Add (native) Traefik support to matrix-client-element

Previously, it had to go through matrix-nginx-proxy.
It's exposed to Traefik directly via container labels now

group_vars/matrix_servers

@@ -2378,7 +2378,7 @@ matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_
 matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: "{{ matrix_server_fqn_element if matrix_client_element_enabled else '' }}"
 
 matrix_nginx_proxy_proxy_matrix_enabled: true
-matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled }}"
+matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
 matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled }}"
 matrix_nginx_proxy_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled }}"
 matrix_nginx_proxy_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled }}"
@@ -2398,7 +2398,6 @@ matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_playbook_
 matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
 
 matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: true
-matrix_nginx_proxy_container_labels_traefik_proxy_element_enabled: "{{ matrix_client_element_enabled }}"
 matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled }}"
 matrix_nginx_proxy_container_labels_traefik_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled }}"
 matrix_nginx_proxy_container_labels_traefik_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled }}"
@@ -2935,6 +2934,14 @@ matrix_client_element_container_image_self_build: "{{ matrix_architecture not in
 # the Element HTTP port to the local host.
 matrix_client_element_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8765') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
 
+matrix_client_element_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-client-element' }}"
+
+matrix_client_element_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}"
+
+matrix_client_element_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
+matrix_client_element_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+matrix_client_element_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary if devture_traefik_enabled else '' }}"
+
 matrix_client_element_default_hs_url: "{{ matrix_homeserver_url }}"
 matrix_client_element_default_is_url: "{{ matrix_identity_server_url }}"
 

roles/custom/matrix-client-element/defaults/main.yml

@@ -18,11 +18,40 @@ matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_
 matrix_client_element_data_path: "{{ matrix_base_data_path }}/client-element"
 matrix_client_element_docker_src_files_path: "{{ matrix_client_element_data_path }}/docker-src"
 
+# The base container network
+matrix_client_element_container_network: matrix-client-element
+
+# A list of additional container networks that the container would be connected to.
+# The role does not create these networks, so make sure they already exist.
+# Use this to expose this container to a reverse proxy, which runs in a different container network.
+matrix_client_element_container_additional_networks: []
+
 # Controls whether the matrix-client-element container exposes its HTTP port (tcp/8080 in the container).
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8765"), or empty string to not expose.
 matrix_client_element_container_http_host_bind_port: ''
 
+# matrix_client_element_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
+# See `../templates/labels.j2` for details.
+#
+# To inject your own other container labels, see `matrix_client_element_container_labels_additional_labels`.
+matrix_client_element_container_labels_traefik_enabled: true
+matrix_client_element_container_labels_traefik_docker_network: "{{ matrix_client_element_container_network }}"
+matrix_client_element_container_labels_traefik_hostname: "{{ matrix_server_fqn_element }}"
+matrix_client_element_container_labels_traefik_rule: "Host(`{{ matrix_client_element_container_labels_traefik_hostname }}`)"
+matrix_client_element_container_labels_traefik_entrypoints: web-secure
+matrix_client_element_container_labels_traefik_tls: "{{ matrix_client_element_container_labels_traefik_entrypoints != 'web' }}"
+matrix_client_element_container_labels_traefik_tls_certResolver: default  # noqa var-naming
+
+# matrix_client_element_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
+# See `../templates/labels.j2` for details.
+#
+# Example:
+# matrix_client_element_container_labels_additional_labels: |
+#   my.label=1
+#   another.label="here"
+matrix_client_element_container_labels_additional_labels: ''
+
 # A list of extra arguments to pass to the container
 matrix_client_element_container_extra_arguments: []
 

roles/custom/matrix-client-element/tasks/setup_install.yml

@@ -84,6 +84,7 @@
     group: "{{ matrix_user_groupname }}"
   with_items:
     - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"}
+    - {src: "{{ role_path }}/templates/labels.j2", name: "labels"}
     - {src: "{{ matrix_client_element_page_template_welcome_path }}", name: "welcome.html"}
     - {src: "{{ matrix_client_element_embedded_pages_home_path }}", name: "home.html"}
   when: "item.src is not none"
@@ -96,6 +97,11 @@
     - {src: "{{ matrix_client_element_embedded_pages_home_path }}", name: "home.html"}
   when: "item.src is none"
 
+- name: Ensure Element container network is created
+  community.general.docker_network:
+    name: "{{ matrix_client_element_container_network }}"
+    driver: bridge
+
 - name: Ensure matrix-client-element.service installed
   ansible.builtin.template:
     src: "{{ role_path }}/templates/systemd/matrix-client-element.service.j2"

roles/custom/matrix-client-element/tasks/setup_uninstall.yml

@@ -19,7 +19,7 @@
         path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-client-element.service"
         state: absent
 
-    - name: Ensure Element paths doesn't exist
+    - name: Ensure Element path doesn't exist
       ansible.builtin.file:
         path: "{{ matrix_client_element_data_path }}"
         state: absent

roles/custom/matrix-client-element/templates/labels.j2

@@ -0,0 +1,19 @@
+{% if matrix_client_element_container_labels_traefik_enabled %}
+traefik.enable=true
+
+{% if matrix_client_element_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_client_element_container_labels_traefik_docker_network }}
+{% endif %}
+
+traefik.http.routers.matrix-client-element.rule={{ matrix_client_element_container_labels_traefik_rule }}
+traefik.http.routers.matrix-client-element.service=matrix-client-element
+traefik.http.routers.matrix-client-element.entrypoints={{ matrix_client_element_container_labels_traefik_entrypoints }}
+traefik.http.routers.matrix-client-element.tls={{ matrix_client_element_container_labels_traefik_tls | to_json }}
+{% if matrix_client_element_container_labels_traefik_tls %}
+traefik.http.routers.matrix-client-element.tls.certResolver={{ matrix_client_element_container_labels_traefik_tls_certResolver }}
+{% endif %}
+
+traefik.http.services.matrix-client-element.loadbalancer.server.port=8080
+{% endif %}
+
+{{ matrix_client_element_container_labels_additional_labels }}

roles/custom/matrix-client-element/templates/systemd/matrix-client-element.service.j2

@@ -13,15 +13,18 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-client-element 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-client-element 2>/dev/null || true'
 
-ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-client-element \
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
+			--rm \
+			--name=matrix-client-element \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--read-only \
-			--network={{ matrix_docker_network }} \
+			--network={{ matrix_client_element_container_network }} \
 			{% if matrix_client_element_container_http_host_bind_port %}
 			-p {{ matrix_client_element_container_http_host_bind_port }}:8080 \
 			{% endif %}
+			--label-file={{ matrix_client_element_data_path }}/labels \
 			--tmpfs=/tmp:rw,noexec,nosuid,size=10m \
 			--mount type=bind,src={{ matrix_client_element_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \
 			--mount type=bind,src={{ matrix_client_element_data_path }}/config.json,dst=/app/config.json,ro \
@@ -38,8 +41,15 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
 			{% endfor %}
 			{{ matrix_client_element_docker_image }}
 
+{% for network in matrix_client_element_container_additional_networks %}
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-client-element
+{% endfor %}
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-client-element
+
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-client-element 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-client-element 2>/dev/null || true'
+
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-client-element

roles/custom/matrix-nginx-proxy/defaults/main.yml

@@ -61,11 +61,6 @@ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_rule: "Host(`{{ matrix_
 matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint: "{{ matrix_federation_traefik_entrypoint }}"
 matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoints: "{{ matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_entrypoint }}"
 
-matrix_nginx_proxy_container_labels_traefik_proxy_element_enabled: false
-matrix_nginx_proxy_container_labels_traefik_proxy_element_hostname: "{{ matrix_server_fqn_element }}"
-matrix_nginx_proxy_container_labels_traefik_proxy_element_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"
-matrix_nginx_proxy_container_labels_traefik_proxy_element_rule: "Host(`{{ matrix_nginx_proxy_container_labels_traefik_proxy_element_hostname }}`)"
-
 matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_enabled: false
 matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}"
 matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_tls: "{{ matrix_nginx_proxy_container_labels_traefik_entrypoints != 'web' }}"

roles/custom/matrix-nginx-proxy/templates/labels.j2

@@ -39,18 +39,6 @@ traefik.http.routers.matrix-nginx-proxy-matrix-federation.entrypoints={{ matrix_
 {% endif %}
 
 
-{% if matrix_nginx_proxy_container_labels_traefik_proxy_element_enabled %}
-# Element
-traefik.http.routers.matrix-nginx-proxy-element.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_element_rule }}
-traefik.http.routers.matrix-nginx-proxy-element.service=matrix-nginx-proxy-web
-traefik.http.routers.matrix-nginx-proxy-element.tls={{ matrix_nginx_proxy_container_labels_traefik_proxy_element_tls | to_json }}
-{% if matrix_nginx_proxy_container_labels_traefik_proxy_element_tls %}
-traefik.http.routers.matrix-nginx-proxy-element.tls.certResolver={{ matrix_nginx_proxy_container_labels_traefik_tls_certResolver }}
-{% endif %}
-traefik.http.routers.matrix-nginx-proxy-element.entrypoints={{ matrix_nginx_proxy_container_labels_traefik_entrypoints }}
-{% endif %}
-
-
 {% if matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_enabled %}
 # Hydrogen
 traefik.http.routers.matrix-nginx-proxy-hydrogen.rule={{ matrix_nginx_proxy_container_labels_traefik_proxy_hydrogen_rule }}

roles/custom/matrix-synapse-admin/defaults/main.yml

@@ -24,9 +24,7 @@ matrix_synapse_admin_container_network: matrix-synapse-admin
 
 # A list of additional container networks that the container would be connected to.
 # The role does not create these networks, so make sure they already exist.
-#
-# Use this to expose this container to another reverse proxy, which runs in a different container network,
-# without exposing all other container services to that other reverse-proxy.
+# Use this to expose this container to a reverse proxy, which runs in a different container network.
 matrix_synapse_admin_container_additional_networks: []
 
 # A list of extra arguments to pass to the container