From 1ad060cc0fe1d101ae61db8beb2c87c15bab69f2 Mon Sep 17 00:00:00 2001 From: Matthew Hodgson Date: Mon, 4 Nov 2024 18:58:43 +0000 Subject: [PATCH] fix up nginx --- compose.yml | 57 ++++----- data-template/nginx/app.conf | 112 ------------------ data-template/nginx/conf.d/app.conf | 90 ++++++++++++++ data-template/nginx/conf.d/include/ssl.conf | 10 ++ .../nginx/{ => www}/.well-known/matrix/client | 0 .../nginx/{ => www}/.well-known/matrix/server | 0 .../{ => www}/.well-known/matrix/support | 0 data-template/synapse/homeserver.yaml | 2 + data-template/synapse/log.config | 2 + .../workers/synapse-federation-sender-1.yaml | 2 + .../workers/synapse-generic-worker-1.yaml | 2 + init/init.sh | 1 + 12 files changed, 139 insertions(+), 139 deletions(-) delete mode 100644 data-template/nginx/app.conf create mode 100644 data-template/nginx/conf.d/app.conf create mode 100644 data-template/nginx/conf.d/include/ssl.conf rename data-template/nginx/{ => www}/.well-known/matrix/client (100%) rename data-template/nginx/{ => www}/.well-known/matrix/server (100%) rename data-template/nginx/{ => www}/.well-known/matrix/support (100%) diff --git a/compose.yml b/compose.yml index 05160e3..5525b76 100644 --- a/compose.yml +++ b/compose.yml 
@@ -51,20 +51,23 @@ services: generate-mas-secrets: condition: service_completed_successfully - # nginx: - # image: nginx:latest - # restart: unless-stopped - # ports: - # - "80:80" - # - "443:443" - # volumes: - # - ${VOLUME_PATH}/data/nginx:/etc/nginx/conf.d - # - ${VOLUME_PATH}/data/certbot/conf:/etc/letsencrypt - # - ${VOLUME_PATH}/data/certbot/www:/var/www/certbot - # command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'" - # depends_on: - # init: - # condition: service_completed_successfully + nginx: + image: nginx:latest + restart: unless-stopped + ports: + - "80:80" + - "443:443" + - "8448:8448" + volumes: + - ${VOLUME_PATH}/data/nginx/conf.d:/etc/nginx/conf.d + - ${VOLUME_PATH}/data/nginx/www:/var/www + - ${VOLUME_PATH}/data/nginx/ssl:/etc/nginx/ssl + # - ${VOLUME_PATH}/data/certbot/conf:/etc/letsencrypt + # - ${VOLUME_PATH}/data/certbot/www:/var/www/certbot + command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'" + depends_on: + init: + condition: service_completed_successfully # certbot: # image: certbot/certbot:latest @@ -226,16 +229,16 @@ services: init: condition: service_completed_successfully - # livekit-server: - # image: livekit/livekit-server:latest - # restart: unless-stopped - # ports: - # - 7880:7880 # HTTP API - # - 7881:7881 # WS signalling - # # - 50000-60000:50000-60000/tcp # TCP media - # # - 50000-60000:50000-60000/udp # UDP media - # networks: - # - backend - # depends_on: - # init: - # condition: service_completed_successfully + livekit-server: + image: livekit/livekit-server:latest + restart: unless-stopped + ports: + - 7880:7880 # HTTP API + - 7881:7881 # WS signalling + # - 50000-60000:50000-60000/tcp # TCP media + # - 50000-60000:50000-60000/udp # UDP media + networks: + - backend + depends_on: + init: + condition: service_completed_successfully 
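Review bot: `livekit-server` publishes `7880:7880` and `7881:7881` straight onto the host, bypassing the TLS-terminating nginx this same commit turns on, so its HTTP API and WS signalling are plaintext on the host interface while every other service sits behind 443; presumably Element Call is meant to reach it over `wss://`, which means either proxying 7880 through an nginx server block or noting that these two ports are for local testing only. Those two entries are also unquoted while the nginx ones are quoted (`"80:80"`, `"8448:8448"`); both values are above the sexagesimal range so they parse correctly, but quoting them keeps the file consistent. The nginx `command` reload loop (`sleep 6h … nginx -s reload`) was there to pick up certbot renewals, and certbot stays commented out, so it is now dead weight unless the certificates under `data/nginx/ssl` are rotated by something external.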
diff --git a/data-template/nginx/app.conf b/data-template/nginx/app.conf deleted file mode 100644 index 6a9b25a..0000000 --- a/data-template/nginx/app.conf +++ /dev/null 
@@ -1,112 +0,0 @@ -# taken from https://element-hq.github.io/synapse/latest/reverse_proxy.html -# mixed with https://github.com/wmnnd/nginx-certbot/tree/master/data/nginx - -server { - server_name example.com; - server_tokens off; - - listen 80; - - location /.well-known/acme-challenge/ { - root /var/www/certbot; - } - - location / { - return 301 https://$host$request_uri; - } -} - -server { - server_name element.example.com; - server_tokens off; - - listen 443 ssl default_server; - listen [::]:443 ssl default_server; - - ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; - include /etc/letsencrypt/options-ssl-nginx.conf; - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - - location / { - proxy_pass http://element-web:8080; - } -} - -server { - server_name call.example.com; - server_tokens off; - - listen 443 ssl default_server; - listen [::]:443 ssl default_server; - - ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; - include /etc/letsencrypt/options-ssl-nginx.conf; - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - - location / { - proxy_pass http://element-call:8082; - } -} - -server { - server_name auth.example.com; - server_tokens off; - - listen 443 ssl default_server; - listen [::]:443 ssl default_server; - - ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; - include /etc/letsencrypt/options-ssl-nginx.conf; - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - - location / { - proxy_pass http://auth:8083; - } -} - -server { - server_name matrix.example.com; - server_tokens off; - - listen 443 ssl default_server; - listen [::]:443 ssl default_server; - - # For the federation port - listen 8448 ssl default_server; - listen [::]:8448 ssl default_server; - - ssl_certificate 
/etc/letsencrypt/live/example.com/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; - include /etc/letsencrypt/options-ssl-nginx.conf; - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - - # pass auth to MAS - location ~ ^/_matrix/client/(.*)/(login|logout|refresh) { proxy_pass http://auth:8083 } - - # use the generic worker as a synchrotron: - # taken from https://element-hq.github.io/synapse/latest/workers.html#synapseappgeneric_worker - location ~ ^/_matrix/client/(r0|v3)/sync$ { proxy_pass http://synapse-generic-worker-1:8081 } - location ~ ^/_matrix/client/(api/v1|r0|v3)/events$ { proxy_pass http://synapse-generic-worker-1:8081 } - location ~ ^/_matrix/client/(api/v1|r0|v3)/initialSync$ { proxy_pass http://synapse-generic-worker-1:8081 } - location ~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$ { proxy_pass http://synapse-generic-worker-1:8081 } - - location / { - proxy_pass http://synapse:8008; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Host $host; - - # Nginx by default only allows file uploads up to 1M in size - # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml - client_max_body_size 50M; - } - - location /.well-known {} - - # Synapse responses may be chunked, which is an HTTP/1.1 feature. - proxy_http_version 1.1; -} - diff --git a/data-template/nginx/conf.d/app.conf b/data-template/nginx/conf.d/app.conf new file mode 100644 index 0000000..8b3eb10 --- /dev/null +++ b/data-template/nginx/conf.d/app.conf 
@@ -0,0 +1,90 @@ +${CONFIG_HEADER} + +# taken from https://element-hq.github.io/synapse/latest/reverse_proxy.html +# mixed with https://github.com/wmnnd/nginx-certbot/tree/master/etc/nginx/conf.d/nginx + +server { + server_name ${DOMAIN}; + server_tokens off; + + listen 80; + + # location /.well-known/acme-challenge/ { + # root /var/www/certbot; + # } + + location / { + return 301 https://${DOLLAR}host${DOLLAR}request_uri; + } +} + +server { + server_name ${ELEMENT_WEB_FQDN}; + server_tokens off; + + include /etc/nginx/conf.d/include/ssl.conf; + + location / { + proxy_pass http://element-web:8080; + } +} + +server { + server_name ${ELEMENT_CALL_FQDN}; + server_tokens off; + + include /etc/nginx/conf.d/include/ssl.conf; + + location / { + proxy_pass http://element-call:8082; + } +} + +server { + server_name ${MAS_FQDN}; + server_tokens off; + + include /etc/nginx/conf.d/include/ssl.conf; + + location / { + proxy_pass http://auth:8083; + } +} + +server { + server_name ${HOMESERVER_FQDN}; + server_tokens off; + + include /etc/nginx/conf.d/include/ssl.conf; + + # For the federation port + listen 8448 ssl default_server; + listen [::]:8448 ssl default_server; + + # pass auth to MAS + location ~ ^/_matrix/client/(.*)/(login|logout|refresh) { proxy_pass http://auth:8083; } + + # use the generic worker as a synchrotron: + # taken from https://element-hq.github.io/synapse/latest/workers.html#synapseappgeneric_worker + location ~ ^/_matrix/client/(r0|v3)/sync${DOLLAR} { proxy_pass http://synapse-generic-worker-1:8081; } + location ~ ^/_matrix/client/(api/v1|r0|v3)/events${DOLLAR} { proxy_pass http://synapse-generic-worker-1:8081; } + location ~ ^/_matrix/client/(api/v1|r0|v3)/initialSync${DOLLAR} { proxy_pass http://synapse-generic-worker-1:8081; } + location ~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync${DOLLAR} { proxy_pass http://synapse-generic-worker-1:8081; } + + location / { + proxy_pass http://synapse:8008; + proxy_set_header X-Forwarded-For 
${DOLLAR}remote_addr; + proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme; + proxy_set_header Host ${DOLLAR}host; + + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + client_max_body_size 50M; + } + + location /.well-known {} + + # Synapse responses may be chunked, which is an HTTP/1.1 feature. + proxy_http_version 1.1; +} + diff --git a/data-template/nginx/conf.d/include/ssl.conf b/data-template/nginx/conf.d/include/ssl.conf new file mode 100644 index 0000000..bab92d3 --- /dev/null +++ b/data-template/nginx/conf.d/include/ssl.conf @@ -0,0 +1,10 @@ + listen 443 ssl; + listen [::]:443 ssl; + + # ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; + # ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; + # include /etc/letsencrypt/options-ssl-nginx.conf; + # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; + + ssl_certificate /etc/nginx/ssl/client.pem; + ssl_certificate_key /etc/nginx/ssl/key.pem; \ No newline at end of file diff --git a/data-template/nginx/.well-known/matrix/client b/data-template/nginx/www/.well-known/matrix/client similarity index 100% rename from data-template/nginx/.well-known/matrix/client rename to data-template/nginx/www/.well-known/matrix/client diff --git a/data-template/nginx/.well-known/matrix/server b/data-template/nginx/www/.well-known/matrix/server similarity index 100% rename from data-template/nginx/.well-known/matrix/server rename to data-template/nginx/www/.well-known/matrix/server diff --git a/data-template/nginx/.well-known/matrix/support b/data-template/nginx/www/.well-known/matrix/support similarity index 100% rename from data-template/nginx/.well-known/matrix/support rename to data-template/nginx/www/.well-known/matrix/support diff --git a/data-template/synapse/homeserver.yaml b/data-template/synapse/homeserver.yaml index 1b52843..d3b27ed 100644 --- a/data-template/synapse/homeserver.yaml 
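Review bot: The homeserver block's `location /.well-known {}` has no `root`, and no server block in this file sets one, so the `.well-known/matrix/{client,server,support}` files this commit moves under `data-template/nginx/www` (mounted at `/var/www` in compose.yml) are never served and nginx falls back to its compiled-in document root; server delegation and client discovery will 404. Replace the empty location with one that points at the mount, sets the content type (the files have no extension for nginx to infer `application/json` from) and allows cross-origin reads, since clients fetch `/.well-known/matrix/client` from another origin. Because the port-80 server is the only listener on 80 it is also the default for that port, so `return 301 https://${DOLLAR}host${DOLLAR}request_uri;` reflects whatever Host header the client sent; `https://${DOMAIN}${DOLLAR}request_uri` pins the redirect target. The `location /` block above is unchanged.
```nginx
    # … unchanged: MAS and synchrotron locations, location / …
    location /.well-known/matrix/ {
        root /var/www;
        default_type application/json;
        add_header Access-Control-Allow-Origin *;
    }
```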
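Review bot: Dropping the `include /etc/letsencrypt/options-ssl-nginx.conf;` line removes the only place protocol and cipher policy was set, so every `https` server that includes this file now runs on the built-in defaults of whatever `nginx:latest` happens to be pulled; pin the policy here with `ssl_protocols TLSv1.2 TLSv1.3;` and `ssl_prefer_server_ciphers off;` (plus `ssl_session_cache shared:SSL:10m;` if resumption matters) so it does not change silently on image update. Naming the server certificate `client.pem` reads as a client-auth cert; the `fullchain.pem`/`privkey.pem` names in the commented lines just above would be clearer for whoever drops files into `data/nginx/ssl`. The file also ends without a trailing newline.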
+++ b/data-template/synapse/homeserver.yaml @@ -48,6 +48,8 @@ trusted_key_servers: # please keep config above this point as close as possible to the original generated config # so that upstream generated config changes can be detected +suppress_key_server_warning: true + send_federation: false federation_sender_instances: - synapse-federation-sender-1 diff --git a/data-template/synapse/log.config b/data-template/synapse/log.config index fd36ca7..3aca466 100644 --- a/data-template/synapse/log.config +++ b/data-template/synapse/log.config @@ -1,3 +1,5 @@ +${CONFIG_HEADER} + # Log configuration for Synapse. # # This is a YAML file containing a standard Python logging configuration diff --git a/data-template/synapse/workers/synapse-federation-sender-1.yaml b/data-template/synapse/workers/synapse-federation-sender-1.yaml index 2148660..e409927 100644 --- a/data-template/synapse/workers/synapse-federation-sender-1.yaml +++ b/data-template/synapse/workers/synapse-federation-sender-1.yaml @@ -1,3 +1,5 @@ +${CONFIG_HEADER} + worker_app: synapse.app.federation_sender worker_name: synapse-federation-sender-1 diff --git a/data-template/synapse/workers/synapse-generic-worker-1.yaml b/data-template/synapse/workers/synapse-generic-worker-1.yaml index 6f60e21..609422f 100644 --- a/data-template/synapse/workers/synapse-generic-worker-1.yaml +++ b/data-template/synapse/workers/synapse-generic-worker-1.yaml @@ -1,3 +1,5 @@ +${CONFIG_HEADER} + worker_app: synapse.app.generic_worker worker_name: synapse-generic-worker-1 diff --git a/init/init.sh b/init/init.sh index da8cb65..77e103f 100755 --- a/init/init.sh +++ b/init/init.sh @@ -59,6 +59,7 @@ template() { } export CONFIG_HEADER="# WARNING: This file is autogenerated by element-quick-start from templates" +export DOLLAR='$' # evil hack to escape dollars in config files ( export SECRETS_SYNAPSE_REGISTRATION_SHARED_SECRET=$(
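Review bot: `suppress_key_server_warning: true` silences the startup warning Synapse raises when `trusted_key_servers` (the block the hunk header places this in) still delegates key verification to matrix.org; the warning exists to make that trust decision explicit, so the line should carry a comment recording it, e.g. `# trusted_key_servers is left at the matrix.org default on purpose; silence the startup warning`. If the template's `trusted_key_servers` entry has in fact been pointed away from matrix.org, the option is unnecessary and should be dropped instead.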
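Review bot: `export DOLLAR='$'` means any `$` in a template that is not spelled `${DOLLAR}` is silently replaced by an empty string rather than rejected, so a forgotten `$host` in an nginx template renders as `https://` with no error at init time. If `template()` (its body starts above the hunk) is an `envsubst` call, the usual fix is to pass the variable list explicitly — `envsubst '$CONFIG_HEADER $DOMAIN $DOLLAR …'` — so unlisted `$names` pass through untouched and the escape is only needed where a literal clashes with a real variable. Failing that, a post-render check that the output contains no unexpanded `${` would catch misses, and the comment should at least name the templates that rely on `${DOLLAR}` so later edits keep the convention.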