From a7a41789daa204b7c93a788a8a2e31f019d0103c Mon Sep 17 00:00:00 2001
From: null31
Date: Wed, 19 Feb 2025 12:17:32 +0100
Subject: [PATCH] Initial commit
---
.env | 7 +++
acl_matrix_admin.conf | 11 +++++
bg.log.config | 77 ++++++++++++++++++++++++++++++
compose.yaml | 104 +++++++++++++++++++++++++++++++++++++++++
federation.log.config | 77 ++++++++++++++++++++++++++++++
gnu.moe.log.config | 77 ++++++++++++++++++++++++++++++
hs.yaml | 78 +++++++++++++++++++++++++++++++
media.log.config | 77 ++++++++++++++++++++++++++++++
synapse_gnu.conf | 66 ++++++++++++++++++++++++++
worker-background.yaml | 12 +++++
worker-federation.yaml | 16 +++++++
worker-media.yaml | 17 +++++++
12 files changed, 619 insertions(+)
create mode 100644 .env
create mode 100644 acl_matrix_admin.conf
create mode 100644 bg.log.config
create mode 100644 compose.yaml
create mode 100644 federation.log.config
create mode 100644 gnu.moe.log.config
create mode 100644 hs.yaml
create mode 100644 media.log.config
create mode 100644 synapse_gnu.conf
create mode 100644 worker-background.yaml
create mode 100644 worker-federation.yaml
create mode 100644 worker-media.yaml
diff --git a/.env b/.env
new file mode 100644
index 0000000..c801120
--- /dev/null
+++ b/.env
@@ -0,0 +1,7 @@
+REDIS_IMAGE=redis:7.4.2-alpine
+SYNAPSE_IMAGE=matrixdotorg/synapse:v1.124.0
+SYNAPSE_DATA_PATH=/app_data/synapse_gnu:/data:rw
+SYNAPSE_HS_CONF=./hs.yaml:/data/hs.yaml:ro
+SYNAPSE_LOG_CONF=./gnu.moe.log.config:/data/gnu.moe.log.config:ro
+SYNAPSE_SHARED_CONF=/data/hs.yaml
+SYNAPSE_SIGNING_KEY=/app_data/synapse_gnu/keys/gnu.moe.signing.key:/data/keys/gnu.moe.signing.key:ro
diff --git a/acl_matrix_admin.conf b/acl_matrix_admin.conf
new file mode 100644
index 0000000..fb68177
--- /dev/null
+++ b/acl_matrix_admin.conf
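Review bot: `SYNAPSE_IMAGE=matrixdotorg/synapse:v1.124.0` and `REDIS_IMAGE=redis:7.4.2-alpine` pin by tag only, so the image the four Synapse containers and redis actually run can change silently if the tag is re-pushed upstream. Pinning by digest, e.g. `SYNAPSE_IMAGE=matrixdotorg/synapse:v1.124.0@sha256:<digest-placeholder>`, makes the deployment reproducible and turns any later bump into a reviewable diff. A one-line comment recording where the digest was taken from would help whoever updates the file next.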
@@ -0,0 +1,11 @@
+allow 2a01:4f9:4a:33d0::f:2/128;
+allow 2a01:4f9:4a:33d0::e:3/128;
+allow 2605:6400:c985::d2/128;
+allow 2a02:e00:fff0:3d6::2;
+allow 95.217.118.120;
+allow 185.45.114.164;
+allow 104.244.77.29;
+allow 2605:6400:30:f394::f63a;
+allow 127.0.0.1;
+allow ::1;
+deny all;
diff --git a/bg.log.config b/bg.log.config
new file mode 100644
index 0000000..d7ebb4f
--- /dev/null
+++ b/bg.log.config
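Review bot: The allow-list mixes `/128` suffixes with bare addresses (`allow 2a02:e00:fff0:3d6::2;`, `allow 95.217.118.120;`); both forms match a single host in nginx, but a consistent form and a comment per entry saying which operator or monitoring host it is would make later pruning safer. This file is what synapse_gnu.conf includes into the admin and metrics locations, so at the edge it is the only filter in front of `/_synapse/admin`; the entries are matched against `$remote_addr`, so `127.0.0.1` and `::1` only admit requests originating on the nginx host itself. Suggested header comment: `# Hosts allowed to reach /_synapse/admin and the metrics locations; one entry per operator/monitoring host, reviewed when staff changes.`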
@@ -0,0 +1,77 @@
+# Log configuration for Synapse.
+#
+# This is a YAML file containing a standard Python logging configuration
+# dictionary. See [1] for details on the valid settings.
+#
+# Synapse also supports structured logging for machine readable logs which can
+# be ingested by ELK stacks. See [2] for details.
+#
+# [1]: https://docs.python.org/3/library/logging.config.html#configuration-dictionary-schema
+# [2]: https://matrix-org.github.io/synapse/latest/structured_logging.html
+
+version: 1
+
+formatters:
+ precise:
+ format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+handlers:
+ file:
+ class: logging.handlers.TimedRotatingFileHandler
+ formatter: precise
+ filename: /data/logs/bg.log
+ when: midnight
+ backupCount: 3 # Does not include the current log file.
+ encoding: utf8
+
+ # Default to buffering writes to log file for efficiency.
+ # WARNING/ERROR logs will still be flushed immediately, but there will be a
+ # delay (of up to `period` seconds, or until the buffer is full with
+ # `capacity` messages) before INFO/DEBUG logs get written.
+ buffer:
+ class: synapse.logging.handlers.PeriodicallyFlushingMemoryHandler
+ target: file
+
+ # The capacity is the maximum number of log lines that are buffered
+ # before being written to disk. Increasing this will lead to better
+ # performance, at the expensive of it taking longer for log lines to
+ # be written to disk.
+ # This parameter is required.
+ capacity: 10
+
+ # Logs with a level at or above the flush level will cause the buffer to
+ # be flushed immediately.
+ # Default value: 40 (ERROR)
+ # Other values: 50 (CRITICAL), 30 (WARNING), 20 (INFO), 10 (DEBUG)
+ flushLevel: 30 # Flush immediately for WARNING logs and higher
+
+ # The period of time, in seconds, between forced flushes.
+ # Messages will not be delayed for longer than this time.
+ # Default value: 5 seconds
+ period: 5
+
+ # A handler that writes logs to stderr.
Unused by default, but can be used
+ # instead of "buffer" and "file" in the logger handlers.
+ console:
+ class: logging.StreamHandler
+ formatter: precise
+
+loggers:
+ synapse.storage.SQL:
+ # beware: increasing this to DEBUG will make synapse log sensitive
+ # information such as access tokens.
+ level: INFO
+
+root:
+ level: INFO
+
+ # Write logs to the `buffer` handler, which will buffer them together in memory,
+ # then write them to a file.
+ #
+ # Replace "buffer" with "console" to log to stderr instead. (Note that you'll
+ # also need to update the configuration for the `twisted` logger above, in
+ # this case.)
+ #
+ handlers: [buffer]
+
+disable_existing_loggers: false
diff --git a/compose.yaml b/compose.yaml
new file mode 100644
index 0000000..945308e
--- /dev/null
+++ b/compose.yaml
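Review bot: `backupCount: 3` with `when: midnight` keeps roughly four days of `bg.log`, and the same retention is set in federation.log.config, gnu.moe.log.config and media.log.config; since synapse_gnu.conf also sets nginx `access_log off`, those files are close to the entire forensic window at this layer. Raising `backupCount` or shipping the files off the host deserves a deliberate choice and a comment such as `# backupCount: rotated days kept locally; align with the incident-retention policy`. The comment under `root:` says to also update "the `twisted` logger above", but none of the four log configs defines a `twisted` logger, so that sentence should be dropped or the logger added.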
@@ -0,0 +1,104 @@
+name: gnu
+services:
+ synapse.main:
+ image: ${SYNAPSE_IMAGE}
+ restart: unless-stopped
+ environment:
+ - SYNAPSE_CONFIG_PATH=${SYNAPSE_SHARED_CONF}
+ networks:
+ - synapse
+ ports:
+ - 127.0.0.1:8208:8008
+ # - 127.0.0.1:8300:8800
+ healthcheck:
+ disable: true
+ volumes:
+ - ${SYNAPSE_DATA_PATH}
+ - ${SYNAPSE_HS_CONF}
+ - ${SYNAPSE_SIGNING_KEY}
+ - ${SYNAPSE_LOG_CONF}
+ depends_on:
+ - redis
+
+ synapse.media:
+ image: ${SYNAPSE_IMAGE}
+ restart: unless-stopped
+ command: ["run", "--config-path=${SYNAPSE_SHARED_CONF}", "--config-path=/data/worker-media.yaml"]
+ environment:
+ SYNAPSE_WORKER: synapse.app.media_repository
+ networks:
+ - synapse
+ ports:
+ - 127.0.0.1:8209:8009
+ - 127.0.0.1:8301:8800
+ healthcheck:
+ disable: true
+ volumes:
+ - ${SYNAPSE_DATA_PATH}
+ - ${SYNAPSE_HS_CONF}
+ - ${SYNAPSE_SIGNING_KEY}
+ - ./media.log.config:/data/media.log.config:ro
+ - ./worker-media.yaml:/data/worker-media.yaml:ro
+ depends_on:
+ - synapse.main
+
+ synapse.federation:
+ image: ${SYNAPSE_IMAGE}
+ restart: unless-stopped
+ command: ["run", "--config-path=${SYNAPSE_SHARED_CONF}", "--config-path=/data/worker-federation.yaml"]
+ environment:
+ SYNAPSE_WORKER: synapse.app.generic_worker
+ networks:
+ - synapse
+ ports:
+ - 127.0.0.1:8210:8010
+ - 127.0.0.1:8302:8800
+ healthcheck:
+ disable: true
+ volumes:
+ - ${SYNAPSE_DATA_PATH}
+ - ${SYNAPSE_HS_CONF}
+ - ${SYNAPSE_SIGNING_KEY}
+ - ./federation.log.config:/data/federation.log.config:ro
+ - ./worker-federation.yaml:/data/worker-federation.yaml:ro
+ depends_on:
+ - synapse.main
+
+ synapse.bg:
+ image: ${SYNAPSE_IMAGE}
+ restart: unless-stopped
+ command: ["run", "--config-path=${SYNAPSE_SHARED_CONF}", "--config-path=/data/worker-background.yaml"]
+ environment:
+ SYNAPSE_WORKER: synapse.app.generic_worker
+ networks:
+ - synapse
+ ports:
+ - 127.0.0.1:8303:8800
+ healthcheck:
+ disable: true
+ volumes:
+ - ${SYNAPSE_DATA_PATH}
+ - ${SYNAPSE_HS_CONF}
+ - ${SYNAPSE_SIGNING_KEY}
+ -
./bg.log.config:/data/bg.log.config:ro
+ - ./worker-background.yaml:/data/worker-background.yaml:ro
+ depends_on:
+ - synapse.main
+
+ redis:
+ image: ${REDIS_IMAGE}
+ restart: unless-stopped
+ networks:
+ - synapse
+ volumes:
+ - redis_data:/data
+
+networks:
+ synapse:
+ ipam:
+ config:
+ - subnet: 300f:0:0:2000::/124
+ gateway: 300f:0:0:2000::1
+
+volumes:
+ redis_data:
diff --git a/federation.log.config b/federation.log.config
new file mode 100644
index 0000000..818a900
--- /dev/null
+++ b/federation.log.config
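Review bot: The `synapse` network is given `subnet: 300f:0:0:2000::/124`, which lies in the IPv6 global-unicast range (2000::/3) rather than in the private fc00::/7 ULA space; if that prefix is ever allocated publicly, traffic to it from these containers would be captured by the bridge instead of routed. A ULA prefix (for example `subnet: fd00:<site-placeholder>::/124`, constructed) avoids this with no other change, and a comment stating that the network is internal-only would record the intent. Because every service sets `healthcheck: disable: true`, `depends_on` presumably only orders container start, so the workers can come up before `synapse.main` listens on 9090 and rely on Synapse's own reconnect behaviour. Neither this file nor hs.yaml configures a password for `redis`, which is acceptable only as long as nothing else joins this network; that assumption is worth a comment on the `redis` service.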
@@ -0,0 +1,77 @@
+# Log configuration for Synapse.
+#
+# This is a YAML file containing a standard Python logging configuration
+# dictionary. See [1] for details on the valid settings.
+#
+# Synapse also supports structured logging for machine readable logs which can
+# be ingested by ELK stacks. See [2] for details.
+#
+# [1]: https://docs.python.org/3/library/logging.config.html#configuration-dictionary-schema
+# [2]: https://matrix-org.github.io/synapse/latest/structured_logging.html
+
+version: 1
+
+formatters:
+ precise:
+ format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+handlers:
+ file:
+ class: logging.handlers.TimedRotatingFileHandler
+ formatter: precise
+ filename: /data/logs/federation.log
+ when: midnight
+ backupCount: 3 # Does not include the current log file.
+ encoding: utf8
+
+ # Default to buffering writes to log file for efficiency.
+ # WARNING/ERROR logs will still be flushed immediately, but there will be a
+ # delay (of up to `period` seconds, or until the buffer is full with
+ # `capacity` messages) before INFO/DEBUG logs get written.
+ buffer:
+ class: synapse.logging.handlers.PeriodicallyFlushingMemoryHandler
+ target: file
+
+ # The capacity is the maximum number of log lines that are buffered
+ # before being written to disk. Increasing this will lead to better
+ # performance, at the expensive of it taking longer for log lines to
+ # be written to disk.
+ # This parameter is required.
+ capacity: 10
+
+ # Logs with a level at or above the flush level will cause the buffer to
+ # be flushed immediately.
+ # Default value: 40 (ERROR)
+ # Other values: 50 (CRITICAL), 30 (WARNING), 20 (INFO), 10 (DEBUG)
+ flushLevel: 30 # Flush immediately for WARNING logs and higher
+
+ # The period of time, in seconds, between forced flushes.
+ # Messages will not be delayed for longer than this time.
+ # Default value: 5 seconds
+ period: 5
+
+ # A handler that writes logs to stderr.
Unused by default, but can be used
+ # instead of "buffer" and "file" in the logger handlers.
+ console:
+ class: logging.StreamHandler
+ formatter: precise
+
+loggers:
+ synapse.storage.SQL:
+ # beware: increasing this to DEBUG will make synapse log sensitive
+ # information such as access tokens.
+ level: INFO
+
+root:
+ level: INFO
+
+ # Write logs to the `buffer` handler, which will buffer them together in memory,
+ # then write them to a file.
+ #
+ # Replace "buffer" with "console" to log to stderr instead. (Note that you'll
+ # also need to update the configuration for the `twisted` logger above, in
+ # this case.)
+ #
+ handlers: [buffer]
+
+disable_existing_loggers: false
diff --git a/gnu.moe.log.config b/gnu.moe.log.config
new file mode 100644
index 0000000..0bfd393
--- /dev/null
+++ b/gnu.moe.log.config
@@ -0,0 +1,77 @@
+# Log configuration for Synapse.
+#
+# This is a YAML file containing a standard Python logging configuration
+# dictionary. See [1] for details on the valid settings.
+#
+# Synapse also supports structured logging for machine readable logs which can
+# be ingested by ELK stacks. See [2] for details.
+#
+# [1]: https://docs.python.org/3/library/logging.config.html#configuration-dictionary-schema
+# [2]: https://matrix-org.github.io/synapse/latest/structured_logging.html
+
+version: 1
+
+formatters:
+ precise:
+ format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+handlers:
+ file:
+ class: logging.handlers.TimedRotatingFileHandler
+ formatter: precise
+ filename: /data/logs/homeserver.log
+ when: midnight
+ backupCount: 3 # Does not include the current log file.
+ encoding: utf8
+
+ # Default to buffering writes to log file for efficiency.
+ # WARNING/ERROR logs will still be flushed immediately, but there will be a
+ # delay (of up to `period` seconds, or until the buffer is full with
+ # `capacity` messages) before INFO/DEBUG logs get written.
+ buffer:
+ class: synapse.logging.handlers.PeriodicallyFlushingMemoryHandler
+ target: file
+
+ # The capacity is the maximum number of log lines that are buffered
+ # before being written to disk. Increasing this will lead to better
+ # performance, at the expensive of it taking longer for log lines to
+ # be written to disk.
+ # This parameter is required.
+ capacity: 10
+
+ # Logs with a level at or above the flush level will cause the buffer to
+ # be flushed immediately.
+ # Default value: 40 (ERROR)
+ # Other values: 50 (CRITICAL), 30 (WARNING), 20 (INFO), 10 (DEBUG)
+ flushLevel: 30 # Flush immediately for WARNING logs and higher
+
+ # The period of time, in seconds, between forced flushes.
+ # Messages will not be delayed for longer than this time.
+ # Default value: 5 seconds
+ period: 5
+
+ # A handler that writes logs to stderr.
Unused by default, but can be used
+ # instead of "buffer" and "file" in the logger handlers.
+ console:
+ class: logging.StreamHandler
+ formatter: precise
+
+loggers:
+ synapse.storage.SQL:
+ # beware: increasing this to DEBUG will make synapse log sensitive
+ # information such as access tokens.
+ level: INFO
+
+root:
+ level: INFO
+
+ # Write logs to the `buffer` handler, which will buffer them together in memory,
+ # then write them to a file.
+ #
+ # Replace "buffer" with "console" to log to stderr instead. (Note that you'll
+ # also need to update the configuration for the `twisted` logger above, in
+ # this case.)
+ #
+ handlers: [buffer]
+
+disable_existing_loggers: false
diff --git a/hs.yaml b/hs.yaml
new file mode 100644
index 0000000..1214146
--- /dev/null
+++ b/hs.yaml
@@ -0,0 +1,78 @@
+server_name: "gnu.moe"
+public_baseurl: https://matrix.gnu.moe
+admin_contact: 'mailto:gear@topnep.net'
+
+listeners:
+ - port: 9090
+ type: http
+ resources:
+ - names: [replication]
+ - port: 8008
+ tls: false
+ type: http
+ x_forwarded: true
+ resources:
+ - names: [client, federation, metrics]
+ compress: false
+
+worker_replication_secret: "somesecret"
+
+instance_map:
+ main:
+ host: synapse.main
+ port: 9090
+ media1:
+ host: synapse.media
+ port: 9091
+ federation1:
+ host: synapse.federation
+ port: 9092
+ bg_jobs:
+ host: synapse.bg
+ port: 9093
+
+database:
+ name: psycopg2
+ args:
+ user: mitt_user
+ password: lösenord
+ database: synapse
+ hostaddr: fd80::151
+ cp_min: 5
+ cp_max: 10
+
+redis:
+ enabled: true
+ host: redis
+ port: 6379
+
+
+send_federation: false
+federation_sender_instances:
+ - federation1
+outbound_federation_restricted_to:
+ - federation1
+
+run_background_tasks_on: bg_jobs
+
+log_config: /data/gnu.moe.log.config
+
+enable_media_repo: false
+media_store_path: /data/media_store
+max_upload_size: 32M
+
+enable_metrics: true
+enable_registration: false
+mau_stats_only: true
+report_stats: false
+
+registration_shared_secret: "himitsu desu"
+macaroon_secret_key: "himitsu desu"
+form_secret: "himitsu desu"
+signing_key_path: /data/keys/gnu.moe.signing.key
+
+suppress_key_server_warning: false
+trusted_key_servers:
+ - server_name: "matrix.org"
+
+# vim:ft=yaml
diff --git a/media.log.config b/media.log.config
new file mode 100644
index 0000000..cbe1b3d
--- /dev/null
+++ b/media.log.config
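Review bot: `worker_replication_secret: "somesecret"`, `registration_shared_secret`, `macaroon_secret_key` and `form_secret` (all three `"himitsu desu"`) and the database `password: lösenord` are literal values in a file that is committed to the repository and, per .env, mounted into all four containers. If this is the live configuration these values should be treated as exposed and rotated; note that changing `macaroon_secret_key` invalidates existing access tokens, so that rotation needs scheduling. Synapse offers file-based variants for such settings (for example `registration_shared_secret_path`), and the signing key is already handled that way via `signing_key_path`, so the secrets could live beside it under `/data/keys` instead of in git. Separately, the port 8008 listener bundles `[client, federation, metrics]`, so the metrics path on main is protected only by the nginx allow-list, whereas the workers use a dedicated `type: metrics` listener on 8800; main could do the same, which the commented-out `127.0.0.1:8300:8800` mapping in compose.yaml suggests was the intent.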
@@ -0,0 +1,77 @@
+# Log configuration for Synapse.
+#
+# This is a YAML file containing a standard Python logging configuration
+# dictionary. See [1] for details on the valid settings.
+#
+# Synapse also supports structured logging for machine readable logs which can
+# be ingested by ELK stacks. See [2] for details.
+#
+# [1]: https://docs.python.org/3/library/logging.config.html#configuration-dictionary-schema
+# [2]: https://matrix-org.github.io/synapse/latest/structured_logging.html
+
+version: 1
+
+formatters:
+ precise:
+ format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+handlers:
+ file:
+ class: logging.handlers.TimedRotatingFileHandler
+ formatter: precise
+ filename: /data/logs/media.log
+ when: midnight
+ backupCount: 3 # Does not include the current log file.
+ encoding: utf8
+
+ # Default to buffering writes to log file for efficiency.
+ # WARNING/ERROR logs will still be flushed immediately, but there will be a
+ # delay (of up to `period` seconds, or until the buffer is full with
+ # `capacity` messages) before INFO/DEBUG logs get written.
+ buffer:
+ class: synapse.logging.handlers.PeriodicallyFlushingMemoryHandler
+ target: file
+
+ # The capacity is the maximum number of log lines that are buffered
+ # before being written to disk. Increasing this will lead to better
+ # performance, at the expensive of it taking longer for log lines to
+ # be written to disk.
+ # This parameter is required.
+ capacity: 10
+
+ # Logs with a level at or above the flush level will cause the buffer to
+ # be flushed immediately.
+ # Default value: 40 (ERROR)
+ # Other values: 50 (CRITICAL), 30 (WARNING), 20 (INFO), 10 (DEBUG)
+ flushLevel: 30 # Flush immediately for WARNING logs and higher
+
+ # The period of time, in seconds, between forced flushes.
+ # Messages will not be delayed for longer than this time.
+ # Default value: 5 seconds
+ period: 5
+
+ # A handler that writes logs to stderr.
Unused by default, but can be used
+ # instead of "buffer" and "file" in the logger handlers.
+ console:
+ class: logging.StreamHandler
+ formatter: precise
+
+loggers:
+ synapse.storage.SQL:
+ # beware: increasing this to DEBUG will make synapse log sensitive
+ # information such as access tokens.
+ level: INFO
+
+root:
+ level: INFO
+
+ # Write logs to the `buffer` handler, which will buffer them together in memory,
+ # then write them to a file.
+ #
+ # Replace "buffer" with "console" to log to stderr instead. (Note that you'll
+ # also need to update the configuration for the `twisted` logger above, in
+ # this case.)
+ #
+ handlers: [buffer]
+
+disable_existing_loggers: false
diff --git a/synapse_gnu.conf b/synapse_gnu.conf
new file mode 100644
index 0000000..8b95ee0
--- /dev/null
+++ b/synapse_gnu.conf
@@ -0,0 +1,66 @@
+server {
+ listen 0.0.0.0:443 ssl;
+ listen 0.0.0.0:443 quic;
+ listen [2603:c021:c001:31fa:780:b000:0:415]:443 ssl;
+ listen [2603:c021:c001:31fa:780:b000:0:415]:443 quic;
+
+ http2 on;
+ http3 on;
+
+ server_name matrix.gnu.moe;
+
+ ssl_certificate /etc/letsencrypt/live/gnu.moe/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/gnu.moe/privkey.pem;
+
+ access_log off;
+ error_log /var/log/nginx/matrix.error.log;
+
+ add_header Alt-Svc 'h3=":443"; ma=86400';
+
+ # media endpoints
+ location ~* ^(/_matrix/media/|/_matrix/client/v1/media/|/_matrix/federation/v1/media/) { proxy_pass http://127.0.0.1:8209; }
+ location ~* ^(/_synapse/admin/v1/purge_media_cache$|/_synapse/admin/v1/room/.*/media.*$|/_synapse/admin/v1/user/.*/media.*$|/_synapse/admin/v1/media/.*$|/_synapse/admin/v1/quarantine_media/.*$|/_synapse/admin/v1/users/.*/media$) {
+ proxy_pass http://127.0.0.1:8209;
+ include acl_matrix_admin.conf;
+ }
+
+ # federation endpoints
+ location ~* ^(/_matrix/federation/v1/event/|/_matrix/federation/v1/state/|/_matrix/federation/v1/state_ids/|/_matrix/federation/v1/backfill/|/_matrix/federation/v1/get_missing_events/|/_matrix/federation/v1/publicRooms|/_matrix/federation/v1/query/|/_matrix/federation/v1/make_join/|/_matrix/federation/v1/make_leave/|/_matrix/federation/(v1|v2)/send_join/|/_matrix/federation/(v1|v2)/send_leave/) { proxy_pass http://127.0.0.1:8210; }
+ location ~* ^(/_matrix/federation/v1/make_knock/|/_matrix/federation/v1/send_knock/|/_matrix/federation/(v1|v2)/invite/|/_matrix/federation/v1/event_auth/|/_matrix/federation/v1/timestamp_to_event/|/_matrix/federation/v1/exchange_third_party_invite/|/_matrix/federation/v1/user/devices/|/_matrix/key/v2/query|/_matrix/federation/v1/hierarchy/|/_matrix/federation/v1/send/) { proxy_pass http://127.0.0.1:8210; }
+
+ # common endpoints
+ location ~* ^(/_matrix|/_synapse/client) { proxy_pass http://127.0.0.1:8208; }
+
+ # metrics endpoitns
+ location = /_syn/media {
+ proxy_pass
http://127.0.0.1:8301/_synapse/metrics;
+ include acl_matrix_admin.conf;
+ }
+ location = /_syn/fedi {
+ proxy_pass http://127.0.0.1:8302/_synapse/metrics;
+ include acl_matrix_admin.conf;
+ }
+ location = /_syn/bgj {
+ proxy_pass http://127.0.0.1:8303/_synapse/metrics;
+ include acl_matrix_admin.conf;
+ }
+
+ # admin endpoints
+ location ~* ^(/_synapse/metrics|/_synapse/admin|/health) {
+ proxy_pass http://127.0.0.1:8208;
+ include acl_matrix_admin.conf;
+ }
+
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host:$server_port;
+ proxy_http_version 1.1;
+ client_max_body_size 32M;
+
+ location /.well-known/matrix/server { return 200 '{ "m.server": "matrix.gnu.moe:443" }\n'; }
+ location /.well-known/matrix/client { return 200 '{ "m.homeserver": { "base_url": "https://matrix.gnu.moe" } }\n'; }
+
+ include robots.conf;
+
+ location / { return 418; }
+}
diff --git a/worker-background.yaml b/worker-background.yaml
new file mode 100644
index 0000000..ca9d291
--- /dev/null
+++ b/worker-background.yaml
@@ -0,0 +1,12 @@
+worker_app: synapse.app.generic_worker
+worker_name: bg_jobs
+
+worker_listeners:
+ - type: http
+ port: 9093
+ resources:
+ - names: [replication]
+ - type: metrics
+ port: 8800
+
+worker_log_config: /data/bg.log.config
diff --git a/worker-federation.yaml b/worker-federation.yaml
new file mode 100644
index 0000000..193df1b
--- /dev/null
+++ b/worker-federation.yaml
@@ -0,0 +1,16 @@
+worker_app: synapse.app.generic_worker
+worker_name: federation1
+
+worker_listeners:
+ - type: http
+ port: 9092
+ resources:
+ - names: [replication]
+ - type: metrics
+ port: 8800
+ - type: http
+ port: 8010
+ resources:
+ - names: [federation]
+
+worker_log_config: /data/federation.log.config
diff --git a/worker-media.yaml b/worker-media.yaml
new file mode 100644
index 0000000..614dc04
--- /dev/null
+++ b/worker-media.yaml
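Review bot: `access_log off;` at server scope disables request logging for the whole vhost, including the `/_synapse/admin` and metrics locations guarded by `acl_matrix_admin.conf`, so allow-list denials and admin API use leave no trace at the edge beyond what `error_log` happens to capture. Re-enabling it at least inside the admin block, e.g. `access_log /var/log/nginx/matrix.access.log;` after `include acl_matrix_admin.conf;`, keeps client traffic noise off while preserving an audit trail for the privileged paths. On the positive side, `proxy_set_header X-Forwarded-For $remote_addr;` replaces rather than appends the header, so a client cannot influence the address Synapse sees through `x_forwarded: true`; a comment such as `# overwrite, not append: only the peer address reaches Synapse` would stop someone "fixing" it to `$proxy_add_x_forwarded_for`. The comment `# metrics endpoitns` has a typo.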
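Review bot: The federation listener on `port: 8010` lacks `x_forwarded: true`, while the equivalent listeners in worker-media.yaml (port 8009) and hs.yaml (port 8008) set it; since synapse_gnu.conf proxies the `/_matrix/federation/...` paths to this port via 127.0.0.1:8210, this worker will presumably record the proxy's address rather than the remote homeserver's in its logs and rate limiting. Adding `x_forwarded: true` under `port: 8010` brings it in line with the other two listeners. A comment on the listener list, `# 9092: replication, 8800: metrics, 8010: inbound federation behind nginx`, would make the three ports self-explanatory.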
@@ -0,0 +1,17 @@
+worker_app: synapse.app.media_repository
+worker_name: media1
+
+worker_listeners:
+ - type: http
+ port: 9091
+ resources:
+ - names: [replication]
+ - type: metrics
+ port: 8800
+ - type: http
+ port: 8009
+ x_forwarded: true
+ resources:
+ - names: [media]
+
+worker_log_config: /data/media.log.config