WIP: Remove dependency on nginx #48
15
.env.sample
15
.env.sample
@ -23,7 +23,7 @@ SECRET_REGISTRATION_VERSION=v1
|
||||
|
||||
#DISABLE_FEDERATION=1
|
||||
|
||||
# Set "true" to enable federation endpoint on $DOMAIN/.well-known/matrix/server
|
||||
# See https://matrix-org.github.io/synapse/v1.98/delegate.html
|
||||
SERVE_SERVER_WELLKNOWN=false
|
||||
|
||||
ALLOW_PUBLIC_ROOMS_FEDERATION=false
|
||||
@ -47,17 +47,18 @@ PASSWORD_LOGIN_ENABLED=true
|
||||
SQL_LOG_LEVEL=WARN
|
||||
ROOT_LOG_LEVEL=WARN
|
||||
|
||||
# for nginx
|
||||
NGINX_ACCESS_LOG_LOCATION="/dev/null"
|
||||
NGINX_ERROR_LOG_LOCATION="/dev/null"
|
||||
# Comment the previous two lines and uncomment these to enable logging
|
||||
#NGINX_ACCESS_LOG_LOCATION="/dev/stdout"
|
||||
#NGINX_ERROR_LOG_LOCATION="/dev/stderr"
|
||||
|
||||
## Traefik
|
||||
|
||||
# Synapse always stores IPs, so we don't send it any real IPs (via x-forwarded-for) by default. See #38
|
||||
TRAEFIK_MIDDLEWARES=remove-xff,max-body
|
||||
TRAEFIK_MAX_REQUEST_BODY_BYTES=50000000
|
||||
|
||||
## Privacy
|
||||
|
||||
ENABLE_3PID_LOOKUP=true
|
||||
|
||||
# Real IPs are hidden by default unless you change TRAEFIK_MIDDLEWARES
|
||||
USER_IPS_MAX_AGE=1d
|
||||
|
||||
ENCRYPTED_BY_DEFAULT=all
|
||||
|
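Review bot: The new default `TRAEFIK_MIDDLEWARES=remove-xff,max-body` means Synapse never sees a client address, so every per-IP control inside it (presumably the `rc_login`/`rc_registration` address limits, the `user_ips` records that `USER_IPS_MAX_AGE=1d` expires, new-login notifications) applies to the proxy's single address; the deleted `nginx.conf.tmpl` set `X-Forwarded-For $remote_addr`, which behind Traefik was already the proxy's address, so this keeps existing behaviour rather than changing it. The trade-off is not stated next to the setting: one abusive client now exhausts the shared address rate limit for everyone, and IP-based login auditing is effectively off. Suggest extending the comment on the line above `TRAEFIK_MIDDLEWARES`, e.g. `# With remove-xff all clients share the proxy IP: Synapse's per-IP rate limits and login-IP audit apply to everyone together. Drop remove-xff if you need per-client limits.` The federation comment in the first hunk still links the `v1.98` docs while compose.yml runs `v1.124.0` and the README hunk uses the element-hq URL; pointing both at the same page avoids drift.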
29
README.md
29
README.md
@ -18,9 +18,9 @@
|
||||
1. Set up Docker Swarm and [`abra`](https://docs.coopcloud.tech/abra/)
|
||||
2. Deploy [`coop-cloud/traefik`](https://git.coopcloud.tech/coop-cloud/traefik)
|
||||
3. `abra app new matrix-synapse --secrets` (optionally with `--pass` if you'd like to save secrets in `pass`)
|
||||
4. `abra app config YOURAPPDOMAIN` - be sure to change `$DOMAIN` to something that resolves to your Docker swarm box
|
||||
4. `abra app config YOURAPPDOMAIN` - be sure to change `YOURAPPDOMAIN` to something that resolves to your server running coop-cloud.
|
||||
5. `abra app deploy YOURAPPDOMAIN`
|
||||
6. Create an initial user: `abra app run YOURAPPDOMAIN app register_new_matrix_user -c /data/homeserver.yaml http://localhost:8008`
|
||||
6. Create an initial user: `abra app run YOURAPPDOMAIN app -- register_new_matrix_user -c /data/homeserver.yaml http://localhost:8008`
|
||||
|
||||
## Tips & Tricks
|
||||
|
||||
@ -32,18 +32,23 @@
|
||||
|
||||
`abra app cmd YOURAPPDOMAIN db set_admin <adminuser>`
|
||||
|
||||
## Federation
|
||||
|
||||
Federation is how users on different servers can participate in the same chat room. Enabling federation involves allowing other Matrix servers to connect to yours, generally over port 8448. Once enabled, you can test federation at https://federationtester.matrix.org/
|
||||
|
||||
### Enabling federation on port 8448
|
||||
|
||||
In this recipe, federation is enabled by default, but you have to configure traefik to expose the federation port (8448) by adding [`COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"`](https://git.coopcloud.tech/coop-cloud/traefik/src/commit/830559895e3eb680d72211118c9af8eb6f026060/.env.sample#L143) to your traefik config. You may also have to update port-forwarding rules or firewall rules to open port 8448.
|
||||
|
||||
### Enabling federation on port 443
|
||||
|
||||
Alternatively, it might be easier to use a feature called [delegation](https://element-hq.github.io/synapse/latest/delegate.html), which tells other Matrix servers to use port 443 for federation instead of port 8448. To use this method, set `SERVE_SERVER_WELLKNOWN=true` in the app config.
|
||||
|
||||
Note that if your synapse instance is running on a subdomain like `matrix.example.com` but you want your Matrix usernames to use the base domain (`example.com`), you will need to set `SERVER_NAME=<your base domain>` and configure your base domain to redirect requests to `/.well-known/matrix/*` to your synapse instance. More details [here](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-2-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server).
|
||||
|
||||
### Disabling federation
|
||||
|
||||
- Use `DISABLE_FEDERATION=1` to turn off federation listeners
|
||||
- Don't use [`compose.matrix.yml`](https://git.coopcloud.tech/coop-cloud/traefik/src/branch/master/compose.matrix.yml) in your traefik config to keep the federation ports closed
|
||||
|
||||
### Enabling federation
|
||||
|
||||
See [`#27`](https://git.coopcloud.tech/coop-cloud/matrix-synapse/pulls/27) for more. Depending on your setup, using `SERVE_SERVER_WELLKNOWN=true` might work to start federating. Make sure you don't leave `DISABLE_FEDERATION=1` set!
|
||||
|
||||
### Getting client discovery on a custom domain
|
||||
|
||||
You'll need to deploy something like [this](https://git.autonomic.zone/ruangrupa/well-known-uris). This could be implemented in this recipe but we haven't merged it in yet. Change sets are welcome.
|
||||
If you want to completely block federation, set `DISABLE_FEDERATION=1` and do not do either of steps mentioned in the previous two sections.
|
||||
|
||||
## Bridges
|
||||
For all Bridges:
|
||||
|
@ -29,9 +29,6 @@ services:
|
||||
timeout: 10s
|
||||
retries: 10
|
||||
start_period: 1m
|
||||
web:
|
||||
environment:
|
||||
- ADMIN_INTERFACE_ENABLED
|
||||
|
||||
|
||||
networks:
|
||||
@ -43,4 +40,3 @@ configs:
|
||||
name: ${STACK_NAME}_admin_config_${ADMIN_CONFIG_VERSION}
|
||||
file: admin.conf.tmpl
|
||||
template_driver: golang
|
||||
|
||||
|
52
compose.yml
52
compose.yml
@ -2,38 +2,6 @@
|
||||
version: "3.8"
|
||||
|
||||
services:
|
||||
web:
|
||||
image: nginx:1.27.4
|
||||
networks:
|
||||
- proxy
|
||||
- internal
|
||||
environment:
|
||||
- DOMAIN
|
||||
- STACK_NAME
|
||||
- NGINX_ACCESS_LOG_LOCATION
|
||||
- NGINX_ERROR_LOG_LOCATION
|
||||
configs:
|
||||
- source: nginx_config
|
||||
target: /etc/nginx/nginx.conf
|
||||
- source: wk_server
|
||||
target: /var/www/.well-known/matrix/server
|
||||
- source: wk_client
|
||||
target: /var/www/.well-known/matrix/client
|
||||
deploy:
|
||||
restart_policy:
|
||||
condition: on-failure
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
- "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
|
||||
- "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
|
||||
- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
|
||||
- "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
||||
healthcheck:
|
||||
test: curl -f http://${STACK_NAME}_app:8008/health || exit 1
|
||||
interval: 20s
|
||||
timeout: 15s
|
||||
retries: 20
|
||||
|
||||
app:
|
||||
image: "matrixdotorg/synapse:v1.124.0"
|
||||
volumes:
|
||||
@ -92,6 +60,14 @@ services:
|
||||
restart_policy:
|
||||
condition: on-failure
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
- "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8008"
|
||||
- "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
|
||||
- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
|
||||
- "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
||||
- "traefik.http.middlewares.max-body.buffering.maxRequestBodyBytes=${TRAEFIK_MAX_REQUEST_BODY_BYTES}"
|
||||
- "traefik.http.middlewares.remove-xff.headers.customrequestheaders.X-Forwarded-For="
|
||||
- "traefik.http.routers.${STACK_NAME}.middlewares=${TRAEFIK_MIDDLEWARES}"
|
||||
- "coop-cloud.${STACK_NAME}.version=6.6.1+v1.124.0"
|
||||
- "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
|
||||
healthcheck:
|
||||
@ -156,18 +132,6 @@ configs:
|
||||
name: ${STACK_NAME}_log_config_${LOG_CONFIG_VERSION}
|
||||
file: log.config.tmpl
|
||||
template_driver: golang
|
||||
nginx_config:
|
||||
name: ${STACK_NAME}_nginx_config_${NGINX_CONFIG_VERSION}
|
||||
file: nginx.conf.tmpl
|
||||
template_driver: golang
|
||||
wk_server:
|
||||
name: ${STACK_NAME}_wk_server_${WK_SERVER_VERSION}
|
||||
file: well_known_server.conf.tmpl
|
||||
template_driver: golang
|
||||
wk_client:
|
||||
name: ${STACK_NAME}_wk_client_${WK_CLIENT_VERSION}
|
||||
file: well_known_client.conf.tmpl
|
||||
template_driver: golang
|
||||
pg_backup:
|
||||
name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
|
||||
file: pg_backup.sh
|
||||
|
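Review bot: The added `traefik.http.routers.${STACK_NAME}.rule` label on the `app` service is a bare Host match, so every path on `${DOMAIN}` now reaches the Synapse client listener on 8008, whereas the deleted `nginx.conf.tmpl` only proxied `/`, `/_matrix`, `/_synapse/client` and `/.well-known/matrix/`, and exposed `/_synapse/admin` only when `ADMIN_INTERFACE_ENABLED` was `1` (the admin-compose hunk also drops that variable from the removed `web` service). Unless the Synapse listener config, which is not in this diff, restricts resources, the admin API is now reachable unconditionally; it is still token-gated, but the old path gate was defence in depth and the README hunk does not mention the change. Consider a second router with a `PathPrefix` rule for `/_synapse/admin` that is only defined when the admin interface is enabled, optionally with an IP allow-list middleware, and note the new exposure in the README. Removing the `wk_server`/`wk_client` configs also means `/.well-known/matrix/server` and `/.well-known/matrix/client` must now come from Synapse itself (presumably `serve_server_wellknown` and `public_baseurl`); confirm the rendered values match the deleted templates, where `m.server` was `${DOMAIN}:443` and `base_url` was `https://${DOMAIN}`.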
@ -1,55 +0,0 @@
|
||||
user www-data;
|
||||
|
||||
events {
|
||||
worker_connections 768;
|
||||
}
|
||||
|
||||
http {
|
||||
server {
|
||||
listen 80;
|
||||
|
||||
access_log {{ or (env "NGINX_ACCESS_LOG_LOCATION") "/dev/null" }};
|
||||
error_log {{ or (env "NGINX_ERROR_LOG_LOCATION") "/dev/null" }};
|
||||
|
||||
server_name {{ env "DOMAIN" }};
|
||||
|
||||
location = / {
|
||||
proxy_pass http://{{ env "STACK_NAME"}}_app:8008;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header Host $host;
|
||||
client_max_body_size 50M;
|
||||
proxy_http_version 1.1;
|
||||
}
|
||||
|
||||
location ~* ^(\/_matrix|\/_synapse\/client) {
|
||||
proxy_pass http://{{ env "STACK_NAME"}}_app:8008;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header Host $host;
|
||||
client_max_body_size 50M;
|
||||
proxy_http_version 1.1;
|
||||
}
|
||||
|
||||
location /.well-known/matrix/ {
|
||||
root /var/www/;
|
||||
default_type application/json;
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
}
|
||||
|
||||
{{ if eq (env "ADMIN_INTERFACE_ENABLED") "1" }}
|
||||
location ^~ /_synapse/admin {
|
||||
if ($http_referer !~ "^https://{{ env "DOMAIN" }}/admin/") {
|
||||
return 403;
|
||||
}
|
||||
proxy_pass http://{{ env "STACK_NAME"}}_app:8008;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header Host $host;
|
||||
client_max_body_size 50M;
|
||||
proxy_http_version 1.1;
|
||||
}
|
||||
{{ end }}
|
||||
|
||||
}
|
||||
}
|
@ -1,5 +0,0 @@
|
||||
{
|
||||
"m.homeserver": {
|
||||
"base_url": "https://{{ env "DOMAIN" }}"
|
||||
}
|
||||
}
|
@ -1,3 +0,0 @@
|
||||
{
|
||||
"m.server": "{{ env "DOMAIN" }}:443"
|
||||
}
|