From fe897152f545a60cde8ff9edd85f532a9a645805 Mon Sep 17 00:00:00 2001
From: Erik Stambaugh
Date: Sat, 20 Jan 2024 19:06:00 -0800
Subject: [PATCH] Open up certbot to everyone and mastodon to my-ip only

---
 ansible/roles/mastodon/templates/nginx.conf | 68 ++++++++++-----------
 terraform/main.tf | 16 ++---
 2 files changed, 42 insertions(+), 42 deletions(-)

diff --git a/ansible/roles/mastodon/templates/nginx.conf b/ansible/roles/mastodon/templates/nginx.conf
index 2ae31cb..12cd3fa 100644
--- a/ansible/roles/mastodon/templates/nginx.conf
+++ b/ansible/roles/mastodon/templates/nginx.conf
@@ -18,7 +18,7 @@ server {
 server_name {{ domain_name }};
 listen 80;
 listen [::]:80;
- root /srv/mastodon/live/public;
+ root /srv/mastodon/src/live/public;
 location /.well-known/acme-challenge/ {
 allow all;
 root /var/www/certbot;
@@ -36,10 +36,10 @@ server {
 allow {{ my_ip }}/32;
 deny all;
- ssl_trusted_certificate /etc/letsencrypt/live/{{ domain_name }}/chain.pem;
+# ssl_trusted_certificate /etc/letsencrypt/live/{{ domain_name }}/chain.pem;
 ssl_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/{{ domain_name }}/privkey.pem;
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
@@ -54,7 +54,7 @@ server {
 sendfile on;
 client_max_body_size 80m;
- root /srv/mastodon/live/public;
+ root /srv/mastodon/src/live/public;
 gzip on;
 gzip_disable "msie6";
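Review bot: The port-80 server block now has `root /srv/mastodon/src/live/public;` while terraform/main.tf in this same patch opens 80/tcp to 0.0.0.0/0, and the lines after the acme-challenge location are outside the hunk, so it is not visible whether non-ACME requests are redirected to HTTPS (`return 301 https://$host$request_uri;`) or served from that root. If they are served, Mastodon's static files become reachable on port 80 without the `allow {{ my_ip }}/32` restriction the commit title says is the intent for 443. The same path is hard-coded a second time in the 443 block at @@ -54; a single role variable (for example `{{ mastodon_root }}`) would keep the two in step. The enclosing server block starts and ends outside the hunk.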
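Review bot: Commenting out `ssl_trusted_certificate` and `ssl_dhparam` leaves no record of why, and if the reason is that these files do not exist until certbot has issued a certificate, the same applies to `ssl_certificate` and `ssl_certificate_key` two lines below, which stay enabled; a comment such as `# disabled: file not present until certbot has run on this host — re-enable after first issuance` would make the intent reviewable. Dropping `ssl_trusted_certificate` also removes the chain nginx uses to verify stapled OCSP responses, so if `ssl_stapling_verify on;` is set further down this block (outside the hunk) stapling may be silently degraded or disabled. Removing `ssl_dhparam` is harmless with the ECDHE-only `ssl_ciphers` list that follows, since no finite-field DH suite is offered. As the template is under version control, deleting the two directives rather than leaving them commented would be the cleaner form.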
@@ -147,36 +147,36 @@ server {
 tcp_nodelay on;
 }
- location ~ ^(/_matrix|/_synapse/client) {
- # note: do not add a path (even a single /) after the port in `proxy_pass`,
- # otherwise nginx will canonicalise the URI and cause signature verification
- # errors.
- proxy_pass http://synapse:8008;
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header Host $host;
-
- # Nginx by default only allows file uploads up to 1M in size
- # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
- client_max_body_size 50M;
-
- # Synapse responses may be chunked, which is an HTTP/1.1 feature.
- proxy_http_version 1.1;
- }
-
- location /.well-known/matrix/server {
- access_log off;
- add_header Access-Control-Allow-Origin *;
- default_type application/json;
- return 200 '{"m.server": "{{ domain_name }}:443"}';
- }
-
- location /.well-known/matrix/client {
- access_log off;
- add_header Access-Control-Allow-Origin *;
- default_type application/json;
- return 200 '{"m.homeserver": {"base_url": "https://{{ domain_name }}"}}';
- }
+# location ~ ^(/_matrix|/_synapse/client) {
+# # note: do not add a path (even a single /) after the port in `proxy_pass`,
+# # otherwise nginx will canonicalise the URI and cause signature verification
+# # errors.
+# proxy_pass http://synapse:8008;
+# proxy_set_header X-Forwarded-For $remote_addr;
+# proxy_set_header X-Forwarded-Proto $scheme;
+# proxy_set_header Host $host;
+#
+# # Nginx by default only allows file uploads up to 1M in size
+# # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+# client_max_body_size 50M;
+#
+# # Synapse responses may be chunked, which is an HTTP/1.1 feature.
+# proxy_http_version 1.1;
+# }
+#
+# location /.well-known/matrix/server {
+# access_log off;
+# add_header Access-Control-Allow-Origin *;
+# default_type application/json;
+# return 200 '{"m.server": "{{ domain_name }}:443"}';
+# }
+#
+# location /.well-known/matrix/client {
+# access_log off;
+# add_header Access-Control-Allow-Origin *;
+# default_type application/json;
+# return 200 '{"m.homeserver": {"base_url": "https://{{ domain_name }}"}}';
+# }
 location @proxy {
 proxy_set_header Host $host;
diff --git a/terraform/main.tf b/terraform/main.tf
index a627bca..a2fc8dd 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -61,14 +61,14 @@ module "sg" {
 egress_rules = [ "all-all" ]
 ingress_with_cidr_blocks = [
-# {
-# rule = "http-80-tcp"
-# cidr_blocks = "0.0.0.0/0"
-# },
-# {
-# },
-# {
-# }
+ {
+ rule = "http-80-tcp"
+ cidr_blocks = "0.0.0.0/0"
+ },
+ {
+ rule = "https-443-tcp"
+ cidr_blocks = "${chomp(data.http.myip.body)}/32"
+ }
 ]
 }
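Review bot: Thirty lines of Matrix/Synapse reverse-proxy and `.well-known/matrix/*` configuration are kept as `#`-commented dead text rather than removed, and neither the hunk nor the commit subject ("Open up certbot to everyone and mastodon to my-ip only") records why Matrix is being taken out. Since the template is in git, deleting the block or wrapping it in a Jinja guard such as `{% if matrix_enabled | default(false) %} … {% endif %}` would leave a rendered nginx.conf that shows only what is live. If Synapse is still running behind this host, removing these locations drops federation and client discovery, so a one-line comment stating whether that is intended would help the next reader. The enclosing server block starts and ends outside the hunk.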
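Review bot: The HTTPS allow-list is derived at plan time from `data.http.myip.body`, an HTTP lookup whose `url` is outside the hunk; if that lookup goes over plain HTTP, or the response is not a bare IPv4 address (an HTML error page, an IPv6 literal), `"${chomp(...)}/32"` yields either an invalid CIDR that fails the apply or a 443 rule for an address the operator did not intend. Constraining the value, e.g. `cidr_blocks = "${regex("^[0-9.]+$", chomp(data.http.myip.response_body))}/32"`, fails fast on anything that is not dotted-quad, and `response_body` is the current attribute name if the hashicorp/http provider is at 3.x, where `body` is deprecated. The same source restriction is applied independently in nginx via `allow {{ my_ip }}/32;`, so if `my_ip` reaches Ansible by a different path the two can drift, opening 443 for one address while nginx denies it; deriving both from one input avoids that.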