ansible-base/roles/synapse-and-nginx/templates/conf.j2

{% macro synapse_common() %}
	location ~ ^(/_matrix|/_synapse/client) {
		proxy_pass http://localhost:8008;
		proxy_set_header X-Forwarded-For $remote_addr;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header Host $host;
		
		client_max_body_size 50M;
		
		proxy_http_version 1.1;
	}
{% endmacro %}

server {
	server_name {{var_synapse_and_nginx_domain}};
	
	listen 80;
	listen [::]:80;
	
{% if (var_synapse_and_nginx_tls_mode == 'force') %}
	return 301 https://$http_host$request_uri;
{% else %}
{{ synapse_common() }}
{% endif %}
}

{% if (var_synapse_and_nginx_tls_mode != 'disable') %}
server {
	server_name {{var_synapse_and_nginx_domain}};
	
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	
	## For the federation port
	listen 8448 ssl http2 default_server;
	listen [::]:8448 ssl http2 default_server;
	
	ssl_certificate_key /etc/ssl/private/{{var_synapse_and_nginx_domain}}.pem;
	ssl_certificate /etc/ssl/fullchains/{{var_synapse_and_nginx_domain}}.pem;
	include /etc/nginx/ssl-hardening.conf;
	
{{ synapse_common() }}
}
{% endif %}
[mod] roles:synapse-and-nginx:tls mode 2024-07-03 22:31:49 +02:00			`{% macro synapse_common() %}`
			`location ~ ^(/_matrix\|/_synapse/client) {`
			`proxy_pass http://localhost:8008;`
			`proxy_set_header X-Forwarded-For $remote_addr;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_set_header Host $host;`

			`client_max_body_size 50M;`

			`proxy_http_version 1.1;`
			`}`
[fix] role:synapse-and-nginx 2024-07-09 09:11:53 +02:00			`{% endmacro %}`
[mod] roles:synapse-and-nginx:tls mode 2024-07-03 22:31:49 +02:00
[ini] 2023-11-20 02:07:08 +01:00			`server {`
[mod] roles:synapse-and-nginx:tls mode 2024-07-03 22:31:49 +02:00			`server_name {{var_synapse_and_nginx_domain}};`

[ini] 2023-11-20 02:07:08 +01:00			`listen 80;`
			`listen [::]:80;`
[mod] roles:synapse-and-nginx:tls mode 2024-07-03 22:31:49 +02:00
[mod] nginx-connector-roles:conf formatting 2024-07-09 10:38:28 +02:00			`{% if (var_synapse_and_nginx_tls_mode == 'force') %}`
[mod] roles:synapse-and-nginx:tls mode 2024-07-03 22:31:49 +02:00			`return 301 https://$http_host$request_uri;`
			`{% else %}`
[mod] nginx-connector-roles:conf formatting 2024-07-09 09:19:57 +02:00			`{{ synapse_common() }}`
[mod] roles:synapse-and-nginx:tls mode 2024-07-03 22:31:49 +02:00			`{% endif %}`
			`}`

[fix] role:synapse-and-nginx 2024-07-09 11:14:19 +02:00			`{% if (var_synapse_and_nginx_tls_mode != 'disable') %}`
[mod] roles:synapse-and-nginx:tls mode 2024-07-03 22:31:49 +02:00			`server {`
			`server_name {{var_synapse_and_nginx_domain}};`

			`listen 443 ssl http2;`
			`listen [::]:443 ssl http2;`
[sty] roles:tls hardening:format 2024-06-01 18:14:21 +02:00
[ini] 2023-11-20 02:07:08 +01:00			`## For the federation port`
			`listen 8448 ssl http2 default_server;`
			`listen [::]:8448 ssl http2 default_server;`
[sty] roles:tls hardening:format 2024-06-01 18:14:21 +02:00
[mod] rename roles according to new guidelines 2023-11-22 15:35:12 +01:00			`ssl_certificate_key /etc/ssl/private/{{var_synapse_and_nginx_domain}}.pem;`
[mod] roles:synapse-and-nginx:tls mode 2024-07-03 22:31:49 +02:00			`ssl_certificate /etc/ssl/fullchains/{{var_synapse_and_nginx_domain}}.pem;`
Harden nginx ssl/tls config According to https://ssl-config.mozilla.org/ 2024-04-19 00:20:46 +02:00			`include /etc/nginx/ssl-hardening.conf;`
[sty] roles:tls hardening:format 2024-06-01 18:14:21 +02:00
[mod] nginx-connector-roles:conf formatting 2024-07-09 09:19:57 +02:00			`{{ synapse_common() }}`
[ini] 2023-11-20 02:07:08 +01:00			`}`
[mod] roles:synapse-and-nginx:tls mode 2024-07-03 22:31:49 +02:00			`{% endif %}`