From 7b73f948fb361550ec7d740e73c42ecd1cf1a118 Mon Sep 17 00:00:00 2001
From: Nico Schottelius
Date: Sat, 25 Dec 2021 17:59:12 +0100
Subject: [PATCH] [matrix] add well known ours to both servers
---
 apps/matrix/README.md | 44 +++++++------------
 .../element-web-nginx-proxy/element-web.conf | 6 +++
 apps/matrix/synapse-nginx/synapse.conf | 11 ++++-
 3 files changed, 32 insertions(+), 29 deletions(-)
diff --git a/apps/matrix/README.md b/apps/matrix/README.md
index fc779aa..c141cff 100644
--- a/apps/matrix/README.md
+++ b/apps/matrix/README.md
@@ -1,31 +1,4 @@
-## Components
-
-### element-web
-
-* Needs config: /app/config.json
-* Needs FQDN for HTTPS / nginx
-* Maybe limit the builtin webserver to localhost?
- * Configmap to /etc/nginx/conf.d/default.conf
- * Entrypoint `nginx -g daemon off`D
-
-To add:
-
-```
-add_header X-Frame-Options SAMEORIGIN;
-add_header X-Content-Type-Options nosniff;
-add_header X-XSS-Protection "1; mode=block";
-add_header Content-Security-Policy "frame-ancestors 'none'";
-```
-
-## Missing
-
-- SMTP settings / secrets (ungleich mail + sops?)
-
-### admin user
-
-docker exec -it synapse register_new_matrix_user http://localhost:8008 -c /data/homeserver.yaml --help
-
-## Usage
+## Usage and Components
 
 ### Element-Web
 
@@ -33,6 +6,8 @@ docker exec -it synapse register_new_matrix_user http://localhost:8008 -c /data/
 * Includes nginx on port localhost:8080 (http)
 * Includes nginx proxy on port 80+443 (http redirect, https)
 
+The service is reachable as `{{ .Release.Name }}-element-web`.
+
 ### Synapse
 
 * homeserver.yaml is created from a ConfigMap in /config-ro
@@ -40,12 +15,25 @@ docker exec -it synapse register_new_matrix_user http://localhost:8008 -c /data/
 stored in /config/homeserver.yaml
 * Logging configured to stdout
 
+The service is reachable as `{{ .Release.Name }}`.
+
 ### Postgres
 
 Tuned with `--no-locale --encoding=UTF8` using `POSTGRES_INITDB_ARGS` (required by synapse).
 
+The service is reachable as `{{ .Release.Name }}-postgres`.
+
 See
 
 * https://www.postgresql.org/docs/9.5/app-initdb.html
 * https://hub.docker.com/_/postgres
 * https://github.com/matrix-org/synapse/blob/develop/docs/postgres.md
+
+
+## Missing
+
+- SMTP settings / secrets (ungleich mail + sops?)
+
+### admin user
+
+docker exec -it synapse register_new_matrix_user http://localhost:8008 -c /data/homeserver.yaml --help
diff --git a/apps/matrix/element-web-nginx-proxy/element-web.conf b/apps/matrix/element-web-nginx-proxy/element-web.conf
index 9216a58..dae97d8 100644
--- a/apps/matrix/element-web-nginx-proxy/element-web.conf
+++ b/apps/matrix/element-web-nginx-proxy/element-web.conf
@@ -23,6 +23,12 @@ server {
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header Host $http_host;
 proxy_set_header X-Real-IP $remote_addr;
+
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header Content-Security-Policy "frame-ancestors 'none'";
+
 proxy_pass http://localhost:8080;
 }
 }
diff --git a/apps/matrix/synapse-nginx/synapse.conf b/apps/matrix/synapse-nginx/synapse.conf
index 3589168..2ec1828 100644
--- a/apps/matrix/synapse-nginx/synapse.conf
+++ b/apps/matrix/synapse-nginx/synapse.conf
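Review bot: The four `add_header` directives added before `proxy_pass` in element-web.conf only attach to responses with a 2xx/3xx status, because nginx skips add_header for other codes unless the `always` flag is given, so error pages relayed from the backend on localhost:8080 go out without X-Frame-Options or the frame-ancestors CSP. Append the flag to each line, e.g. `add_header X-Frame-Options SAMEORIGIN always;`. Note also that add_header directives in a location replace, rather than extend, any add_header set at the enclosing server level, so headers defined there (if any) have to be repeated here. X-XSS-Protection is a legacy header that current browsers ignore; it is harmless to keep but the protection comes from the CSP line. The enclosing location block starts above this hunk and its closing braces are the last two context lines.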
@@ -7,7 +7,16 @@ server {
 ssl_certificate /etc/letsencrypt/live/{{ tpl .Values.synapseFQDN . }}/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/{{ tpl .Values.synapseFQDN . }}/privkey.pem;
 
- client_max_body_size 0;
+ client_max_body_size {{ .Values.max_filesize_in_mb}}m;
+
+ location /.well-known/matrix/server {
+ default_type application/json;
+ return 200 '{"m.server": "{{ tpl .Values.synapseFQDN . }}:443" }';
+ }
+ location /.well-known/matrix/client {
+ default_type application/json;
+ return 200 '{ "m.homeserver": { "base_url": "https://{{ tpl .Values.synapseFQDN . }}" } }';
+ }
 location ~ /_matrix|/_synapse {
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;