Fix CSP and cleanup

example/matrix.nomad.hcl

@@ -1,6 +1,5 @@
 job "matrix" {
 
-
   datacenters = ["dc1"]
 
 
@@ -41,14 +40,13 @@ job "matrix" {
         "traefik.enable=true",
 
         "traefik.http.middlewares.matrix-headers.headers.contentsecuritypolicy=connect-src 'self' https://scalar.vector.im https://api.maptiler.com;frame-src 'self' blob: https://scalar.vector.im/ https://meet.element.io;img-src 'self' data: blob: https://img.youtube.com https://*.ytimg.com;script-src 'self' https://usercontent.riot.im https://scalar.vector.im;worker-src 'self' blob:;",
-
         "traefik.http.routers.matrix-admin.rule=Host(`matrix.consul`) && (PathPrefix(`/_admin/`) || PathPrefix(`/_synapse/admin`))",
         "traefik.http.routers.matrix-admin.entrypoints=https",
-        "traefik.http.routers.matrix-admin.middlewares=rate-limit-high@file,inflight-high@file,security-headers@file,hsts@file,compression@file",
+        "traefik.http.routers.matrix-admin.middlewares=matrix-headers,rate-limit-std@file,inflight-std@file,security-headers@file,hsts@file",
 
         "traefik.http.routers.matrix.rule=Host(`matrix.consul`) || (Host(`matrix.consul`) && PathRegexp(`^/(_(synapse|matrix)|\\.well-known/matrix)/.*`))",
         "traefik.http.routers.matrix.entrypoints=https",
-        "traefik.http.routers.matrix.middlewares=rate-limit-high@file,inflight-high@file,security-headers@file,hsts@file",
+        "traefik.http.routers.matrix.middlewares=matrix-headers,rate-limit-std@file,inflight-std@file,security-headers@file,hsts@file",
       ]
 
       connect {

matrix.nomad.hcl

@@ -1,5 +1,5 @@
-[[ $c := merge .matrix.synapse . -]]
-job [[ .instance | toJSON ]] {
+job "[[ .instance ]]" {
+[[ $c := merge .matrix.synapse .matrix . -]]
 
 [[ template "common/job_start" $c ]]
 
@@ -9,7 +9,7 @@ job [[ .instance | toJSON ]] {
       mode = "bridge"
     }
 
-[[ template "common/volumes" .matrix.volumes ]]
+[[ template "common/volumes" $c ]]
 
     service {
       name = "[[ .instance ]][[ .consul.suffix ]]"
@@ -30,32 +30,33 @@ job [[ .instance | toJSON ]] {
       }
 
       tags = [
-[[- $w := merge .matrix.nginx . ]]
+[[- $w := merge .matrix.nginx .matrix . ]]
         "[[ $w.traefik.instance ]].enable=[[ $w.traefik.enabled ]]",
 
-        "[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]]-headers[[ .consul.suffix ]].headers.contentsecuritypolicy=[[ range $k, $v := $w.traefik.csp ]][[ $k ]] [[ $v ]];[[ end ]]",
+        "[[ $w.traefik.instance ]].http.middlewares.[[ .instance ]]-headers[[ .consul.suffix ]].headers.contentsecuritypolicy=[[ range $k, $v := $w.traefik.csp ]][[ $k ]] [[ $v ]];[[ end ]]",
 
-        "[[ $w.traefik.instance ]].http.routers.[[ .instance ]]-admin[[ .consul.suffix ]].rule=Host(`[[ (urlParse .matrix.public_url).Hostname ]]`) && (PathPrefix(`/_admin/`) || PathPrefix(`/_synapse/admin`))",
-        "[[ $w.traefik.instance ]].http.routers.[[ .instance ]]-admin[[ .consul.suffix ]].entrypoints=[[ join $w.traefik.entrypoints "," ]]",
-        "[[ $w.traefik.instance ]].http.routers.[[ .instance ]]-admin[[ .consul.suffix ]].middlewares=[[ template "common/traefik_middlewares" $w.traefik.admin ]]",
+[[- $a := merge .matrix.nginx.admin $w ]]
+        "[[ $a.traefik.instance ]].http.routers.[[ .instance ]]-admin[[ .consul.suffix ]].rule=Host(`[[ (urlParse .matrix.public_url).Hostname ]]`) && (PathPrefix(`/_admin/`) || PathPrefix(`/_synapse/admin`))",
+        "[[ $a.traefik.instance ]].http.routers.[[ .instance ]]-admin[[ .consul.suffix ]].entrypoints=[[ join $a.traefik.entrypoints "," ]]",
+        "[[ $a.traefik.instance ]].http.routers.[[ .instance ]]-admin[[ .consul.suffix ]].middlewares=[[ .instance ]]-headers[[ .consul.suffix ]],[[ template "common/traefik_middlewares" $a ]]",
 
         "[[ $w.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].rule=Host(`[[ (urlParse .matrix.public_url).Hostname ]]`) || (Host(`[[ .matrix.server_name ]]`) && PathRegexp(`^/(_(synapse|matrix)|\\.well-known/matrix)/.*`))",
         "[[ $w.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].entrypoints=[[ join $w.traefik.entrypoints "," ]]",
-        "[[ $w.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ template "common/traefik_middlewares" $w.traefik ]]",
+        "[[ $w.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ .instance ]]-headers[[ .consul.suffix ]],[[ template "common/traefik_middlewares" $w ]]",
       ]
 
-[[ template "common/connect" merge .matrix . ]]
+[[ template "common/connect" merge $c ]]
     }
 
 [[ template "common/task.wait_for" $c ]]
 [[ template "common/task.pgpooler" $c ]]
 
     task "synapse" {
-      driver = [[ $c.nomad.driver | toJSON ]]
+      driver = "[[ $c.nomad.driver ]]"
       leader = true
 
       config {
-        image           = [[ $c.image | toJSON ]]
+        image           = "[[ $c.image ]]"
         pids_limit      = 200
         readonly_rootfs = true
       }
@@ -91,38 +92,38 @@ _EOT
         destination = "/data"
       }
 
-[[ template "common/resources" $c.resources ]]
+[[ template "common/resources" $c ]]
     }
 
 [[ $c = merge .matrix.nginx . ]]
     task "nginx" {
-      driver = [[ $c.nomad.driver | toJSON ]]
+      driver = "[[ $c.nomad.driver ]]"
 
       config {
-        image           = [[ $c.image | toJSON ]]
+        image           = "[[ $c.image ]]"
         readonly_rootfs = true
         pids_limit      = 100
         volumes         = [
           "local/nginx.conf:/etc/nginx/conf.d/default.conf:ro",
         ]
-        [[ template "common/tmpfs" dict "size" "5000000" "target" "/tmp" ]]
+[[ template "common/tmpfs" dict "size" "5000000" "target" "/tmp" ]]
       }
 
       template {
         data =<<_EOT
-[[ template "matrix/nginx.conf.tpl" . ]]
+[[ template "matrix/nginx.conf.tpl" $c ]]
 _EOT
         destination = "local/nginx.conf"
       }
 
       template {
         data =<<_EOT
-[[ template "matrix/element.json.tpl" . ]]
+[[ template "matrix/element.json.tpl" $c ]]
 _EOT
         destination = "local/element.json"
       }
 
-[[ template "common/resources" $c.resources ]]
+[[ template "common/resources" $c ]]
     }
   }
 }

variables.yml

@@ -125,27 +125,10 @@ matrix:
         img-src: "'self' data: blob: https://img.youtube.com https://*.ytimg.com"
         frame-src: "'self' blob: https://scalar.vector.im/ https://meet.element.io"
 
-      # List of middleware to apply
-      middlewares: []
-
-      # Override base_middlewares to remove csp-relaxed@file
-      base_middlewares:
-        - rate-limit-high@file
-        - inflight-high@file
-        - security-headers@file
-        - hsts@file
-        #- compression@file
-
-      # Admin will apply to requests directed to /_admin/ (synapse-admin) and /_synapse/admin (admin API)
-      # so you can restrict it further
-      admin:
-        base_middlewares:
-          - rate-limit-high@file
-          - inflight-high@file
-          - security-headers@file
-          - hsts@file
-          - compression@file
-        middlewares: []
+    # Admin will apply to requests directed to /_admin/ (synapse-admin) and /_synapse/admin (admin API)
+    # so you can restrict it further
+    admin:
+      traefik: {}
 
   # Volumes used for data persistance
   volumes: