mirror of
https://github.com/spantaleev/matrix-docker-ansible-deploy.git
synced 2024-12-24 05:25:56 +00:00
219 lines
7.6 KiB
Plaintext
219 lines
7.6 KiB
Plaintext
|
# SOME DESCRIPTIVE TITLE.
|
||
|
# Copyright (C) 2018-2024, Slavi Pantaleev, Aine Etke, MDAD community
|
||
|
# members
|
||
|
# This file is distributed under the same license as the
|
||
|
# matrix-docker-ansible-deploy package.
|
||
|
# FIRST AUTHOR <EMAIL@ADDRESS>, 2024.
|
||
|
#
|
||
|
#, fuzzy
|
||
|
msgid ""
|
||
|
msgstr ""
|
||
|
"Project-Id-Version: matrix-docker-ansible-deploy \n"
|
||
|
"Report-Msgid-Bugs-To: \n"
|
||
|
"POT-Creation-Date: 2024-12-16 12:05+0900\n"
|
||
|
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
|
||
|
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
|
||
|
"Language: jp\n"
|
||
|
"Language-Team: jp <LL@li.org>\n"
|
||
|
"MIME-Version: 1.0\n"
|
||
|
"Content-Type: text/plain; charset=utf-8\n"
|
||
|
"Content-Transfer-Encoding: 8bit\n"
|
||
|
"Generated-By: Babel 2.16.0\n"
|
||
|
|
||
|
#: ../../../docs/howto-srv-server-delegation.md:1
|
||
|
msgid "Server Delegation via a DNS SRV record (advanced)"
|
||
|
msgstr ""
|
||
|
|
||
|
#: ../../../docs/howto-srv-server-delegation.md:3
|
||
|
msgid ""
|
||
|
"**Reminder** : unless you are affected by the [Downsides of well-known-"
|
||
|
"based Server Delegation](howto-server-delegation.md#downsides-of-well-"
|
||
|
"known-based-server-delegation), we suggest you **stay on the "
|
||
|
"simple/default path**: [Server Delegation](howto-server-delegation.md) by"
|
||
|
" [configuring well-known files](configuring-well-known.md) at the base "
|
||
|
"domain."
|
||
|
msgstr ""
|
||
|
|
||
|
#: ../../../docs/howto-srv-server-delegation.md:5
|
||
|
msgid ""
|
||
|
"This guide is about configuring Server Delegation using DNS SRV records "
|
||
|
"(for the [Traefik](https://doc.traefik.io/traefik/) webserver). This "
|
||
|
"method has special requirements when it comes to SSL certificates, so "
|
||
|
"various changes are required."
|
||
|
msgstr ""
|
||
|
|
||
|
#: ../../../docs/howto-srv-server-delegation.md:7
|
||
|
msgid "Prerequisites"
|
||
|
msgstr ""
|
||
|
|
||
|
#: ../../../docs/howto-srv-server-delegation.md:9
|
||
|
msgid ""
|
||
|
"SRV delegation while still using the playbook provided Traefik to get / "
|
||
|
"renew the certificate requires a wildcard certificate."
|
||
|
msgstr ""
|
||
|
|
||
|
#: ../../../docs/howto-srv-server-delegation.md:11
|
||
|
msgid ""
|
||
|
"To obtain / renew one from [Let's Encrypt](https://letsencrypt.org/), one"
|
||
|
" needs to use a [DNS-01 challenge](https://letsencrypt.org/docs"
|
||
|
"/challenge-types/#dns-01-challenge) method instead of the default "
|
||
|
"[HTTP-01](https://letsencrypt.org/docs/challenge-"
|
||
|
"types/#http-01-challenge)."
|
||
|
msgstr ""
|
||
|
|
||
|
#: ../../../docs/howto-srv-server-delegation.md:13
|
||
|
msgid ""
|
||
|
"This means that this is **limited to the list of DNS providers supported "
|
||
|
"by Traefik**, unless you bring in your own certificate."
|
||
|
msgstr ""
|
||
|
|
||
|
#: ../../../docs/howto-srv-server-delegation.md:15
|
||
|
msgid ""
|
||
|
"The up-to-date list can be accessed on [traefik's "
|
||
|
"documentation](https://doc.traefik.io/traefik/https/acme/#providers)"
|
||
|
msgstr ""
|
||
|
|
||
|
#: ../../../docs/howto-srv-server-delegation.md:17
|
||
|
msgid "The changes"
|
||
|
msgstr ""
|
||
|
|
||
|
#: ../../../docs/howto-srv-server-delegation.md:19
|
||
|
msgid ""
|
||
|
"**Note**: the changes below instruct you how to do this for a basic "
|
||
|
"Synapse installation. You will need to adapt the variable name and the "
|
||
|
"content of the labels:"
|
||
|
msgstr ""
|
||
|
|
||
|
#: ../../../docs/howto-srv-server-delegation.md:21
|
||
|
msgid ""
|
||
|
"if you're using another homeserver implementation (e.g. [Conduit"
|
||
|
"](./configuring-playbook-conduit.md) or [Dendrite](./configuring-"
|
||
|
"playbook-dendrite.md))"
|
||
|
msgstr ""
|
||
|
|
||
|
#: ../../../docs/howto-srv-server-delegation.md:22
|
||
|
msgid ""
|
||
|
"if you're using [Synapse with workers enabled](./configuring-playbook-"
|
||
|
"synapse.md#load-balancing-with-workers) (`matrix_synapse_workers_enabled:"
|
||
|
" true`). In that case, it's actually the `matrix-synapse-reverse-proxy-"
|
||
|
"companion` service which has Traefik labels attached"
|
||
|
msgstr ""
|
||
|
|
||
|
#: ../../../docs/howto-srv-server-delegation.md:24
|
||
|
msgid ""
|
||
|
"Also, all instructions below are from an older version of the playbook "
|
||
|
"and may not work anymore."
|
||
|
msgstr ""
|
||
|
|
||
|
#: ../../../docs/howto-srv-server-delegation.md:26
|
||
|
msgid "Federation Endpoint"
|
||
|
msgstr ""
|
||
|
|
||
|
#: ../../../docs/howto-srv-server-delegation.md:33
|
||
|
msgid ""
|
||
|
"This is because with SRV federation, some servers / tools (one of which "
|
||
|
"being the federation tester) try to access the federation API using the "
|
||
|
"resolved IP address instead of the domain name (or they are not using "
|
||
|
"SNI). This change will make Traefik route all traffic for which the path "
|
||
|
"match this rule go to the federation endpoint."
|
||
|
msgstr ""
|
||
|
|
||
|
#: ../../../docs/howto-srv-server-delegation.md:35
|
||
|
msgid "Tell Traefik which certificate to serve for the federation endpoint"
|
||
|
msgstr ""
|
||
|
|
||
|
#: ../../../docs/howto-srv-server-delegation.md:37
|
||
|
msgid ""
|
||
|
"Now that the federation endpoint is not bound to a domain anymore we need"
|
||
|
" to explicitely tell Traefik to use a wildcard certificate in addition to"
|
||
|
" one containing the base name."
|
||
|
msgstr ""
|
||
|
|
||
|
#: ../../../docs/howto-srv-server-delegation.md:39
|
||
|
msgid ""
|
||
|
"This is because the Matrix specification expects the federation endpoint "
|
||
|
"to be served using a certificate compatible with the base domain, "
|
||
|
"however, the other resources on the endpoint still need a valid "
|
||
|
"certificate to work."
|
||
|
msgstr ""
|
||
|
|
||
|
#: ../../../docs/howto-srv-server-delegation.md:48
|
||
|
msgid "Configure the DNS-01 challenge for let's encrypt"
|
||
|
msgstr ""
|
||
|
|
||
|
#: ../../../docs/howto-srv-server-delegation.md:50
|
||
|
msgid ""
|
||
|
"Since we're now requesting a wildcard certificate, we need to change the "
|
||
|
"ACME challenge method. To request a wildcard certificate from Let's "
|
||
|
"Encrypt we are required to use the DNS-01 challenge."
|
||
|
msgstr ""
|
||
|
|
||
|
#: ../../../docs/howto-srv-server-delegation.md:52
|
||
|
msgid "This will need 3 changes:"
|
||
|
msgstr ""
|
||
|
|
||
|
#: ../../../docs/howto-srv-server-delegation.md:53
|
||
|
msgid "Add a new certificate resolver that works with DNS-01"
|
||
|
msgstr ""
|
||
|
|
||
|
#: ../../../docs/howto-srv-server-delegation.md:54
|
||
|
msgid ""
|
||
|
"Configure the resolver to allow access to the DNS zone to configure the "
|
||
|
"records to answer the challenge (refer to [Traefik's "
|
||
|
"documentation](https://doc.traefik.io/traefik/https/acme/#providers) to "
|
||
|
"know which environment variables to set)"
|
||
|
msgstr ""
|
||
|
|
||
|
#: ../../../docs/howto-srv-server-delegation.md:55
|
||
|
msgid "Tell the playbook to use the new resolver as default"
|
||
|
msgstr ""
|
||
|
|
||
|
#: ../../../docs/howto-srv-server-delegation.md:57
|
||
|
msgid ""
|
||
|
"We cannot just disable the default resolver as that would disable SSL in "
|
||
|
"quite a few places in the playbook."
|
||
|
msgstr ""
|
||
|
|
||
|
#: ../../../docs/howto-srv-server-delegation.md:86
|
||
|
msgid "Adjust Coturn's configuration"
|
||
|
msgstr ""
|
||
|
|
||
|
#: ../../../docs/howto-srv-server-delegation.md:88
|
||
|
msgid "The last step is to alter the generated Coturn configuration."
|
||
|
msgstr ""
|
||
|
|
||
|
#: ../../../docs/howto-srv-server-delegation.md:90
|
||
|
msgid ""
|
||
|
"By default, Coturn is configured to wait on the certificate for the "
|
||
|
"`matrix.` subdomain using an [instantiated systemd "
|
||
|
"service](https://www.freedesktop.org/software/systemd/man/systemd.service.html#Service%20Templates)"
|
||
|
" using the domain name as the parameter for this service. However, we "
|
||
|
"need to serve the wildcard certificate, which is incompatible with "
|
||
|
"systemd, it will try to expand the `*`, which will break and prevent "
|
||
|
"Coturn from starting."
|
||
|
msgstr ""
|
||
|
|
||
|
#: ../../../docs/howto-srv-server-delegation.md:92
|
||
|
msgid "We also need to indicate to Coturn where the wildcard certificate is."
|
||
|
msgstr ""
|
||
|
|
||
|
#: ../../../docs/howto-srv-server-delegation.md:94
|
||
|
msgid ""
|
||
|
"**⚠️ WARNING ⚠️** : On first start of the services, Coturn might still "
|
||
|
"fail to start because Traefik is still in the process of obtaining the "
|
||
|
"certificates. If you still get an error, make sure Traefik obtained the "
|
||
|
"certificates and restart the Coturn service (`just start-group coturn`)."
|
||
|
msgstr ""
|
||
|
|
||
|
#: ../../../docs/howto-srv-server-delegation.md:96
|
||
|
msgid ""
|
||
|
"This should not happen again afterwards as Traefik will renew "
|
||
|
"certificates well before their expiry date, and the Coturn service is "
|
||
|
"setup to restart periodically."
|
||
|
msgstr ""
|
||
|
|
||
|
#: ../../../docs/howto-srv-server-delegation.md:122
|
||
|
msgid "Full example of a working configuration"
|
||
|
msgstr ""
|
||
|
|