fix up nginx

data-template/nginx/app.conf

@@ -1,112 +0,0 @@
-# taken from https://element-hq.github.io/synapse/latest/reverse_proxy.html
-# mixed with https://github.com/wmnnd/nginx-certbot/tree/master/data/nginx
-
-server {
-    server_name example.com;
-    server_tokens off;
-
-    listen 80;
-
-    location /.well-known/acme-challenge/ {
-        root /var/www/certbot;
-    }
-
-    location / {
-        return 301 https://$host$request_uri;
-    }
-}
-
-server {
-    server_name element.example.com;
-    server_tokens off;
-
-    listen 443 ssl default_server;
-    listen [::]:443 ssl default_server;
-
-    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-
-    location / {
-        proxy_pass http://element-web:8080;
-    }
-}
-
-server {
-    server_name call.example.com;
-    server_tokens off;
-
-    listen 443 ssl default_server;
-    listen [::]:443 ssl default_server;
-
-    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-
-    location / {
-        proxy_pass http://element-call:8082;
-    }
-}
-
-server {
-    server_name auth.example.com;
-    server_tokens off;
-
-    listen 443 ssl default_server;
-    listen [::]:443 ssl default_server;
-
-    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-
-    location / {
-        proxy_pass http://auth:8083;
-    }
-}
-
-server {
-    server_name matrix.example.com;
-    server_tokens off;
-
-    listen 443 ssl default_server;
-    listen [::]:443 ssl default_server;
-
-    # For the federation port
-    listen 8448 ssl default_server;
-    listen [::]:8448 ssl default_server;
-
-    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-
-    # pass auth to MAS
-    location ~ ^/_matrix/client/(.*)/(login|logout|refresh)             { proxy_pass http://auth:8083 }
-
-    # use the generic worker as a synchrotron:
-    # taken from https://element-hq.github.io/synapse/latest/workers.html#synapseappgeneric_worker
-    location ~ ^/_matrix/client/(r0|v3)/sync$                           { proxy_pass http://synapse-generic-worker-1:8081 }
-    location ~ ^/_matrix/client/(api/v1|r0|v3)/events$                  { proxy_pass http://synapse-generic-worker-1:8081 }
-    location ~ ^/_matrix/client/(api/v1|r0|v3)/initialSync$             { proxy_pass http://synapse-generic-worker-1:8081 }
-    location ~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$ { proxy_pass http://synapse-generic-worker-1:8081 }
-
-    location / {
-        proxy_pass http://synapse:8008;
-        proxy_set_header X-Forwarded-For $remote_addr;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header Host $host;
-
-        # Nginx by default only allows file uploads up to 1M in size
-        # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
-        client_max_body_size 50M;
-    }
-
-    location /.well-known {}
-
-    # Synapse responses may be chunked, which is an HTTP/1.1 feature.
-    proxy_http_version 1.1;
-}
-

data-template/nginx/conf.d/app.conf

@@ -0,0 +1,90 @@
+${CONFIG_HEADER}
+
+# taken from https://element-hq.github.io/synapse/latest/reverse_proxy.html
+# mixed with https://github.com/wmnnd/nginx-certbot/tree/master/etc/nginx/conf.d/nginx
+
+server {
+    server_name ${DOMAIN};
+    server_tokens off;
+
+    listen 80;
+
+    # location /.well-known/acme-challenge/ {
+    #    root /var/www/certbot;
+    # }
+
+    location / {
+        return 301 https://${DOLLAR}host${DOLLAR}request_uri;
+    }
+}
+
+server {
+    server_name ${ELEMENT_WEB_FQDN};
+    server_tokens off;
+
+    include /etc/nginx/conf.d/include/ssl.conf;
+
+    location / {
+        proxy_pass http://element-web:8080;
+    }
+}
+
+server {
+    server_name ${ELEMENT_CALL_FQDN};
+    server_tokens off;
+
+    include /etc/nginx/conf.d/include/ssl.conf;
+
+    location / {
+        proxy_pass http://element-call:8082;
+    }
+}
+
+server {
+    server_name ${MAS_FQDN};
+    server_tokens off;
+
+    include /etc/nginx/conf.d/include/ssl.conf;
+
+    location / {
+        proxy_pass http://auth:8083;
+    }
+}
+
+server {
+    server_name ${HOMESERVER_FQDN};
+    server_tokens off;
+
+    include /etc/nginx/conf.d/include/ssl.conf;
+
+    # For the federation port
+    listen 8448 ssl default_server;
+    listen [::]:8448 ssl default_server;
+
+    # pass auth to MAS
+    location ~ ^/_matrix/client/(.*)/(login|logout|refresh)             { proxy_pass http://auth:8083; }
+
+    # use the generic worker as a synchrotron:
+    # taken from https://element-hq.github.io/synapse/latest/workers.html#synapseappgeneric_worker
+    location ~ ^/_matrix/client/(r0|v3)/sync${DOLLAR}                           { proxy_pass http://synapse-generic-worker-1:8081; }
+    location ~ ^/_matrix/client/(api/v1|r0|v3)/events${DOLLAR}                  { proxy_pass http://synapse-generic-worker-1:8081; }
+    location ~ ^/_matrix/client/(api/v1|r0|v3)/initialSync${DOLLAR}             { proxy_pass http://synapse-generic-worker-1:8081; }
+    location ~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync${DOLLAR} { proxy_pass http://synapse-generic-worker-1:8081; }
+
+    location / {
+        proxy_pass http://synapse:8008;
+        proxy_set_header X-Forwarded-For ${DOLLAR}remote_addr;
+        proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme;
+        proxy_set_header Host ${DOLLAR}host;
+
+        # Nginx by default only allows file uploads up to 1M in size
+        # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+        client_max_body_size 50M;
+    }
+
+    location /.well-known {}
+
+    # Synapse responses may be chunked, which is an HTTP/1.1 feature.
+    proxy_http_version 1.1;
+}
+

data-template/nginx/conf.d/include/ssl.conf

@@ -0,0 +1,10 @@
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    # ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
+    # ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
+    # include /etc/letsencrypt/options-ssl-nginx.conf;
+    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+    ssl_certificate /etc/nginx/ssl/client.pem;
+    ssl_certificate_key /etc/nginx/ssl/key.pem;

data-template/synapse/homeserver.yaml

@@ -48,6 +48,8 @@ trusted_key_servers:
 # please keep config above this point as close as possible to the original generated config
 # so that upstream generated config changes can be detected
 
+suppress_key_server_warning: true
+
 send_federation: false
 federation_sender_instances:
   - synapse-federation-sender-1

data-template/synapse/log.config

@@ -1,3 +1,5 @@
+${CONFIG_HEADER}
+
 # Log configuration for Synapse.
 #
 # This is a YAML file containing a standard Python logging configuration

data-template/synapse/workers/synapse-federation-sender-1.yaml

@@ -1,3 +1,5 @@
+${CONFIG_HEADER}
+
 worker_app: synapse.app.federation_sender
 worker_name: synapse-federation-sender-1
 

data-template/synapse/workers/synapse-generic-worker-1.yaml

@@ -1,3 +1,5 @@
+${CONFIG_HEADER}
+
 worker_app: synapse.app.generic_worker
 worker_name: synapse-generic-worker-1