From 313d777c8451dee6f476b4502fccc5a03fbdaa77 Mon Sep 17 00:00:00 2001
From: Apple
Date: Thu, 5 Mar 2026 00:42:28 -0800
Subject: [PATCH] ops(nginx): finalize matrix.daarion.space HTTPS config with Synapse proxy

Made-with: Cursor
---
 ops/nginx/matrix.daarion.space.conf | 116 ++++++++++++----------------
 1 file changed, 51 insertions(+), 65 deletions(-)

diff --git a/ops/nginx/matrix.daarion.space.conf b/ops/nginx/matrix.daarion.space.conf
index afec0181..99c5f341 100644
--- a/ops/nginx/matrix.daarion.space.conf
+++ b/ops/nginx/matrix.daarion.space.conf
@@ -1,15 +1,7 @@
 # matrix.daarion.space — Synapse Matrix Homeserver (Phase M1)
-# Synapse: host 127.0.0.1:8008 (dagi-synapse-node1 container mapped)
-#
-# Deploy:
-# cp ops/nginx/matrix.daarion.space.conf /etc/nginx/sites-enabled/
-# nginx -t && nginx -s reload
-# certbot --nginx -d matrix.daarion.space # after DNS A-record is live
-#
-# After certbot runs it appends the HTTPS block automatically.
-# The HTTPS block below is the expected final state.
+# Active on NODA1 since 2026-03-05
+# TLS: Let's Encrypt (auto-renew via certbot cron), expires 2026-06-03
 
-# ── HTTP: certbot challenge + redirect ────────────────────────────────────────
 server {
     listen 80;
     listen [::]:80;
@@ -25,58 +17,52 @@ server {
     }
 }
 
-# ── HTTPS: added by certbot / manually after cert is issued ──────────────────
-# Uncomment after: certbot --nginx -d matrix.daarion.space
-#
-# server {
-#     listen 443 ssl http2;
-#     listen [::]:443 ssl http2;
-#     server_name matrix.daarion.space;
-#
-#     ssl_certificate /etc/letsencrypt/live/matrix.daarion.space/fullchain.pem;
-#     ssl_certificate_key /etc/letsencrypt/live/matrix.daarion.space/privkey.pem;
-#     ssl_protocols TLSv1.2 TLSv1.3;
-#     ssl_ciphers HIGH:!aNULL:!MD5;
-#     ssl_prefer_server_ciphers on;
-#     ssl_session_cache shared:SSL_MATRIX:10m;
-#     ssl_session_timeout 10m;
-#
-#     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-#     add_header X-Content-Type-Options nosniff always;
-#     add_header X-Frame-Options SAMEORIGIN always;
-#
-#     # Matrix file uploads (media, avatars)
-#     client_max_body_size 50m;
-#
-#     # Matrix Client-Server API (/_matrix/*)
-#     location /_matrix {
-#         proxy_pass http://127.0.0.1:8008;
-#         proxy_set_header Host $host;
-#         proxy_set_header X-Real-IP $remote_addr;
-#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-#         proxy_set_header X-Forwarded-Proto https;
-#         proxy_read_timeout 600s;
-#         proxy_connect_timeout 10s;
-#     }
-#
-#     # Synapse admin API (/_synapse/*)
-#     location /_synapse {
-#         proxy_pass http://127.0.0.1:8008;
-#         proxy_set_header Host $host;
-#         proxy_set_header X-Real-IP $remote_addr;
-#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-#         proxy_set_header X-Forwarded-Proto https;
-#         proxy_read_timeout 600s;
-#     }
-#
-#     # Client auto-discovery (Element uses this)
-#     location /.well-known/matrix {
-#         default_type application/json;
-#         add_header Access-Control-Allow-Origin *;
-#         return 200 '{"m.homeserver":{"base_url":"https://matrix.daarion.space"}}';
-#     }
-#
-#     location /.well-known/acme-challenge/ {
-#         root /var/www/certbot;
-#     }
-# }
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name matrix.daarion.space;
+
+    ssl_certificate /etc/letsencrypt/live/matrix.daarion.space/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/matrix.daarion.space/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Content-Type-Options nosniff always;
+    add_header X-Frame-Options SAMEORIGIN always;
+
+    # Matrix file uploads (media, avatars)
+    client_max_body_size 50m;
+
+    # Matrix Client-Server API
+    location /_matrix {
+        proxy_pass http://127.0.0.1:8008;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_read_timeout 600s;
+        proxy_connect_timeout 10s;
+    }
+
+    # Synapse admin API
+    location /_synapse {
+        proxy_pass http://127.0.0.1:8008;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_read_timeout 600s;
+    }
+
+    # Element auto-discovery
+    location /.well-known/matrix {
+        default_type application/json;
+        add_header Access-Control-Allow-Origin *;
+        return 200 '{"m.homeserver":{"base_url":"https://matrix.daarion.space"}}';
+    }
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+}
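Review bot: The new `location /_synapse` block proxies the whole `/_synapse/` prefix, including `/_synapse/admin`, to Synapse from the public internet, whereas Synapse's own reverse-proxy guidance is to keep the admin API reachable only from trusted sources while `/_synapse/client` (SSO, password reset) stays public; a longer-prefix location with `allow 127.0.0.1; allow ::1; deny all;` restores that split without touching the existing block. Separately, in `location /.well-known/matrix` the `add_header Access-Control-Allow-Origin *` line means the server-level HSTS and nosniff headers are not inherited there (nginx `add_header` is inherited only when the current level defines none), so repeat them in that location or note that the omission is deliberate. That same prefix location also answers `/.well-known/matrix/server` with the client document, which carries no `m.server` key; if federation delegation is not intended, a comment saying so would save the next reader a check.
```nginx
    # Synapse admin API: reachable from the host only; the public
    # /_synapse/client endpoints still go through the block below.
    location /_synapse/admin {
        allow 127.0.0.1;
        allow ::1;
        deny all;
        proxy_pass http://127.0.0.1:8008;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
    # … unchanged: location /_synapse { … } …
```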