7 Commits
Author | SHA1 | Date |
---|---|---|
3wc | e9f84f8fd8 | |
3wc | ef719bcee4 | |
3wc | 309122240a | |
3wc | fd3c7a606a | |
3wc | ad6a1c87dd | |
3wc | cfbd809761 | |
3wc | 2d78fff08f |
|
@ -1,6 +1,11 @@
|
||||||
export DOMAIN=matrix.example.com
|
|
||||||
export STACK_NAME=matrix
|
export STACK_NAME=matrix
|
||||||
|
export APP=matrix
|
||||||
|
|
||||||
|
export DOMAIN=matrix.example.com
|
||||||
export LETS_ENCRYPT_ENV=production
|
export LETS_ENCRYPT_ENV=production
|
||||||
|
|
||||||
export ENTRYPOINT_CONF_VERSION=v1
|
export ENTRYPOINT_CONF_VERSION=v1
|
||||||
|
|
||||||
|
## TURN server
|
||||||
|
#export TURNSERVER_CONF_VERSION=v1
|
||||||
|
#export COTURN_SHARED_SECRET_VERSION=v1
|
||||||
|
|
|
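Review bot: The two TURN variables are left commented out, yet compose.turn.yml in this same compare interpolates `${TURNSERVER_CONF_VERSION}` and `${COTURN_SHARED_SECRET_VERSION}` into the config and secret names, so deploying the overlay with these lines still commented yields names ending in a bare `_` (plus an unset-variable warning, or an error, depending on how abra runs the deploy, which is not visible here); a comment beside `## TURN server` such as `# uncomment both lines when deploying with compose.turn.yml` would make that dependency explicit. `EXTRA_DOMAINS`, newly read by the Traefik `Host(...)` rule in compose.yml, is not exported here at all; adding `export EXTRA_DOMAINS=""` with a comment on the expected format (presumably a comma-prefixed list of extra backtick-quoted hosts, to judge from the rule) keeps this file a complete inventory of what the stack reads.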
@ -9,9 +9,10 @@ image][synapse-docker].
|
||||||
3. Edit `.envrc` - be sure to change `$DOMAIN` to something that resolves to
|
3. Edit `.envrc` - be sure to change `$DOMAIN` to something that resolves to
|
||||||
your Docker swarm box
|
your Docker swarm box
|
||||||
4. `direnv allow` (or `. .envrc`)
|
4. `direnv allow` (or `. .envrc`)
|
||||||
|
4. `abra secret_generate coturn_shared_secret`
|
||||||
5. `abra deploy`
|
5. `abra deploy`
|
||||||
6. `abra service_run synapse` to open a shell
|
6. `abra service_run synapse` to open a shell
|
||||||
7. `register_new_matrix_user -c /data/homeserver.yaml http://localhost:8008`
|
7. `abra register_new_matrix_user`
|
||||||
|
|
||||||
[synapse-docker]: https://hub.docker.com/r/matrixdotorg/synapse
|
[synapse-docker]: https://hub.docker.com/r/matrixdotorg/synapse
|
||||||
[abra]: https://git.autonomic.zone/autonomic-cooperative/abra
|
[abra]: https://git.autonomic.zone/autonomic-cooperative/abra
|
||||||
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
sub_register_new_matrix_user() {
|
||||||
|
abra run synapse register_new_matrix_user -c /data/homeserver.yaml http://localhost:8008
|
||||||
|
}
|
|
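Review bot: `abra run synapse register_new_matrix_user ...` still addresses the service as `synapse`, while the compose.yml hunk in this compare appears to rename the service to `app` (only the volume keeps the name `synapse`); if abra resolves its first argument as a Compose service name, this helper will not find the service and should read `abra run app register_new_matrix_user -c /data/homeserver.yaml http://localhost:8008`. A one-line comment above the function, `# abra register_new_matrix_user: interactively register a Synapse user inside the running container (README step 7)`, would tell the next reader what the subcommand is for. I cannot see abra's dispatch from this page, so the `sub_` naming convention is taken on trust.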
@ -0,0 +1,35 @@
|
||||||
|
services:
|
||||||
|
app:
|
||||||
|
environment:
|
||||||
|
- TURN_SERVER=${DOMAIN}
|
||||||
|
- TURN_PORT=3478
|
||||||
|
secrets:
|
||||||
|
- coturn_shared_secret
|
||||||
|
|
||||||
|
coturn:
|
||||||
|
image: instrumentisto/coturn:latest
|
||||||
|
networks:
|
||||||
|
- swarm_host
|
||||||
|
secrets:
|
||||||
|
- coturn_shared_secret
|
||||||
|
configs:
|
||||||
|
- source: turnserver_conf
|
||||||
|
target: /etc/coturn/turnserver.conf
|
||||||
|
|
||||||
|
configs:
|
||||||
|
turnserver_conf:
|
||||||
|
name: ${STACK_NAME}_turnserver_conf_${TURNSERVER_CONF_VERSION}
|
||||||
|
file: turnserver.conf.tmpl
|
||||||
|
template_driver: golang
|
||||||
|
|
||||||
|
secrets:
|
||||||
|
coturn_shared_secret:
|
||||||
|
external: true
|
||||||
|
name: ${STACK_NAME}_coturn_shared_secret_${COTURN_SHARED_SECRET_VERSION}
|
||||||
|
|
||||||
|
networks:
|
||||||
|
# use host-mode networking until Docker can handle mass port-forwards:
|
||||||
|
# https://github.com/moby/moby/issues/11185
|
||||||
|
swarm_host:
|
||||||
|
external:
|
||||||
|
name: 'host'
|
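Review bot: `image: instrumentisto/coturn:latest` leaves the TURN relay unpinned while the same compare pins Synapse to `v1.9.1`; an unpinned tag means every redeploy can silently pull a different coturn build, so pin it to a specific tag (ideally with a `@sha256:` digest) in the same way. `TURN_SERVER=${DOMAIN}` points clients at the bare domain while turnserver.conf.tmpl sets `realm=turn.{{ env "DOMAIN" }}`; coturn does not require the two to agree, but a comment recording that `turn.` is only a realm label and not a hostname to provision would stop someone "fixing" one to match the other. Because `coturn` joins the external `host` network, every port coturn listens on is exposed on all host interfaces; the existing comment explains that for the relay range, and it is worth stating explicitly for 3478 as well so the exposure is a documented decision.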
34
compose.yml
34
compose.yml
|
@ -2,10 +2,10 @@
|
||||||
version: "3.8"
|
version: "3.8"
|
||||||
|
|
||||||
services:
|
services:
|
||||||
synapse:
|
app:
|
||||||
image: "matrixdotorg/synapse:latest"
|
image: "matrixdotorg/synapse:v1.9.1"
|
||||||
volumes:
|
volumes:
|
||||||
- "data:/data"
|
- "synapse:/data"
|
||||||
environment:
|
environment:
|
||||||
- VIRTUAL_HOST=${DOMAIN}
|
- VIRTUAL_HOST=${DOMAIN}
|
||||||
- VIRTUAL_PORT=8008
|
- VIRTUAL_PORT=8008
|
||||||
|
@ -14,31 +14,33 @@ services:
|
||||||
- SYNAPSE_REPORT_STATS=no
|
- SYNAPSE_REPORT_STATS=no
|
||||||
networks:
|
networks:
|
||||||
- proxy
|
- proxy
|
||||||
|
configs:
|
||||||
|
- source: entrypoint_conf
|
||||||
|
target: /docker-entrypoint.sh
|
||||||
|
mode: 0555
|
||||||
|
entrypoint: /docker-entrypoint.sh
|
||||||
deploy:
|
deploy:
|
||||||
labels:
|
|
||||||
- "traefik.enable=true"
|
|
||||||
- "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8008"
|
|
||||||
- "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
|
|
||||||
- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
|
|
||||||
- "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
|
||||||
restart_policy:
|
restart_policy:
|
||||||
condition: on-failure
|
condition: on-failure
|
||||||
delay: "60s"
|
delay: "60s"
|
||||||
max_attempts: 3
|
max_attempts: 3
|
||||||
window: 120s
|
window: 120s
|
||||||
entrypoint: /docker-entrypoint.sh
|
labels:
|
||||||
configs:
|
- "traefik.enable=true"
|
||||||
- source: entrypoint_conf
|
- "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8008"
|
||||||
target: /docker-entrypoint.sh
|
- "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
|
||||||
mode: 0555
|
- "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
||||||
|
- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
|
||||||
|
- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
|
||||||
|
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
|
||||||
|
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
|
||||||
|
|
||||||
volumes:
|
volumes:
|
||||||
data:
|
synapse:
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
proxy:
|
proxy:
|
||||||
external: true
|
external: true
|
||||||
internal:
|
|
||||||
|
|
||||||
configs:
|
configs:
|
||||||
entrypoint_conf:
|
entrypoint_conf:
|
||||||
|
|
|
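Review bot: The named volume appears to change from `data` to `synapse` alongside the `synapse` → `app` service rename, and if that is the new side, an existing stack will be handed a fresh, empty `${STACK_NAME}_synapse` volume on redeploy, so `/start.py generate` in docker-entrypoint.sh will mint a new homeserver.yaml and signing key while the old data sits orphaned in `${STACK_NAME}_data`; either keep the volume name or document the migration step in the README. `${EXTRA_DOMAINS}` in the `Host(...)` rule has no export in the `.envrc` hunk; `${EXTRA_DOMAINS:-}` would make the empty default explicit if the deploy path honours Compose default syntax. The `headers.SSLForceHost` / `headers.SSLHost` middleware options are, as far as I recall, deprecated in Traefik v2 in favour of a redirect middleware, and with the router bound only to `web-secure` there is no plain-HTTP router for them to act on, so their intended effect (redirecting the extra domains to `${DOMAIN}`?) deserves a comment or a `redirectregex` middleware instead.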
@ -2,6 +2,17 @@
|
||||||
|
|
||||||
if [[ ! -f /data/homeserver.yaml ]]; then
|
if [[ ! -f /data/homeserver.yaml ]]; then
|
||||||
/start.py generate
|
/start.py generate
|
||||||
|
|
||||||
|
apt update && apt install -y wget
|
||||||
|
wget https://github.com/mikefarah/yq/releases/download/3.3.2/yq_linux_amd64 && \
|
||||||
|
chmod +x yq_linux_amd64 && \
|
||||||
|
mv yq_linux_amd64 /bin/yq
|
||||||
|
|
||||||
|
# turn (https://github.com/matrix-org/synapse/blob/master/docs/turn-howto.md#synapse-setup)
|
||||||
|
yq w -i /data/homeserver.yaml turn_uris "[]"
|
||||||
|
yq w -i /data/homeserver.yaml turn_uris\[0\] "turn:${TURN_SERVER}:${TURN_PORT}?transport=udp"
|
||||||
|
yq w -i /data/homeserver.yaml turn_uris\[1\] "turn:${TURN_SERVER}:${TURN_PORT}?transport=tcp"
|
||||||
|
yq w -i /data/homeserver.yaml coturn_shared_secret "$(tr -d \"\n\" < /run/secrets/coturn_shared_secret)"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
/start.py
|
/start.py
|
||||||
|
|
|
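Review bot: The secret is written into homeserver.yaml under the key `coturn_shared_secret`, but the setting Synapse reads (per the turn-howto linked in the comment above it) is `turn_shared_secret`, so TURN credentials will never be issued; the line should be `yq w -i /data/homeserver.yaml turn_shared_secret "$(tr -d '\n' < /run/secrets/coturn_shared_secret)"`. The quoting of `tr -d \"\n\"` is also wrong as far as I can read it: inside `$( )` the backslashes are consumed by the inner shell, so tr receives the literal three-character set `"n"` and strips every `n` from the secret rather than the trailing newline, leaving Synapse and coturn with different secrets for any value containing an `n`. Installing yq by downloading an unverified binary over the network at first boot is a supply-chain risk as well — verify it against a known sha256 (or bake yq into the image) and abort if the download or check fails; the top of the file is outside this hunk so I cannot tell whether `set -e` is on, and without it a failed download still lets `/start.py` bring Synapse up with a half-written config.
```shell
# … unchanged: /start.py generate …
apt update && apt install -y wget
wget -O /tmp/yq https://github.com/mikefarah/yq/releases/download/3.3.2/yq_linux_amd64 && \
  echo "<EXPECTED_SHA256_PLACEHOLDER>  /tmp/yq" | sha256sum -c - && \
  chmod +x /tmp/yq && mv /tmp/yq /bin/yq || exit 1
# … unchanged: turn_uris writes …
yq w -i /data/homeserver.yaml turn_shared_secret "$(tr -d '\n' < /run/secrets/coturn_shared_secret)"
```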
@ -0,0 +1,6 @@
|
||||||
|
secret="screw\$naval5seem!herb" && \
|
||||||
|
time=$(date +%s) && \
|
||||||
|
expiry=8400 && \
|
||||||
|
username=$(( $time + $expiry )) &&\
|
||||||
|
echo username:$username && \
|
||||||
|
echo password : $(echo -n $username | openssl dgst -binary -sha1 -hmac $secret | openssl base64)
|
|
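Review bot: `secret="screw\$naval5seem!herb"` hard-codes a TURN shared secret in a committed file; even if this is only a local credential-check helper, a literal that may once have matched a live coturn secret should not live in the repo, so read it from the secret file instead, `secret=$(tr -d '\n' < /run/secrets/coturn_shared_secret)`, and rotate the real secret if this value was ever deployed. `$secret` and `$username` are also unquoted when passed to openssl and echo; `-hmac "$secret"` guards against word splitting should the secret ever contain whitespace. `expiry=8400` is 2h20m — if a day was intended that is `86400` — and since the file has no shebang, no description and its name is not visible on this page, a header comment stating that it derives TURN REST credentials for a manual check would help.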
@ -0,0 +1,15 @@
|
||||||
|
use-auth-secret
|
||||||
|
static-auth-secret={{ secret "coturn_shared_secret" }}
|
||||||
|
realm=turn.{{ env "DOMAIN" }}
|
||||||
|
|
||||||
|
log-file=stdout
|
||||||
|
pidfile=/var/tmp/turnserver.pid
|
||||||
|
userdb=/var/tmp/turnserver.db
|
||||||
|
|
||||||
|
no-cli
|
||||||
|
|
||||||
|
no-tls
|
||||||
|
no-dtls
|
||||||
|
|
||||||
|
prod
|
||||||
|
no-tcp-relay
|
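Review bot: With `coturn` on host networking and no peer restrictions in this config, the relay can be asked to forward traffic to addresses on the host's own networks, including loopback and the RFC 1918 ranges; the Synapse turn-howto that the entrypoint links recommends (at least in current revisions) `no-multicast-peers` plus `denied-peer-ip` entries for the private ranges, and a `user-quota`/`total-quota` pair to bound abuse — these belong here since this is the only config the stack ships. `no-tls`/`no-dtls` are consistent with Synapse only being given `turn:` URIs, but a comment saying so (and that `use-auth-secret` issues HMAC-derived, time-limited credentials, so no static password crosses the wire) would stop a later hardening pass from re-enabling TLS without a certificate. `realm=turn.{{ env "DOMAIN" }}` names a host that nothing else in the compare provisions; if it is meant only as a label, say so in a comment.
```ini
# … unchanged: use-auth-secret, static-auth-secret, realm …
no-multicast-peers
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
# … unchanged: logging, no-cli, no-tls, no-dtls, prod, no-tcp-relay …
```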