websites/proxy-matrix: Add Synapse rev proxy setup

The *websites/proxy-matrix* role configures the Internet-facing reverse
proxy to handle the *hatch.chat* domain.  Most Matrix communication
happens over the default HTTPS port, and as such will be directed
through the reverse proxy.

certs/websites/hatch.chat.cer

@@ -0,0 +1 @@
+../lego/hatch.chat.crt

certs/websites/hatch.chat.key

@@ -0,0 +1 @@
+../lego/hatch.chat.key

roles/websites/proxy-matrix/tasks/main.yml

@@ -0,0 +1,6 @@
+- name: ensure apache is configured to proxy for matrix
+  template:
+    src: matrix.httpd.conf.j2
+    dest: /etc/httpd/conf.d/matrix.conf
+    mode: '0644'
+  notify: reload httpd

roles/websites/proxy-matrix/templates/matrix.httpd.conf.j2

@@ -0,0 +1,13 @@
+<VirtualHost *:443>
+ServerName hatch.chat
+
+Include conf.d/ssl.include
+SSLCertificateFile /etc/pki/tls/certs/hatch.chat.cer
+SSLCertificateKeyFile /etc/pki/tls/private/hatch.chat.key
+
+SSLProxyEngine On
+ProxyRequests Off
+AllowEncodedSlashes NoDecode
+ProxyPass / https://matrix0.pyrocufflink.blue/ nocanon
+ProxyPassReverse / https://matrix0.pyrocufflink.blue/
+</VirtualHost>

websites.yml

@@ -35,6 +35,16 @@
     tags:
     - websites/proxy
     - websites/proxy-openvpn
+  - role: cert
+    cert_src: websites/hatch.chat.cer
+    cert_dest: /etc/pki/tls/certs/hatch.chat.cer
+    cert_key_src: websites/hatch.chat.key
+    cert_key_dest: /etc/pki/tls/private/hatch.chat.key
+    tags: websites/hatch.chat
+  - role: websites/proxy-matrix
+    tags:
+    - websites/proxy
+    - websites/hatch.chat
   tasks:
   - name: ensure httpd service is running
     service: