# Backend pools. Each address is filled in when the template is rendered:
# {{ env "..." }} substitutes the named environment variable, and Nomad
# exports NOMAD_UPSTREAM_ADDR_<service> for every declared upstream.
# If a variable is unset the rendered `server` directive has no argument and
# nginx refuses the configuration, so a missing upstream fails closed.

upstream gitea {
    server {{ env "NOMAD_UPSTREAM_ADDR_gitea" }};
}

upstream hydra {
    server {{ env "NOMAD_UPSTREAM_ADDR_hydra" }};
}

upstream nextcloud {
    server {{ env "NOMAD_UPSTREAM_ADDR_nextcloud" }};
}

upstream website {
    server {{ env "NOMAD_UPSTREAM_ADDR_website" }};
}

upstream reicio {
    server {{ env "NOMAD_UPSTREAM_ADDR_reicio" }};
}

# Synapse is split by role; the matrix.redalder.org vhost picks a pool per
# request path.
upstream matrix-synapse {
    server {{ env "NOMAD_UPSTREAM_ADDR_matrix_synapse" }};
}

upstream matrix-synapse-federation-receiver {
    server {{ env "NOMAD_UPSTREAM_ADDR_matrix_synapse_federation_receiver" }};
}

upstream matrix-synapse-client {
    server {{ env "NOMAD_UPSTREAM_ADDR_matrix_synapse_client" }};
}

upstream matrix-synapse-sync {
    server {{ env "NOMAD_UPSTREAM_ADDR_matrix_synapse_sync" }};
}
# Catch-all vhost on :443: answers 404 for any Host that no other server
# block claims. "_" is only a placeholder name that matches no real host;
# with no default_server flag on the listen line, this block is the fallback
# because it is the first server declared for the socket in this file.
# NOTE(review): the TLS handshake is still completed using whatever
# /local/ssl.conf configures before the 404 is returned, so the certificate
# is shown to clients asking for unknown names — confirm that is intended.
server {
    listen 443 ssl http2;

    server_name _;

    include /local/ssl.conf;

    return 404;
}
# gitea.redalder.org: TLS terminates here, every path is forwarded to the
# gitea upstream with the request URI unchanged (proxy_pass has no URI part).
server {
    listen 443 ssl http2;

    server_name gitea.redalder.org;

    include /local/security.conf;
    include /local/ssl.conf;

    # 0 switches off nginx's request-body size check for this vhost, so any
    # upload limit has to be enforced by Gitea itself.
    # NOTE(review): confirm the backend caps push/attachment sizes; otherwise
    # a single client can stream arbitrarily large bodies through the proxy.
    client_max_body_size 0;

    location / {
        # NOTE(review): contents of headers.conf are not visible here. If it
        # holds any add_header, server-level add_header lines (e.g. from
        # security.conf) are no longer inherited in this location.
        include /local/headers.conf;
        proxy_pass http://gitea;
    }
}
# hydra.redalder.org: TLS terminates here, every path is forwarded to the
# hydra upstream with the request URI unchanged.
# No client_max_body_size is set in this block, so the limit comes from an
# outer context or nginx's built-in 1M default.
server {
    listen 443 ssl http2;

    server_name hydra.redalder.org;

    include /local/security.conf;
    include /local/ssl.conf;

    location / {
        include /local/headers.conf;
        proxy_pass http://hydra;
    }
}
# Main site, served under two names. Three applications share one origin
# (scheme + host), split by path prefix:
#   /nextcloud/ -> nextcloud upstream
#   /reicio/    -> reicio upstream
#   anything else -> website upstream
# NOTE(review): because they share an origin, host-scoped cookies and
# same-origin script access are not separated between the three apps by the
# browser; confirm that is acceptable for Nextcloud.
server {
    listen 443 ssl http2;

    server_name redalder.org nixng.org;

    include /local/security.conf;
    include /local/ssl.conf;

    location /nextcloud/ {
        include /local/headers.conf;
        # The trailing "/" is a URI part: the matched "/nextcloud/" prefix is
        # replaced by "/" before the request reaches the backend.
        proxy_pass http://nextcloud/;
    }

    location /reicio/ {
        include /local/headers.conf;
        # Same prefix rewrite as above: "/reicio/x" is sent upstream as "/x".
        proxy_pass http://reicio/;
    }

    location / {
        include /local/headers.conf;
        # No URI part here, so the request URI is passed through as received.
        proxy_pass http://website;
    }
}
# Matrix homeserver vhost. Requests are routed by path to one of four Synapse
# pools: sync, federation receiver, client, and the main matrix-synapse pool.
#
# Rules shared by every Synapse location below:
#   * proxy_pass carries no URI part (not even a single "/") after the
#     upstream name; with one, nginx would canonicalise the URI and cause
#     signature verification errors.
#   * X-Forwarded-For is set to $remote_addr, which replaces any value the
#     client supplied, so the backend only ever sees the direct peer address.
#   * nginx by default only allows request bodies up to 1M; the limit is
#     raised to 50M to match max_upload_size defined in homeserver.yaml.
#   * Synapse responses may be chunked, which is an HTTP/1.1 feature, hence
#     proxy_http_version 1.1.
#
# Regex locations are tested in the order they appear and the first match
# wins, so the specific routes must stay above the final "the rest" block.
server {
    listen 443 ssl http2;
    # 8448 is the default Matrix federation port.
    listen 8448 ssl http2;

    server_name matrix.redalder.org;
    # Do not collapse repeated slashes in the request path.
    merge_slashes off;

    # sync
    location ~ ^/_matrix/client/(r0|v3)/sync$|^/_matrix/client/(api/v1|r0|v3)/events$|^/_matrix/client/(api/v1|r0|v3)/initialSync$|^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$ {
        proxy_pass http://matrix-synapse-sync;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;

        client_max_body_size 50M;

        proxy_http_version 1.1;
    }

    # federation
    location ~ ^/_matrix/federation/v1/event/|^/_matrix/federation/v1/state/|^/_matrix/federation/v1/state_ids/|^/_matrix/federation/v1/backfill/|^/_matrix/federation/v1/get_missing_events/|^/_matrix/federation/v1/publicRooms|^/_matrix/federation/v1/query/|^/_matrix/federation/v1/make_join/|^/_matrix/federation/v1/make_leave/|^/_matrix/federation/(v1|v2)/send_join/|^/_matrix/federation/(v1|v2)/send_leave/|^/_matrix/federation/(v1|v2)/invite/|^/_matrix/federation/v1/event_auth/|^/_matrix/federation/v1/timestamp_to_event/|^/_matrix/federation/v1/exchange_third_party_invite/|^/_matrix/federation/v1/user/devices/|^/_matrix/key/v2/query|^/_matrix/federation/v1/hierarchy/ {
        proxy_pass http://matrix-synapse-federation-receiver;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;

        client_max_body_size 50M;

        proxy_http_version 1.1;
    }

    # inbound federation requests
    location ~ ^/_matrix/federation/v1/send/ {
        proxy_pass http://matrix-synapse-federation-receiver;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;

        client_max_body_size 50M;

        proxy_http_version 1.1;
    }

    # client api
    location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/createRoom$|^/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/.*$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$|^/_matrix/client/v1/rooms/.*/hierarchy$|^/_matrix/client/(v1|unstable)/rooms/.*/relations/|^/_matrix/client/v1/rooms/.*/threads$|^/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$|^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$|^/_matrix/client/(r0|v3|unstable)/account/3pid$|^/_matrix/client/(r0|v3|unstable)/account/whoami$|^/_matrix/client/(r0|v3|unstable)/devices$|^/_matrix/client/versions$|^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/|^/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$|^/_matrix/client/v1/rooms/.*/timestamp_to_event$|^/_matrix/client/(api/v1|r0|v3|unstable/.*)/rooms/.*/aliases|^/_matrix/client/(api/v1|r0|v3|unstable)/search$|^/_matrix/client/(r0|v3|unstable)/user/.*/filter(/|$) {
        proxy_pass http://matrix-synapse-client;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;

        client_max_body_size 50M;

        proxy_http_version 1.1;
    }

    # encryption
    location ~ ^/_matrix/client/(r0|v3|unstable)/keys/query$|^/_matrix/client/(r0|v3|unstable)/keys/changes$|^/_matrix/client/(r0|v3|unstable)/keys/claim$|^/_matrix/client/(r0|v3|unstable)/room_keys/|^/_matrix/client/(r0|v3|unstable)/keys/upload/ {
        proxy_pass http://matrix-synapse-client;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;

        client_max_body_size 50M;

        proxy_http_version 1.1;
    }

    # registration login
    # NOTE(review): these endpoints are reachable before authentication and
    # inherit the same 50M body limit as the upload paths; no limit_req is
    # configured in this file, so throttling of login/registration attempts
    # is presumably left to Synapse (rc_login, rc_registration) — confirm.
    location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/login$|^/_matrix/client/(r0|v3|unstable)/register$|^/_matrix/client/(r0|v3|unstable)/register/available$|^/_matrix/client/v1/register/m.login.registration_token/validity$|^/_matrix/client/(r0|v3|unstable)/password_policy$ {
        proxy_pass http://matrix-synapse-client;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;

        client_max_body_size 50M;

        proxy_http_version 1.1;
    }

    # event sending
    location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/send|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$|^/_matrix/client/(api/v1|r0|v3|unstable)/join/|^/_matrix/client/(api/v1|r0|v3|unstable)/knock/|^/_matrix/client/(api/v1|r0|v3|unstable)/profile/ {
        proxy_pass http://matrix-synapse-client;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;

        client_max_body_size 50M;

        proxy_http_version 1.1;
    }

    # account data
    location ~ ^/_matrix/client/(r0|v3|unstable)/.*/tags|^/_matrix/client/(r0|v3|unstable)/.*/account_data {
        proxy_pass http://matrix-synapse;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;

        client_max_body_size 50M;

        proxy_http_version 1.1;
    }

    # receipts requests
    location ~ ^/_matrix/client/(r0|v3|unstable)/rooms/.*/receipt|^/_matrix/client/(r0|v3|unstable)/rooms/.*/read_markers {
        proxy_pass http://matrix-synapse;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;

        client_max_body_size 50M;

        proxy_http_version 1.1;
    }

    # presence requests
    location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/presence/ {
        proxy_pass http://matrix-synapse;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;

        client_max_body_size 50M;

        proxy_http_version 1.1;
    }

    # user directory search
    location ~ ^/_matrix/client/(r0|v3|unstable)/user_directory/search$ {
        proxy_pass http://matrix-synapse-client;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;

        client_max_body_size 50M;

        proxy_http_version 1.1;
    }

    # the rest
    # Only /.well-known, /_matrix and /_synapse/client are forwarded to the
    # main process. /_synapse/admin is not matched by any location above or
    # by this one, so it falls through to "location /" and gets a 404.
    # The "." in "/.well-known" is unescaped and the alternatives have no
    # trailing boundary, so the pattern is slightly wider than the three
    # literal prefixes (e.g. "/_matrixfoo" also matches).
    location ~ ^(/.well-known|/_matrix|/_synapse/client) {
        proxy_pass http://matrix-synapse;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;

        client_max_body_size 50M;

        proxy_http_version 1.1;
    }

    # Bridge endpoint. $request_uri forwards the original, unnormalised URI
    # including the /mufb/ prefix and the query string.
    # NOTE(review): no upstream named matrix-mautrix-facebook is declared in
    # this file. Because proxy_pass contains a variable, nginx resolves an
    # undeclared name at request time and needs a `resolver` for that —
    # confirm the name is defined or resolvable elsewhere.
    # NOTE(review): Host is taken from $http_host, i.e. the header exactly as
    # the client sent it, whereas every other location here uses $host.
    location /mufb/ {
        proxy_pass http://matrix-mautrix-facebook$request_uri;
        proxy_set_header Host $http_host;
        proxy_buffering off;
    }

    # Anything not routed above is refused.
    location / {
        return 404;
    }

    include /local/security.conf;
    include /local/ssl.conf;
}
# buildbot.redalder.org: proxies the Buildbot web UI plus its server-sent
# event (/sse) and WebSocket (/ws) endpoints.
# NOTE(review): unlike the other vhosts, the backend is a fixed private
# address reached over plain HTTP rather than a NOMAD_UPSTREAM_ADDR_* pool;
# confirm the network path to 10.64.2.1 is trusted.
server {
    listen 443 ssl http2;

    server_name buildbot.redalder.org;

    include /local/security.conf;
    include /local/ssl.conf;

    location / {
        include /local/headers.conf;
        proxy_pass http://10.64.2.1:8833/;
    }

    # Prefix match: also covers paths that merely start with "/sse".
    location /sse {
        include /local/headers.conf;
        proxy_pass http://10.64.2.1:8833/sse;
        # Deliver events to the client as they arrive instead of buffering.
        proxy_buffering off;
    }

    # Prefix match: also covers paths that merely start with "/ws".
    location /ws {
        # WebSocket handshake headers are forwarded to the backend.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        # NOTE(review): WebSocket proxying needs HTTP/1.1 towards the
        # backend and no proxy_http_version is set in this location;
        # presumably headers.conf provides it — confirm.
        include /local/headers.conf;
        proxy_pass http://10.64.2.1:8833/ws;
        # An idle socket is kept open for up to 6000 seconds between reads.
        proxy_read_timeout 6000s;
    }
}