mirror of
https://github.com/spantaleev/matrix-docker-ansible-deploy.git
synced 2025-03-12 16:31:27 +00:00
Run Element Web in tightened/read-only mode without a custom nginx config
Newer Element Web versions allow for the nginx port to be
overriden, etc., and provide instructions for running in read-only mode.
This makes our custom `nginx.conf` patches unnecessary.
Passing the correct `ELEMENT_WEB_PORT` environment variable
also helps with future changes.
Another benefit of this (besides keeping closer to upstream
recommendations and the improved simplicity) is that:
- the container can run its entrypoint env-substitutions code now,
without reporting errors
- IPv6 for nginx works, so `matrix-client-element:8080` is accessible
via IPv6 on the container network now
(this affects only for Traefik's communicaton with Element Web
internally; public connectivity was handled by Traefik and IPv6 was
available there even before)
Ref:
- 2052080d7d/docs/install.md (docker)
- https://github.com/element-hq/element-web/pull/28849
- https://github.com/element-hq/element-web/pull/28840
This commit is contained in:
Slavi Pantaleev
parent
16f9e7dd46
commit
e65d198841
@ -48,9 +48,16 @@ matrix_client_element_container_network: ''
|
||||
# Use this to expose this container to a reverse proxy, which runs in a different container network.
|
||||
matrix_client_element_container_additional_networks: []
|
||||
|
||||
# Controls the in-container port that Element will use.
|
||||
#
|
||||
# Also see: `matrix_client_element_container_http_host_bind_port`
|
||||
matrix_client_element_container_port: 8080
|
||||
|
||||
# Controls whether the matrix-client-element container exposes its HTTP port (tcp/8080 in the container).
|
||||
#
|
||||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8765"), or empty string to not expose.
|
||||
#
|
||||
# Also see: `matrix_client_element_container_port`
|
||||
matrix_client_element_container_http_host_bind_port: ''
|
||||
|
||||
# matrix_client_element_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
|
||||
|
||||
@ -95,12 +95,17 @@
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
with_items:
|
||||
- {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"}
|
||||
- {src: "{{ role_path }}/templates/labels.j2", name: "labels"}
|
||||
- {src: "{{ role_path }}/templates/env.j2", name: "env"}
|
||||
- {src: "{{ matrix_client_element_page_template_welcome_path }}", name: "welcome.html"}
|
||||
- {src: "{{ matrix_client_element_embedded_pages_home_path }}", name: "home.html"}
|
||||
when: "item.src is not none"
|
||||
|
||||
- name: Ensure Element Web nginx.conf file is removed
|
||||
ansible.builtin.file:
|
||||
path: "{{ matrix_client_element_data_path }}/nginx.conf"
|
||||
state: absent
|
||||
|
||||
- name: Ensure Element Web config files removed
|
||||
ansible.builtin.file:
|
||||
path: "{{ matrix_client_element_data_path }}/{{ item.name }}"
|
||||
|
||||
1
roles/custom/matrix-client-element/templates/env.j2
Normal file
1
roles/custom/matrix-client-element/templates/env.j2
Normal file
@ -0,0 +1 @@
|
||||
ELEMENT_WEB_PORT={{ matrix_client_element_container_port }}
|
||||
@ -1,66 +0,0 @@
|
||||
#jinja2: lstrip_blocks: "True"
|
||||
# This is a custom nginx configuration file that we use in the container (instead of the default one),
|
||||
# because it allows us to run nginx with a non-root user.
|
||||
#
|
||||
# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed.
|
||||
# (mounting `/dev/null` over `/etc/nginx/conf.d/default.conf` works well)
|
||||
#
|
||||
# The following changes have been done compared to a default nginx configuration file:
|
||||
# - default server port is changed (80 -> 8080), so that a non-root user can bind it
|
||||
# - various temp paths are changed to `/tmp`, so that a non-root user can write to them
|
||||
# - the `user` directive was removed, as we don't want nginx to switch users
|
||||
|
||||
worker_processes 1;
|
||||
|
||||
error_log /var/log/nginx/error.log warn;
|
||||
pid /tmp/nginx.pid;
|
||||
|
||||
|
||||
events {
|
||||
worker_connections 1024;
|
||||
}
|
||||
|
||||
|
||||
http {
|
||||
proxy_temp_path /tmp/proxy_temp;
|
||||
client_body_temp_path /tmp/client_temp;
|
||||
fastcgi_temp_path /tmp/fastcgi_temp;
|
||||
uwsgi_temp_path /tmp/uwsgi_temp;
|
||||
scgi_temp_path /tmp/scgi_temp;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||
|
||||
access_log /var/log/nginx/access.log main;
|
||||
|
||||
sendfile on;
|
||||
#tcp_nopush on;
|
||||
|
||||
keepalive_timeout 65;
|
||||
|
||||
#gzip on;
|
||||
|
||||
server {
|
||||
listen 8080;
|
||||
server_name localhost;
|
||||
|
||||
root /usr/share/nginx/html;
|
||||
|
||||
location / {
|
||||
index index.html index.htm;
|
||||
}
|
||||
|
||||
location ~* ^/(config(.+)?\.json$|(.+)\.html$|i18n) {
|
||||
expires -1;
|
||||
}
|
||||
|
||||
error_page 500 502 503 504 /50x.html;
|
||||
location = /50x.html {
|
||||
root /usr/share/nginx/html;
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -1,4 +0,0 @@
|
||||
SPDX-FileCopyrightText: 2019 - 2022 Slavi Pantaleev
|
||||
SPDX-FileCopyrightText: 2019 Hugues De Keyzer
|
||||
|
||||
SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
@ -22,11 +22,15 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
|
||||
--read-only \
|
||||
--network={{ matrix_client_element_container_network }} \
|
||||
{% if matrix_client_element_container_http_host_bind_port %}
|
||||
-p {{ matrix_client_element_container_http_host_bind_port }}:8080 \
|
||||
-p {{ matrix_client_element_container_http_host_bind_port }}:{{ matrix_client_element_container_port }} \
|
||||
{% endif %}
|
||||
--label-file={{ matrix_client_element_data_path }}/labels \
|
||||
--env-file={{ matrix_client_element_data_path }}/env \
|
||||
--tmpfs=/tmp:rw,noexec,nosuid,size=10m \
|
||||
--mount type=bind,src={{ matrix_client_element_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \
|
||||
--tmpfs=/var/cache/nginx:rw,mode=777 \
|
||||
--tmpfs=/var/run:rw,mode=777 \
|
||||
--tmpfs=/tmp/element-web-config:rw,mode=777 \
|
||||
--tmpfs=/etc/nginx/conf.d:rw,mode=777 \
|
||||
--mount type=bind,src={{ matrix_client_element_data_path }}/config.json,dst=/app/config.json,ro \
|
||||
--mount type=bind,src={{ matrix_client_element_data_path }}/config.json,dst=/app/config.{{ matrix_server_fqn_element }}.json,ro \
|
||||
{% if matrix_client_element_location_sharing_enabled %}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user