-rw-r--r-- | matrix-server/certbot/Dockerfile | 1 | ||||
-rw-r--r-- | matrix-server/certbot/scripts/concatenate-certificates.sh | 8 | ||||
-rw-r--r-- | matrix-server/certbot/scripts/create-certificates.sh | 9 | ||||
-rw-r--r-- | matrix-server/certbot/scripts/renew-certificates.sh | 5 | ||||
-rw-r--r-- | matrix-server/certbot/scripts/update-haproxy-certificates.sh | 9 | ||||
-rw-r--r-- | matrix-server/docker-compose.yml | 59 | ||||
-rw-r--r-- | matrix-server/haproxy/haproxy.cfg | 44 |
7 files changed, 82 insertions, 53 deletions
diff --git a/matrix-server/certbot/Dockerfile b/matrix-server/certbot/Dockerfile
index dc6369b..cd1c6bd 100644
--- a/matrix-server/certbot/Dockerfile
+++ b/matrix-server/certbot/Dockerfile
@@ -1,4 +1,5 @@
 FROM certbot/certbot:v1.11.0
 RUN apk update && apk add socat
 COPY ./scripts/ /etc/scripts/
+RUN chmod +x /etc/scripts/*.sh
 EXPOSE 380
diff --git a/matrix-server/certbot/scripts/concatenate-certificates.sh b/matrix-server/certbot/scripts/concatenate-certificates.sh
index 5238a9b..242f5e5 100644
--- a/matrix-server/certbot/scripts/concatenate-certificates.sh
+++ b/matrix-server/certbot/scripts/concatenate-certificates.sh
@@ -1,5 +1,7 @@
-#!/bin/bash
+#!/bin/sh
 
-if [ -f /etc/letsencrypt/live/davole.com/fullchain.pem -a -f /etc/letsencrypt/live/davole.com/privkey.pem ]; then
- cat /etc/letsencrypt/live/davole.com/fullchain.pem /etc/letsencrypt/live/davole.com/privkey.pem > /etc/certificates/davole.com.pem
+echo "running concat certs..."
+if [ -f /etc/letsencrypt/live/terminaldweller.com/fullchain.pem -a -f /etc/letsencrypt/live/terminaldweller.com/privkey.pem ]; then
+ echo "when you're out, we're in...''"
+ cat /etc/letsencrypt/live/terminaldweller.com/fullchain.pem /etc/letsencrypt/live/terminaldweller.com/privkey.pem > /etc/certificates/terminaldweller.com.pem
 fi
diff --git a/matrix-server/certbot/scripts/create-certificates.sh b/matrix-server/certbot/scripts/create-certificates.sh
index 5fb6345..1bc1094 100644
--- a/matrix-server/certbot/scripts/create-certificates.sh
+++ b/matrix-server/certbot/scripts/create-certificates.sh
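Review bot: The added `RUN chmod +x /etc/scripts/*.sh` does not change how these scripts run today: the compose entrypoint and create-certificates.sh dot-source them (`. /etc/scripts/...`), which reads the file without needing the execute bit and runs it inside the caller's shell, so an `exit` in any of them also ends the sourcing shell. If the intent is to run them as separate processes, invoke them by path instead of sourcing. Separately, `RUN apk update && apk add socat` leaves the package index in the layer; `RUN apk add --no-cache socat` avoids that, and the base image stays pinned at `certbot/certbot:v1.11.0`, so the ACME client receives no upstream fixes until the tag is bumped.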
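Review bot: The new `cat ... privkey.pem > /etc/certificates/terminaldweller.com.pem` writes the private key into a file created under the process's default umask, so in the shared `certificates` volume it is most likely readable by anything that mounts it; put `umask 077` before the `cat` (or `chmod 600` the result). The write is also not atomic — `>` truncates first, so HAProxy's container can observe an empty or partial bundle — so write to `/etc/certificates/terminaldweller.com.pem.tmp` and `mv -f` it over the target. With the shebang now `/bin/sh`, prefer `[ -f a ] && [ -f b ]` over the obsolescent `-a` test operator, and the `echo "when you're out, we're in...''"` debug line should not ship.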
@@ -1,9 +1,10 @@
-#!/bin/bash
+#!/bin/sh
+echo "running create certs..."
 # Request certificates
 certbot certonly --standalone \
- --non-interactive --agree-tos --email info@davole.com --http-01-port=380 \
- --cert-name davole.com \
- -d davole.com
+ --non-interactive --agree-tos --email thabogre@gmail.com --http-01-port=380 \
+ --cert-name terminaldweller.com \
+ -d terminaldweller.com
 # Concatenate certificates
 . /etc/scripts/concatenate-certificates.sh
 # Update certificates in HAProxy
diff --git a/matrix-server/certbot/scripts/renew-certificates.sh b/matrix-server/certbot/scripts/renew-certificates.sh
index e46d412..ff56115 100644
--- a/matrix-server/certbot/scripts/renew-certificates.sh
+++ b/matrix-server/certbot/scripts/renew-certificates.sh
@@ -1,7 +1,8 @@
-#!/bin/bash
+#!/bin/sh
+echo "running renew certs..."
 # Certificates exist
-if [ -d /etc/letsencrypt/live/davole.com ]; then
+if [ -d /etc/letsencrypt/live/terminaldweller.com ]; then
 # Check certificates and renew them
 certbot renew --http-01-port=380
diff --git a/matrix-server/certbot/scripts/update-haproxy-certificates.sh b/matrix-server/certbot/scripts/update-haproxy-certificates.sh
index a1f9fc6..9eaae7c 100644
--- a/matrix-server/certbot/scripts/update-haproxy-certificates.sh
+++ b/matrix-server/certbot/scripts/update-haproxy-certificates.sh
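Review bot: The exit status of `certbot certonly` is never checked, and since this now runs under `/bin/sh` with no `set -e`, a failed issuance falls straight through to sourcing concatenate-certificates.sh and update-haproxy-certificates.sh, which then push whatever bundle happens to exist. Add `set -e` after the shebang or guard the call with `certbot certonly ... || exit 1`. Because the two helpers are dot-sourced, an `exit` inside either of them also terminates this script at that point rather than returning to it.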
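Review bot: `certbot renew --http-01-port=380` is run unconditionally every 12 hours from the compose entrypoint loop, and whatever follows inside the `if` (the rest of the body is outside this hunk) presumably re-concatenates and pushes the bundle to HAProxy on every pass, not only when a certificate was actually renewed. certbot's `--deploy-hook` runs a command only for lineages that were renewed, so `certbot renew --http-01-port=380 --deploy-hook "/etc/scripts/concatenate-certificates.sh && /etc/scripts/update-haproxy-certificates.sh"` would make the HAProxy update conditional and remove the periodic stale push. The `if [ -d ... ]` guard also means a fresh deployment with no existing lineage silently does nothing; consider invoking create-certificates.sh from an `else` branch.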
@@ -1,10 +1,11 @@
-#!/bin/bash
+#!/bin/sh
+echo "running update certs..."
 # Start transaction
-echo -e "set ssl cert /usr/local/etc/haproxy/certificates/davole.com.pem <<\n$(cat /etc/certificates/davole.com.pem)\n" | socat tcp-connect:haproxy:9999 -
+echo -e "set ssl cert /etc/letsencrypt/live/terminaldweller.com/fullchain.pem <<\n$(cat /etc/certificates/terminaldweller.com.pem)\n" | socat tcp-connect:haproxy:9999 -
 # Commit transaction
-echo "commit ssl cert /usr/local/etc/haproxy/certificates/davole.com.pem" | socat tcp-connect:haproxy:9999 -
+echo "commit ssl cert /etc/letsencrypt/live/terminaldweller.com/fullchain.pem" | socat tcp-connect:haproxy:9999 -
 # Show certification info (not essential)
-echo "show ssl cert /usr/local/etc/haproxy/certificates/davole.com.pem" | socat tcp-connect:haproxy:9999 -
+echo "show ssl cert /etc/letsencrypt/live/terminaldweller.com/fullchain.pem" | socat tcp-connect:haproxy:9999 -
diff --git a/matrix-server/docker-compose.yml b/matrix-server/docker-compose.yml
index 42083c2..eb0f354 100644
--- a/matrix-server/docker-compose.yml
+++ b/matrix-server/docker-compose.yml
@@ -1,4 +1,4 @@
-version: "3.8"
+version: "3.4"
 services:
 postgres:
 image: postgres:13-alpine
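Review bot: The `set ssl cert` / `commit ssl cert` commands now name `/etc/letsencrypt/live/terminaldweller.com/fullchain.pem`, but HAProxy's runtime API identifies a certificate by the path its `crt` directive loaded, and haproxy.cfg in this same commit binds `crt /etc/certificates/terminaldweller.com.pem`; the transaction will be refused as a certificate not referenced by the configuration and the renewed bundle is never installed. Use the loaded path, e.g. `CERT=/etc/certificates/terminaldweller.com.pem`, then `printf 'set ssl cert %s <<\n%s\n\n' "$CERT" "$(cat "$CERT")" | socat tcp-connect:haproxy:9999 -` and `echo "commit ssl cert $CERT" | socat tcp-connect:haproxy:9999 -`. `printf` also removes the dependence on `echo -e`, which is not POSIX and only works here because the image's `/bin/sh` is BusyBox ash. None of the three pipelines inspect socat's exit status or the API's reply, so a rejected update leaves no trace in the logs.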
@@ -28,20 +28,26 @@ services:
 - dbnet
 volumes:
 - synapse-data:/data/
- - cert-data:/etc/letsencrypt/live/
- - ./synapse/homeserver.yaml:/data/homeserver.yaml:ro
+ # - cert-data:/etc/letsencrypt/live/
+ # - ./synapse/homeserver.yaml:/data/homeserver.yaml
+ # - ./synapse/terminaldweller.com.signing.key:/data/terminaldweller.com.signing.key
+ # - ./synapse/terminaldweller.com.log.config:/data/terminaldweller.com.log.config
+ # entrypoint: ["tail", "-f", "/dev/null"]
+ # command: ["generate"]
 depends_on:
 - postgres
 - haproxy
 ports:
 - "8008:8008"
- - "8484:8484/tcp"
- - "8443:443"
+ # - "8484:8484/tcp"
+ # - "443:443"
 environment:
+ - SYNAPSE_SERVER_NAME=terminaldweller.com
+ - SYNAPSE_REPORT_STATS=yes
 - SYNAPSE_DATA_DIR=/data/
 - SYNAPSE_CONFIG_DIR=/data/
 - SYNAPSE_CONFIG_PATH=/data/homeserver.yaml
- - TZ=Tehran/Asia
+ # - TZ=Tehran/Asia
 healthcheck:
 test: ["CMD", "curl", "-fSs", "http://localhost:8008/health"]
 interval: 1m
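Review bot: `- "8008:8008"` under `ports` publishes Synapse's plaintext client port on every host interface while HAProxy already terminates TLS in front of it, so clients can reach the homeserver over unencrypted HTTP and bypass the proxy entirely; the healthcheck uses `http://localhost:8008/health` inside the container and does not need the publish. Drop the mapping or bind it to loopback: `- "127.0.0.1:8008:8008"`. Two smaller points: the `:ro` was dropped from the (now commented) `homeserver.yaml` mount, so re-enabling it later would give Synapse write access to its own config, and `SYNAPSE_REPORT_STATS=yes` opts this server into usage reporting to the Synapse project; both should be deliberate choices rather than side effects of the rework.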
@@ -50,42 +56,49 @@ services:
 haproxy:
 image: haproxy:lts-alpine
 ports:
- - "9080:80"
+ - "80:80"
 - "443:443"
 - "9999:9999"
+ - "8448:8448/tcp"
 networks:
 - matrixnet
 - turnnet
+ - certnet
 volumes:
 - ./haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
- - cert-data:/usr/local/etc/haproxy/certificates:ro
+ # - cert-data:/usr/local/etc/haproxy/certificates:ro
+ # - cert-data:/etc/certificates:ro
+ - certificates:/etc/certificates
 depends_on:
 - certbot
- restart: on-failure
+ # restart: on-failure
 certbot:
 image: certbot
 build:
 context: ./certbot
 ports:
- - "80:80"
+ - "9080:80"
 - "9443:443"
 networks:
 - certnet
 volumes:
- - cert-data:/etc/certificates
+ # - cert-data:/etc/certificates
+ - certificates:/etc/certificates
+ - certbot-data:/etc/letsencrypt
 entrypoint: "/bin/sh -c 'trap exit TERM; while :; do . /etc/scripts/renew-certificates.sh ; sleep 12h & wait $${!}; done;'"
 restart: always
- coturn:
- image: coturn/coturn:latest
- networks:
- - turnnet
- volumes:
- - ./coturn/turnserver.conf:/etc/turnserver.conf:ro
- ports:
- - "3478:3478"
- - "5349:5349"
- depends_on:
- - synapse
+ command: ["certonly"]
+ # coturn:
+ # image: coturn/coturn:latest
+ # networks:
+ # - turnnet
+ # volumes:
+ # - ./coturn/turnserver.conf:/etc/turnserver.conf:ro
+ # ports:
+ # - "3478:3478"
+ # - "5349:5349"
+ # depends_on:
+ # - synapse
 networks:
 matrixnet:
 certnet:
@@ -95,6 +108,8 @@ volumes:
 db-data:
 synapse-data:
 cert-data:
+ certificates:
+ certbot-data:
 secrets:
 pg_pass_secret:
 file: ./postgres/pg_pass_secret
diff --git a/matrix-server/haproxy/haproxy.cfg b/matrix-server/haproxy/haproxy.cfg
index 2afa3fb..c619259 100644
--- a/matrix-server/haproxy/haproxy.cfg
+++ b/matrix-server/haproxy/haproxy.cfg
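Review bot: `- "9999:9999"` publishes HAProxy's runtime API — configured in haproxy.cfg as `stats socket :9999 level admin` with no authentication — on the host, so anyone who can reach that port can replace certificates, disable backends or rewrite maps; the only legitimate client is the certbot container, which now shares `certnet` with haproxy and reaches `haproxy:9999` without any host publish. Remove that ports entry. The `certificates` volume is also mounted read-write into haproxy where the removed `cert-data` mount was `:ro`; HAProxy only reads the bundle, so use `- certificates:/etc/certificates:ro`. With the string-form `entrypoint: "/bin/sh -c '...'"`, the added `command: ["certonly"]` becomes `$0` of that shell and is never executed, and commenting out `restart: on-failure` leaves a crashed proxy down until someone notices.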
@@ -1,30 +1,38 @@
 global
- stats socket :9999 level admin expose-fd listeners
- log stdout format raw local0
- ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
+stats socket :9999 level admin expose-fd listeners
+log stdout format raw local0
+ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
+
+defaults
+timeout connect 5000ms
+timeout client 50000ms
+timeout server 50000ms
+default-server init-addr last,libc,none
 
 frontend http
- bind :80
- http-request redirect scheme https unless { ssl_fc }
- acl certbot path_beg /.well-known/acme-challenge/
- use_backend certbot if certbot
+bind *:80
+http-request redirect scheme https unless { ssl_fc }
+acl certbot path_beg /.well-known/acme-challenge/
+use_backend certbot if certbot
 
 frontend https
- bind :::443 v4v6 ssl crt /etc/certificates strict-sni alpn h2.http/1.1
- acl matrix-host hdr(host) -i matrix.example.com
- acl matrix-path path_beg /_matrix
- acl matrix-path path_beg /_synpase/client
- use_backend matrix if matrix-host matrix-path
+#uncomment this to get ssl certificate for the first run
+bind *:443 v4v6 ssl crt /etc/certificates/terminaldweller.com.pem strict-sni alpn h2,http/1.1
+acl matrix-host hdr(host) -i terminaldweller.com
+acl matrix-path path_beg /_matrix
+acl matrix-path path_beg /_synpase/client
+use_backend matrix if matrix-host matrix-path
 
 frontend matrix-federation
- bind :::8448 v4v6 ssl crt /etc/certificates alpn h2.http/1.1
- default_backend matrix
+#uncomment this to get ssl certificate for the first run
+bind *:8448 v4v6 ssl crt /etc/certificates/terminaldweller.com.pem alpn h2,http/1.1
+default_backend matrix
 
-resolvers docker_resolver
- nameserver dns 127.0.0.11:53
+resolvers docker
+nameserver dns1 127.0.0.11:53
 
 backend matrix
- server matrix synapse:8008
+server matrix synapse:8008
 
 backend certbot
- server certbot certbot:380
+server certbot certbot:380
|
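Review bot: The `ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:...` line carried into the new `global` section still offers RC4 and static-RSA key exchange (no forward secrecy) and sets no minimum protocol version, so a client can negotiate TLS 1.0 with RC4-SHA against a Matrix server whose traffic is mostly bearer access tokens; restrict to TLS 1.2+ with ECDHE AEAD suites via `ssl-default-bind-ciphers`, `ssl-default-bind-ciphersuites` and `ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets`. In `frontend http`, `http-request redirect scheme https unless { ssl_fc }` is evaluated before any `use_backend`, so ACME HTTP-01 requests on port 80 are redirected to :443 instead of reaching `backend certbot` — presumably why both bind lines now carry an "uncomment this … for the first run" note; exempting the acme path lets issuance work with TLS enabled. `acl matrix-path path_beg /_synpase/client` misspells `/_synapse/client`, so endpoints under that prefix never match and this frontend answers them with 503. `stats socket :9999 level admin` listens on all interfaces with no access control, so its reachability must be confined at the network level to the certbot container.
```haproxy
global
stats socket :9999 level admin expose-fd listeners
log stdout format raw local0
# TLS 1.2+ only, forward-secret AEAD suites; drops RC4 and static-RSA key exchange
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

# ... unchanged: defaults ...

frontend http
bind *:80
acl certbot path_beg /.well-known/acme-challenge/
# ACME HTTP-01 must stay on plain HTTP; everything else is sent to HTTPS
http-request redirect scheme https code 301 unless { ssl_fc } || certbot
use_backend certbot if certbot

# ... unchanged: frontend https, frontend matrix-federation, resolvers, backends ...
```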