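# Edge reverse-proxy configuration (Nomad template: the `{{ env ... }}`
# expressions are rendered from NOMAD_UPSTREAM_ADDR_* before nginx reads it).
#
# Layout:
#   - one upstream per Nomad service address
#   - a catch-all server that refuses unknown hostnames on 443
#   - one virtual host each for gitea, hydra, the redalder.org/nixng.org site
#   - the Matrix (Synapse) host, which also serves the federation port 8448
#     and routes by path to Synapse's worker groups
#
# Each upstream is a single backend; Nomad's Connect proxy performs the
# actual load balancing behind the address it hands us.
upstream gitea { server {{ env "NOMAD_UPSTREAM_ADDR_gitea" }}; }
upstream hydra { server {{ env "NOMAD_UPSTREAM_ADDR_hydra" }}; }
upstream nextcloud { server {{ env "NOMAD_UPSTREAM_ADDR_nextcloud" }}; }
upstream website { server {{ env "NOMAD_UPSTREAM_ADDR_website" }}; }
upstream reicio { server {{ env "NOMAD_UPSTREAM_ADDR_reicio" }}; }
upstream matrix-synapse { server {{ env "NOMAD_UPSTREAM_ADDR_matrix_synapse" }}; }
upstream matrix-synapse-federation-receiver { server {{ env "NOMAD_UPSTREAM_ADDR_matrix_synapse_federation_receiver" }}; }
upstream matrix-synapse-client { server {{ env "NOMAD_UPSTREAM_ADDR_matrix_synapse_client" }}; }
upstream matrix-synapse-sync { server {{ env "NOMAD_UPSTREAM_ADDR_matrix_synapse_sync" }}; }

# Catch-all: any TLS request whose SNI/Host does not match a server_name
# below gets a 404 instead of being handed to the first virtual host.
# `default_server` makes this explicit rather than relying on this block
# happening to be declared first.
server {
    listen 443 ssl http2 default_server;
    server_name _;
    include /local/ssl.conf;
    return 404;
}

server {
    listen 443 ssl http2;
    server_name gitea.redalder.org;
    include /local/security.conf;
    include /local/ssl.conf;

    # 0 disables nginx's request-body limit entirely — presumably so large
    # git pushes are not rejected with 413. Any cap then has to be enforced
    # by Gitea itself; confirm that is intended.
    client_max_body_size 0;

    location / {
        include /local/headers.conf;
        proxy_pass http://gitea;
    }
}

server {
    listen 443 ssl http2;
    server_name hydra.redalder.org;
    include /local/security.conf;
    include /local/ssl.conf;

    location / {
        include /local/headers.conf;
        proxy_pass http://hydra;
    }
}

server {
    listen 443 ssl http2;
    server_name redalder.org nixng.org;
    include /local/security.conf;
    include /local/ssl.conf;

    # Trailing slash on proxy_pass strips the /nextcloud/ and /reicio/
    # prefixes before forwarding; the website upstream receives the URI as-is.
    location /nextcloud/ {
        include /local/headers.conf;
        proxy_pass http://nextcloud/;
    }

    location /reicio/ {
        include /local/headers.conf;
        proxy_pass http://reicio/;
    }

    location / {
        include /local/headers.conf;
        proxy_pass http://website;
    }
}

# Matrix homeserver. Path-based routing to Synapse worker groups, following
# the Synapse reverse-proxy/worker documentation. All regex locations are
# tried in file order, so the generic "the rest" location must stay last.
server {
    listen 443 ssl http2;
    # Federation port. NOTE(review): this server block is shared by both
    # listeners, so the client-API locations and /mufb/ are reachable on
    # 8448 as well — restrict the 8448 listener to the federation/key paths
    # if that exposure is not intended.
    listen 8448 ssl http2;
    server_name matrix.redalder.org;
    include /local/security.conf;
    include /local/ssl.conf;

    # Synapse needs repeated slashes preserved for some federation paths.
    merge_slashes off;

    # Shared by every Synapse location below (locations that declare no
    # proxy_set_header of their own inherit these). /mufb/ sets its own
    # Host header and therefore inherits none of them.
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $host;

    # note: do not add a path (even a single /) after the port in any of the
    # Synapse `proxy_pass` directives below, otherwise nginx will canonicalise
    # the URI and cause signature verification errors.
    #
    # Per location: client_max_body_size 50M matches max_upload_size in
    # homeserver.yaml (nginx's default is 1M); proxy_http_version 1.1 because
    # Synapse responses may be chunked, which is an HTTP/1.1 feature.

    # sync
    location ~ ^/_matrix/client/(r0|v3)/sync$|^/_matrix/client/(api/v1|r0|v3)/events$|^/_matrix/client/(api/v1|r0|v3)/initialSync$|^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$ {
        proxy_pass http://matrix-synapse-sync;
        client_max_body_size 50M;
        proxy_http_version 1.1;
    }

    # federation
    location ~ ^/_matrix/federation/v1/event/|^/_matrix/federation/v1/state/|^/_matrix/federation/v1/state_ids/|^/_matrix/federation/v1/backfill/|^/_matrix/federation/v1/get_missing_events/|^/_matrix/federation/v1/publicRooms|^/_matrix/federation/v1/query/|^/_matrix/federation/v1/make_join/|^/_matrix/federation/v1/make_leave/|^/_matrix/federation/(v1|v2)/send_join/|^/_matrix/federation/(v1|v2)/send_leave/|^/_matrix/federation/(v1|v2)/invite/|^/_matrix/federation/v1/event_auth/|^/_matrix/federation/v1/timestamp_to_event/|^/_matrix/federation/v1/exchange_third_party_invite/|^/_matrix/federation/v1/user/devices/|^/_matrix/key/v2/query|^/_matrix/federation/v1/hierarchy/ {
        proxy_pass http://matrix-synapse-federation-receiver;
        client_max_body_size 50M;
        proxy_http_version 1.1;
    }

    # inbound federation requests
    location ~ ^/_matrix/federation/v1/send/ {
        proxy_pass http://matrix-synapse-federation-receiver;
        client_max_body_size 50M;
        proxy_http_version 1.1;
    }

    # client api
    location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/createRoom$|^/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/.*$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$|^/_matrix/client/v1/rooms/.*/hierarchy$|^/_matrix/client/(v1|unstable)/rooms/.*/relations/|^/_matrix/client/v1/rooms/.*/threads$|^/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$|^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$|^/_matrix/client/(r0|v3|unstable)/account/3pid$|^/_matrix/client/(r0|v3|unstable)/account/whoami$|^/_matrix/client/(r0|v3|unstable)/devices$|^/_matrix/client/versions$|^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/|^/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$|^/_matrix/client/v1/rooms/.*/timestamp_to_event$|^/_matrix/client/(api/v1|r0|v3|unstable/.*)/rooms/.*/aliases|^/_matrix/client/(api/v1|r0|v3|unstable)/search$|^/_matrix/client/(r0|v3|unstable)/user/.*/filter(/|$) {
        proxy_pass http://matrix-synapse-client;
        client_max_body_size 50M;
        proxy_http_version 1.1;
    }

    # encryption
    location ~ ^/_matrix/client/(r0|v3|unstable)/keys/query$|^/_matrix/client/(r0|v3|unstable)/keys/changes$|^/_matrix/client/(r0|v3|unstable)/keys/claim$|^/_matrix/client/(r0|v3|unstable)/room_keys/|^/_matrix/client/(r0|v3|unstable)/keys/upload/ {
        proxy_pass http://matrix-synapse-client;
        client_max_body_size 50M;
        proxy_http_version 1.1;
    }

    # registration login
    location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/login$|^/_matrix/client/(r0|v3|unstable)/register$|^/_matrix/client/(r0|v3|unstable)/register/available$|^/_matrix/client/v1/register/m.login.registration_token/validity$|^/_matrix/client/(r0|v3|unstable)/password_policy$ {
        proxy_pass http://matrix-synapse-client;
        client_max_body_size 50M;
        proxy_http_version 1.1;
    }

    # event sending
    location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/send|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$|^/_matrix/client/(api/v1|r0|v3|unstable)/join/|^/_matrix/client/(api/v1|r0|v3|unstable)/knock/|^/_matrix/client/(api/v1|r0|v3|unstable)/profile/ {
        proxy_pass http://matrix-synapse-client;
        client_max_body_size 50M;
        proxy_http_version 1.1;
    }

    # account data
    location ~ ^/_matrix/client/(r0|v3|unstable)/.*/tags|^/_matrix/client/(r0|v3|unstable)/.*/account_data {
        proxy_pass http://matrix-synapse;
        client_max_body_size 50M;
        proxy_http_version 1.1;
    }

    # receipts requests
    location ~ ^/_matrix/client/(r0|v3|unstable)/rooms/.*/receipt|^/_matrix/client/(r0|v3|unstable)/rooms/.*/read_markers {
        proxy_pass http://matrix-synapse;
        client_max_body_size 50M;
        proxy_http_version 1.1;
    }

    # presence requests
    location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/presence/ {
        proxy_pass http://matrix-synapse;
        client_max_body_size 50M;
        proxy_http_version 1.1;
    }

    # user directory search
    location ~ ^/_matrix/client/(r0|v3|unstable)/user_directory/search$ {
        proxy_pass http://matrix-synapse-client;
        client_max_body_size 50M;
        proxy_http_version 1.1;
    }

    # the rest: everything else under the Matrix/Synapse prefixes goes to the
    # main process. Must remain after the worker-specific regexes above.
    location ~ ^(/.well-known|/_matrix|/_synapse/client) {
        proxy_pass http://matrix-synapse;
        client_max_body_size 50M;
        proxy_http_version 1.1;
    }

    # mautrix-facebook bridge.
    # NOTE(review): no `upstream matrix-mautrix-facebook` is declared in this
    # file. Because proxy_pass carries a variable ($request_uri), nginx
    # resolves the host name at request time and needs a `resolver` unless an
    # upstream of that name is defined in an included file — confirm which.
    # $request_uri forwards the full original URI (including the /mufb/
    # prefix and query string) unchanged.
    location /mufb/ {
        proxy_pass http://matrix-mautrix-facebook$request_uri;
        proxy_set_header Host $http_host;
        proxy_buffering off;
    }

    # Anything outside the Matrix/bridge paths is not served from this host.
    location / {
        return 404;
    }
}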