Initial commit

.env

@@ -0,0 +1,7 @@
+REDIS_IMAGE=redis:7.4.2-alpine
+SYNAPSE_IMAGE=matrixdotorg/synapse:v1.124.0
+SYNAPSE_DATA_PATH=/app_data/synapse_gnu:/data:rw
+SYNAPSE_HS_CONF=./hs.yaml:/data/hs.yaml:ro
+SYNAPSE_LOG_CONF=./gnu.moe.log.config:/data/gnu.moe.log.config:ro
+SYNAPSE_SHARED_CONF=/data/hs.yaml
+SYNAPSE_SIGNING_KEY=/app_data/synapse_gnu/keys/gnu.moe.signing.key:/data/keys/gnu.moe.signing.key:ro

acl_matrix_admin.conf

@@ -0,0 +1,11 @@
+allow 2a01:4f9:4a:33d0::f:2/128;
+allow 2a01:4f9:4a:33d0::e:3/128;
+allow 2605:6400:c985::d2/128;
+allow 2a02:e00:fff0:3d6::2;
+allow 95.217.118.120;
+allow 185.45.114.164;
+allow 104.244.77.29;
+allow 2605:6400:30:f394::f63a;
+allow 127.0.0.1;
+allow ::1;
+deny all;

bg.log.config

@@ -0,0 +1,77 @@
+# Log configuration for Synapse.
+#
+# This is a YAML file containing a standard Python logging configuration
+# dictionary. See [1] for details on the valid settings.
+#
+# Synapse also supports structured logging for machine readable logs which can
+# be ingested by ELK stacks. See [2] for details.
+#
+# [1]: https://docs.python.org/3/library/logging.config.html#configuration-dictionary-schema
+# [2]: https://matrix-org.github.io/synapse/latest/structured_logging.html
+
+version: 1
+
+formatters:
+    precise:
+        format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+handlers:
+    file:
+        class: logging.handlers.TimedRotatingFileHandler
+        formatter: precise
+        filename: /data/logs/bg.log
+        when: midnight
+        backupCount: 3  # Does not include the current log file.
+        encoding: utf8
+
+    # Default to buffering writes to log file for efficiency.
+    # WARNING/ERROR logs will still be flushed immediately, but there will be a
+    # delay (of up to `period` seconds, or until the buffer is full with
+    # `capacity` messages) before INFO/DEBUG logs get written.
+    buffer:
+        class: synapse.logging.handlers.PeriodicallyFlushingMemoryHandler
+        target: file
+
+        # The capacity is the maximum number of log lines that are buffered
+        # before being written to disk. Increasing this will lead to better
+        # performance, at the expensive of it taking longer for log lines to
+        # be written to disk.
+        # This parameter is required.
+        capacity: 10
+
+        # Logs with a level at or above the flush level will cause the buffer to
+        # be flushed immediately.
+        # Default value: 40 (ERROR)
+        # Other values: 50 (CRITICAL), 30 (WARNING), 20 (INFO), 10 (DEBUG)
+        flushLevel: 30  # Flush immediately for WARNING logs and higher
+
+        # The period of time, in seconds, between forced flushes.
+        # Messages will not be delayed for longer than this time.
+        # Default value: 5 seconds
+        period: 5
+
+    # A handler that writes logs to stderr. Unused by default, but can be used
+    # instead of "buffer" and "file" in the logger handlers.
+    console:
+        class: logging.StreamHandler
+        formatter: precise
+
+loggers:
+    synapse.storage.SQL:
+        # beware: increasing this to DEBUG will make synapse log sensitive
+        # information such as access tokens.
+        level: INFO
+
+root:
+    level: INFO
+
+    # Write logs to the `buffer` handler, which will buffer them together in memory,
+    # then write them to a file.
+    #
+    # Replace "buffer" with "console" to log to stderr instead. (Note that you'll
+    # also need to update the configuration for the `twisted` logger above, in
+    # this case.)
+    #
+    handlers: [buffer]
+
+disable_existing_loggers: false

compose.yaml

@@ -0,0 +1,104 @@
+name: gnu
+services:
+  synapse.main:
+    image: ${SYNAPSE_IMAGE}
+    restart: unless-stopped
+    environment:
+      - SYNAPSE_CONFIG_PATH=${SYNAPSE_SHARED_CONF}
+    networks:
+      - synapse
+    ports:
+      - 127.0.0.1:8208:8008
+      # - 127.0.0.1:8300:8800
+    healthcheck:
+      disable: true
+    volumes:
+      - ${SYNAPSE_DATA_PATH}
+      - ${SYNAPSE_HS_CONF}
+      - ${SYNAPSE_SIGNING_KEY}
+      - ${SYNAPSE_LOG_CONF}
+    depends_on:
+      - redis
+
+  synapse.media:
+    image: ${SYNAPSE_IMAGE}
+    restart: unless-stopped
+    command: ["run", "--config-path=${SYNAPSE_SHARED_CONF}", "--config-path=/data/worker-media.yaml"]
+    environment:
+      SYNAPSE_WORKER: synapse.app.media_repository
+    networks:
+      - synapse
+    ports:
+      - 127.0.0.1:8209:8009
+      - 127.0.0.1:8301:8800
+    healthcheck:
+      disable: true
+    volumes:
+      - ${SYNAPSE_DATA_PATH}
+      - ${SYNAPSE_HS_CONF}
+      - ${SYNAPSE_SIGNING_KEY}
+      - ./media.log.config:/data/media.log.config:ro
+      - ./worker-media.yaml:/data/worker-media.yaml:ro
+    depends_on:
+      - synapse.main
+
+  synapse.federation:
+    image: ${SYNAPSE_IMAGE}
+    restart: unless-stopped
+    command: ["run", "--config-path=${SYNAPSE_SHARED_CONF}", "--config-path=/data/worker-federation.yaml"]
+    environment:
+      SYNAPSE_WORKER: synapse.app.generic_worker
+    networks:
+      - synapse
+    ports:
+      - 127.0.0.1:8210:8010
+      - 127.0.0.1:8302:8800
+    healthcheck:
+      disable: true
+    volumes:
+      - ${SYNAPSE_DATA_PATH}
+      - ${SYNAPSE_HS_CONF}
+      - ${SYNAPSE_SIGNING_KEY}
+      - ./federation.log.config:/data/federation.log.config:ro
+      - ./worker-federation.yaml:/data/worker-federation.yaml:ro
+    depends_on:
+      - synapse.main
+
+  synapse.bg:
+    image: ${SYNAPSE_IMAGE}
+    restart: unless-stopped
+    command: ["run", "--config-path=${SYNAPSE_SHARED_CONF}", "--config-path=/data/worker-background.yaml"]
+    environment:
+      SYNAPSE_WORKER: synapse.app.generic_worker
+    networks:
+      - synapse
+    ports:
+      - 127.0.0.1:8303:8800
+    healthcheck:
+      disable: true
+    volumes:
+      - ${SYNAPSE_DATA_PATH}
+      - ${SYNAPSE_HS_CONF}
+      - ${SYNAPSE_SIGNING_KEY}
+      - ./bg.log.config:/data/bg.log.config:ro
+      - ./worker-background.yaml:/data/worker-background.yaml:ro
+    depends_on:
+      - synapse.main
+
+  redis:
+    image: ${REDIS_IMAGE}
+    restart: unless-stopped
+    networks:
+      - synapse
+    volumes:
+      - redis_data:/data
+
+networks:
+  synapse:
+    ipam:
+      config:
+        - subnet: 300f:0:0:2000::/124
+          gateway: 300f:0:0:2000::1
+
+volumes:
+  redis_data:

federation.log.config

@@ -0,0 +1,77 @@
+# Log configuration for Synapse.
+#
+# This is a YAML file containing a standard Python logging configuration
+# dictionary. See [1] for details on the valid settings.
+#
+# Synapse also supports structured logging for machine readable logs which can
+# be ingested by ELK stacks. See [2] for details.
+#
+# [1]: https://docs.python.org/3/library/logging.config.html#configuration-dictionary-schema
+# [2]: https://matrix-org.github.io/synapse/latest/structured_logging.html
+
+version: 1
+
+formatters:
+    precise:
+        format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+handlers:
+    file:
+        class: logging.handlers.TimedRotatingFileHandler
+        formatter: precise
+        filename: /data/logs/federation.log
+        when: midnight
+        backupCount: 3  # Does not include the current log file.
+        encoding: utf8
+
+    # Default to buffering writes to log file for efficiency.
+    # WARNING/ERROR logs will still be flushed immediately, but there will be a
+    # delay (of up to `period` seconds, or until the buffer is full with
+    # `capacity` messages) before INFO/DEBUG logs get written.
+    buffer:
+        class: synapse.logging.handlers.PeriodicallyFlushingMemoryHandler
+        target: file
+
+        # The capacity is the maximum number of log lines that are buffered
+        # before being written to disk. Increasing this will lead to better
+        # performance, at the expensive of it taking longer for log lines to
+        # be written to disk.
+        # This parameter is required.
+        capacity: 10
+
+        # Logs with a level at or above the flush level will cause the buffer to
+        # be flushed immediately.
+        # Default value: 40 (ERROR)
+        # Other values: 50 (CRITICAL), 30 (WARNING), 20 (INFO), 10 (DEBUG)
+        flushLevel: 30  # Flush immediately for WARNING logs and higher
+
+        # The period of time, in seconds, between forced flushes.
+        # Messages will not be delayed for longer than this time.
+        # Default value: 5 seconds
+        period: 5
+
+    # A handler that writes logs to stderr. Unused by default, but can be used
+    # instead of "buffer" and "file" in the logger handlers.
+    console:
+        class: logging.StreamHandler
+        formatter: precise
+
+loggers:
+    synapse.storage.SQL:
+        # beware: increasing this to DEBUG will make synapse log sensitive
+        # information such as access tokens.
+        level: INFO
+
+root:
+    level: INFO
+
+    # Write logs to the `buffer` handler, which will buffer them together in memory,
+    # then write them to a file.
+    #
+    # Replace "buffer" with "console" to log to stderr instead. (Note that you'll
+    # also need to update the configuration for the `twisted` logger above, in
+    # this case.)
+    #
+    handlers: [buffer]
+
+disable_existing_loggers: false

gnu.moe.log.config

@@ -0,0 +1,77 @@
+# Log configuration for Synapse.
+#
+# This is a YAML file containing a standard Python logging configuration
+# dictionary. See [1] for details on the valid settings.
+#
+# Synapse also supports structured logging for machine readable logs which can
+# be ingested by ELK stacks. See [2] for details.
+#
+# [1]: https://docs.python.org/3/library/logging.config.html#configuration-dictionary-schema
+# [2]: https://matrix-org.github.io/synapse/latest/structured_logging.html
+
+version: 1
+
+formatters:
+    precise:
+        format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+handlers:
+    file:
+        class: logging.handlers.TimedRotatingFileHandler
+        formatter: precise
+        filename: /data/logs/homeserver.log
+        when: midnight
+        backupCount: 3  # Does not include the current log file.
+        encoding: utf8
+
+    # Default to buffering writes to log file for efficiency.
+    # WARNING/ERROR logs will still be flushed immediately, but there will be a
+    # delay (of up to `period` seconds, or until the buffer is full with
+    # `capacity` messages) before INFO/DEBUG logs get written.
+    buffer:
+        class: synapse.logging.handlers.PeriodicallyFlushingMemoryHandler
+        target: file
+
+        # The capacity is the maximum number of log lines that are buffered
+        # before being written to disk. Increasing this will lead to better
+        # performance, at the expensive of it taking longer for log lines to
+        # be written to disk.
+        # This parameter is required.
+        capacity: 10
+
+        # Logs with a level at or above the flush level will cause the buffer to
+        # be flushed immediately.
+        # Default value: 40 (ERROR)
+        # Other values: 50 (CRITICAL), 30 (WARNING), 20 (INFO), 10 (DEBUG)
+        flushLevel: 30  # Flush immediately for WARNING logs and higher
+
+        # The period of time, in seconds, between forced flushes.
+        # Messages will not be delayed for longer than this time.
+        # Default value: 5 seconds
+        period: 5
+
+    # A handler that writes logs to stderr. Unused by default, but can be used
+    # instead of "buffer" and "file" in the logger handlers.
+    console:
+        class: logging.StreamHandler
+        formatter: precise
+
+loggers:
+    synapse.storage.SQL:
+        # beware: increasing this to DEBUG will make synapse log sensitive
+        # information such as access tokens.
+        level: INFO
+
+root:
+    level: INFO
+
+    # Write logs to the `buffer` handler, which will buffer them together in memory,
+    # then write them to a file.
+    #
+    # Replace "buffer" with "console" to log to stderr instead. (Note that you'll
+    # also need to update the configuration for the `twisted` logger above, in
+    # this case.)
+    #
+    handlers: [buffer]
+
+disable_existing_loggers: false

hs.yaml

@@ -0,0 +1,78 @@
+server_name: "gnu.moe"
+public_baseurl: https://matrix.gnu.moe
+admin_contact: 'mailto:gear@topnep.net'
+
+listeners:
+  - port: 9090
+    type: http
+    resources:
+      - names: [replication]
+  - port: 8008
+    tls: false
+    type: http
+    x_forwarded: true
+    resources:
+      - names: [client, federation, metrics]
+        compress: false
+
+worker_replication_secret: "somesecret"
+
+instance_map:
+  main:
+    host: synapse.main
+    port: 9090
+  media1:
+    host: synapse.media
+    port: 9091
+  federation1:
+    host: synapse.federation
+    port: 9092
+  bg_jobs:
+    host: synapse.bg
+    port: 9093
+
+database:
+  name: psycopg2
+  args:
+    user: mitt_user
+    password: lösenord
+    database: synapse
+    hostaddr: fd80::151
+    cp_min: 5
+    cp_max: 10
+
+redis:
+  enabled: true
+  host: redis
+  port: 6379
+
+
+send_federation: false
+federation_sender_instances:
+  - federation1
+outbound_federation_restricted_to:
+  - federation1
+
+run_background_tasks_on: bg_jobs
+
+log_config: /data/gnu.moe.log.config
+
+enable_media_repo: false
+media_store_path: /data/media_store
+max_upload_size: 32M
+
+enable_metrics: true
+enable_registration: false
+mau_stats_only: true
+report_stats: false
+
+registration_shared_secret: "himitsu desu"
+macaroon_secret_key: "himitsu desu"
+form_secret: "himitsu desu"
+signing_key_path: /data/keys/gnu.moe.signing.key
+
+suppress_key_server_warning: false
+trusted_key_servers:
+  - server_name: "matrix.org"
+
+# vim:ft=yaml

media.log.config

@@ -0,0 +1,77 @@
+# Log configuration for Synapse.
+#
+# This is a YAML file containing a standard Python logging configuration
+# dictionary. See [1] for details on the valid settings.
+#
+# Synapse also supports structured logging for machine readable logs which can
+# be ingested by ELK stacks. See [2] for details.
+#
+# [1]: https://docs.python.org/3/library/logging.config.html#configuration-dictionary-schema
+# [2]: https://matrix-org.github.io/synapse/latest/structured_logging.html
+
+version: 1
+
+formatters:
+    precise:
+        format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+handlers:
+    file:
+        class: logging.handlers.TimedRotatingFileHandler
+        formatter: precise
+        filename: /data/logs/media.log
+        when: midnight
+        backupCount: 3  # Does not include the current log file.
+        encoding: utf8
+
+    # Default to buffering writes to log file for efficiency.
+    # WARNING/ERROR logs will still be flushed immediately, but there will be a
+    # delay (of up to `period` seconds, or until the buffer is full with
+    # `capacity` messages) before INFO/DEBUG logs get written.
+    buffer:
+        class: synapse.logging.handlers.PeriodicallyFlushingMemoryHandler
+        target: file
+
+        # The capacity is the maximum number of log lines that are buffered
+        # before being written to disk. Increasing this will lead to better
+        # performance, at the expensive of it taking longer for log lines to
+        # be written to disk.
+        # This parameter is required.
+        capacity: 10
+
+        # Logs with a level at or above the flush level will cause the buffer to
+        # be flushed immediately.
+        # Default value: 40 (ERROR)
+        # Other values: 50 (CRITICAL), 30 (WARNING), 20 (INFO), 10 (DEBUG)
+        flushLevel: 30  # Flush immediately for WARNING logs and higher
+
+        # The period of time, in seconds, between forced flushes.
+        # Messages will not be delayed for longer than this time.
+        # Default value: 5 seconds
+        period: 5
+
+    # A handler that writes logs to stderr. Unused by default, but can be used
+    # instead of "buffer" and "file" in the logger handlers.
+    console:
+        class: logging.StreamHandler
+        formatter: precise
+
+loggers:
+    synapse.storage.SQL:
+        # beware: increasing this to DEBUG will make synapse log sensitive
+        # information such as access tokens.
+        level: INFO
+
+root:
+    level: INFO
+
+    # Write logs to the `buffer` handler, which will buffer them together in memory,
+    # then write them to a file.
+    #
+    # Replace "buffer" with "console" to log to stderr instead. (Note that you'll
+    # also need to update the configuration for the `twisted` logger above, in
+    # this case.)
+    #
+    handlers: [buffer]
+
+disable_existing_loggers: false

synapse_gnu.conf

@@ -0,0 +1,66 @@
+server {
+        listen 0.0.0.0:443 ssl;
+	listen 0.0.0.0:443 quic;
+        listen [2603:c021:c001:31fa:780:b000:0:415]:443 ssl;
+	listen [2603:c021:c001:31fa:780:b000:0:415]:443 quic;
+
+	http2 on;
+	http3 on;
+
+        server_name matrix.gnu.moe;
+
+        ssl_certificate /etc/letsencrypt/live/gnu.moe/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/gnu.moe/privkey.pem;
+
+        access_log off;
+        error_log /var/log/nginx/matrix.error.log;
+
+	add_header Alt-Svc 'h3=":443"; ma=86400';
+
+        # media endpoints
+        location ~* ^(/_matrix/media/|/_matrix/client/v1/media/|/_matrix/federation/v1/media/) { proxy_pass http://127.0.0.1:8209; }
+        location ~* ^(/_synapse/admin/v1/purge_media_cache$|/_synapse/admin/v1/room/.*/media.*$|/_synapse/admin/v1/user/.*/media.*$|/_synapse/admin/v1/media/.*$|/_synapse/admin/v1/quarantine_media/.*$|/_synapse/admin/v1/users/.*/media$) {
+                proxy_pass http://127.0.0.1:8209;
+                include acl_matrix_admin.conf;
+        }
+        
+        # federation endpoints
+        location ~* ^(/_matrix/federation/v1/event/|/_matrix/federation/v1/state/|/_matrix/federation/v1/state_ids/|/_matrix/federation/v1/backfill/|/_matrix/federation/v1/get_missing_events/|/_matrix/federation/v1/publicRooms|/_matrix/federation/v1/query/|/_matrix/federation/v1/make_join/|/_matrix/federation/v1/make_leave/|/_matrix/federation/(v1|v2)/send_join/|/_matrix/federation/(v1|v2)/send_leave/) { proxy_pass http://127.0.0.1:8210; }
+        location ~* ^(/_matrix/federation/v1/make_knock/|/_matrix/federation/v1/send_knock/|/_matrix/federation/(v1|v2)/invite/|/_matrix/federation/v1/event_auth/|/_matrix/federation/v1/timestamp_to_event/|/_matrix/federation/v1/exchange_third_party_invite/|/_matrix/federation/v1/user/devices/|/_matrix/key/v2/query|/_matrix/federation/v1/hierarchy/|/_matrix/federation/v1/send/) { proxy_pass http://127.0.0.1:8210; }
+        
+        # common endpoints
+        location ~* ^(/_matrix|/_synapse/client) { proxy_pass http://127.0.0.1:8208; }
+
+        # metrics endpoitns
+        location = /_syn/media {
+                proxy_pass http://127.0.0.1:8301/_synapse/metrics;
+                include acl_matrix_admin.conf;
+        }
+        location = /_syn/fedi {
+                proxy_pass http://127.0.0.1:8302/_synapse/metrics;
+                include acl_matrix_admin.conf;
+        }
+        location = /_syn/bgj {
+                proxy_pass http://127.0.0.1:8303/_synapse/metrics;
+                include acl_matrix_admin.conf;
+        }
+
+        # admin endpoints
+        location ~* ^(/_synapse/metrics|/_synapse/admin|/health) {
+                proxy_pass http://127.0.0.1:8208;
+                include acl_matrix_admin.conf;
+        }
+
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host:$server_port;
+        proxy_http_version 1.1;
+        client_max_body_size 32M;
+
+	location /.well-known/matrix/server { return 200 '{ "m.server": "matrix.gnu.moe:443" }\n'; }
+	location /.well-known/matrix/client { return 200 '{ "m.homeserver": { "base_url": "https://matrix.gnu.moe" } }\n'; }
+
+	include robots.conf;
+
+	location / { return 418; }
+}

worker-background.yaml

@@ -0,0 +1,12 @@
+worker_app: synapse.app.generic_worker
+worker_name: bg_jobs
+
+worker_listeners:
+  - type: http
+    port: 9093
+    resources:
+      - names: [replication]
+  - type: metrics
+    port: 8800
+
+worker_log_config: /data/bg.log.config

worker-federation.yaml

@@ -0,0 +1,16 @@
+worker_app: synapse.app.generic_worker
+worker_name: federation1
+
+worker_listeners:
+  - type: http
+    port: 9092
+    resources:
+      - names: [replication]
+  - type: metrics
+    port: 8800
+  - type: http
+    port: 8010
+    resources:
+      - names: [federation]
+
+worker_log_config: /data/federation.log.config

worker-media.yaml

@@ -0,0 +1,17 @@
+worker_app: synapse.app.media_repository
+worker_name: media1
+
+worker_listeners:
+  - type: http
+    port: 9091
+    resources:
+      - names: [replication]
+  - type: metrics
+    port: 8800
+  - type: http
+    port: 8009
+    x_forwarded: true
+    resources:
+      - names: [media]
+
+worker_log_config: /data/media.log.config