Add terranix config for ingress-toothpick container
Signed-off-by: Magic_RB <magic_rb@redalder.org>
This commit is contained in:
parent
87d5a87067
commit
084c85e436
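--- a/terranix/containers/ingress-toothpick/default.nix
+++ b/terranix/containers/ingress-toothpick/default.nix
@@ -0,0 +1,29 @@
+{ elib, secret, ... }:
+let
+inherit (elib)
+nfsVolume
+nomadJob;
+
+flake_host = "";
+flake_rev = "";
+flake_ref = "";
+flake_sha = "";
+in
+{
+resource."nomad_volume"."ingress-letsencrypt" = nfsVolume {
+volume_name = "ingress-letsencrypt";
+access_mode = "single-node-writer";
+server = secret.network.ips.blowhole.ip;
+share = "/var/nfs/ingress-letsencrypt";
+mount_flags = [ "nolock" "hard" ];
+};
+
+resource."nomad_job"."ingress" = nomadJob {
+jobspec = ./job.hcl;
+vars = {
+flake_ref = "${flake_host}?rev=${flake_rev}&ref=${flake_ref}";
+flake_sha = flake_sha;
+upstreams = "\${file(\"${./upstreams.conf}\")}";
+};
+};
+}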
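Review bot: The four pin values `flake_host = "";`, `flake_rev = "";`, `flake_ref = "";` and `flake_sha = "";` are empty placeholders, so the job is handed `flake_ref = "?rev=&ref="` and an empty `flake_sha`; whatever the nix task driver does with an empty `nix_flake_sha`, it cannot be checking the fetched flake against a content hash, and if it does not reject the value outright the ingress will run from an unpinned, unverified flake. Since these four strings are the only thing tying the deployed image to a reviewed revision, make the placeholder fail at evaluation time instead of silently deploying, e.g. `in assert flake_rev != "" && flake_sha != ""; {`. Separately, the NFS export mounted here later holds `privkey.pem` for redalder.org, and `mount_flags = [ "nolock" "hard" ];` carries no `sec=` option, so unless the path from `toothpick` (datacenter `do-1`) to `blowhole` already runs inside a tunnel the TLS private key crosses the network in cleartext; a comment next to `server = secret.network.ips.blowhole.ip;` naming the overlay it traverses would make that assumption reviewable.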
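--- a/terranix/containers/ingress-toothpick/job.hcl
+++ b/terranix/containers/ingress-toothpick/job.hcl
@@ -0,0 +1,259 @@
+variable "flake_ref" {
+type = string
+}
+
+variable "flake_sha" {
+type = string
+}
+
+variable "upstreams" {
+type = string
+}
+
+job "ingress" {
+datacenters = [ "do-1" ]
+region = "do-1"
+type = "service"
+
+group "ingress" {
+count = 1
+
+constraint {
+attribute = "${attr.unique.hostname}"
+value = "toothpick"
+}
+
+volume "ingress-letsencrypt" {
+type = "csi"
+source = "ingress-letsencrypt"
+read_only = false
+
+attachment_mode = "file-system"
+access_mode = "single-node-writer"
+}
+
+network {
+mode = "bridge"
+port "http" {
+static = 80
+to = 80
+host_network = "public"
+}
+
+port "http-matrix" {
+static = 8448
+to = 8448
+host_network = "public"
+}
+
+port "https" {
+static = 443
+to = 443
+host_network = "public"
+}
+
+port "minecraft" {
+static = 25565
+to = 25565
+host_network = "public"
+}
+}
+
+service {
+name = "ingress-toothpick"
+port = "http"
+
+connect {
+sidecar_service {
+proxy {
+upstreams {
+destination_name = "gitea"
+local_bind_port = 3000
+datacenter = "homelab-1"
+
+mesh_gateway {
+mode = "local"
+}
+}
+
+upstreams {
+destination_name = "hydra"
+local_bind_port = 8666
+datacenter = "homelab-1"
+
+mesh_gateway {
+mode = "local"
+}
+}
+
+upstreams {
+destination_name = "nextcloud"
+local_bind_port = 8777
+datacenter = "homelab-1"
+
+mesh_gateway {
+mode = "local"
+}
+}
+
+upstreams {
+destination_name = "website"
+local_bind_port = 8080
+datacenter = "homelab-1"
+
+mesh_gateway {
+mode = "local"
+}
+}
+
+upstreams {
+destination_name = "minecraft"
+local_bind_port = 2666
+datacenter = "homelab-1"
+
+mesh_gateway {
+mode = "local"
+}
+}
+
+upstreams {
+destination_name = "reicio"
+local_bind_port = 8000
+datacenter = "homelab-1"
+
+mesh_gateway {
+mode = "local"
+}
+}
+
+upstreams {
+destination_name = "matrix-synapse"
+local_bind_port = 6167
+datacenter = "homelab-1"
+
+mesh_gateway {
+mode = "local"
+}
+}
+
+upstreams {
+destination_name = "matrix-synapse-client"
+local_bind_port = 6168
+datacenter = "homelab-1"
+
+mesh_gateway {
+mode = "local"
+}
+}
+
+upstreams {
+destination_name = "matrix-synapse-federation-receiver"
+local_bind_port = 6169
+datacenter = "homelab-1"
+
+mesh_gateway {
+mode = "local"
+}
+}
+
+upstreams {
+destination_name = "matrix-synapse-sync"
+local_bind_port = 6170
+datacenter = "homelab-1"
+
+mesh_gateway {
+mode = "local"
+}
+}
+}
+}
+}
+}
+
+task "nginx" {
+driver = "docker"
+
+volume_mount {
+volume = "ingress-letsencrypt"
+destination = "/etc/letsencrypt"
+read_only = false
+}
+
+config {
+nix_flake_ref = "${var.flake_ref}#nixngSystems.ingressToothpick.config.system.build.toplevel"
+nix_flake_sha = var.flake_sha
+entrypoint = [ "init" ]
+}
+
+resources {
+cpu = 200
+memory = 128
+}
+
+template {
+data = <<EOF
+ssl_certificate_key /etc/letsencrypt/live/redalder.org/privkey.pem;
+ssl_certificate /etc/letsencrypt/live/redalder.org/fullchain.pem;
+
+ssl_session_cache shared:le_nginx_SSL:10m;
+ssl_session_timeout 1440m;
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+EOF
+destination = "local/ssl.conf"
+change_mode = "signal"
+change_signal = "SIGHUP"
+}
+
+template {
+data = <<EOF
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+EOF
+destination = "local/headers.conf"
+change_mode = "signal"
+change_signal = "SIGHUP"
+}
+
+template {
+data = <<EOF
+add_header X-Frame-Options "SAMEORIGIN";
+add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
+EOF
+destination = "local/security.conf"
+change_mode = "signal"
+change_signal = "SIGHUP"
+}
+
+template {
+data = <<EOF
+upstream minecraft {
+server {{ env "NOMAD_UPSTREAM_ADDR_minecraft" }};
+}
+
+server {
+listen 25565;
+
+proxy_pass minecraft;
+}
+EOF
+destination = "local/streams.conf"
+change_mode = "signal"
+change_signal = "SIGHUP"
+}
+
+template {
+data = var.upstreams
+destination = "local/upstreams.conf"
+change_mode = "signal"
+change_signal = "SIGHUP"
+}
+}
+}
+}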
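Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` in the `local/headers.conf` template appends to whatever `X-Forwarded-For` the client sent, and since this task is bound straight to the public host network (`host_network = "public"`) it appears to be the first HTTP hop, so any upstream that reads the leftmost entry for rate limiting, audit logs or trusted-proxy decisions sees an attacker-chosen address. The Matrix locations in upstreams.conf already use the safe form, so the include should match them: `proxy_set_header X-Forwarded-For $remote_addr;`. The `local/security.conf` template is also weaker than it reads: `default-src 'self' http: https: data: blob: 'unsafe-inline'` admits scripts from any origin and inline, so it blocks essentially nothing, and nothing here sets HSTS; if a baseline is wanted, `add_header Strict-Transport-Security "max-age=63072000" always;` once every name served here is HTTPS-only, with a real per-vhost CSP instead of the scheme wildcards, would do more than the current header. Keep in mind that nginx drops inherited `add_header` directives in any location that declares its own, so a server-level `include /local/security.conf;` silently stops applying the moment a location adds a header of its own.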
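--- a/terranix/containers/ingress-toothpick/upstreams.conf
+++ b/terranix/containers/ingress-toothpick/upstreams.conf
@@ -0,0 +1,340 @@
+upstream gitea {
+server {{ env "NOMAD_UPSTREAM_ADDR_gitea" }};
+}
+
+upstream hydra {
+server {{ env "NOMAD_UPSTREAM_ADDR_hydra" }};
+}
+
+upstream nextcloud {
+server {{ env "NOMAD_UPSTREAM_ADDR_nextcloud" }};
+}
+
+upstream website {
+server {{ env "NOMAD_UPSTREAM_ADDR_website" }};
+}
+
+upstream reicio {
+server {{ env "NOMAD_UPSTREAM_ADDR_reicio" }};
+}
+
+upstream matrix-synapse {
+server {{ env "NOMAD_UPSTREAM_ADDR_matrix_synapse" }};
+}
+
+upstream matrix-synapse-federation-receiver {
+server {{ env "NOMAD_UPSTREAM_ADDR_matrix_synapse_federation_receiver" }};
+}
+
+upstream matrix-synapse-client {
+server {{ env "NOMAD_UPSTREAM_ADDR_matrix_synapse_client" }};
+}
+
+upstream matrix-synapse-sync {
+server {{ env "NOMAD_UPSTREAM_ADDR_matrix_synapse_sync" }};
+}
+
+upstream matrix-mautrix-facebook {
+server {{ env "NOMAD_UPSTREAM_ADDR_matrix-mautrix-facebook" }};
+}
+
+server {
+listen 443 ssl http2;
+
+server_name _;
+
+include /local/ssl.conf;
+
+return 404;
+}
+
+server {
+listen 443 ssl http2;
+
+server_name gitea.redalder.org;
+
+include /local/security.conf;
+include /local/ssl.conf;
+
+client_max_body_size 100M;
+
+location / {
+include /local/headers.conf;
+proxy_pass http://gitea;
+}
+}
+
+server {
+listen 443 ssl http2;
+
+server_name hydra.redalder.org;
+
+include /local/security.conf;
+include /local/ssl.conf;
+
+location / {
+include /local/headers.conf;
+proxy_pass http://hydra;
+}
+}
+
+server {
+listen 443 ssl http2;
+
+server_name redalder.org nixng.org;
+
+include /local/security.conf;
+include /local/ssl.conf;
+
+location /nextcloud/ {
+include /local/headers.conf;
+proxy_pass http://nextcloud/;
+}
+
+location /reicio/ {
+include /local/headers.conf;
+proxy_pass http://reicio/;
+}
+
+location / {
+include /local/headers.conf;
+proxy_pass http://website;
+}
+}
+
+server {
+listen 443 ssl http2;
+listen 8448 ssl http2;
+
+server_name matrix.redalder.org;
+merge_slashes off;
+
+# sync
+location ~ ^/_matrix/client/(r0|v3)/sync$|^/_matrix/client/(api/v1|r0|v3)/events$|^/_matrix/client/(api/v1|r0|v3)/initialSync$|^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$ {
+# note: do not add a path (even a single /) after the port in `proxy_pass`,
+# otherwise nginx will canonicalise the URI and cause signature verification
+# errors.
+proxy_pass http://matrix-synapse-sync;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header Host $host;
+
+# Nginx by default only allows file uploads up to 1M in size
+# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+client_max_body_size 50M;
+
+# Synapse responses may be chunked, which is an HTTP/1.1 feature.
+proxy_http_version 1.1;
+}
+
+# federation
+location ~ ^/_matrix/federation/v1/event/|^/_matrix/federation/v1/state/|^/_matrix/federation/v1/state_ids/|^/_matrix/federation/v1/backfill/|^/_matrix/federation/v1/get_missing_events/|^/_matrix/federation/v1/publicRooms|^/_matrix/federation/v1/query/|^/_matrix/federation/v1/make_join/|^/_matrix/federation/v1/make_leave/|^/_matrix/federation/(v1|v2)/send_join/|^/_matrix/federation/(v1|v2)/send_leave/|^/_matrix/federation/(v1|v2)/invite/|^/_matrix/federation/v1/event_auth/|^/_matrix/federation/v1/timestamp_to_event/|^/_matrix/federation/v1/exchange_third_party_invite/|^/_matrix/federation/v1/user/devices/|^/_matrix/key/v2/query|^/_matrix/federation/v1/hierarchy/ {
+# note: do not add a path (even a single /) after the port in `proxy_pass`,
+# otherwise nginx will canonicalise the URI and cause signature verification
+# errors.
+proxy_pass http://matrix-synapse-federation-receiver;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header Host $host;
+
+# Nginx by default only allows file uploads up to 1M in size
+# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+client_max_body_size 50M;
+
+# Synapse responses may be chunked, which is an HTTP/1.1 feature.
+proxy_http_version 1.1;
+}
+
+# inbound federation requests
+location ~ ^/_matrix/federation/v1/send/ {
+# note: do not add a path (even a single /) after the port in `proxy_pass`,
+# otherwise nginx will canonicalise the URI and cause signature verification
+# errors.
+proxy_pass http://matrix-synapse-federation-receiver;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header Host $host;
+
+# Nginx by default only allows file uploads up to 1M in size
+# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+client_max_body_size 50M;
+
+# Synapse responses may be chunked, which is an HTTP/1.1 feature.
+proxy_http_version 1.1;
+}
+
+# client api
+location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/createRoom$|^/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/.*$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$|^/_matrix/client/v1/rooms/.*/hierarchy$|^/_matrix/client/(v1|unstable)/rooms/.*/relations/|^/_matrix/client/v1/rooms/.*/threads$|^/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$|^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$|^/_matrix/client/(r0|v3|unstable)/account/3pid$|^/_matrix/client/(r0|v3|unstable)/account/whoami$|^/_matrix/client/(r0|v3|unstable)/devices$|^/_matrix/client/versions$|^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/|^/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$|^/_matrix/client/v1/rooms/.*/timestamp_to_event$|^/_matrix/client/(api/v1|r0|v3|unstable/.*)/rooms/.*/aliases|^/_matrix/client/(api/v1|r0|v3|unstable)/search$|^/_matrix/client/(r0|v3|unstable)/user/.*/filter(/|$) {
+# note: do not add a path (even a single /) after the port in `proxy_pass`,
+# otherwise nginx will canonicalise the URI and cause signature verification
+# errors.
+proxy_pass http://matrix-synapse-client;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header Host $host;
+
+# Nginx by default only allows file uploads up to 1M in size
+# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+client_max_body_size 50M;
+
+# Synapse responses may be chunked, which is an HTTP/1.1 feature.
+proxy_http_version 1.1;
+}
+
+# encryption
+location ~ ^/_matrix/client/(r0|v3|unstable)/keys/query$|^/_matrix/client/(r0|v3|unstable)/keys/changes$|^/_matrix/client/(r0|v3|unstable)/keys/claim$|^/_matrix/client/(r0|v3|unstable)/room_keys/|^/_matrix/client/(r0|v3|unstable)/keys/upload/ {
+# note: do not add a path (even a single /) after the port in `proxy_pass`,
+# otherwise nginx will canonicalise the URI and cause signature verification
+# errors.
+proxy_pass http://matrix-synapse-client;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header Host $host;
+
+# Nginx by default only allows file uploads up to 1M in size
+# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+client_max_body_size 50M;
+
+# Synapse responses may be chunked, which is an HTTP/1.1 feature.
+proxy_http_version 1.1;
+}
+
+# registration login
+location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/login$|^/_matrix/client/(r0|v3|unstable)/register$|^/_matrix/client/(r0|v3|unstable)/register/available$|^/_matrix/client/v1/register/m.login.registration_token/validity$|^/_matrix/client/(r0|v3|unstable)/password_policy$ {
+# note: do not add a path (even a single /) after the port in `proxy_pass`,
+# otherwise nginx will canonicalise the URI and cause signature verification
+# errors.
+proxy_pass http://matrix-synapse-client;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header Host $host;
+
+# Nginx by default only allows file uploads up to 1M in size
+# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+client_max_body_size 50M;
+
+# Synapse responses may be chunked, which is an HTTP/1.1 feature.
+proxy_http_version 1.1;
+}
+
+# event sending
+location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/send|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$|^/_matrix/client/(api/v1|r0|v3|unstable)/join/|^/_matrix/client/(api/v1|r0|v3|unstable)/knock/|^/_matrix/client/(api/v1|r0|v3|unstable)/profile/ {
+# note: do not add a path (even a single /) after the port in `proxy_pass`,
+# otherwise nginx will canonicalise the URI and cause signature verification
+# errors.
+proxy_pass http://matrix-synapse-client;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header Host $host;
+
+# Nginx by default only allows file uploads up to 1M in size
+# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+client_max_body_size 50M;
+
+# Synapse responses may be chunked, which is an HTTP/1.1 feature.
+proxy_http_version 1.1;
+}
+
+# account data
+location ~ ^/_matrix/client/(r0|v3|unstable)/.*/tags|^/_matrix/client/(r0|v3|unstable)/.*/account_data {
+# note: do not add a path (even a single /) after the port in `proxy_pass`,
+# otherwise nginx will canonicalise the URI and cause signature verification
+# errors.
+proxy_pass http://matrix-synapse;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header Host $host;
+
+# Nginx by default only allows file uploads up to 1M in size
+# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+client_max_body_size 50M;
+
+# Synapse responses may be chunked, which is an HTTP/1.1 feature.
+proxy_http_version 1.1;
+}
+
+# receipts requests
+location ~ ^/_matrix/client/(r0|v3|unstable)/rooms/.*/receipt|^/_matrix/client/(r0|v3|unstable)/rooms/.*/read_markers {
+# note: do not add a path (even a single /) after the port in `proxy_pass`,
+# otherwise nginx will canonicalise the URI and cause signature verification
+# errors.
+proxy_pass http://matrix-synapse;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header Host $host;
+
+# Nginx by default only allows file uploads up to 1M in size
+# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+client_max_body_size 50M;
+
+# Synapse responses may be chunked, which is an HTTP/1.1 feature.
+proxy_http_version 1.1;
+}
+
+# presence requests
+location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/presence/ {
+# note: do not add a path (even a single /) after the port in `proxy_pass`,
+# otherwise nginx will canonicalise the URI and cause signature verification
+# errors.
+proxy_pass http://matrix-synapse;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header Host $host;
+
+# Nginx by default only allows file uploads up to 1M in size
+# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+client_max_body_size 50M;
+
+# Synapse responses may be chunked, which is an HTTP/1.1 feature.
+proxy_http_version 1.1;
+}
+
+# user directory search
+location ~ ^/_matrix/client/(r0|v3|unstable)/user_directory/search$ {
+# note: do not add a path (even a single /) after the port in `proxy_pass`,
+# otherwise nginx will canonicalise the URI and cause signature verification
+# errors.
+proxy_pass http://matrix-synapse-client;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header Host $host;
+
+# Nginx by default only allows file uploads up to 1M in size
+# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+client_max_body_size 50M;
+
+# Synapse responses may be chunked, which is an HTTP/1.1 feature.
+proxy_http_version 1.1;
+}
+
+# the rest
+location ~ ^(/.well-known|/_matrix|/_synapse/client) {
+# note: do not add a path (even a single /) after the port in `proxy_pass`,
+# otherwise nginx will canonicalise the URI and cause signature verification
+# errors.
+proxy_pass http://matrix-synapse;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header Host $host;
+
+# Nginx by default only allows file uploads up to 1M in size
+# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+client_max_body_size 50M;
+
+# Synapse responses may be chunked, which is an HTTP/1.1 feature.
+proxy_http_version 1.1;
+}
+
+location /mufb/ {
+proxy_pass http://matrix-mautrix-facebook$request_uri;
+proxy_set_header Host $http_host;
+proxy_buffering off;
+}
+
+location / {
+return 404;
+}
+
+include /local/security.conf;
+include /local/ssl.conf;
+}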
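Review bot: `server {{ env "NOMAD_UPSTREAM_ADDR_matrix-mautrix-facebook" }};` in the `matrix-mautrix-facebook` upstream keeps the hyphens, whereas every other upstream in this file uses the underscore form Nomad exports (`NOMAD_UPSTREAM_ADDR_matrix_synapse` for `matrix-synapse`), and job.hcl's connect proxy declares no `matrix-mautrix-facebook` upstream at all; consul-template's `env` is documented to return an empty string for an unset variable, so unless this value is supplied some other way the line renders as `server ;`, nginx rejects the configuration, and every vhost on this ingress goes down with it. Either add the upstream to the sidecar in job.hcl and write `server {{ env "NOMAD_UPSTREAM_ADDR_matrix_mautrix_facebook" }};`, or remove this block together with the `/mufb/` location until the bridge is actually wired up. That `/mufb/` location is also the only proxied path without `include /local/headers.conf;`, so the bridge receives no `X-Forwarded-For` or `X-Forwarded-Proto`, and `proxy_pass http://matrix-mautrix-facebook$request_uri;` forwards the raw request URI, including the `//` sequences that `merge_slashes off;` deliberately leaves intact on this server, which is only acceptable if the bridge validates paths itself.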