More work on Synapse + Element + Synapse admin
This commit is contained in:
parent
c6a728fa70
commit
d20774f507
|
@ -10,6 +10,12 @@ Sources = [
|
|||
PathRegex = "^/_(matrix|synapse)/.*"
|
||||
Methods = ["GET", "HEAD", "POST", "OPTIONS", "PUT", "DELETE"]
|
||||
}
|
||||
},
|
||||
{
|
||||
Action = "allow"
|
||||
HTTP {
|
||||
Methods = ["GET", "HEAD"]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
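Review bot: The new `Action = "allow"` entry at the end of the `Sources` list has no `PathRegex`, so unlike the entry above it (limited to `^/_(matrix|synapse)/.*`) it permits GET and HEAD on every path; that is presumably what serving the Element static files and `/.well-known` needs, but nothing says so. A comment above the block such as `# Read-only catch-all for the static UI and /.well-known — keep last` would make the widening intentional. Consul applies the first matching permission, so this catch-all must stay after the method-rich `_matrix|_synapse` entry or it would shadow it for GET/HEAD. The enclosing `Sources = [` block starts outside the hunk.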
@ -1,7 +1,8 @@
|
|||
FROM nginxinc/nginx-unprivileged:alpine
|
||||
MAINTAINER [[ .docker.maintainer ]]
|
||||
|
||||
ARG ELEMENT_VERSION=1.11.51
|
||||
ARG ELEMENT_VERSION=1.11.52 \
|
||||
SYNAPSE_ADMIN_VERSION=0.8.7
|
||||
|
||||
ENV ELEMENT_NGINX_BIND_ADDR=0.0.0.0 \
|
||||
ELEMENT_NGINX_BIND_PORT=8710
|
||||
|
@ -10,8 +11,13 @@ USER root
|
|||
|
||||
RUN set -eux &&\
|
||||
mkdir -p /opt/element &&\
|
||||
mkdir -p /opt/synapse-admin &&\
|
||||
curl -sSL https://github.com/element-hq/element-web/releases/download/v${ELEMENT_VERSION}/element-v${ELEMENT_VERSION}.tar.gz |\
|
||||
tar xvz -C /opt/element/ --strip-components 1
|
||||
tar xvz -C /opt/element/ --strip-components 1 &&\
|
||||
curl -sSL https://github.com/Awesome-Technologies/synapse-admin/releases/download/${SYNAPSE_ADMIN_VERSION}/synapse-admin-${SYNAPSE_ADMIN_VERSION}-dirty.tar.gz |\
|
||||
tar xvz -C /opt/synapse-admin --strip-components 1 &&\
|
||||
rm -rf /opt/synapse-admin/data/* &&\
|
||||
chown -R root: /opt/element /opt/synapse-admin
|
||||
|
||||
USER nginx
|
||||
EXPOSE ${ELEMENT_BIND_PORT}
|
||||
|
|
|
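Review bot: Both `curl -sSL … | tar xvz` downloads in the `RUN` step, the new synapse-admin one included, extract whatever GitHub serves at build time with no integrity check, so the image contents are not pinned beyond the version string in the URL. Download each archive to a file first, verify it against a pinned digest (`echo "<sha256-placeholder>  synapse-admin.tar.gz" | sha256sum -c -`) and only then untar; a `curl` failure inside the pipe is also not caught by `set -e` in `sh`, which the two-step form avoids. Separately, the context line `EXPOSE ${ELEMENT_BIND_PORT}` references a variable this file does not appear to define anywhere (the `ENV` at the top sets `ELEMENT_NGINX_BIND_PORT`), so it likely expands to an empty `EXPOSE`; confirm which name is intended and use it in both places.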
@ -4,6 +4,8 @@ set -euo pipefail
|
|||
|
||||
source /opt/synapse/venv/bin/activate
|
||||
|
||||
umask 007
|
||||
|
||||
if [ ! -e "${SYNAPSE_CONFIG}" ]; then
|
||||
echo "Generating a default ${SYNAPSE_CONFIG}"
|
||||
if [ -z "${SYNAPSE_SERVER_NAME}" ]; then
|
||||
|
|
|
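Review bot: `umask 007` is added without a comment, and it makes every file this script creates group-writable, which includes the generated `${SYNAPSE_CONFIG}` and whatever the generate step writes into the keys directory. If the intent is to let a sibling task sharing the `/data` volume read those files, say so (`# group-accessible so tasks sharing /data can read generated config and keys`); if only this task needs them, `umask 077` is the tighter choice for secret-bearing material. The `if [ ! -e "${SYNAPSE_CONFIG}" ]` block that follows continues outside the hunk.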
@ -3,4 +3,8 @@
|
|||
set -euo pipefail
|
||||
|
||||
source /opt/synapse/venv/bin/activate
|
||||
exec python3 -m synapse.app.homeserver -c ${SYNAPSE_CONFIG}
|
||||
exec python3 -m synapse.app.homeserver \
|
||||
--config-path ${SYNAPSE_CONFIG} \
|
||||
--config-directory=/data/conf \
|
||||
--keys-directory=/data/conf \
|
||||
--data-directory=/data
|
||||
|
|
|
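Review bot: `${SYNAPSE_CONFIG}` on the new `--config-path` line is still unquoted, so a path containing whitespace splits into several arguments; `--config-path "${SYNAPSE_CONFIG}" \` fixes it. The other three flags use the `--flag=value` form while this one uses `--flag value`; pick one form for all four lines so the invocation reads consistently.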
@ -29,6 +29,21 @@ job [[ .instance | toJSON ]] {
|
|||
}
|
||||
}
|
||||
|
||||
tags = [
|
||||
[[- $w := merge .matrix.nginx . ]]
|
||||
"[[ $w.traefik.instance ]].enable=[[ $w.traefik.enabled ]]",
|
||||
|
||||
"[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]]-headers[[ .consul.suffix ]].headers.contentsecuritypolicy=[[ range $k, $v := $w.traefik.csp ]][[ $k ]] [[ $v ]];[[ end ]]",
|
||||
|
||||
"[[ $w.traefik.instance ]].http.routers.[[ .instance ]]-admin[[ .consul.suffix ]].rule=Host(`[[ (urlParse .matrix.public_url).Hostname ]]`) && (PathPrefix(`/_admin/`) || PathPrefix(`/_synapse/admin`))",
|
||||
"[[ $w.traefik.instance ]].http.routers.[[ .instance ]]-admin[[ .consul.suffix ]].entrypoints=[[ join $w.traefik.entrypoints "," ]]",
|
||||
"[[ $w.traefik.instance ]].http.routers.[[ .instance ]]-admin[[ .consul.suffix ]].middlewares=[[ template "common/traefik_middlewares" $w.traefik.admin ]]",
|
||||
|
||||
"[[ $w.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].rule=Host(`[[ (urlParse .matrix.public_url).Hostname ]]`) || (Host(`[[ .matrix.server_name ]]`) && PathRegexp(`^/(_(synapse|matrix)|\\.well-known/matrix)/.*`))",
|
||||
"[[ $w.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].entrypoints=[[ join $w.traefik.entrypoints "," ]]",
|
||||
"[[ $w.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ template "common/traefik_middlewares" $w.traefik ]]",
|
||||
]
|
||||
|
||||
[[ template "common/connect" merge .matrix . ]]
|
||||
}
|
||||
|
||||
|
@ -67,6 +82,13 @@ _EOT
|
|||
perms = 0640
|
||||
}
|
||||
|
||||
template {
|
||||
data =<<_EOT
|
||||
[[ template "matrix/logging.conf.tpl" . ]]
|
||||
_EOT
|
||||
destination = "secrets/logging.conf"
|
||||
}
|
||||
|
||||
volume_mount {
|
||||
volume = "data"
|
||||
destination = "/data"
|
||||
|
@ -75,55 +97,34 @@ _EOT
|
|||
[[ template "common/resources" $c.resources ]]
|
||||
}
|
||||
|
||||
[[ $c = merge .matrix.element . ]]
|
||||
task "element" {
|
||||
driver = [[ $c.nomad.driver | toJSON ]]
|
||||
|
||||
lifecycle {
|
||||
hook = "prestart"
|
||||
sidecar = true
|
||||
}
|
||||
|
||||
config {
|
||||
image = [[ $c.image | toJSON ]]
|
||||
readonly_rootfs = true
|
||||
pids_limit = 100
|
||||
[[ template "common/tmpfs" dict "size" "5000000" "target" "/tmp" ]]
|
||||
}
|
||||
|
||||
env {
|
||||
ELEMENT_BIND_ADDR = "127.0.0.1"
|
||||
ELEMENT_NGINX_BIND_PORT = "8710"
|
||||
}
|
||||
|
||||
[[ template "common/resources" $c.resources ]]
|
||||
}
|
||||
|
||||
[[ $c = merge .matrix.nginx . ]]
|
||||
task "nginx" {
|
||||
driver = [[ $c.nomad.driver | toJSON ]]
|
||||
|
||||
lifecycle {
|
||||
hook = "prestart"
|
||||
sidecar = true
|
||||
}
|
||||
|
||||
config {
|
||||
image = [[ $c.image | toJSON ]]
|
||||
readonly_rootfs = true
|
||||
pids_limit = 100
|
||||
volumes = [
|
||||
"local/nginx.conf:/etc/nginx/conf.d/default.conf"
|
||||
"local/nginx.conf:/etc/nginx/conf.d/default.conf:ro",
|
||||
]
|
||||
[[ template "common/tmpfs" dict "size" "5000000" "target" "/tmp" ]]
|
||||
}
|
||||
|
||||
template {
|
||||
data =<<_EOT
|
||||
[[ template "matrix/nginx.conf.tpl" ]]
|
||||
[[ template "matrix/nginx.conf.tpl" . ]]
|
||||
_EOT
|
||||
destination = "local/nginx.conf"
|
||||
}
|
||||
|
||||
template {
|
||||
data =<<_EOT
|
||||
[[ template "matrix/element.json.tpl" . ]]
|
||||
_EOT
|
||||
destination = "local/element.json"
|
||||
}
|
||||
|
||||
[[ template "common/resources" $c.resources ]]
|
||||
}
|
||||
}
|
||||
|
|
|
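Review bot: The `contentsecuritypolicy` middleware tag references `$c.traefik.instance` while every other tag in the new `tags` list uses `$w` (the `merge .matrix.nginx .` result assigned two lines above), so the CSP middleware is registered under whatever `$c` was bound to earlier in the template rather than under the nginx Traefik instance; change it to `"[[ $w.traefik.instance ]].http.middlewares.[[ .instance ]]-headers[[ .consul.suffix ]].headers.contentsecuritypolicy=…"`. Separately, the `-admin` router's rule overlaps with the main router, which also matches `Host(public_url)` for every path; unless a priority is set, Traefik orders routers by rule length, so the admin middleware chain from `$w.traefik.admin` may never be applied to `/_synapse/admin` requests. Add an explicit `"[[ $w.traefik.instance ]].http.routers.[[ .instance ]]-admin[[ .consul.suffix ]].priority=<higher-than-main-placeholder>"` and confirm routing in the Traefik dashboard. The `job` block opens before this hunk.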
@ -0,0 +1,39 @@
|
|||
{
|
||||
"default_server_config": {
|
||||
"m.homeserver": {
|
||||
"base_url": "[[ .matrix.public_url ]]",
|
||||
"server_name": "[[ .matrix.server_name ]]"
|
||||
},
|
||||
"m.identity_server": {
|
||||
"base_url": "https://vector.im"
|
||||
}
|
||||
},
|
||||
"brand": "Element",
|
||||
"integrations_ui_url": "https://scalar.vector.im/",
|
||||
"integrations_rest_url": "https://scalar.vector.im/api",
|
||||
"integrations_widgets_urls": [
|
||||
"https://scalar.vector.im/_matrix/integrations/v1",
|
||||
"https://scalar.vector.im/api",
|
||||
"https://scalar-staging.vector.im/_matrix/integrations/v1",
|
||||
"https://scalar-staging.vector.im/api",
|
||||
"https://scalar-staging.element.im/scalar/api"
|
||||
],
|
||||
"show_labs_settings": true,
|
||||
"roomDirectory": {
|
||||
"servers": [
|
||||
"matrix.org"
|
||||
]
|
||||
},
|
||||
"disable_guests": [[ .matrix.allow_guests | ternary "false" "true" ]],
|
||||
[[ if and (has .matrix "jitsi") (has .matrix.jitsi "domain") ]]
|
||||
"jitsi": {
|
||||
"preferredDomain": "[[ .matrix.jitsi.domain ]]"
|
||||
},
|
||||
[[ end ]]
|
||||
"settingDefaults": {
|
||||
"UIFeature.feedback": false,
|
||||
"UIFeature.thirdPartyId": false
|
||||
},
|
||||
"map_style_url": "[[ .matrix.element.map_style_url ]]",
|
||||
"happyJson": true
|
||||
}
|
|
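Review bot: `m.identity_server.base_url`, `integrations_ui_url`, `integrations_rest_url` and `integrations_widgets_urls` are hard-coded to vector.im hosts while `map_style_url` is taken from `.matrix.element`; templating the endpoints the same way (e.g. `"base_url": "[[ .matrix.element.identity_server ]]"`, a constructed name) keeps the deployment's outbound hosts in one place and lets the CSP in the variables file be derived from the same values. `show_labs_settings: true` enables experimental features for every user of this deployment and would also fit better as a variable. The conditional `jitsi` block ends with a trailing comma and so depends on `settingDefaults` staying after it; since JSON allows no comments, note that ordering constraint in the template's surrounding documentation.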
@ -2,7 +2,6 @@
|
|||
|
||||
server_name: [[ .matrix.server_name ]]
|
||||
public_baseurl: [[ .matrix.public_url ]]
|
||||
serve_server_wellknown: true
|
||||
report_stats: false
|
||||
|
||||
web_client: false
|
||||
|
@ -52,27 +51,22 @@ media_retention:
|
|||
local_media_lifetime: 730d
|
||||
remote_media_lifetime: 14d
|
||||
|
||||
[[ if .matrix.synapse.url_preview.enabled ]]
|
||||
url_preview_enabled: true
|
||||
url_preview_ip_range_blacklist:
|
||||
- '127.0.0.0/8'
|
||||
- '10.0.0.0/8'
|
||||
- '172.16.0.0/12'
|
||||
- '192.168.0.0/16'
|
||||
- '100.64.0.0/10'
|
||||
- '192.0.0.0/24'
|
||||
- '169.254.0.0/16'
|
||||
- '192.88.99.0/24'
|
||||
- '198.18.0.0/15'
|
||||
- '192.0.2.0/24'
|
||||
- '198.51.100.0/24'
|
||||
- '203.0.113.0/24'
|
||||
- '224.0.0.0/4'
|
||||
[[- range $idx, $black := .matrix.synapse.url_preview.ip_range_blacklist ]]
|
||||
- [[ $black ]]
|
||||
[[- end ]]
|
||||
url_preview_url_blacklist:
|
||||
- username: '*'
|
||||
- netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
|
||||
[[- range $idx, $black := .matrix.synapse.url_preview.url_blacklist ]]
|
||||
- [[ $black | toYAML ]]
|
||||
[[- end ]]
|
||||
[[- end ]]
|
||||
|
||||
default_identity_server: https://matrix.org
|
||||
|
||||
allow_guest_access: [[ .matrix.allow_guests ]]
|
||||
|
||||
macaroon_secret_key: '[[ .matrix.synapse.macaroon_secret_key ]]'
|
||||
form_secret: '[[ .matrix.synapse.form_secret ]]'
|
||||
|
||||
|
@ -96,3 +90,5 @@ alias_creation_rules:
|
|||
alias: '*'
|
||||
action: allow
|
||||
|
||||
log_config: /secrets/logging.conf
|
||||
signing_key_path: /data/conf/[[ .matrix.server_name ]].signing.key
|
||||
|
|
|
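Review bot: `url_preview_ip_range_blacklist` now contains only what `.matrix.synapse.url_preview.ip_range_blacklist` provides, whereas before this commit the private, link-local and reserved ranges were fixed in the template; assuming list variables are replaced rather than merged when overridden, a deployment that sets a shorter list silently opens URL previews to those ranges. Either keep the baseline entries in the template and let the variable only append, or put a comment next to the `range` stating that the variable is the complete list. The `$idx` loop variables in both `range` statements are unused and can be dropped (`[[- range $black := .matrix.synapse.url_preview.ip_range_blacklist ]]`). With `serve_server_wellknown: true` removed here, the `/.well-known/matrix/server` answer depends solely on the nginx location added in the same commit.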
@ -0,0 +1,27 @@
|
|||
version: 1
|
||||
|
||||
formatters:
|
||||
precise:
|
||||
format: '%(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s'
|
||||
|
||||
filters:
|
||||
context:
|
||||
(): synapse.util.logcontext.LoggingContextFilter
|
||||
request: ""
|
||||
|
||||
handlers:
|
||||
console:
|
||||
class: logging.StreamHandler
|
||||
formatter: precise
|
||||
filters: [context]
|
||||
|
||||
loggers:
|
||||
synapse.storage.SQL:
|
||||
# beware: increasing this to DEBUG will make synapse log sensitive
|
||||
# information such as access tokens.
|
||||
level: INFO
|
||||
|
||||
root:
|
||||
level: INFO
|
||||
handlers: [console]
|
||||
|
|
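Review bot: The `context` filter is declared as `synapse.util.logcontext.LoggingContextFilter`, which is the old module path; Synapse's current sample log config uses `(): synapse.logging.context.LoggingContextFilter`, and the image pinned elsewhere in this commit is 1.98.0, so verify the old path still imports or the homeserver will fail at startup when it loads `/secrets/logging.conf`. A short header comment saying this file is rendered into `secrets/logging.conf` and referenced by `log_config` in the homeserver template would help the next editor find the link between the two files.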
@ -2,10 +2,6 @@ upstream synapse {
|
|||
server unix:/alloc/tmp/synapse.sock;
|
||||
}
|
||||
|
||||
upstream element {
|
||||
server 127.0.0.1:8710;
|
||||
}
|
||||
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
'' close;
|
||||
|
@ -14,13 +10,18 @@ map $http_upgrade $connection_upgrade {
|
|||
server {
|
||||
listen 127.0.0.1:8008 default_server;
|
||||
server_tokens off;
|
||||
root /usr/share/html;
|
||||
root /opt/element;
|
||||
index index.html;
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
proxy_set_header Host $host;
|
||||
proxy_socket_keepalive on;
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
client_max_body_size 100m;
|
||||
set_real_ip_from 127.0.0.1;
|
||||
real_ip_header X-Forwarded-For;
|
||||
|
@ -30,14 +31,49 @@ server {
|
|||
proxy_pass http://synapse;
|
||||
proxy_read_timeout 600;
|
||||
}
|
||||
|
||||
location /_synapse {
|
||||
proxy_pass http://synapse;
|
||||
proxy_read_timeout 600;
|
||||
}
|
||||
location /health {
|
||||
|
||||
location = /health {
|
||||
proxy_pass http://synapse;
|
||||
}
|
||||
|
||||
location /index.html {
|
||||
add_header Cache-Control "no-cache";
|
||||
}
|
||||
|
||||
location /version {
|
||||
add_header Cache-Control "no-cache";
|
||||
}
|
||||
|
||||
location /config.json {
|
||||
add_header Cache-Control "no-cache";
|
||||
alias /local/element.json;
|
||||
}
|
||||
|
||||
location /.well-known/matrix/server {
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
default_type application/json;
|
||||
expires 6h;
|
||||
return 200 '{"m.server": "[[ (urlParse .matrix.public_url).Hostname ]]:[[ if eq (urlParse .matrix.public_url).Port "" ]]443[[ else ]][[ (urlParse .matrix.public_url).Port ]][[ end ]]"}';
|
||||
}
|
||||
location /.well-known/matrix/client {
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
default_type application/json;
|
||||
expires 6h;
|
||||
return 200 '{"m.homeserver": {"base_url": "[[ .matrix.public_url ]]"}}';
|
||||
}
|
||||
|
||||
# Expose synapse admin
|
||||
location /_admin/ {
|
||||
alias /opt/synapse-admin/;
|
||||
expires 30d;
|
||||
}
|
||||
# default files
|
||||
location / {
|
||||
proxy_pass http://element;
|
||||
expires 30d;
|
||||
}
|
||||
}
|
||||
|
|
|
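Review bot: `location /config.json`, `/index.html` and `/version` are prefix matches, so `/config.json` also captures `/config.json.bak` or `/config.json/anything` and, through the `alias` to a single file, maps those to paths under `/local/element.json`; use exact matches as the new `location = /health` already does (`location = /config.json { … }`). The `/_admin/` location is safe as written because both the location and the `alias` end in `/`; keep that pairing if either side is edited. If `proxy_pass http://element;` in `location /` survives on the new side, it refers to the `upstream element` block deleted at the top of this file and nginx will reject the config at load; with `root /opt/element` and `index index.html` now set, that location presumably only needs a `try_files $uri /index.html;`, so confirm which it is.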
@ -6,6 +6,7 @@ matrix:
|
|||
|
||||
server_name: matrix.[[ .consul.domain ]]
|
||||
public_url: https://matrix.[[ .consul.domain ]]
|
||||
allow_guests: false
|
||||
|
||||
consul:
|
||||
connect:
|
||||
|
@ -15,7 +16,7 @@ matrix:
|
|||
|
||||
synapse:
|
||||
|
||||
image: '[[ .docker.repo ]]matrix-synapse:latest'
|
||||
image: '[[ .docker.repo ]]matrix-synapse:1.98.0-1'
|
||||
|
||||
env: {}
|
||||
|
||||
|
@ -23,6 +24,26 @@ matrix:
|
|||
|
||||
macaroon_secret_key: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.macaroon_secret_key }}{{ end }}'
|
||||
form_secret: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.form_secret }}{{ end }}'
|
||||
|
||||
url_preview:
|
||||
enabled: true
|
||||
ip_range_blacklist:
|
||||
- 127.0.0.0/8
|
||||
- 10.0.0.0/8
|
||||
- 172.16.0.0/12
|
||||
- 192.168.0.0/16
|
||||
- 100.64.0.0/10
|
||||
- 192.0.0.0/24
|
||||
- 169.254.0.0/16
|
||||
- 192.88.99.0/24
|
||||
- 198.18.0.0/15
|
||||
- 192.0.2.0/24
|
||||
- 198.51.100.0/24
|
||||
- 203.0.113.0/24
|
||||
- 224.0.0.0/4
|
||||
url_blacklist:
|
||||
- username: '*'
|
||||
- netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
|
||||
|
||||
db:
|
||||
host: 127.0.0.1
|
||||
|
@ -37,23 +58,43 @@ matrix:
|
|||
resources:
|
||||
cpu: 500
|
||||
memory: 384
|
||||
|
||||
|
||||
element:
|
||||
image: '[[ .docker.repo ]]matrix-element:latest'
|
||||
map_style_url: https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx
|
||||
|
||||
env: {}
|
||||
|
||||
resources:
|
||||
cpu: 20
|
||||
memory: 16
|
||||
|
||||
nginx:
|
||||
image: nginxinc/nginx-unprivileged:alpine
|
||||
image: '[[ .docker.repo ]]matrix-element:1.11.52-1'
|
||||
|
||||
resources:
|
||||
cpu: 20
|
||||
memory: 16
|
||||
|
||||
traefik:
|
||||
enabled: true
|
||||
csp:
|
||||
script-src: "'self' https://usercontent.riot.im https://scalar.vector.im"
|
||||
worker-src: "'self' blob:"
|
||||
connect-src: "'self' https://scalar.vector.im https://api.maptiler.com"
|
||||
img-src: "'self' data: blob: https://img.youtube.com https://*.ytimg.com"
|
||||
frame-src: "'self' blob: https://scalar.vector.im/ https://meet.element.io"
|
||||
middlewares: []
|
||||
# Override base_middlewares to remove csp-relaxed@file
|
||||
base_middlewares:
|
||||
- rate-limit-high@file
|
||||
- inflight-high@file
|
||||
- security-headers@file
|
||||
- hsts@file
|
||||
- compression@file
|
||||
|
||||
admin:
|
||||
base_middlewares:
|
||||
- rate-limit-high@file
|
||||
- inflight-high@file
|
||||
- security-headers@file
|
||||
- hsts@file
|
||||
- compression@file
|
||||
middlewares: []
|
||||
|
||||
volumes:
|
||||
data:
|
||||
type: csi
|
||||
|
|
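Review bot: The new `csp.connect-src` (`'self' https://scalar.vector.im https://api.maptiler.com`) does not include `https://vector.im`, which the Element config added in this commit sets as `m.identity_server`, nor the `scalar-staging.*` hosts listed under `integrations_widgets_urls`; browser calls to the identity server would be blocked by the policy, so either add those origins or drop them from the Element config, and deriving both from the same variables would prevent this drift. The `admin:` block repeats the parent's `base_middlewares` verbatim and leaves `middlewares: []`, so the admin router currently applies exactly the same chain as the main router; add a comment such as `# admin.middlewares is where a stricter chain for /_synapse/admin belongs` so the empty list is not mistaken for a finished configuration. The key embedded in `map_style_url` is a credential committed in plain text; if that line survives this commit, consider the same Vault-backed pattern used for `macaroon_secret_key`.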