a first stab at a docker compose up matrix 2.0 stack

data-template/element-web/config.json

@@ -0,0 +1,34 @@
+{
+    "default_server_config": {
+        "m.homeserver": {
+            "base_url": "https://${HOMESERVER_FQDN}",
+            "server_name": "${DOMAIN}"
+        },
+        "m.identity_server": {
+            "base_url": "${IDENTITY_SERVER_URL}"
+        }
+    },
+    "disable_custom_urls": false,
+    "disable_guests": false,
+    "disable_login_language_selector": false,
+    "disable_3pid_login": false,
+    "force_verification": false,
+    "brand": "Element",
+    "default_widget_container_height": 280,
+    "default_country_code": "${COUNTRY}",
+    "show_labs_settings": false,
+    "features": {},
+    "default_federate": true,
+    "default_theme": "light",
+    "room_directory": {
+        "servers": ["${DOMAIN}"]
+    },
+    "setting_defaults": {
+        "breadcrumbs": true
+    },
+    "element_call": {
+        "url": "https://${ELEMENT_CALL_FQDN}",
+        "brand": "Element Call"
+    },
+    "map_style_url": "https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx"
+}

data-template/mas/config.yaml

@@ -0,0 +1,101 @@
+${CONFIG_HEADER}
+
+http:
+  listeners:
+  - name: web
+    resources:
+    - name: discovery
+    - name: human
+    - name: oauth
+    - name: compat
+    - name: graphql
+    - name: assets
+    binds:
+    - address: '[::]:8080'
+    proxy_protocol: false
+  - name: internal
+    resources:
+    - name: health
+    binds:
+    - host: localhost
+      port: 8081
+    proxy_protocol: false
+  trusted_proxies:
+  - 192.168.0.0/16
+  - 172.16.0.0/12
+  - 10.0.0.0/10
+  - 127.0.0.1/8
+  - fd00::/8
+  - ::1/128
+  public_base: http://[::]:8080/
+  issuer: http://[::]:8080/
+database:
+  host: postgres
+  database: mas
+  username: matrix
+  password: ${SECRETS_POSTGRES_PASSWORD}
+  max_connections: 10
+  min_connections: 0
+  connect_timeout: 30
+  idle_timeout: 600
+  max_lifetime: 1800
+email:
+  from: '${MAS_EMAIL_FROM}'
+  reply_to: '${MAS_EMAIL_REPLY_TO}'
+  transport: smtp
+  mode: plain
+  hostname: mailhog
+  port: 1025
+${SECRETS_MAS_SECRETS}
+passwords:
+  enabled: true
+  schemes:
+  - version: 1
+    algorithm: argon2id
+  minimum_complexity: 3
+matrix:
+  homeserver: localhost:8008
+  secret: '${SECRETS_MAS_MATRIX_SECRET}'
+  endpoint: http://localhost:8008/
+
+# please keep config above this point as close as possible to the original generated config
+# so that upstream generated config changes can be detected
+
+# these taken from midhun's quick-mas-setup
+clients:
+  - client_id: ${MAS_CLIENT_ID}
+    client_auth_method: client_secret_basic
+    client_secret: '${SECRETS_MAS_CLIENT_SECRET}'
+
+templates:
+  path: /usr/local/share/mas-cli/templates/
+  assets_manifest: /usr/local/share/mas-cli/manifest.json
+  translations_path: /usr/local/share/mas-cli/translations/
+
+policy:
+  wasm_module: /usr/local/share/mas-cli/policy.wasm
+  client_registration_entrypoint: client_registration/violation
+  register_entrypoint: register/violation
+  authorization_grant_entrypoint: authorization_grant/violation
+  password_entrypoint: password/violation
+  email_entrypoint: email/violation
+  data:
+    client_registration:
+      allow_insecure_uris: true # allow non-SSL and localhost URIs
+      allow_missing_contacts: true # EW doesn't have contacts at this time
+    admin_users:
+        - admin
+
+branding:
+  service_name: null
+  policy_uri: null
+  tos_uri: null
+  imprint: null
+  logo_uri: null
+
+upstream_oauth2:
+  providers: []
+
+experimental:
+  access_token_ttl: 86400
+  compat_token_ttl: 86400

data-template/nginx/.well-known/matrix/client

@@ -0,0 +1,14 @@
+{
+    "m.homeserver": {
+        "base_url": "https://${HOMESERVER_FQDN}"
+    },
+    "m.identity_server": {
+        "base_url": "${IDENTITY_SERVER_URL}"
+    },
+    "org.matrix.msc4143.rtc_foci": [
+        {
+            "type": "livekit",
+            "livekit_service_url": "https://${ELEMENT_CALL_FQDN}"
+        }
+    ]
+}

data-template/nginx/.well-known/matrix/server

@@ -0,0 +1,3 @@
+{
+    "m.server": "${HOMESERVER_FQDN}:443"
+}

data-template/nginx/.well-known/matrix/support

@@ -0,0 +1,7 @@
+{
+    "support_page": "https://matrix.org/contact/",
+    "contacts": [
+        { "role": "m.role.admin", "email_address": "${ABUSE_SUPPORT_EMAIL}" },
+        { "role": "m.role.security", "email_address": "${SECURITY_SUPPORT_EMAIL}" }
+    ]
+}

data-template/nginx/app.conf

@@ -0,0 +1,112 @@
+# taken from https://element-hq.github.io/synapse/latest/reverse_proxy.html
+# mixed with https://github.com/wmnnd/nginx-certbot/tree/master/data/nginx
+
+server {
+    server_name example.com;
+    server_tokens off;
+
+    listen 80;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    server_name element.example.com;
+    server_tokens off;
+
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+
+    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+    location / {
+        proxy_pass http://element-web:8080;
+    }
+}
+
+server {
+    server_name call.example.com;
+    server_tokens off;
+
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+
+    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+    location / {
+        proxy_pass http://element-call:8082;
+    }
+}
+
+server {
+    server_name auth.example.com;
+    server_tokens off;
+
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+
+    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+    location / {
+        proxy_pass http://auth:8083;
+    }
+}
+
+server {
+    server_name matrix.example.com;
+    server_tokens off;
+
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+
+    # For the federation port
+    listen 8448 ssl default_server;
+    listen [::]:8448 ssl default_server;
+
+    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+    # pass auth to MAS
+    location ~ ^/_matrix/client/(.*)/(login|logout|refresh)             { proxy_pass http://auth:8083 }
+
+    # use the generic worker as a synchrotron:
+    # taken from https://element-hq.github.io/synapse/latest/workers.html#synapseappgeneric_worker
+    location ~ ^/_matrix/client/(r0|v3)/sync$                           { proxy_pass http://synapse-generic-worker-1:8081 }
+    location ~ ^/_matrix/client/(api/v1|r0|v3)/events$                  { proxy_pass http://synapse-generic-worker-1:8081 }
+    location ~ ^/_matrix/client/(api/v1|r0|v3)/initialSync$             { proxy_pass http://synapse-generic-worker-1:8081 }
+    location ~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$ { proxy_pass http://synapse-generic-worker-1:8081 }
+
+    location / {
+        proxy_pass http://synapse:8008;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+
+        # Nginx by default only allows file uploads up to 1M in size
+        # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+        client_max_body_size 50M;
+    }
+
+    location /.well-known {}
+
+    # Synapse responses may be chunked, which is an HTTP/1.1 feature.
+    proxy_http_version 1.1;
+}
+

data-template/postgres/create-multiple-postgresql-databases.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# from https://github.com/mrts/docker-postgresql-multiple-databases
+
+set -e
+set -u
+
+function create_user_and_database() {
+	local database=$1
+	echo "  Creating user and database '$database'"
+	psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
+	    CREATE USER $database;
+	    CREATE DATABASE $database;
+	    GRANT ALL PRIVILEGES ON DATABASE $database TO $database;
+EOSQL
+}
+
+if [ -n "$POSTGRES_MULTIPLE_DATABASES" ]; then
+	echo "Multiple database creation requested: $POSTGRES_MULTIPLE_DATABASES"
+	for db in $(echo $POSTGRES_MULTIPLE_DATABASES | tr ',' ' '); do
+		create_user_and_database $db
+	done
+	echo "Multiple databases created"
+fi

data-template/synapse/homeserver.yaml

@@ -0,0 +1,98 @@
+${CONFIG_HEADER}
+
+# Configuration file for Synapse.
+#
+# This is a YAML file: see [1] for a quick introduction. Note in particular
+# that *indentation is important*: all the elements of a list or dictionary
+# should have the same indentation.
+#
+# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
+#
+# For more information on how to configure Synapse, including a complete accounting of
+# each option, go to docs/usage/configuration/config_documentation.md or
+# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html
+server_name: ${DOMAIN}
+pid_file: /data/homeserver.pid
+listeners:
+  - port: 8008
+    tls: false
+    type: http
+    x_forwarded: true
+    resources:
+      - names: [client, federation]
+        compress: false
+  - port: 9093
+    tls: false
+    type: http
+    resources:
+      - names: [replication]
+
+database:
+    name: psycopg2
+    args:
+        user: matrix
+        password: '${SECRETS_POSTGRES_PASSWORD}'
+        host: postgres
+        database: synapse
+
+log_config: "/data/log.config"
+media_store_path: /data/media_store
+registration_shared_secret: '${SECRETS_SYNAPSE_REGISTRATION_SHARED_SECRET}'
+report_stats: false
+macaroon_secret_key: '${SECRETS_SYNAPSE_MACAROON_SECRET_KEY}'
+form_secret: '${SECRETS_SYNAPSE_FORM_SECRET}'
+signing_key_path: "/run/secrets/synapse_signing_key"
+trusted_key_servers:
+  - server_name: "matrix.org"
+
+# please keep config above this point as close as possible to the original generated config
+# so that upstream generated config changes can be detected
+
+send_federation: false
+federation_sender_instances:
+  - synapse-federation-sender-1
+
+instance_map:
+  main:
+    host: 'synapse'
+    port: 9093
+
+redis:
+  enabled: true
+  host: redis
+  port: 6379
+
+email:
+  smtp_host: mailhog
+  smtp_port: 1025
+  enable_tls: false
+  notif_from: "Your %(app)s homeserver <${MAIL_NOTIF_FROM_ADDRESS}>"
+  app_name: Matrix
+  enable_notifs: true
+  notif_for_new_users: false
+  client_base_url: https://${ELEMENT_WEB_FQDN}
+  validation_token_lifetime: 15m
+  invite_client_location: https://${ELEMENT_WEB_FQDN}
+  subjects:
+    message_from_person_in_room: "[%(app)s] You have a message on %(app)s from %(person)s in the %(room)s room..."
+    message_from_person: "[%(app)s] You have a message on %(app)s from %(person)s..."
+    messages_from_person: "[%(app)s] You have messages on %(app)s from %(person)s..."
+    messages_in_room: "[%(app)s] You have messages on %(app)s in the %(room)s room..."
+    messages_in_room_and_others: "[%(app)s] You have messages on %(app)s in the %(room)s room and others..."
+    messages_from_person_and_others: "[%(app)s] You have messages on %(app)s from %(person)s and others..."
+    invite_from_person_to_room: "[%(app)s] %(person)s has invited you to join the %(room)s room on %(app)s..."
+    invite_from_person: "[%(app)s] %(person)s has invited you to chat on %(app)s..."
+    password_reset: "[%(server_name)s] Password reset"
+    email_validation: "[%(server_name)s] Validate your email"
+
+experimental_features:
+  msc3861: # OIDC
+    enabled: true
+    issuer: http://localhost:8080/
+    client_id: ${MAS_CLIENT_ID}
+    client_auth_method: client_secret_basic
+    client_secret: '${SECRETS_MAS_CLIENT_SECRET}'
+    admin_token: '${SECRETS_MAS_MATRIX_SECRET}'
+    account_management_url: "https://${MAS_FQDN}/account"
+
+# vim:ft=yaml

data-template/synapse/log.config

@@ -0,0 +1,75 @@
+# Log configuration for Synapse.
+#
+# This is a YAML file containing a standard Python logging configuration
+# dictionary. See [1] for details on the valid settings.
+#
+# Synapse also supports structured logging for machine readable logs which can
+# be ingested by ELK stacks. See [2] for details.
+#
+# [1]: https://docs.python.org/3/library/logging.config.html#configuration-dictionary-schema
+# [2]: https://element-hq.github.io/synapse/latest/structured_logging.html
+
+version: 1
+
+formatters:
+    precise:
+        format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+handlers:
+    file:
+        class: logging.handlers.TimedRotatingFileHandler
+        formatter: precise
+        filename: /data/homeserver.log
+        when: midnight
+        backupCount: 3  # Does not include the current log file.
+        encoding: utf8
+
+    # Default to buffering writes to log file for efficiency.
+    # WARNING/ERROR logs will still be flushed immediately, but there will be a
+    # delay (of up to `period` seconds, or until the buffer is full with
+    # `capacity` messages) before INFO/DEBUG logs get written.
+    buffer:
+        class: synapse.logging.handlers.PeriodicallyFlushingMemoryHandler
+        target: file
+
+        # The capacity is the maximum number of log lines that are buffered
+        # before being written to disk. Increasing this will lead to better
+        # performance, at the expensive of it taking longer for log lines to
+        # be written to disk.
+        # This parameter is required.
+        capacity: 10
+
+        # Logs with a level at or above the flush level will cause the buffer to
+        # be flushed immediately.
+        # Default value: 40 (ERROR)
+        # Other values: 50 (CRITICAL), 30 (WARNING), 20 (INFO), 10 (DEBUG)
+        flushLevel: 30  # Flush immediately for WARNING logs and higher
+
+        # The period of time, in seconds, between forced flushes.
+        # Messages will not be delayed for longer than this time.
+        # Default value: 5 seconds
+        period: 5
+
+    # A handler that writes logs to stderr. Unused by default, but can be used
+    # instead of "buffer" and "file" in the logger handlers.
+    console:
+        class: logging.StreamHandler
+        formatter: precise
+
+loggers:
+    synapse.storage.SQL:
+        # beware: increasing this to DEBUG will make synapse log sensitive
+        # information such as access tokens.
+        level: INFO
+
+root:
+    level: INFO
+
+    # Write logs to the `buffer` handler, which will buffer them together in memory,
+    # then write them to a file.
+    #
+    # Replace "buffer" with "console" to log to stderr instead.
+    #
+    handlers: [console]
+
+disable_existing_loggers: false

data-template/synapse/workers/synapse-federation-sender-1.yaml

@@ -0,0 +1,4 @@
+worker_app: synapse.app.federation_sender
+worker_name: synapse-federation-sender-1
+
+worker_log_config: /data/log.config

data-template/synapse/workers/synapse-generic-worker-1.yaml

@@ -0,0 +1,11 @@
+worker_app: synapse.app.generic_worker
+worker_name: synapse-generic-worker-1
+
+worker_listeners:
+  - type: http
+    port: 8081
+    x_forwarded: true
+    resources:
+      - names: [client, federation]
+
+worker_log_config: /data/log.config