begin certificate integration for hosts

ansible/playbook/runa.yml

@@ -12,6 +12,11 @@
       tags:
         - synapse
       when: '"synapse" in docker_compose'
+    - name: SSL Certs
+      include_role:
+        name: ssl-certificates
+      tags:
+        - ssl
     - name: Add docker-compose
       include_role:
         name: docker-compose

ansible/roles/docker-compose/files/synapse/.env

@@ -1,4 +1,5 @@
 SYNAPSE_VERSION=v1.92.3
+NGINX_VERSION=1.25.2-alpine
 
 SYNAPSE_SERVER_NAME=corp-serv.net
 NGINX_SYNAPSE_FQDN=synapse.corp-apps.com

ansible/roles/docker-compose/files/synapse/docker-compose.yaml

@@ -12,3 +12,11 @@ services:
       - --config-path=/config/homeserver.yaml
 #      - --config-path=/config/generic_worker.yaml
     restart: always
+  nginx:
+    image: nginx:${NGINX_VERSION}
+    ports:
+      - "80:80/tcp"
+      - "443:443/tcp"
+    volumes:
+      - ./nginx:/etc/nginx/conf.d
+      - /ssl:/ssl

ansible/roles/docker-compose/files/synapse/nginx/synapse.conf

@@ -0,0 +1,39 @@
+server {
+
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    ssl_certificate      /ssl/chain.crt;
+    ssl_certificate_key  /ssl/certificate.keyplain;
+
+    client_max_body_size 100m;
+
+    error_page 403 404 /403_404.html;
+    location = /403_404.html {
+	    default_type application/json;
+	    return 200 'You are not authorized to access this page.';
+    }
+
+    location /.well-known/matrix/server {
+      default_type application/json;
+      return 200 '{"m.server": "ungleich.matrix.ungleich.cloud:443" }';
+    }
+    location /.well-known/matrix/client {
+      default_type application/json;
+      return 200 '{ "m.homeserver": { "base_url": "https://ungleich.matrix.ungleich.cloud" } }';
+    }
+
+
+    location ~ /_matrix|/_synapse {
+      proxy_set_header X-Forwarded-For $remote_addr;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header Host $http_host;
+
+      proxy_connect_timeout 600s;
+      proxy_send_timeout 600s;
+      proxy_read_timeout 600s;
+      send_timeout 600s;
+
+      proxy_pass http://localhost:8008;
+    }
+}

ansible/roles/ssl-certificates/tasks/main.yml

@@ -0,0 +1,18 @@
+- name: Create ssl directory
+  ansible.builtin.file:
+    path: /ssl
+    state: directory
+    mode: '0755'
+    owner: root
+  tags:
+    - dir
+    - ssl
+- name: Copy SSL certificate
+  ansible.builtin.copy:
+    src: files/{{ inventory_hostname }}/
+    dest: /ssl
+    owner: root
+    mode: '0644'
+  tags:
+    - files
+    - ssl

ansible/roles/synapse-base/tasks/main.yml

@@ -9,7 +9,7 @@
     path: /mnt/synapse_data
     state: directory
     mode: '0700'
-    owner: "{{ ansible_user }}"
+    owner: 991
   tags:
     - directory
 # - name: Create homeserver.yaml file