Pains-Perdus/ansible
3
1
Fork 0
Code Issues Pull requests 1 Releases Wiki Activity

setup proxys

Browse source
This commit is contained in:
histausse 2021-08-02 03:49:36 +02:00
parent 1e84a01689
commit 9036f2da77
Signed by: histausse
GPG key ID: 67486F107F62E9E9
6 changed files with 100 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
group_vars/all/matrix.yml
View file

@ -1,5 +1,6 @@
---
matrix_server_name: pp.intra
matrix_server_name: deso-palaiseau.fr
matrix_local_server_name: synapse.pp.intra
synapse_postgre_user_pwd: "{{ vault_synapse_postgre_user_pwd }}"
matrix_max_upload_size: 50M
matrix_registration_shared_secret: "{{ vault_matrix_registration_shared_secret }}"

2
roles/rp_synapse/meta/main.yml Normal file
View file

@ -0,0 +1,2 @@
dependencies:
- role: install_nginx

46
roles/rp_synapse/tasks/main.yml Normal file
View file

@ -0,0 +1,46 @@
---
# Almost a copy of the reverse proxy http role.
# There is probably a cleaner way to do that using the
# rp proxy http role.
- name: Install certbot
apt:
update_cache: true
name:
- certbot
- python3-certbot-nginx
state: latest
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Ensure the cert directory exists
file:
path: /etc/nginx/certs
state: directory
- name: Copy reverse proxy sites
template:
src: nginx/config_synapse
dest: /etc/nginx/sites-available/synapse
notify: Reload nginx
- name: Activate sites
file:
src: "/etc/nginx/sites-available/synapse"
dest: "/etc/nginx/sites-enabled/synapse"
state: link
force: yes
notify: Reload nginx
- name: Generate Certificate for Domains
shell: certbot certonly --standalone -d {{ matrix_server_name }} -m {{ vault_email }} --noninteractive --agree-tos --redirect --pre-hook "sudo systemctl stop nginx" --post-hook "sudo systemctl start nginx"
args:
creates: "/etc/letsencrypt/live/{{ matrix_server_name }}/cert.pem"
- name: Copy certificates
file:
src: "/etc/letsencrypt/live/{{ matrix_server_name }}/fullchain.pem"
dest: "/etc/nginx/certs/{{ matrix_server_name }}.crt"
state: link
force: yes

26
roles/rp_synapse/templates/reverse_proxy Normal file
View file

@ -0,0 +1,26 @@
{{ ansible_managed | comment }}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# For the federation port
listen 8448 ssl http2 default_server;
listen [::]:8448 ssl http2 default_server;
server_name {{ matrix_server_name }};
ssl_certificate /var/certificates/{{ matrix_server_name }}_cert.pem;
ssl_certificate_key /var/certificates/{{ matrix_server_name }}_privkey.pem;
location ~* ^(\/_matrix|\/_synapse\/client) {
proxy_pass http://{{ matrix_local_server_name }}:80;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size {{ matrix_max_upload_size }};
}
}

2
roles/synapse/tasks/main.yml
View file

@ -74,7 +74,7 @@
include_role:
name: generate_self_signed_certificate
vars:
server_hostname: "{{ matrix_server_name }}"
server_hostname: "{{ matrix_local_server_name }}"
- name: Copy reverse proxy sites
template:

23
roles/synapse/templates/nginx/config_synapse Normal file
View file

@ -0,0 +1,23 @@
{{ ansible_managed | comment }}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# For the federation port
listen 8448 ssl http2 default_server;
listen [::]:8448 ssl http2 default_server;
server_name {{ matrix_local_server_name }};
ssl_certificate /var/certificates/{{ matrix_local_server_name }}_cert.pem;
ssl_certificate_key /var/certificates/{{ matrix_local_server_name }}_privkey.pem;
location ~* ^(\/_matrix|\/_synapse\/client) {
proxy_pass http://localhost:8008;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size {{ matrix_max_upload_size }};
}
}