From 017e3680352677c8b6b6531c44c5a50db19b107e Mon Sep 17 00:00:00 2001
From: Hans van Zijst
Date: Mon, 2 Dec 2024 17:55:49 +0100
Subject: [PATCH] Cleaned up stuff that isn't necessary.
---
 matrix/nginx/README.md | 17 ++++++----------
 matrix/nginx/proxy.conf | 16 +++++++++++++++
 matrix/nginx/synapse.conf | 43 +++++++++++++++++++++++++++++++++++++--
 3 files changed, 63 insertions(+), 13 deletions(-)
diff --git a/matrix/nginx/README.md b/matrix/nginx/README.md
index 03715b9..498be43 100644
--- a/matrix/nginx/README.md
+++ b/matrix/nginx/README.md
@@ -28,7 +28,7 @@ apt install nginx python3-certbot-nginx
 Get your certificate:
 ```
-certbot certonly --nginx --agree-tos -m systeemmail@procolix.com --non-interactive -d matrixdev.procolix.com
+certbot certonly --nginx --agree-tos -m system@example.com --non-interactive -d matrixdev.example.com
 ```
 Substitute the correct e-mailaddress and FQDN, or course. 
@@ -53,27 +53,22 @@ server {
 listen 443 ssl;
 listen [::]:443 ssl;
- ssl_certificate /etc/letsencrypt/live/matrixdev.procolix.com/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/matrixdev.procolix.com/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/matrixdev.example.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/matrixdev.example.com/privkey.pem;
 include /etc/letsencrypt/options-ssl-nginx.conf;
 ssl_dhparam /etc/ssl/dhparams.pem;
- server_name matrixdev.procolix.com;
+ server_name matrixdev.example.com;
 location /.well-known/matrix/client {
 return 200 '{
- "m.homeserver": {"base_url": "https://vm02199.procolix.com"},
- "org.matrix.msc3575.proxy": {"url": "https://vm02199.procolix.com"}
+ "m.homeserver": {"base_url": "https://vm02199.examples.com"},
 }';
 default_type application/json;
-
- add_header 'Access-Control-Allow-Origin' '*';
- add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
- add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Content-Type, Authorization';
 }
 location /.well-known/matrix/server {
- return 200 '{"m.server": "vm02199.procolix.com"}';
+ return 200 '{"m.server": "vm02199.examples.com"}';
 default_type application/json;
 }
diff --git a/matrix/nginx/proxy.conf b/matrix/nginx/proxy.conf
index a48e13e..105e40c 100644
--- a/matrix/nginx/proxy.conf
+++ b/matrix/nginx/proxy.conf
@@ -28,6 +28,22 @@ server {
 return 200 '{"m.server": "vm02199.example.com"}';
 default_type application/json;
 }
+
+ location /.well-known/matrix/support {
+ return 200 '{ "contacts":
+ [
+ { "email_address": "admin@example.com",
+ "matrix_id": "@admin:example.com",
+ "role": "m.role.admin" },
+ { "email_address": "security@example.com",
+ "matrix_id": "@john:example.com",
+ "role": "m.role.security" }
+ ],
+ "support_page": "https://www.example.com/matrix-support"
+ }';
+ default_type application/json;
+ }
+
 location /.well-known/element/element.json {
 return 200 '{"call": {"widget_url": "https://call.example.com"}}';
diff --git a/matrix/nginx/synapse.conf b/matrix/nginx/synapse.conf
index 0cd1d2a..fd94204 100644
--- a/matrix/nginx/synapse.conf
+++ b/matrix/nginx/synapse.conf
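Review bot: The new `/.well-known/matrix/support` response carries no CORS header, and browser-based Matrix clients fetch the well-known documents cross-origin, so without `Access-Control-Allow-Origin` they cannot read it; add `add_header 'Access-Control-Allow-Origin' '*';` next to `default_type application/json;` unless the header is already set at `server` level outside this hunk. The block is also a prefix match, so it would answer `/.well-known/matrix/support-anything` as well; `location = /.well-known/matrix/support {` pins it to the exact path the spec defines. The `security@example.com` contact is paired with `@john:example.com` while the admin contact uses `@admin:example.com` — fine for placeholders, but worth a comment that the security role should point at whoever actually triages reports. The enclosing `server` block starts and ends outside the hunk.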
@@ -13,11 +13,50 @@ server {
 server_name vm02199.example.com;
+ # Abuse reports get forwarded to Draupnir, listening on port 8082
+ location ~ ^/_matrix/client/(r0|v3)/rooms/([^/]*)/report/(.*)$ {
+ # The r0 endpoint is deprecated but still used by many clients.
+ # As of this writing, the v3 endpoint is the up-to-date version.
+
+ # Alias the regexps, to ensure that they're not rewritten.
+ set $room_id $2;
+ set $event_id $3;
+ proxy_pass http://[::1]:8082/api/1/report/$room_id/$event_id;
+ }
+
+ # Reports that need to reach Synapse (not sure...)
+ location /_synapse/admin/v1/event_reports {
+ proxy_pass http://localhost:8008;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+ client_max_body_size 50M;
+ proxy_http_version 1.1;
+ }
+ location ~ ^/_synapse/admin/v1/rooms/[^/]*/context/(.*)$ {
+ proxy_pass http://localhost:8008;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+ client_max_body_size 50M;
+ proxy_http_version 1.1;
+ }
+ # If you want the server version to be public:
+ location ~ ^/_synapse/admin/v1/server_version$ {
+ proxy_pass http://localhost:8008;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+ client_max_body_size 50M;
+ proxy_http_version 1.1;
+ }
+
+ # The rest of the admin endpoint shouldn't be public
 location ~ ^/_synapse/admin {
 allow 127.0.0.1;
 allow ::1;
 allow 111.222.111.222;
- allow dead:beef::/64;
+ allow dead:beef::/48;
 deny all;
 proxy_pass http://localhost:8008;
@@ -39,5 +78,5 @@ server {
 access_log /var/log/nginx/vm02199-access.log;
 error_log /var/log/nginx/vm02199-error.log;
- }
+
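Review bot: The `location /_synapse/admin/v1/event_reports {` block is a plain prefix location and is shadowed by the later `location ~ ^/_synapse/admin {`, because nginx evaluates regex locations before falling back to the longest prefix match — so event_reports still goes through the IP allowlist, while the two regex locations for `rooms/.../context/` and `server_version` really do bypass it and expose Synapse admin API routes to the internet with only the access token as a control. If the reason for the exceptions is that Draupnir needs them, it runs on `[::1]`, which the allowlist already permits, so the exceptions may be unnecessary; if they are needed, copy the `allow`/`deny` lines into each of them and replace the `(not sure...)` comment with the actual reason, e.g. `# Draupnir fetches event reports and context through the public URL; restricted to the same allowlist as the rest of the admin API`. In the Draupnir location, `proxy_pass http://[::1]:8082/api/1/report/$room_id/$event_id;` is built from already-decoded regex captures that nginx passes on without re-encoding, and `(.*)` also matches slashes, so tightening the event capture to `([^/]+)` and rejecting empty room IDs with `([^/]+)` keeps an arbitrary trailing path from reaching Draupnir's API. The `location ~ ^/_synapse/admin` block continues outside the hunk.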
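Review bot: The last line of the `@@ -39,5 +78,5 @@` hunk removes the closing `}` of the `server` block and replaces it with a line whose content is not visible here; if that line is really empty, the block is left unclosed and `nginx -t` will reject the file. Please confirm the replacement line still reads `}` (presumably with corrected indentation) and run `nginx -t` before reloading. The `server {` opener is outside the hunk.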