Cleanup
This commit is contained in:
parent
e95a4004a8
commit
1f3f719032
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
vault write database/roles/matrix-synapse \
|
vault write /database/roles/matrix-synapse \
|
||||||
db_name="postgres" \
|
db_name="postgres" \
|
||||||
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
|
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
|
||||||
GRANT \"matrix-synapse\" TO \"{{name}}\"; \
|
GRANT \"matrix-synapse\" TO \"{{name}}\"; \
|
||||||
|
|
|
@ -41,15 +41,15 @@ job "matrix" {
|
||||||
|
|
||||||
"traefik.enable=true",
|
"traefik.enable=true",
|
||||||
"traefik.http.routers.matrix-admin.entrypoints=https",
|
"traefik.http.routers.matrix-admin.entrypoints=https",
|
||||||
"traefik.http.middlewares.matrix-csp.headers.contentsecuritypolicy=connect-src 'self' https://scalar.vector.im https://api.maptiler.com;default-src 'self';font-src 'self' data:;frame-src 'self' blob: https://scalar.vector.im/ https://meet.element.io;img-src 'self' data: blob: https://img.youtube.com https://*.ytimg.com;script-src 'self' https://usercontent.riot.im https://scalar.vector.im;style-src 'self' 'unsafe-inline';worker-src 'self' blob:;",
|
"traefik.http.middlewares.csp-matrix-admin.headers.contentsecuritypolicy=connect-src 'self' https://scalar.vector.im https://api.maptiler.com;default-src 'self';font-src 'self' data:;frame-src 'self' blob: https://scalar.vector.im/ https://meet.element.io;img-src 'self' data: blob: https://img.youtube.com https://*.ytimg.com;script-src 'self' https://usercontent.riot.im https://scalar.vector.im;style-src 'self' 'unsafe-inline';worker-src 'self' blob:;",
|
||||||
"traefik.http.routers.matrix-admin.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,matrix-csp",
|
"traefik.http.routers.matrix-admin.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-matrix-admin",
|
||||||
|
|
||||||
"traefik.http.routers.matrix.rule=Host(`matrix.consul`) || (Host(`matrix.consul`) && PathRegexp(`^/(_(synapse|matrix)|\\.well-known/matrix)/.*`))",
|
"traefik.http.routers.matrix.rule=Host(`matrix.consul`) || (Host(`matrix.consul`) && PathRegexp(`^/(_(synapse|matrix)|\\.well-known/matrix)/.*`))",
|
||||||
|
|
||||||
"traefik.enable=true",
|
"traefik.enable=true",
|
||||||
"traefik.http.routers.matrix.entrypoints=https",
|
"traefik.http.routers.matrix.entrypoints=https",
|
||||||
"traefik.http.middlewares.matrix-csp.headers.contentsecuritypolicy=connect-src 'self' https://scalar.vector.im https://api.maptiler.com;default-src 'self';font-src 'self' data:;frame-src 'self' blob: https://scalar.vector.im/ https://meet.element.io;img-src 'self' data: blob: https://img.youtube.com https://*.ytimg.com;script-src 'self' https://usercontent.riot.im https://scalar.vector.im;style-src 'self' 'unsafe-inline';worker-src 'self' blob:;",
|
"traefik.http.middlewares.csp-matrix.headers.contentsecuritypolicy=connect-src 'self' https://scalar.vector.im https://api.maptiler.com;default-src 'self';font-src 'self' data:;frame-src 'self' blob: https://scalar.vector.im/ https://meet.element.io;img-src 'self' data: blob: https://img.youtube.com https://*.ytimg.com;script-src 'self' https://usercontent.riot.im https://scalar.vector.im;style-src 'self' 'unsafe-inline';worker-src 'self' blob:;",
|
||||||
"traefik.http.routers.matrix.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,matrix-csp",
|
"traefik.http.routers.matrix.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-matrix",
|
||||||
|
|
||||||
]
|
]
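Review bot: Both renamed CSP values (`csp-matrix-admin` and `csp-matrix`) still omit the directives that do not fall back to `default-src` — `frame-ancestors`, `base-uri` and `form-action` — so as far as this header is concerned the admin UI can be framed and `<base>`-hijacked; unless `security-headers@file` already covers them, append `frame-ancestors 'none';base-uri 'self';form-action 'self';` to both values (use `'self'` for frame-ancestors if the admin UI is meant to be embedded). The unchanged `traefik.http.routers.matrix.rule` ORs a bare Host match with the same Host AND a `PathRegexp`, which reduces to the bare Host match, so the `_synapse`/`_matrix`/`.well-known` path restriction is dead — if only those paths should reach Synapse, drop the first alternative. The tag list and the surrounding job block continue outside the hunk.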
|
||||||
|
|
||||||
|
@ -136,6 +136,7 @@ job "matrix" {
|
||||||
|
|
||||||
env {
|
env {
|
||||||
SYNAPSE_CONFIG = "/secrets/homeserver.yml"
|
SYNAPSE_CONFIG = "/secrets/homeserver.yml"
|
||||||
|
TMPDIR = "/data/tmp"
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -144,7 +145,6 @@ job "matrix" {
|
||||||
template {
|
template {
|
||||||
data = <<_EOT
|
data = <<_EOT
|
||||||
LANG=fr_FR.utf8
|
LANG=fr_FR.utf8
|
||||||
TMPDIR=/data/tmp
|
|
||||||
TZ=Europe/Paris
|
TZ=Europe/Paris
|
||||||
_EOT
|
_EOT
|
||||||
destination = "secrets/.env"
|
destination = "secrets/.env"
|
||||||
|
@ -168,9 +168,9 @@ database:
|
||||||
args:
|
args:
|
||||||
database: matrix-synapse
|
database: matrix-synapse
|
||||||
host: 127.0.0.1
|
host: 127.0.0.1
|
||||||
password: '{{ with secret "database/creds/matrix-synapse" }}{{ .Data.password }}{{ end }}'
|
password: '{{ with secret "/database/matrix" }}{{ .Data.password }}{{ end }}'
|
||||||
port: "5432"
|
port: "5432"
|
||||||
user: '{{ with secret "database/creds/matrix-synapse" }}{{ .Data.username }}{{ end }}'
|
user: '{{ with secret "/database/matrix" }}{{ .Data.username }}{{ end }}'
|
||||||
name: psycopg2
|
name: psycopg2
|
||||||
default_identity_server: https://matrix.org
|
default_identity_server: https://matrix.org
|
||||||
delete_stale_devices_after: 180d
|
delete_stale_devices_after: 180d
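Review bot: The new `secret "/database/matrix"` lookups on the `password:` and `user:` lines point at a path that is not a `creds/` endpoint and that the matrix-synapse policy in this same commit does not grant (it allows only `/database/creds/matrix-synapse`), so the Nomad template render would presumably fail unless the `database/` mount really exposes `matrix` as a credentials path. The old `database/creds/matrix-synapse` path matched both the role created by `vault write /database/roles/matrix-synapse` and the policy; if the generator's path layout changed, the role script and policy need the same change, otherwise the rendered path should stay `/database/creds/matrix-synapse`. The `database:` block is cut at both ends of the hunk.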
|
||||||
|
@ -183,7 +183,7 @@ email:
|
||||||
smtp_host: 127.0.0.1
|
smtp_host: 127.0.0.1
|
||||||
smtp_port: 25
|
smtp_port: 25
|
||||||
forgotten_room_retention_period: 15d
|
forgotten_room_retention_period: 15d
|
||||||
form_secret: '{{ with secret "kv/service/matrix" }}{{ .Data.data.form_secret }}{{ end }}'
|
form_secret: '{{- with secret "/kv/service/matrix" }}{{ .Data.data.form_secret }}{{ end }}'
|
||||||
listeners:
|
listeners:
|
||||||
- path: /alloc/tmp/synapse.sock
|
- path: /alloc/tmp/synapse.sock
|
||||||
resources:
|
resources:
|
||||||
|
@ -193,7 +193,7 @@ listeners:
|
||||||
- federation
|
- federation
|
||||||
type: http
|
type: http
|
||||||
log_config: /secrets/logging.conf
|
log_config: /secrets/logging.conf
|
||||||
macaroon_secret_key: '{{ with secret "kv/service/matrix" }}{{ .Data.data.macaroon_secret_key }}{{ end }}'
|
macaroon_secret_key: '{{- with secret "/kv/service/matrix" }}{{ .Data.data.macaroon_secret_key }}{{ end }}'
|
||||||
max_avatar_size: 4M
|
max_avatar_size: 4M
|
||||||
media_retention:
|
media_retention:
|
||||||
local_media_lifetime: 730d
|
local_media_lifetime: 730d
|
||||||
|
|
|
@ -1,19 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
|
|
||||||
set -eu
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
if [ "matrix" != "matrix" ]; then
|
|
||||||
for DIR in vault consul nomad; do
|
|
||||||
if [ -d output/${DIR} ]; then
|
|
||||||
for FILE in $(find output/${DIR} -name "*matrix*.hcl" -type f); do
|
|
||||||
NEW_FILE=$(echo "${FILE}" | sed -E "s/matrix/matrix/g")
|
|
||||||
mv "${FILE}" "${NEW_FILE}"
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -2,17 +2,22 @@
|
||||||
|
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
# Initialize random passwords if needed
|
# vim: syntax=sh
|
||||||
|
|
||||||
|
export LC_ALL=C
|
||||||
|
VAULT_KV_PATH=/kv/service/matrix
|
||||||
|
RAND_CMD="tr -dc A-Za-z0-9\-_\/=~\.+ < /dev/urandom | head -c 50"
|
||||||
|
if ! vault kv list $(dirname ${VAULT_KV_PATH}) 2>/dev/null | grep -q -E "^$(basename ${VAULT_KV_PATH})\$"; then
|
||||||
|
vault kv put ${VAULT_KV_PATH} \
|
||||||
|
macaroon_secret_key="$(sh -c "${RAND_CMD}")" \
|
||||||
|
form_secret="$(sh -c "${RAND_CMD}")" \
|
||||||
|
|
||||||
if ! vault kv list kv/service 2>/dev/null | grep -q -E '^matrix$'; then
|
|
||||||
vault kv put kv/service/matrix \
|
|
||||||
macaroon_secret_key=$(pwgen -s -n 50 1) \
|
|
||||||
form_secret=$(pwgen -s -n 50 1)
|
|
||||||
fi
|
fi
|
||||||
|
for SECRET in macaroon_secret_key form_secret; do
|
||||||
for PWD in macaroon_secret_key form_secret; do
|
if ! vault kv get -field ${SECRET} ${VAULT_KV_PATH} >/dev/null 2>&1; then
|
||||||
if ! vault kv get -field ${PWD} kv/service/matrix >/dev/null 2>&1; then
|
vault kv patch ${VAULT_KV_PATH} \
|
||||||
vault kv patch kv/service/matrix \
|
${SECRET}=$(sh -c "${RAND_CMD}")
|
||||||
${PWD}=$(pwgen -s -n 50 1)
|
|
||||||
fi
|
fi
|
||||||
done
|
done
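Review bot: `${SECRET}=$(sh -c "${RAND_CMD}")` in the `vault kv patch` branch is unquoted, unlike the two `vault kv put` arguments above it, so the generated value is subject to word splitting and globbing; quote it the same way, `"${SECRET}=$(sh -c "${RAND_CMD}")"`. The `form_secret="..." \` put line also ends in a trailing backslash with no visible continuation, which would turn the following `fi` into an argument of `vault kv put` instead of closing the `if` — if the rendering dropped a line, ignore this, otherwise remove the backslash. The `\-`, `\/` and `\.` escapes inside the double-quoted `RAND_CMD` survive the outer quoting and are only stripped by the inner `sh -c`, which is easy to misread; a comment such as `# escapes are consumed by the inner sh -c; tr sees A-Za-z0-9-_/=~.+` would help.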
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
path "kv/data/service/matrix" {
|
path "/kv/data/service/matrix" {
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
|
|
||||||
path "database/creds/matrix-synapse" {
|
path "/database/creds/matrix-synapse" {
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
|
|
|
@ -2,7 +2,4 @@
|
||||||
|
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
[[- template "common/vault.mkpgrole.sh.tpl"
|
[[ template "common/vault.mkpgrole.sh.tpl" merge .matrix.synapse . ]]
|
||||||
dict "ctx" .
|
|
||||||
"config" (dict "role" (printf "%s-synapse" .instance) "database" "postgres")
|
|
||||||
]]
|
|
||||||
|
|
|
@ -38,7 +38,7 @@ job "[[ .instance ]]" {
|
||||||
[[ template "common/traefik_tags" $w ]]
|
[[ template "common/traefik_tags" $w ]]
|
||||||
]
|
]
|
||||||
|
|
||||||
[[ template "common/connect" merge $c ]]
|
[[ template "common/connect" $c ]]
|
||||||
}
|
}
|
||||||
|
|
||||||
[[ template "common/task.wait_for" $c ]]
|
[[ template "common/task.wait_for" $c ]]
|
||||||
|
@ -58,10 +58,11 @@ job "[[ .instance ]]" {
|
||||||
|
|
||||||
env {
|
env {
|
||||||
SYNAPSE_CONFIG = "/secrets/homeserver.yml"
|
SYNAPSE_CONFIG = "/secrets/homeserver.yml"
|
||||||
|
TMPDIR = "/data/tmp"
|
||||||
[[ template "common/proxy_env" $c ]]
|
[[ template "common/proxy_env" $c ]]
|
||||||
}
|
}
|
||||||
|
|
||||||
[[ template "common/file_env" $c.env ]]
|
[[ template "common/file_env" $c ]]
|
||||||
|
|
||||||
template {
|
template {
|
||||||
data =<<_EOT
|
data =<<_EOT
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
[[ template "common/mv_conf.sh.tpl" dict "ctx" . "services" (dict "matrix" .instance) ]]
|
|
|
@ -2,17 +2,4 @@
|
||||||
|
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
# Initialize random passwords if needed
|
[[ template "common/vault.rand_secrets" merge .matrix.synapse . ]]
|
||||||
|
|
||||||
if ! vault kv list [[ .vault.prefix ]]kv/service 2>/dev/null | grep -q -E '^[[ .instance ]]$'; then
|
|
||||||
vault kv put [[ .vault.prefix ]]kv/service/[[ .instance ]] \
|
|
||||||
macaroon_secret_key=$(pwgen -s -n 50 1) \
|
|
||||||
form_secret=$(pwgen -s -n 50 1)
|
|
||||||
fi
|
|
||||||
|
|
||||||
for PWD in macaroon_secret_key form_secret; do
|
|
||||||
if ! vault kv get -field ${PWD} [[ .vault.prefix ]]kv/service/[[ .instance ]] >/dev/null 2>&1; then
|
|
||||||
vault kv patch [[ .vault.prefix ]]kv/service/[[ .instance ]] \
|
|
||||||
${PWD}=$(pwgen -s -n 50 1)
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
|
@ -74,8 +74,8 @@ default_identity_server: https://matrix.org
|
||||||
|
|
||||||
allow_guest_access: [[ .matrix.allow_guests ]]
|
allow_guest_access: [[ .matrix.allow_guests ]]
|
||||||
|
|
||||||
macaroon_secret_key: '[[ .matrix.synapse.macaroon_secret_key ]]'
|
macaroon_secret_key: '{{- with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.macaroon_secret_key }}{{ end }}'
|
||||||
form_secret: '[[ .matrix.synapse.form_secret ]]'
|
form_secret: '{{- with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.form_secret }}{{ end }}'
|
||||||
|
|
||||||
sso:
|
sso:
|
||||||
client_whitelist:
|
client_whitelist:
|
||||||
|
|
|
@ -28,8 +28,7 @@ matrix:
|
||||||
image: '[[ .docker.repo ]]matrix-synapse:1.99.0-1'
|
image: '[[ .docker.repo ]]matrix-synapse:1.99.0-1'
|
||||||
|
|
||||||
# Additional env var to set in the container
|
# Additional env var to set in the container
|
||||||
env:
|
env: {}
|
||||||
TMPDIR: /data/tmp
|
|
||||||
|
|
||||||
# You can define a custom yaml config which will be merged over the default one.
|
# You can define a custom yaml config which will be merged over the default one.
|
||||||
# Eg, to setup OIDC auth
|
# Eg, to setup OIDC auth
|
||||||
|
@ -50,10 +49,6 @@ matrix:
|
||||||
# email_template: '{{"{{"}} user.email {{"}}"}}'
|
# email_template: '{{"{{"}} user.email {{"}}"}}'
|
||||||
config: {}
|
config: {}
|
||||||
|
|
||||||
# Secrets used by Synapse
|
|
||||||
macaroon_secret_key: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.macaroon_secret_key }}{{ end }}'
|
|
||||||
form_secret: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.form_secret }}{{ end }}'
|
|
||||||
|
|
||||||
# URL preview settings
|
# URL preview settings
|
||||||
url_preview:
|
url_preview:
|
||||||
enabled: true
|
enabled: true
|
||||||
|
@ -75,18 +70,26 @@ matrix:
|
||||||
- username: '*'
|
- username: '*'
|
||||||
- netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
|
- netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
|
||||||
|
|
||||||
# Vault policies
|
|
||||||
vault:
|
vault:
|
||||||
|
# Vault policies
|
||||||
policies:
|
policies:
|
||||||
- '[[ .instance ]]-synapse[[ .consul.suffix ]]'
|
- '[[ .instance ]]-synapse[[ .consul.suffix ]]'
|
||||||
|
# Random secrets to generate and store in vault KV
|
||||||
|
rand_secrets:
|
||||||
|
fields:
|
||||||
|
- macaroon_secret_key
|
||||||
|
- form_secret
|
||||||
|
database:
|
||||||
|
role: '[[ .instance ]]-synapse'
|
||||||
|
pgrole: '[[ .instance ]]-synapse'
|
||||||
|
|
||||||
# Postgres database to use
|
# Postgres database to use
|
||||||
postgres:
|
postgres:
|
||||||
host: 127.0.0.1
|
host: 127.0.0.1
|
||||||
port: 5432
|
port: 5432
|
||||||
database: '[[ .instance ]]-synapse'
|
database: '[[ .instance ]]-synapse'
|
||||||
user: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]-synapse" }}{{ .Data.username }}{{ end }}'
|
#user: '{{ with secret "[[ .vault.root ]]database/creds/[[ .instance ]]-synapse" }}{{ .Data.username }}{{ end }}'
|
||||||
password: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]-synapse" }}{{ .Data.password }}{{ end }}'
|
#password: '{{ with secret "[[ .vault.root ]]database/creds/[[ .instance ]]-synapse" }}{{ .Data.password }}{{ end }}'
|
||||||
|
|
||||||
# Wait for the postgres service to be ready before starting
|
# Wait for the postgres service to be ready before starting
|
||||||
wait_for:
|
wait_for:
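Review bot: The `#user:` and `#password:` lines under `postgres:` are left as commented-out secret-lookup code referencing `.vault.root`, while the live lookup now comes from the new `database.role`/`pgrole` keys; commented-out credential plumbing tends to be resurrected without the matching policy, so either delete the two lines or replace them with a one-line comment such as `# credentials are read from Vault via database.role; see the policy file`. `role` and `pgrole` are set to the same value — a short comment stating which is the Vault database role name and which is the PostgreSQL role it grants would help the next reader. The `matrix:` map continues outside the hunk.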
|
||||||
|
@ -132,7 +135,7 @@ matrix:
|
||||||
admin:
|
admin:
|
||||||
traefik:
|
traefik:
|
||||||
auto_rule: false
|
auto_rule: false
|
||||||
router: '[[ .instance ]]-admin[[ .consul.suffix ]]'
|
router: admin
|
||||||
|
|
||||||
# Volumes used for data persistance
|
# Volumes used for data persistance
|
||||||
volumes:
|
volumes:
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
path "[[ .vault.prefix ]]kv/data/service/[[ .instance ]]" {
|
path "[[ .vault.root ]]kv/data/service/[[ .instance ]]" {
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
|
|
||||||
path "[[ .vault.prefix ]]database/creds/[[ .instance ]]-synapse" {
|
path "[[ .vault.root ]]database/creds/[[ .instance ]]-synapse" {
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
|
|