From 5a114eecf04409ca1475fd7d5d086b2add1f5c32 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Wed, 30 Dec 2020 21:43:46 -0600
Subject: [PATCH] websites/proxy-matrix: Add Synapse rev proxy setup

The *websites/proxy-matrix* role configures the Internet-facing reverse proxy to handle the *hatch.chat* domain. Most Matrix communication happens over the default HTTPS port, and as such will be directed through the reverse proxy.
---
 certs/websites/hatch.chat.cer | 1 +
 certs/websites/hatch.chat.key | 1 +
 roles/websites/proxy-matrix/tasks/main.yml | 6 ++++++
 .../proxy-matrix/templates/matrix.httpd.conf.j2 | 13 +++++++++++++
 websites.yml | 10 ++++++++++
 5 files changed, 31 insertions(+)
 create mode 120000 certs/websites/hatch.chat.cer
 create mode 120000 certs/websites/hatch.chat.key
 create mode 100644 roles/websites/proxy-matrix/tasks/main.yml
 create mode 100644 roles/websites/proxy-matrix/templates/matrix.httpd.conf.j2

diff --git a/certs/websites/hatch.chat.cer b/certs/websites/hatch.chat.cer
new file mode 120000
index 0000000..0f61f5e
--- /dev/null
+++ b/certs/websites/hatch.chat.cer
@@ -0,0 +1 @@
+../lego/hatch.chat.crt
\ No newline at end of file
diff --git a/certs/websites/hatch.chat.key b/certs/websites/hatch.chat.key
new file mode 120000
index 0000000..38fea13
--- /dev/null
+++ b/certs/websites/hatch.chat.key
@@ -0,0 +1 @@
+../lego/hatch.chat.key
\ No newline at end of file
diff --git a/roles/websites/proxy-matrix/tasks/main.yml b/roles/websites/proxy-matrix/tasks/main.yml
new file mode 100644
index 0000000..1e4cfb1
--- /dev/null
+++ b/roles/websites/proxy-matrix/tasks/main.yml
@@ -0,0 +1,6 @@
+- name: ensure apache is configured to proxy for matrix
+  template:
+    src: matrix.httpd.conf.j2
+    dest: /etc/httpd/conf.d/matrix.conf
+    mode: '0644'
+  notify: reload httpd
diff --git a/roles/websites/proxy-matrix/templates/matrix.httpd.conf.j2 b/roles/websites/proxy-matrix/templates/matrix.httpd.conf.j2
new file mode 100644
index 0000000..bc1b0fa
--- /dev/null
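Review bot: The new `certs/websites/hatch.chat.key` symlink points at `../lego/hatch.chat.key`, i.e. a private key that lives inside the repository tree; whether `certs/lego/` is kept out of version control or vault-encrypted is not visible in this patch. If that directory is committed in the clear, the key for the Internet-facing proxy is exposed to everyone with read access to the repo and to its history. A one-line `.gitignore` entry for `certs/lego/*.key`, or sourcing the key from a secret store in the `cert` role, would close that gap.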
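Review bot: The task renders the vhost and notifies `reload httpd` with no configuration check in between, so a template that renders badly (or references a certificate the host does not yet have) is only discovered when the reload fails on the shared Internet-facing proxy, taking every site on it along. Ansible's `validate:` is awkward for a `conf.d` fragment, but the `reload httpd` handler (defined outside this patch) can run `httpd -t` before `systemctl reload`, if it does not already. As a style point, the file has no `---` document-start marker, which yamllint's `document-start` rule flags; the other role files are not visible here, so match whatever they do.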
+++ b/roles/websites/proxy-matrix/templates/matrix.httpd.conf.j2
@@ -0,0 +1,13 @@
+
+ServerName hatch.chat
+
+Include conf.d/ssl.include
+SSLCertificateFile /etc/pki/tls/certs/hatch.chat.cer
+SSLCertificateKeyFile /etc/pki/tls/private/hatch.chat.key
+
+SSLProxyEngine On
+ProxyRequests Off
+AllowEncodedSlashes NoDecode
+ProxyPass / https://matrix0.pyrocufflink.blue/ nocanon
+ProxyPassReverse / https://matrix0.pyrocufflink.blue/
+
diff --git a/websites.yml b/websites.yml
index 542853a..3fdfb49 100644
--- a/websites.yml
+++ b/websites.yml
@@ -35,6 +35,16 @@
       tags:
       - websites/proxy
       - websites/proxy-openvpn
+    - role: cert
+      cert_src: websites/hatch.chat.cer
+      cert_dest: /etc/pki/tls/certs/hatch.chat.cer
+      cert_key_src: websites/hatch.chat.key
+      cert_key_dest: /etc/pki/tls/private/hatch.chat.key
+      tags: websites/hatch.chat
+    - role: websites/proxy-matrix
+      tags:
+      - websites/proxy
+      - websites/hatch.chat
   tasks:
   - name: ensure httpd service is running
     service:
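Review bot: `SSLProxyEngine On` with `ProxyPass / https://matrix0.pyrocufflink.blue/ nocanon` encrypts the hop to Synapse but, under Apache's default `SSLProxyVerify none`, never validates the backend's certificate, so anything that can answer for matrix0.pyrocufflink.blue on the internal network can sit between the proxy and Synapse and read client traffic in the clear; add `SSLProxyVerify require` and `SSLProxyCheckPeerName on`, with `SSLProxyCACertificateFile` pointing at the CA that issued matrix0's certificate (that CA path is not shown in this patch). Proxying `/` also forwards every path to the Internet, including Synapse's `/_synapse/admin` API; Synapse's deployment guide recommends exposing only `/_matrix` and `/_synapse/client`, unless something else on hatch.chat is meant to reach the backend. `AllowEncodedSlashes NoDecode` plus `nocanon` is the correct pairing for Synapse's percent-encoded room identifiers and should stay. If the Synapse listener is configured with `x_forwarded: true`, it also expects `X-Forwarded-Proto`, which mod_proxy does not set on its own (it does set `X-Forwarded-For`); `RequestHeader set X-Forwarded-Proto "https"` covers that. The leading and trailing `+` lines appear to be the `<VirtualHost>` open/close tags lost in rendering, so the hunk's enclosing block is effectively not visible here.

```apache
SSLProxyEngine On
SSLProxyVerify require
SSLProxyCheckPeerName on
# SSLProxyCACertificateFile <CA bundle that issued matrix0's certificate>
ProxyRequests Off
AllowEncodedSlashes NoDecode
RequestHeader set X-Forwarded-Proto "https"
ProxyPass /_matrix https://matrix0.pyrocufflink.blue/_matrix nocanon
ProxyPassReverse /_matrix https://matrix0.pyrocufflink.blue/_matrix
ProxyPass /_synapse/client https://matrix0.pyrocufflink.blue/_synapse/client nocanon
ProxyPassReverse /_synapse/client https://matrix0.pyrocufflink.blue/_synapse/client
```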
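Review bot: The `cert` role entry is tagged only `websites/hatch.chat`, while the `websites/proxy-matrix` entry is tagged both `websites/proxy` and `websites/hatch.chat`; a run limited to `--tags websites/proxy` on a host that has not yet received the certificate installs a vhost that references `/etc/pki/tls/certs/hatch.chat.cer`, and the subsequent `reload httpd` fails for every site on the proxy. Give the cert entry the same tag set as the role that depends on it: `tags:` / `- websites/proxy` / `- websites/hatch.chat`. How the `cert` role sets mode and ownership on `/etc/pki/tls/private/hatch.chat.key` is outside this patch; it is worth confirming the key lands root-owned and 0600, since the key file name is now referenced from a world-readable vhost config.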