Added configuration files
This commit is contained in:
commit
1a8503700a
4 changed files with 215 additions and 0 deletions
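--- a/caddy/Caddyfile
+++ b/caddy/Caddyfile
@@ -0,0 +1,18 @@
+matrix.m00.se {
+	# enable logging
+	log
+
+	reverse_proxy /_matrix/* http://synapse:8008
+	reverse_proxy /_synapse/client/* http://synapse:8008
+}
+matrix.m00.se:8448 {
+	reverse_proxy /_matrix/* synapse:8008
+}
+
+turn.m00.se {
+	respond "Caddy placeholder for turn.m00.se"
+}
+
+admin.matrix.m00.se {
+	reverse_proxy matrix-admin:80
+}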
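Review bot: The `admin.matrix.m00.se` block publishes the synapse-admin UI to any client with no access restriction, while `matrix.m00.se` proxies only `/_matrix/*` and `/_synapse/client/*`, so the browser-side UI has no `/_synapse/admin/*` route to talk to — as written the admin UI cannot reach the admin API, and the obvious next step of proxying `/_synapse/admin/*` on the public host would expose the admin API to the internet. If that route is ever added, gate it with a named matcher that combines `path /_synapse/admin/*` with `not remote_ip <ALLOWED_CIDR>` and answers `respond @admin 403`, and consider the same `remote_ip` restriction on the admin host itself. A comment above `admin.matrix.m00.se {` stating that the admin API is deliberately not exposed on the public host would make the intent clear to the next maintainer.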
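--- a/coturn/turnserver.conf
+++ b/coturn/turnserver.conf
@@ -0,0 +1,49 @@
+# VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay.
+no-tcp-relay
+
+# don't let the relay ever try to connect to private IP address ranges within your network (if any)
+# given the turn server is likely behind your firewall, remember to include any privileged public IPs too.
+denied-peer-ip=10.0.0.0-10.255.255.255
+denied-peer-ip=192.168.0.0-192.168.255.255
+denied-peer-ip=172.16.0.0-172.31.255.255
+
+# recommended additional local peers to block, to mitigate external access to internal services.
+# https://www.rtcsec.com/article/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability
+no-multicast-peers
+denied-peer-ip=0.0.0.0-0.255.255.255
+denied-peer-ip=100.64.0.0-100.127.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=169.254.0.0-169.254.255.255
+denied-peer-ip=192.0.0.0-192.0.0.255
+denied-peer-ip=192.0.2.0-192.0.2.255
+denied-peer-ip=192.88.99.0-192.88.99.255
+denied-peer-ip=198.18.0.0-198.19.255.255
+denied-peer-ip=198.51.100.0-198.51.100.255
+denied-peer-ip=203.0.113.0-203.0.113.255
+denied-peer-ip=240.0.0.0-255.255.255.255
+
+# special case the turn server itself so that client->TURN->TURN->client flows work
+# this should be one of the turn server's listening IPs
+#allowed-peer-ip=10.0.0.1
+
+# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
+user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
+total-quota=1200
+
+
+use-auth-secret
+static-auth-secret=
+realm=turn.m00.se
+
+syslog
+
+# TLS certificates, including intermediate certs.
+# For Let's Encrypt certificates, use `fullchain.pem` here.
+cert=/etc/ssl/caddy/acme/acme-v02.api.letsencrypt.org-directory/turn.m00.se/turn.m00.se.crt
+
+# TLS private key file
+pkey=/etc/ssl/caddy/acme/acme-v02.api.letsencrypt.org-directory/turn.m00.se/turn.m00.se.key
+
+# Ensure the configuration lines that disable TLS/DTLS are commented-out or removed
+#no-tls
+#no-dtls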
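Review bot: `static-auth-secret=` is empty while `use-auth-secret` is enabled, so the time-limited credentials are keyed on an empty secret and anyone who knows the realm can derive valid relay credentials; the `denied-peer-ip` list limits where relayed traffic may go, not who may use the relay. Generate a long random value, keep it out of the repository, and use the same value for `turn_shared_secret` in synapse/homeserver.yaml (also empty in this commit). The `cert=`/`pkey=` paths under `/etc/ssl/caddy/acme/...` do not match what I believe is Caddy's storage layout (`<data dir>/caddy/certificates/<issuer>/<host>/<host>.crt`), so the path inside the container is worth verifying, and since Caddy writes private keys with mode 0600 a coturn process that drops privileges may not be able to read the key at all. The deny list is IPv4-only; if the relay has an IPv6 address, the loopback, unique-local and link-local ranges should be denied as well.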
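--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,81 @@
+services:
+  synapse:
+    depends_on:
+      caddy:
+        condition: service_started
+      postgres:
+        condition: service_started
+    container_name: synapse
+    image: matrixdotorg/synapse:latest
+    restart: unless-stopped
+    volumes:
+      - ./synapse:/data
+    networks:
+      - matrix-network
+    user: "1000:1000"
+
+  coturn:
+    depends_on:
+      caddy:
+        condition: service_started
+    container_name: coturn
+    image: coturn/coturn:latest
+    restart: unless-stopped
+    ports:
+      - "3478:3478/udp"
+      - "3478:3478/tcp"
+      - "5349:5349/tcp"
+    volumes:
+      - ./coturn/turnserver.conf:/etc/coturn/turnserver.conf
+      - caddy_data:/etc/ssl/caddy:ro
+
+  caddy:
+    container_name: caddy
+    image: caddy/caddy:latest
+    restart: unless-stopped
+    networks:
+      - matrix-network
+    cap_add:
+      - NET_ADMIN
+    ports:
+      - "80:80"
+      - "443:443"
+      - "443:443/udp"
+      - "8448:8448"
+    volumes:
+      - ./caddy:/etc/caddy
+      - caddy_data:/data
+      - caddy_config:/config
+
+  postgres:
+    container_name: postgres-synapse
+    image: postgres:14-alpine
+    volumes:
+      - ~/apps/postgres:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_PASSWORD=
+      - POSTGRES_USER=synapse
+      - POSTGRES_DB=synapse
+      - POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
+    networks:
+      - matrix-network
+
+  synapse-admin:
+    depends_on:
+      caddy:
+        condition: service_started
+    container_name: matrix-admin
+    image: ghcr.io/etkecc/synapse-admin:latest
+    networks:
+      - matrix-network
+    restart: "unless-stopped"
+
+
+networks:
+  matrix-network:
+
+volumes:
+  caddy_data:
+  caddy_config:
+  synapse-data:
+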
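Review bot: `POSTGRES_PASSWORD=` is committed empty, and the file is laid out so that the real value will be written inline; the postgres image refuses to initialise without a password unless `POSTGRES_HOST_AUTH_METHOD=trust` is set, and once filled in the secret lives in version control. Move it to an untracked `.env` file and reference it as `- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}`, or use Compose `secrets:`. The `caddy_data:/etc/ssl/caddy:ro` mount on `coturn` hands that container Caddy's whole data directory (`caddy_data` is Caddy's `/data`), i.e. the private keys for `matrix.m00.se` and `admin.matrix.m00.se` as well as `turn.m00.se`; a narrower mount of only the turn certificate directory would limit what a compromised relay can read. Every image is pulled as `:latest`, which makes deployments non-reproducible and pulls whatever is published next; pinning to a version tag or digest is the usual supply-chain mitigation.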
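--- a/synapse/homeserver.yaml
+++ b/synapse/homeserver.yaml
@@ -0,0 +1,67 @@
+# Configuration file for Synapse.
+#
+# This is a YAML file: see [1] for a quick introduction. Note in particular
+# that *indentation is important*: all the elements of a list or dictionary
+# should have the same indentation.
+#
+# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
+#
+# For more information on how to configure Synapse, including a complete accounting of
+# each option, go to docs/usage/configuration/config_documentation.md or
+# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html
+server_name: "m00.se"
+public_baseurl: "https://matrix.m00.se/"
+pid_file: /data/homeserver.pid
+listeners:
+  - port: 8008
+    tls: false
+    type: http
+    x_forwarded: true
+    resources:
+      - names: [client, federation]
+        compress: false
+database:
+  name: psycopg2
+  args:
+    user: synapse
+    password: # Postgres password set i docker-compose
+    dbname: synapse
+    host: postgres-synapse
+    port: 5432
+    cp_min: 5
+    cp_max: 10
+
+
+# oidc_providers:
+# - idp_id: authentik
+# idp_name: authentik
+# discover: true
+# issuer: ""
+# client_id: ""
+# client_secret: ""
+# scopes:
+# - "openid"
+# - "profile"
+# - "email"
+# user_mapping_provider:
+# config:
+# localpart_template: "{{ user.preferred_username }}"
+# display_name_template: "{{ user.preferred_username|capitalize }}"
+
+turn_uris: [ "turn:turn.m00.se?transport=udp", "turn:turn.m00.se?transport=tcp" ]
+turn_shared_secret: "" # static-auth-secret set in turnserver.conf
+turn_user_lifetime: 86400000
+turn_allow_guests: true
+
+log_config: "/data/m00.se.log.config"
+media_store_path: /data/media_store
+registration_shared_secret: "" # Set to random data (pwgen -s 64 1)
+report_stats: true
+macaroon_secret_key: ""
+form_secret: ""
+signing_key_path: "/data/m00.se.signing.key"
+trusted_key_servers:
+  - server_name: "matrix.org"
+
+
+# vim:ft=yaml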
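Review bot: `turn_shared_secret`, `registration_shared_secret`, `macaroon_secret_key` and `form_secret` are all committed as `""`, and `password:` under `database.args` is a bare key that YAML parses as null even though its comment says the value comes from docker-compose — I see nothing in docker-compose.yml that would inject it into this file, so either the value has to be written here or the comment should say how it arrives. As far as I can tell from Synapse's behaviour an empty `registration_shared_secret` simply disables shared-secret registration and an empty `macaroon_secret_key` is replaced by one derived from the signing key, but an empty `turn_shared_secret` means clients are handed no TURN servers at all, and `form_secret` would be used as given; each should be a long random value (`pwgen -s 64 1`, as the inline comment already suggests) kept out of the repository. `turn_allow_guests: true` lets guest accounts, which never passed registration checks, consume the relay, a risk Synapse's own documentation notes; if guests are not needed, `turn_allow_guests: false` closes it. The comment on `password:` also has a typo: `# Postgres password set in docker-compose`.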