Commit 0c0753ff authored by Jan-Oliver Opdenhövel's avatar Jan-Oliver Opdenhövel

Splitting synpase, element and nginx

parent f64579e0
......@@ -283,6 +283,7 @@
- name: configure fsmi-matrix
hosts: fsmi-matrix
roles:
- role: element-web
- role: sync-files
sync:
mount_src: "karo.upb.de:/backup/matrix"
......@@ -309,4 +310,5 @@
user: synapse_user
address: "::1/128"
method: "scram-sha-256"
- role: fsmi-matrix
- role: synapse
- role: nginx
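Review bot: The `element-web` role added in the first hunk and the `synapse` role added at `- role: synapse` both run before `- role: nginx`, yet both write into `/etc/nginx/vhosts/` (`vhost.conf: /etc/nginx/vhosts/element.conf` in the element-web tasks, `dest: /etc/nginx/vhosts/synapse.conf` in the synapse tasks) and nothing on the page creates that directory, so on a fresh host the `template` tasks fail before `nginx-mainline` is even installed. Moving `- role: nginx` ahead of `- role: element-web`, or adding a `file` task with `state: directory` for `/etc/nginx/vhosts` to each role that writes there, removes the ordering dependency. If nginx stays last in the play (it appears to be the final role, but the play's end is outside the hunk) its unconditional reload still picks up both vhosts; otherwise the vhost tasks need a `notify` to an nginx reload handler.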
---
- name: install all required packages
package:
name:
- element-web
- name: copy configurations
template:
dest: "{{ item.value }}"
src: "{{ item.key }}"
loop: "{{ file_data | dict2items }}"
vars:
file_data:
element.json: /etc/webapps/element/config.json
vhost.conf: /etc/nginx/vhosts/element.conf
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name element.die-fachschaft.de;
include /etc/nginx/tls.conf;
location / {
root /usr/share/webapps/element;
index index.html;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "frame-ancestors 'none'";
}
}
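Review bot: The `location /` block sends `X-Frame-Options SAMEORIGIN` together with `Content-Security-Policy "frame-ancestors 'none'"`; browsers that understand CSP let `frame-ancestors` override `X-Frame-Options`, so the two headers disagree and only legacy clients are allowed to frame the app from the same origin. `add_header X-Frame-Options DENY;` matches the CSP and is the consistent fallback. The included `/etc/nginx/tls.conf` is not on the page; if it does not set `Strict-Transport-Security`, this server block is where an HSTS header for element.die-fachschaft.de would belong.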
{{ ansible_managed | comment }}
worker_processes 2;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
# HTTP to HTTPS redirect and certbot proxy.
server {
listen 80;
listen [::]:80;
server_name localhost;
location /.well-known/acme-challenge/ {
proxy_pass http://localhost:8080;
proxy_set_header X-Forwarded-For $remote_addr;
}
location / {
return 301 https://$host$request_uri;
}
}
# Element Web Client.
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name element.die-fachschaft.de;
include /etc/nginx/tls.conf;
location / {
root /usr/share/webapps/element;
index index.html;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "frame-ancestors 'none'";
}
}
# Synapse Reverse Proxy
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# Federation port
listen 8448 ssl default_server;
listen [::]:8448 ssl default_server;
server_name matrix.die-fachschaft.de;
include /etc/nginx/tls.conf;
location ~* ^(\/_matrix|\/_synapse|\/client) {
proxy_pass http://localhost:8008;
proxy_set_header X-Forwarded-For $remote_addr;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 50M;
}
location / {
return 307 https://element.die-fachschaft.de/;
}
}
}
---
- name: install all required packages
package:
name:
- nginx-mainline
- name: copy configurations
template:
dest: "{{ item.value }}"
src: "{{ item.key }}"
loop: "{{ file_data | dict2items }}"
vars:
file_data:
tls.conf: /etc/nginx/tls.conf
nginx.conf: /etc/nginx/conf
dhparam: /etc/nginx/dhparam
- name: enable nginx
service:
name: nginx.service
state: reloaded
enabled: yes
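Review bot: `nginx.conf: /etc/nginx/conf` in the `file_data` mapping writes the main configuration to a path nginx does not read; the task this replaces used `dest: /etc/nginx/nginx.conf`, so with this role the packaged default config stays in effect and the new `include /etc/nginx/vhosts/*.conf;` line is never loaded. The entry should read `nginx.conf: /etc/nginx/nginx.conf`. The `service` task would also read better with `enabled: true` (`yes` is a YAML 1.1 boolean), and `state: reloaded` on every run reloads even when nothing changed — a handler notified by the `template` task reloads only on change.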
......@@ -7,4 +7,4 @@ MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----
\ No newline at end of file
-----END DH PARAMETERS-----
{{ ansible_managed | comment }}
worker_processes 2;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
# HTTP to HTTPS redirect and acme forward
server {
listen 80;
listen [::]:80;
server_name localhost;
# Included here because this has to be placed in front the of the general "redirect everything" rule.
location /.well-known/acme-challenge/ {
proxy_pass http://localhost:8080;
proxy_set_header X-Forwarded-For $remote_addr;
}
location / {
return 301 https://$host$request_uri;
}
}
include /etc/nginx/vhosts/*.conf;
}
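Review bot: The `http` block sets no `server_tokens off;`, so the nginx version is advertised in the `Server` header and on error pages of every vhost pulled in by `include /etc/nginx/vhosts/*.conf;`; adding `server_tokens off;` next to `sendfile on;` covers all of them. The port-80 server is the only `listen 80` block and therefore answers every Host, which makes `server_name localhost;` misleading; `listen 80 default_server;` and `listen [::]:80 default_server;` state the intent explicitly.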
......@@ -3,8 +3,6 @@
- name: install all required packages
package:
name:
- nginx-mainline
- element-web
- matrix-synapse
- python-psycopg2
- python-authlib
......@@ -14,7 +12,7 @@
- name: copy synapse config
copy:
dest: /etc/synapse/homeserver.yaml
src: synapse/homeserver.yaml
src: homeserver.yaml
owner: synapse
group: synapse
mode: '600'
......@@ -22,10 +20,15 @@
- name: copy synapse log config
template:
dest: /etc/synapse/synapse.log.config
src: synapse/synapse.log.config
src: synapse.log.config
owner: synapse
group: synapse
mode: '600'
- name: copy virtual host configuration
template:
dest: /etc/nginx/vhosts/synapse.conf
src: vhost.conf
- name: insert secrets
shell:
......@@ -36,38 +39,3 @@
name: synapse.service
state: restarted
enabled: yes
# Creation of initial admin account is omitted.
# This requires querying whether the admin account is already created and requires to set a password.
# Both are non-trivial tasks that have to be done later or eliminated by other measures. The login
# details for the admin account can be found in the password database.
# Element Web
- name: copy element web configuration
template:
dest: /etc/webapps/element/config.json
src: element.json
# Nginx
- name: copy nginx tls configuration
template:
dest: /etc/nginx/tls.conf
src: nginx/tls.conf
- name: copy nginx configuration
template:
dest: /etc/nginx/nginx.conf
src: nginx/nginx.conf
- name: copy dhparam
template:
dest: /etc/nginx/dhparam
src: nginx/dhparam
- name: enable nginx
service:
name: nginx.service
state: reloaded
enabled: yes
\ No newline at end of file
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# Federation port
listen 8448 ssl default_server;
listen [::]:8448 ssl default_server;
server_name matrix.die-fachschaft.de;
include /etc/nginx/tls.conf;
location ~* ^(\/_matrix|\/_synapse|\/client) {
proxy_pass http://localhost:8008;
proxy_set_header X-Forwarded-For $remote_addr;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 50M;
}
location / {
return 307 https://element.die-fachschaft.de/;
}
}
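Review bot: The `location ~* ^(\/_matrix|\/_synapse|\/client)` block forwards only `X-Forwarded-For`; Synapse behind a reverse proxy also expects `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header Host $host;` so it can reconstruct the public scheme and host (this presumes the listener in `homeserver.yaml`, which the page does not show, has `x_forwarded` enabled). The same prefix match also publishes everything under `/_synapse`, including the admin API, on both 443 and the federation port 8448; if only `/_synapse/client` is needed publicly, narrow the pattern to it or add a preceding `location /_synapse/admin` that denies non-local clients. The `\/` escapes are unnecessary inside nginx location regexes; `^/(_matrix|_synapse|client)` is equivalent and easier to read.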