From 28ed4f737330a1ec42b5493a24faa9fd13eefe91 Mon Sep 17 00:00:00 2001
From: terminaldweller
Date: Fri, 19 Feb 2021 08:02:22 +0000
Subject: update, debugging the haproxy config

---
 .../certbot/scripts/concatenate-certificates.sh | 1 -
 .../certbot/scripts/create-certificates.sh | 9 +++-
 .../certbot/scripts/renew-certificates.sh | 9 ----
 .../certbot/scripts/update-haproxy-certificates.sh | 6 +--
 matrix-server/docker-compose.yml | 55 ++++++++++++++++------
 matrix-server/element/config.json | 54 +++++++++++++++++++++
 matrix-server/haproxy/Dockerfile | 2 +
 matrix-server/haproxy/error.html | 10 ++++
 matrix-server/haproxy/haproxy.cfg | 36 ++++++++++++--
 matrix-server/postgres/Dockerfile | 3 ++
 matrix-server/postgres/pg_hba.conf | 7 +++
 matrix-server/postgres/pg_pass_secret | 2 +-
 matrix-server/synapse/Dockerfile | 5 +-
 matrix-server/synapse/homeserver.yaml | 8 ++--
 14 files changed, 166 insertions(+), 41 deletions(-)
 create mode 100644 matrix-server/element/config.json
 create mode 100644 matrix-server/haproxy/Dockerfile
 create mode 100644 matrix-server/haproxy/error.html
 create mode 100644 matrix-server/postgres/Dockerfile
 create mode 100644 matrix-server/postgres/pg_hba.conf
(limited to 'matrix-server')

diff --git a/matrix-server/certbot/scripts/concatenate-certificates.sh b/matrix-server/certbot/scripts/concatenate-certificates.sh
index 242f5e5..29e75ea 100644
--- a/matrix-server/certbot/scripts/concatenate-certificates.sh
+++ b/matrix-server/certbot/scripts/concatenate-certificates.sh
@@ -2,6 +2,5 @@
 echo "running concat certs..."
 if [ -f /etc/letsencrypt/live/terminaldweller.com/fullchain.pem -a -f /etc/letsencrypt/live/terminaldweller.com/privkey.pem ]; then
- echo "when you're out, we're in...''"
 cat /etc/letsencrypt/live/terminaldweller.com/fullchain.pem /etc/letsencrypt/live/terminaldweller.com/privkey.pem > /etc/certificates/terminaldweller.com.pem
 fi
diff --git a/matrix-server/certbot/scripts/create-certificates.sh b/matrix-server/certbot/scripts/create-certificates.sh
index 1bc1094..804e542 100644
--- a/matrix-server/certbot/scripts/create-certificates.sh
+++ b/matrix-server/certbot/scripts/create-certificates.sh
@@ -2,9 +2,14 @@
 echo "running create certs..."
 # Request certificates
 certbot certonly --standalone \
- --non-interactive --agree-tos --email thabogre@gmail.com --http-01-port=380 \
+ --non-interactive \
+ --agree-tos \
+ --email thabogre@gmail.com \
+ --http-01-port=380 \
 --cert-name terminaldweller.com \
- -d terminaldweller.com
+ -d terminaldweller.com,mail.terminaldweller.com,www.terminaldweller.com,matrix.terminaldweller.com,element.terminaldweller.com,blog.terminaldweller.com \
+ --dry-run
+ # --server https://acme-v02.api.letsencrypt.org/directory \
 # Concatenate certificates
 . /etc/scripts/concatenate-certificates.sh
 # Update certificates in HAProxy
diff --git a/matrix-server/certbot/scripts/renew-certificates.sh b/matrix-server/certbot/scripts/renew-certificates.sh
index ff56115..032486a 100644
--- a/matrix-server/certbot/scripts/renew-certificates.sh
+++ b/matrix-server/certbot/scripts/renew-certificates.sh
@@ -1,19 +1,10 @@
 #!/bin/sh
 echo "running renew certs..."
-# Certificates exist
 if [ -d /etc/letsencrypt/live/terminaldweller.com ]; then
- # Check certificates and renew them
 certbot renew --http-01-port=380
-
- # Concatenate certificates
 . /etc/scripts/concatenate-certificates.sh
-
- # Update certificates in HAProxy
 . /etc/scripts/update-haproxy-certificates.sh
-
-# Certificates don't exist
 else
- # Execute certificate creation script
 . /etc/scripts/create-certificates.sh
 fi
diff --git a/matrix-server/certbot/scripts/update-haproxy-certificates.sh b/matrix-server/certbot/scripts/update-haproxy-certificates.sh
index 9eaae7c..4fad7df 100644
--- a/matrix-server/certbot/scripts/update-haproxy-certificates.sh
+++ b/matrix-server/certbot/scripts/update-haproxy-certificates.sh
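Review bot: `--dry-run` is now part of the live `certbot certonly` command, so on a host with no certificate the renew loop ends up in this script and nothing is ever written under /etc/letsencrypt/live: `concatenate-certificates.sh` then skips its `cat` because the `-f` guard fails, and `update-haproxy-certificates.sh` pipes the output of `cat` on a missing file into the haproxy admin socket. If the flag is only for debugging, gate it on an environment variable, `${CERTBOT_DRY_RUN:+--dry-run}` in place of `--dry-run`, or drop it before this is deployed. The `# --server ...` comment on its own line after the command is harmless, but its trailing `\` reads as if it were still part of the argument list; remove the backslash or move the comment above the command.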
@@ -1,11 +1,7 @@
 #!/bin/sh
 echo "running update certs..."
-# Start transaction
-echo -e "set ssl cert /etc/letsencrypt/live/terminaldweller.com/fullchain.pem <<\n$(cat /etc/certificates/terminaldweller.com.pem)\n" | socat tcp-connect:haproxy:9999 -
-# Commit transaction
+echo -e "set ssl cert /etc/letsencrypt/live/terminaldweller.com/fullchain.pem <<\n$(cat /etc/certificates/terminaldweller.com.pem)\n" | socat tcp-connect:haproxy:9999 -
 echo "commit ssl cert /etc/letsencrypt/live/terminaldweller.com/fullchain.pem" | socat tcp-connect:haproxy:9999 -
-
-# Show certification info (not essential)
 echo "show ssl cert /etc/letsencrypt/live/terminaldweller.com/fullchain.pem" | socat tcp-connect:haproxy:9999 -
diff --git a/matrix-server/docker-compose.yml b/matrix-server/docker-compose.yml
index eb0f354..add4cd8 100644
--- a/matrix-server/docker-compose.yml
+++ b/matrix-server/docker-compose.yml
@@ -1,7 +1,17 @@
 version: "3.4"
 services:
+ element:
+ image: vectorim/element-web:v1.7.21-rc.1
+ networks:
+ - clientnet
+ volumes:
+ - ./element/config.json:/app/config.json
+ depends_on:
+ - haproxy
 postgres:
- image: postgres:13-alpine
+ image: postgres
+ build:
+ context: ./postgres/
 networks:
 - dbnet
 volumes:
@@ -9,10 +19,14 @@ services:
 ports:
 - "5432:5432"
 environment:
- - POSTGRES_PASSWORD_FILE=/run/secrets/pg_pass_secret
- - POSTGRES_USER_FILE=/run/secrets/pg_user_secret
- - POSTGRES_INITDB_ARGS_FILE=/run/secrets/pg_initdb_args_secret
- - POSTGRES_DB_FILE=/run/secrets/pg_db_secret
+ # - POSTGRES_PASSWORD_FILE=/run/secrets/pg_pass_secret
+ # - POSTGRES_USER_FILE=/run/secrets/pg_user_secret
+ # - POSTGRES_INITDB_ARGS_FILE=/run/secrets/pg_initdb_args_secret
+ # - POSTGRES_DB_FILE=/run/secrets/pg_db_secret
+ - POSTGRES_PASSWORD=El3ph@nt#13
+ - POSTGRES_USER=postgres
+ - POSTGRES_INITDB_ARGS=--encoding='UTF-8' --lc-collate='C' --lc-ctype='C'
+ - POSTGRES_DB=synapse
 secrets:
 - pg_pass_secret
 - pg_user_secret
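Review bot: `image: postgres` combined with `build:` tags the locally built image as `postgres:latest`, the same name as the upstream image, so any other compose project or `docker run postgres` on this host quietly gets this derivative with its bundled pg_hba.conf; the `image: haproxy` / `build:` pair in the haproxy hunk below has the same problem. Use project-specific names such as `image: matrix-server/postgres` and `image: matrix-server/haproxy`. `vectorim/element-web:v1.7.21-rc.1` is a release candidate, so pin a released tag when one is available, and mark the `./element/config.json:/app/config.json` mount `:ro` since the container has no reason to write it.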
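Review bot: `POSTGRES_PASSWORD=El3ph@nt#13` puts the database password in clear text into the committed compose file, the same value appears in the `homeserver.yaml` hunk of this commit and in `pg_pass_secret`, and the `secrets:` entries below are still declared but no longer consumed by anything. With `ports: - "5432:5432"` publishing the server on the host interface this password is what stands between the network and the database, so treat it as disclosed once the commit is pushed and rotate it. Restore `POSTGRES_PASSWORD_FILE=/run/secrets/pg_pass_secret` and the other `*_FILE` variables rather than the inline values; if the `_FILE` form was what needed debugging, the usual cause is that the image only applies `POSTGRES_*` settings when it initialises an empty data directory, so an existing data volume (`db-data` is declared further down) keeps whatever credentials it was created with.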
@@ -24,14 +38,9 @@ services:
 context: ./synapse/
 networks:
 - matrixnet
- - certnet
 - dbnet
 volumes:
 - synapse-data:/data/
- # - cert-data:/etc/letsencrypt/live/
- # - ./synapse/homeserver.yaml:/data/homeserver.yaml
- # - ./synapse/terminaldweller.com.signing.key:/data/terminaldweller.com.signing.key
- # - ./synapse/terminaldweller.com.log.config:/data/terminaldweller.com.log.config
 # entrypoint: ["tail", "-f", "/dev/null"]
 # command: ["generate"]
 depends_on:
@@ -47,6 +56,8 @@ services:
 - SYNAPSE_DATA_DIR=/data/
 - SYNAPSE_CONFIG_DIR=/data/
 - SYNAPSE_CONFIG_PATH=/data/homeserver.yaml
+ # - SYNAPSE_CONFIG_DIR=/data/
+ # - SYNAPSE_CONFIG_PATH=/data/homeserver.yaml
 # - TZ=Tehran/Asia
 healthcheck:
 test: ["CMD", "curl", "-fSs", "http://localhost:8008/health"]
@@ -54,7 +65,9 @@ services:
 timeout: 10s
 retries: 3
 haproxy:
- image: haproxy:lts-alpine
+ image: haproxy
+ build:
+ context: ./haproxy/
 ports:
 - "80:80"
 - "443:443"
@@ -64,14 +77,19 @@ services:
 - matrixnet
 - turnnet
 - certnet
+ - clientnet
 volumes:
 - ./haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
 # - cert-data:/usr/local/etc/haproxy/certificates:ro
 # - cert-data:/etc/certificates:ro
 - certificates:/etc/certificates
- depends_on:
- - certbot
+ - ./haproxy/error.html:/srv/error.html
 # restart: on-failure
+ healthcheck:
+ test: ["CMD", "curl", "-fSs", "http://localhost:80/health"]
+ interval: 1m
+ timeout: 10s
+ retries: 3
 certbot:
 image: certbot
 build:
@@ -88,6 +106,8 @@ services:
 entrypoint: "/bin/sh -c 'trap exit TERM; while :; do . /etc/scripts/renew-certificates.sh ; sleep 12h & wait $${!}; done;'"
 restart: always
 command: ["certonly"]
+ depends_on:
+ - haproxy
 # coturn:
 # image: coturn/coturn:latest
 # networks:
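Review bot: The new haproxy `healthcheck` probes `http://localhost:80/health`, but `frontend http` in haproxy.cfg keeps `http-request redirect scheme https unless { ssl_fc }`, which haproxy evaluates before any `use_backend` rule, so the probe gets a 302 instead of the `backend health` answer; `curl -fSs` counts a 3xx as success, so the check only proves that haproxy accepts connections on port 80. If that is the intent, a comment on the `test:` line should say so; otherwise exempt the path from the redirect (`http-request redirect scheme https unless { ssl_fc } || { path_beg /health }`) or use `monitor-uri /health`, which haproxy handles before the redirect. The probe also depends on the curl that haproxy/Dockerfile adds in this commit, so the two hunks should land together.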
@@ -99,15 +119,22 @@ services:
 # - "5349:5349"
 # depends_on:
 # - synapse
+ # - haproxy
+ debugger:
+ image: alpine:3.13
+ volumes:
+ - synapse-data:/data/
+ entrypoint: ["tail", "-f", "/dev/null"]
 networks:
 matrixnet:
 certnet:
 dbnet:
 turnnet:
+ clientnet:
 volumes:
 db-data:
 synapse-data:
- cert-data:
+ # cert-data:
 certificates:
 certbot-data:
 secrets:
diff --git a/matrix-server/element/config.json b/matrix-server/element/config.json
new file mode 100644
index 0000000..795e104
--- /dev/null
+++ b/matrix-server/element/config.json
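Review bot: The `debugger` service is a permanently running `tail -f /dev/null` container with the `synapse-data` volume mounted read-write, the directory that holds Synapse's media store, its signing key (the commented `terminaldweller.com.signing.key` mount removed in the earlier hunk shows it lives there) and, after the synapse/Dockerfile change, `homeserver.yaml` with the database password; it comes up with every `docker-compose up`. If it is still needed, mount the volume `:ro`, stop it from starting by default (compose `profiles:` where the tooling supports them, or start it explicitly by name), and remove the service once the haproxy debugging is finished.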
@@ -0,0 +1,54 @@
+{
+ "default_server_config": {
+ "m.homeserver": {
+ "base_url": "https://element.terminaldweller.com",
+ "server_name": "terminaldweller.com"
+ },
+ "m.identity_server": {
+ "base_url": "https://vector.im"
+ }
+ },
+ "disable_custom_urls": false,
+ "disable_guests": true,
+ "disable_login_language_selector": true,
+ "disable_3pid_login": true,
+ "brand": "Element",
+ "integrations_ui_url": "https://scalar.vector.im/",
+ "integrations_rest_url": "https://scalar.vector.im/api",
+ "integrations_widgets_urls": [
+ "https://scalar.vector.im/_matrix/integrations/v1",
+ "https://scalar.vector.im/api",
+ "https://scalar-staging.vector.im/_matrix/integrations/v1",
+ "https://scalar-staging.vector.im/api",
+ "https://scalar-staging.riot.im/scalar/api"
+ ],
+ "bug_report_endpoint_url": "https://element.io/bugreports/submit",
+ "defaultCountryCode": "IR",
+ "showLabsSettings": false,
+ "features": {
+ "feature_new_spinner": false
+ },
+ "default_federate": true,
+ "default_theme": "dark",
+ "roomDirectory": {
+ "servers": [
+ "terminaldweller.com"
+ ]
+ },
+ "piwik": {
+ "url": "https://piwik.riot.im/",
+ "whitelistedHSUrls": ["https://matrix.org"],
+ "whitelistedISUrls": ["https://vector.im", "https://matrix.org"],
+ "siteId": 1
+ },
+ "enable_presence_by_hs_url": {
+ "https://matrix.org": false,
+ "https://matrix-client.matrix.org": false
+ },
+ "settingDefaults": {
+ "breadcrumbs": true
+ },
+ "jitsi": {
+ "preferredDomain": "jitsi.riot.im"
+ }
+}
diff --git a/matrix-server/haproxy/Dockerfile b/matrix-server/haproxy/Dockerfile
new file mode 100644
index 0000000..c7dc38f
--- /dev/null
+++ b/matrix-server/haproxy/Dockerfile
@@ -0,0 +1,2 @@
+FROM haproxy:lts-alpine
+RUN apk update && apk upgrade && apk add curl
diff --git a/matrix-server/haproxy/error.html b/matrix-server/haproxy/error.html
new file mode 100644
index 0000000..85a807e
--- /dev/null
+++ b/matrix-server/haproxy/error.html
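Review bot: `default_server_config.m.homeserver.base_url` points at `https://element.terminaldweller.com`, but haproxy.cfg in this commit routes `/_matrix` to Synapse only when the Host header is `matrix.terminaldweller.com` (`acl matrix-host hdr(host) -i matrix.terminaldweller.com`), so the web client will send its API calls to the host that serves the static app and find no backend; it should read `"base_url": "https://matrix.terminaldweller.com"`. The `piwik` block and `bug_report_endpoint_url` keep Element's upstream telemetry and bug-report endpoints in a self-hosted deployment; if that is not intended, delete the `piwik` object and set the bug-report URL to `null`. `disable_custom_urls: false` lets users point this client at other homeservers, which may or may not be wanted next to `disable_guests: true`; a line in the README stating the choice would help.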
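Review bot: `RUN apk update && apk upgrade && apk add curl` leaves the apk index in the layer and makes the image content depend on whatever Alpine publishes on build day, on top of the floating `haproxy:lts-alpine` tag, so a rebuild a week later produces a different image with no change in the repo. Prefer `RUN apk add --no-cache curl=<pinned-version>` (placeholder for the version the Alpine repo currently carries), drop `apk upgrade` in favour of bumping the base tag to a specific haproxy release, and pin that tag. curl is only here for the compose healthcheck, so a comment such as `# curl: used by the docker-compose healthcheck only` would tell the next reader why a proxy image carries an HTTP client.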
@@ -0,0 +1,10 @@
+HTTP/1.0 200 OK
+
+Cache-Control: no-cache
+
+Connection: close
+
+Content-Type: text/plain
+
+
+up
diff --git a/matrix-server/haproxy/haproxy.cfg b/matrix-server/haproxy/haproxy.cfg
index c619259..09e387c 100644
--- a/matrix-server/haproxy/haproxy.cfg
+++ b/matrix-server/haproxy/haproxy.cfg
@@ -1,6 +1,7 @@
 global
 stats socket :9999 level admin expose-fd listeners
-log stdout format raw local0
+#log stdout format raw local0
+log stdout format raw local0 info
 ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
 defaults
@@ -10,22 +11,37 @@ timeout server 50000ms
 default-server init-addr last,libc,none
 frontend http
+mode http
+option httplog
+log global
 bind *:80
 http-request redirect scheme https unless { ssl_fc }
 acl certbot path_beg /.well-known/acme-challenge/
 use_backend certbot if certbot
+use_backend health if { path_beg /health }
 frontend https
 #uncomment this to get ssl certificate for the first run
-bind *:443 v4v6 ssl crt /etc/certificates/terminaldweller.com.pem strict-sni alpn h2,http/1.1
-acl matrix-host hdr(host) -i terminaldweller.com
+#bind :::443 v4v6 ssl crt /etc/certificates/matrix.terminaldweller.com.pem strict-sni alpn h2,http/1.1
+acl matrix-host hdr(host) -i matrix.terminaldweller.com
 acl matrix-path path_beg /_matrix
 acl matrix-path path_beg /_synpase/client
 use_backend matrix if matrix-host matrix-path
+#frontend element
+#bind *:80
+#acl element hdr_end(host) -i element.terminaldweller.com
+#use_backend element if element
+
+frontend mail
+bind *:993
+bind *:587
+acl mail hdr_end(host) -i mail.terminaldweller.com
+use_backend mail if mail
+
 frontend matrix-federation
 #uncomment this to get ssl certificate for the first run
-bind *:8448 v4v6 ssl crt /etc/certificates/terminaldweller.com.pem alpn h2,http/1.1
+#bind :::8448 v4v6 ssl crt /etc/certificates/matrix.terminaldweller.com.pem alpn h2,http/1.1
 default_backend matrix
 resolvers docker
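Review bot: As the hunk reads there is an empty line after `HTTP/1.0 200 OK` and after every header, but the first empty line of an HTTP/1.x message ends the header block, so `Cache-Control`, `Connection` and `Content-Type` would be delivered as body text and the probe response carries no content type; haproxy may also refuse the file when it validates errorfiles at startup. The file should be the status line, the three headers on consecutive lines, one empty line, then `up`. Because it is served through `errorfile 503` on a backend whose only server is `disabled`, a comment in haproxy.cfg next to that `errorfile` line explaining that a 503 slot is being used to return a 200 would help the next reader, and `monitor-uri /health` on the frontend gives the same answer without the trick.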
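Review bot: `use_backend health if { path_beg /health }` is never reached for a plain-HTTP request because `http-request redirect scheme https unless { ssl_fc }` above it runs before backend selection and answers with a 302; the pre-existing `use_backend certbot` rule is bypassed the same way, and while the ACME validator follows redirects, with `#bind :::443` commented out it lands on a port nothing listens on. Add `|| { path_beg /health } || { path_beg /.well-known/acme-challenge/ }` to the redirect's condition, or replace the health backend with `monitor-uri /health`. `frontend mail` binds `*:993` and `*:587` but picks its backend with `hdr_end(host)`, an HTTP header fetch with nothing to match on an IMAPS or submission stream (the frontend appears to inherit tcp mode, since `frontend http` has to set `mode http` explicitly), and it has no `default_backend`, so those connections go nowhere; even if one were chosen, `backend mail` in the next hunk sends both ports to `mail:993`. With both TLS `bind` lines commented out no frontend listens on 443 or 8448, so the port-80 redirect currently sends browsers to a closed port; if this is the intended "first run" state, the comment above the bind lines should say that the redirect is expected to fail until they are re-enabled.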
@@ -35,4 +51,16 @@ backend matrix
 server matrix synapse:8008
 backend certbot
+mode http
 server certbot certbot:380
+
+backend element
+server element element:80
+
+backend mail
+server mail mail:993
+
+backend health
+mode http
+server disabled-server 127.0.0.1:1 disabled
+errorfile 503 /srv/error.html
diff --git a/matrix-server/postgres/Dockerfile b/matrix-server/postgres/Dockerfile
new file mode 100644
index 0000000..028d2fb
--- /dev/null
+++ b/matrix-server/postgres/Dockerfile
@@ -0,0 +1,3 @@
+FROM postgres:13-alpine
+
+COPY ./pg_hba.conf /var/lib/postgres/data/
diff --git a/matrix-server/postgres/pg_hba.conf b/matrix-server/postgres/pg_hba.conf
new file mode 100644
index 0000000..1a0a1a9
--- /dev/null
+++ b/matrix-server/postgres/pg_hba.conf
@@ -0,0 +1,7 @@
+host all all all md5
+local all all trust
+host all all 127.0.0.1/32 trust
+host all all ::1/128 trust
+local replication all trust
+host replication all 127.0.0.1/32 trust
+host replication all ::1/128 trust
diff --git a/matrix-server/postgres/pg_pass_secret b/matrix-server/postgres/pg_pass_secret
index f35f326..7779b9c 100644
--- a/matrix-server/postgres/pg_pass_secret
+++ b/matrix-server/postgres/pg_pass_secret
@@ -1 +1 @@
-El3ph@ant#13
+El3ph@nt#13
diff --git a/matrix-server/synapse/Dockerfile b/matrix-server/synapse/Dockerfile
index afba29d..425c11b 100644
--- a/matrix-server/synapse/Dockerfile
+++ b/matrix-server/synapse/Dockerfile
@@ -1,2 +1,5 @@
-FROM matrixdotorg/synapse:v1.25.0
+FROM matrixdotorg/synapse:v1.26.0
 RUN mkdir -p /data/media_store && chown -R 991:991 /data/media_store
+COPY ./homeserver.yaml /data/
+RUN chmod 554 /data/homeserver.yaml
+# RUN chown synapse /var/log/synapse
diff --git a/matrix-server/synapse/homeserver.yaml b/matrix-server/synapse/homeserver.yaml
index d75c7af..7c98bd5 100644
--- a/matrix-server/synapse/homeserver.yaml
+++ b/matrix-server/synapse/homeserver.yaml
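Review bot: `COPY ./pg_hba.conf /var/lib/postgres/data/` does not reach the server: the official image's data directory is `/var/lib/postgresql/data` (PGDATA), and that path is a declared volume that `initdb` populates on first start with its own `pg_hba.conf`, after which the entrypoint appends the `host all all all md5` rule, so the copied file is never read. If a custom HBA file is wanted, copy it outside PGDATA, e.g. `COPY ./pg_hba.conf /etc/postgresql/pg_hba.conf`, and start the server with `command: ["postgres", "-c", "hba_file=/etc/postgresql/pg_hba.conf"]` in docker-compose.yml. A one-line comment in this Dockerfile saying why the image overrides HBA would help, since the file in this commit reproduces the image's defaults.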
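Review bot: This file repeats the rules the postgres image generates itself (`trust` for local and loopback, `host all all all md5` for everything else), so even once it is wired in it changes nothing; given that `ports: - "5432:5432"` publishes the server on the host, the `all all all md5` line is the rule worth tightening. Restrict it to the database and role Synapse uses and to the compose network, e.g. `host synapse <synapse-role> <compose-subnet-cidr> md5` (placeholders), and drop the broad line unless another client needs it. The `trust` entries for `local` and loopback are the image's defaults and fine inside the container, but a comment should note that they let any process that reaches the container's socket log in as any role, including the superuser.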
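Review bot: `COPY ./homeserver.yaml /data/` bakes the config, database password included, into an image layer, and `/data/` is the `synapse-data` named volume in docker-compose.yml, so once that volume exists the file in the image is shadowed and later edits to homeserver.yaml never reach the running server (the commented-out `./synapse/homeserver.yaml:/data/homeserver.yaml` bind mount that the compose hunk deletes was the variant that does propagate). `chmod 554` also leaves the root-owned file readable by every account in the container while Synapse runs as uid 991 per the `chown -R 991:991` line above; `COPY --chown=991:991 ./homeserver.yaml /data/` followed by `RUN chmod 0440 /data/homeserver.yaml` gives the process what it needs and nothing else. Either restore the bind mount or copy the file outside the volume and point `SYNAPSE_CONFIG_PATH` at that path, and say which in a comment on the `COPY` line; the trailing `# RUN chown synapse /var/log/synapse` should go if it is not coming back.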
@@ -607,7 +607,7 @@ acme:
 #
 # If not set, defaults to your 'server_name'.
 #
- domain: matrix.example.com
+ domain: terminaldweller.com
 # file to use for the account key. This will be generated if it doesn't
 # exist.
@@ -743,10 +743,10 @@ caches:
 database:
 name: psycopg2
 args:
- user: synapse_user
- password: secretpassword
+ user: postgres
+ password: El3ph@nt#13
 database: synapse
- host: localhost
+ host: postgres
 cp_min: 5
 cp_max: 10
 #
--
cgit v1.2.3
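Review bot: Synapse now connects as `user: postgres`, the cluster superuser, instead of a dedicated role; the old `synapse_user` line had the right shape and only needed the real password. Create a role that owns the `synapse` database and nothing else (an SQL file dropped into `/docker-entrypoint-initdb.d/` by the new postgres/Dockerfile is the natural place, since setting `POSTGRES_USER` to another name would still make it a superuser) and put that role here, so a compromised homeserver cannot read or alter anything else in the cluster. The password is the same clear-text value that appears in the docker-compose.yml hunk; see the note there about moving it back into a secret and rotating it. In the first hunk, `domain:` under `acme:` is filled in although certificates are obtained by the certbot container in this stack; if Synapse's built-in ACME stays disabled, that edit is dead config and a comment saying so would stop someone enabling it later by mistake.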