From 08b49c14d940ebfd6ea08d67f715b72958fed4f0 Mon Sep 17 00:00:00 2001 From: decentral1se Date: Sun, 8 Oct 2023 01:41:29 +0200 Subject: [PATCH] feat: use nginx proxy, config for public rooms (fedi) See https://git.coopcloud.tech/coop-cloud/matrix-synapse/issues/38. --- .env.sample | 2 ++ abra.sh | 5 ++- compose.discord.yml | 2 +- compose.keycloak.yml | 2 +- compose.keycloak2.yml | 2 +- compose.keycloak3.yml | 2 +- compose.shared_secret_auth.yml | 2 +- compose.signal.yml | 2 +- compose.smtp.yml | 2 +- compose.telegram.yml | 2 +- compose.turn.yml | 2 +- compose.yml | 58 ++++++++++++++++++++++++++-------- homeserver.yaml.tmpl | 2 +- nginx.conf.tmpl | 31 ++++++++++++++++++ release/5.0.0+v1.93.0 | 17 ++++++++++ well_known_client.conf.tmpl | 5 +++ well_known_server.conf.tmpl | 3 ++ 17 files changed, 116 insertions(+), 25 deletions(-) create mode 100644 nginx.conf.tmpl create mode 100644 release/5.0.0+v1.93.0 create mode 100644 well_known_client.conf.tmpl create mode 100644 well_known_server.conf.tmpl diff --git a/.env.sample b/.env.sample index 2480977..b7275d3 100644 --- a/.env.sample +++ b/.env.sample @@ -24,6 +24,8 @@ SECRET_REGISTRATION_VERSION=v1 # Set "true" to enable federation endpoint on $DOMAIN/.well-known/matrix/server SERVE_SERVER_WELLKNOWN=false +ALLOW_PUBLIC_ROOMS_FEDERATION=false + ## Registration ENABLE_REGISTRATION=false diff --git a/abra.sh b/abra.sh index 971af6b..0565de1 100644 --- a/abra.sh +++ b/abra.sh @@ -1,10 +1,13 @@ export DISCORD_BRIDGE_YAML_VERSION=v2 export ENTRYPOINT_CONF_VERSION=v1 -export HOMESERVER_YAML_VERSION=v23 +export HOMESERVER_YAML_VERSION=v24 export LOG_CONFIG_VERSION=v2 export SHARED_SECRET_AUTH_VERSION=v1 export SIGNAL_BRIDGE_YAML_VERSION=v4 export TELEGRAM_BRIDGE_YAML_VERSION=v6 +export NGINX_CONFIG_VERSION=v4 +export WK_SERVER_VERSION=v1 +export WK_CLIENT_VERSION=v1 set_admin () { admin=akadmin diff --git a/compose.discord.yml b/compose.discord.yml index 84bc62d..a6ec3f1 100644 --- a/compose.discord.yml 
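Review bot: `ALLOW_PUBLIC_ROOMS_FEDERATION=false` is added without the explanatory comment that its neighbour `SERVE_SERVER_WELLKNOWN` carries, so an operator reading the sample cannot tell what enabling it exposes. Since the homeserver.yaml.tmpl hunk in this patch feeds the value straight into `allow_public_rooms_over_federation`, a comment in the existing style, e.g. `# Set "true" to let any other homeserver fetch this server's public rooms directory over federation`, mirrors the option's own description quoted in that hunk. The default of `false` is the right choice for a new, opt-in exposure.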
+++ b/compose.discord.yml @@ -2,7 +2,7 @@ version: "3.8" services: - app: + synapse: environment: - APP_SERVICES_ENABLED - APP_SERVICE_CONFIGS diff --git a/compose.keycloak.yml b/compose.keycloak.yml index be86fe0..ac72742 100644 --- a/compose.keycloak.yml +++ b/compose.keycloak.yml @@ -2,7 +2,7 @@ version: "3.8" services: - app: + synapse: secrets: - db_password - form_secret diff --git a/compose.keycloak2.yml b/compose.keycloak2.yml index 971b6cc..471c548 100644 --- a/compose.keycloak2.yml +++ b/compose.keycloak2.yml @@ -2,7 +2,7 @@ version: "3.8" services: - app: + synapse: secrets: - keycloak2_client_secret environment: diff --git a/compose.keycloak3.yml b/compose.keycloak3.yml index ec8514c..a89af2c 100644 --- a/compose.keycloak3.yml +++ b/compose.keycloak3.yml @@ -2,7 +2,7 @@ version: "3.8" services: - app: + synapse: secrets: - keycloak3_client_secret environment: diff --git a/compose.shared_secret_auth.yml b/compose.shared_secret_auth.yml index 784b452..efa0c33 100644 --- a/compose.shared_secret_auth.yml +++ b/compose.shared_secret_auth.yml @@ -2,7 +2,7 @@ version: "3.8" services: - app: + synapse: environment: - SHARED_SECRET_AUTH_ENABLED secrets: diff --git a/compose.signal.yml b/compose.signal.yml index d6ee6be..82ef95c 100644 --- a/compose.signal.yml +++ b/compose.signal.yml @@ -2,7 +2,7 @@ version: "3.8" services: - app: + synapse: environment: - APP_SERVICES_ENABLED - APP_SERVICE_CONFIGS diff --git a/compose.smtp.yml b/compose.smtp.yml index 329faef..d38ca03 100644 --- a/compose.smtp.yml +++ b/compose.smtp.yml @@ -2,7 +2,7 @@ version: "3.8" services: - app: + synapse: secrets: - db_password - form_secret diff --git a/compose.telegram.yml b/compose.telegram.yml index 6c0d34c..3ee7756 100644 --- a/compose.telegram.yml +++ b/compose.telegram.yml @@ -2,7 +2,7 @@ version: "3.8" services: - app: + synapse: environment: - APP_SERVICES_ENABLED - APP_SERVICE_CONFIGS diff --git a/compose.turn.yml b/compose.turn.yml index 783a878..ae213e3 100644 
--- a/compose.turn.yml +++ b/compose.turn.yml @@ -2,7 +2,7 @@ version: "3.8" services: - app: + synapse: secrets: - db_password - form_secret diff --git a/compose.yml b/compose.yml index d1c6d9d..6fae057 100644 --- a/compose.yml +++ b/compose.yml @@ -3,11 +3,40 @@ version: "3.8" services: app: + image: nginx:1.23.3 + networks: + - proxy + - internal + environment: + - STACK_NAME + configs: + - source: nginx_config + target: /etc/nginx/nginx.conf + - source: wk_server + target: /var/www/.well-known/matrix/server + - source: wk_client + target: /var/www/.well-known/matrix/client + deploy: + restart_policy: + condition: on-failure + labels: + - "traefik.enable=true" + - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80" + - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)" + - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure" + - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" + - "coop-cloud.${STACK_NAME}.version=5.0.0+v1.93.0" + - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}" + healthcheck: + test: curl -f http://synapse:8008/health || exit 1 + interval: 5s + timeout: 3s + retries: 20 + + synapse: image: "matrixdotorg/synapse:v1.93.0" volumes: - "data:/data" - depends_on: - - db secrets: - db_password - registration_shared_secret @@ -15,6 +44,7 @@ services: - form_secret environment: - ALLOWED_LIFETIME_MAX + - ALLOW_PUBLIC_ROOMS_FEDERATION - AUTO_JOIN_ROOM - AUTO_JOIN_ROOM_ENABLED - DISABLE_FEDERATION @@ -41,7 +71,6 @@ services: - VIRTUAL_HOST=${DOMAIN} - VIRTUAL_PORT=8008 networks: - - proxy - internal entrypoint: /docker-entrypoint.sh configs: 
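Review bot: The new `app` service passes only `STACK_NAME` into its environment, yet `nginx.conf.tmpl` and both well-known templates read `{{ env "DOMAIN" }}`; swarm renders `template_driver: golang` configs against the task's own environment, so unless `DOMAIN` reaches this container by some other path, `server_name` renders empty and the well-known values render as `https://` and `:443`. Adding `- DOMAIN` under `environment:` next to `- STACK_NAME` closes that gap. Separately, the healthcheck `curl -f http://synapse:8008/health || exit 1` marks the proxy unhealthy whenever Synapse is down and assumes the `nginx:1.23.3` image ships curl — worth confirming, and worth a comment that the coupling is intentional. The healthcheck addresses the upstream as `synapse` while nginx.conf.tmpl uses `{{ env "STACK_NAME"}}_synapse`; both resolve inside the stack network, but one spelling would be easier to maintain.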
@@ -52,17 +81,6 @@ services: - source: entrypoint_conf target: /docker-entrypoint.sh mode: 0555 - deploy: - restart_policy: - condition: on-failure - labels: - - "traefik.enable=true" - - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8008" - - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)" - - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure" - - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" - - "coop-cloud.${STACK_NAME}.version=4.0.0+v1.93.0" - - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}" healthcheck: test: ["CMD", "curl", "-f", "http://localhost:8008/health"] interval: 30s @@ -121,6 +139,18 @@ configs: name: ${STACK_NAME}_log_config_${LOG_CONFIG_VERSION} file: log.config.tmpl template_driver: golang + nginx_config: + name: ${STACK_NAME}_nginx_config_${NGINX_CONFIG_VERSION} + file: nginx.conf.tmpl + template_driver: golang + wk_server: + name: ${STACK_NAME}_wk_server_${WK_SERVER_VERSION} + file: well_known_server.conf.tmpl + template_driver: golang + wk_client: + name: ${STACK_NAME}_wk_client_${WK_CLIENT_VERSION} + file: well_known_client.conf.tmpl + template_driver: golang secrets: db_password: diff --git a/homeserver.yaml.tmpl b/homeserver.yaml.tmpl index aa20354..53a435b 100644 --- a/homeserver.yaml.tmpl +++ b/homeserver.yaml.tmpl @@ -78,7 +78,7 @@ allow_public_rooms_without_auth: false # If set to 'true', allows any other homeserver to fetch the server's public # rooms directory via federation. Defaults to 'false'. # -allow_public_rooms_over_federation: false +allow_public_rooms_over_federation: {{ env "ALLOW_PUBLIC_ROOMS_FEDERATION" }} listeners: # Unsecure HTTP listener: for when matrix traffic passes through a reverse proxy diff --git a/nginx.conf.tmpl b/nginx.conf.tmpl new file mode 100644 index 0000000..56b3987 --- /dev/null +++ b/nginx.conf.tmpl 
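Review bot: `allow_public_rooms_over_federation: {{ env "ALLOW_PUBLIC_ROOMS_FEDERATION" }}` renders to an empty value when the variable is missing from an operator's existing `.env`, which an upgrade that introduces a new variable makes likely; YAML then reads null instead of the previous literal `false`, and whether Synapse treats that as false or rejects the config is not visible from the patch. A default-preserving form such as `allow_public_rooms_over_federation: {{ or (env "ALLOW_PUBLIC_ROOMS_FEDERATION") "false" }}` keeps the prior behaviour unless explicitly opted in. If the recipe instead relies on tooling to populate every `.env.sample` key before deploy, a sentence in the release file stating that would suffice.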
@@ -0,0 +1,31 @@ +user www-data; + +events { + worker_connections 768; +} + +http { + server { + listen 80; + + access_log off; + error_log /dev/null; + + server_name {{ env "DOMAIN" }}; + + location ~* ^(\/_matrix|\/_synapse\/client) { + proxy_pass http://{{ env "STACK_NAME"}}_synapse:8008; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $host; + client_max_body_size 50M; + proxy_http_version 1.1; + } + + location /.well-known/matrix/ { + root /var/www/; + default_type application/json; + add_header Access-Control-Allow-Origin *; + } + } +} diff --git a/release/5.0.0+v1.93.0 b/release/5.0.0+v1.93.0 new file mode 100644 index 0000000..4c97b8b --- /dev/null +++ b/release/5.0.0+v1.93.0 @@ -0,0 +1,17 @@ +An Nginx proxy has been configured as the entrypoint for Synapse. This is not +optional. This is done to counteract IP collection in Synapse itself. See more: + +!!! You MUST undeploy your Synapse install before upgrading to this version !!! + +This is because there have been a service rename in the recipe configuration: + +* `app` -> `synapse` + +This could break stuff in the recipe, so please report issues if you run into +anything! + + https://git.coopcloud.tech/coop-cloud/matrix-synapse/issues/38 + +Thanks! + +-- d1 diff --git a/well_known_client.conf.tmpl b/well_known_client.conf.tmpl new file mode 100644 index 0000000..8cacb96 --- /dev/null +++ b/well_known_client.conf.tmpl @@ -0,0 +1,5 @@ +{ + "m.homeserver": { + "base_url": "https://{{ env "DOMAIN" }}" + } +} diff --git a/well_known_server.conf.tmpl b/well_known_server.conf.tmpl new file mode 100644 index 0000000..af17da2 --- /dev/null +++ b/well_known_server.conf.tmpl @@ -0,0 +1,3 @@ +{ + "m.server": "{{ env "DOMAIN" }}:443" +}
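Review bot: `proxy_set_header X-Forwarded-For $remote_addr;` hands Synapse the address of whatever sits in front of nginx (Traefik, per the labels in compose.yml), which is the stated intent of the change, but it also means every client shares one source address from Synapse's point of view: per-IP protections such as the `rc_login` address rate limits apply collectively, and any IP-based block hits all users at once. That trade-off deserves a comment on the line, e.g. `# deliberately not forwarding the client address; Synapse per-IP limits now key on the proxy`. `error_log /dev/null;` also discards configuration and upstream failures entirely; if the concern is client addresses in error entries, `error_log stderr crit;` keeps only fatal startup problems visible. The `~*` modifier makes the `/_matrix` and `/_synapse/client` match case-insensitive although Matrix paths are case-sensitive; `~` would match only the intended prefixes.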
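Review bot: The `m.server` document is now served by nginx for every deployment, which appears to supersede the `SERVE_SERVER_WELLKNOWN` toggle visible as context in the `.env.sample` hunk; if that variable still gates something on the Synapse side, the path is answered by the proxy before Synapse sees it. Either a template guard on the well-known location in nginx.conf.tmpl or a line in the release file saying the toggle is obsolete would stop operators expecting `SERVE_SERVER_WELLKNOWN=false` to hide the delegation record. This is inferred from the two hunks together; the Synapse-side handling of that variable is outside the patch.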