setup proxys
This commit is contained in:
parent
1e84a01689
commit
9036f2da77
6 changed files with 100 additions and 2 deletions
|
@ -1,5 +1,6 @@
|
||||||
---
|
---
|
||||||
matrix_server_name: pp.intra
|
matrix_server_name: deso-palaiseau.fr
|
||||||
|
matrix_local_server_name: synapse.pp.intra
|
||||||
synapse_postgre_user_pwd: "{{ vault_synapse_postgre_user_pwd }}"
|
synapse_postgre_user_pwd: "{{ vault_synapse_postgre_user_pwd }}"
|
||||||
matrix_max_upload_size: 50M
|
matrix_max_upload_size: 50M
|
||||||
matrix_registration_shared_secret: "{{ vault_matrix_registration_shared_secret }}"
|
matrix_registration_shared_secret: "{{ vault_matrix_registration_shared_secret }}"
|
||||||
|
|
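--- a/roles/rp_synapse/meta/main.yml
+++ b/roles/rp_synapse/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+  - role: install_nginx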
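--- a/roles/rp_synapse/tasks/main.yml
+++ b/roles/rp_synapse/tasks/main.yml
@@ -0,0 +1,46 @@
+---
+# Almost a copy of the reverse proxy http role.
+# There is probably a cleaner way to do that using the
+# rp proxy http role.
+
+- name: Install certbot
+  apt:
+    update_cache: true
+    name:
+      - certbot
+      - python3-certbot-nginx
+    state: latest
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Ensure the cert directory exists
+  file:
+    path: /etc/nginx/certs
+    state: directory
+
+- name: Copy reverse proxy sites
+  template:
+    src: nginx/config_synapse
+    dest: /etc/nginx/sites-available/synapse
+  notify: Reload nginx
+
+- name: Activate sites
+  file:
+    src: "/etc/nginx/sites-available/synapse"
+    dest: "/etc/nginx/sites-enabled/synapse"
+    state: link
+    force: yes
+  notify: Reload nginx
+
+- name: Generate Certificate for Domains
+  shell: certbot certonly --standalone -d {{ matrix_server_name }} -m {{ vault_email }} --noninteractive --agree-tos --redirect --pre-hook "sudo systemctl stop nginx" --post-hook "sudo systemctl start nginx"
+  args:
+    creates: "/etc/letsencrypt/live/{{ matrix_server_name }}/cert.pem"
+
+- name: Copy certificates
+  file:
+    src: "/etc/letsencrypt/live/{{ matrix_server_name }}/fullchain.pem"
+    dest: "/etc/nginx/certs/{{ matrix_server_name }}.crt"
+    state: link
+    force: yes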
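--- a/roles/rp_synapse/templates/reverse_proxy
+++ b/roles/rp_synapse/templates/reverse_proxy
@@ -0,0 +1,26 @@
+{{ ansible_managed | comment }}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    # For the federation port
+    listen 8448 ssl http2 default_server;
+    listen [::]:8448 ssl http2 default_server;
+
+    server_name {{ matrix_server_name }};
+
+    ssl_certificate /var/certificates/{{ matrix_server_name }}_cert.pem;
+    ssl_certificate_key /var/certificates/{{ matrix_server_name }}_privkey.pem;
+
+    location ~* ^(\/_matrix|\/_synapse\/client) {
+        proxy_pass http://{{ matrix_local_server_name }}:80;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+
+        # Nginx by default only allows file uploads up to 1M in size
+        # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+        client_max_body_size {{ matrix_max_upload_size }};
+    }
+}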
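Review bot: `proxy_pass http://{{ matrix_local_server_name }}:80;` forwards to the internal host over plain HTTP on port 80, but the `config_synapse` server block this commit adds for that host listens only on 443 and 8448 with TLS, so unless a port-80 server exists outside the diff this upstream has no listener. Pointing the upstream at `https://{{ matrix_local_server_name }}:443` and pinning the self-signed certificate generated for `matrix_local_server_name` with `proxy_ssl_trusted_certificate` plus `proxy_ssl_verify on;` would use the TLS the inner hop already sets up instead of carrying Matrix traffic in clear between the two hosts. The `ssl_certificate` and `ssl_certificate_key` lines also name `/var/certificates/{{ matrix_server_name }}_cert.pem` and `_privkey.pem`, paths the `rp_synapse` tasks never create (they link `fullchain.pem` under `/etc/nginx/certs/`), so one side should be changed to match the other.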
|
@ -74,7 +74,7 @@
|
||||||
include_role:
|
include_role:
|
||||||
name: generate_self_signed_certificate
|
name: generate_self_signed_certificate
|
||||||
vars:
|
vars:
|
||||||
server_hostname: "{{ matrix_server_name }}"
|
server_hostname: "{{ matrix_local_server_name }}"
|
||||||
|
|
||||||
- name: Copy reverse proxy sites
|
- name: Copy reverse proxy sites
|
||||||
template:
|
template:
|
||||||
|
|
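--- a/roles/synapse/templates/nginx/config_synapse
+++ b/roles/synapse/templates/nginx/config_synapse
@@ -0,0 +1,23 @@
+{{ ansible_managed | comment }}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    # For the federation port
+    listen 8448 ssl http2 default_server;
+    listen [::]:8448 ssl http2 default_server;
+
+    server_name {{ matrix_local_server_name }};
+
+    ssl_certificate /var/certificates/{{ matrix_local_server_name }}_cert.pem;
+    ssl_certificate_key /var/certificates/{{ matrix_local_server_name }}_privkey.pem;
+
+    location ~* ^(\/_matrix|\/_synapse\/client) {
+        proxy_pass http://localhost:8008;
+
+        # Nginx by default only allows file uploads up to 1M in size
+        # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+        client_max_body_size {{ matrix_max_upload_size }};
+    }
+}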
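Review bot: The `location` block passes to `http://localhost:8008` with no `proxy_set_header`, so on this hop nginx rewrites `Host` to its default `$proxy_host` (`localhost:8008`) and the forwarded-header handling diverges from the sibling `reverse_proxy` template, which sets `Host`, `X-Forwarded-For` and `X-Forwarded-Proto`. Adding `proxy_set_header Host $host;`, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;` keeps the two hops consistent and gives Synapse, when its listener has `x_forwarded` enabled, a complete chain to derive the client address from. Since the tasks file itself says this is almost a copy of the reverse-proxy role, a one-line header comment stating which hop this file serves, e.g. `# Inner hop: terminates TLS for the Synapse host and hands off to the local listener on 8008`, would help the next reader tell the two templates apart.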