From 410db58c94e0e7010e80b298eebdfbc842a9a931 Mon Sep 17 00:00:00 2001
From: Johanna Dorothea Reichmann
Date: Fri, 3 Jul 2020 11:32:39 +0200
Subject: [PATCH] certs: split into smaller certs, update infra layout
---
 docker-compose.yml | 5 +----
 webhosts/cloud/Caddyfile | 4 ++--
 webhosts/git/Caddyfile | 2 +-
 webhosts/infra/Caddyfile | 11 ++++++++---
 webhosts/matrix/Caddyfile | 16 +++++++--------
 5 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index a2d7fcf..b8131b5 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -8,17 +8,14 @@ services:
 - /opt/docker/Caddy/Caddyfile:/etc/caddy/Caddyfile:z
 - /vault/services/web/webhosts:/webhosts:z
 - /vault/services/certMgmt/certData/certs:/tls_certs:z
- - /vault/services/matrix/ssl/config:/matrix_tls_certs:z
 - /vault/services/matrix/static-files:/matrix_static:z
 - /vault/users/jreichmann/public:/public/transcaffeine:z
 - /opt/docker/Caddy/webroot:/var/webroot:z
- - /vault/services/masto_dark/public:/services/mastodon/public:z
 environment:
 - GID=1001
 - UID=1001
 ports:
- - "443:443"
- - "8448:8448"
+ - "192.168.0.53:443:443"
 networks:
 - frontend
 - matrix
diff --git a/webhosts/cloud/Caddyfile b/webhosts/cloud/Caddyfile
index 2804ad1..7567204 100755
--- a/webhosts/cloud/Caddyfile
+++ b/webhosts/cloud/Caddyfile
@@ -1,6 +1,6 @@
 https://cloud.finallycoffee.eu {
 gzip
- tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
+ tls /tls_certs/cloud.finallycoffee.eu/fullchain.pem /tls_certs/cloud.finallycoffee.eu/privkey.pem
 header / {
 Referrer-Policy no-referrer
 Strict-Transport-Security "max-age=15552000;"
@@ -17,7 +17,7 @@ https://cloud.finallycoffee.eu {
 https://office.cloud.finallycoffee.eu {
 gzip
- tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
+ tls /tls_certs/cloud.finallycoffee.eu/fullchain.pem /tls_certs/cloud.finallycoffee.eu/privkey.pem
 header / {
 Access-Control-Allow-Origin *
 }
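Review bot: With `- "8448:8448"` dropped here and the `https://:8448` listener deleted in the webhosts/matrix/Caddyfile hunk, inbound federation can only arrive on port 443 and now depends entirely on the `.well-known/matrix/server` delegation served by the `https://finallycoffee.eu/.well-known/matrix/` block (its body is outside this patch) advertising `matrix.finallycoffee.eu:443`; a stale delegation would break inbound federation silently, so that should be verified before rollout. The new `"192.168.0.53:443:443"` binding also publishes HTTPS on a single RFC1918 address only, which presumably sits behind NAT or an upstream proxy; a short comment such as `# 443 published on the LAN address only; public reachability is via upstream NAT` would stop the next reader from re-adding a wildcard bind. The services block continues outside the hunk.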
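Review bot: The `https://office.cloud.finallycoffee.eu` site now loads `/tls_certs/cloud.finallycoffee.eu/fullchain.pem`, so that certificate must carry `office.cloud.finallycoffee.eu` as a SAN; a single-name certificate for `cloud.finallycoffee.eu`, or even a `*.finallycoffee.eu` wildcard, does not cover a second-level label and clients would reject the handshake with a name mismatch. The same applies to the `dsl.gateway.finallycoffee.eu` and `docsis.gateway.finallycoffee.eu` sites in the webhosts/infra/Caddyfile hunks, which both switch to the `gateway.finallycoffee.eu` certificate. Whether the issuance tooling behind `/vault/services/certMgmt/certData/certs` requests those extra names cannot be seen from this patch, so I would confirm it before deploying. Both site blocks continue outside the hunk.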
diff --git a/webhosts/git/Caddyfile b/webhosts/git/Caddyfile
index 1c81f66..34e467e 100644
--- a/webhosts/git/Caddyfile
+++ b/webhosts/git/Caddyfile
@@ -1,5 +1,5 @@
 https://git.finallycoffee.eu {
- tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
+ tls /tls_certs/git.finallycoffee.eu/fullchain.pem /tls_certs/git.finallycoffee.eu/privkey.pem
 proxy / git:3000 {
 transparent
 websocket
diff --git a/webhosts/infra/Caddyfile b/webhosts/infra/Caddyfile
index d32e955..9f44a5c 100644
--- a/webhosts/infra/Caddyfile
+++ b/webhosts/infra/Caddyfile
@@ -1,5 +1,5 @@
 https://admin.finallycoffee.eu {
- tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
+ tls /tls_certs/admin.finallycoffee.eu/fullchain.pem /tls_certs/admin.finallycoffee.eu/privkey.pem
 proxy / https://172.21.0.1:9090 {
 transparent
 websocket
@@ -7,8 +7,13 @@ https://admin.finallycoffee.eu {
 }
 }
 
+https://gateway.finallycoffee.eu {
+ tls /tls_certs/gateway.finallycoffee.eu/fullchain.pem /tls_certs/gateway.finallycoffee.eu/privkey.pem
+
+}
+
 https://dsl.gateway.finallycoffee.eu {
- tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
+ tls /tls_certs/gateway.finallycoffee.eu/fullchain.pem /tls_certs/gateway.finallycoffee.eu/privkey.pem
 basicauth jdreichmann $pass {
 realm "Intranet karlsruhe.flauschekatze.space"
 /
@@ -20,7 +25,7 @@ https://dsl.gateway.finallycoffee.eu {
 }
 
 https://docsis.gateway.finallycoffee.eu {
- tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
+ tls /tls_certs/gateway.finallycoffee.eu/fullchain.pem /tls_certs/gateway.finallycoffee.eu/privkey.pem
 basicauth jdreichmann $pass {
 realm "Intranet karlsruhe.flauschekatze.space"
 /
diff --git a/webhosts/matrix/Caddyfile b/webhosts/matrix/Caddyfile
index 0c1a750..f9245a2 100755
--- a/webhosts/matrix/Caddyfile
+++ b/webhosts/matrix/Caddyfile
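Review bot: The new `https://gateway.finallycoffee.eu` block holds nothing but a `tls` line, and in this Caddy 1 syntax a site without a `root` directive serves static files from the process's working directory, so this vhost may publish whatever the container's cwd contains. If the block exists only to terminate TLS for the parent name, close it down explicitly, e.g. `status 404 /` or a `redir` to the intended gateway host, and drop the stray blank line before its `}`. The `https://dsl.gateway.finallycoffee.eu` block continues outside the hunk.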
@@ -11,6 +11,11 @@ https://matrix.finallycoffee.eu {
 header_downstream Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
 transparent
 }
+ proxy /_matrix/client/r0/user_directory/search matrix-ma1sd:8090 {
+ header_downstream Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+ header_downstream Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
+ transparent
+ }
 proxy /_matrix/federation matrix-synapse:8048 {
 transparent
 }
@@ -22,6 +27,7 @@ https://matrix.finallycoffee.eu {
 header_downstream Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
 transparent
 }
+ proxy /metrics http://matrix-synapse:9100/_synapse/metrics
 proxy / https://finallycoffee.eu/.well-known/matrix {
 except /_matrix
 }
@@ -41,7 +47,7 @@ https://dimension.matrix.finallycoffee.eu {
 }
 
 https://chat.finallycoffee.eu {
- tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
+ tls /tls_certs/chat.finallycoffee.eu/fullchain.pem /tls_certs/chat.finallycoffee.eu/privkey.pem
 proxy / http://matrix-riot-web:8080 {
 transparent
 }
@@ -61,12 +67,4 @@ https://finallycoffee.eu/.well-known/matrix/ {
 }
 }
-# Federation listens on all IPs because older Synapse versions do not support SNI
-https://:8448 {
- tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
- proxy /_matrix matrix-synapse:8048 {
- transparent
- }
-}
-
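Review bot: `proxy /metrics http://matrix-synapse:9100/_synapse/metrics` publishes Synapse's Prometheus endpoint on the public `https://matrix.finallycoffee.eu` vhost with no access control, so build version and usage statistics that should stay internal become readable by anyone. If an external scraper genuinely needs it, gate the path the same way the infra hosts do, e.g. `basicauth /metrics prometheus $metrics_pass` (variable name illustrative), or better, scrape `matrix-synapse:9100` directly over the internal `matrix` network and leave the path unpublished. The site block continues outside the hunk.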