Skip to content
Snippets Groups Projects
Commit 5582c78b authored by nimrod's avatar nimrod
Browse files

Merge branch 'matrix'

parents 3bbd6c9a 0c9178f2
Branches
No related tags found
No related merge requests found
Pipeline #3675 passed
Showing
with 314 additions and 20 deletions
...@@ -101,3 +101,29 @@ web-proxy host01 run: ...@@ -101,3 +101,29 @@ web-proxy host01 run:
WORKDIR: Compose/web-proxy/host01 WORKDIR: Compose/web-proxy/host01
when: manual when: manual
rules: *compose-rules rules: *compose-rules
# Matrix Compose deployment.
matrix-build:
extends: .compose-build
tags: &matrix-tags [host01.shore.co.il]
variables: &matrix-vars
WORKDIR: Compose/matrix
matrix-pull:
extends: .compose-pull
tags: *matrix-tags
variables: *matrix-vars
matrix-run:
extends: .compose-run
tags: *matrix-tags
variables: *matrix-vars
needs:
- job: matrix-build
- job: matrix-pull
after_script:
# yamllint disable rule:line-length
- docker-compose exec synapse sh -c "while [ ! -f /conf/homeserver.yaml ]; do echo Waiting for the config file.; sleep 1; done"
- docker-compose exec synapse update_synapse_database --run-background-updates --database-config /conf/homeserver.yaml
# yamllint enable rule:line-length
...@@ -12,7 +12,8 @@ repos: ...@@ -12,7 +12,8 @@ repos:
- id: check-toml - id: check-toml
- id: check-xml - id: check-xml
- id: check-yaml - id: check-yaml
exclude: ^Ansible/roles/(wap|router)/vars/main\.yaml$ # yamllint disable-line rule:line-length
exclude: ^Ansible/roles/(wap|router)/vars/main\.yaml$|^Compose/matrix/synapse/homeserver\.yaml$
- id: detect-private-key - id: detect-private-key
- id: end-of-file-fixer - id: end-of-file-fixer
- id: trailing-whitespace - id: trailing-whitespace
...@@ -50,6 +51,7 @@ repos: ...@@ -50,6 +51,7 @@ repos:
rev: v1.26.3 rev: v1.26.3
hooks: hooks:
- id: yamllint - id: yamllint
exclude: ^Compose/matrix/synapse/homeserver\.yaml$$
- repo: https://github.com/executablebooks/mdformat.git - repo: https://github.com/executablebooks/mdformat.git
rev: 0.7.10 rev: 0.7.10
......
...@@ -69,6 +69,7 @@ ...@@ -69,6 +69,7 @@
- nextcloud.shore.co.il - nextcloud.shore.co.il
- ns1.shore.co.il - ns1.shore.co.il
- notify.shore.co.il - notify.shore.co.il
- matrix.shore.co.il
- sogo.shore.co.il - sogo.shore.co.il
- vouch.shore.co.il - vouch.shore.co.il
- zpush.shore.co.il - zpush.shore.co.il
......
...@@ -2,11 +2,12 @@ ...@@ -2,11 +2,12 @@
$TTL 1h $TTL 1h
$ORIGIN shore.co.il. $ORIGIN shore.co.il.
@ IN SOA ns1 hostmaster ( @ IN SOA ns1 hostmaster (
2023040801 2023121501 ; Serial
4h 4h ; Refresh
1h 1h ; Retry
4w 4w ; Expire
3h ) 3h ; Negative response cache TTL
)
IN NS ns1 IN NS ns1
IN NS ns4 IN NS ns4
...@@ -63,6 +64,7 @@ kibana IN CNAME ns4 ...@@ -63,6 +64,7 @@ kibana IN CNAME ns4
kodi IN CNAME ns1 kodi IN CNAME ns1
lam IN CNAME ns1 lam IN CNAME ns1
library IN CNAME ns1 library IN CNAME ns1
matrix IN CNAME ns1
mta-sts IN CNAME smtp mta-sts IN CNAME smtp
myip IN CNAME ns4 myip IN CNAME ns4
nextcloud IN CNAME ns1 nextcloud IN CNAME ns1
......
COMPOSE_PROJECT_NAME=matrix
# Matrix
Deploy a Matrix homeserver using
[Synapse](https://element-hq.github.io/synapse/latest/).
---
version: '3.5'
services:
postgres:
environment:
POSTGRES_DB: &postgres_db synapse
POSTGRES_INITDB_ARGS: --encoding=UTF-8 --lc-collate=C --lc-ctype=C
POSTGRES_PASSWORD: &postgres_password "${SYNAPSE_DB_PASS}"
POSTGRES_USER: &postgres_user synapse
image: registry.shore.co.il/postgres
restart: always
volumes:
- postgres:/var/lib/postgresql/data
synapse:
build:
context: synapse/
depends_on:
- postgres
environment:
LDAP_URI: ldap://ldap:389
POSTGRES_DB: *postgres_db
POSTGRES_HOST: postgres
POSTGRES_PASSWORD: *postgres_password
POSTGRES_USER: *postgres_user
SYNAPSE_SERVER_NAME: shore.co.il
SIGNING_KEY: "${SYNAPSE_SIGNING_KEY}"
SYNAPSE_ADMIN_CONTACT: "mailto:postmaster@shore.co.il"
SYNAPSE_LOG_LEVEL: WARNING
SYNAPSE_MACAROON_SECRET_KEY: "${SYNAPSE_MACAROON_SECRET_KEY}"
# yamllint disable-line rule:line-length
SYNAPSE_REGISTRATION_SHARED_SECRET: "${SYNAPSE_REGISTRATION_SHARED_SECRET}"
SYNAPSE_SMTP_HOST: smtp
restart: always
volumes:
- data:/data
- _run_slapd:/run/slapd
volumes:
data:
postgres:
_run_slapd:
external: true
name: run_slapd
networks:
default:
name: shore
external: true
*.md
FROM docker.io/matrixdotorg/synapse:v1.98.0
ENV SYNAPSE_CONFIG_DIR=/conf
ENV SYNAPSE_REPORT_STATS=yes
COPY --chown=root:root entrypoint_wrapper /
COPY --chown=root:root homeserver.yaml /conf/
ENTRYPOINT ["/entrypoint_wrapper"]
# Synapse
The Synapse Matrix homeserver. Tweaked to generate the configuration and
secret files from environment variables.
#!/bin/sh
set -eux
# We wrap the default entrypoint script and generate the configuration file and
# other secret files from environment variables, but only if we're running the
# homeserver.
if [ "$#" -eq 0 ] || [ "$1" = run ]
then
if [ -n "${SIGNING_KEY:-}" ]
then
echo "$SIGNING_KEY" > "/conf/${SYNAPSE_SERVER_NAME}.signing.key"
chmod 644 "/conf/${SYNAPSE_SERVER_NAME}.signing.key"
fi
/start.py migrate_config
cat /conf/homeserver.yaml
python3 -m synapse.config -c /conf/homeserver.yaml
fi
exec /start.py "$@"
# vim:ft=yaml
---
# For more information on how to configure Synapse, including a complete accounting of
# each option, go to
# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html
# For the original version of this file go to
# https://github.com/element-hq/synapse/blob/master/docker/conf/homeserver.yaml
server_name: "{{ SYNAPSE_SERVER_NAME }}"
pid_file: /homeserver.pid
web_client: false
soft_file_limit: 0
log_config: "{{ SYNAPSE_LOG_CONFIG }}"
admin_contact: "{{ SYNAPSE_ADMIN_CONTACT }}"
registration_shared_secret: "{{ SYNAPSE_REGISTRATION_SHARED_SECRET }}"
enable_registration: false
## Ports ##
listeners:
- port: {{ SYNAPSE_HTTP_PORT or 8008 }}
tls: false
bind_addresses: ['::']
type: http
x_forwarded: true
resources:
- names: [client]
compress: true
- names: [federation]
compress: false
## Database ##
database:
name: "psycopg2"
args:
user: '{{ POSTGRES_USER or "synapse" }}'
password: '{{ POSTGRES_PASSWORD }}'
database: '{{ POSTGRES_DB or "synapse" }}'
host: '{{ POSTGRES_HOST or "db" }}'
port: '{{ POSTGRES_PORT or "5432" }}'
cp_min: {{ POSTGRES_CP_MIN or 5 }}
cp_max: {{ POSTGRES_CP_MAX or 10 }}
## email ##
email:
notif_from: "Your Friendly %(app)s homeserver <noreply@{{ SYNAPSE_SERVER_NAME }}>"
smtp_host: "{{ SYNAPSE_SMTP_HOST }}"
smtp_pass: "{{ SYNAPSE_SMTP_PASS }}"
smtp_port: "{{ SYNAPSE_SMTP_PORT }}"
smtp_user: "{{ SYNAPSE_SMTP_USER }}"
## Performance ##
event_cache_size: '{{ SYNAPSE_EVENT_CACHE_SIZE or "10K" }}'
## Ratelimiting ##
rc_messages_per_second: 0.2
rc_message_burst_count: 10.0
federation_rc_window_size: 1000
federation_rc_sleep_limit: 10
federation_rc_sleep_delay: 500
federation_rc_reject_limit: 50
federation_rc_concurrent: 3
## Files ##
media_store_path: "/data/media"
max_upload_size: '{{ SYNAPSE_MAX_UPLOAD_SIZE or "50M" }}'
max_image_pixels: "32M"
dynamic_thumbnails: false
# List of thumbnail to precalculate when an image is uploaded.
thumbnail_sizes:
- width: 32
height: 32
method: crop
- width: 96
height: 96
method: crop
- width: 320
height: 240
method: scale
- width: 640
height: 480
method: scale
- width: 800
height: 600
method: scale
url_preview_enabled: false
max_spider_size: "10M"
## Metrics ###
enable_metrics: '{{ SYNAPSE_REPORT_STATS.lower() == "yes" }}'
report_stats: '{{ SYNAPSE_REPORT_STATS.lower() == "yes" }}'
## API Configuration ##
{% if SYNAPSE_APPSERVICES %}
app_service_config_files:
{% for appservice in SYNAPSE_APPSERVICES %}
- "{{ appservice }}"
{% endfor %}
{% endif %}
macaroon_secret_key: "{{ SYNAPSE_MACAROON_SECRET_KEY }}"
expire_access_token: false
## Signing Keys ##
signing_key_path: "/conf/{{ SYNAPSE_SERVER_NAME }}.signing.key"
old_signing_keys: {}
key_refresh_interval: "1d" # 1 Day.
# The trusted servers to download signing keys from.
suppress_key_server_warning: true
trusted_key_servers:
- server_name: matrix.org
verify_keys:
"ed25519:auto": "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw" # pragma: allowlist secret
password_config:
enabled: true
modules:
- module: "ldap_auth_provider.LdapAuthProviderModule"
config:
enabled: true
uri: '{{ LDAP_URI or "ldapi:///run/slapd/ldapi" }}'
start_tls: {{ LDAP_TLS or False }}
base: '{{ LDAP_BASE_DN or "ou=People,dc=shore,dc=co,dc=il" }}'
attributes:
uid: "cn"
mail: "mail"
name: "givenName"
...@@ -16,8 +16,9 @@ server { ...@@ -16,8 +16,9 @@ server {
} }
server { server {
listen 443 ssl http2; listen 443 ssl;
listen [::]:443 ssl http2; listen [::]:443 ssl;
http2 on;
server_name auth.shore.co.il; server_name auth.shore.co.il;
include snippets/robots-disallow-all.conf; include snippets/robots-disallow-all.conf;
include snippets/ads-txt.conf; include snippets/ads-txt.conf;
......
...@@ -13,8 +13,9 @@ server { ...@@ -13,8 +13,9 @@ server {
} }
server { server {
listen 443 ssl http2; listen 443 ssl;
listen [::]:443 ssl http2; listen [::]:443 ssl;
http2 on;
server_name code.shore.co.il; server_name code.shore.co.il;
include snippets/robots-disallow-all.conf; include snippets/robots-disallow-all.conf;
include snippets/ads-txt.conf; include snippets/ads-txt.conf;
......
...@@ -13,8 +13,9 @@ server { ...@@ -13,8 +13,9 @@ server {
} }
server { server {
listen 443 ssl http2; listen 443 ssl;
listen [::]:443 ssl http2; listen [::]:443 ssl;
http2 on;
server_name git.shore.co.il; server_name git.shore.co.il;
include snippets/robots-allow-all.conf; include snippets/robots-allow-all.conf;
include snippets/ads-txt.conf; include snippets/ads-txt.conf;
......
...@@ -13,8 +13,9 @@ server { ...@@ -13,8 +13,9 @@ server {
} }
server { server {
listen 443 ssl http2; listen 443 ssl;
listen [::]:443 ssl http2; listen [::]:443 ssl;
http2 on;
server_name lam.shore.co.il; server_name lam.shore.co.il;
include snippets/robots-disallow-all.conf; include snippets/robots-disallow-all.conf;
include snippets/ads-txt.conf; include snippets/ads-txt.conf;
......
...@@ -10,8 +10,9 @@ server { ...@@ -10,8 +10,9 @@ server {
} }
server { server {
listen 443 ssl http2; listen 443 ssl;
listen [::]:443 ssl http2; listen [::]:443 ssl;
http2 on;
server_name mta-sts.shore.co.il mta-sts.nehe.sr; server_name mta-sts.shore.co.il mta-sts.nehe.sr;
root /var/www/mail.shore.co.il/; root /var/www/mail.shore.co.il/;
include snippets/robots-disallow-all.conf; include snippets/robots-disallow-all.conf;
......
# vim: ft=nginx
map $host $matrix { default synapse; }
server {
listen 80;
listen [::]:80;
server_name matrix.shore.co.il;
include snippets/robots-disallow-all.conf;
include snippets/ads-txt.conf;
include snippets/security-txt.conf;
include snippets/www-acme-challenge.conf;
include snippets/redirect-https.conf;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name matrix.shore.co.il;
include snippets/robots-disallow-all.conf;
include snippets/ads-txt.conf;
include snippets/security-txt.conf;
include snippets/ssl-modern.conf;
location / {
proxy_pass http://$matrix:8008$request_uri;
proxy_http_version 1.1;
include snippets/proxy-headers.conf;
client_max_body_size 50m;
}
}
...@@ -13,8 +13,9 @@ server { ...@@ -13,8 +13,9 @@ server {
} }
server { server {
listen 443 ssl http2; listen 443 ssl;
listen [::]:443 ssl http2; listen [::]:443 ssl;
http2 on;
server_name nextcloud.shore.co.il; server_name nextcloud.shore.co.il;
include snippets/robots-disallow-all.conf; include snippets/robots-disallow-all.conf;
include snippets/ads-txt.conf; include snippets/ads-txt.conf;
......
...@@ -13,8 +13,9 @@ server { ...@@ -13,8 +13,9 @@ server {
} }
server { server {
listen 443 ssl http2; listen 443 ssl;
listen [::]:443 ssl http2; listen [::]:443 ssl;
http2 on;
server_name notify.shore.co.il; server_name notify.shore.co.il;
include snippets/robots-disallow-all.conf; include snippets/robots-disallow-all.conf;
include snippets/ads-txt.conf; include snippets/ads-txt.conf;
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment