Adapt to new middlewares model

2024-01-29 00:10:03 +01:00 · 2024-01-29 00:10:03 +01:00 · e95a4004a8
parent 69b4b24758
commit e95a4004a8
3 changed files with 30 additions and 15 deletions
--- a/example/matrix.nomad.hcl
+++ b/example/matrix.nomad.hcl
@ -37,16 +37,20 @@ job "matrix" {
      }

      tags = [
-        "traefik.enable=true",
-
-        "traefik.http.middlewares.matrix-headers.headers.contentsecuritypolicy=connect-src 'self' https://scalar.vector.im https://api.maptiler.com;frame-src 'self' blob: https://scalar.vector.im/ https://meet.element.io;img-src 'self' data: blob: https://img.youtube.com https://*.ytimg.com;script-src 'self' https://usercontent.riot.im https://scalar.vector.im;worker-src 'self' blob:;",
        "traefik.http.routers.matrix-admin.rule=Host(`matrix.consul`) && (PathPrefix(`/_admin/`) || PathPrefix(`/_synapse/admin`))",
+
+        "traefik.enable=true",
        "traefik.http.routers.matrix-admin.entrypoints=https",
-        "traefik.http.routers.matrix-admin.middlewares=matrix-headers,rate-limit-std@file,inflight-std@file,security-headers@file,hsts@file",
+        "traefik.http.middlewares.matrix-csp.headers.contentsecuritypolicy=connect-src 'self' https://scalar.vector.im https://api.maptiler.com;default-src 'self';font-src 'self' data:;frame-src 'self' blob: https://scalar.vector.im/ https://meet.element.io;img-src 'self' data: blob: https://img.youtube.com https://*.ytimg.com;script-src 'self' https://usercontent.riot.im https://scalar.vector.im;style-src 'self' 'unsafe-inline';worker-src 'self' blob:;",
+        "traefik.http.routers.matrix-admin.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,matrix-csp",

        "traefik.http.routers.matrix.rule=Host(`matrix.consul`) || (Host(`matrix.consul`) && PathRegexp(`^/(_(synapse|matrix)|\\.well-known/matrix)/.*`))",
+
+        "traefik.enable=true",
        "traefik.http.routers.matrix.entrypoints=https",
-        "traefik.http.routers.matrix.middlewares=matrix-headers,rate-limit-std@file,inflight-std@file,security-headers@file,hsts@file",
+        "traefik.http.middlewares.matrix-csp.headers.contentsecuritypolicy=connect-src 'self' https://scalar.vector.im https://api.maptiler.com;default-src 'self';font-src 'self' data:;frame-src 'self' blob: https://scalar.vector.im/ https://meet.element.io;img-src 'self' data: blob: https://img.youtube.com https://*.ytimg.com;script-src 'self' https://usercontent.riot.im https://scalar.vector.im;style-src 'self' 'unsafe-inline';worker-src 'self' blob:;",
+        "traefik.http.routers.matrix.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,matrix-csp",
+
      ]

      connect {
@ -59,6 +63,18 @@ job "matrix" {
          }
        }
        sidecar_task {
+          config {
+            args = [
+              "-c",
+              "${NOMAD_SECRETS_DIR}/envoy_bootstrap.json",
+              "-l",
+              "${meta.connect.log_level}",
+              "--concurrency",
+              "${meta.connect.proxy_concurrency}",
+              "--disable-hot-restart"
+            ]
+          }
+
          resources {
            cpu    = 50
            memory = 64
@ -268,6 +284,7 @@ _EOT
        destination = "/data"
      }

+
      resources {
        cpu    = 500
        memory = 384
@ -425,6 +442,7 @@ _EOT
        destination = "local/element.json"
      }

+
      resources {
        cpu    = 20
        memory = 16
--- a/matrix.nomad.hcl
+++ b/matrix.nomad.hcl
@ -31,18 +31,11 @@ job "[[ .instance ]]" {

      tags = [
 [[- $w := merge .matrix.nginx .matrix . ]]
-        "[[ $w.traefik.instance ]].enable=[[ $w.traefik.enabled ]]",
-
-        "[[ $w.traefik.instance ]].http.middlewares.[[ .instance ]]-headers[[ .consul.suffix ]].headers.contentsecuritypolicy=[[ range $k, $v := $w.traefik.csp ]][[ $k ]] [[ $v ]];[[ end ]]",
-
 [[- $a := merge .matrix.nginx.admin $w ]]
        "[[ $a.traefik.instance ]].http.routers.[[ .instance ]]-admin[[ .consul.suffix ]].rule=Host(`[[ (urlParse .matrix.public_url).Hostname ]]`) && (PathPrefix(`/_admin/`) || PathPrefix(`/_synapse/admin`))",
-        "[[ $a.traefik.instance ]].http.routers.[[ .instance ]]-admin[[ .consul.suffix ]].entrypoints=[[ join $a.traefik.entrypoints "," ]]",
-        "[[ $a.traefik.instance ]].http.routers.[[ .instance ]]-admin[[ .consul.suffix ]].middlewares=[[ .instance ]]-headers[[ .consul.suffix ]],[[ template "common/traefik_middlewares" $a ]]",
-
+[[ template "common/traefik_tags" $a ]]
        "[[ $w.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].rule=Host(`[[ (urlParse .matrix.public_url).Hostname ]]`) || (Host(`[[ .matrix.server_name ]]`) && PathRegexp(`^/(_(synapse|matrix)|\\.well-known/matrix)/.*`))",
-        "[[ $w.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].entrypoints=[[ join $w.traefik.entrypoints "," ]]",
-        "[[ $w.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ .instance ]]-headers[[ .consul.suffix ]],[[ template "common/traefik_middlewares" $w ]]",
+[[ template "common/traefik_tags" $w ]]
      ]

 [[ template "common/connect" merge $c ]]
--- a/variables.yml
+++ b/variables.yml
@ -125,10 +125,14 @@ matrix:
        img-src: "'self' data: blob: https://img.youtube.com https://*.ytimg.com"
        frame-src: "'self' blob: https://scalar.vector.im/ https://meet.element.io"

+      auto_rule: false
+
    # Admin will apply to requests directed to /_admin/ (synapse-admin) and /_synapse/admin (admin API)
    # so you can restrict it further
    admin:
-      traefik: {}
+      traefik:
+        auto_rule: false
+        router: '[[ .instance ]]-admin[[ .consul.suffix ]]'

  # Volumes used for data persistance
  volumes: