ops(nginx): finalize matrix.daarion.space HTTPS config with Synapse proxy

Made-with: Cursor
2026-03-05 00:42:28 -08:00
parent e5480e92db
commit 313d777c84
1 changed files with 51 additions and 65 deletions
--- a/ops/nginx/matrix.daarion.space.conf
+++ b/ops/nginx/matrix.daarion.space.conf
@@ -1,15 +1,7 @@
 # matrix.daarion.space — Synapse Matrix Homeserver (Phase M1)
-# Synapse: host 127.0.0.1:8008 (dagi-synapse-node1 container mapped)
-#
-# Deploy:
-#   cp ops/nginx/matrix.daarion.space.conf /etc/nginx/sites-enabled/
-#   nginx -t && nginx -s reload
-#   certbot --nginx -d matrix.daarion.space   # after DNS A-record is live
-#
-# After certbot runs it appends the HTTPS block automatically.
-# The HTTPS block below is the expected final state.
+# Active on NODA1 since 2026-03-05
+# TLS: Let's Encrypt (auto-renew via certbot cron), expires 2026-06-03

-# ── HTTP: certbot challenge + redirect ────────────────────────────────────────
 server {
    listen 80;
    listen [::]:80;
@@ -25,58 +17,52 @@ server {
    }
 }

-# ── HTTPS: added by certbot / manually after cert is issued ──────────────────
-# Uncomment after: certbot --nginx -d matrix.daarion.space
-#
-# server {
-#     listen 443 ssl http2;
-#     listen [::]:443 ssl http2;
-#     server_name matrix.daarion.space;
-#
-#     ssl_certificate /etc/letsencrypt/live/matrix.daarion.space/fullchain.pem;
-#     ssl_certificate_key /etc/letsencrypt/live/matrix.daarion.space/privkey.pem;
-#     ssl_protocols TLSv1.2 TLSv1.3;
-#     ssl_ciphers HIGH:!aNULL:!MD5;
-#     ssl_prefer_server_ciphers on;
-#     ssl_session_cache shared:SSL_MATRIX:10m;
-#     ssl_session_timeout 10m;
-#
-#     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-#     add_header X-Content-Type-Options nosniff always;
-#     add_header X-Frame-Options SAMEORIGIN always;
-#
-#     # Matrix file uploads (media, avatars)
-#     client_max_body_size 50m;
-#
-#     # Matrix Client-Server API (/_matrix/*)
-#     location /_matrix {
-#         proxy_pass http://127.0.0.1:8008;
-#         proxy_set_header Host $host;
-#         proxy_set_header X-Real-IP $remote_addr;
-#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-#         proxy_set_header X-Forwarded-Proto https;
-#         proxy_read_timeout 600s;
-#         proxy_connect_timeout 10s;
-#     }
-#
-#     # Synapse admin API (/_synapse/*)
-#     location /_synapse {
-#         proxy_pass http://127.0.0.1:8008;
-#         proxy_set_header Host $host;
-#         proxy_set_header X-Real-IP $remote_addr;
-#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-#         proxy_set_header X-Forwarded-Proto https;
-#         proxy_read_timeout 600s;
-#     }
-#
-#     # Client auto-discovery (Element uses this)
-#     location /.well-known/matrix {
-#         default_type application/json;
-#         add_header Access-Control-Allow-Origin *;
-#         return 200 '{"m.homeserver":{"base_url":"https://matrix.daarion.space"}}';
-#     }
-#
-#     location /.well-known/acme-challenge/ {
-#         root /var/www/certbot;
-#     }
-# }
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name matrix.daarion.space;
+
+    ssl_certificate /etc/letsencrypt/live/matrix.daarion.space/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/matrix.daarion.space/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Content-Type-Options nosniff always;
+    add_header X-Frame-Options SAMEORIGIN always;
+
+    # Matrix file uploads (media, avatars)
+    client_max_body_size 50m;
+
+    # Matrix Client-Server API
+    location /_matrix {
+        proxy_pass http://127.0.0.1:8008;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_read_timeout 600s;
+        proxy_connect_timeout 10s;
+    }
+
+    # Synapse admin API
+    location /_synapse {
+        proxy_pass http://127.0.0.1:8008;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_read_timeout 600s;
+    }
+
+    # Element auto-discovery
+    location /.well-known/matrix {
+        default_type application/json;
+        add_header Access-Control-Allow-Origin *;
+        return 200 '{"m.homeserver":{"base_url":"https://matrix.daarion.space"}}';
+    }
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+}