.gitlab-ci.yml

@@ -101,3 +101,24 @@ web-proxy host01 run:
     WORKDIR: Compose/web-proxy/host01
   when: manual
   rules: *compose-rules
+
+# Matrix Compose deployment.
+
+matrix-build:
+  extends: .compose-build
+  tags: &matrix-tags [host01.shore.co.il]
+  variables: &matrix-vars
+    WORKDIR: Compose/matrix
+
+matrix-pull:
+  extends: .compose-pull
+  tags: *matrix-tags
+  variables: *matrix-vars
+
+matrix-run:
+  extends: .compose-run
+  tags: *matrix-tags
+  variables: *matrix-vars
+  needs:
+    - job: matrix-build
+    - job: matrix-pull

.pre-commit-config.yaml

@@ -12,7 +12,8 @@ repos:
       - id: check-toml
       - id: check-xml
       - id: check-yaml
-        exclude: ^Ansible/roles/(wap|router)/vars/main\.yaml$
+        # yamllint disable-line rule:line-length
+        exclude: ^Ansible/roles/(wap|router)/vars/main\.yaml$|^Compose/matrix/synapse/homeserver\.yaml$
       - id: detect-private-key
       - id: end-of-file-fixer
       - id: trailing-whitespace
@@ -50,6 +51,7 @@ repos:
     rev: v1.26.3
     hooks:
       - id: yamllint
+        exclude: ^Compose/matrix/synapse/homeserver\.yaml$$
 
   - repo: https://github.com/executablebooks/mdformat.git
     rev: 0.7.10

Compose/matrix/.env

+COMPOSE_PROJECT_NAME=matrix

Compose/matrix/README.md

+# Matrix
+
+Deploy a Matrix homeserver using
+[Synapse](https://element-hq.github.io/synapse/latest/).

Compose/matrix/docker-compose.yaml

+---
+version: '3.5'
+
+services:
+  postgres:
+    environment:
+      POSTGRES_DB: &postgres_db synapse
+      POSTGRES_INITDB_ARGS: --encoding=UTF-8 --lc-collate=C --lc-ctype=C
+      POSTGRES_PASSWORD: &postgres_password "${SYNAPSE_DB_PASS}"
+      POSTGRES_USER: &postgres_user synapse
+    image: registry.shore.co.il/postgres
+    restart: always
+    volumes:
+      - postgres:/var/lib/postgresql/data
+
+  synapse:
+    build:
+      context: synapse/
+    depends_on:
+      - postgres
+    environment:
+      LDAP_URI: ldap://ldap:389
+      POSTGRES_DB: *postgres_db
+      POSTGRES_HOST: postgres
+      POSTGRES_PASSWORD: *postgres_password
+      POSTGRES_USER: *postgres_user
+      SYNAPSE_SERVER_NAME: shore.co.il
+      SIGNING_KEY: "${SYNAPSE_SIGNING_KEY}"
+      SYNAPSE_LOG_LEVEL: WARNING
+      SYNAPSE_MACAROON_SECRET_KEY: "${SYNAPSE_MACAROON_SECRET_KEY}"
+    restart: always
+    volumes:
+      - data:/data
+      - _run_slapd:/run/slapd
+
+volumes:
+  data:
+  postgres:
+  _run_slapd:
+    external: true
+    name: run_slapd
+
+networks:
+  default:
+    name: shore
+    external: true

Compose/matrix/synapse/.dockerignore

+*.md

Compose/matrix/synapse/Dockerfile

+FROM docker.io/matrixdotorg/synapse:v1.98.0
+ENV SYNAPSE_CONFIG_DIR=/conf
+ENV SYNAPSE_REPORT_STATS=yes
+COPY --chown=root:root entrypoint_wrapper /
+COPY --chown=root:root homeserver.yaml /conf/
+ENTRYPOINT ["/entrypoint_wrapper"]

Compose/matrix/synapse/README.md

+# Synapse
+
+The Synapse Matrix homeserver. Tweaked to generate the configuration and
+secret files from environment variables.

Compose/matrix/synapse/entrypoint_wrapper

+#!/bin/sh
+set -eux
+
+# We wrap the default entrypoint script and generate the configuration file and
+# other secret files from environment variables, but only if we're running the
+# homeserver.
+if [ "$#" -eq 0 ] || [ "$1" = run ]
+then
+    if [ -n "${SIGNING_KEY:-}" ]
+    then
+        echo "$SIGNING_KEY" > "/conf/${SYNAPSE_SERVER_NAME}.signing.key"
+        chmod 644 "/conf/${SYNAPSE_SERVER_NAME}.signing.key"
+    fi
+    /start.py migrate_config
+    cat /conf/homeserver.yaml
+    ls -la /conf
+fi
+
+exec /start.py "$@"

Compose/matrix/synapse/homeserver.yaml

+# vim:ft=yaml
+---
+# For more information on how to configure Synapse, including a complete accounting of
+# each option, go to
+# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html
+# For the original version of this file go to
+# https://github.com/element-hq/synapse/blob/master/docker/conf/homeserver.yaml
+
+server_name: "{{ SYNAPSE_SERVER_NAME }}"
+pid_file: /homeserver.pid
+web_client: false
+soft_file_limit: 0
+log_config: "{{ SYNAPSE_LOG_CONFIG }}"
+
+## Ports ##
+
+listeners:
+  - port: {{ SYNAPSE_HTTP_PORT or 8008 }}
+    tls: false
+    bind_addresses: ['::']
+    type: http
+    x_forwarded: true
+    resources:
+      - names: [client]
+        compress: true
+      - names: [federation]
+        compress: false
+
+## Database ##
+
+database:
+  name: "psycopg2"
+  args:
+    user: '{{ POSTGRES_USER or "synapse" }}'
+    password: '{{ POSTGRES_PASSWORD }}'
+    database: '{{ POSTGRES_DB or "synapse" }}'
+    host: '{{ POSTGRES_HOST or "db" }}'
+    port: '{{ POSTGRES_PORT or "5432" }}'
+    cp_min: {{ POSTGRES_CP_MIN or 5 }}
+    cp_max: {{ POSTGRES_CP_MAX or 10 }}
+
+## Performance ##
+
+event_cache_size: '{{ SYNAPSE_EVENT_CACHE_SIZE or "10K" }}'
+
+## Ratelimiting ##
+
+rc_messages_per_second: 0.2
+rc_message_burst_count: 10.0
+federation_rc_window_size: 1000
+federation_rc_sleep_limit: 10
+federation_rc_sleep_delay: 500
+federation_rc_reject_limit: 50
+federation_rc_concurrent: 3
+
+## Files ##
+
+media_store_path: "/data/media"
+max_upload_size: '{{ SYNAPSE_MAX_UPLOAD_SIZE or "50M" }}'
+max_image_pixels: "32M"
+dynamic_thumbnails: false
+
+# List of thumbnail to precalculate when an image is uploaded.
+thumbnail_sizes:
+- width: 32
+  height: 32
+  method: crop
+- width: 96
+  height: 96
+  method: crop
+- width: 320
+  height: 240
+  method: scale
+- width: 640
+  height: 480
+  method: scale
+- width: 800
+  height: 600
+  method: scale
+
+url_preview_enabled: false
+max_spider_size: "10M"
+
+
+## Metrics ###
+
+enable_metrics: '{{ SYNAPSE_REPORT_STATS.lower() == "yes" }}'
+report_stats: '{{ SYNAPSE_REPORT_STATS.lower() == "yes" }}'
+
+## API Configuration ##
+
+{% if SYNAPSE_APPSERVICES %}
+app_service_config_files:
+{% for appservice in SYNAPSE_APPSERVICES %}
+    - "{{ appservice }}"
+{% endfor %}
+{% endif %}
+
+macaroon_secret_key: "{{ SYNAPSE_MACAROON_SECRET_KEY }}"
+expire_access_token: false
+
+## Signing Keys ##
+
+signing_key_path: "/conf/{{ SYNAPSE_SERVER_NAME }}.signing.key"
+old_signing_keys: {}
+key_refresh_interval: "1d" # 1 Day.
+
+# The trusted servers to download signing keys from.
+trusted_key_servers:
+  - server_name: matrix.org
+    verify_keys:
+      "ed25519:auto": "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"  # pragma: allowlist secret
+
+password_config:
+   enabled: true
+
+modules:
+  - module: "ldap_auth_provider.LdapAuthProviderModule"
+    config:
+      enabled: true
+      uri: '{{ LDAP_URI or "ldapi:///run/slapd/ldapi" }}'
+      start_tls: {{ LDAP_TLS or False }}
+      base: '{{ LDAP_BASE_DN or "ou=People,dc=shore,dc=co,dc=il" }}'
+      attributes:
+        uid: "cn"
+        mail: "mail"
+        name: "givenName"

Compose/web-proxy/host01/conf.d/auth.shore.co.il.conf

@@ -16,8 +16,9 @@ server {
 }
 
 server {
-    listen      443 ssl http2;
-    listen      [::]:443 ssl http2;
+    listen      443 ssl;
+    listen      [::]:443 ssl;
+    http2       on;
     server_name auth.shore.co.il;
     include     snippets/robots-disallow-all.conf;
     include     snippets/ads-txt.conf;

Compose/web-proxy/host01/conf.d/code.shore.co.il.conf

@@ -13,8 +13,9 @@ server {
 }
 
 server {
-    listen      443 ssl http2;
-    listen      [::]:443 ssl http2;
+    listen      443 ssl;
+    listen      [::]:443 ssl;
+    http2       on;
     server_name code.shore.co.il;
     include     snippets/robots-disallow-all.conf;
     include     snippets/ads-txt.conf;

Compose/web-proxy/host01/conf.d/git.shore.co.il.conf

@@ -13,8 +13,9 @@ server {
 }
 
 server {
-    listen      443 ssl http2;
-    listen      [::]:443 ssl http2;
+    listen      443 ssl;
+    listen      [::]:443 ssl;
+    http2       on;
     server_name git.shore.co.il;
     include     snippets/robots-allow-all.conf;
     include     snippets/ads-txt.conf;

Compose/web-proxy/host01/conf.d/lam.shore.co.il.conf

@@ -13,8 +13,9 @@ server {
 }
 
 server {
-    listen      443 ssl http2;
-    listen      [::]:443 ssl http2;
+    listen      443 ssl;
+    listen      [::]:443 ssl;
+    http2       on;
     server_name lam.shore.co.il;
     include     snippets/robots-disallow-all.conf;
     include     snippets/ads-txt.conf;

Compose/web-proxy/host01/conf.d/mail.shore.co.il.conf

@@ -10,8 +10,9 @@ server {
 }
 
 server {
-    listen                      443 ssl http2;
-    listen                      [::]:443 ssl http2;
+    listen                      443 ssl;
+    listen                      [::]:443 ssl;
+    http2                       on;
     server_name                 mta-sts.shore.co.il mta-sts.nehe.sr;
     root                        /var/www/mail.shore.co.il/;
     include                     snippets/robots-disallow-all.conf;

Compose/web-proxy/host01/conf.d/matrix.shore.co.il.conf

+# vim: ft=nginx
+map $host $matrix { default synapse; }
+
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name matrix.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/www-acme-challenge.conf;
+    include     snippets/redirect-https.conf;
+}
+
+server {
+    listen      443 ssl;
+    listen      [::]:443 ssl;
+    http2       on;
+    server_name matrix.shore.co.il;
+    include     snippets/robots-disallow-all.conf;
+    include     snippets/ads-txt.conf;
+    include     snippets/security-txt.conf;
+    include     snippets/ssl-modern.conf;
+
+    location / {
+        proxy_pass              http://$matrix:8008$request_uri;
+        proxy_http_version      1.1;
+        include                 snippets/proxy-headers.conf;
+        client_max_body_size    50m;
+    }
+}

Compose/web-proxy/host01/conf.d/nextcloud.shore.co.il.conf

@@ -13,8 +13,9 @@ server {
 }
 
 server {
-    listen      443 ssl http2;
-    listen      [::]:443 ssl http2;
+    listen      443 ssl;
+    listen      [::]:443 ssl;
+    http2       on;
     server_name nextcloud.shore.co.il;
     include     snippets/robots-disallow-all.conf;
     include     snippets/ads-txt.conf;

Compose/web-proxy/host01/conf.d/notify.shore.co.il.conf

@@ -13,8 +13,9 @@ server {
 }
 
 server {
-    listen      443 ssl http2;
-    listen      [::]:443 ssl http2;
+    listen      443 ssl;
+    listen      [::]:443 ssl;
+    http2       on;
     server_name notify.shore.co.il;
     include     snippets/robots-disallow-all.conf;
     include     snippets/ads-txt.conf;

Compose/web-proxy/host01/conf.d/sogo.shore.co.il.conf

@@ -13,8 +13,9 @@ server {
 }
 
 server {
-    listen      443 ssl http2;
-    listen      [::]:443 ssl http2;
+    listen      443 ssl;
+    listen      [::]:443 ssl;
+    http2       on;
     server_name sogo.shore.co.il;
     include     snippets/robots-disallow-all.conf;
     include     snippets/ads-txt.conf;

Compose/web-proxy/host01/conf.d/vouch.shore.co.il.conf

@@ -13,8 +13,9 @@ server {
 }
 
 server {
-    listen      443 ssl http2;
-    listen      [::]:443 ssl http2;
+    listen      443 ssl;
+    listen      [::]:443 ssl;
+    http2       on;
     server_name vouch.shore.co.il;
     include     snippets/robots-disallow-all.conf;
     include     snippets/ads-txt.conf;