systems/infrastructure
1
Fork 0
Code Issues 1 Pull Requests 14 Actions Activity

Fix matrix federation

Browse Source 
Apparently this has been broken since like March...

It seems communication over port 8448 is required for server-to-server
comms, even if the client doesn't use it.
This commit is contained in:
Jake Howard 2021-06-12 16:47:51 +01:00
parent 94e4592db6
commit 33fcf1a9e5
Signed by: jake
GPG Key ID: 57AFB45680EDD477
5 changed files with 5 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
ansible/roles/gateway/files/haproxy-fail2ban-jail.conf
View File

@ -6,11 +6,11 @@ maxretry = 100
filter = haproxy-basic filter = haproxy-basic
backend = systemd backend = systemd
journalmatch = _COMM=haproxy journalmatch = _COMM=haproxy
port = http,https,{{ haproxy.exposed_ports | join(",") }} port = http,https,8448
ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }} ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }}
[traefik] [traefik]
enabled = true enabled = true
filter = haproxy-basic # Not actually used filter = haproxy-basic # Not actually used
port = http,https,{{ haproxy.exposed_ports | join(",") }} port = http,https,8448
ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }} ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }}

10
ansible/roles/gateway/files/haproxy.cfg
View File

@ -35,11 +35,7 @@ listen http
timeout server 10m timeout server 10m
server default {{ wireguard.clients.ingress.ip }}:880 check server default {{ wireguard.clients.ingress.ip }}:880 check
{% for port in haproxy.exposed_ports %} listen matrix
bind *:8448
listen expose_{{ port }}
bind *:{{ port }}
mode tcp mode tcp
server default {{ wireguard.clients.ingress.ip }}:{{ port }} server default {{ wireguard.clients.ingress.ip }}:8443 send-proxy
{% endfor %}

1
ansible/roles/pve_docker/files/synapse/docker-compose.yml
View File

@ -21,7 +21,6 @@ services:
- traefik.enable=true - traefik.enable=true
- traefik.http.routers.synapse.rule=Host(`matrix.jakehoward.tech`) - traefik.http.routers.synapse.rule=Host(`matrix.jakehoward.tech`)
- traefik.http.routers.synapse.tls.certresolver=le - traefik.http.routers.synapse.tls.certresolver=le
- traefik.http.routers.synapse.entrypoints=web-secure,matrix
db: db:
image: postgres:12-alpine image: postgres:12-alpine

3
ansible/roles/traefik/files/file-provider-main.yml
View File

@ -1,8 +1,5 @@
http: http:
middlewares: middlewares:
tls-redirect:
redirectScheme:
scheme: https
compress: compress:
compress: {} compress: {}

11
ansible/roles/traefik/files/traefik.yml
View File

@ -15,23 +15,12 @@ entryPoints:
address: :443 address: :443
http: http:
middlewares: middlewares:
- tls-redirect@file
- floc-block@file - floc-block@file
proxyProtocol: proxyProtocol:
trustedIPs: trustedIPs:
- "{{ wireguard.cidr }}" - "{{ wireguard.cidr }}"
- "{{ pve_hosts.internal_cidr }}" - "{{ pve_hosts.internal_cidr }}"
- "{{ nebula.cidr }}" - "{{ nebula.cidr }}"
matrix:
address: :8448
http:
middlewares:
- tls-redirect@file
proxyProtocol:
trustedIPs:
- "{{ wireguard.cidr }}"
- "{{ pve_hosts.internal_cidr }}"
- "{{ nebula.cidr }}"
traefik: traefik:
address: "{{ private_ip }}:8080" address: "{{ private_ip }}:8080"