From 71ccebb6eb0921d2a1a4f1d09b40ef42966b797f Mon Sep 17 00:00:00 2001
From: Mac Chaffee
Date: Sun, 25 May 2025 13:58:24 -0400
Subject: [PATCH] Remove dependency on nginx
---
 .env.sample | 15 +++++-----
 README.md | 29 +++++++++++--------
 compose.admin.yml | 4 ---
 compose.yml | 52 ++++++-----------------------
 nginx.conf.tmpl | 55 -------------------------------------
 well_known_client.conf.tmpl | 5 ----
 well_known_server.conf.tmpl | 3 --
 7 files changed, 33 insertions(+), 130 deletions(-)
 delete mode 100644 nginx.conf.tmpl
 delete mode 100644 well_known_client.conf.tmpl
 delete mode 100644 well_known_server.conf.tmpl
diff --git a/.env.sample b/.env.sample
index 4cffa95..905ccdd 100644
--- a/.env.sample
+++ b/.env.sample
@@ -23,7 +23,7 @@ SECRET_REGISTRATION_VERSION=v1
 #DISABLE_FEDERATION=1
-# Set "true" to enable federation endpoint on $DOMAIN/.well-known/matrix/server
+# See https://matrix-org.github.io/synapse/v1.98/delegate.html
 SERVE_SERVER_WELLKNOWN=false
 ALLOW_PUBLIC_ROOMS_FEDERATION=false
@@ -47,17 +47,18 @@ PASSWORD_LOGIN_ENABLED=true
 SQL_LOG_LEVEL=WARN
 ROOT_LOG_LEVEL=WARN
-# for nginx
-NGINX_ACCESS_LOG_LOCATION="/dev/null"
-NGINX_ERROR_LOG_LOCATION="/dev/null"
-# Comment the previous two lines and uncomment these to enable logging
-#NGINX_ACCESS_LOG_LOCATION="/dev/stdout"
-#NGINX_ERROR_LOG_LOCATION="/dev/stderr"
+
+## Traefik
+
+# Synapse always stores IPs, so we don't send it any real IPs (via x-forwarded-for) by default. See #38
+TRAEFIK_MIDDLEWARES=remove-xff,max-body
+TRAEFIK_MAX_REQUEST_BODY_BYTES=50000000
 ## Privacy
 ENABLE_3PID_LOOKUP=true
+# Real IPs are hidden by default unless you change TRAEFIK_MIDDLEWARES
 USER_IPS_MAX_AGE=1d
 ENCRYPTED_BY_DEFAULT=all
diff --git a/README.md b/README.md
index b737ee3..862161a 100644
--- a/README.md
+++ b/README.md
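Review bot: The replaced comment above `SERVE_SERVER_WELLKNOWN=false` in the first hunk now only links to a version-pinned Synapse page (v1.98) and no longer says what the flag does, while the README section added in this same commit links to the element-hq "latest" delegation docs; keep a one-line description next to the link, e.g. `# Set "true" to serve $DOMAIN/.well-known/matrix/server so other homeservers federate via port 443 (delegation): https://element-hq.github.io/synapse/latest/delegate.html`. In the second hunk, the comment on `TRAEFIK_MIDDLEWARES` explains the privacy default, but an operator who drops `remove-xff` to get real client IPs also needs the Synapse listener to trust the forwarded header (`x_forwarded`), which is presumably set in the homeserver template and is not mentioned here; a note such as `# If you remove remove-xff, confirm the Synapse listener has x_forwarded enabled, otherwise the header is ignored or spoofable` would avoid missing or attacker-controlled IPs in Synapse's records. `max-body` and `remove-xff` are also referenced by name here and defined in compose.yml, so renaming one side without the other silently drops the body-size limit or the header stripping.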
@@ -18,9 +18,9 @@
 1. Set up Docker Swarm and [`abra`](https://docs.coopcloud.tech/abra/)
 2. Deploy [`coop-cloud/traefik`](https://git.coopcloud.tech/coop-cloud/traefik)
 3. `abra app new matrix-synapse --secrets` (optionally with `--pass` if you'd like to save secrets in `pass`)
-4. `abra app config YOURAPPDOMAIN` - be sure to change `$DOMAIN` to something that resolves to your Docker swarm box
+4. `abra app config YOURAPPDOMAIN` - be sure to change `YOURAPPDOMAIN` to something that resolves to your server running coop-cloud.
 5. `abra app deploy YOURAPPDOMAIN`
-6. Create an initial user: `abra app run YOURAPPDOMAIN app register_new_matrix_user -c /data/homeserver.yaml http://localhost:8008`
+6. Create an initial user: `abra app run YOURAPPDOMAIN app -- register_new_matrix_user -c /data/homeserver.yaml http://localhost:8008`
 ## Tips & Tricks
@@ -32,18 +32,23 @@
 `abra app cmd YOURAPPDOMAIN db set_admin `
+## Federation
+
+Federation is how users on different servers can participate in the same chat room. Enabling federation involves allowing other Matrix servers to connect to yours, generally over port 8448. Once enabled, you can test federation at https://federationtester.matrix.org/
+
+### Enabling federation on port 8448
+
+In this recipe, federation is enabled by default, but you have to configure traefik to expose the federation port (8448) by adding [`COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"`](https://git.coopcloud.tech/coop-cloud/traefik/src/commit/830559895e3eb680d72211118c9af8eb6f026060/.env.sample#L143) to your traefik config. You may also have to update port-forwarding rules or firewall rules to open port 8448.
+
+### Enabling federation on port 443
+
+Alternatively, it might be easier to use a feature called [delegation](https://element-hq.github.io/synapse/latest/delegate.html), which tells other Matrix servers to use port 443 for federation instead of port 8448. To use this method, set `SERVE_SERVER_WELLKNOWN=true` in the app config.
+
+Note that if your synapse instance is running on a subdomain like `matrix.example.com` but you want your Matrix usernames to use the base domain (`example.com`), you will need to set `SERVER_NAME=` and configure your base domain to redirect requests to `/.well-known/matrix/*` to your synapse instance. More details [here](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-2-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server).
+
 ### Disabling federation
-- Use `DISABLE_FEDERATION=1` to turn off federation listeners
-- Don't use [`compose.matrix.yml`](https://git.coopcloud.tech/coop-cloud/traefik/src/branch/master/compose.matrix.yml) in your traefik config to keep the federation ports closed
-
-### Enabling federation
-
-See [`#27`](https://git.coopcloud.tech/coop-cloud/matrix-synapse/pulls/27) for more. Depending on your setup, using `SERVE_SERVER_WELLKNOWN=true` might work to start federating. Make sure you don't leave `DISABLE_FEDERATION=1` set!
-
-### Getting client discovery on a custom domain
-
-You'll need to deploy something like [this](https://git.autonomic.zone/ruangrupa/well-known-uris). This could be implemented in this recipe but we haven't merged it in yet. Change sets are welcome.
+If you want to completely block federation, set `DISABLE_FEDERATION=1` and do not do either of steps mentioned in the previous two sections.
 ## Bridges
 For all Bridges:
diff --git a/compose.admin.yml b/compose.admin.yml
index a8b3c07..d335eac 100644
--- a/compose.admin.yml
+++ b/compose.admin.yml
@@ -29,9 +29,6 @@ services:
 timeout: 10s
 retries: 10
 start_period: 1m
- web:
- environment:
- - ADMIN_INTERFACE_ENABLED
 networks:
@@ -43,4 +40,3 @@ configs:
 name: ${STACK_NAME}_admin_config_${ADMIN_CONFIG_VERSION}
 file: admin.conf.tmpl
 template_driver: golang
-
diff --git a/compose.yml b/compose.yml
index 0ddd2ac..948b5b4 100644
--- a/compose.yml
+++ b/compose.yml
@@ -2,38 +2,6 @@ version: "3.8"
 services:
- web:
- image: nginx:1.27.4
- networks:
- - proxy
- - internal
- environment:
- - DOMAIN
- - STACK_NAME
- - NGINX_ACCESS_LOG_LOCATION
- - NGINX_ERROR_LOG_LOCATION
- configs:
- - source: nginx_config
- target: /etc/nginx/nginx.conf
- - source: wk_server
- target: /var/www/.well-known/matrix/server
- - source: wk_client
- target: /var/www/.well-known/matrix/client
- deploy:
- restart_policy:
- condition: on-failure
- labels:
- - "traefik.enable=true"
- - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
- - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
- - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
- - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
- healthcheck:
- test: curl -f http://${STACK_NAME}_app:8008/health || exit 1
- interval: 20s
- timeout: 15s
- retries: 20
-
 app:
 image: "matrixdotorg/synapse:v1.124.0"
 volumes:
@@ -92,6 +60,14 @@ services:
 restart_policy:
 condition: on-failure
 labels:
+ - "traefik.enable=true"
+ - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8008"
+ - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
+ - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+ - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
+ - "traefik.http.middlewares.max-body.buffering.maxRequestBodyBytes=${TRAEFIK_MAX_REQUEST_BODY_BYTES}"
+ - "traefik.http.middlewares.remove-xff.headers.customrequestheaders.X-Forwarded-For="
+ - "traefik.http.routers.${STACK_NAME}.middlewares=${TRAEFIK_MIDDLEWARES}"
 - "coop-cloud.${STACK_NAME}.version=6.6.1+v1.124.0"
 - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
 healthcheck:
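Review bot: Pointing the Traefik router straight at port 8008 in the added labels of the second hunk exposes every path the Synapse listener serves under Host(`${DOMAIN}`), including `/_synapse/admin`, which the removed nginx config only proxied when `ADMIN_INTERFACE_ENABLED` was set and then gated on a Referer check; the `app` service definition itself starts outside this hunk. The admin API is still protected by admin access-token auth, but the change in exposed surface should be recorded next to the labels, e.g. `# Traefik forwards the whole port-8008 listener, including /_synapse/admin; only Synapse's own auth protects it now`. The `remove-xff` middleware blanks X-Forwarded-For before forwarding, but whether Traefik's proxying step appends the client address again after the middleware runs is not visible from this file, so the "no real IPs" intent in .env.sample is worth confirming by checking what Synapse records for a test request. nginx also used to set `X-Forwarded-Proto https` explicitly; if the Synapse listener relies on that header for correct scheme handling, verify that the web-secure entrypoint supplies it.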
@@ -156,18 +132,6 @@ configs:
 name: ${STACK_NAME}_log_config_${LOG_CONFIG_VERSION}
 file: log.config.tmpl
 template_driver: golang
- nginx_config:
- name: ${STACK_NAME}_nginx_config_${NGINX_CONFIG_VERSION}
- file: nginx.conf.tmpl
- template_driver: golang
- wk_server:
- name: ${STACK_NAME}_wk_server_${WK_SERVER_VERSION}
- file: well_known_server.conf.tmpl
- template_driver: golang
- wk_client:
- name: ${STACK_NAME}_wk_client_${WK_CLIENT_VERSION}
- file: well_known_client.conf.tmpl
- template_driver: golang
 pg_backup:
 name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
 file: pg_backup.sh
diff --git a/nginx.conf.tmpl b/nginx.conf.tmpl
deleted file mode 100644
index db5514b..0000000
--- a/nginx.conf.tmpl
+++ /dev/null
@@ -1,55 +0,0 @@
-user www-data;
-
-events {
- worker_connections 768;
-}
-
-http {
- server {
- listen 80;
-
- access_log {{ or (env "NGINX_ACCESS_LOG_LOCATION") "/dev/null" }};
- error_log {{ or (env "NGINX_ERROR_LOG_LOCATION") "/dev/null" }};
-
- server_name {{ env "DOMAIN" }};
-
- location = / {
- proxy_pass http://{{ env "STACK_NAME"}}_app:8008;
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header X-Forwarded-Proto https;
- proxy_set_header Host $host;
- client_max_body_size 50M;
- proxy_http_version 1.1;
- }
-
- location ~* ^(\/_matrix|\/_synapse\/client) {
- proxy_pass http://{{ env "STACK_NAME"}}_app:8008;
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header X-Forwarded-Proto https;
- proxy_set_header Host $host;
- client_max_body_size 50M;
- proxy_http_version 1.1;
- }
-
- location /.well-known/matrix/ {
- root /var/www/;
- default_type application/json;
- add_header Access-Control-Allow-Origin *;
- }
-
-{{ if eq (env "ADMIN_INTERFACE_ENABLED") "1" }}
- location ^~ /_synapse/admin {
- if ($http_referer !~ "^https://{{ env "DOMAIN" }}/admin/") {
- return 403;
- }
- proxy_pass http://{{ env "STACK_NAME"}}_app:8008;
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header X-Forwarded-Proto https;
- proxy_set_header Host $host;
- client_max_body_size 50M;
- proxy_http_version 1.1;
- }
-{{ end }}
-
- }
-}
diff --git a/well_known_client.conf.tmpl b/well_known_client.conf.tmpl
deleted file mode 100644
index 8cacb96..0000000
--- a/well_known_client.conf.tmpl
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "m.homeserver": {
- "base_url": "https://{{ env "DOMAIN" }}"
- }
-}
diff --git a/well_known_server.conf.tmpl b/well_known_server.conf.tmpl
deleted file mode 100644
index af17da2..0000000
--- a/well_known_server.conf.tmpl
+++ /dev/null
@@ -1,3 +0,0 @@
-{
- "m.server": "{{ env "DOMAIN" }}:443"
-}
--
2.47.2