ansol/matrix-docker-ansible-deploy
7
0
Fork 0
mirror of https://github.com/spantaleev/matrix-docker-ansible-deploy.git synced 2025-03-12 16:31:27 +00:00
Code Issues Projects Releases Wiki Activity

Run Element Web in tightened/read-only mode without a custom nginx config

Browse Source 
Newer Element Web versions allow for the nginx port to be
overriden, etc., and provide instructions for running in read-only mode.

This makes our custom `nginx.conf` patches unnecessary.

Passing the correct `ELEMENT_WEB_PORT` environment variable
also helps with future changes.

Another benefit of this (besides keeping closer to upstream
recommendations and the improved simplicity) is that:

- the container can run its entrypoint env-substitutions code now,
  without reporting errors

- IPv6 for nginx works, so `matrix-client-element:8080` is accessible
  via IPv6 on the container network now
  (this affects only for Traefik's communicaton with Element Web
  internally; public connectivity was handled by Traefik and IPv6 was
  available there even before)

Ref:

- 2052080d7d/docs/install.md (docker)
- https://github.com/element-hq/element-web/pull/28849
- https://github.com/element-hq/element-web/pull/28840
This commit is contained in:
Slavi Pantaleev 2025-03-11 22:21:47 +02:00
parent 16f9e7dd46
commit e65d198841
6 changed files with 20 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
roles/custom/matrix-client-element/defaults/main.yml
View File

@ -48,9 +48,16 @@ matrix_client_element_container_network: ''
# Use this to expose this container to a reverse proxy, which runs in a different container network. # Use this to expose this container to a reverse proxy, which runs in a different container network.
matrix_client_element_container_additional_networks: [] matrix_client_element_container_additional_networks: []
# Controls the in-container port that Element will use.
#
# Also see: `matrix_client_element_container_http_host_bind_port`
matrix_client_element_container_port: 8080
# Controls whether the matrix-client-element container exposes its HTTP port (tcp/8080 in the container). # Controls whether the matrix-client-element container exposes its HTTP port (tcp/8080 in the container).
# #
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8765"), or empty string to not expose. # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8765"), or empty string to not expose.
#
# Also see: `matrix_client_element_container_port`
matrix_client_element_container_http_host_bind_port: '' matrix_client_element_container_http_host_bind_port: ''
# matrix_client_element_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. # matrix_client_element_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.

7
roles/custom/matrix-client-element/tasks/setup_install.yml
View File

@ -95,12 +95,17 @@
owner: "{{ matrix_user_username }}" owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}" group: "{{ matrix_user_groupname }}"
with_items: with_items:
- {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"}
- {src: "{{ role_path }}/templates/labels.j2", name: "labels"} - {src: "{{ role_path }}/templates/labels.j2", name: "labels"}
- {src: "{{ role_path }}/templates/env.j2", name: "env"}
- {src: "{{ matrix_client_element_page_template_welcome_path }}", name: "welcome.html"} - {src: "{{ matrix_client_element_page_template_welcome_path }}", name: "welcome.html"}
- {src: "{{ matrix_client_element_embedded_pages_home_path }}", name: "home.html"} - {src: "{{ matrix_client_element_embedded_pages_home_path }}", name: "home.html"}
when: "item.src is not none" when: "item.src is not none"
- name: Ensure Element Web nginx.conf file is removed
ansible.builtin.file:
path: "{{ matrix_client_element_data_path }}/nginx.conf"
state: absent
- name: Ensure Element Web config files removed - name: Ensure Element Web config files removed
ansible.builtin.file: ansible.builtin.file:
path: "{{ matrix_client_element_data_path }}/{{ item.name }}" path: "{{ matrix_client_element_data_path }}/{{ item.name }}"

1
roles/custom/matrix-client-element/templates/env.j2 Normal file
View File

@ -0,0 +1 @@
ELEMENT_WEB_PORT={{ matrix_client_element_container_port }}

66
roles/custom/matrix-client-element/templates/nginx.conf.j2
View File

@ -1,66 +0,0 @@
#jinja2: lstrip_blocks: "True"
# This is a custom nginx configuration file that we use in the container (instead of the default one),
# because it allows us to run nginx with a non-root user.
#
# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed.
# (mounting `/dev/null` over `/etc/nginx/conf.d/default.conf` works well)
#
# The following changes have been done compared to a default nginx configuration file:
# - default server port is changed (80 -> 8080), so that a non-root user can bind it
# - various temp paths are changed to `/tmp`, so that a non-root user can write to them
# - the `user` directive was removed, as we don't want nginx to switch users
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /tmp/nginx.pid;
events {
worker_connections 1024;
}
http {
proxy_temp_path /tmp/proxy_temp;
client_body_temp_path /tmp/client_temp;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
server {
listen 8080;
server_name localhost;
root /usr/share/nginx/html;
location / {
index index.html index.htm;
}
location ~* ^/(config(.+)?\.json$|(.+)\.html$|i18n) {
expires -1;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
}

4
roles/custom/matrix-client-element/templates/nginx.conf.j2.license
View File

@ -1,4 +0,0 @@
SPDX-FileCopyrightText: 2019 - 2022 Slavi Pantaleev
SPDX-FileCopyrightText: 2019 Hugues De Keyzer
SPDX-License-Identifier: AGPL-3.0-or-later

8
roles/custom/matrix-client-element/templates/systemd/matrix-client-element.service.j2
View File

@ -22,11 +22,15 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
--read-only \ --read-only \
--network={{ matrix_client_element_container_network }} \ --network={{ matrix_client_element_container_network }} \
{% if matrix_client_element_container_http_host_bind_port %} {% if matrix_client_element_container_http_host_bind_port %}
-p {{ matrix_client_element_container_http_host_bind_port }}:8080 \ -p {{ matrix_client_element_container_http_host_bind_port }}:{{ matrix_client_element_container_port }} \
{% endif %} {% endif %}
--label-file={{ matrix_client_element_data_path }}/labels \ --label-file={{ matrix_client_element_data_path }}/labels \
--env-file={{ matrix_client_element_data_path }}/env \
--tmpfs=/tmp:rw,noexec,nosuid,size=10m \ --tmpfs=/tmp:rw,noexec,nosuid,size=10m \
--mount type=bind,src={{ matrix_client_element_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ --tmpfs=/var/cache/nginx:rw,mode=777 \
--tmpfs=/var/run:rw,mode=777 \
--tmpfs=/tmp/element-web-config:rw,mode=777 \
--tmpfs=/etc/nginx/conf.d:rw,mode=777 \
--mount type=bind,src={{ matrix_client_element_data_path }}/config.json,dst=/app/config.json,ro \ --mount type=bind,src={{ matrix_client_element_data_path }}/config.json,dst=/app/config.json,ro \
--mount type=bind,src={{ matrix_client_element_data_path }}/config.json,dst=/app/config.{{ matrix_server_fqn_element }}.json,ro \ --mount type=bind,src={{ matrix_client_element_data_path }}/config.json,dst=/app/config.{{ matrix_server_fqn_element }}.json,ro \
{% if matrix_client_element_location_sharing_enabled %} {% if matrix_client_element_location_sharing_enabled %}