diff --git a/.drone.yml b/.drone.yml index 12af34f..2fae7c8 100644 --- a/.drone.yml +++ b/.drone.yml @@ -27,7 +27,7 @@ steps: PG_BACKUP_VERSION: v1 WK_CLIENT_VERSION: v1 WK_SERVER_VERSION: v1 - NGINX_CONFIG_VERSION: v7 + NGINX_CONFIG_VERSION: v8 SECRET_DB_PASSWORD_VERSION: v1 SECRET_FORM_SECRET_VERSION: v1 SECRET_MACAROON_VERSION: v1 diff --git a/.env.sample b/.env.sample index b6fcd64..47d53da 100644 --- a/.env.sample +++ b/.env.sample @@ -174,3 +174,8 @@ RETENTION_MAX_LIFETIME=4w ## Web Client (Redirect) #WEB_CLIENT_LOCATION=https://element-web.example.com + + +## Admin interface at /admin +#COMPOSE_FILE="$COMPOSE_FILE:compose.admin.yml" +#ADMIN_INTERFACE_ENABLED=1 diff --git a/abra.sh b/abra.sh index e39da4b..0c129a2 100644 --- a/abra.sh +++ b/abra.sh @@ -5,10 +5,11 @@ export LOG_CONFIG_VERSION=v2 export SHARED_SECRET_AUTH_VERSION=v1 export SIGNAL_BRIDGE_YAML_VERSION=v6 export TELEGRAM_BRIDGE_YAML_VERSION=v6 -export NGINX_CONFIG_VERSION=v7 +export NGINX_CONFIG_VERSION=v8 export WK_SERVER_VERSION=v1 export WK_CLIENT_VERSION=v1 export PG_BACKUP_VERSION=v1 +export ADMIN_CONFIG_VERSION=v1 set_admin () { admin=akadmin diff --git a/admin.conf.tmpl b/admin.conf.tmpl new file mode 100644 index 0000000..9d27750 --- /dev/null +++ b/admin.conf.tmpl @@ -0,0 +1,3 @@ +{ + "restrictBaseUrl": "https://{{ env "DOMAIN" }}" +} diff --git a/compose.admin.yml b/compose.admin.yml new file mode 100644 index 0000000..a8b3c07 --- /dev/null +++ b/compose.admin.yml 
@@ -0,0 +1,46 @@
+---
+version: "3.8"
+
+services:
+ admin:
+ image: awesometechnologies/synapse-admin:0.10.3
+ networks:
+ - proxy
+ deploy:
+ labels:
+ - "traefik.enable=true"
+ - "traefik.docker.network=proxy"
+ - "traefik.http.services.${STACK_NAME}_admin.loadbalancer.server.port=80"
+ - "traefik.http.routers.${STACK_NAME}_admin.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})&&PathPrefix(`/admin`)"
+ - "traefik.http.routers.${STACK_NAME}_admin.entrypoints=web-secure"
+ - "traefik.http.routers.${STACK_NAME}_admin.tls.certresolver=${LETS_ENCRYPT_ENV}"
+ - "traefik.http.routers.${STACK_NAME}_admin.middlewares=admin,admin_path"
+ - "traefik.http.middlewares.admin.redirectregex.regex=^(.*)/admin/?"
+ - "traefik.http.middlewares.admin.redirectregex.replacement=$${1}/admin/"
+ - "traefik.http.middlewares.admin_path.stripprefix.prefixes=/admin"
+ environment:
+ - DOMAIN
+ configs:
+ - source: admin_config
+ target: /app/config.json
+ healthcheck:
+ test: ["CMD", "curl", "-f", "http://localhost"]
+ interval: 30s
+ timeout: 10s
+ retries: 10
+ start_period: 1m
+ web:
+ environment:
+ - ADMIN_INTERFACE_ENABLED
+
+
+networks:
+ proxy:
+ external: true
+
+configs:
+ admin_config:
+ name: ${STACK_NAME}_admin_config_${ADMIN_CONFIG_VERSION}
+ file: admin.conf.tmpl
+ template_driver: golang
+
diff --git a/nginx.conf.tmpl b/nginx.conf.tmpl
index 64fea22..db5514b 100644
--- a/nginx.conf.tmpl
+++ b/nginx.conf.tmpl
@@ -36,5 +36,20 @@ http {
 default_type application/json;
 add_header Access-Control-Allow-Origin *;
 }
+
+{{ if eq (env "ADMIN_INTERFACE_ENABLED") "1" }}
+ location ^~ /_synapse/admin {
+ if ($http_referer !~ "^https://{{ env "DOMAIN" }}/admin/") {
+ return 403;
+ }
+ proxy_pass http://{{ env "STACK_NAME"}}_app:8008;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Host $host;
+ client_max_body_size 50M;
+ proxy_http_version 1.1;
+ }
+{{ end }}
+
 }
 }
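Review bot: In compose.admin.yml the two middlewares are declared under the fixed names `admin` and `admin_path`, while the router and service in the same label list are scoped with `${STACK_NAME}_admin`. Traefik middleware names are shared across everything it discovers on the `proxy` network, so a second stack of this recipe, or any other stack that defines an `admin` middleware with different settings, would likely conflict with these definitions and could leave the `/admin` router without its redirect and strip-prefix handling. Prefixing the middleware names with the stack name, in the `middlewares=` reference and in the three definitions, keeps them consistent with the other labels.

```yaml
# … unchanged: enable, network, service port, router rule, entrypoint and certresolver labels …
      - "traefik.http.routers.${STACK_NAME}_admin.middlewares=${STACK_NAME}_admin,${STACK_NAME}_admin_path"
      - "traefik.http.middlewares.${STACK_NAME}_admin.redirectregex.regex=^(.*)/admin/?"
      - "traefik.http.middlewares.${STACK_NAME}_admin.redirectregex.replacement=$${1}/admin/"
      - "traefik.http.middlewares.${STACK_NAME}_admin_path.stripprefix.prefixes=/admin"
```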
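Review bot: The `$http_referer` test in the new `location ^~ /_synapse/admin` block of nginx.conf.tmpl is not an access control, because the Referer header is chosen by the client and any request that sets it to `https://<DOMAIN>/admin/` passes. With `ADMIN_INTERFACE_ENABLED=1` the Synapse admin API is therefore exposed to anyone who can reach this vhost, and the only real gate is Synapse's own admin-token check; if that is intended, say so above the `if` with a comment such as `# Referer is client-controlled; this is not authentication, Synapse enforces admin access tokens`, and consider limiting the path to operator networks at the proxy. Separately, `proxy_set_header X-Forwarded-For $remote_addr;` forwards nginx's peer address, which behind Traefik is presumably the proxy rather than the client, so admin requests may be hard to attribute in Synapse logs. The enclosing `server` block starts outside the hunk, so whether `/_synapse/admin` was already handled elsewhere cannot be confirmed from here.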