Improvements around Synapse worker/metrics ports exposure

There was a `matrix_nginx_proxy_enabled|default(False)` check, but: - it didn't seem to work reliably for some reason (hmm) - referring to a `matrix_nginx_proxy_*` variable from within the `matrix-synapse` role is not ideal - exposing always happened on `127.0.0.1`, which may not be good enough for some rarer setups (where the own webserver is external to the host)
2021-01-25 08:25:43 +02:00 · 2021-01-25 08:25:43 +02:00 · 63301b0ef1
parent f66a6b066b
commit 63301b0ef1
3 changed files with 15 additions and 7 deletions
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@ -1276,6 +1276,9 @@ matrix_synapse_container_metrics_api_host_bind_port: "{{ '127.0.0.1:9100' if (ma
 #
 # For exposing the Synapse Manhole port (plain HTTP) to the local host.
 matrix_synapse_container_manhole_api_host_bind_port: "{{ '127.0.0.1:9000' if matrix_synapse_manhole_enabled else '' }}"
+#
+# For exposing the Synapse worker (and metrics) ports to the local host.
+matrix_synapse_workers_container_host_bind_address: "{{ '127.0.0.1' if (matrix_synapse_workers_enabled and not matrix_nginx_proxy_enabled) else '' }}"

 matrix_synapse_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'synapse.db') | to_uuid }}"

--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@ -301,6 +301,14 @@ matrix_synapse_manhole_enabled: false
 # Enable support for Synapse workers
 matrix_synapse_workers_enabled: false

+
+# Controls whether the matrix-synapse container exposes the various worker ports
+# (see `port` and `metrics_port` in `matrix_synapse_workers_enabled_list`) outside of the container.
+#
+# Takes an "<ip>" value (e.g. "127.0.0.1", "0.0.0.0", etc), or empty string to not expose.
+# It takes "*" to signify "bind on all interfaces" ("0.0.0.0" is IPv4-only).
+matrix_synapse_workers_container_host_bind_address: ''
+
 # Default list of workers to spawn (order in accord to docs)
 # - no endpoints / doesn't need port mapping if port ends on 0
 # - single-instance-only if 2nd last digit of port number is 0
--- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
+++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
@ -45,19 +45,16 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \
 			{% if matrix_synapse_manhole_enabled and matrix_synapse_container_manhole_api_host_bind_port %}
 			-p {{ matrix_synapse_container_manhole_api_host_bind_port }}:9000 \
 			{% endif %}
+			{% if matrix_synapse_workers_enabled and matrix_synapse_workers_container_host_bind_address %}
 			{% for worker in matrix_synapse_workers_enabled_list %}
-			{% if matrix_synapse_workers_enabled and not matrix_nginx_proxy_enabled|default(False) %}
-			{# Expose worker ports (by default in 18xxx range) on localhost, f.e. when using
-			   an external reverse proxy outside the matrix docker network #}
 			{% if worker.port != 0 %}
-			-p 127.0.0.1:{{ worker.port }}:{{ worker.port }} \
+			-p {{ '' if matrix_synapse_workers_container_host_bind_address == '*' else (matrix_synapse_workers_container_host_bind_address + ':') }}{{ worker.port }}:{{ worker.port }} \
 			{% endif %}
-			{% endif %}
-			{# Expose worker metrics ports on localhost #}
 			{% if worker.metrics_port != 0 %}
-			-p 127.0.0.1:{{ worker.metrics_port }}:{{ worker.metrics_port }} \
+			-p {{ '' if matrix_synapse_workers_container_host_bind_address == '*' else (matrix_synapse_workers_container_host_bind_address + ':') }}{{ worker.metrics_port }}:{{ worker.metrics_port }} \
 			{% endif %}
 			{% endfor %}
+			{% endif %}
 			--mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data,ro \
 			--mount type=bind,src={{ matrix_synapse_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \
 			{% for volume in matrix_synapse_container_additional_volumes %}