From d397dd6e54ba73003635b712ad03d0d6e45bc727 Mon Sep 17 00:00:00 2001
From: Dennis Hjort
Date: Tue, 1 Jul 2025 22:09:51 +0200
Subject: [PATCH 1/2] Add nginx proxy and service usage details

---
 README.md | 23 +++++++++++++++++++++++
 deploymatrix.yml | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+)

diff --git a/README.md b/README.md
index 26aab7c..4069f48 100644
--- a/README.md
+++ b/README.md
@@ -12,6 +12,7 @@ The deployment provisions the following services:
 - **Element Web** – web interface for chat.
 - **Element Call** – WebRTC calling client.
 - **Keycloak** – optional SSO provider.
+- **Nginx** – reverse proxy providing friendly URLs for the services.
 
 Server-side services (Synapse, PostgreSQL, Coturn) run inside a single container. Client-facing services (Element Web and Element Call) run in a separate container. Both containers are managed by Podman in rootless mode.
 
@@ -43,6 +44,28 @@ Most variables have sensible defaults. Wherever possible, credentials (such as P
 
 The playbook supports running on the local machine or targeting a remote server via SSH. Because containers are rootless, the same playbook can be executed under a normal user account or a dedicated service account.
 
+## Usage and Administration
+
+After deployment, an Nginx reverse proxy listens on port `80` and routes
+requests to each service:
+
+- `http:///` → Element Web
+- `http:///call/` → Element Call
+- `http:///synapse/` → Synapse
+- `http:///keycloak/` → Keycloak
+
+Open these firewall ports on the host:
+
+- `80/tcp` for the Nginx proxy
+- `3478/udp` for Coturn
+- Optionally `8008/tcp`, `8080/tcp`, `8081/tcp` and `5082/tcp` for direct access
+ to individual containers.
+
+Administrative endpoints include the Synapse admin API at
+`/synapse/_synapse/admin` and the Keycloak console at `/keycloak/` using the
+default `admin` credentials. Element Web and Element Call require no additional
+administration.
+
 ## Linting and Tests
 
 This project uses `ansible-lint` and `ansible-playbook --syntax-check` to validate playbooks. Continuous integration will run these checks automatically. When making documentation‑only changes, testing is optional.
diff --git a/deploymatrix.yml b/deploymatrix.yml
index 33802db..57cc797 100644
--- a/deploymatrix.yml
+++ b/deploymatrix.yml
@@ -9,6 +9,7 @@
 element_web_image: docker.io/vectorim/element-web:latest
 element_call_image: docker.io/elementcall/element-call:latest
 keycloak_image: docker.io/bitnami/keycloak:latest
+ nginx_image: docker.io/library/nginx:latest
 tasks:
 - name: Ensure Podman is installed
 ansible.builtin.package:
@@ -28,6 +29,7 @@
 - postgres_data:/var/lib/postgresql/data
 when: not ansible_check_mode
 
+
 - name: Run Synapse container
 containers.podman.podman_container:
 name: synapse
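Review bot: `+ nginx_image: docker.io/library/nginx:latest` introduces a floating tag for the component that will front every client request, so each playbook run may pull a different image and the deployed proxy cannot be reproduced or audited from the repository alone; pinning a release tag, or better an `@sha256:` digest, e.g. `nginx_image: docker.io/library/nginx:<pinned-version-or-digest>` (placeholder), fixes that. The neighbouring image variables share the pattern but predate this commit.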
@@ -80,3 +82,35 @@
 ports:
 - "8081:8080"
 when: not ansible_check_mode
+
+ - name: Create Nginx configuration
+ ansible.builtin.copy:
+ dest: "{{ ansible_env.HOME }}/nginx.conf"
+ content: |
+ server {
+ listen 80;
+ location / {
+ proxy_pass http://localhost:8080;
+ }
+ location /call/ {
+ proxy_pass http://localhost:5082/;
+ }
+ location /synapse/ {
+ proxy_pass http://localhost:8008/;
+ }
+ location /keycloak/ {
+ proxy_pass http://localhost:8081/;
+ }
+ }
+ when: not ansible_check_mode
+
+ - name: Run Nginx container
+ containers.podman.podman_container:
+ name: nginx
+ image: "{{ nginx_image }}"
+ state: started
+ ports:
+ - "80:80"
+ volumes:
+ - "{{ ansible_env.HOME }}/nginx.conf:/etc/nginx/conf.d/default.conf:ro"
+ when: not ansible_check_mode

From 3ce25a6d996cca94144958b12284d2cd4095e4bd Mon Sep 17 00:00:00 2001
From: Dennis Hjort
Date: Tue, 1 Jul 2025 22:15:45 +0200
Subject: [PATCH 2/2] Specify mode for nginx config

---
 deploymatrix.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/deploymatrix.yml b/deploymatrix.yml
index 57cc797..504777c 100644
--- a/deploymatrix.yml
+++ b/deploymatrix.yml
@@ -86,6 +86,7 @@
 - name: Create Nginx configuration
 ansible.builtin.copy:
 dest: "{{ ansible_env.HOME }}/nginx.conf"
+ mode: '0644'
 content: |
 server {
 listen 80;
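Review bot: `proxy_pass http://localhost:8080;` and the three `proxy_pass` lines below it resolve `localhost` inside the nginx container's own network namespace, so unless the `Run Nginx container` task gives it host networking — and it sets no `network:` — the ports the config targets are not reachable from there and every route will answer 502; `network: host` on the container, or `host.containers.internal` in place of `localhost` on recent Podman, addresses that. The server block also forwards no `Host`, `X-Forwarded-For` or `X-Forwarded-Proto` headers, so Synapse and Keycloak see the proxy as the client for rate limiting, logging and redirect URLs, and the `/synapse/` location passes `/_synapse/admin` straight through the plain-HTTP port 80 entry point, which Synapse's reverse-proxy guidance recommends keeping off the public path. Publishing `"80:80"` from a rootless container is also likely to fail unless the host lowers `net.ipv4.ip_unprivileged_port_start`, since ports below 1024 are privileged by default. The rewritten config below adds the forwarded headers, denies the admin prefix at the proxy and targets the host instead of the container loopback.

```yaml
        content: |
          server {
            # … unchanged: listen 80; …
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # longest-prefix match: keeps the Synapse admin API off the shared entry point
            location /synapse/_synapse/admin {
              return 403;
            }
            location / {
              proxy_pass http://host.containers.internal:8080;
            }
            # … unchanged: /call/, /synapse/, /keycloak/ locations, each with localhost replaced by host.containers.internal …
```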