From 1a8503700af6c46ab43d02d2547e8363d509ef2f Mon Sep 17 00:00:00 2001
From: Andreas Feldt
Date: Tue, 4 Feb 2025 15:09:36 +0100
Subject: [PATCH] Added configuration files
---
caddy/Caddyfile | 18 +++++++++
coturn/turnserver.conf | 49 +++++++++++++++++++++++++
docker-compose.yml | 81 +++++++++++++++++++++++++++++++++++++++++
synapse/homeserver.yaml | 67 ++++++++++++++++++++++++++++++++++
4 files changed, 215 insertions(+)
create mode 100644 caddy/Caddyfile
create mode 100644 coturn/turnserver.conf
create mode 100644 docker-compose.yml
create mode 100644 synapse/homeserver.yaml
diff --git a/caddy/Caddyfile b/caddy/Caddyfile
new file mode 100644
index 0000000..454f628
--- /dev/null
+++ b/caddy/Caddyfile
@@ -0,0 +1,18 @@
+matrix.m00.se {
+ # enable logging
+ log
+
+ reverse_proxy /_matrix/* http://synapse:8008
+ reverse_proxy /_synapse/client/* http://synapse:8008
+}
+matrix.m00.se:8448 {
+ reverse_proxy /_matrix/* synapse:8008
+}
+
+turn.m00.se {
+ respond "Caddy placeholder for turn.m00.se"
+}
+
+admin.matrix.m00.se {
+ reverse_proxy matrix-admin:80
+}
diff --git a/coturn/turnserver.conf b/coturn/turnserver.conf
new file mode 100644
index 0000000..0efd381
--- /dev/null
+++ b/coturn/turnserver.conf
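Review bot: `admin.matrix.m00.se` publishes the synapse-admin UI to the whole internet with no access control, while the admin API it calls (`/_synapse/admin/*`) is not forwarded by the `matrix.m00.se` block at all, so either the UI is non-functional or that prefix will be opened up globally later. Synapse's reverse-proxy guidance is to expose `/_synapse/admin` only to trusted sources; if it has to go through Caddy, put it behind a named matcher such as `@admin remote_ip <ALLOWED-CIDR placeholder>` with `handle @admin { reverse_proxy /_synapse/admin/* http://synapse:8008 }` and a `respond 403` fallback, and apply the same gate to the admin site block. Separately, `server_name` in homeserver.yaml is `m00.se`, and nothing here serves `/.well-known/matrix/server` for that host, so federation delegation to `matrix.m00.se:8448` presumably lives elsewhere — worth confirming.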
@@ -0,0 +1,49 @@
+# VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay.
+no-tcp-relay
+
+# don't let the relay ever try to connect to private IP address ranges within your network (if any)
+# given the turn server is likely behind your firewall, remember to include any privileged public IPs too.
+denied-peer-ip=10.0.0.0-10.255.255.255
+denied-peer-ip=192.168.0.0-192.168.255.255
+denied-peer-ip=172.16.0.0-172.31.255.255
+
+# recommended additional local peers to block, to mitigate external access to internal services.
+# https://www.rtcsec.com/article/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability
+no-multicast-peers
+denied-peer-ip=0.0.0.0-0.255.255.255
+denied-peer-ip=100.64.0.0-100.127.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=169.254.0.0-169.254.255.255
+denied-peer-ip=192.0.0.0-192.0.0.255
+denied-peer-ip=192.0.2.0-192.0.2.255
+denied-peer-ip=192.88.99.0-192.88.99.255
+denied-peer-ip=198.18.0.0-198.19.255.255
+denied-peer-ip=198.51.100.0-198.51.100.255
+denied-peer-ip=203.0.113.0-203.0.113.255
+denied-peer-ip=240.0.0.0-255.255.255.255
+
+# special case the turn server itself so that client->TURN->TURN->client flows work
+# this should be one of the turn server's listening IPs
+#allowed-peer-ip=10.0.0.1
+
+# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
+user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
+total-quota=1200
+
+
+use-auth-secret
+static-auth-secret=
+realm=turn.m00.se
+
+syslog
+
+# TLS certificates, including intermediate certs.
+# For Let's Encrypt certificates, use `fullchain.pem` here.
+cert=/etc/ssl/caddy/acme/acme-v02.api.letsencrypt.org-directory/turn.m00.se/turn.m00.se.crt
+
+# TLS private key file
+pkey=/etc/ssl/caddy/acme/acme-v02.api.letsencrypt.org-directory/turn.m00.se/turn.m00.se.key
+
+# Ensure the configuration lines that disable TLS/DTLS are commented-out or removed
+#no-tls
+#no-dtls
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..1ebe0d3
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,81 @@
+services:
+ synapse:
+ depends_on:
+ caddy:
+ condition: service_started
+ postgres:
+ condition: service_started
+ container_name: synapse
+ image: matrixdotorg/synapse:latest
+ restart: unless-stopped
+ volumes:
+ - ./synapse:/data
+ networks:
+ - matrix-network
+ user: "1000:1000"
+
+ coturn:
+ depends_on:
+ caddy:
+ condition: service_started
+ container_name: coturn
+ image: coturn/coturn:latest
+ restart: unless-stopped
+ ports:
+ - "3478:3478/udp"
+ - "3478:3478/tcp"
+ - "5349:5349/tcp"
+ volumes:
+ - ./coturn/turnserver.conf:/etc/coturn/turnserver.conf
+ - caddy_data:/etc/ssl/caddy:ro
+
+ caddy:
+ container_name: caddy
+ image: caddy/caddy:latest
+ restart: unless-stopped
+ networks:
+ - matrix-network
+ cap_add:
+ - NET_ADMIN
+ ports:
+ - "80:80"
+ - "443:443"
+ - "443:443/udp"
+ - "8448:8448"
+ volumes:
+ - ./caddy:/etc/caddy
+ - caddy_data:/data
+ - caddy_config:/config
+
+ postgres:
+ container_name: postgres-synapse
+ image: postgres:14-alpine
+ volumes:
+ - ~/apps/postgres:/var/lib/postgresql/data
+ environment:
+ - POSTGRES_PASSWORD=
+ - POSTGRES_USER=synapse
+ - POSTGRES_DB=synapse
+ - POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
+ networks:
+ - matrix-network
+
+ synapse-admin:
+ depends_on:
+ caddy:
+ condition: service_started
+ container_name: matrix-admin
+ image: ghcr.io/etkecc/synapse-admin:latest
+ networks:
+ - matrix-network
+ restart: "unless-stopped"
+
+
+networks:
+ matrix-network:
+
+volumes:
+ caddy_data:
+ caddy_config:
+ synapse-data:
+
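Review bot: `static-auth-secret=` is empty while `use-auth-secret` is enabled, so this committed file carries no credential material yet and will carry the TURN HMAC key the moment one is filled in; supply it from outside the repo (coturn also accepts `--static-auth-secret` on the command line) and keep it identical to `turn_shared_secret` in homeserver.yaml, which is empty too. The `cert=`/`pkey=` paths use an `acme/<issuer>/<host>/` layout, but Caddy v2 presumably writes to `<data>/caddy/certificates/<issuer>/<host>/<host>.crt`, which through the compose mount would land under `/etc/ssl/caddy/caddy/certificates/…` — verify the real path inside the container before relying on TLS/DTLS, and check that the coturn process user can read a key file Caddy stores with owner-only permissions. No `min-port`/`max-port` is set and docker-compose publishes only 3478 and 5349, so coturn's default relay range (49152–65535) has no route into the container unless it runs with host networking; pin a small range and publish it, and set `external-ip` when the host sits behind NAT or a bridge.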
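Review bot: `POSTGRES_PASSWORD=` is empty, and the official postgres image refuses to initialise a data directory without a superuser password (unless `POSTGRES_HOST_AUTH_METHOD` is set), so the stack will not come up as committed; the same value has to reach synapse's `database.args.password`, so keep it in an `env_file` or `.env` excluded from the repo instead of inline here. `cap_add: NET_ADMIN` on `caddy` is not needed for a reverse proxy that only binds 80/443/8448 — nothing in the Caddyfile requires network administration — so drop it. Mounting the whole `caddy_data` volume into `coturn` gives a second service read access to every private key Caddy has obtained (matrix, admin and turn), not just `turn.m00.se`'s; a copy step or a dedicated volume for the TURN key would keep that to the minimum. Every image is `:latest`, so a `docker compose pull` silently changes what runs — pin tags (ideally digests) for reproducibility. `synapse` only waits for postgres `service_started`; a `pg_isready` healthcheck with `condition: service_healthy` avoids the startup race.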
diff --git a/synapse/homeserver.yaml b/synapse/homeserver.yaml
new file mode 100644
index 0000000..de62bc9
--- /dev/null
+++ b/synapse/homeserver.yaml
@@ -0,0 +1,67 @@
+# Configuration file for Synapse.
+#
+# This is a YAML file: see [1] for a quick introduction. Note in particular
+# that *indentation is important*: all the elements of a list or dictionary
+# should have the same indentation.
+#
+# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
+#
+# For more information on how to configure Synapse, including a complete accounting of
+# each option, go to docs/usage/configuration/config_documentation.md or
+# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html
+server_name: "m00.se"
+public_baseurl: "https://matrix.m00.se/"
+pid_file: /data/homeserver.pid
+listeners:
+ - port: 8008
+ tls: false
+ type: http
+ x_forwarded: true
+ resources:
+ - names: [client, federation]
+ compress: false
+database:
+ name: psycopg2
+ args:
+ user: synapse
+ password: # Postgres password set i docker-compose
+ dbname: synapse
+ host: postgres-synapse
+ port: 5432
+ cp_min: 5
+ cp_max: 10
+
+
+# oidc_providers:
+# - idp_id: authentik
+# idp_name: authentik
+# discover: true
+# issuer: ""
+# client_id: ""
+# client_secret: ""
+# scopes:
+# - "openid"
+# - "profile"
+# - "email"
+# user_mapping_provider:
+# config:
+# localpart_template: "{{ user.preferred_username }}"
+# display_name_template: "{{ user.preferred_username|capitalize }}"
+
+turn_uris: [ "turn:turn.m00.se?transport=udp", "turn:turn.m00.se?transport=tcp" ]
+turn_shared_secret: "" # static-auth-secret set in turnserver.conf
+turn_user_lifetime: 86400000
+turn_allow_guests: true
+
+log_config: "/data/m00.se.log.config"
+media_store_path: /data/media_store
+registration_shared_secret: "" # Set to random data (pwgen -s 64 1)
+report_stats: true
+macaroon_secret_key: ""
+form_secret: ""
+signing_key_path: "/data/m00.se.signing.key"
+trusted_key_servers:
+ - server_name: "matrix.org"
+
+
+# vim:ft=yaml
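Review bot: `registration_shared_secret`, `macaroon_secret_key`, `form_secret` and `turn_shared_secret` are committed as `""` and `database.args.password:` is bare (YAML `null`), so as written Synapse cannot authenticate to Postgres, and the empty secrets will, depending on the release, either be rejected at startup or silently derived from the signing key. Generate each one (`pwgen -s 64 1`, as the comment already suggests) and keep the populated file out of the repository — `/data` also receives the signing key and media store, so a gitignored `homeserver.yaml` next to a committed `homeserver.yaml.example` is the usual split, and `registration_shared_secret_path` (plus the `_path` forms newer releases offer for the other secrets — check the config docs) lets the values live in a mounted secret file instead. With `turn_allow_guests: true`, guest accounts also receive relay credentials once `turn_shared_secret` is set; leave it on only if guest access is intentionally enabled. The comment `set i docker-compose` should read `set in docker-compose`, and the compose file currently leaves that password empty as well.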