diff --git a/example/images/matrix-element/Dockerfile b/example/images/matrix-element/Dockerfile index 654f0b7..722f60d 100644 --- a/example/images/matrix-element/Dockerfile +++ b/example/images/matrix-element/Dockerfile @@ -1,3 +1,17 @@ +FROM danielberteaud/alpine:24.4-1 AS builder +MAINTAINER Daniel Berteaud + +ARG SYNAPSE_ADMIN_VERSION=0.10.1 + +RUN set -euxo pipefail &&\ + apk --no-cache update &&\ + apk --no-cache add yarn git &&\ + cd /tmp &&\ + git clone --depth=1 --branch=${SYNAPSE_ADMIN_VERSION} https://github.com/Awesome-Technologies/synapse-admin.git &&\ + cd synapse-admin &&\ + yarn install &&\ + yarn build --base=./ + FROM nginxinc/nginx-unprivileged:alpine MAINTAINER Daniel Berteaud @@ -14,6 +28,7 @@ RUN set -eux &&\ curl -sSL https://github.com/element-hq/element-web/releases/download/v${ELEMENT_VERSION}/element-v${ELEMENT_VERSION}.tar.gz |\ tar xvz -C /opt/element/ --strip-components 1 &&\ chown -R root: /opt/element +COPY --from=builder /tmp/synapse-admin/dist /opt/synapse-admin USER nginx EXPOSE ${ELEMENT_BIND_PORT} diff --git a/example/matrix.nomad.hcl b/example/matrix.nomad.hcl index 3dc481b..d486c8f 100644 --- a/example/matrix.nomad.hcl +++ b/example/matrix.nomad.hcl 
@@ -67,6 +67,13 @@ job "matrix" { "traefik.http.middlewares.csp-matrix-admin.headers.contentsecuritypolicy=connect-src 'self' https://scalar.vector.im https://api.maptiler.com;default-src 'self';font-src 'self' data:;frame-src 'self' blob: https://scalar.vector.im/ https://meet.element.io;img-src 'self' data: blob: https://img.youtube.com https://*.ytimg.com;script-src 'self' https://usercontent.riot.im https://scalar.vector.im;style-src 'self' 'unsafe-inline';worker-src 'self' blob:;", "traefik.http.routers.matrix-admin.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-matrix-admin", + "traefik.http.routers.matrix-admin.rule=Host(`matrix.consul`) && PathPrefix(`/_admin`)", + + "traefik.enable=true", + "traefik.http.routers.matrix-synapse-admin.entrypoints=https", + "traefik.http.middlewares.csp-matrix-synapse-admin.headers.contentsecuritypolicy=connect-src 'self' https://scalar.vector.im https://api.maptiler.com;default-src 'self';font-src 'self' data:;frame-src 'self' blob: https://scalar.vector.im/ https://meet.element.io;img-src 'self' data: blob: https://img.youtube.com https://*.ytimg.com;script-src 'self' 'unsafe-inline';style-src 'self' 'unsafe-inline';worker-src 'self' blob:;", + "traefik.http.routers.matrix-synapse-admin.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-matrix-synapse-admin", + "traefik.http.routers.matrix.rule=Host(`matrix.consul`) || (Host(`matrix.consul`) && PathRegexp(`^/(_(synapse|matrix)|\\.well-known/matrix)/.*`))", "traefik.enable=true", @@ -326,7 +333,7 @@ _EOT driver = "docker" config { - image = "danielberteaud/matrix-element:1.11.65-2" + image = "danielberteaud/matrix-element:1.11.65-3" readonly_rootfs = true pids_limit = 100 volumes = [ diff --git a/images/matrix-element/Dockerfile b/images/matrix-element/Dockerfile index 10d68d5..c008bc2 100644 --- a/images/matrix-element/Dockerfile 
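Review bot: The added rule tag is keyed on the `matrix-admin` router (`traefik.http.routers.matrix-admin.rule=Host(`matrix.consul`) && PathPrefix(`/_admin`)`) while the entrypoints and middlewares added right below it are keyed on `matrix-synapse-admin`, so the rendered job gives `matrix-admin` two `.rule` tags and `matrix-synapse-admin` none. As far as I know Traefik refuses to create a router that has no rule, and which of two identical `matrix-admin.rule` tags wins is not something to rely on; the likely outcome is that `/_admin` falls through to the catch-all `matrix` router without the `csp-matrix-synapse-admin` and security-headers middlewares, or that the `/_synapse/admin` API router loses its own rule. The line should read `"traefik.http.routers.matrix-synapse-admin.rule=Host(`matrix.consul`) && PathPrefix(`/_admin`)",`; since this file looks like rendered output of the matrix.nomad.hcl template changed in the same commit, the fix belongs in the template. The `tags` list these lines sit in starts and ends outside the hunk.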
+++ b/images/matrix-element/Dockerfile @@ -1,3 +1,17 @@ +FROM [[ .docker.repo ]][[ .docker.base_images.alpine.image ]] AS builder +MAINTAINER [[ .docker.maintainer ]] + +ARG SYNAPSE_ADMIN_VERSION=[[ .matrix.synapse_admin.version ]] + +RUN set -euxo pipefail &&\ + apk --no-cache update &&\ + apk --no-cache add yarn git &&\ + cd /tmp &&\ + git clone --depth=1 --branch=${SYNAPSE_ADMIN_VERSION} https://github.com/Awesome-Technologies/synapse-admin.git &&\ + cd synapse-admin &&\ + yarn install &&\ + yarn build --base=./ + FROM nginxinc/nginx-unprivileged:alpine MAINTAINER [[ .docker.maintainer ]] @@ -14,6 +28,7 @@ RUN set -eux &&\ curl -sSL https://github.com/element-hq/element-web/releases/download/v${ELEMENT_VERSION}/element-v${ELEMENT_VERSION}.tar.gz |\ tar xvz -C /opt/element/ --strip-components 1 &&\ chown -R root: /opt/element +COPY --from=builder /tmp/synapse-admin/dist /opt/synapse-admin USER nginx EXPOSE ${ELEMENT_BIND_PORT} diff --git a/matrix.nomad.hcl b/matrix.nomad.hcl index 6d4e024..f8fa616 100644 --- a/matrix.nomad.hcl +++ b/matrix.nomad.hcl @@ -40,8 +40,11 @@ job "[[ .instance ]]" { tags = [ [[- $w := merge .matrix.nginx .matrix . ]] [[- $a := merge .matrix.nginx.admin $w ]] +[[- $sa := merge .matrix.nginx.synapse_admin $w ]] "[[ $a.traefik.instance ]].http.routers.[[ .instance ]]-admin[[ .consul.suffix ]].rule=Host(`[[ (urlParse .matrix.public_url).Hostname ]]`) && PathPrefix(`/_synapse/admin`)", [[ template "common/traefik_tags" $a ]] + "[[ $a.traefik.instance ]].http.routers.[[ .instance ]]-admin[[ .consul.suffix ]].rule=Host(`[[ (urlParse .matrix.public_url).Hostname ]]`) && PathPrefix(`/_admin`)", +[[ template "common/traefik_tags" $sa ]] "[[ $w.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].rule=Host(`[[ (urlParse .matrix.public_url).Hostname ]]`) || (Host(`[[ .matrix.server_name ]]`) && PathRegexp(`^/(_(synapse|matrix)|\\.well-known/matrix)/.*`))", [[ template "common/traefik_tags" $w ]] ] 
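Review bot: The builder stage fetches the admin UI with `git clone --depth=1 --branch=${SYNAPSE_ADMIN_VERSION}` and builds it with a bare `yarn install`, so nothing in the build pins what actually ends up served: a git tag can be moved or re-pushed, and `yarn install` without `--frozen-lockfile` will rewrite `yarn.lock` and resolve newer packages if the lockfile and package.json have drifted. Because the artifact is an admin UI that will hold a Synapse admin token in the browser, I would pin the checkout to the commit behind the tag and make the lockfile authoritative: add `ARG SYNAPSE_ADMIN_COMMIT=<commit hash of the ${SYNAPSE_ADMIN_VERSION} tag>`, then after the clone `test "$(git rev-parse HEAD)" = "${SYNAPSE_ADMIN_COMMIT}" &&\` and `yarn install --frozen-lockfile &&\`. Two style points while here: `MAINTAINER` is deprecated in favour of `LABEL org.opencontainers.image.authors=...`, and `WORKDIR /tmp` would replace the `cd /tmp` (hadolint DL3003).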
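Review bot: The new rule tag is built from `$a` and the `-admin` router name, `[[ $a.traefik.instance ]].http.routers.[[ .instance ]]-admin[[ .consul.suffix ]].rule=…PathPrefix(`/_admin`)`, but the tags emitted right after it by `common/traefik_tags $sa` are for the `synapse-admin` router (`router: synapse-admin` in variables.yml). The rendered job therefore carries two `.rule` tags on the `-admin` router and no rule at all on `-synapse-admin`; as far as I know Traefik drops a router without a rule, so `/_admin` would most likely be served by the catch-all `[[ .instance ]]` router without the synapse-admin CSP and security-headers middlewares, and whichever `-admin.rule` tag wins decides whether `/_synapse/admin` or `/_admin` keeps the admin router. Change the line to `"[[ $sa.traefik.instance ]].http.routers.[[ .instance ]]-synapse-admin[[ .consul.suffix ]].rule=Host(`[[ (urlParse .matrix.public_url).Hostname ]]`) && PathPrefix(`/_admin`)",`. I am inferring the router naming from the rendered example in the same commit; the `tags` list and its enclosing service block start outside the hunk.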
diff --git a/variables.yml b/variables.yml index 1afd6e5..1f65696 100644 --- a/variables.yml +++ b/variables.yml @@ -112,11 +112,15 @@ matrix: map_style_url: https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx version: 1.11.65 + # Synapse Admin is the admin interface for Synapse + synapse_admin: + version: 0.10.1 + # Nginx will servce static files (well-known, element, synapse-admin), and proxy requests to synapse nginx: # The image to use - image: '[[ .docker.repo ]]matrix-element:[[ .matrix.element.version ]]-2' + image: '[[ .docker.repo ]]matrix-element:[[ .matrix.element.version ]]-3' # Resource allocation resources: @@ -144,6 +148,14 @@ matrix: auto_rule: false router: admin + # Synapse admin + synapse_admin: + traefik: + auto_rule: false + router: synapse-admin + csp: + script-src: "'self' 'unsafe-inline'" + # Volumes used for data persistance volumes: # Synapse will use this volume to store media, signing keys etc.
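Review bot: The new `synapse_admin.traefik.csp.script-src: "'self' 'unsafe-inline'"` switches off the inline-script part of the CSP on the one UI in this stack that holds a Synapse admin access token in the browser, and the comment block above it does not say why the admin bundle needs it; the rendered `csp-matrix-admin` policy for `/_synapse/admin` in the example job keeps `script-src 'self'` plus named hosts. If the synapse-admin build genuinely requires it (I cannot tell from here), please record that next to the key, e.g. `# synapse-admin ships inline scripts; 'unsafe-inline' is needed until a nonce or hash can be used`, and consider compensating on the router side with an IP allowlist or auth middleware, since `/_admin` is otherwise reachable on the public hostname with only rate limiting in front of it.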