diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index fbc620bbc..e60eeee3c 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -2064,6 +2064,11 @@ matrix_mautrix_telegram_metrics_proxying_enabled: "{{ matrix_mautrix_telegram_me
 matrix_mautrix_telegram_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}"
 matrix_mautrix_telegram_metrics_proxying_path_prefix: "{{ matrix_metrics_exposure_path_prefix }}/mautrix-telegram"
 
+matrix_mautrix_telegram_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
+matrix_mautrix_telegram_exposure_enabled: "{{ matrix_bridges_exposure_enabled }}"
+matrix_mautrix_telegram_exposure_hostname: "{{ matrix_bridges_exposure_hostname }}"
+matrix_mautrix_telegram_exposure_path_prefix: "{{ matrix_bridges_exposure_path_prefix }}/telegram"
+
 # Postgres is the default, except if not using internal Postgres server
 matrix_mautrix_telegram_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}"
 matrix_mautrix_telegram_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
diff --git a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml
index c79e9df24..17206fe5b 100644
--- a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml
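Review bot: `matrix_mautrix_telegram_scheme` is derived from `matrix_playbook_ssl_enabled`, while the TLS flag of the router that will actually serve this address (`matrix_mautrix_telegram_container_labels_exposure_traefik_tls` in the role defaults, defined in a later hunk of this diff) is derived from the entrypoint name, so an overridden entrypoint can leave the advertised `public_address` saying `https://` for a router without TLS, or the reverse. Deriving the scheme from the same signal keeps the two in step: `matrix_mautrix_telegram_scheme: "{{ 'https' if (matrix_mautrix_telegram_container_labels_exposure_traefik_tls | bool) else 'http' }}"`. Whether the other bridge roles in this playbook use the ssl-flag form is not visible here; if they do, consistency may argue for keeping it and instead documenting the assumption next to the variable.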
@@ -46,6 +46,13 @@ matrix_mautrix_telegram_homeserver_domain: '{{ matrix_domain }}'
 matrix_mautrix_telegram_homeserver_async_media: false
 matrix_mautrix_telegram_appservice_address: 'http://matrix-mautrix-telegram:8080'
 
+# Scheme of the bridge's public address (see `matrix_mautrix_telegram_bridge_public_address`).
+matrix_mautrix_telegram_scheme: https
+
+# The public base URL at which this bridge's HTTP API is reachable from outside (when exposed).
+# Used for the provisioning API's external-server (OpenID) flow and for public media links.
+matrix_mautrix_telegram_bridge_public_address: "{{ (matrix_mautrix_telegram_scheme + '://' + matrix_mautrix_telegram_exposure_hostname + matrix_mautrix_telegram_exposure_path_prefix) if matrix_mautrix_telegram_exposure_enabled else '' }}"
+
 matrix_mautrix_telegram_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"
 matrix_mautrix_telegram_self_sign_enabled: "{{ matrix_bridges_self_sign_enabled }}"
 
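Review bot: `matrix_mautrix_telegram_bridge_public_address` concatenates `matrix_mautrix_telegram_exposure_hostname`, whose role default (later hunk in this file) is `''`, so enabling exposure without setting a hostname produces a malformed value of `https://` followed only by the path prefix, which config.yaml.j2 then writes into `public_address` as the address external services are told to use. The same empty hostname is interpolated into `Host(``)` in `matrix_mautrix_telegram_container_labels_exposure_traefik_rule` in the next hunk, so the role's validation tasks (not part of this diff) should fail early when `matrix_mautrix_telegram_exposure_enabled` is true and `matrix_mautrix_telegram_exposure_hostname` is empty, rather than letting an unroutable rule and a broken public URL through. The comment on `matrix_mautrix_telegram_scheme` could also note that the value is only consulted while exposure is enabled, e.g. `# Only used when matrix_mautrix_telegram_exposure_enabled is true.`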
@@ -81,6 +88,15 @@ matrix_mautrix_telegram_container_labels_metrics_middleware_basic_auth_enabled:
 # See: https://doc.traefik.io/traefik/middlewares/http/basicauth/#users
 matrix_mautrix_telegram_container_labels_metrics_middleware_basic_auth_users: ''
 
+# Controls whether labels will be added that expose mautrix-telegram's HTTP API
+# (used by tools like mautrix-manager for bridge login) at `https://`.
+matrix_mautrix_telegram_container_labels_exposure_enabled: "{{ matrix_mautrix_telegram_exposure_enabled }}"
+matrix_mautrix_telegram_container_labels_exposure_traefik_rule: "Host(`{{ matrix_mautrix_telegram_exposure_hostname }}`) && PathPrefix(`{{ matrix_mautrix_telegram_exposure_path_prefix }}`)"
+matrix_mautrix_telegram_container_labels_exposure_traefik_priority: 0
+matrix_mautrix_telegram_container_labels_exposure_traefik_entrypoints: "{{ matrix_mautrix_telegram_container_labels_traefik_entrypoints }}"
+matrix_mautrix_telegram_container_labels_exposure_traefik_tls: "{{ matrix_mautrix_telegram_container_labels_exposure_traefik_entrypoints != 'web' }}"
+matrix_mautrix_telegram_container_labels_exposure_traefik_tls_certResolver: "{{ matrix_mautrix_telegram_container_labels_traefik_tls_certResolver }}" # noqa var-naming
+
 # matrix_mautrix_telegram_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
 # See `../templates/labels.j2` for details.
 #
@@ -125,6 +141,11 @@ matrix_mautrix_telegram_metrics_proxying_enabled: false
 matrix_mautrix_telegram_metrics_proxying_hostname: ''
 matrix_mautrix_telegram_metrics_proxying_path_prefix: ''
 
+# Controls whether mautrix-telegram's HTTP API is exposed publicly (used by tools like mautrix-manager for bridge login).
+matrix_mautrix_telegram_exposure_enabled: false
+matrix_mautrix_telegram_exposure_hostname: ''
+matrix_mautrix_telegram_exposure_path_prefix: ''
+
 # Database-related configuration fields.
 #
 # To use SQLite, stick to these defaults.
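Review bot: The new exposure router has no authentication option at all, whereas the metrics router directly above it offers `matrix_mautrix_telegram_container_labels_metrics_middleware_basic_auth_*`, so once `matrix_mautrix_telegram_container_labels_exposure_enabled` is true everything under the exposure path prefix on the bridge's port is reachable by anyone who can reach the Traefik entrypoint and is guarded only by whatever the bridge enforces itself. That trade-off should be stated on the variable, e.g. `# No authentication middleware is applied at the reverse-proxy layer (compare the metrics basic-auth options above); the exposed API relies solely on the bridge's own access controls.` Separately, `matrix_mautrix_telegram_container_labels_exposure_traefik_tls` is a plain string comparison against `'web'`, so a comma-separated entrypoint list that contains `web` still yields TLS enabled; this mirrors the existing pattern in the playbook as far as visible here, so I note it for awareness rather than as a required change.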
diff --git a/roles/custom/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-telegram/templates/config.yaml.j2
index 55f5ff0fe..5ba88ffaa 100644
--- a/roles/custom/matrix-bridge-mautrix-telegram/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-telegram/templates/config.yaml.j2
@@ -281,7 +281,7 @@ appservice:
     # A public address that external services can use to reach this appservice.
     # This is only needed for things like public media. A reverse proxy is generally necessary when using this field.
     # This value doesn't affect the registration file.
-    public_address: ""
+    public_address: {{ matrix_mautrix_telegram_bridge_public_address | to_json }}
 
     # The hostname and port where this appservice should listen.
     # For Docker, you generally have to change the hostname to 0.0.0.0.
diff --git a/roles/custom/matrix-bridge-mautrix-telegram/templates/labels.j2 b/roles/custom/matrix-bridge-mautrix-telegram/templates/labels.j2
index f887f8960..c0aafff32 100644
--- a/roles/custom/matrix-bridge-mautrix-telegram/templates/labels.j2
+++ b/roles/custom/matrix-bridge-mautrix-telegram/templates/labels.j2
@@ -46,6 +46,39 @@ traefik.http.routers.matrix-mautrix-telegram-metrics.tls.certResolver={{ matrix_
 ############################################################
 {% endif %}
 
+{% if matrix_mautrix_telegram_container_labels_exposure_enabled %}
+############################################################
+# #
+# Bridge API exposure #
+# #
+############################################################
+
+traefik.http.services.matrix-mautrix-telegram-exposure.loadbalancer.server.port=8080
+
+traefik.http.middlewares.matrix-mautrix-telegram-exposure-strip-prefix.stripprefix.prefixes={{ matrix_mautrix_telegram_exposure_path_prefix }}
+traefik.http.routers.matrix-mautrix-telegram-exposure.middlewares=matrix-mautrix-telegram-exposure-strip-prefix
+
+traefik.http.routers.matrix-mautrix-telegram-exposure.rule={{ matrix_mautrix_telegram_container_labels_exposure_traefik_rule }}
+
+{% if matrix_mautrix_telegram_container_labels_exposure_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-mautrix-telegram-exposure.priority={{ matrix_mautrix_telegram_container_labels_exposure_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-mautrix-telegram-exposure.service=matrix-mautrix-telegram-exposure
+traefik.http.routers.matrix-mautrix-telegram-exposure.entrypoints={{ matrix_mautrix_telegram_container_labels_exposure_traefik_entrypoints }}
+
+traefik.http.routers.matrix-mautrix-telegram-exposure.tls={{ matrix_mautrix_telegram_container_labels_exposure_traefik_tls | to_json }}
+{% if matrix_mautrix_telegram_container_labels_exposure_traefik_tls %}
+traefik.http.routers.matrix-mautrix-telegram-exposure.tls.certResolver={{ matrix_mautrix_telegram_container_labels_exposure_traefik_tls_certResolver }}
+{% endif %}
+
+############################################################
+# #
+# /Bridge API exposure #
+# #
+############################################################
+{% endif %}
+
 {% endif %}