a first stab at a docker compose up matrix 2.0 stack

compose.yml

@@ -0,0 +1,241 @@
+# FIXME: define a frontend & backend network, and only expose backend services to the frontend (nginx)
+networks:
+  backend:
+
+secrets:
+   postgres_password:
+      file: secrets/postgres/postgres_password
+   synapse_signing_key:
+      file: secrets/synapse/${DOMAIN}.signing.key
+
+services:
+  # dependencies for optionally generating default configs + secrets
+  generate-synapse-secrets:
+    image: ghcr.io/element-hq/synapse:latest
+    restart: "no"
+    volumes:
+      - ${VOLUME_PATH}/data/synapse:/data:rw
+      - ${VOLUME_PATH}/init/generate-synapse-secrets.sh:/entrypoint.sh
+    env_file: .env
+    environment:
+      SYNAPSE_CONFIG_DIR: /data
+      SYNAPSE_CONFIG_PATH: /data/homeserver.yaml.default
+      SYNAPSE_SERVER_NAME: ${DOMAIN}
+      SYNAPSE_REPORT_STATS: ${REPORT_STATS}
+    entrypoint: "/entrypoint.sh"
+
+  generate-mas-secrets:
+    restart: "no"
+    image: ghcr.io/element-hq/matrix-authentication-service:latest
+    volumes:
+      - ${VOLUME_PATH}/data/mas:/data:rw
+    env_file: .env
+    # FIXME: stop this regenerating a spurious default config every time
+    # We can't do the same approach as synapse (unless use a debug image of MAS) as MAS is distroless and has no bash.
+    command: "config generate -o /data/config.yaml.default"
+
+  # dependency for templating /data-template into /data (having extracted any secrets from any default generated configs)
+  init:
+    build: init
+    restart: "no"
+    volumes:
+      - ${VOLUME_PATH}/secrets:/secrets
+      - ${VOLUME_PATH}/data:/data
+      - ${VOLUME_PATH}/data-template:/data-template
+      - ${VOLUME_PATH}/init/init.sh:/init.sh
+    command: "/init.sh"
+    env_file: .env
+    depends_on:
+      generate-synapse-secrets:
+        condition: service_completed_successfully
+      generate-mas-secrets:
+        condition: service_completed_successfully
+
+  # nginx:
+  #   image: nginx:latest
+  #   restart: unless-stopped
+  #   ports:
+  #     - "80:80"
+  #     - "443:443"
+  #   volumes:
+  #     - ${VOLUME_PATH}/data/nginx:/etc/nginx/conf.d
+  #     - ${VOLUME_PATH}/data/certbot/conf:/etc/letsencrypt
+  #     - ${VOLUME_PATH}/data/certbot/www:/var/www/certbot
+  #   command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
+  #   depends_on:
+  #     init:
+  #       condition: service_completed_successfully
+
+  # certbot:
+  #   image: certbot/certbot:latest
+  #   restart: unless-stopped
+  #   volumes:
+  #     - ${VOLUME_PATH}/data/certbot/conf:/etc/letsencrypt
+  #     - ${VOLUME_PATH}/data/certbot/www:/var/www/certbot
+  #   entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
+  #   depends_on:
+  #     init:
+  #       condition: service_completed_successfully
+
+  postgres:
+    image: postgres:latest
+    restart: unless-stopped
+    volumes:
+      - ${VOLUME_PATH}/data/postgres:/var/lib/postgresql/data:rw
+      - ${VOLUME_PATH}/data-template/postgres/create-multiple-postgresql-databases.sh:/docker-entrypoint-initdb.d/create-multiple-postgresql-databases.sh
+    networks:
+      - backend
+    environment:
+      POSTGRES_MULTIPLE_DATABASES: synapse,mas
+      POSTGRES_USER: matrix # FIXME: use different username+passwords for synapse & MAS DBs.
+      POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
+      POSTGRES_INITDB_ARGS: --encoding=UTF8 --locale=C
+    secrets:
+      - postgres_password
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready"]
+      start_period: "1s"
+      interval: "1s"
+      timeout: "5s"
+    depends_on:
+      init:
+        condition: service_completed_successfully
+
+  redis:
+    image: redis:latest
+    restart: unless-stopped
+    networks:
+      - backend
+
+  synapse:
+    image: ghcr.io/element-hq/synapse:latest
+    restart: unless-stopped
+    volumes:
+      - ${VOLUME_PATH}/data/synapse:/data:rw
+    ports:
+      - 8008:8008
+    networks:
+      - backend
+    environment:
+      SYNAPSE_CONFIG_DIR: /data
+      SYNAPSE_CONFIG_PATH: /data/homeserver.yaml
+    secrets:
+      - synapse_signing_key
+    depends_on:
+      postgres:
+        condition: service_healthy
+      init:
+        condition: service_completed_successfully
+
+  synapse-generic-worker-1:
+    image: ghcr.io/element-hq/synapse:latest
+    restart: unless-stopped
+    entrypoint: ["/start.py", "run", "--config-path=/data/homeserver.yaml", "--config-path=/data/workers/synapse-generic-worker-1.yaml"]
+    healthcheck:
+      test: ["CMD-SHELL", "curl -fSs http://localhost:8081/health || exit 1"]
+      start_period: "5s"
+      interval: "15s"
+      timeout: "5s"
+    networks:
+      - backend
+    volumes:
+      - ${VOLUME_PATH}/data/synapse:/data:rw
+    environment:
+      SYNAPSE_WORKER: synapse.app.generic_worker
+    # Expose port if required so your reverse proxy can send requests to this worker
+    # Port configuration will depend on how the http listener is defined in the worker configuration file
+    ports:
+      - 8081:8081
+    secrets:
+      - synapse_signing_key
+    depends_on:
+      - synapse
+
+  synapse-federation-sender-1:
+    image: ghcr.io/element-hq/synapse:latest
+    restart: unless-stopped
+    entrypoint: ["/start.py", "run", "--config-path=/data/homeserver.yaml", "--config-path=/data/workers/synapse-federation-sender-1.yaml"]
+    healthcheck:
+      disable: true
+    networks:
+      - backend
+    volumes:
+      - ${VOLUME_PATH}/data/synapse:/data:rw # Replace VOLUME_PATH with the path to your Synapse volume
+    environment:
+      SYNAPSE_WORKER: synapse.app.federation_sender
+    secrets:
+      - synapse_signing_key
+    depends_on:
+      - synapse
+
+  matrix-authentication-service:
+    image: ghcr.io/element-hq/matrix-authentication-service:latest
+    restart: unless-stopped
+    ports:
+      - 8083:8080
+    volumes:
+      - ${VOLUME_PATH}/data/mas:/data:rw
+    networks:
+      - backend
+    # FIXME: do we also need to sync the db?
+    command: "server --config=/data/config.yaml"
+    depends_on:
+      postgres:
+        condition: service_healthy
+      init:
+        condition: service_completed_successfully
+
+  # as a basic local MTA
+  mailhog:
+    image: mailhog/mailhog:latest
+    restart: unless-stopped
+    ports:
+      - 8025:8025
+      - 1025:1025
+    networks:
+      - backend
+
+  element-web:
+    image: vectorim/element-web:latest
+    restart: unless-stopped
+    ports:
+      - 8080:80
+    healthcheck:
+      test: ["CMD-SHELL", "curl -fSs http://localhost:8080/version || exit 1"]
+      start_period: "5s"
+      interval: "15s"
+      timeout: "5s"
+    networks:
+      - backend
+    volumes:
+      - ${VOLUME_PATH}/data/element-web/config.json:/app/config.json
+    depends_on:
+      init:
+        condition: service_completed_successfully
+
+  element-call:
+    image: ghcr.io/element-hq/element-call
+    restart: unless-stopped
+    ports:
+      - 8082:80
+    networks:
+      - backend
+    volumes:
+      - ${VOLUME_PATH}/data/element-call/config.json:/app/config.json
+    depends_on:
+      init:
+        condition: service_completed_successfully
+
+  # livekit-server:
+  #   image: livekit/livekit-server:latest
+  #   restart: unless-stopped
+  #   ports:
+  #     - 7880:7880 # HTTP API
+  #     - 7881:7881 # WS signalling
+  #     # - 50000-60000:50000-60000/tcp # TCP media
+  #     # - 50000-60000:50000-60000/udp # UDP media
+  #   networks:
+  #     - backend
+  #   depends_on:
+  #     init:
+  #       condition: service_completed_successfully