diff --git a/.env-sample b/.env-sample
index 5910e7e..bfd3a82 100644
--- a/.env-sample
+++ b/.env-sample
@@ -7,7 +7,6 @@
 # n.b. SECRETS_* env variables get pulled in on demand from files in ./secrets
-# XXX: how do we interpolate this in?
 USER_ID=
 GROUP_ID=
diff --git a/README.md b/README.md
index 57c2cc7..6391f50 100644
--- a/README.md
+++ b/README.md
@@ -11,22 +11,7 @@ into their ESS counterparts, and rehoming the postgres).
 ## To run
 ```
-# pick a domain name:
-DOMAIN=shadowfax.local
-
-# grab a TLS certificate for the server:
-brew install mkcert || apt-get install mkcert
-mkcert -install
-mkcert $DOMAIN '*.'$DOMAIN
-mkdir -p data/nginx/ssl
-mv ${DOMAIN}+1.pem data/nginx/ssl/cert.pem
-mv ${DOMAIN}+1-key.pem data/nginx/ssl/key.pem
-cp "$(mkcert -CAROOT)"/rootCA.pem data/nginx/ssl
-
-# make an .env to configure your environment
-cp .env-sample .env
-sed -ir s/example.com/$DOMAIN/ .env
-
+./setup.sh
 docker compose up
 ```
@@ -55,7 +40,7 @@ docker compose exec mas mas-cli -c /data/config.yaml doctor
 * [x] sort out the networking
 * [x] make nginx do something useful when running on a local workstation
-* [ ] hook up letsencrypt to nginx properly
+* [x] hook up letsencrypt to nginx properly
 * [x] hook up livekit properly
 * [x] make it work
diff --git a/compose.yml b/compose.yml
index f74d910..d1c6bfd 100644
--- a/compose.yml
+++ b/compose.yml
@@ -72,9 +72,7 @@ services:
     volumes:
       - ${VOLUME_PATH}/data/nginx/conf.d:/etc/nginx/conf.d
       - ${VOLUME_PATH}/data/nginx/www:/var/www
-      - ${VOLUME_PATH}/data/nginx/ssl:/etc/nginx/ssl
-      # - ${VOLUME_PATH}/data/certbot/conf:/etc/letsencrypt
-      # - ${VOLUME_PATH}/data/certbot/www:/var/www/certbot
+      - ${VOLUME_PATH}/data/ssl:/etc/nginx/ssl
     command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
     networks:
       backend:
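Review bot: The new `${VOLUME_PATH}/data/ssl:/etc/nginx/ssl` mount is where the `ssl.conf` change in this commit now expects `fullchain.pem`, `privkey.pem`, `options-ssl-nginx.conf` and `ssl-dhparams.pem`, but only the last two are written there by init-letsencrypt.sh; the dummy certificate is created under `/etc/letsencrypt/live/$domains` inside the certbot container (i.e. `data/certbot/conf`), and the other services in this commit still mount from `data/nginx/ssl/`. Unless setup.sh, which is not in the diff, copies the certificate across, nginx's config test fails at start, and a symlink from `data/ssl` into `data/certbot` would be resolved inside the container's filesystem and not find its target. Whatever does populate the directory, a comment on the volume line would spare the next reader the search, e.g. `# nginx TLS material: fullchain.pem, privkey.pem, options-ssl-nginx.conf, ssl-dhparams.pem (see data-template/nginx/conf.d/include/ssl.conf)`.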
@@ -90,16 +88,18 @@ services:
     synapse:
       condition: service_started
-  # certbot:
-  #   image: certbot/certbot:latest
-  #   restart: unless-stopped
-  #   volumes:
-  #     - ${VOLUME_PATH}/data/certbot/conf:/etc/letsencrypt
-  #     - ${VOLUME_PATH}/data/certbot/www:/var/www/certbot
-  #   entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
-  #   depends_on:
-  #     init:
-  #       condition: service_completed_successfully
+  certbot:
+    image: certbot/certbot:latest
+    restart: unless-stopped
+    volumes:
+      - ${VOLUME_PATH}/data/certbot/conf:/etc/letsencrypt
+      - ${VOLUME_PATH}/data/certbot/www:/var/www/certbot
+    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
+    depends_on:
+      init:
+        condition: service_completed_successfully
+      nginx:
+        condition: service_started
   postgres:
     image: postgres:latest
@@ -143,7 +143,7 @@ services:
     restart: unless-stopped
     volumes:
       - ${VOLUME_PATH}/data/synapse:/data:rw
-      - ${VOLUME_PATH}/data/nginx/ssl/rootCA.pem:/etc/ssl/certs/ca-certificates.crt
+      - ${VOLUME_PATH}/data/nginx/ssl/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt
     # ports:
     # - 8008:8008
     networks:
@@ -175,7 +175,7 @@ services:
       - backend
     volumes:
       - ${VOLUME_PATH}/data/synapse:/data:rw
-      - ${VOLUME_PATH}/data/nginx/ssl/rootCA.pem:/etc/ssl/certs/ca-certificates.crt
+      - ${VOLUME_PATH}/data/nginx/ssl/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt
     environment:
       SYNAPSE_WORKER: synapse.app.generic_worker
     # Expose port if required so your reverse proxy can send requests to this worker
@@ -198,7 +198,7 @@ services:
       - backend
     volumes:
       - ${VOLUME_PATH}/data/synapse:/data:rw # Replace VOLUME_PATH with the path to your Synapse volume
-      - ${VOLUME_PATH}/data/nginx/ssl/rootCA.pem:/etc/ssl/certs/ca-certificates.crt
+      - ${VOLUME_PATH}/data/nginx/ssl/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt
     environment:
       SYNAPSE_WORKER: synapse.app.federation_sender
     # ports:
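Review bot: The renewal loop in `entrypoint` only runs `certbot renew`, which writes into `/etc/letsencrypt` (`${VOLUME_PATH}/data/certbot/conf`), while the `ssl.conf` change in this commit makes nginx read `/etc/nginx/ssl/fullchain.pem` from the separate `${VOLUME_PATH}/data/ssl` mount; nothing visible here moves a renewed certificate across, so nginx's 6h reload loop would keep re-reading the old file until it expires, unless setup.sh (not in the diff) wires that up. Mounting `data/ssl` into this service as well and giving `certbot renew` a `--deploy-hook` that copies `fullchain.pem` and `privkey.pem` from `$RENEWED_LINEAGE` (set by certbot for deploy hooks) into that directory would close the gap. `image: certbot/certbot:latest` is unpinned, so a container restart can pull a different certbot with no change in this file; a version tag or digest makes the deployment reproducible. Also note that `data/certbot/conf` now holds the live private keys on a host bind mount, so its permissions deserve the same care as `secrets/`.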
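Review bot: This bind mount (and the same line in the `-175`, `-198`, `-215` and `-305` hunks) shadows the image's entire `/etc/ssl/certs/ca-certificates.crt` with a host file, so the trust store of synapse, both workers, mas and the lk-jwt service is exactly whatever `${VOLUME_PATH}/data/nginx/ssl/ca-certificates.crt` holds, and it no longer follows CA-bundle updates in those images. If that host file is absent when `docker compose up` runs, Docker creates an empty directory at the host path and mounts that instead, and every outbound TLS verification in those containers fails with an error that does not point at the mount. In this commit init-letsencrypt.sh copies the bundle into `/etc/letsencrypt/live/$domains` (under `data/certbot/conf`), not into `data/nginx/ssl/`, so the wiring presumably lives in setup.sh, which is not in the diff; a comment on the line would make the dependency visible, e.g. `# host CA bundle shadows the image's trust store; must exist before compose up (see init/init-letsencrypt.sh)`.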
@@ -215,7 +215,7 @@ services:
     # - 8083:8080
     volumes:
       - ${VOLUME_PATH}/data/mas:/data:rw
-      - ${VOLUME_PATH}/data/nginx/ssl/rootCA.pem:/etc/ssl/certs/ca-certificates.crt
+      - ${VOLUME_PATH}/data/nginx/ssl/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt
     networks:
       - backend
     # FIXME: do we also need to sync the db?
@@ -305,7 +305,7 @@ services:
         COPY --from=builder /lk-jwt-service /
     restart: unless-stopped
     volumes:
-      - ${VOLUME_PATH}/data/nginx/ssl/rootCA.pem:/etc/ssl/certs/ca-certificates.crt
+      - ${VOLUME_PATH}/data/nginx/ssl/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt
       - ${VOLUME_PATH}/init/livekit-jwt-entrypoint.sh:/entrypoint.sh
     entrypoint: /entrypoint.sh
     env_file: .env
diff --git a/data-template/nginx/conf.d/include/ssl.conf b/data-template/nginx/conf.d/include/ssl.conf
index c377143..4064c73 100644
--- a/data-template/nginx/conf.d/include/ssl.conf
+++ b/data-template/nginx/conf.d/include/ssl.conf
@@ -1,10 +1,8 @@
     listen 443 ssl;
     listen [::]:443 ssl;
-    # ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
-    # ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
-    # include /etc/letsencrypt/options-ssl-nginx.conf;
-    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+    ssl_certificate /etc/nginx/ssl/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
-    ssl_certificate /etc/nginx/ssl/cert.pem;
-    ssl_certificate_key /etc/nginx/ssl/key.pem;
\ No newline at end of file
+    include /etc/nginx/ssl/options-ssl-nginx.conf;
+    ssl_dhparam /etc/nginx/ssl/ssl-dhparams.pem;
diff --git a/data/element-call/config.json b/data/element-call/config.json
deleted file mode 100644
index e69de29..0000000
diff --git a/data/element-web/config.json b/data/element-web/config.json
deleted file mode 100644
index e69de29..0000000
diff --git a/data/livekit/config.yaml b/data/livekit/config.yaml
deleted file mode 100644
index e69de29..0000000
diff --git a/data/mas/.gitkeep b/data/mas/.gitkeep
deleted file mode 100644
index e69de29..0000000
diff --git a/data/nginx/ssl/rootCA.pem b/data/nginx/ssl/rootCA.pem
deleted file mode 100644
index e69de29..0000000
diff --git a/data/postgres/.gitkeep b/data/postgres/.gitkeep
deleted file mode 100644
index e69de29..0000000
diff --git a/data/synapse/.gitkeep b/data/synapse/.gitkeep
deleted file mode 100644
index e69de29..0000000
diff --git a/init/init-letsencrypt.sh b/init/init-letsencrypt.sh
index d3992e0..59ffac3 100755
--- a/init/init-letsencrypt.sh
+++ b/init/init-letsencrypt.sh
@@ -8,10 +8,10 @@ if ! [ -x "$(command -v docker-compose)" ]; then
 fi
 . .env
-domains=($DOMAIN $HOMESERVER_FQDN $ELEMENT_FQDN $CALL_FQDN $MAS_FQDN)
+domains=$DOMAINS
 rsa_key_size=4096
 data_path="./data/certbot"
-email="" # Adding a valid address is strongly recommended
+read -p "admin email address for letsencrypt: " email
 staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits
 if [ -d "$data_path" ]; then
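Review bot: `domains=$DOMAINS` turns `domains` from an array into a single string, but the rest of the script still expands `$domains` in `path="/etc/letsencrypt/live/$domains"` and `mkdir -p "$data_path/conf/live/$domains"`, relying on that giving the first array element; if `DOMAINS` in `.env` (not in the diff) holds several space-separated names, those become one path containing spaces and the dummy certificate lands in the wrong place. Keeping the array, `domains=($DOMAINS)`, preserves the behaviour the rest of the script was written for, assuming `DOMAINS` is space-separated. The `read -p` replacement for `email` silently accepts an empty reply; if the later part of the script (outside the hunk) maps an empty value to `--register-unsafely-without-email`, the removed "strongly recommended" warning is now gone from the one place the operator sees, so either re-prompt on an empty reply or print what an empty value means, e.g. `[ -n "$email" ] || echo "no email given: registering without expiry notifications" >&2`. The enclosing script continues on both sides of the hunk.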
@@ -21,26 +21,26 @@ if [ -d "$data_path" ]; then
   fi
 fi
-
-if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
+if [ ! -e "data/ssl/options-ssl-nginx.conf" ] || [ ! -e "data/ssl/ssl-dhparams.pem" ]; then
   echo "### Downloading recommended TLS parameters ..."
   mkdir -p "$data_path/conf"
-  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
-  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
+  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "data/ssl/options-ssl-nginx.conf"
+  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "data/ssl/ssl-dhparams.pem"
   echo
 fi
 echo "### Creating dummy certificate for $domains ..."
+# N.B. in bash, $domains will return the first value of the array in string context, so this is not a bug:
 path="/etc/letsencrypt/live/$domains"
 mkdir -p "$data_path/conf/live/$domains"
 docker-compose run --rm --entrypoint "\
   openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1\
     -keyout '$path/privkey.pem' \
     -out '$path/fullchain.pem' \
-    -subj '/CN=localhost'" certbot
+    -subj '/CN=localhost'; \
+    cp /etc/ssl/certs/ca-certificates.crt '$path'" certbot
 echo
-
 echo "### Starting nginx ..."
 docker-compose up --force-recreate -d nginx
 echo
diff --git a/secrets/livekit/livekit_api_key b/secrets/livekit/livekit_api_key
deleted file mode 100644
index e69de29..0000000
diff --git a/secrets/livekit/livekit_secret_key b/secrets/livekit/livekit_secret_key
deleted file mode 100644
index e69de29..0000000
diff --git a/secrets/postgres/postgres_password b/secrets/postgres/postgres_password
deleted file mode 100644
index e69de29..0000000
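Review bot: The download branch now tests and writes `data/ssl/...`, but the `mkdir -p` just above it still only creates `$data_path/conf`, so on a fresh checkout with no `data/ssl` directory both redirects fail; and because `curl -s` is used without `-f`, a non-200 response from raw.githubusercontent.com would be saved as `options-ssl-nginx.conf` / `ssl-dhparams.pem`, handed to nginx as TLS configuration, and then skipped by the `[ ! -e ... ]` check on every later run. `mkdir -p "$data_path/conf" data/ssl` and `curl -sSf` on both fetches make those failures loud, and pinning the two URLs to a certbot release tag instead of `master` would make the fetched TLS parameters reproducible. The added `# N.B.` comment explains array semantics for `$domains`, but the hunk above now assigns `domains` from `$DOMAINS` as a plain string, so the comment no longer describes the code beneath it. The new `cp /etc/ssl/certs/ca-certificates.crt '$path'` places the bundle beside the dummy certificate under `data/certbot/conf/live/`, whereas compose.yml mounts it from `data/nginx/ssl/`; a one-line comment saying what moves it there would help, since that step is not in this diff.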
diff --git a/secrets/synapse/signing.key b/secrets/synapse/signing.key
deleted file mode 100644
index e69de29..0000000