From e65d198841b4bcd84224fae9c739bdd71c8537eb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 11 Mar 2025 22:21:47 +0200 Subject: [PATCH] Run Element Web in tightened/read-only mode without a custom nginx config Newer Element Web versions allow for the nginx port to be overridden, etc., and provide instructions for running in read-only mode. This makes our custom `nginx.conf` patches unnecessary. Passing the correct `ELEMENT_WEB_PORT` environment variable also helps with future changes. Another benefit of this (besides keeping closer to upstream recommendations and the improved simplicity) is that: - the container can run its entrypoint env-substitutions code now, without reporting errors - IPv6 for nginx works, so `matrix-client-element:8080` is accessible via IPv6 on the container network now (this affects only Traefik's communication with Element Web internally; public connectivity was handled by Traefik and IPv6 was available there even before) Ref: - https://github.com/element-hq/element-web/blob/2052080d7d8a213064910cac491ec5cf9057610e/docs/install.md#docker - https://github.com/element-hq/element-web/pull/28849 - https://github.com/element-hq/element-web/pull/28840 --- .../matrix-client-element/defaults/main.yml | 7 ++ .../tasks/setup_install.yml | 7 +- .../matrix-client-element/templates/env.j2 | 1 + .../templates/nginx.conf.j2 | 66 ------------------- .../templates/nginx.conf.j2.license | 4 -- .../systemd/matrix-client-element.service.j2 | 8 ++- 6 files changed, 20 insertions(+), 73 deletions(-) create mode 100644 roles/custom/matrix-client-element/templates/env.j2 delete mode 100644 roles/custom/matrix-client-element/templates/nginx.conf.j2 delete mode 100644 roles/custom/matrix-client-element/templates/nginx.conf.j2.license diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 237214cf1..28309355e 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml
+++ b/roles/custom/matrix-client-element/defaults/main.yml
@@ -48,9 +48,16 @@ matrix_client_element_container_network: ''
 # Use this to expose this container to a reverse proxy, which runs in a different container network.
 matrix_client_element_container_additional_networks: []
+# Controls the in-container port that Element will use.
+#
+# Also see: `matrix_client_element_container_http_host_bind_port`
+matrix_client_element_container_port: 8080
+
 # Controls whether the matrix-client-element container exposes its HTTP port (tcp/8080 in the container).
 #
 # Takes an ":" or "" value (e.g. "127.0.0.1:8765"), or empty string to not expose.
+
+# Also see: `matrix_client_element_container_port`
 matrix_client_element_container_http_host_bind_port: ''
 # matrix_client_element_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
diff --git a/roles/custom/matrix-client-element/tasks/setup_install.yml b/roles/custom/matrix-client-element/tasks/setup_install.yml
index 730e50282..10a8b61ae 100644
--- a/roles/custom/matrix-client-element/tasks/setup_install.yml
+++ b/roles/custom/matrix-client-element/tasks/setup_install.yml
@@ -95,12 +95,17 @@
 owner: "{{ matrix_user_username }}"
 group: "{{ matrix_user_groupname }}"
 with_items:
- - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"}
 - {src: "{{ role_path }}/templates/labels.j2", name: "labels"}
+ - {src: "{{ role_path }}/templates/env.j2", name: "env"}
 - {src: "{{ matrix_client_element_page_template_welcome_path }}", name: "welcome.html"}
 - {src: "{{ matrix_client_element_embedded_pages_home_path }}", name: "home.html"}
 when: "item.src is not none"
+- name: Ensure Element Web nginx.conf file is removed
+ ansible.builtin.file:
+ path: "{{ matrix_client_element_data_path }}/nginx.conf"
+ state: absent
+
 - name: Ensure Element Web config files removed
 ansible.builtin.file:
 path: "{{ matrix_client_element_data_path }}/{{ item.name }}"
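Review bot: The comment kept above `matrix_client_element_container_http_host_bind_port` still says `(tcp/8080 in the container)`, which is stale now that the in-container port is governed by the new `matrix_client_element_container_port` variable a few lines up; I'd reword it to `# Controls whether the matrix-client-element container exposes its HTTP port (the port set in matrix_client_element_container_port, 8080 by default).` The Traefik labels template is not in this commit's diffstat, so if `labels.j2` hard-codes `8080` as the loadbalancer server port (not visible here), a user who changes the new variable would silently lose reverse-proxy routing while the `-p` mapping and `ELEMENT_WEB_PORT` move — that template should reference the same variable. Since the value is templated unquoted into `env.j2` and into the `-p` port mapping, it would also be worth a validation step that rejects non-integer or out-of-range values before the service is rendered.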
diff --git a/roles/custom/matrix-client-element/templates/env.j2 b/roles/custom/matrix-client-element/templates/env.j2
new file mode 100644
index 000000000..a142b6205
--- /dev/null
+++ b/roles/custom/matrix-client-element/templates/env.j2
@@ -0,0 +1 @@
+ELEMENT_WEB_PORT={{ matrix_client_element_container_port }}
diff --git a/roles/custom/matrix-client-element/templates/nginx.conf.j2 b/roles/custom/matrix-client-element/templates/nginx.conf.j2
deleted file mode 100644
index fba16bbdc..000000000
--- a/roles/custom/matrix-client-element/templates/nginx.conf.j2
+++ /dev/null
@@ -1,66 +0,0 @@ -#jinja2: lstrip_blocks: "True" -# This is a custom nginx configuration file that we use in the container (instead of the default one), -# because it allows us to run nginx with a non-root user. -# -# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed. -# (mounting `/dev/null` over `/etc/nginx/conf.d/default.conf` works well) -# -# The following changes have been done compared to a default nginx configuration file: -# - default server port is changed (80 -> 8080), so that a non-root user can bind it -# - various temp paths are changed to `/tmp`, so that a non-root user can write to them -# - the `user` directive was removed, as we don't want nginx to switch users - -worker_processes 1; - -error_log /var/log/nginx/error.log warn; -pid /tmp/nginx.pid; - - -events { - worker_connections 1024; -} - - -http { - proxy_temp_path /tmp/proxy_temp; - client_body_temp_path /tmp/client_temp; - fastcgi_temp_path /tmp/fastcgi_temp; - uwsgi_temp_path /tmp/uwsgi_temp; - scgi_temp_path /tmp/scgi_temp; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - #tcp_nopush on; - - keepalive_timeout 65; - - #gzip on; - - server { - listen 8080; - server_name localhost; - - root /usr/share/nginx/html; - - location / { - index index.html index.htm; - } - - location ~* ^/(config(.+)?\.json$|(.+)\.html$|i18n) { - expires -1; - } - - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/share/nginx/html; - } - } -} diff --git a/roles/custom/matrix-client-element/templates/nginx.conf.j2.license b/roles/custom/matrix-client-element/templates/nginx.conf.j2.license deleted file mode 100644 index f54d32e63..000000000 
--- a/roles/custom/matrix-client-element/templates/nginx.conf.j2.license
+++ /dev/null
@@ -1,4 +0,0 @@
-SPDX-FileCopyrightText: 2019 - 2022 Slavi Pantaleev
-SPDX-FileCopyrightText: 2019 Hugues De Keyzer
-
-SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/roles/custom/matrix-client-element/templates/systemd/matrix-client-element.service.j2 b/roles/custom/matrix-client-element/templates/systemd/matrix-client-element.service.j2
index 834e5cb87..1b1903b49 100644
--- a/roles/custom/matrix-client-element/templates/systemd/matrix-client-element.service.j2
+++ b/roles/custom/matrix-client-element/templates/systemd/matrix-client-element.service.j2
@@ -22,11 +22,15 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 --read-only \
 --network={{ matrix_client_element_container_network }} \
 {% if matrix_client_element_container_http_host_bind_port %}
- -p {{ matrix_client_element_container_http_host_bind_port }}:8080 \
+ -p {{ matrix_client_element_container_http_host_bind_port }}:{{ matrix_client_element_container_port }} \
 {% endif %}
 --label-file={{ matrix_client_element_data_path }}/labels \
+ --env-file={{ matrix_client_element_data_path }}/env \
 --tmpfs=/tmp:rw,noexec,nosuid,size=10m \
- --mount type=bind,src={{ matrix_client_element_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \
+ --tmpfs=/var/cache/nginx:rw,mode=777 \
+ --tmpfs=/var/run:rw,mode=777 \
+ --tmpfs=/tmp/element-web-config:rw,mode=777 \
+ --tmpfs=/etc/nginx/conf.d:rw,mode=777 \
 --mount type=bind,src={{ matrix_client_element_data_path }}/config.json,dst=/app/config.json,ro \
 --mount type=bind,src={{ matrix_client_element_data_path }}/config.json,dst=/app/config.{{ matrix_server_fqn_element }}.json,ro \
 {% if matrix_client_element_location_sharing_enabled %}
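Review bot: The four new `--tmpfs` mounts are created `rw,mode=777` with no `noexec,nosuid` and no `size=` cap, whereas the existing `/tmp` mount on the line above uses `rw,noexec,nosuid,size=10m`; this quietly gives the otherwise read-only container four world-writable, executable, unbounded scratch areas, one of which is the live nginx config directory `/etc/nginx/conf.d`. None of these paths needs executables (nginx cache files, pid/socket files, an envsubst'd config), so they should carry the same hardening flags, and a size cap keeps a misbehaving or compromised nginx from consuming host memory. The `mode=777` itself presumably exists because the entrypoint runs as a non-root UID that is not visible in this hunk — if the role does set `--user`, a `uid=`/`gid=` tmpfs option with a tighter mode would be better than world-writable, but I'd confirm against upstream's read-only instructions before narrowing it. The ExecStartPre command continues past the end of this hunk.
```jinja
                        --tmpfs=/tmp:rw,noexec,nosuid,size=10m \
                        --tmpfs=/var/cache/nginx:rw,noexec,nosuid,mode=777,size=10m \
                        --tmpfs=/var/run:rw,noexec,nosuid,mode=777,size=10m \
                        --tmpfs=/tmp/element-web-config:rw,noexec,nosuid,mode=777,size=10m \
                        --tmpfs=/etc/nginx/conf.d:rw,noexec,nosuid,mode=777,size=10m \
{# … unchanged: config.json bind mounts, location-sharing block … #}
```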