Add Matrix-to

Signed-off-by: Tommy <contact@tommytran.io>

README.md

@@ -2,7 +2,7 @@
 Matrix Synapse Docker-Compose
 
 1. Update `docker-compose.yml`
-2. Update the hostname in `swag/nginx/proxy-confs/synapse.subdomain.conf` and `swag/nginx/proxy-confs/element.subdomain.conf`approprieately.
+2. Update the hostname in `swag/nginx/proxy-confs/synapse.subdomain.conf`, `swag/nginx/proxy-confs/element.subdomain.conf`, and `swag/nginx/proxy-confs/matrix-to.subdomain.conf` approprieately.
 3. Run `docker-compose run --rm -e SYNAPSE_SERVER_NAME=yourdomain.tld -e SYNAPSE_REPORT_STATS=no synapse generate`
 4. Update ./files/homeserver.yaml
    - Update web_client_location to app.yourdomain.tld (Remember to remove the comment #)
@@ -10,12 +10,12 @@ Matrix Synapse Docker-Compose
    - Uncomment serve_server_wellknown to enable it and configure https://yourdoman.tld/.well-known/matrix/server for federation
    - Change `pepper` in your password config. Uncomment the setting to enable it.
    - Change the default database from SQLite to PostgreSQL
-   - Configure the mail credentials if you have a mail server 
+   - Configure the mail credentials if you have a mail server
    - Configure `admin_contact` in the homeserver blocking section
    - Enable `encryption_enabled_by_default_for_room_type` by default
    - Edit whatever else you might want to
 5. Copy config.sample.json from https://github.com/vector-im/element-web to `./element/config.json` and make the approriate adjustments
-6. Tighten the Content Security Policy in `swag/nginx/ssl.conf` to suit your needs
+6. Tighten the Content Security Policy in `swag/nginx/proxy-confs/element.subdomain.conf` to suit your needs
 7. Copy the config from https://github.com/matrix-org/pantalaimon to `./pantalaimon/pantalaimon.conf` and edit it accordingly
 8. Run `docker-compose up` and make sure nothing errors out. You can use `docker-compose up -d` to start it in the background if you want.
 9. Uncomment the security options for postgres. Run `docker-compose up -d` again.
@@ -24,7 +24,7 @@ Matrix Synapse Docker-Compose
 
 ## Notes
 
-The CSP policies in `swag/nginx/ssl.conf` is slightly stricter on [ArcticFoxes Element](https://element.arcticfoxes.net) as it does not support third party servers:
+The CSP policies in `swag/nginx/proxy-confs/element.subdomain.conf` is slightly stricter on [ArcticFoxes Element](https://element.arcticfoxes.net) as it does not support third party servers:
 
 ```
 add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https://arcticfoxes.net https://matrix.arcticfoxes.net; font-src 'self'; img-src 'self' https://arcticfoxes.net https://matrix.arcticfoxes.net blob: data:; manifest-src 'self'; media-src https://matrix.arcticfoxes.net; script-src 'self' 'unsafe-eval' https://www.recaptcha.net https://www.gstatic.com; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.recaptcha.net blob:; frame-ancestors 'self'; block-all-mixed-content; base-uri 'none'";

docker-compose.yml

@@ -81,6 +81,19 @@ services:
       - /var/run:size=50M,mode=0770,noexec,nosuid,nodev
       - /var/cache/nginx:size=50M,mode=0770,noexec,nosuid,nodev
 
+  matrix-to:
+    image: ghcr.io/tommytran732/matrix.to
+    container_name: matrix-to
+    restart: unless-stopped
+    networks:
+      - matrix-to
+    user: 992:992
+    security_opt:
+      - no-new-privileges:true
+      - label:disable
+    cap_drop:
+      - ALL
+
   swag:
     image: ghcr.io/linuxserver/swag
     container_name: swag

swag/nginx/proxy-confs/element.subdomain.conf

@@ -18,6 +18,9 @@ server {
     location / {
         include /config/nginx/proxy.conf;
         include /config/nginx/resolver.conf;
+
+        add_header Content-Security-Policy "default-src 'none'; connect-src * https:; font-src 'self'; img-src https: blob: data:; manifest-src 'self'; media-src *; script-src 'self' 'unsafe-eval' https://www.recaptcha.net https://www.gstatic.com; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.recaptcha.net blob:; frame-ancestors 'self'; block-all-mixed-content; base-uri 'none'";
+
         set $upstream_app element;
         set $upstream_port 80;
         set $upstream_proto http;

swag/nginx/proxy-confs/matrix-to.subdomain.conf

@@ -0,0 +1,33 @@
+## Version 2021/05/18
+# make sure that your dns has a cname set for element
+# if element is running in bridge mode and the container is named "element", the below config should work as is
+# if not, replace the line "set $upstream_app element;" with "set $upstream_app <containername>;"
+# or "set $upstream_app <HOSTIP>;" for host mode, HOSTIP being the IP address of element
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    server_name invite.*;
+
+    include /config/nginx/ssl.conf;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+
+    client_max_body_size 0;
+
+    location / {
+        include /config/nginx/proxy.conf;
+        include /config/nginx/resolver.conf;
+
+        add_header Content-Security-Policy "default-src 'none'; connect-src *; img-src *; script-src 'self' 'unsafe-inline'; style-src 'self'";
+
+        set $upstream_app matrix-to;
+        set $upstream_port 5000;
+        set $upstream_proto http;
+        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+        proxy_set_header Range $http_range;
+        proxy_set_header If-Range $http_if_range;
+    }
+
+}