From 1a8503700af6c46ab43d02d2547e8363d509ef2f Mon Sep 17 00:00:00 2001
From: Andreas Feldt <andreas@feldt.io>
Date: Tue, 4 Feb 2025 15:09:36 +0100
Subject: [PATCH] Added configuration files

---
 caddy/Caddyfile         | 18 +++++++++
 coturn/turnserver.conf  | 49 +++++++++++++++++++++++++
 docker-compose.yml      | 81 +++++++++++++++++++++++++++++++++++++++++
 synapse/homeserver.yaml | 67 ++++++++++++++++++++++++++++++++++
 4 files changed, 215 insertions(+)
 create mode 100644 caddy/Caddyfile
 create mode 100644 coturn/turnserver.conf
 create mode 100644 docker-compose.yml
 create mode 100644 synapse/homeserver.yaml

diff --git a/caddy/Caddyfile b/caddy/Caddyfile
new file mode 100644
index 0000000..454f628
--- /dev/null
+++ b/caddy/Caddyfile
@@ -0,0 +1,18 @@
+matrix.m00.se {
+  # enable logging
+  log
+
+  reverse_proxy /_matrix/* http://synapse:8008
+  reverse_proxy /_synapse/client/* http://synapse:8008
+}
+matrix.m00.se:8448 {
+  reverse_proxy /_matrix/* synapse:8008
+}
+
+turn.m00.se {
+  respond "Caddy placeholder for turn.m00.se"
+}
+
+admin.matrix.m00.se {
+  reverse_proxy matrix-admin:80 
+}
diff --git a/coturn/turnserver.conf b/coturn/turnserver.conf
new file mode 100644
index 0000000..0efd381
--- /dev/null
+++ b/coturn/turnserver.conf
@@ -0,0 +1,49 @@
+# VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay.
+no-tcp-relay
+
+# don't let the relay ever try to connect to private IP address ranges within your network (if any)
+# given the turn server is likely behind your firewall, remember to include any privileged public IPs too.
+denied-peer-ip=10.0.0.0-10.255.255.255
+denied-peer-ip=192.168.0.0-192.168.255.255
+denied-peer-ip=172.16.0.0-172.31.255.255
+
+# recommended additional local peers to block, to mitigate external access to internal services.
+# https://www.rtcsec.com/article/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability
+no-multicast-peers
+denied-peer-ip=0.0.0.0-0.255.255.255
+denied-peer-ip=100.64.0.0-100.127.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=169.254.0.0-169.254.255.255
+denied-peer-ip=192.0.0.0-192.0.0.255
+denied-peer-ip=192.0.2.0-192.0.2.255
+denied-peer-ip=192.88.99.0-192.88.99.255
+denied-peer-ip=198.18.0.0-198.19.255.255
+denied-peer-ip=198.51.100.0-198.51.100.255
+denied-peer-ip=203.0.113.0-203.0.113.255
+denied-peer-ip=240.0.0.0-255.255.255.255
+
+# special case the turn server itself so that client->TURN->TURN->client flows work
+# this should be one of the turn server's listening IPs
+#allowed-peer-ip=10.0.0.1
+
+# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
+user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
+total-quota=1200
+
+
+use-auth-secret
+static-auth-secret=
+realm=turn.m00.se
+
+syslog
+
+# TLS certificates, including intermediate certs.
+# For Let's Encrypt certificates, use `fullchain.pem` here.
+cert=/etc/ssl/caddy/acme/acme-v02.api.letsencrypt.org-directory/turn.m00.se/turn.m00.se.crt
+
+# TLS private key file
+pkey=/etc/ssl/caddy/acme/acme-v02.api.letsencrypt.org-directory/turn.m00.se/turn.m00.se.key
+
+# Ensure the configuration lines that disable TLS/DTLS are commented-out or removed
+#no-tls
+#no-dtls
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..1ebe0d3
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,81 @@
+services:
+  synapse:
+    depends_on:
+      caddy:
+        condition: service_started
+      postgres:
+        condition: service_started
+    container_name: synapse
+    image: matrixdotorg/synapse:latest
+    restart: unless-stopped
+    volumes:
+      - ./synapse:/data
+    networks:
+      - matrix-network
+    user: "1000:1000"
+
+  coturn:
+    depends_on:
+      caddy:
+        condition: service_started
+    container_name: coturn
+    image: coturn/coturn:latest
+    restart: unless-stopped
+    ports:
+      - "3478:3478/udp"
+      - "3478:3478/tcp"
+      - "5349:5349/tcp"
+    volumes:
+      - ./coturn/turnserver.conf:/etc/coturn/turnserver.conf
+      - caddy_data:/etc/ssl/caddy:ro
+
+  caddy:
+    container_name: caddy
+    image: caddy/caddy:latest
+    restart: unless-stopped
+    networks:
+      - matrix-network
+    cap_add:
+      - NET_ADMIN
+    ports:
+      - "80:80"
+      - "443:443"
+      - "443:443/udp"
+      - "8448:8448"
+    volumes:
+      - ./caddy:/etc/caddy
+      - caddy_data:/data
+      - caddy_config:/config
+
+  postgres:
+    container_name: postgres-synapse
+    image: postgres:14-alpine
+    volumes:
+      - ~/apps/postgres:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_PASSWORD=
+      - POSTGRES_USER=synapse
+      - POSTGRES_DB=synapse
+      - POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
+    networks:
+      - matrix-network
+
+  synapse-admin:
+    depends_on:
+      caddy:
+        condition: service_started
+    container_name: matrix-admin
+    image: ghcr.io/etkecc/synapse-admin:latest
+    networks:
+      - matrix-network
+    restart: "unless-stopped"
+  
+
+networks:
+  matrix-network:
+
+volumes:
+  caddy_data:
+  caddy_config:
+  synapse-data:
+
diff --git a/synapse/homeserver.yaml b/synapse/homeserver.yaml
new file mode 100644
index 0000000..de62bc9
--- /dev/null
+++ b/synapse/homeserver.yaml
@@ -0,0 +1,67 @@
+# Configuration file for Synapse.
+#
+# This is a YAML file: see [1] for a quick introduction. Note in particular
+# that *indentation is important*: all the elements of a list or dictionary
+# should have the same indentation.
+#
+# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
+#
+# For more information on how to configure Synapse, including a complete accounting of
+# each option, go to docs/usage/configuration/config_documentation.md or
+# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html
+server_name: "m00.se"
+public_baseurl: "https://matrix.m00.se/"
+pid_file: /data/homeserver.pid
+listeners:
+  - port: 8008
+    tls: false
+    type: http
+    x_forwarded: true
+    resources:
+      - names: [client, federation]
+        compress: false
+database:
+  name: psycopg2
+  args:
+    user: synapse
+    password: # Postgres password set i docker-compose 
+    dbname: synapse
+    host: postgres-synapse
+    port: 5432
+    cp_min: 5
+    cp_max: 10
+
+
+# oidc_providers:
+#   - idp_id: authentik
+#     idp_name: authentik
+#     discover: true
+#     issuer: ""
+#     client_id: ""
+#     client_secret: ""
+#     scopes:
+#       - "openid"
+#       - "profile"
+#       - "email"
+#     user_mapping_provider:
+#       config:
+#         localpart_template: "{{ user.preferred_username }}"
+#         display_name_template: "{{ user.preferred_username|capitalize }}"
+
+turn_uris: [ "turn:turn.m00.se?transport=udp", "turn:turn.m00.se?transport=tcp" ]
+turn_shared_secret: "" # static-auth-secret set in turnserver.conf
+turn_user_lifetime: 86400000
+turn_allow_guests: true
+
+log_config: "/data/m00.se.log.config"
+media_store_path: /data/media_store
+registration_shared_secret: "" # Set to random data (pwgen -s 64 1)
+report_stats: true
+macaroon_secret_key: ""
+form_secret: ""
+signing_key_path: "/data/m00.se.signing.key"
+trusted_key_servers:
+  - server_name: "matrix.org"
+
+
+# vim:ft=yaml