From 11b3595a853ee319a4ed19337f6b73fec31fb8e3 Mon Sep 17 00:00:00 2001
From: mustard
Date: Tue, 27 Aug 2024 00:08:01 +0200
Subject: [PATCH] Synapse config.
---
 config/nginx/docker-compose-synapse.yaml | 74 +++++++++++++++++++++
 config/nginx/synapse.conf | 68 +++++++++++++++++++
 config/synapse/homeserver.yaml | 83 ++++++++++++++++++++++++
 3 files changed, 225 insertions(+)
 create mode 100644 config/nginx/docker-compose-synapse.yaml
 create mode 100644 config/nginx/synapse.conf
 create mode 100644 config/synapse/homeserver.yaml
diff --git a/config/nginx/docker-compose-synapse.yaml b/config/nginx/docker-compose-synapse.yaml
new file mode 100644
index 0000000..40f2d34
--- /dev/null
+++ b/config/nginx/docker-compose-synapse.yaml
@@ -0,0 +1,74 @@
+services:
+ reverse-proxy:
+ image: ghcr.io/nginxinc/nginx-unprivileged:mainline-alpine-slim
+ container_name: reverse_proxy
+ restart: always
+ ports:
+ - "443:8443"
+ volumes:
+ - ./config/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+ - ./config/nginx/tls.conf:/etc/nginx/conf.d/tls.conf:ro
+ - ./data/certs:/etc/nginx/ssl:ro
+ networks:
+ - frontend
+ synapse:
+ depends_on:
+ - postgres
+ restart: always
+ image: "ghcr.io/polarix-containers/synapse:latest"
+ user: "${UID:-3000}:${GID:-3000}"
+ container_name: "synapse"
+ volumes:
+ - ./config/synapse/homeserver.yaml:/config/homeserver.yaml:ro,z
+ - ./data/synapse:/data:z
+# - ./data/certs:/certs:ro
+ networks:
+ backend:
+ frontend:
+ aliases:
+ - synapse
+ ports:
+ - "8448:8448"
+ secrets:
+ - database.yml
+ - experimental-synapse.homelab0ne.xyz.signing.key
+ environment:
+ SYNAPSE_SERVER_NAME: "experimental-synapse.homelab0ne.xyz"
+ SYNAPSE_REPORT_STATS: "yes"
+ SYNAPSE_HTTP_PORT: "8448"
+ command:
+ - run
+ - "--config-path"
+ - "/config/homeserver.yaml"
+ - "--config-path"
+ - "/var/run/secrets/database.yml"
+ acme.sh:
+ command:
+ - daemon
+ container_name: acme.sh
+ environment:
+ DEDYN_TOKEN: "${DEDYN_TOKEN}"
+ image: 'ghcr.io/polarix-containers/acme.sh:latest'
+ restart: always
+ volumes:
+ - ./data/acme.sh:/acme.sh:Z
+ - ./data/certs:/certs:z
+ postgres:
+ container_name: postgres
+ image: cgr.dev/chainguard/postgres:latest
+ volumes:
+ - ./data/postgres:/var/lib/postgresql/data:Z
+ restart: unless-stopped
+ environment:
+ POSTGRES_PASSWORD: "${POSTGRES_PASSWORD}"
+ networks:
+ - backend
+networks:
+ backend:
+ frontend:
+ driver: bridge
+secrets:
+ experimental-synapse.homelab0ne.xyz.signing.key:
+ file: ./secrets/experimental-synapse.homelab0ne.xyz.signing.key
+ database.yml:
+ file: ./secrets/synapse_database.yaml
diff --git a/config/nginx/synapse.conf b/config/nginx/synapse.conf
new file mode 100644
index 0000000..934cf32
--- /dev/null
+++ b/config/nginx/synapse.conf
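Review bot: The `synapse` service publishes `- "8448:8448"` on the host, yet the only listener in `config/synapse/homeserver.yaml` (third hunk) is `tls: false` with `x_forwarded: true` and no `bind_addresses`, so the plain-HTTP listener is reachable directly and will trust whatever `X-Forwarded-For` a direct client sends, which undermines per-IP rate limiting and the source address recorded in Synapse's logs. The proxy already reaches it over the `frontend` network and synapse.conf advertises port 443 for federation, so the publish appears unnecessary; drop the `ports:` stanza under `synapse`, or if direct access is really wanted bind it locally with `- "127.0.0.1:8448:8448"`. Separately, `reverse-proxy` mounts `./config/nginx/nginx.conf` and `./config/nginx/tls.conf` but the `config/nginx/synapse.conf` this commit adds is never mounted, and since the compose file itself lives under `config/nginx/` those `./config/...` paths presumably only resolve when compose is run with the repository root as the project directory. All four images use floating tags (`:latest`, `mainline-alpine-slim`); pinning to a digest would make the deployment reproducible and make image updates visible in review.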
@@ -0,0 +1,68 @@
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+pid /tmp/nginx.pid;
+
+
+events
+{
+ worker_connections 1024;
+}
+
+
+http
+{
+ proxy_temp_path /tmp/proxy_temp;
+ client_body_temp_path /tmp/client_temp;
+ fastcgi_temp_path /tmp/fastcgi_temp;
+ uwsgi_temp_path /tmp/uwsgi_temp;
+ scgi_temp_path /tmp/scgi_temp;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ #gzip on;
+
+ include /etc/nginx/conf.d/*.conf;
+
+
+ server
+ {
+ listen 8443 ssl;
+ listen [::]:8443 ssl;
+ ssl_certificate /etc/nginx/ssl/cert.pem;
+ ssl_certificate_key /etc/nginx/ssl/key.pem;
+ server_name experimental-synapse.homelab0ne.xyz;
+ location /
+ {
+ proxy_pass http://synapse:8448;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+
+ # Nginx by default only allows file uploads up to 1M in size
+ # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+ client_max_body_size 50M;
+ proxy_http_version 1.1;
+ }
+
+ location /.well-known/_matrix/server {
+ return 200 '{ "m.homeserver": "experimental-synapse.homelab0ne.xyz:443" }';
+ }
+
+ }
+
+
+}
+
diff --git a/config/synapse/homeserver.yaml b/config/synapse/homeserver.yaml
new file mode 100644
index 0000000..48e4cb9
--- /dev/null
+++ b/config/synapse/homeserver.yaml
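Review bot: The `location /.well-known/_matrix/server` block answers on the wrong path with the wrong document: Matrix server delegation is fetched from `/.well-known/matrix/server` (no underscore) and expects `{"m.server": "host:port"}`, while `m.homeserver` is the key of the client discovery file. As written the block is never hit for federation lookups, which fall through to `location /` and are answered by Synapse itself because homeserver.yaml sets `serve_server_wellknown: true`; either delete the block or fix it to `location /.well-known/matrix/server {` / `default_type application/json;` / `return 200 '{ "m.server": "experimental-synapse.homelab0ne.xyz:443" }';` (the `default_type` is needed because the http block sets `application/octet-stream`). On the security side, `location /` forwards every path to Synapse including `/_synapse/admin`; Synapse's reverse-proxy guidance is to expose only `/_matrix` and `/_synapse/client`, e.g. `location ~ ^(/_matrix|/_synapse/client) {`, so the admin API is not reachable from the internet. `proxy_set_header X-Forwarded-For $remote_addr;` correctly discards any client-supplied value, which is what Synapse's `x_forwarded: true` relies on.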
@@ -0,0 +1,83 @@
+# Configuration file for Synapse.
+#
+# This is a YAML file: see [1] for a quick introduction. Note in particular
+# that *indentation is important*: all the elements of a list or dictionary
+# should have the same indentation.
+#
+# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
+#
+# For more information on how to configure Synapse, including a complete accounting of
+# each option, go to docs/usage/configuration/config_documentation.md or
+# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html
+server_name: "experimental-synapse.homelab0ne.xyz"
+pid_file: /data/homeserver.pid
+serve_server_wellknown: true
+listeners:
+ - port: 8448
+ tls: false
+ type: http
+ x_forwarded: true
+# bind_addresses: ['::1', '127.0.0.1']
+ resources:
+ - names: [client, federation]
+ compress: false
+log_config: "/data/experimental-synapse.homelab0ne.xyz.log.config"
+media_store_path: /data/media_store
+report_stats: true
+signing_key_path: "/var/run/secrets/experimental-synapse.homelab0ne.xyz.signing.key"
+trusted_key_servers:
+ - server_name: "matrix.org"
+experimental_features:
+ msc3026_enabled: true # "Busy" presence state
+ msc3266_enabled: true # Room summary API
+ msc3720_enabled: false # Account status endpoint
+ msc2654_enabled: true # Unread counts
+ msc2815_enabled: true # Allow room moderators to view redacted event content
+ msc3391_enabled: true # Deleting account data
+ msc3773_enabled: true # Notifications for threads
+ msc3664_enabled: true # Notifications for relations
+ msc3848_enabled: true # Introduce errcodes for specific event sending failures
+ msc3881_enabled: true # Remotely toggle push notifications for another client
+ msc3874_enabled: true # Filtering the /messages API by relation type
+ msc3890_enabled: true # Remotely silence local notifications
+ msc3381_polls_enabled: true # MSC3930: Polls push rules/notifications
+ msc3912_enabled: true # Relation-based redactions
+ msc1767_enabled: true # Extensible events
+ msc3967_enabled: false # Do not require UIA when first uploading cross signing keys
+ msc3981_recurse_relations: true # Recurse relations
+ msc4010_push_rules_account_data: true # Do
+media_retention:
+ local_media_lifetime: 1y
+ remote_media_lifetime: 1y
+url_preview_enabled: true
+url_preview_ip_range_blacklist:
+ - '127.0.0.0/8'
+ - '10.0.0.0/8'
+ - '172.16.0.0/12'
+ - '192.168.0.0/16'
+ - '100.64.0.0/10'
+ - '192.0.0.0/24'
+ - '169.254.0.0/16'
+ - '192.88.99.0/24'
+ - '198.18.0.0/15'
+ - '192.0.2.0/24'
+ - '198.51.100.0/24'
+ - '203.0.113.0/24'
+ - '224.0.0.0/4'
+ - '::1/128'
+ - 'fe80::/10'
+ - 'fc00::/7'
+ - '2001:db8::/32'
+ - 'ff00::/8'
+ - 'fec0::/10'
+allow_device_name_lookup_over_federation: true
+enable_registration: false
+retention:
+ enabled: false
+redaction_retention_period: 30d
+forgotten_room_retention_period: 7d
+user_ips_max_age: 60d
+delete_stale_devices_after: 120d
+forget_rooms_on_leave: true
+
+# vim:ft=yaml
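Review bot: The inline comment on `msc4010_push_rules_account_data: true # Do` is cut off mid-sentence, so unlike every other flag in `experimental_features` the reader cannot tell what it enables; finish the comment with the MSC's subject or drop the fragment. Several of these MSC flags have since been stabilised or removed in later Synapse releases and, as far as I can tell, unrecognised keys in `experimental_features` are ignored rather than rejected, so with the compose file pulling `:latest` it is worth checking the flags against the running version and trimming the ones that no longer do anything. `url_preview_enabled: true` lets the homeserver fetch arbitrary URLs on behalf of users, and the `url_preview_ip_range_blacklist` that follows is the mitigation; a one-line comment above it, `# Blocks previews of internal/private ranges (SSRF mitigation); keep in sync with the Synapse docs example`, would stop a future edit from trimming it.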