo_container_labels_traefik_internal_matrix_client_media_priority | int > 0 %}
+traefik.http.routers.matrix-media-repo-internal-matrix-client-media.priority={{ matrix_media_repo_container_labels_traefik_internal_matrix_client_media_priority }}
+{% endif %}
+
+{% if middlewares | length > 0 %}
+traefik.http.routers.matrix-media-repo-internal-matrix-client-media.middlewares={{ middlewares | join(',') }}
+{% endif %}
+
+traefik.http.routers.matrix-media-repo-internal-matrix-client-media.service=matrix-media-repo
+traefik.http.routers.matrix-media-repo-internal-matrix-client-media.entrypoints={{ matrix_media_repo_container_labels_traefik_internal_matrix_client_media_entrypoints }}
+
+##########################################################################
+# #
+# /Internal Client Media (/_matrix/client/VERSION/media) - MSC3916 #
+# #
+##########################################################################
+{% endif %}
+
+
 {% if matrix_media_repo_access_tokens_max_cache_time_seconds > 0 %}
 ############################################################
 # #
@@ -210,6 +271,39 @@ traefik.http.routers.matrix-media-repo-public-media-federation.tls.certResolver=
 ############################################################
+{% if matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_enabled %}
+##########################################################################
+# #
+# Public Federation Media (/_matrix/federation/VERSION/media) - MSC3916 #
+# #
+##########################################################################
+
+traefik.http.routers.matrix-media-repo-public-federation-matrix-federation-media.rule={{ matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_rule }}
+
+{% if matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_priority | int > 0 %}
+traefik.http.routers.matrix-media-repo-public-federation-matrix-federation-media.priority={{ matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_priority }}
+{% endif %}
+
+{% if middlewares | length > 0 %}
+traefik.http.routers.matrix-media-repo-public-federation-matrix-federation-media.middlewares={{ middlewares | join(',') }}
+{% endif %}
+
+traefik.http.routers.matrix-media-repo-public-federation-matrix-federation-media.service=matrix-media-repo
+traefik.http.routers.matrix-media-repo-public-federation-matrix-federation-media.entrypoints={{ matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_entrypoints }}
+
+traefik.http.routers.matrix-media-repo-public-federation-matrix-federation-media.tls={{ matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_tls | to_json }}
+{% if matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_tls %}
+traefik.http.routers.matrix-media-repo-public-federation-matrix-federation-media.tls.certResolver={{ matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_tls_certResolver }}
+{% endif %}
+
+##########################################################################
+# #
+# /Public Federation Media (/_matrix/federation/VERSION/media) - MSC3916 #
+# #
+##########################################################################
+{% endif %}
+
+
 {% if matrix_media_repo_access_tokens_max_cache_time_seconds > 0 %}
 ############################################################
 # #