Run matrix federation also over apache to get proper TLS. For some reason not working with tls from synapse itself.

roles/matrix/tasks/synapse.yml

 - name: Add cert postrenew task
   copy: src=etc_letsencrypt_postrenew_synapse.sh dest=/etc/letsencrypt/postrenew/synapse.sh mode=0755
 
-- name: Set firewall rules for Synapse
-  ufw: rule=allow port={{ item }} proto=tcp
-  with_items:
-    - 8448  # matrix federation
-  tags: ufw
-
 - name: Register new Synapse service
   systemd: name=matrix-synapse daemon_reload=yes enabled=yes
 

roles/matrix/templates/etc_matrix-synapse_homeserver.j2

   # will also need to give Synapse a TLS key and certificate: see the TLS section
   # below.)
   #
-  - port: 8448
-    type: http
-    tls: true
-    bind_addresses:
-      - '::'
-    
-    resources:
-      - names: [client, federation, webclient]
+  #- port: 8448
+  #  type: http
+  #  tls: true
+  #  bind_addresses:
+  #    - '::'
+  #
+  #  resources:
+  #    - names: [client, federation, webclient]
 
   # Unsecure HTTP listener: for when matrix traffic passes through a reverse proxy
   # that unwraps TLS.

roles/matrix/templates/var_www_well-known_matrix_server.j2

 {
-    "m.server": "{{ matrix_domain }}:8448"
+    "m.server": "{{ matrix_domain }}:443"
 }

roles/monitoring/files/etc_monit_conf.d_matrix

   group social
   start program = "/bin/systemctl start matrix-synapse"
   stop program = "/bin/systemctl stop matrix-synapse"
-  if failed port 8448 type tcp
+  if failed port 8008 type tcp
     with timeout 10 seconds
     then restart
   if 5 restarts within 5 cycles then timeout