This was meant to serve as an intermediary for services needing to reach
the homeserver. It was used like that for a while in this
`bye-bye-nginx-proxy` branch, but was never actually public.
It has recently been superseded by homeserver-like services injecting
themselves into a new internal Traefik entrypoint
(see `matrix_playbook_internal_matrix_client_api_traefik_entrypoint_*`),
so `matrix-homeserver-proxy` is no longer necessary.
---
This is probably a good moment to share some benchmarks and reasons
for going with the internal Traefik entrypoint as opposed to this nginx
service.
1. (1400 rps) Directly to Synapse (`ab -n 1000 -c 100 http://matrix-synapse:8008/_matrix/client/versions`
2. (~900 rps) Via `matrix-homeserver-proxy` (nginx) proxying to Synapse (`ab -n 1000 -c 100 http://matrix-homeserver-proxy:8008/_matrix/client/versions`)
3. (~1200 rps) Via the new internal entrypoint of Traefik (`matrix-internal-matrix-client-api`) proxying to Synapse (`ab -n 1000 -c 100 http://matrix-traefik:8008/_matrix/client/versions`)
Besides Traefik being quicker for some reason, there are also other
benefits to not having this `matrix-homeserver-proxy` component:
- we can reuse what we have in terms of labels. Services can register a few extra labels on the new Traefik entrypoint
- we don't need services (like `matrix-media-repo`) to inject custom nginx configs into `matrix-homeserver-proxy`. They just need to register labels, like they do already.
- Traefik seems faster than nginx on this benchmark for some reason, which is a nice bonus
- no need to run one extra container (`matrix-homeserver-proxy`) and execute one extra Ansible role
- no need to maintain a setup where some people run the `matrix-homeserver-proxy` component (because they have route-stealing services like `matrix-media-repo` enabled) and others run an optimized setup without this component and everything needs to be rewired to talk to the homeserver directly. Now, everyone can go through Traefik and we can all run an identical setup
Downsides of the new Traefik entrypoint setup are that:
- all addon services that need to talk to the homeserver now depend on Traefik
- people running their own Traefik setup will be inconvenienced - they
need to manage one additional entrypoint
We'd be adding integration with an internal Traefik entrypoint
(`matrix_playbook_internal_matrix_client_api_traefik_entrypoint`),
so renaming helps disambiguate things.
There's no need for deperecation tasks, because the old names
have only been part of this `bye-bye-nginx-proxy` branch and not used by
anyone publicly.
This is a bit of a compatibility break.
The role was defaulting the Postgres password to `some-password` and we
auto-generate it now.
However, rebuilding both Postgres and this service should unify the
database credentials and the service configs to the new value.
This reverts commit bf95ad2235.
This was a bad idea.
It's better to have people manually define the password.
Otherwise, `matrix_homeserver_generic_secret_key` changing some day in
the future would break the bot and one would have to figure out how to
reset its password manually.
Using an explicit password is more stable.
A lot of services are yet to be updated to start connecting to
`devture_postgres_container_network` as an additional network.
Many are already done, but I'll go through all the others later.
Downsides: decreasing security slightly due to less networking isolation
Benefits:
- decreased complexity
- having a generically-named `matrix-addons` network we may use for other things now (client apps, etc.)
- not exhausting the container networks pool with 2 (or more) networks and using just 1
This also updates validation tasks and documentation, pointing to
variables in the matrix-synapse role which don't currently exist yet
(e.g. `matrix_synapse_container_labels_client_synapse_admin_api_enabled`).
These variables will be added soon, as Traefik labels are added to the
`matrix-synapse` role. At that point, the `matrix-synapse-reverse-proxy-companion` role
will be updated to also use them.
matrix-nginx-proxy is going away and this is one of the features it
offered.
This feature will have no equivalent in our new Traefik-only
setup, although it's possible to implement it manually by using
`matrix_client_element_container_labels_additional_labels`
This is still very far from usable.
Various bridges and bots are still talking to
`matrix-nginx-proxy` instead of the new `matrix-homeserver-proxy` role.
These services need to be reworked. While reworking them,
various cleanups are being done as well as adding Traefik-labels to
those that need them.
It seems like connectivity is problematic, even though the networks
appear to be configured correctly:
> [ioredis] Unhandled error event: Error: connect ECONNREFUSED 172.22.0.2:6739
> at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1595:16)
For now, I disable pointing the queue host to Redis to avoid it.
It should be investigated.
People who enable Hookshot's new experimental encryption may encounter
this also.
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3042
Squashed based on the work done in https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3042
commit 49932b8f3c
Author: Slavi Pantaleev <slavi@devture.com>
Date: Sat Dec 16 09:21:31 2023 +0200
Fix syntax in matrix-bridge-hookshot/tasks/reset_encryption.yml
Also, this task always does work and side-effects, so it should always report changes
(`changed_when: true`).
commit 6bdf7a9dcb
Author: Slavi Pantaleev <slavi@devture.com>
Date: Sat Dec 16 09:12:41 2023 +0200
Add Hookshot validation task to ensure queue settings are set when encryption is enabled
commit 8c531b7971
Author: Slavi Pantaleev <slavi@devture.com>
Date: Sat Dec 16 09:10:17 2023 +0200
Add missing variables rewiring in group_vars/matrix_servers for Hookshot
commit 7d26dabc2f
Author: Slavi Pantaleev <slavi@devture.com>
Date: Sat Dec 16 09:08:19 2023 +0200
Add defaults for matrix_hookshot_queue_host and matrix_hookshot_queue_port
commit 74f91138c9
Author: Slavi Pantaleev <slavi@devture.com>
Date: Sat Dec 16 09:06:17 2023 +0200
Fix syntax for connecting to additional networks for Hookshot
commit ca7b41f3f2
Author: Slavi Pantaleev <slavi@devture.com>
Date: Sat Dec 16 09:05:28 2023 +0200
Fix indentation and remove unnecessary if-statements
commit ac4a918d58
Author: Slavi Pantaleev <slavi@devture.com>
Date: Sat Dec 16 09:04:44 2023 +0200
Add missing --network for Hookshot
This seems to have been removed by accident.
commit 6a81fa208f
Author: Slavi Pantaleev <slavi@devture.com>
Date: Sat Dec 16 09:02:47 2023 +0200
Make automatic Redis enabling safer, when Hookshot encryption enabled
If we ever default encryption to enabled for Hookshot, we only wish to force-enable Redis if Hookshot is actually enabled.
commit 75a8e0f2a6
Author: Slavi Pantaleev <slavi@devture.com>
Date: Sat Dec 16 09:01:10 2023 +0200
Fix typo
commit 98ad182eac
Author: Joshua Hoffmann <joshua.hoffmann@b1-systems.de>
Date: Fri Dec 15 22:37:40 2023 +0100
Add defaults for Hookshot's encryption
commit 29fa9fab15
Author: Joshua Hoffmann <joshua.hoffmann@b1-systems.de>
Date: Fri Dec 15 22:35:11 2023 +0100
Improve wording of Hookshot's encryption section
commit 4f835e0560
Author: Joshua Hoffmann <joshua.hoffmann@b1-systems.de>
Date: Fri Dec 15 22:28:52 2023 +0100
use safer mount options for the container's files
commit 8c93327e25
Author: Joshua Hoffmann <joshua.hoffmann@b1-systems.de>
Date: Fri Dec 15 22:26:01 2023 +0100
fix filename
commit 03a7bb6e77
Merge: e55d769406047763
Author: Joshua Hoffmann <joshua.hoffmann@b1-systems.de>
Date: Fri Dec 15 22:23:44 2023 +0100
Merge branch 'HarHarLinks/hookshot-encryption' of https://github.com/real-joshua/matrix-docker-ansible-deploy into HarHarLinks/hookshot-encryption
commit 06047763bb
Author: Joshua Hoffmann <joshua.hoffmann@b1-systems.de>
Date: Fri Dec 15 22:15:54 2023 +0100
Update roles/custom/matrix-bridge-hookshot/templates/config.yml.j2
change the if statement to not require a variable with a length > 0 and add a filter to json for the redis host
Co-authored-by: Slavi Pantaleev <slavi@devture.com>
commit e55d769465
Author: Joshua Hoffmann <joshua.hoffmann@b1-systems.de>
Date: Fri Dec 15 22:13:50 2023 +0100
clarify that Redis is required, standardadise on Hookshot with an upper-case first letter for consistency
commit 66706e4535
Author: Joshua Hoffmann <joshua.hoffmann@b1-systems.de>
Date: Fri Dec 15 22:08:20 2023 +0100
Update roles/custom/matrix-bridge-hookshot/templates/config.yml.j2
fix for a typo
Co-authored-by: Slavi Pantaleev <slavi@devture.com>
commit f6aaeb9a16
Merge: e5d34002869dd33f
Author: Joshua Hoffmann <joshua.hoffmann@b1-systems.de>
Date: Fri Dec 15 00:22:34 2023 +0100
Merge branch 'master' into HarHarLinks/hookshot-encryption
commit e5d34002fd
Author: Joshua Hoffmann <joshua.hoffmann@b1-systems.de>
Date: Fri Dec 15 00:09:27 2023 +0100
Add Jinja loop to allow adding multiple networks
commit 69f947782d
Author: Joshua Hoffmann <joshua.hoffmann@b1-systems.de>
Date: Thu Dec 14 23:52:41 2023 +0100
split if statements for the message queue and experimental encryption support into seperate statements
commit 4c13be1c89
Author: Joshua Hoffmann <joshua.hoffmann@b1-systems.de>
Date: Thu Dec 14 23:31:19 2023 +0100
change variable name per spantaleev's suggestion (https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2979#discussion_r1379015551)
commit 9905309aa9
Author: HarHarLinks <kim.brose@rwth-aachen.de>
Date: Wed Nov 1 16:14:04 2023 +0100
amend docs
commit 94abf2d5bd
Author: HarHarLinks <kim.brose@rwth-aachen.de>
Date: Wed Nov 1 16:05:22 2023 +0100
draft encryption support for hookshot
Currently v3.0.0 tested with no issues.
So remove matrix_user_verification_service_docker_image from groups_vars.
/.npm must be writable or an error will be reported.
* Inital work, copeid from mautrix-amp PR
* Some fixes leftover code copeid over from whatsapp
* Got it to run and register
* Fixed service issue with docker image
* I now realize I need 2 roles wsproxy and imessage
* Got someting working, still rough
* Closer to working but still not working
* reverting ports
* Update main.yml
* Add matrix-nginx-proxy config for mautrix-wsproxy
* Changed
* Add back file
* fix for error hopefully
* Changed the the way nginx was recieved
* basically did not add anything ugh
* Added some arguments
* just trying stuff now
* Ugh i messed up port number
* Changed docs
* Change dns config
* changed generic secret key
* Testing new nginx proxy
* test
* Fix linting errors
* Add mautrix syncproxy to wsproxy for Android SMS
* WIP
* Move wsproxy to custom
* Squashed commit of the following:
commit 943189a9aa
Merge: 4a229d68f5a09f30
Author: Slavi Pantaleev <slavi@devture.com>
Date: Sun Nov 13 08:54:32 2022 +0200
Merge pull request #2259 from throny/patch-3
warn users about upgrading to pg15 when using borg
commit 4a229d6870
Merge: 9b326e08c68def08
Author: Slavi Pantaleev <slavi@devture.com>
Date: Sun Nov 13 08:53:13 2022 +0200
Merge pull request #2260 from etkecc/patch-117
Update ntfy 1.28.0 -> 1.29.0
commit f5a09f30b7
Author: throny <m.throne12@gmail.com>
Date: Sat Nov 12 23:48:57 2022 +0100
Update maintenance-postgres.md
commit b12cdbd99d
Author: throny <m.throne12@gmail.com>
Date: Sat Nov 12 23:40:46 2022 +0100
Update maintenance-postgres.md
commit c68def0809
Author: Aine <97398200+etkecc@users.noreply.github.com>
Date: Sat Nov 12 22:01:31 2022 +0000
Update ntfy 1.28.0 -> 1.29.0
commit adbc09f152
Author: throny <m.throne12@gmail.com>
Date: Sat Nov 12 11:20:43 2022 +0100
warn users about upgrading to pg15 when using borg
* Fix linting errors
* Cleanup after merge
* Correct outdated variable names
* Enable both Android and iMessage with wsproxy
* Restructure wsproxy service defs and nginx config
* Fix linter errors
* Apply suggestions from code review
Co-authored-by: Slavi Pantaleev <slavi@devture.com>
* Fix comments for documentation, volumes and ports
* Correct mount syntax
* Complete network and traefik support for wsproxy
* Remove wsproxy data_path
* Fix wsproxy service definitions
* Actually include syncproxy service
* Remove wsproxy PathPrefix, it needs a subdomain
There's no setting in the iMessage bridge that allows a path.
Also don't bind port by default, wsproxy has no TLS.
Syncproxy should never expose a port, it's only internal.
---------
Co-authored-by: hanthor <jreilly112@gmail.com>
Co-authored-by: Miguel Alatzar <miguel@natrx.io>
Co-authored-by: Shreyas Ajjarapu <github.tzarina@aleeas.com>
Co-authored-by: Slavi Pantaleev <slavi@devture.com>
* intial commit
* changed
* Reorderd
* merge old changes
* added changes to matrix_servers
* Remove duplicate discord
* Update main.yml
* added google message to configuring-playbook.md
* Changed docs to add new changes
* Changed bug?
* Removed problem j2 values
* Rename a service files
* change how password hash string
* Changed port number
* Change how the local part works
* Revert "Merge pull request #8 from shreyasajj/wsproxy"
This reverts commit bb1b8fc67c, reversing
changes made to cce6ba5f9d.
---------
Co-authored-by: Shreyas Ajjarapu <github.tzarina@aleeas.com>
Making the group match the Ansible task tags allows people to do `just install-service matrix-media-repo` and have that trigger both `--tags=matrix-media-repo` and also restart just that single group (`matrix-media-repo`).
Previously `just install-service buscarron` would not fully work,
because:
- the systemd services were indeed tagged with `buscarron`
- however, the actual installation tasks are not
`install-buscarron`/`setup-buscarron`, but rather
`install-bot-buscarron`/`setup-bot-buscarron`
Services are now tagged with the `bot-` prefix to match the tags.
