nginx

matrix.yml

@@ -9,7 +9,13 @@
     template:
       src: templates/homeserver.yaml.j2
       dest: /etc/matrix-synapse/homeserver.yaml
-      
+
+  - name: On copie la conf du matrix
+    template: 
+      src: templates/nginx/matrix.yaml.j2
+      dest: /etc/nginx/sites_enabled/matrix
+
+
   vars:
     - matrix_server_name: matrix.fuz.re
     - synapse_postgres_password: !vault |

nginx.yml

@@ -1,10 +1,12 @@
 - hosts: octo.fuz.re
+  become: yes
   tasks:
-    - apt: Nginx installé
+    - name: Nginx installé
+      apt: 
         name: nginx
 
     - name: On charge Nginx
       service:
         name: nginx
         state: started
-        enabled: enabled
+        enabled: yes

templates/nginx.conf

@@ -1,214 +0,0 @@
-
-### FUZ.RE ###
-## TODO: Wiki pas encore hébergé ici ###
-# $HTTP["host"] == "wiki.fuz.re" {
-#     server.document-root = "/var/www/fuz.re/dokuwiki/"
-#     $HTTP["scheme"] == "http" {
-#         url.redirect = (".*" => "https://wiki.fuz.re$0")
-    # }
-
-# FIXME: Redirect www -> https without www
-# $HTTP["host"] == "www.fuz.re" {
-#     $HTTP["scheme"] == "http" {
-#         url.redirect = (".*" => "https://fuz.re$0")
-#     }
-# }
-# Redirect http -> https without www
-# FIXME: Redirect www -> https without www
-# $HTTP["host"] == "fuz.re" {
-#     $HTTP["scheme"] == "http" {
-#         url.redirect = (".*" => "https://fuz.re$0")
-#     }
-# FIXME: HTTPS :
-    # $HTTP["scheme"] == "https" {
-    #     $SERVER["socket"] == ":443" {
-	# 		ssl.engine  = "enable"
-	# server.document-root = "/var/www/fuz.re/newsite/public"
-	# 		ssl.pemfile = "/etc/letsencrypt/live/fuz.re/fullchain.pem"
-	# 		ssl.privkey = "/etc/letsencrypt/live/fuz.re/privkey.pem"
-	# 	}
-    
-# Old Jack.tf
-$HTTP["host"] == "jack.fuz.re" {
-    server.document-root = "/var/www/fuz.re/jack/site"
-    $HTTP["scheme"] == "http" {
-         $HTTP["url"] !~ "^/.well-known/acme-challenge/" {
-         url.redirect = (".*" => "https://jack.fuz.re$0")
-         }
-    }
-    $HTTP["scheme"] == "https" {
-	$SERVER["socket"] == ":443" {
-             ssl.engine  = "enable"
-		ssl.pemfile = "/etc/letsencrypt/live/jack.fuz.re/fullchain.pem"
-		ssl.privkey = "/etc/letsencrypt/live/jack.fuz.re/privkey.pem"
-        }
-    }
-}
-
-
-$HTTP["host"] == "riot.fuz.re" {
-    server.document-root = "/var/www/fuz.re/riot/site"
-    $HTTP["scheme"] == "http" {
-		$HTTP["url"] !~ "^/.well-known/acme-challenge/" {
-	            url.redirect = (".*" => "https://riot.fuz.re$0")
-		}
-    }
-    $HTTP["scheme"] == "https" {
-        alias.url = (
-                "/rc" => "/var/www/fuz.re/riot/rc"
-        )
-
-	$SERVER["socket"] == ":443" {
-                ssl.engine  = "enable"
-		ssl.pemfile = "/etc/letsencrypt/live/riot.fuz.re/fullchain.pem"
-		ssl.privkey = "/etc/letsencrypt/live/riot.fuz.re/privkey.pem"
-        }
-    }
-}
-
-$HTTP["host"] == "matrix.fuz.re" {
-    server.document-root = "/var/www/fuz.re/matrix/site"
-    $HTTP["scheme"] == "http" {
-		$HTTP["url"] !~ "^/.well-known/acme-challenge/" {
-			url.redirect = (".*" => "https://matrix.fuz.re$0")
-		}
-    }
-    $SERVER["socket"] == ":443" {
-    	ssl.engine  = "enable"
-	ssl.pemfile = "/etc/letsencrypt/live/matrix.fuz.re/fullchain.pem"
-	ssl.privkey = "/etc/letsencrypt/live/matrix.fuz.re/privkey.pem"
-    	proxy.server = ( "" => (( "host" => "127.0.0.1", "port" => 8008 )))
-    	proxy.header = ( "map-host-request" => ( "-" => "matrix.fuz.re"),
-    			     "map-host-response" => ("-" => "-"))
-    }
-    $SERVER["socket"] == ":8448" {
-    	ssl.engine  = "enable"
-	ssl.pemfile = "/etc/letsencrypt/live/matrix.fuz.re/fullchain.pem"
-	ssl.privkey = "/etc/letsencrypt/live/matrix.fuz.re/privkey.pem"
-    	proxy.server = ( "" => (( "host" => "127.0.0.1", "port" => 8008 )))
-    	proxy.header = ( "map-host-request" => ( "-" => "matrix.fuz.re"),
-    			     "map-host-response" => ("-" => "-"))
-    }
-}
-
-$HTTP["host"] == "mumble.fuz.re" {
-    $HTTP["scheme"] == "http" {
-    	server.document-root = "/var/www/fuz.re/mumble/site"
-	$HTTP["url"] !~ "^/.well-known/acme-challenge/" {
-		url.redirect = (".*" => "https://mumble.fuz.re$0")
-	}
-    }
-
-    $SERVER["socket"] == ":443" {
-    	ssl.engine  = "enable"
-	ssl.pemfile = "/etc/letsencrypt/live/mumble.fuz.re/fullchain.pem"
-	ssl.privkey = "/etc/letsencrypt/live/mumble.fuz.re/privkey.pem"
-    	url.redirect-code = 302 # it's a workaround for retarded lighttpd unable to handle websockets, hence a temp 302 redirection -- Lomanic 20200606
-    	url.redirect = (".*" => "https://mumble.fuz.re:64737$0")
-    }
-}
-
-
-
-$HTTP["host"] == "presence.fuz.re" { # added by Lomanic 20200606
-    $HTTP["scheme"] == "http" {
-    	server.document-root = "/var/www/fuz.re/presence/site"
-		$HTTP["url"] !~ "^/.well-known/acme-challenge/" {
-			url.redirect = (".*" => "https://${url.authority}${url.path}${qsa}")
-		}
-    }
-
-	$SERVER["socket"] == ":443" {
-		ssl.engine  = "enable"
-		proxy.server = ( "" => (("host" => "127.0.0.1", "port" => 3000)) )
-		#ssl.ca-file = "/etc/letsencrypt/live/presence.fuz.re/chain.pem"
-		#ssl.pemfile = "/etc/lighttpd/certs/presence.fuz.re.pem"
-
-		ssl.pemfile = "/etc/letsencrypt/live/presence.fuz.re/fullchain.pem"
-		ssl.privkey = "/etc/letsencrypt/live/presence.fuz.re/privkey.pem"
-	}
-}
-$HTTP["host"] == "spaceapi.fuz.re" { # added by Lomanic 20201017
-	$HTTP["scheme"] == "http" {
-		server.document-root = "/var/www/fuz.re/spaceapi/site"
-		$HTTP["url"] !~ "^/.well-known/acme-challenge/" {
-			url.redirect = (".*" => "https://${url.authority}${url.path}${qsa}")
-		}
-	}
-
-	$SERVER["socket"] == ":443" {
-		ssl.engine  = "enable"
-		proxy.server = ( "" => (("host" => "127.0.0.1", "port" => 3001)) )
-		ssl.pemfile = "/etc/letsencrypt/live/spaceapi.fuz.re/fullchain.pem"
-		ssl.privkey = "/etc/letsencrypt/live/spaceapi.fuz.re/privkey.pem"
-	}
-}
-
-$HTTP["host"] == "sonic.fuz.re" {
-	server.document-root = "/var/www/sonic.fuz.re/"
-}
-
-### Mailman ###
-$HTTP["host"] == "liste.fuz.re" {
-	server.document-root = "/var/www/fuz.re/liste/site"
-	$HTTP["scheme"] == "http" {
-		$HTTP["url"] !~ "^/.well-known/acme-challenge/" {
-			url.redirect = (".*" => "https://liste.fuz.re$0")
-		}
-	}
-	$SERVER["socket"] == ":443" {
-		ssl.engine  = "enable"
-		#ssl.ca-file = "/etc/letsencrypt/live/liste.fuz.re/chain.pem"
-		#ssl.pemfile = "/etc/letsencrypt/live/liste.fuz.re/combined.pem"
-		ssl.pemfile = "/etc/letsencrypt/live/liste.fuz.re/fullchain.pem"
-		ssl.privkey = "/etc/letsencrypt/live/liste.fuz.re/privkey.pem"
-	}
-	alias.url = (
-        "/mailman/" => "/usr/lib/cgi-bin/mailman/",
-        "/cgi-bin/mailman/" => "/usr/lib/cgi-bin/mailman/",
-        "/images/mailman/" => "/usr/share/images/mailman/",
-        #"/pipermail/" => "/var/lib/mailman/archives/public/"
-    )
-    cgi.assign = (
-        "/admin" => "",
-        "/admindb" => "",
-        "/confirm" => "",
-        "/create" => "",
-        "/edithtml" => "",
-        "/listinfo" => "",
-        "/options" => "",
-        "/private" => "",
-        "/rmlist" => "",
-        "/roster" => "",
-        "/subscribe" => "")
-}
-
-## Datapaulette - Pas hébérgé ici non plus
-# $HTTP["host"] =~ "www.datapaulette.org" {
-# 	url.redirect = (".*" => "http://datapaulette.org")
-# }
-# $HTTP["host"] =~ "datapaulette.org" {
-#         server.error-handler-404 = "/index.php"
-#         server.document-root = "/var/www/datapaulette.org/dp-wp"
-#        $SERVER["socket"] == ":443" {
-#                ssl.engine  = "enable"
-#                ssl.ca-file = "/etc/letsencrypt/live/datapaulette.org/fullchain.pem"
-#                ssl.pemfile = "/etc/lighttpd/certs/datapaulette.org.pem"
-#        }
-        #url.rewrite = (
-        #       "^/(.*)\.(.+)$" => "$0",
-        #       ###"^/(wp-admin|wp-includes|wp-content|gallery2)/(.*)" => "$0",
-        #       "^/(.+)/?$" => "/index.php/$1"
-        #)
-}
-
-### WOOTDEVICES.IO  - https à activer après copie des certs
-$HTTP["host"] == "wootdevices.io" {
-        server.document-root = "/var/www/wootdevices.io/site/"
-#        $SERVER["socket"] == ":443" {
-#                ssl.engine  = "enable"
-#                ssl.ca-file = "/etc/letsencrypt/live/wootdevices.io/fullchain.pem"
-#                ssl.pemfile = "/etc/lighttpd/certs/wootdevices.io.pem"
-#        }
-}
-

templates/nginx/matrix.yaml.j2

@@ -0,0 +1,24 @@
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    # For the federation port
+    listen 8448 ssl http2 default_server;
+    listen [::]:8448 ssl http2 default_server;
+
+    server_name matrix.fuz.re;
+
+    location ~ ^(/_matrix|/_synapse/client) {
+        # note: do not add a path (even a single /) after the port in `proxy_pass`,
+        # otherwise nginx will canonicalise the URI and cause signature verification
+        # errors.
+        proxy_pass http://localhost:8008;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+
+        # Nginx by default only allows file uploads up to 1M in size
+        # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+        client_max_body_size 50M;
+    }
+}