Add Traefik labels for handling authenticated media (MSC3916) in matrix-media-repo

Related to: - https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3409 - https://github.com/t2bot/matrix-media-repo/releases/tag/v1.3.5 - https://github.com/matrix-org/matrix-spec-proposals/pull/3916 Support for authenticated media routes is enabled by default, but variables are in place to disable it if necessary. This change has not been tested.
2024-09-08 03:21:59 +00:00 · 2024-07-11 07:03:14 +03:00 · 2024-07-11 07:03:14 +03:00 · de91fe933d
commit de91fe933d
parent 663e545cda
4 changed files with 148 additions and 9 deletions
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@ -3604,6 +3604,9 @@ matrix_media_repo_container_labels_traefik_tls_certResolver: "{{ devture_traefik
 matrix_media_repo_container_labels_traefik_internal_media_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}"
 matrix_media_repo_container_labels_traefik_internal_media_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"

+matrix_media_repo_container_labels_traefik_internal_matrix_client_media_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}"
+matrix_media_repo_container_labels_traefik_internal_matrix_client_media_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"
+
 matrix_media_repo_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
 matrix_media_repo_database_username: matrix_media_repo
 matrix_media_repo_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mediarepo.db', rounds=655555) | to_uuid }}"
--- a/roles/custom/matrix-media-repo/defaults/main.yml
+++ b/roles/custom/matrix-media-repo/defaults/main.yml
@ -65,6 +65,8 @@ matrix_media_repo_container_labels_traefik_enabled: true
 matrix_media_repo_container_labels_traefik_docker_network: "{{ matrix_media_repo_container_network }}"
 matrix_media_repo_container_labels_traefik_entrypoints: web-secure

+# Traefik labels handling the old `/_matrix/media` endpoints on the Client-API (web-secure) entrypoint.
+# These are being superseded by `/_matrix/client/VERSION/media` endpoints - see `matrix_media_repo_container_labels_traefik_client_matrix_client_media_*`.
 matrix_media_repo_container_labels_traefik_media_path_prefix: "/_matrix/media"
 matrix_media_repo_container_labels_traefik_media_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_media_path_prefix | quote }}`)"
 matrix_media_repo_container_labels_traefik_media_priority: 0
@ -72,15 +74,36 @@ matrix_media_repo_container_labels_traefik_media_entrypoints: "{{ matrix_media_r
 matrix_media_repo_container_labels_traefik_media_tls: "{{ matrix_media_repo_container_labels_traefik_media_entrypoints != 'web' }}"
 matrix_media_repo_container_labels_traefik_media_tls_certResolver: default  # noqa var-naming

+# Traefik labels handling the new `/_matrix/client/VERSION/media` endpoints on the Client-API (web-secure) entrypoint.
+# See: https://github.com/matrix-org/matrix-spec-proposals/pull/3916
+matrix_media_repo_container_labels_traefik_client_matrix_client_media_enabled: true
+matrix_media_repo_container_labels_traefik_client_matrix_client_media_path_regexp: "/_matrix/client/(?P<version>(v1))/media"
+matrix_media_repo_container_labels_traefik_client_matrix_client_media_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathRegexp(`{{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_path_regexp | quote }}`)"
+matrix_media_repo_container_labels_traefik_client_matrix_client_media_priority: 0
+matrix_media_repo_container_labels_traefik_client_matrix_client_media_entrypoints: "{{ matrix_media_repo_container_labels_traefik_entrypoints }}"
+matrix_media_repo_container_labels_traefik_client_matrix_client_media_tls: "{{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_entrypoints != 'web' }}"
+matrix_media_repo_container_labels_traefik_client_matrix_client_media_tls_certResolver: default  # noqa var-naming
+
+# Traefik labels handling the old `/_matrix/media` endpoints on the internal entrypoint.
 # This is like `matrix_media_repo_container_labels_traefik_media_*`, but on an internal Traefik entrypoint.
+# These are being superseded by `/_matrix/client/VERSION/media` endpoints - see `matrix_media_repo_container_labels_traefik_internal_matrix_client_media_*`.
 matrix_media_repo_container_labels_traefik_internal_media_enabled: false
 matrix_media_repo_container_labels_traefik_internal_media_path_prefix: "{{ matrix_media_repo_container_labels_traefik_media_path_prefix }}"
 matrix_media_repo_container_labels_traefik_internal_media_rule: "PathPrefix(`{{ matrix_media_repo_container_labels_traefik_internal_media_path_prefix | quote }}`)"
 matrix_media_repo_container_labels_traefik_internal_media_priority: "{{ matrix_media_repo_container_labels_traefik_media_priority }}"
 matrix_media_repo_container_labels_traefik_internal_media_entrypoints: ""

-# /_matrix/client/r0/logout
-# /_matrix/client/r0/logout/all
+# Traefik labels handling the new `/_matrix/client/VERSION/media` endpoints on the internal entrypoint.
+# See: https://github.com/matrix-org/matrix-spec-proposals/pull/3916
+matrix_media_repo_container_labels_traefik_internal_matrix_client_media_enabled: false
+matrix_media_repo_container_labels_traefik_internal_matrix_client_media_path_regexp: "{{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_path_regexp }}"
+matrix_media_repo_container_labels_traefik_internal_matrix_client_media_rule: "PathRegexp(`{{ matrix_media_repo_container_labels_traefik_internal_matrix_client_media_path_regexp | quote }}`)"
+matrix_media_repo_container_labels_traefik_internal_matrix_client_media_priority: "{{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_priority }}"
+matrix_media_repo_container_labels_traefik_internal_matrix_client_media_entrypoints: ""
+
+# Traefik labels handling some additional routes on the Client-API (web-secure) entrypoint:
+# - /_matrix/client/r0/logout
+# - /_matrix/client/r0/logout/all
 matrix_media_repo_container_labels_traefik_logout_path_regexp: "^/_matrix/client/(?P<version>r0|v1|v3|unstable)/(?P<endpoint>logout|logout/all)"
 matrix_media_repo_container_labels_traefik_logout_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathRegexp(`{{ matrix_media_repo_container_labels_traefik_logout_path_regexp }}`)"
 matrix_media_repo_container_labels_traefik_logout_priority: 0
@ -88,8 +111,9 @@ matrix_media_repo_container_labels_traefik_logout_entrypoints: "{{ matrix_media_
 matrix_media_repo_container_labels_traefik_logout_tls: "{{ matrix_media_repo_container_labels_traefik_logout_entrypoints != 'web' }}"
 matrix_media_repo_container_labels_traefik_logout_tls_certResolver: default  # noqa var-naming

-# /_matrix/client/r0/admin/purge_media_cache
-# /_matrix/client/r0/admin/quarantine_media/{roomId:[^/]+}
+# Traefik labels handling some additional routes on the Client-API (web-secure) entrypoint:
+# - /_matrix/client/r0/admin/purge_media_cache
+# - /_matrix/client/r0/admin/quarantine_media/{roomId:[^/]+}
 matrix_media_repo_container_labels_traefik_admin_path_regexp: "^/_matrix/client/(?P<version>(r0|v1|v3|unstable))/admin/(?P<endpoint>(purge_media_cache|quarantine_media/.*))"
 matrix_media_repo_container_labels_traefik_admin_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathRegexp(`{{ matrix_media_repo_container_labels_traefik_admin_path_regexp }}`)"
 matrix_media_repo_container_labels_traefik_admin_priority: 0
@ -97,6 +121,8 @@ matrix_media_repo_container_labels_traefik_admin_entrypoints: "{{ matrix_media_r
 matrix_media_repo_container_labels_traefik_admin_tls: "{{ matrix_media_repo_container_labels_traefik_admin_entrypoints != 'web' }}"
 matrix_media_repo_container_labels_traefik_admin_tls_certResolver: default  # noqa var-naming

+# Traefik labels handling some additional routes on the Client-API (web-secure) entrypoint:
+# - /_matrix/client/unstable/io.t2bot.media
 matrix_media_repo_container_labels_traefik_t2bot_path_prefix: "/_matrix/client/unstable/io.t2bot.media"
 matrix_media_repo_container_labels_traefik_t2bot_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_t2bot_path_prefix | quote }}`)"
 matrix_media_repo_container_labels_traefik_t2bot_priority: 0
@ -104,7 +130,8 @@ matrix_media_repo_container_labels_traefik_t2bot_entrypoints: "{{ matrix_media_r
 matrix_media_repo_container_labels_traefik_t2bot_tls: "{{ matrix_media_repo_container_labels_traefik_t2bot_entrypoints != 'web' }}"
 matrix_media_repo_container_labels_traefik_t2bot_tls_certResolver: default  # noqa var-naming

-# Traefik federation labels
+# Traefik labels handling the old `/_matrix/media` endpoints on the federation entrypint.
+# These are being superseded by `/_matrix/federation/VERSION/media` endpoints - see `matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_*`.
 matrix_media_repo_container_labels_traefik_media_federation_path_prefix: "/_matrix/media"
 matrix_media_repo_container_labels_traefik_media_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_media_path_prefix | quote }}`)"
 matrix_media_repo_container_labels_traefik_media_federation_priority: 0
@ -112,8 +139,19 @@ matrix_media_repo_container_labels_traefik_media_federation_entrypoints: "{{ mat
 matrix_media_repo_container_labels_traefik_media_federation_tls: "{{ matrix_media_repo_container_labels_traefik_media_entrypoints != 'web' }}"
 matrix_media_repo_container_labels_traefik_media_federation_tls_certResolver: default  # noqa var-naming

-# /_matrix/client/r0/logout
-# /_matrix/client/r0/logout/all
+# Traefik labels handling the new `/_matrix/federation/VERSION/media` endpoints on the federation entrypint.
+# See: https://github.com/matrix-org/matrix-spec-proposals/pull/3916
+matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_enabled: true
+matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_path_regexp: "/_matrix/federation/(?P<version>(v1))/media"
+matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathRegexp(`{{ matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_path_regexp | quote }}`)"
+matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_priority: 0
+matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}"
+matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_tls: "{{ matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_entrypoints != 'web' }}"
+matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_tls_certResolver: default  # noqa var-naming
+
+# Traefik labels handling some additional routes on the federation entrypoint:
+# - /_matrix/client/r0/logout
+# - /_matrix/client/r0/logout/all
 matrix_media_repo_container_labels_traefik_logout_federation_path_regexp: "{{ matrix_media_repo_container_labels_traefik_logout_path_regexp }}"
 matrix_media_repo_container_labels_traefik_logout_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathRegexp(`{{ matrix_media_repo_container_labels_traefik_logout_federation_path_regexp }}`)"
 matrix_media_repo_container_labels_traefik_logout_federation_priority: 0
@ -121,8 +159,9 @@ matrix_media_repo_container_labels_traefik_logout_federation_entrypoints: "{{ ma
 matrix_media_repo_container_labels_traefik_logout_federation_tls: "{{ matrix_media_repo_container_labels_traefik_logout_entrypoints != 'web' }}"
 matrix_media_repo_container_labels_traefik_logout_federation_tls_certResolver: default  # noqa var-naming

-# /_matrix/client/r0/admin/purge_media_cache
-# /_matrix/client/r0/admin/quarantine_media/{roomId:[^/]+}
+# Traefik labels handling some additional routes on the federation entrypoint:
+# - /_matrix/client/r0/admin/purge_media_cache
+# - /_matrix/client/r0/admin/quarantine_media/{roomId:[^/]+}
 matrix_media_repo_container_labels_traefik_admin_federation_path_regexp: "{{ matrix_media_repo_container_labels_traefik_admin_path_regexp }}"
 matrix_media_repo_container_labels_traefik_admin_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathRegexp(`{{ matrix_media_repo_container_labels_traefik_admin_federation_path_regexp }}`)"
 matrix_media_repo_container_labels_traefik_admin_federation_priority: 0
@ -130,6 +169,8 @@ matrix_media_repo_container_labels_traefik_admin_federation_entrypoints: "{{ mat
 matrix_media_repo_container_labels_traefik_admin_federation_tls: "{{ matrix_media_repo_container_labels_traefik_admin_entrypoints != 'web' }}"
 matrix_media_repo_container_labels_traefik_admin_federation_tls_certResolver: default  # noqa var-naming

+# Traefik labels handling some additional routes on the federation entrypoint:
+# - /_matrix/client/unstable/io.t2bot.media
 matrix_media_repo_container_labels_traefik_t2bot_federation_path_prefix: "/_matrix/client/unstable/io.t2bot.media"
 matrix_media_repo_container_labels_traefik_t2bot_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_t2bot_path_prefix | quote }}`)"
 matrix_media_repo_container_labels_traefik_t2bot_federation_priority: 0
--- a/roles/custom/matrix-media-repo/tasks/validate_config.yml
+++ b/roles/custom/matrix-media-repo/tasks/validate_config.yml
@ -8,6 +8,7 @@
  with_items:
    - {'name': 'matrix_media_repo_database_hostname', when: true}
    - {'name': 'matrix_media_repo_container_labels_traefik_internal_media_entrypoints', when: "{{ matrix_media_repo_container_labels_traefik_internal_media_enabled }}"}
+    - {'name': 'matrix_media_repo_container_labels_traefik_internal_matrix_client_media_entrypoints', when: "{{ matrix_media_repo_container_labels_traefik_internal_matrix_client_media_enabled }}"}

 - name: (Deprecation) Catch and report renamed matrix-media-repo settings
  ansible.builtin.fail:
--- a/roles/custom/matrix-media-repo/templates/media-repo/labels.j2
+++ b/roles/custom/matrix-media-repo/templates/media-repo/labels.j2
@ -49,6 +49,39 @@ traefik.http.routers.matrix-media-repo-public-media.tls.certResolver={{ matrix_m
 ############################################################


+{% if matrix_media_repo_container_labels_traefik_client_matrix_client_media_enabled %}
+##########################################################################
+#                                                                        #
+# Public Client Media (/_matrix/client/VERSION/media) - MSC3916          #
+#                                                                        #
+##########################################################################
+
+traefik.http.routers.matrix-media-repo-public-client-matrix-client-media.rule={{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_rule }}
+
+{% if matrix_media_repo_container_labels_traefik_client_matrix_client_media_priority | int > 0 %}
+traefik.http.routers.matrix-media-repo-public-client-matrix-client-media.priority={{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_priority }}
+{% endif %}
+
+{% if middlewares | length > 0 %}
+traefik.http.routers.matrix-media-repo-public-client-matrix-client-media.middlewares={{ middlewares | join(',') }}
+{% endif %}
+
+traefik.http.routers.matrix-media-repo-public-client-matrix-client-media.service=matrix-media-repo
+traefik.http.routers.matrix-media-repo-public-client-matrix-client-media.entrypoints={{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_entrypoints }}
+
+traefik.http.routers.matrix-media-repo-public-client-matrix-client-media.tls={{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_tls | to_json }}
+{% if matrix_media_repo_container_labels_traefik_client_matrix_client_media_tls %}
+traefik.http.routers.matrix-media-repo-public-client-matrix-client-media.tls.certResolver={{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_tls_certResolver }}
+{% endif %}
+
+##########################################################################
+#                                                                        #
+# /Public Client Media (/_matrix/client/VERSION/media) - MSC3916         #
+#                                                                        #
+##########################################################################
+{% endif %}
+
+
 {% if matrix_media_repo_container_labels_traefik_internal_media_enabled %}
 ############################################################
 #                                                          #
@ -77,6 +110,34 @@ traefik.http.routers.matrix-media-repo-internal-media.entrypoints={{ matrix_medi
 {% endif %}


+{% if matrix_media_repo_container_labels_traefik_internal_matrix_client_media_enabled %}
+##########################################################################
+#                                                                        #
+# Internal Client Media (/_matrix/client/VERSION/media) - MSC3916        #
+#                                                                        #
+##########################################################################
+
+traefik.http.routers.matrix-media-repo-internal-matrix-client-media.rule={{ matrix_media_repo_container_labels_traefik_internal_matrix_client_media_rule }}
+
+{% if matrix_media_repo_container_labels_traefik_internal_matrix_client_media_priority | int > 0 %}
+traefik.http.routers.matrix-media-repo-internal-matrix-client-media.priority={{ matrix_media_repo_container_labels_traefik_internal_matrix_client_media_priority }}
+{% endif %}
+
+{% if middlewares | length > 0 %}
+traefik.http.routers.matrix-media-repo-internal-matrix-client-media.middlewares={{ middlewares | join(',') }}
+{% endif %}
+
+traefik.http.routers.matrix-media-repo-internal-matrix-client-media.service=matrix-media-repo
+traefik.http.routers.matrix-media-repo-internal-matrix-client-media.entrypoints={{ matrix_media_repo_container_labels_traefik_internal_matrix_client_media_entrypoints }}
+
+##########################################################################
+#                                                                        #
+# /Internal Client Media (/_matrix/client/VERSION/media) - MSC3916       #
+#                                                                        #
+##########################################################################
+{% endif %}
+
+
 {% if matrix_media_repo_access_tokens_max_cache_time_seconds > 0 %}
 ############################################################
 #                                                          #
@ -210,6 +271,39 @@ traefik.http.routers.matrix-media-repo-public-media-federation.tls.certResolver=
 ############################################################


+{% if matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_enabled %}
+##########################################################################
+#                                                                        #
+# Public Federation Media (/_matrix/federation/VERSION/media) - MSC3916  #
+#                                                                        #
+##########################################################################
+
+traefik.http.routers.matrix-media-repo-public-federation-matrix-federation-media.rule={{ matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_rule }}
+
+{% if matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_priority | int > 0 %}
+traefik.http.routers.matrix-media-repo-public-federation-matrix-federation-media.priority={{ matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_priority }}
+{% endif %}
+
+{% if middlewares | length > 0 %}
+traefik.http.routers.matrix-media-repo-public-federation-matrix-federation-media.middlewares={{ middlewares | join(',') }}
+{% endif %}
+
+traefik.http.routers.matrix-media-repo-public-federation-matrix-federation-media.service=matrix-media-repo
+traefik.http.routers.matrix-media-repo-public-federation-matrix-federation-media.entrypoints={{ matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_entrypoints }}
+
+traefik.http.routers.matrix-media-repo-public-federation-matrix-federation-media.tls={{ matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_tls | to_json }}
+{% if matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_tls %}
+traefik.http.routers.matrix-media-repo-public-federation-matrix-federation-media.tls.certResolver={{ matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_tls_certResolver }}
+{% endif %}
+
+##########################################################################
+#                                                                        #
+# /Public Federation Media (/_matrix/federation/VERSION/media) - MSC3916 #
+#                                                                        #
+##########################################################################
+{% endif %}
+
+
 {% if matrix_media_repo_access_tokens_max_cache_time_seconds > 0 %}
 ############################################################
 #                                                          #