a first stab at a docker compose up matrix 2.0 stack

init/Dockerfile

@@ -0,0 +1,4 @@
+FROM alpine:latest
+
+# TODO: check this doesn't reinstall yq on every launch and use a builder if necessary
+RUN apk update && apk add yq bash envsubst

init/generate-mas-secrets.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/ash
+
+# a replacement entrypoint script for the MAS docker image which generates default config & secrets if needed.
+# N.B. NOT USED CURRENTLY AS THE MAS IMAGE HAS NO SHELL
+
+
+if [[ -f /data/config.yaml ]]
+then
+	echo "MAS config found - not generating default"
+	exit 0
+fi
+
+echo "MAS config not found - generating default for secrets"
+exec mas-cli config generate -o /data/config.yaml.default

init/generate-synapse-secrets.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/bash
+
+# a replacement entrypoint script for the synapse docker image which generates default config & secrets if needed.
+
+if [[ -f ${SYNAPSE_CONFIG_PATH} ]]
+then
+	echo "Synapse config found - not generating default"
+	exit 0
+fi
+
+echo "Synapse config not found - generating default for secrets"
+exec /start.py generate

init/init-letsencrypt.sh

@@ -0,0 +1,83 @@
+#!/bin/bash
+
+# taken from https://raw.githubusercontent.com/wmnnd/nginx-certbot/refs/heads/master/init-letsencrypt.sh
+
+if ! [ -x "$(command -v docker-compose)" ]; then
+  echo 'Error: docker-compose is not installed.' >&2
+  exit 1
+fi
+
+. .env
+domains=($DOMAIN $HOMESERVER_FQDN $ELEMENT_FQDN $CALL_FQDN $MAS_FQDN)
+rsa_key_size=4096
+data_path="./data/certbot"
+email="" # Adding a valid address is strongly recommended
+staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits
+
+if [ -d "$data_path" ]; then
+  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
+  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
+    exit
+  fi
+fi
+
+
+if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
+  echo "### Downloading recommended TLS parameters ..."
+  mkdir -p "$data_path/conf"
+  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
+  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
+  echo
+fi
+
+echo "### Creating dummy certificate for $domains ..."
+path="/etc/letsencrypt/live/$domains"
+mkdir -p "$data_path/conf/live/$domains"
+docker-compose run --rm --entrypoint "\
+  openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1\
+    -keyout '$path/privkey.pem' \
+    -out '$path/fullchain.pem' \
+    -subj '/CN=localhost'" certbot
+echo
+
+
+echo "### Starting nginx ..."
+docker-compose up --force-recreate -d nginx
+echo
+
+echo "### Deleting dummy certificate for $domains ..."
+docker-compose run --rm --entrypoint "\
+  rm -Rf /etc/letsencrypt/live/$domains && \
+  rm -Rf /etc/letsencrypt/archive/$domains && \
+  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
+echo
+
+
+echo "### Requesting Let's Encrypt certificate for $domains ..."
+#Join $domains to -d args
+domain_args=""
+for domain in "${domains[@]}"; do
+  domain_args="$domain_args -d $domain"
+done
+
+# Select appropriate email arg
+case "$email" in
+  "") email_arg="--register-unsafely-without-email" ;;
+  *) email_arg="--email $email" ;;
+esac
+
+# Enable staging mode if needed
+if [ $staging != "0" ]; then staging_arg="--staging"; fi
+
+docker-compose run --rm --entrypoint "\
+  certbot certonly --webroot -w /var/www/certbot \
+    $staging_arg \
+    $email_arg \
+    $domain_args \
+    --rsa-key-size $rsa_key_size \
+    --agree-tos \
+    --force-renewal" certbot
+echo
+
+echo "### Reloading nginx ..."
+docker-compose exec nginx nginx -s reload

init/init.sh

@@ -0,0 +1,82 @@
+#!/bin/bash
+
+set -e
+#set -x
+
+# basic script to generate templated config for our various docker images.
+# it runs in its own alpine docker image to pull in yq as a dep, and to let the whole thing be managed by docker-compose.
+
+# by this point, synapse & mas should generated default config files & secrets
+# via generate-synapse-secrets.sh and generate-mas-secrets.sh
+
+if [[ ! -f /secrets/synapse/${DOMAIN}.signing.key ]] # TODO: check for existence of other secrets?
+then
+	# extract synapse secrets from the config and move them into ./secrets
+	echo "Extracting generated synapse secrets..."
+	mkdir -p /secrets/synapse
+	for secret in registration_shared_secret macaroon_secret_key form_secret
+	do
+		yq .$secret /data/synapse/homeserver.yaml.default > /secrets/synapse/$secret
+	done
+	# ...and files too, just to keep all our secrets in one place
+	mv /data/synapse/${DOMAIN}.signing.key /secrets/synapse
+fi
+
+if [[ ! -f /secrets/mas/secrets ]] # TODO: check for existence of other secrets?
+then
+	echo "Extracting generated MAS secrets..."
+	mkdir -p /secrets/mas
+	# extract MAS secrets from the config and move them into ./secrets
+	for secret in matrix.secret
+	do
+		yq .$secret /data/mas/config.yaml.default > /secrets/mas/$secret
+	done
+	yq '(.secrets) as $s
+	    ireduce({}; setpath($s | path; $s))' /data/mas/config.yaml.default > /secrets/mas/secrets
+	head -c16 /dev/urandom | base64 | tr -d '=' > /secrets/mas/client.secret
+fi
+
+if [[ ! -f /secrets/postgres/postgres_password ]]
+then
+	mkdir -p /secrets/postgres
+	head -c16 /dev/urandom | base64 | tr -d '=' > /secrets/postgres/postgres_password
+fi
+
+# TODO: compare the default generated config with our templates to see if our templates are stale
+# we'd have to strip out the secrets from the generated configs to be able to diff them sensibly
+
+# now we have our secrets extracted from the default configs, overwrite the configs with our templates
+
+# for simplicity, we just use envsubst for now rather than ansible+jinja or something.
+template() {
+	dir=$1
+	echo "Templating configs in $dir"
+	for file in `find $dir -type f`
+	do
+		mkdir -p `dirname ${file/-template/}`
+		envsubst < $file > ${file/-template/}
+	done
+}
+
+export CONFIG_HEADER="# WARNING: This file is autogenerated by element-quick-start from templates"
+(
+	export SECRETS_SYNAPSE_REGISTRATION_SHARED_SECRET=$(</secrets/synapse/registration_shared_secret)
+	export SECRETS_SYNAPSE_MACAROON_SECRET_KEY=$(</secrets/synapse/macaroon_secret_key)
+	export SECRETS_SYNAPSE_FORM_SECRET=$(</secrets/synapse/form_secret)
+	export SECRETS_MAS_MATRIX_SECRET=$(</secrets/mas/matrix.secret)
+	export SECRETS_MAS_CLIENT_SECRET=$(</secrets/mas/client.secret)
+	export SECRETS_POSTGRES_PASSWORD=$(</secrets/postgres/postgres_password)
+	template "/data-template/synapse"
+)
+
+(
+	export SECRETS_MAS_SECRETS=$(</secrets/mas/secrets)
+	export SECRETS_MAS_MATRIX_SECRET=$(</secrets/mas/matrix.secret)
+	export SECRETS_MAS_CLIENT_SECRET=$(</secrets/mas/client.secret)
+	export SECRETS_POSTGRES_PASSWORD=$(</secrets/postgres/postgres_password)
+	template "/data-template/mas"
+)
+
+template "/data-template/element-web"
+template "/data-template/element-call"
+template "/data-template/nginx"