ansible-synapse/roles/setup-synapse/templates/nginx.conf.j2

server {
    listen         80;
    server_name    {{ server_name }};
    return         301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen 8448 ssl http2;  # for federation (skip if pointing SRV or .well-known to port 443)
    gzip off;
    server_name {{ server_name }};

    ssl_certificate     "/etc/letsencrypt/live/{{ server_name }}/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/{{ server_name }}/privkey.pem";
    ssl_session_cache   shared:NGX_SSL_CACHE:10m;
    ssl_session_timeout 12h;
    ssl_protocols       TLSv1.3 TLSv1.2;
    ssl_ciphers		"TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256";
    ssl_dhparam         "/etc/letsencrypt/live/{{ server_name }}/dhparam2048.pem";
    ssl_ecdh_curve      X25519:secp521r1:secp384r1:prime256v1;

    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;
    add_header X-Content-Type-Options "nosniff" always;

    location / {  
        return 301 https://element.{{ server_name }};
    }

    location /_matrix {
        proxy_pass http://127.0.0.1:8008;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    # This can be skipped if you're using port 8448 on {{ server_name }} for federation:
    location /.well-known/matrix/server {
        return 200 '{ "m.server": "{{ server_name }}:8448" }';
        add_header content-type application/json;
    }

    location /.well-known/matrix/client {
        return 200 '{ "m.homeserver": { "base_url": "https://{{ server_name }}" }, "im.vector.riot.jitsi": { "preferredDomain": "jitsi.riot.im" } }';
        add_header access-control-allow-origin *;
        add_header content-type application/json;
    }

}
initial version, gets a Synapse server setup with an Element web-client 2023-08-08 14:27:20 -04:00			`server {`
			`listen 80;`
			`server_name {{ server_name }};`
			`return 301 https://$server_name$request_uri;`
			`}`

			`server {`
			`listen 443 ssl http2;`
			`listen 8448 ssl http2; # for federation (skip if pointing SRV or .well-known to port 443)`
			`gzip off;`
			`server_name {{ server_name }};`

			`ssl_certificate "/etc/letsencrypt/live/{{ server_name }}/fullchain.pem";`
			`ssl_certificate_key "/etc/letsencrypt/live/{{ server_name }}/privkey.pem";`
			`ssl_session_cache shared:NGX_SSL_CACHE:10m;`
			`ssl_session_timeout 12h;`
			`ssl_protocols TLSv1.3 TLSv1.2;`
			`ssl_ciphers "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256";`
			`ssl_dhparam "/etc/letsencrypt/live/{{ server_name }}/dhparam2048.pem";`
			`ssl_ecdh_curve X25519:secp521r1:secp384r1:prime256v1;`

			`add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;`
			`add_header X-Content-Type-Options "nosniff" always;`

			`location / {`
			`return 301 https://element.{{ server_name }};`
			`}`

			`location /_matrix {`
			`proxy_pass http://127.0.0.1:8008;`
			`proxy_set_header X-Forwarded-For $remote_addr;`
			`}`

			`# This can be skipped if you're using port 8448 on {{ server_name }} for federation:`
			`location /.well-known/matrix/server {`
			`return 200 '{ "m.server": "{{ server_name }}:8448" }';`
			`add_header content-type application/json;`
			`}`

			`location /.well-known/matrix/client {`
			`return 200 '{ "m.homeserver": { "base_url": "https://{{ server_name }}" }, "im.vector.riot.jitsi": { "preferredDomain": "jitsi.riot.im" } }';`
			`add_header access-control-allow-origin *;`
			`add_header content-type application/json;`
			`}`

			`}`