From abf70f777258de8c75aa4a758f0074ed07f3043f Mon Sep 17 00:00:00 2001 From: Olaf Schoenwald Date: Sat, 12 Sep 2020 10:52:25 +0200 Subject: [PATCH 1/7] Adds example for Caddy2 Caddyfile --- .DS_Store | Bin 0 -> 6148 bytes examples/caddy2/Caddyfile | 126 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 126 insertions(+) create mode 100644 .DS_Store create mode 100644 examples/caddy2/Caddyfile diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..7ca3f0dd3376c60b62a895fce41d817aca687d8c GIT binary patch literal 6148 zcmeHK%Wl&^6ur~B)JcoT0;yekgT$hWQbCCjLQ2y_5Q&#Cf(4+|uHDp*kRH)J>e2&x46M_Tyb|wAiD!^UF?NWw=*M-oVK0hC9gekvNKnepT%+byX?5n1Ao%5T|J7U%n2et z5#+%0;qvN55P9*W9gia~730{l!!#>qrC-~f&2Aqw_pF?Ia50Xn3HCa z(mjReA$8~>aK%y)OCZnK5CP>!%BtY!Ju6tgK0?TYU#BS+O;~&z#zUWHpnB0w1>fAd z=tAiEYX!6dOA7G)!9wELQn-*Pwhm Date: Sat, 12 Sep 2020 11:04:16 +0200 Subject: [PATCH 2/7] Comment in host-cars --- examples/host-vars.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/examples/host-vars.yml b/examples/host-vars.yml index 64d12097..e4e08bda 100644 --- a/examples/host-vars.yml +++ b/examples/host-vars.yml @@ -4,6 +4,9 @@ # Note: this playbook does not touch the server referenced here. # Installation happens on another server ("matrix."). # +# Plesae remember, if you've deployed the wrong URL, you have to run the Uninstalling step, +# cause you can't change the Domain after deployment. +# # Example value: example.com matrix_domain: YOUR_BARE_DOMAIN_NAME_HERE From a49718632a9cd56372bf3d5aad20f9805b409210 Mon Sep 17 00:00:00 2001 From: 0hlov3 <36544727+0hlov3@users.noreply.github.com> Date: Sat, 12 Sep 2020 23:26:11 +0200 Subject: [PATCH 3/7] Delete .DS_Store Removes DS-Store --- .DS_Store | Bin 6148 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 .DS_Store 
diff --git a/.DS_Store b/.DS_Store deleted file mode 100644 index 7ca3f0dd3376c60b62a895fce41d817aca687d8c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeHK%Wl&^6ur~B)JcoT0;yekgT$hWQbCCjLQ2y_5Q&#Cf(4+|uHDp*kRH)J>e2&x46M_Tyb|wAiD!^UF?NWw=*M-oVK0hC9gekvNKnepT%+byX?5n1Ao%5T|J7U%n2et z5#+%0;qvN55P9*W9gia~730{l!!#>qrC-~f&2Aqw_pF?Ia50Xn3HCa z(mjReA$8~>aK%y)OCZnK5CP>!%BtY!Ju6tgK0?TYU#BS+O;~&z#zUWHpnB0w1>fAd z=tAiEYX!6dOA7G)!9wELQn-*Pwhm Date: Sat, 12 Sep 2020 23:26:27 +0200 Subject: [PATCH 4/7] Removes DS_Store --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 32ab139f..d6068088 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,4 @@ !/inventory/host_vars/.gitkeep !/inventory/scripts /roles/*/files/scratchpad +.DS_Store From c366e2636009a9668611b8d2a61e1ec1038ad2a5 Mon Sep 17 00:00:00 2001 From: 0hlov3 Date: Sun, 13 Sep 2020 03:11:37 +0200 Subject: [PATCH 5/7] Updates exempes/caddy2/Caddyfile to SSL Grade A+ --- examples/caddy2/Caddyfile | 68 ++++++++++++++++++++++++++++----------- 1 file changed, 49 insertions(+), 19 deletions(-) diff --git a/examples/caddy2/Caddyfile b/examples/caddy2/Caddyfile index 09b3367e..0abb25af 100644 --- a/examples/caddy2/Caddyfile +++ b/examples/caddy2/Caddyfile 
@@ -27,13 +27,17 @@ matrix.DOMAIN.tld { } header { - Access-Control-Allow-Origin * - Strict-Transport-Security "mag=age=31536000;" - X-Frame-Options "DENY" + # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS + Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + # Enable cross-site filter (XSS) and tell browser to block detected attacks + X-XSS-Protection "1; mode=block" + # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type + X-Content-Type-Options "nosniff" + # Disallow the site to be rendered within a frame (clickjacking protection) + X-Frame-Options "DENY" + # X-Robots-Tag + X-Robots-Tag "noindex, noarchive, nofollow" 167,9 79% - Strict-Transport-Security "mag=age=31536000;" - X-Frame-Options "DENY" - X-XSS-Protection "1; mode=block" } # Cache 
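Review bot: `X-XSS-Protection "1; mode=block"`, newly added to the matrix.DOMAIN.tld header block, should be dropped or set to `X-XSS-Protection "0"`: the XSS auditor it enables has been removed from Chromium and never existed in Firefox, and in the engines that still honour it `1; mode=block` has been used as a cross-site leak channel, so current OWASP/MDN guidance is to disable it and rely on a `Content-Security-Policy` instead. The hunk also removes `Access-Control-Allow-Origin *` from this host; Synapse normally emits its own CORS headers on proxied client-API responses, but the Matrix client-server API must remain callable cross-origin by web clients such as Element, so any route Caddy answers directly on this host rather than proxying needs checking — the rest of the site block lies outside the hunk. `preload` in the new HSTS value only takes effect once DOMAIN.tld itself is submitted to the browser preload list, at which point `includeSubDomains` pins every subdomain of DOMAIN.tld to HTTPS; for an example file, `Strict-Transport-Security "max-age=31536000; includeSubDomains"` is the safer default unless the operator intends that submission. Note that the hunk as reproduced here is corrupted — a stray editor status-line fragment (`167,9 79%`) and a second set of `-` lines appear after `X-Robots-Tag` — so the old side and the +13/+17 line counts cannot be verified from this page.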
@@ -78,23 +82,36 @@ matrix.DOMAIN.tld { } } -:8448 { - handle { - encode zstd gzip +matrix.DOMAIN.tld:8448 { + handle { + encode zstd gzip - reverse_proxy localhost:8448 { - header_up X-Forwarded-Port {http.request.port} - header_up X-Forwarded-Proto {http.request.scheme} - header_up X-Forwarded-TlsProto {tls_protocol} - header_up X-Forwarded-TlsCipher {tls_cipher} - header_up X-Forwarded-HttpsProto {proto} - } - } + reverse_proxy 127.0.0.1:8048 { + header_up X-Forwarded-Port {http.request.port} + header_up X-Forwarded-Proto {http.request.scheme} + header_up X-Forwarded-TlsProto {tls_protocol} + header_up X-Forwarded-TlsCipher {tls_cipher} + header_up X-Forwarded-HttpsProto {proto} + } + } } dimension.DOMAIN.tld { - tls {$CADDY_TLS} + tls {$CADDY_TLS} + + header { + # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS + Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + # Enable cross-site filter (XSS) and tell browser to block detected attacks + X-XSS-Protection "1; mode=block" + # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type + X-Content-Type-Options "nosniff" + # Disallow the site to be rendered within a frame (clickjacking protection) + X-Frame-Options "DENY" + # X-Robots-Tag + X-Robots-Tag "noindex, noarchive, nofollow" + } handle { encode zstd gzip 
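Review bot: `X-Frame-Options "DENY"` in the new dimension.DOMAIN.tld header block is likely to break the service it is meant to protect: Dimension's integrations UI and widget pages (the `/element` and `/widgets/...` URLs this same series configures) are, as far as I know, rendered by Element inside iframes, and DENY makes the browser refuse to display them there. X-Frame-Options cannot express a cross-origin allow-list (`ALLOW-FROM` is obsolete), so replace that one line with a CSP such as `Content-Security-Policy "frame-ancestors 'self' https://element.DOMAIN.tld"` and keep the other headers — worth confirming against a live Dimension deployment before merging. In the `matrix.DOMAIN.tld:8448` block the upstream changes from `localhost:8448` to `127.0.0.1:8048`; presumably that is the playbook's plain-HTTP federation listener, and a comment like `# Synapse federation listener (plain HTTP); Caddy terminates TLS on 8448` would stop the port mismatch from reading as a typo. The dimension.DOMAIN.tld site block continues past the end of the hunk.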
@@ -111,7 +128,20 @@ dimension.DOMAIN.tld { element.DOMAIN.tld { - tls {$CADDY_TLS} + tls {$CADDY_TLS} + + header { + # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS + Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + # Enable cross-site filter (XSS) and tell browser to block detected attacks + X-XSS-Protection "1; mode=block" + # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type + X-Content-Type-Options "nosniff" + # Disallow the site to be rendered within a frame (clickjacking protection) + X-Frame-Options "DENY" + # X-Robots-Tag + X-Robots-Tag "noindex, noarchive, nofollow" + } handle { encode zstd gzip From c19abe4a76cdb2d9285f63d2cbf43005658fefe7 Mon Sep 17 00:00:00 2001 From: 0hlov3 Date: Sun, 13 Sep 2020 04:19:19 +0200 Subject: [PATCH 6/7] Changes matrix_dimension_integrations_ui_url from /riot to /element https://dimension.t2bot.io/ --- roles/matrix-dimension/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-dimension/defaults/main.yml b/roles/matrix-dimension/defaults/main.yml index 770f5bcb..33e7212c 100644 --- a/roles/matrix-dimension/defaults/main.yml +++ b/roles/matrix-dimension/defaults/main.yml @@ -27,7 +27,7 @@ matrix_dimension_container_http_host_bind_port: '' # A list of extra arguments to pass to the container matrix_dimension_container_extra_arguments: [] -matrix_dimension_integrations_ui_url: "https://{{ matrix_server_fqn_dimension }}/riot" +matrix_dimension_integrations_ui_url: "https://{{ matrix_server_fqn_dimension }}/element" matrix_dimension_integrations_rest_url: "https://{{ matrix_server_fqn_dimension }}/api/v1/scalar" matrix_dimension_integrations_widgets_urls: ["https://{{ matrix_server_fqn_dimension }}/widgets"] matrix_dimension_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_dimension }}/widgets/jitsi" 
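Review bot: This is the third verbatim copy of the same twelve-line `header { … }` block in the file (matrix., dimension., element.), which will drift the first time one of them is tuned; define it once as a Caddyfile snippet, `(security_headers) { header { … } }` at the top of the file, and replace each copy with `import security_headers`, overriding a single header per host only where it genuinely differs. For element.DOMAIN.tld specifically, Element's own deployment guidance pairs the frame header with `Content-Security-Policy "frame-ancestors 'self'"` (the modern equivalent that CSP-aware browsers prefer over X-Frame-Options), so adding that line here is worthwhile; DENY rather than the SAMEORIGIN Element suggests is stricter and probably fine, but deserves a note saying so. The `# X-Robots-Tag` comment only repeats the header name — `# Keep the web client out of search-engine indexes and caches` says why it is there. The element.DOMAIN.tld site block continues past the end of the hunk.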
From 6fefbc248abbc8e2d1666d4a26b8caa8e3229dcb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 13 Sep 2020 09:51:04 +0300 Subject: [PATCH 7/7] Fix typo and wording --- examples/host-vars.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/host-vars.yml b/examples/host-vars.yml index e4e08bda..409f344a 100644 --- a/examples/host-vars.yml +++ b/examples/host-vars.yml @@ -4,8 +4,8 @@ # Note: this playbook does not touch the server referenced here. # Installation happens on another server ("matrix."). # -# Plesae remember, if you've deployed the wrong URL, you have to run the Uninstalling step, -# cause you can't change the Domain after deployment. +# If you've deployed using the wrong domain, you'll have to run the Uninstalling step, +# because you can't change the Domain after deployment. # # Example value: example.com matrix_domain: YOUR_BARE_DOMAIN_NAME_HERE