From 0bb2093a001a0a4a18fd2b9569f21560dbc8cb04 Mon Sep 17 00:00:00 2001
From: Hans van Zijst <hans@procolix.com>
Date: Mon, 18 Nov 2024 16:21:22 +0100
Subject: [PATCH] Added Synapse-Admin, and nginx's configuration for it.

---
 matrix/nginx/README.md         | 59 ++++++++++++++++++++++++++++++++++
 matrix/synapse-admin/README.md | 33 +++++++++++++++++++
 2 files changed, 92 insertions(+)
 create mode 100644 matrix/synapse-admin/README.md

diff --git a/matrix/nginx/README.md b/matrix/nginx/README.md
index 4c11fb22..2a7b8787 100644
--- a/matrix/nginx/README.md
+++ b/matrix/nginx/README.md
@@ -133,6 +133,65 @@ Again, substitute the correct values. Don't forget to open the relevant ports
 in the firewall. Ports 80 and 443 may already be open, 8448 is probably not.
 
 
+# Synapse-admin {#synapse-admin}
+
+If you also [install Synapse-Admin](../synapse-admin), you'll want to create
+another vhost, something like this:
+
+```
+server {
+	listen 443 ssl;
+	listen [::]:443 ssl;
+
+	ssl_certificate
+/etc/letsencrypt/live/admin.example.procolix.com/fullchain.pem;
+	ssl_certificate_key
+/etc/letsencrypt/live/admin.example.procolix.com/privkey.pem;
+	include /etc/letsencrypt/options-ssl-nginx.conf;
+	ssl_dhparam /etc/ssl/dhparams.pem;
+
+        server_name admin.example.procolix.com;
+
+	root /var/www/synapse-admin;
+
+        access_log /var/log/nginx/admin-example-access.log;
+        error_log /var/log/nginx/admin-example-error.log;
+}
+```
+
+You'll need an SSL certificate for this, of course. But you'll also need to
+give it access to the `/_synapse/admin` endpoint in Synapse.
+
+You don't want this endpoint to be available for just anybody on the Internet,
+so restrict access to the IP-addresses from which you expect to use
+Synapse-Admin.
+
+In `/etc/nginx/sites-available/synapse` you want to add this bit:
+
+```
+location ~ ^/_synapse/admin {
+	allow 127.0.0.1;
+	allow ::1;
+	allow 185.206.232.60;		# this host
+	allow 2a00:51c0:12:1201::2a;	# this host
+	allow 45.142.234.216;		# kantoor
+	allow 2a10:3781:2bc3::/64;	# kantoor
+	deny all;
+
+	proxy_pass http://localhost:8008;
+	proxy_set_header X-Forwarded-For $remote_addr;
+	proxy_set_header X-Forwarded-Proto $scheme;
+	proxy_set_header Host $host;
+	client_max_body_size 50M;
+	proxy_http_version 1.1;
+}
+```
+
+This means access to `/_synapse/admin` is only allowed for the addresses
+mentioned, but will be forwarded to Synapse in exactly the same way as
+"normal" requests.
+
+
 # Firewall
 
 For normal use, at least ports 80 and 443 must be openend, see [Firewall](../firewall).
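Review bot: The allow-list on `/_synapse/admin` only protects the one vhost it is added to; if the federation vhost on 8448 (mentioned just above this hunk) or the plain-HTTP server block proxy `/` to the same Synapse listener, the admin API stays reachable there without any restriction, so the same `allow`/`deny` block belongs in every server block that proxies to `localhost:8008` — those blocks are outside the hunk, so I cannot confirm how they are written. nginx evaluates `~` regex locations in order and takes the first match, so `location ~ ^/_synapse/admin` depends on being placed before any other regex location that could match `/_synapse/`; `location ^~ /_synapse/admin {` removes that ordering dependency because a `^~` prefix match stops the regex search. The `allow` lines appear to contain real operator and office addresses ("this host", "kantoor"); in a published document they should be documentation placeholders such as `allow 192.0.2.10;  # admin workstation`. The admin vhost itself has no access restriction at all, while the UI is only usable from the allowed addresses anyway, so the same allow-list could be applied there to keep the admin UI off the public Internet too.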
diff --git a/matrix/synapse-admin/README.md b/matrix/synapse-admin/README.md
new file mode 100644
index 00000000..31e6dd3d
--- /dev/null
+++ b/matrix/synapse-admin/README.md
@@ -0,0 +1,33 @@
+# Synapse-admin
+
+This is the webgui for Synapse.
+
+Installation can be done in 3 ways
+([see Github](https://github.com/Awesome-Technologies/synapse-admin)), we'll
+pick the easiest one: using the precompiled tar.
+
+Unpack it under `/var/www`, link `synapse-admin` to the directory that the
+archive creates. This is to make sure you can easily unpack a newer version,
+prepare that, and then change the symlink.
+
+```
+# ls -l /var/www
+total 8
+drwxr-xr-x 2 root root 4096 Nov  4 18:05 html
+lrwxrwxrwx 1 root root   20 Nov 18 13:24 synapse-admin -> synapse-admin-0.10.3
+drwxr-xr-x 5 root root 4096 Nov 18 15:54 synapse-admin-0.10.3
+```
+
+We use 0.10.3, but point nginx to '/var/www/synapse-admin'. Configuring nginx
+is fairly straightforward, [see here](../nginx/README.md#synapse-admin}.
+
+You should probably restrict Synapse-Admin to your own Synapse-server, instead
+of letting users fill in whatever they want. Do this by adding this bit to
+`config.json`. In our config we've moved that file to
+`/etc/synapse-admin` and link to that from `/var/www/synapse-admin`.
+
+```
+{
+  "restrictBaseUrl": "https://vm02199.procolix.com"
+}
+```