


b638cd7310 WIP: matrix 2023-02-25 15:06:17 +01:00
21 changed files with 249 additions and 14 deletions


@ -40,6 +40,8 @@ All services below are running under Docker, except NSD and Borg.
- move Mastodon to pim.kunis.nl - move Mastodon to pim.kunis.nl
- Podman - Podman
- Replace watchtower with Podman features - Replace watchtower with Podman features
- Move nginx static content server to this repo
- Move dataserver to its own repo
### NSD ### NSD


@ -6,5 +6,7 @@ jitsi_videobridge_port: 54562
git_ssh_port: 56287 git_ssh_port: 56287
prometheus_port: 8081 prometheus_port: 8081
traefik_api_port: 8080 traefik_api_port: 8080
internal_forgejo_port: 3000 # Needed to pull from a repository from another docker container.
internal_matrix_port: 3001 # Needed for proxying through NGINX
domain_name_pim: pim.kunis.nl domain_name_pim: pim.kunis.nl
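Review bot: The comment on `internal_forgejo_port` says the port exists so another Docker container can pull a repository, but the only consumer in this commit is the static role's `git_origin`, which now points at `http://localhost:{{ internal_forgejo_port }}/...` and therefore appears to be cloned from the host, not from a container; the comment should describe the real use, e.g. `# Published on the host so the static role can clone over loopback without going through Traefik.` Both of these "internal" ports are published by their compose files without a bind address in this commit, so the comments should also state that the mappings must be bound to 127.0.0.1 for the name to hold.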


@ -16,6 +16,7 @@
- {role: 'static', tags: 'static'} - {role: 'static', tags: 'static'}
- {role: 'inbucket', tags: 'inbucket'} - {role: 'inbucket', tags: 'inbucket'}
- {role: 'prometheus', tags: 'prometheus'} - {role: 'prometheus', tags: 'prometheus'}
- {role: 'matrix', tags: 'matrix'}
- name: Setup dataserver - name: Setup dataserver
hosts: dataserver hosts: dataserver
roles: roles:


@ -12,6 +12,8 @@ services:
- USER_UID=1000 - USER_UID=1000
- USER_GID=1000 - USER_GID=1000
restart: always restart: always
ports:
- "{{ internal_forgejo_port }}:3000"
networks: networks:
- traefik - traefik
volumes: volumes:
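Review bot: The new `ports` entry publishes Forgejo's HTTP listener on every host interface, because `"{{ internal_forgejo_port }}:3000"` carries no bind address, and Docker's own iptables chain means host-level INPUT firewall rules generally do not shield it; that gives the network a plain-HTTP path to Forgejo that bypasses the Traefik TLS front end. The ports-vars comment says the port exists so another container can pull a repository, while the static role's `git_origin` in this commit actually uses `http://localhost:...`, so binding to loopback should satisfy the visible consumer: `- "127.0.0.1:{{ internal_forgejo_port }}:3000"`. If a pull really does originate inside another container, putting both containers on a shared network and using the service name avoids publishing the port at all.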


@ -0,0 +1,32 @@
version: 1
formatters:
precise:
format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
handlers:
console:
class: logging.StreamHandler
formatter: precise
loggers:
synapse.storage.SQL:
# beware: increasing this to DEBUG will make synapse log sensitive
# information such as access tokens.
level: INFO
root:
level: INFO
handlers: [console]
disable_existing_loggers: false


@ -0,0 +1,8 @@
$ANSIBLE_VAULT;1.1;AES256
38363633306139626564313833363364653037613238396266303133663231643739373237666662
6639636136303666353639353632373530326263633264350a616465313137663731393464383263
65373565343462633733366636343766656666396531383638363232363565646364663035353333
3236383136353065660a353631326630623165366631666639343864633531383238643131373363
64303565363439343064393039323265623364633738373163373339376134643966333032326564
61646536633335633938336438663430643461623230666163636561303430393732663062393461
346332333463636566326364663465306565


@ -0,0 +1,31 @@
- name: Create app directory
file:
path: "{{ service_dir }}"
state: directory
- name: Copy signing key
copy:
src: "{{ role_path }}/files/matrix.log.config"
dest: "{{ service_dir }}/matrix.log.config"
- name: Copy Docker Compose script
template:
src: "{{ role_path }}/templates/docker-compose.yml.j2"
dest: "{{ service_dir }}/docker-compose.yml"
- name: Copy homeserver.yaml
template:
src: "{{ role_path }}/templates/homeserver.yaml.j2"
dest: "{{ service_dir }}/homeserver.yaml"
register: homeserver
- name: Copy signing key
copy:
src: "{{ role_path }}/files/matrix.signing.key"
dest: "{{ service_dir }}/matrix.signing.key"
- name: Create data directory
file:
path: "{{ data_dir }}"
state: directory
- name: Start the Docker Compose
docker_compose:
project_src: "{{ service_dir }}"
pull: true
remove_orphans: true
restarted: "{{ homeserver.changed }}"
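Review bot: Neither the signing-key `copy` nor the `homeserver.yaml` `template` task sets a `mode`, so the private federation signing key and a config holding the database password, registration shared secret, macaroon key and form secret are written under `{{ service_dir }}` with the default (typically world-readable 0644) permissions. Add `mode: "0600"` to the `matrix.signing.key` copy task and to the `homeserver.yaml` template task, plus `owner`/`group` matching the UID Synapse runs as if that is not root. The first task is also mislabelled: it copies `matrix.log.config` but is named `Copy signing key`, which makes play output misleading; rename it `Copy logging config`. Note too that `restarted` keys only on `homeserver.changed`, so a rotated signing key or changed log config is deployed without a restart.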


@ -0,0 +1,41 @@
version: '3'
services:
synapse:
image: docker.io/matrixdotorg/synapse:v1.77.0
restart: unless-stopped
environment:
- SYNAPSE_CONFIG_PATH=/data/homeserver.yaml
volumes:
- /data/matrix/uploads:/data/uploads
- /data/matrix/media:/data/media
- /srv/matrix/homeserver.yaml:/data/homeserver.yaml
- /srv/matrix/matrix.log.config:/data/matrix.log.config
- /srv/matrix/matrix.signing.key:/data/matrix.signing.key
depends_on:
- db
networks:
- traefik
ports:
- "{{ internal_matrix_port }}:8008"
labels:
- traefik.enable=true
- traefik.http.routers.matrix.entryPoints=websecure
- traefik.http.routers.matrix.rule=Host(`{{ matrix_domain }}`)
- traefik.http.routers.matrix.tls=true
- traefik.http.routers.matrix.tls.certResolver=letsencrypt
- traefik.http.routers.matrix.service=matrix
- traefik.http.services.matrix.loadbalancer.server.port=8008
db:
image: docker.io/postgres:12-alpine
environment:
- POSTGRES_USER=synapse
- POSTGRES_PASSWORD={{ database_password }}
- POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
volumes:
- /data/matrix/schemas:/var/lib/postgresql/data
networks:
traefik:
external: true
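Review bot: `synapse` lists only the external `traefik` network while `db` lists none, so `db` lands on the compose project's default network and `synapse` is not attached to it; the `host: db` lookup in homeserver.yaml should then fail to resolve unless something outside this diff joins them. Add `- default` under the synapse `networks:` list (or give `db` an explicit network shared with synapse) so the database stays off the traefik network but is reachable. Separately, `"{{ internal_matrix_port }}:8008"` publishes the plaintext listener on all host interfaces, and because that listener has `x_forwarded: true`, anyone reaching it directly can supply their own `X-Forwarded-For`, defeating per-IP rate limiting and audit logging; bind it with `"127.0.0.1:{{ internal_matrix_port }}:8008"`, since the only consumer shown is nginx via `host.docker.internal`.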


@ -0,0 +1,35 @@
# Configuration file for Synapse.
#
# For more information on how to configure Synapse, including a complete accounting of
# each option, go to docs/usage/configuration/config_documentation.md or
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html
server_name: "{{ matrix_domain }}"
pid_file: /data/homeserver.pid
listeners:
- port: 8008
tls: false
type: http
x_forwarded: true
resources:
- names: [client, federation]
compress: false
database:
name: psycopg2
args:
user: synapse
password: "{{ database_password }}"
host: db
cp_min: 5
cp_max: 10
log_config: "/data/matrix.log.config"
media_store_path: "/data/media"
registration_shared_secret: "{{ registration_shared_secret }}"
report_stats: false
macaroon_secret_key: "{{ macaroon_secret_key }}"
form_secret: "{{ form_secret }}"
signing_key_path: "/data/matrix.signing.key"
trusted_key_servers:
- server_name: "matrix.org"
# vim:ft=yaml
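Review bot: The nginx config in this commit sets `client_max_body_size 50M` with a comment that it matches `max_upload_size` defined here, but no `max_upload_size` is set in this template, so the two limits are aligned only by Synapse's built-in default and will drift silently if either changes; make it explicit with `max_upload_size: 50M` and a comment `# keep in sync with client_max_body_size in the static nginx config`. It would also help to add a comment above `registration_shared_secret` noting that open registration is left at its default (disabled) and that this secret alone allows creating accounts through the admin API, which is why it is vaulted.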


@ -0,0 +1,41 @@
service_name: matrix
data_dir: "{{ base_data_dir }}/{{ service_name }}"
service_dir: "{{ base_service_dir }}/{{ service_name }}"
matrix_domain: "matrix.{{ domain_name_pim }}"
registration_shared_secret: !vault |
$ANSIBLE_VAULT;1.1;AES256
66643364393432353763666361383331316635356431636530663162643134653939306438366533
3463393262623364336430363638356439393461393237650a626630633963343530643565323633
35613636386365393035666366636534306266613935653136666430366330323032653164363066
6531323364383131360a616465336164303030643132336264646333346666626138386331636164
65366438356238383234386662363631316334613439613739303165613363636261643934656665
32653764373939373739666263653261343036636365316566623934343261653436613962343335
343132326461336338323938326264666630
macaroon_secret_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
61656638626162383134356238393031346464623930363636376136633038623836323737633463
3733383661663339313965636134373037366235613562340a376334666266623438313066346166
64333564613438313861396632633464386236356236313461373461613632346538343837343264
3363623135613063300a333932363036353063653931616361363934633239653732343737373536
31366265383939303664623565633435626530316430323036663261353334336264306162653361
38306437616333316638396161393164393766356566323362343565663630306465663133333733
343039623366313961393136356239373837
form_secret: !vault |
$ANSIBLE_VAULT;1.1;AES256
38646165646636353331323565343033396431623338633734653838633032363930323637656637
3931643733343537343534386137313737383562346534300a353535633239626332393831613661
39366230313234663930363962386336646639393566356437623937393062353134303138363734
6430653164656339660a613234313464653138313331333137646331323338346230643630636466
35383837356633303061663362626439653030333063383532373663316330373737323736326562
37313034363262346333343166343231316264303934366565643466396164333166643561373365
656533393033356363303933353231376466
database_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
38393732313834343631626234353261653536646434343561613264626162363839303432333133
3635333330626263666430353931666635393738643163300a633231343334666331373936333565
36376164396464623233613033636562626630623730633730666333363437613234636638356630
3336373235336232630a353732653331623963313865333765633965353630363733386534313639
38643839323733393031373139376662326134653965646366663631396464393861636538313563
3934363539366139346633626433396438663739393332663030


@ -1,7 +1,7 @@
$ORIGIN pim.kunis.nl. $ORIGIN pim.kunis.nl.
$TTL 60 $TTL 60
pim.kunis.nl. IN SOA ns.pim.kunis.nl. pim.kunis.nl. 2023020800 1800 3600 1209600 3600 pim.kunis.nl. IN SOA ns.pim.kunis.nl. pim.kunis.nl. 2023022500 1800 3600 1209600 3600
NS ns.pim.kunis.nl. NS ns.pim.kunis.nl.
A 84.245.14.149 A 84.245.14.149
@ -17,3 +17,4 @@ dav IN CNAME www.pim.kunis.nl.
git IN CNAME www.pim.kunis.nl. git IN CNAME www.pim.kunis.nl.
meet IN CNAME www.pim.kunis.nl. meet IN CNAME www.pim.kunis.nl.
rss IN CNAME www.pim.kunis.nl. rss IN CNAME www.pim.kunis.nl.
matrix IN CNAME www.pim.kunis.nl.


@ -0,0 +1,5 @@
{
"m.homeserver": {
"base_url": "https://matrix.pim.kunis.nl"
}
}
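Review bot: This client well-known document is fetched cross-origin by browser-based Matrix clients, which the client-server spec requires to be served with `Access-Control-Allow-Origin: *`; the nginx changes in this commit add no `location /.well-known/matrix/` block, so unless the existing `server_name {{ domain_name_pim }}` server already does this, Element Web and similar clients will fail autodiscovery. Add a location in the static nginx config that serves `/.well-known/matrix/` with `add_header Access-Control-Allow-Origin *;` and `default_type application/json;`. The document itself is fine as written.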


@ -0,0 +1,3 @@
{
"m.server": "matrix.pim.kunis.nl:443"
}


@ -1 +0,0 @@
testje


@ -17,10 +17,10 @@
cmd: "docker run --rm --volume=\"{{ service_dir }}/git:/srv/jekyll:Z\" -it jekyll/minimal jekyll build" cmd: "docker run --rm --volume=\"{{ service_dir }}/git:/srv/jekyll:Z\" -it jekyll/minimal jekyll build"
chdir: "{{ service_dir }}" chdir: "{{ service_dir }}"
when: repo.changed when: repo.changed
- name: Copy security.txt - name: Copy Matrix static files
copy: copy:
src: "{{ role_path }}/files/security.txt" src: "{{ role_path }}/files/matrix/"
dest: "{{ service_dir }}/security.txt" dest: "{{ service_dir }}/matrix/"
- name: Copy docker compose file - name: Copy docker compose file
template: template:
src: "{{ role_path }}/templates/docker-compose.yml.j2" src: "{{ role_path }}/templates/docker-compose.yml.j2"
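Review bot: The role no longer copies `security.txt` into `{{ service_dir }}`, but the docker-compose template in this commit still bind-mounts `{{ service_dir }}/security.txt` into the container; if nothing else writes that file, Docker will create an empty directory at the source path on the next `up` and nginx gets a directory where it expects a file. Either keep a `Copy security.txt` task alongside the new Matrix copy, or drop the mount and serve the file from the Jekyll output. The task that ends this hunk continues outside it.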


@ -12,15 +12,24 @@ services:
- {{ service_dir }}/security.txt:/var/www/blog/security.txt - {{ service_dir }}/security.txt:/var/www/blog/security.txt
networks: networks:
- traefik - traefik
extra_hosts:
- "host.docker.internal:host-gateway"
labels: labels:
- traefik.enable=true - traefik.enable=true
- traefik.http.routers.blog.entrypoints=websecure - traefik.http.routers.blog.entrypoints=websecure
- "traefik.http.routers.blog.rule=(Host(`{{ domain_name_pim }}`) || Path(`/security.txt`, `/.well-known/security.txt`))" - "traefik.http.routers.blog.rule=(Host(`{{ domain_name_pim }}`) || Path(`/security.txt`, `/.well-known/security.txt`, `/_matrix`, `/.well-known/matrix/`))"
- traefik.http.routers.blog.tls=true - traefik.http.routers.blog.tls=true
- traefik.http.routers.blog.tls.certresolver=letsencrypt - traefik.http.routers.blog.tls.certresolver=letsencrypt
- traefik.http.routers.blog.service=blog - traefik.http.routers.blog.service=blog
- traefik.http.services.blog.loadbalancer.server.port=80 - traefik.http.services.blog.loadbalancer.server.port=80
- traefik.http.routers.matrix-fed.entrypoints=matrix
- traefik.http.routers.matrix-fed.rule=Host(`matrix.pim.kunis.nl`)
- traefik.http.routers.matrix-fed.tls=true
- traefik.http.routers.matrix-fed.tls.certresolver=letsencrypt
- traefik.http.routers.matrix-fed.service=matrix-fed
- traefik.http.services.matrix-fed.loadbalancer.server.port=8448
networks: networks:
traefik: traefik:
external: true external: true
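Review bot: `Path()` in Traefik is an exact match, so the two new alternatives `Path(`/_matrix`, `/.well-known/matrix/`)` in the blog rule match only those literal paths and never `/.well-known/matrix/server` or `/_matrix/...`; for the canonical host the `Host()` term already matches, so the additions are dead, and for any other host they would need `PathPrefix()` to do anything — if routing `/_matrix` from other hostnames to the static nginx is not actually wanted, drop them. The `matrix-fed` router on `:8448` also looks redundant: the new `.well-known/matrix/server` document delegates federation to `matrix.pim.kunis.nl:443`, which the `matrix` router in the Synapse compose already serves on `websecure`, so the nginx hairpin through `host.docker.internal` and the published port only add a second path into Synapse. If 8448 is kept for servers that ignore delegation, define `matrix-fed` on the synapse container pointing at port 8008 over the shared traefik network instead of via the host.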


@ -2,19 +2,39 @@ server {
listen 80 default_server; listen 80 default_server;
location /security.txt { location /security.txt {
return 301 https://$host/.well-known/security.txt; return 301 https://{{ domain_name_pim }}/.well-known/security.txt;
} }
location /.well-known/security.txt { location /.well-known/security.txt {
add_header Content-Type 'text/plain'; return 301 https://{{ domain_name_pim }}/.well-known/security.txt;
add_header Cache-Control 'no-cache, no-store, must-revalidate';
add_header Pragma 'no-cache';
add_header Expires '0';
add_header Vary '*';
return 200 "Contact: mailto:pim@kunis.nl\nExpires: 1970-01-01T00:00:00.000Z\nPreferred-Languages: en,nl\n";
} }
} }
server {
# For the federation port
listen 8448 http2 default_server;
listen [::]:8448 http2 default_server;
server_name matrix.pim.kunis.nl;
location ~ ^(/_matrix|/_synapse/client) {
# note: do not add a path (even a single /) after the port in `proxy_pass`,
# otherwise nginx will canonicalise the URI and cause signature verification
# errors.
proxy_pass http://host.docker.internal:{{ internal_matrix_port }};
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 50M;
# Synapse responses may be chunked, which is an HTTP/1.1 feature.
proxy_http_version 1.1;
}
}
server { server {
listen 80; listen 80;
server_name {{ domain_name_pim }}; server_name {{ domain_name_pim }};
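Review bot: In the new `listen 8448` server, `proxy_set_header X-Forwarded-For $remote_addr;` overwrites the header Traefik already populated, so Synapse records the Traefik container's address as the federation peer, and `X-Forwarded-Proto $scheme` is always `http` here because this listener is plaintext behind Traefik's TLS termination. Use `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;` (or a hard-coded `https`) so the values Synapse trusts via `x_forwarded: true` are the ones Traefik set. Since this block is only meant to be reached from Traefik, a comment such as `# Plaintext: TLS is terminated by Traefik on entrypoint 'matrix' (:8448); never publish this port directly.` would stop someone later exposing 8448 from the container. The final server block beginning at `server_name {{ domain_name_pim }};` continues outside this hunk.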


@ -1,3 +1,3 @@
service_name: static service_name: static
service_dir: "{{ base_service_dir }}/{{ service_name }}" service_dir: "{{ base_service_dir }}/{{ service_name }}"
git_origin: https://git.pim.kunis.nl/pim/static.git git_origin: "http://localhost:{{ internal_forgejo_port }}/pim/static.git"


@ -14,6 +14,7 @@ services:
- "80:80" - "80:80"
- "{{ git_ssh_port }}:{{ git_ssh_port }}" - "{{ git_ssh_port }}:{{ git_ssh_port }}"
- "{{ traefik_api_port }}:{{ traefik_api_port }}" - "{{ traefik_api_port }}:{{ traefik_api_port }}"
- "8448:8448"
volumes: volumes:
- /var/run/docker.sock:/var/run/docker.sock - /var/run/docker.sock:/var/run/docker.sock
- {{ service_dir }}/traefik.toml:/etc/traefik/traefik.toml - {{ service_dir }}/traefik.toml:/etc/traefik/traefik.toml
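Review bot: Publishing `8448:8448` on Traefik opens a second federation entry point that the new `.well-known/matrix/server` document makes unnecessary, since it delegates federation to `matrix.pim.kunis.nl:443`; remote homeservers that honour delegation will never use 8448, so the port is extra exposed surface with its own nginx-to-host hairpin to keep patched. If it is kept deliberately, add a comment above the line: `# Matrix federation fallback for servers that ignore .well-known delegation`. The `ports` list and the volumes below continue outside this hunk.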


@ -15,6 +15,8 @@ loglevel = "DEBUG"
address = ":{{ jitsi_videobridge_port }}/udp" address = ":{{ jitsi_videobridge_port }}/udp"
[entryPoints.internal] [entryPoints.internal]
address = ":{{ traefik_api_port }}" address = ":{{ traefik_api_port }}"
[entryPoints.matrix]
address = ":8448"
[api] [api]
insecure = false insecure = false

util/secret-service-client.sh Normal file → Executable file