Pin docker image tag

[ci skip]

.envrc.sample

@@ -1,6 +1,11 @@
-export DOMAIN=matrix.example.com
 export STACK_NAME=matrix
+export APP=matrix
 
+export DOMAIN=matrix.example.com
 export LETS_ENCRYPT_ENV=production
 
 export ENTRYPOINT_CONF_VERSION=v1
+
+## TURN server
+#export TURNSERVER_CONF_VERSION=v1
+#export COTURN_SHARED_SECRET_VERSION=v1

README.md

@@ -9,9 +9,10 @@ image][synapse-docker].
 3. Edit `.envrc` - be sure to change `$DOMAIN` to something that resolves to
    your Docker swarm box
 4. `direnv allow` (or `. .envrc`)
+4. `abra secret_generate coturn_shared_secret`
 5. `abra deploy`
 6. `abra service_run synapse` to open a shell
-7. `register_new_matrix_user -c /data/homeserver.yaml http://localhost:8008`
+7. `abra register_new_matrix_user`
 
 [synapse-docker]: https://hub.docker.com/r/matrixdotorg/synapse
 [abra]: https://git.autonomic.zone/autonomic-cooperative/abra

abra-commands.sh

@@ -0,0 +1,3 @@
+sub_register_new_matrix_user() {
+	abra run synapse register_new_matrix_user -c /data/homeserver.yaml http://localhost:8008
+}

compose.coturn.yml

@@ -0,0 +1,35 @@
+services:
+  app:
+    environment:
+      - TURN_SERVER=${DOMAIN}
+      - TURN_PORT=3478
+    secrets:
+      - coturn_shared_secret
+
+  coturn:
+    image: instrumentisto/coturn:latest
+    networks:
+     - swarm_host
+    secrets:
+      - coturn_shared_secret
+    configs:
+      - source: turnserver_conf
+        target: /etc/coturn/turnserver.conf
+
+configs:
+  turnserver_conf:
+    name: ${STACK_NAME}_turnserver_conf_${TURNSERVER_CONF_VERSION}
+    file: turnserver.conf.tmpl
+    template_driver: golang
+
+secrets:
+  coturn_shared_secret:    
+    external: true 
+    name: ${STACK_NAME}_coturn_shared_secret_${COTURN_SHARED_SECRET_VERSION}
+
+networks:
+  # use host-mode networking until Docker can handle mass port-forwards:
+  # https://github.com/moby/moby/issues/11185
+  swarm_host:
+    external:
+      name: 'host'

compose.yml

@@ -2,10 +2,10 @@
 version: "3.8"
 
 services:
-  synapse:
+  app:
-    image: "matrixdotorg/synapse:latest"
+    image: "matrixdotorg/synapse:v1.9.1"
     volumes:
-      - "data:/data"
+      - "synapse:/data"
     environment:
       - VIRTUAL_HOST=${DOMAIN}
       - VIRTUAL_PORT=8008
@@ -14,31 +14,33 @@ services:
       - SYNAPSE_REPORT_STATS=no
     networks: 
       - proxy
+    configs:
+      - source: entrypoint_conf
+        target: /docker-entrypoint.sh
+        mode: 0555
+    entrypoint: /docker-entrypoint.sh
     deploy:
-      labels:
-        - "traefik.enable=true"
-        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8008"
-        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
-        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
-        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
       restart_policy:
         condition: on-failure
         delay: "60s"
         max_attempts: 3
         window: 120s
-    entrypoint: /docker-entrypoint.sh
+      labels:
-    configs:
+        - "traefik.enable=true"
-      - source: entrypoint_conf
+        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8008"
-        target: /docker-entrypoint.sh
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
-        mode: 0555
+        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
+        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
 
 volumes:
-  data:
+  synapse:
 
 networks:
   proxy:
     external: true
-  internal:
 
 configs:
   entrypoint_conf:

entrypoint.sh.tmpl

@@ -2,6 +2,17 @@
 
 if [[ ! -f /data/homeserver.yaml ]]; then
 	/start.py generate
+
+	apt update && apt install -y wget
+	wget https://github.com/mikefarah/yq/releases/download/3.3.2/yq_linux_amd64 && \
+		chmod +x yq_linux_amd64 && \
+		mv yq_linux_amd64 /bin/yq
+
+	# turn (https://github.com/matrix-org/synapse/blob/master/docs/turn-howto.md#synapse-setup)
+	yq w -i /data/homeserver.yaml turn_uris "[]"
+	yq w -i /data/homeserver.yaml turn_uris\[0\] "turn:${TURN_SERVER}:${TURN_PORT}?transport=udp"
+	yq w -i /data/homeserver.yaml turn_uris\[1\] "turn:${TURN_SERVER}:${TURN_PORT}?transport=tcp"
+	yq w -i /data/homeserver.yaml coturn_shared_secret "$(tr -d \"\n\" < /run/secrets/coturn_shared_secret)"
 fi
 
 /start.py

gen.sh

@@ -0,0 +1,6 @@
+secret="screw\$naval5seem!herb" && \
+time=$(date +%s) && \
+expiry=8400 && \
+username=$(( $time + $expiry )) &&\
+echo username:$username && \
+echo password : $(echo -n $username | openssl dgst -binary -sha1 -hmac $secret | openssl base64)

turnserver.conf.tmpl

@@ -0,0 +1,15 @@
+use-auth-secret
+static-auth-secret={{ secret "coturn_shared_secret" }}
+realm=turn.{{ env "DOMAIN" }}
+
+log-file=stdout
+pidfile=/var/tmp/turnserver.pid
+userdb=/var/tmp/turnserver.db
+
+no-cli
+
+no-tls
+no-dtls
+
+prod
+no-tcp-relay