From ec2cacdb4751daef0240ad171cbd4d032f8bd9d1 Mon Sep 17 00:00:00 2001 From: Matthew Hodgson Date: Mon, 4 Nov 2024 22:33:46 +0000 Subject: [PATCH] sort out the network --- .env-sample | 22 +++++++----- compose.yml | 40 +++++++++++++++------ data-template/nginx/conf.d/app.conf | 8 ++--- data-template/nginx/conf.d/include/ssl.conf | 2 +- data-template/synapse/homeserver.yaml | 7 +++- 5 files changed, 53 insertions(+), 26 deletions(-) diff --git a/.env-sample b/.env-sample index adccc84..2577777 100644 --- a/.env-sample +++ b/.env-sample @@ -1,3 +1,4 @@ +#!/usr/bin/bash # These env vars get templated into the configs in the respective containers via init scripts. # # If you want to make more customisations then either edit the templates to add more env variables below @@ -8,21 +9,24 @@ VOLUME_PATH=. DOMAIN=example.com -HOMESERVER_FQDN=matrix.example.com -ELEMENT_WEB_FQDN=element.example.com -ELEMENT_CALL_FQDN=call.example.com -MAS_FQDN=auth.example.com +HOMESERVER_FQDN=matrix.$DOMAIN +ELEMENT_WEB_FQDN=element.$DOMAIN +ELEMENT_CALL_FQDN=call.$DOMAIN +MAS_FQDN=auth.$DOMAIN REPORT_STATS=yes IDENTITY_SERVER_URL=https://vector.im -MAIL_NOTIF_FROM_ADDRESS=noreply@example.com -ABUSE_SUPPORT_EMAIL=abuse@example.com -SECURITY_SUPPORT_EMAIL=security@example.com +MAIL_NOTIF_FROM_ADDRESS=noreply@$DOMAIN +ABUSE_SUPPORT_EMAIL=abuse@$DOMAIN +SECURITY_SUPPORT_EMAIL=security@$DOMAIN MAS_CLIENT_ID="0000000000000000000SYNAPSE" -MAS_EMAIL_FROM='"Authentication Service" ' -MAS_EMAIL_REPLY_TO='"Authentication Service" ' +MAS_EMAIL_FROM='"Matrix Authentication Service" ' +MAS_EMAIL_REPLY_TO='"Matrix Authentication Service" ' COUNTRY=GB + +# as a convenience for creating /etc/hosts +DOMAINS=($DOMAIN $HOMESERVER_FQDN $ELEMENT_WEB_FQDN $ELEMENT_CALL_FQDN $MAS_FQDN) diff --git a/compose.yml b/compose.yml index 5525b76..548c162 100644 --- a/compose.yml +++ b/compose.yml 
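Review bot: The new `DOMAINS=($DOMAIN $HOMESERVER_FQDN ...)` line at the end of the second .env-sample hunk is bash array syntax, which a dotenv parser does not understand — if this file is also loaded as the project's Compose `.env`, `DOMAINS` most likely becomes a literal string beginning with `(` rather than a list, and the `$DOMAIN` references introduced above it only expand where the reader performs variable interpolation (bash when the file is sourced, or Compose's own `.env` interpolation). The shebang added in the first hunk suggests the file is now meant to be sourced by bash, yet the header comment still describes it as env vars templated into containers by init scripts, so it is unclear which consumer is authoritative. Suggest saying so on the new comment line, e.g. `# as a convenience for creating /etc/hosts (bash-only: ignore when this file is read as a Compose .env)`, or moving the array into whatever script builds /etc/hosts.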
@@ -58,6 +58,8 @@ services: - "80:80" - "443:443" - "8448:8448" + # shutdown fast so we can iterate rapidly on compose.yml + stop_grace_period: 0s volumes: - ${VOLUME_PATH}/data/nginx/conf.d:/etc/nginx/conf.d - ${VOLUME_PATH}/data/nginx/www:/var/www @@ -65,9 +67,23 @@ services: # - ${VOLUME_PATH}/data/certbot/conf:/etc/letsencrypt # - ${VOLUME_PATH}/data/certbot/www:/var/www/certbot command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'" + networks: + - backend depends_on: init: condition: service_completed_successfully + # synapse: + # condition: service_started + # synapse-generic-worker-1: + # condition: service_started + # synapse-federation-sender-1: + # condition: service_started + # matrix-authentication-service: + # condition: service_started + # element-web: + # condition: service_started + # element-call: + # condition: service_started # certbot: # image: certbot/certbot:latest @@ -115,8 +131,8 @@ services: restart: unless-stopped volumes: - ${VOLUME_PATH}/data/synapse:/data:rw - ports: - - 8008:8008 + # ports: + # - 8008:8008 networks: - backend environment: @@ -147,8 +163,8 @@ services: SYNAPSE_WORKER: synapse.app.generic_worker # Expose port if required so your reverse proxy can send requests to this worker # Port configuration will depend on how the http listener is defined in the worker configuration file - ports: - - 8081:8081 + # ports: + # - 8081:8081 secrets: - synapse_signing_key depends_on: @@ -166,6 +182,8 @@ services: - ${VOLUME_PATH}/data/synapse:/data:rw # Replace VOLUME_PATH with the path to your Synapse volume environment: SYNAPSE_WORKER: synapse.app.federation_sender + # ports: + # - 8082:8082 secrets: - synapse_signing_key depends_on: @@ -174,8 +192,8 @@ services: matrix-authentication-service: image: ghcr.io/element-hq/matrix-authentication-service:latest restart: unless-stopped - ports: - - 8083:8080 + # ports: + # - 8083:8080 volumes: - ${VOLUME_PATH}/data/mas:/data:rw networks: 
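Review bot: Now that nginx joins `backend` and the proxy targets are plain service names (`element-web`, `matrix-authentication-service`), the `depends_on` entries left commented out in the `@@ -65,9 +67,23 @@` hunk matter more than the comment suggests: nginx resolves a static `proxy_pass http://host` when it loads its configuration, and if any of those service names does not yet resolve when nginx starts, it exits with `host not found in upstream` rather than retrying. Uncommenting the block (`synapse:` through `element-call:`) would order startup; the alternative is a `resolver` directive with the upstream held in a variable so lookups happen per request. `condition: service_started` only orders container creation, not readiness, so for element-web, which already defines a healthcheck, `condition: service_healthy` is the stronger choice. If the block is to stay disabled, replace it with a one-line comment saying why, so the next maintainer knows it is intentional.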
@@ -194,15 +212,15 @@ services: restart: unless-stopped ports: - 8025:8025 - - 1025:1025 + # - 1025:1025 networks: - backend element-web: image: vectorim/element-web:latest restart: unless-stopped - ports: - - 8080:80 + # ports: + # - 8080:80 healthcheck: test: ["CMD-SHELL", "curl -fSs http://localhost:8080/version || exit 1"] start_period: "5s" @@ -219,8 +237,8 @@ services: element-call: image: ghcr.io/element-hq/element-call restart: unless-stopped - ports: - - 8082:80 + # ports: + # - 8082:80 networks: - backend volumes: diff --git a/data-template/nginx/conf.d/app.conf b/data-template/nginx/conf.d/app.conf index 8b3eb10..6755563 100644 --- a/data-template/nginx/conf.d/app.conf +++ b/data-template/nginx/conf.d/app.conf @@ -25,7 +25,7 @@ server { include /etc/nginx/conf.d/include/ssl.conf; location / { - proxy_pass http://element-web:8080; + proxy_pass http://element-web; } } @@ -36,7 +36,7 @@ server { include /etc/nginx/conf.d/include/ssl.conf; location / { - proxy_pass http://element-call:8082; + proxy_pass http://element-call; } } @@ -47,7 +47,7 @@ server { include /etc/nginx/conf.d/include/ssl.conf; location / { - proxy_pass http://auth:8083; + proxy_pass http://matrix-authentication-service:8080; } } @@ -62,7 +62,7 @@ server { listen [::]:8448 ssl default_server; # pass auth to MAS - location ~ ^/_matrix/client/(.*)/(login|logout|refresh) { proxy_pass http://auth:8083; } + location ~ ^/_matrix/client/(.*)/(login|logout|refresh) { proxy_pass http://matrix-authentication-service:8080; } # use the generic worker as a synchrotron: # taken from https://element-hq.github.io/synapse/latest/workers.html#synapseappgeneric_worker diff --git a/data-template/nginx/conf.d/include/ssl.conf b/data-template/nginx/conf.d/include/ssl.conf index bab92d3..c377143 100644 --- a/data-template/nginx/conf.d/include/ssl.conf +++ b/data-template/nginx/conf.d/include/ssl.conf 
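Review bot: The element-web healthcheck kept as context in the `@@ -194,15 +212,15 @@` hunk still probes `http://localhost:8080/version`, while the app.conf hunk later on this line switches the upstream to `proxy_pass http://element-web;` (port 80) after dropping the `8080:80` host mapping — the two disagree about which port the container listens on, so either the healthcheck or the new proxy_pass is wrong; confirm the image's listening port and align both. Separately, mailhog's `8025:8025` UI binding remains published on every host interface even though the rest of the change stops publishing backend ports; if the UI is only needed locally, `- "127.0.0.1:8025:8025"` limits it to loopback.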
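Review bot: The one-line `location ~ ^/_matrix/client/(.*)/(login|logout|refresh) { proxy_pass http://matrix-authentication-service:8080; }` in the `@@ -62,7 +62,7 @@` app.conf hunk (and the `location /` blocks in the three hunks before it) forwards to MAS over plain HTTP inside the backend network without any `proxy_set_header` lines visible in the hunk. Unless they come from an include not shown here, MAS will see nginx's address and `Host` rather than the client's, which affects its logging, rate limiting and the URLs it builds. Suggest adding `proxy_set_header Host $host;`, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;` (or a shared include) to these locations, and configuring MAS to trust the proxy accordingly. The enclosing `server` blocks start and end outside the hunks.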
@@ -6,5 +6,5 @@ # include /etc/letsencrypt/options-ssl-nginx.conf; # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - ssl_certificate /etc/nginx/ssl/client.pem; + ssl_certificate /etc/nginx/ssl/cert.pem; ssl_certificate_key /etc/nginx/ssl/key.pem; \ No newline at end of file diff --git a/data-template/synapse/homeserver.yaml b/data-template/synapse/homeserver.yaml index d3b27ed..d182ce4 100644 --- a/data-template/synapse/homeserver.yaml +++ b/data-template/synapse/homeserver.yaml @@ -64,6 +64,11 @@ redis: host: redis port: 6379 +# as we want our first launch and subsequent upgrades to go as fast +# as possible don't sleep between background updates +background_updates: + sleep_enabled: false + email: smtp_host: mailhog smtp_port: 1025 @@ -90,7 +95,7 @@ email: experimental_features: msc3861: # OIDC enabled: true - issuer: http://localhost:8080/ + issuer: http://matrix-authentication-service:8080/ client_id: ${MAS_CLIENT_ID} client_auth_method: client_secret_basic client_secret: '${SECRETS_MAS_CLIENT_SECRET}'
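Review bot: Setting `issuer` to the Docker-internal `http://matrix-authentication-service:8080/` in the `@@ -90,7 +95,7 @@` homeserver.yaml hunk is probably right for introspection but wrong for everything else the value is used for: Synapse fetches `{issuer}/.well-known/openid-configuration` from it and also appears to advertise it to clients as the authentication issuer, and clients cannot reach an internal hostname, let alone a plaintext one. MAS's own issuer is normally the public `https://auth.$DOMAIN/`, and a discovery document whose `issuer` field differs from the URL it was fetched from is rejected by issuer-validating consumers. The usual split is to keep the public URL here and route only the server-to-server call internally, e.g. `issuer: https://${MAS_FQDN}/` plus `introspection_endpoint: http://matrix-authentication-service:8080/oauth2/introspect` — confirm the latter key is supported by the Synapse version this image pins.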