From 9036f2da77de28b09a438e85aa0bb1cdba9e823b Mon Sep 17 00:00:00 2001
From: Jean-Marie Mineau
Date: Mon, 2 Aug 2021 03:49:36 +0200
Subject: [PATCH] setup proxys
---
group_vars/all/matrix.yml | 3 +-
roles/rp_synapse/meta/main.yml | 2 +
roles/rp_synapse/tasks/main.yml | 46 ++++++++++++++++++++
roles/rp_synapse/templates/reverse_proxy | 26 +++++++++++
roles/synapse/tasks/main.yml | 2 +-
roles/synapse/templates/nginx/config_synapse | 23 ++++++++++
6 files changed, 100 insertions(+), 2 deletions(-)
create mode 100644 roles/rp_synapse/meta/main.yml
create mode 100644 roles/rp_synapse/tasks/main.yml
create mode 100644 roles/rp_synapse/templates/reverse_proxy
create mode 100644 roles/synapse/templates/nginx/config_synapse
diff --git a/group_vars/all/matrix.yml b/group_vars/all/matrix.yml
index 3dbd0a3..64128bd 100644
--- a/group_vars/all/matrix.yml
+++ b/group_vars/all/matrix.yml
@@ -1,5 +1,6 @@
 ---
-matrix_server_name: pp.intra
+matrix_server_name: deso-palaiseau.fr
+matrix_local_server_name: synapse.pp.intra
 synapse_postgre_user_pwd: "{{ vault_synapse_postgre_user_pwd }}"
 matrix_max_upload_size: 50M
 matrix_registration_shared_secret: "{{ vault_matrix_registration_shared_secret }}"
diff --git a/roles/rp_synapse/meta/main.yml b/roles/rp_synapse/meta/main.yml
new file mode 100644
index 0000000..ff0926f
--- /dev/null
+++ b/roles/rp_synapse/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+  - role: install_nginx
diff --git a/roles/rp_synapse/tasks/main.yml b/roles/rp_synapse/tasks/main.yml
new file mode 100644
index 0000000..8b721c9
--- /dev/null
+++ b/roles/rp_synapse/tasks/main.yml
@@ -0,0 +1,46 @@
+---
+# Almost a copy of the reverse proxy http role.
+# There is probably a cleaner way to do that using the
+# rp proxy http role.
+
+- name: Install certbot
+  apt:
+    update_cache: true
+    name:
+      - certbot
+      - python3-certbot-nginx
+    state: latest
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Ensure the cert directory exists
+  file:
+    path: /etc/nginx/certs
+    state: directory
+
+- name: Copy reverse proxy sites
+  template:
+    src: nginx/config_synapse
+    dest: /etc/nginx/sites-available/synapse
+  notify: Reload nginx
+
+- name: Activate sites
+  file:
+    src: "/etc/nginx/sites-available/synapse"
+    dest: "/etc/nginx/sites-enabled/synapse"
+    state: link
+    force: yes
+  notify: Reload nginx
+
+- name: Generate Certificate for Domains
+  shell: certbot certonly --standalone -d {{ matrix_server_name }} -m {{ vault_email }} --noninteractive --agree-tos --redirect --pre-hook "sudo systemctl stop nginx" --post-hook "sudo systemctl start nginx"
+  args:
+    creates: "/etc/letsencrypt/live/{{ matrix_server_name }}/cert.pem"
+
+- name: Copy certificates
+  file:
+    src: "/etc/letsencrypt/live/{{ matrix_server_name }}/fullchain.pem"
+    dest: "/etc/nginx/certs/{{ matrix_server_name }}.crt"
+    state: link
+    force: yes
diff --git a/roles/rp_synapse/templates/reverse_proxy b/roles/rp_synapse/templates/reverse_proxy
new file mode 100644
index 0000000..8c59c9c
--- /dev/null
+++ b/roles/rp_synapse/templates/reverse_proxy
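Review bot: The `Copy reverse proxy sites` task renders `src: nginx/config_synapse`, but the only template this commit adds to the rp_synapse role is `templates/reverse_proxy`, so the task fails with a missing template unless a playbook-level templates directory happens to supply that path; the src should be `reverse_proxy`. The certificate tasks and that template also disagree: certbot's fullchain is linked to `/etc/nginx/certs/{{ matrix_server_name }}.crt` and the private key is never linked at all, while `roles/rp_synapse/templates/reverse_proxy` loads `/var/certificates/{{ matrix_server_name }}_cert.pem` and `_privkey.pem`, so the public vhost has no usable key pair and nginx will refuse to start. The rewrite below links both files under the names the template expects, and moves the certbot invocation to the `command` module with `| quote` on the interpolated variables so the hostname and e-mail never pass through a shell. `force: yes` should be `force: true` per yamllint's truthy rule, and `state: latest` on the apt task turns every run into a potential upgrade where `present` is the reproducible choice; `--redirect` looks like an installer-only option with no effect under `certonly`, and the `sudo` in the hooks is redundant if the play already runs with become — confirm both against the play.

```yaml
- name: Ensure the cert directory exists
  file:
    path: /var/certificates
    state: directory

- name: Copy reverse proxy sites
  template:
    src: reverse_proxy
    dest: /etc/nginx/sites-available/synapse
  notify: Reload nginx

# … unchanged: Activate sites …

- name: Generate Certificate for Domains
  command: >-
    certbot certonly --standalone
    -d {{ matrix_server_name | quote }} -m {{ vault_email | quote }}
    --noninteractive --agree-tos
    --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
  args:
    creates: "/etc/letsencrypt/live/{{ matrix_server_name }}/cert.pem"

- name: Link certificate and key where the reverse_proxy template expects them
  file:
    src: "/etc/letsencrypt/live/{{ matrix_server_name }}/{{ item.src }}"
    dest: "/var/certificates/{{ matrix_server_name }}_{{ item.dest }}"
    state: link
    force: true
  loop:
    - { src: fullchain.pem, dest: cert.pem }
    - { src: privkey.pem, dest: privkey.pem }
  notify: Reload nginx
```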
@@ -0,0 +1,26 @@
+{{ ansible_managed | comment }}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    # For the federation port
+    listen 8448 ssl http2 default_server;
+    listen [::]:8448 ssl http2 default_server;
+
+    server_name {{ matrix_server_name }};
+
+    ssl_certificate /var/certificates/{{ matrix_server_name }}_cert.pem;
+    ssl_certificate_key /var/certificates/{{ matrix_server_name }}_privkey.pem;
+
+    location ~* ^(\/_matrix|\/_synapse\/client) {
+        proxy_pass http://{{ matrix_local_server_name }}:80;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+
+        # Nginx by default only allows file uploads up to 1M in size
+        # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+        client_max_body_size {{ matrix_max_upload_size }};
+    }
+}
diff --git a/roles/synapse/tasks/main.yml b/roles/synapse/tasks/main.yml
index b1a43c9..61b4411 100644
--- a/roles/synapse/tasks/main.yml
+++ b/roles/synapse/tasks/main.yml
@@ -74,7 +74,7 @@
   include_role:
     name: generate_self_signed_certificate
   vars:
-    server_hostname: "{{ matrix_server_name }}"
+    server_hostname: "{{ matrix_local_server_name }}"
 
 - name: Copy reverse proxy sites
   template:
diff --git a/roles/synapse/templates/nginx/config_synapse b/roles/synapse/templates/nginx/config_synapse
new file mode 100644
index 0000000..f313116
--- /dev/null
+++ b/roles/synapse/templates/nginx/config_synapse
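Review bot: `proxy_pass http://{{ matrix_local_server_name }}:80;` in the location block points at a plain-HTTP port that the backend vhost added in `config_synapse` never opens — that server only listens on 443 and 8448 with ssl — so Matrix traffic either hits whatever install_nginx serves on port 80 or fails, and the hop across the intra network is unencrypted even though the backend already presents a certificate for `matrix_local_server_name`. The upstream should be its TLS listener, `proxy_pass https://{{ matrix_local_server_name }}:443;`, with `proxy_ssl_server_name on;` and `proxy_ssl_name {{ matrix_local_server_name }};` so SNI selects the right vhost. Because that backend certificate is self-signed (generate_self_signed_certificate in the synapse role), either distribute it to this host and enable `proxy_ssl_verify on;` with `proxy_ssl_trusted_certificate`, or add a comment stating that the inner hop is deliberately unverified. The `X-Forwarded-For $remote_addr` choice is correct here, since it ignores any client-supplied header.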
@@ -0,0 +1,23 @@
+{{ ansible_managed | comment }}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    # For the federation port
+    listen 8448 ssl http2 default_server;
+    listen [::]:8448 ssl http2 default_server;
+
+    server_name {{ matrix_local_server_name }};
+
+    ssl_certificate /var/certificates/{{ matrix_local_server_name }}_cert.pem;
+    ssl_certificate_key /var/certificates/{{ matrix_local_server_name }}_privkey.pem;
+
+    location ~* ^(\/_matrix|\/_synapse\/client) {
+        proxy_pass http://localhost:8008;
+
+        # Nginx by default only allows file uploads up to 1M in size
+        # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+        client_max_body_size {{ matrix_max_upload_size }};
+    }
+}
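Review bot: The location block forwards to `http://localhost:8008` without any `proxy_set_header` directives, so the `X-Forwarded-For` and `X-Forwarded-Proto` values that the rp_synapse template sets are dropped at this hop and Synapse will see every client as the reverse proxy's address, which breaks rate limiting, IP-based logs and the `https` detection behind it. Add `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`, `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;` and `proxy_set_header Host $host;` inside the location. Synapse only honours these headers when its listener is configured with `x_forwarded: true`; homeserver.yaml is outside this patch, so confirm that setting is in place. Since this vhost now sits behind a second proxy, a comment stating that only the rp_synapse host is expected to reach 443/8448 here would help the next reader understand why these headers are trusted.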