From f3bbb349d78a60c35b3f250be6604b04b4438027 Mon Sep 17 00:00:00 2001 From: transcaffeine Date: Sun, 18 Apr 2021 11:55:40 +0200 Subject: [PATCH] feat: add automatic creation of reverse-proxy routing --- .../matrix.finallycoffee.eu/vars.yml | 22 ++-- .../defaults/main.yml | 2 +- setup.yml | 30 +++++ templates/Caddyfile.j2 | 110 ++++++++++++++++++ 4 files changed, 156 insertions(+), 8 deletions(-) create mode 100644 templates/Caddyfile.j2 diff --git a/inventory/host_vars/matrix.finallycoffee.eu/vars.yml b/inventory/host_vars/matrix.finallycoffee.eu/vars.yml index 80b21b1bd..085a57ad5 100644 --- a/inventory/host_vars/matrix.finallycoffee.eu/vars.yml +++ b/inventory/host_vars/matrix.finallycoffee.eu/vars.yml @@ -18,8 +18,12 @@ matrix_base_data_path: "{{ vault_matrix_base_data_path }}" matrix_server_fqn_element: "chat.{{ matrix_domain }}" matrix_docker_installation_enabled: false -matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:v1.32.0" -#matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.21" +web_user: "web" +revproxy_autoload_dir: "/vault/services/web/sites.d" + +#matrix_client_element_version: v1.8.4 +#matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:v1.37.1" +#matrix_mautrix_telegram_version: v0.10.0 # # General Synapse config @@ -178,6 +182,7 @@ matrix_mautrix_telegram_configuration_extension_yaml: | default: true permissions: "@transcaffeine:finallycoffee.eu": "admin" + "gruenhage.xyz": "full" logging: root: level: INFO 
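Review bot: The active Synapse image pin (`matrix_synapse_docker_image: …synapse:v1.32.0`) is removed and only re-added as a comment, so this host now runs whatever tag the role default selects and will presumably move whenever the role is updated. If floating to the role default is intended, say so where the commented pins sit, e.g. `# Synapse/Element/Telegram versions follow the role defaults; uncomment a line below to pin`; otherwise keep an active pin. The commented `matrix_client_element_version` and `matrix_mautrix_telegram_version` lines are dead configuration for the same reason.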
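Review bot: The added `"gruenhage.xyz": "full"` entry keys the permission on a homeserver domain, unlike the existing `@transcaffeine:finallycoffee.eu` user entry, so mautrix-telegram grants the `full` level to every current and future user of that homeserver rather than to one account. If the whole remote server is trusted that is fine, but a comment naming who on that domain needs it, or narrowing the key to the specific user ID, keeps the grant reviewable later. The block scalar's indentation is not visible in this collapsed hunk, so I have assumed the line sits under `permissions:` at the same level as the existing entry.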
@@ -239,15 +244,16 @@ matrix_mx_puppet_instagram_configuration_extension_yaml: | # mx-puppet-skype configuration # matrix_mx_puppet_skype_enabled: true +matrix_mx_puppet_skype_container_http_monitoring_host_bind_port: 9405 matrix_mx_puppet_skype_container_extra_arguments: - - "-p 127.0.0.1:9405:9405" + - "-p 127.0.0.1:{{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}" matrix_mx_puppet_skype_configuration_extension_yaml: | bridge: enableGroupSync: true avatarUrl: mxc://finallycoffee.eu/jjXDuFqtpFOBOnywoHgzTuYt metrics: enabled: true - port: 9405 + port: {{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }} path: /metrics @@ -283,15 +289,17 @@ matrix_mx_puppet_slack_enabled: true matrix_mx_puppet_slack_client_id: "{{ vault_matrix_mx_puppet_slack_client_id }}" matrix_mx_puppet_slack_client_secret: "{{ vault_matrix_mx_puppet_slack_client_secret }}" matrix_mx_puppet_slack_redirect_path: '/bridge/slack/oauth' +matrix_mx_puppet_slack_container_http_auth_host_bind_port: 8981 +matrix_mx_puppet_slack_container_http_monitoring_host_bind_port: 9406 matrix_mx_puppet_slack_container_extra_arguments: - - "-p 127.0.0.1:9406:9406" - - "-p 127.0.0.1:8981:8008" + - "-p 127.0.0.1:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}" + - "-p 127.0.0.1:{{ matrix_mx_puppet_slack_container_http_auth_host_bind_port }}:8008" matrix_mx_puppet_slack_configuration_extension_yaml: | bridge: enableGroupSync: true metrics: enabled: true - port: 9406 + port: {{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }} path: /metrics limits: maxAutojoinUsers: 500 diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index 6e8526583..a8ee84f3b 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml 
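Review bot: The new `matrix_mx_puppet_skype_container_http_monitoring_host_bind_port` and, in the following hunk, the two `matrix_mx_puppet_slack_*_host_bind_port` variables are inventory-only names styled like role defaults, and nothing in this file says they are also consumed by templates/Caddyfile.j2; renaming either side would silently break the metrics routes. A comment above each, e.g. `# also referenced by templates/Caddyfile.j2 for the /metrics/bridge/* routes`, ties them together. The slack bridge's OAuth listener is still published on 127.0.0.1:8981 but the new Caddyfile has no route for `matrix_mx_puppet_slack_redirect_path`, so it presumably relies on the catch-all `reverse_proxy *` to the nginx proxy; worth confirming that path still reaches the bridge.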
+++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -135,9 +135,9 @@ matrix_mautrix_telegram_registration_yaml: | regex: '^#telegram_.+:{{ matrix_mautrix_telegram_homeserver_domain|regex_escape }}$' sender_localpart: _bot_{{ matrix_mautrix_telegram_appservice_bot_username }} url: {{ matrix_mautrix_telegram_appservice_address }} -# sender_localpart: "bridges_{{ matrix_mautrix_telegram_sender_localpart }}" rate_limited: false de.sorunome.msc2409.push_ephemeral: true +# sender_localpart: "bridges_{{ matrix_mautrix_telegram_sender_localpart }}" matrix_mautrix_telegram_registration: "{{ matrix_mautrix_telegram_registration_yaml|from_yaml }}" diff --git a/setup.yml b/setup.yml index 1573c7a09..5032db45c 100755 --- a/setup.yml +++ b/setup.yml @@ -66,3 +66,33 @@ - matrix-prometheus-postgres-exporter - matrix-backup-borg - matrix-common-after + + tasks: + - name: Ensure web-user is present + user: + name: "{{ web_user }}" + state: present + system: yes + register: web_user_res + tags: [ setup-caddy, setup-all, start ] + - name: Ensure directory for revproxy config is present + file: + path: "{{ revproxy_autoload_dir }}/matrix" + state: directory + owner: "{{ web_user_res.uid }}" + group: "{{ web_user_res.group }}" + mode: 0750 + tags: [ setup-caddy, setup-all, start ] + - name: Template reverse proxy configuration + template: + src: Caddyfile.j2 + dest: "{{ revproxy_autoload_dir }}/matrix/Caddyfile" + owner: "{{ web_user_res.uid }}" + group: "{{ web_user_res.group }}" + mode: 0640 + tags: [ setup-caddy, setup-all, start ] + - name: Restart reverse proxy + docker_container: + name: web + state: started + restart: yes diff --git a/templates/Caddyfile.j2 b/templates/Caddyfile.j2 new file mode 100644 index 000000000..c09504a7a --- /dev/null +++ b/templates/Caddyfile.j2 
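Review bot: The `Restart reverse proxy` task has no `tags`, so a run with `--tags setup-caddy` templates the new Caddyfile but never restarts the `web` container, while a full run restarts it unconditionally via `restart: yes` even when nothing changed. Register the template result and gate the restart on it, e.g. add `register: caddyfile_res` to the template task and `when: caddyfile_res is changed` plus `tags: [ setup-caddy, setup-all, start ]` to the restart task (a handler with `notify` would be the idiomatic form). The unquoted `mode: 0750` and `mode: 0640` rely on the YAML 1.1 octal rule; quoting them (`mode: "0750"`) is what ansible-lint expects, and `system: yes` should be `system: true`. The play these tasks belong to starts outside the hunk.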
@@ -0,0 +1,110 @@ +https://{{ matrix_server_fqn_matrix }} { + tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem + encode zstd gzip + header { + Strict-Transport-Security "max-age=31536000;" + X-Frame-Options "DENY" + X-XSS-Protection "1; mode=block" + } + basicauth /metrics/* bcrypt monitoring { + monitoring JDJhJDE0JGdQRlNHVFpSQmRiaWlPem9LdXlkS09HN2E3LklZS05YZmtXTEY1NlFXbkMxd3hBUmwwbVZl + } + route /metrics/synapse { + uri replace /metrics/synapse /_synapse/metrics + reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }} + } + route /metrics/synapse/worker/appservice { + uri replace /metrics/synapse/worker/appservice /_synapse-worker-appservice-0/metrics + reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }} + } + route /metrics/synapse/worker/federation-sender-0 { + uri replace /metrics/synapse/worker/federation-sender-0 /_synapse-worker-federation_sender-0/metrics + reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }} + } + route /metrics/synapse/worker/federation-sender-1 { + uri replace /metrics/synapse/worker/federation-sender-1 /_synapse-worker-federation_sender-1/metrics + reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }} + } + route /metrics/synapse/worker/federation-sender-2 { + uri replace /metrics/synapse/worker/federation-sender-2 /_synapse-worker-federation_sender-2/metrics + reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }} + } + route /metrics/synapse/worker/generic-0 { + uri replace /metrics/synapse/worker/generic-0 /_synapse-worker-generic_worker-{{ (matrix_synapse_workers_generic_workers_port_range_start)|int}}/metrics + reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }} + } + route /metrics/synapse/worker/generic-1 { + uri replace /metrics/synapse/worker/generic-1 /_synapse-worker-generic_worker-{{ (matrix_synapse_workers_generic_workers_port_range_start + 
1)|int}}/metrics + reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }} + } + route /metrics/synapse/worker/media-0 { + uri replace /metrics/synapse/worker/media-0 /_synapse-worker-media_repository-{{ (matrix_synapse_workers_media_repository_workers_port_range_start)|int }}/metrics + reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }} + } + route /metrics/synapse/worker/media-1 { + uri replace /metrics/synapse/worker/media-1 /_synapse-worker-media_repository-{{ (matrix_synapse_workers_media_repository_workers_port_range_start + 1)|int }}/metrics + reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }} + } + route /metrics/bridge/* { + uri strip_prefix /metrics/bridge + route /mautrix-telegram { + uri replace /mautrix-telegram /metrics + reverse_proxy http://127.0.0.1:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }} + } + route /mautrix-whatsapp { + uri replace /mautrix-whatsapp /metrics + reverse_proxy http://127.0.0.1:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }} + } + route /mautrix-signal { + uri replace /mautrix-signal /metrics + reverse_proxy http://127.0.0.1:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }} + } + route /mx-puppet-instagram { + uri replace /mx-puppet-instagram /metrics + reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }} + } + route /mx-puppet-discord { + uri replace /mx-puppet-discord /metrics + reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }} + } + route /mx-puppet-skype { + uri replace /mx-puppet-skype /metrics + reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }} + } + route /mx-puppet-slack { + uri replace /mx-puppet-slack /metrics + reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }} + } + } + 
reverse_proxy /_matrix/federation/* http://{{ matrix_nginx_proxy_container_federation_host_bind_port }} + reverse_proxy /_matrix/key/* http://{{ matrix_nginx_proxy_container_federation_host_bind_port }} + reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }} +} + +https://{{ matrix_server_fqn_dimension }} { + tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem + encode zstd gzip + reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }} +} + +https://{{ matrix_server_fqn_element }} { + tls /tls_certs/chat.finallycoffee.eu/fullchain.pem /tls_certs/chat.finallycoffee.eu/privkey.pem + encode zstd gzip + reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }} +} + +https://{{ matrix_domain }}/.well-known/matrix/* { + tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem + route { + uri strip_prefix /.well-known/matrix + root * /matrix_static + file_server + } + header { + Content-Type "application/json" + X-Content-Type-Options "nosniff" + Access-Control-Allow-Origin * + Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" + Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization" + } +}
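Review bot: The `basicauth /metrics/*` block carries the bcrypt hash of the monitoring password inline in a committed template, while the rest of the inventory pulls credentials from `vault_*` variables; this should be `monitoring {{ vault_monitoring_basicauth_hash }}` (name constructed) and the password behind it rotated, since the hash is now in history. The auth matcher covers only the `/metrics/…` aliases, while the catch-all `reverse_proxy *` on the same site forwards every other path to the nginx proxy; whether the underlying `/_synapse/metrics` and worker metrics paths are reachable that way depends on what the nginx proxy exposes, so either confirm they are not or add an explicit `respond … 404` matcher for those paths ahead of the catch-all. The `tls` lines hard-code `/tls_certs/finallycoffee.eu/…` in a template that otherwise uses `matrix_domain` and the `matrix_server_fqn_*` variables; deriving the path from `{{ matrix_domain }}` keeps the template host-independent. The bridge routes reference `matrix_mautrix_telegram_container_http_monitoring_host_bind_port` and similar names that this patch defines only for skype and slack, so the template task will fail unless the others are set elsewhere in the inventory.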