anonymousland-synapse-docke.../README.md
2023-01-01 05:15:51 +00:00

327 lines
8.2 KiB
Markdown

## Synapse Docker Deployement
*Not Production Ready*
A Synapse Docker deployment with:
- Hardened Synapse image
- Hardened worker images
- Mjolnir & Mjolnir module
- Multi-threaded Synapse process via workers
- Privacy-respecting registration captcha
- Manage Docker variables inside of `.env`
- Manage `state` with the state compressor
- Manage server via `synadm`
- Images built locally
- Matrix Maubot
- Matrix integration manager
### Getting Started
Dependencies: `cargo` `docker` `docker-compose` `git` `python `
Subdomains: `matrix` `dimension` `maubot`
Clone the repository:
```
git clone https://git.anonymousland.org/deathrow/synapse-docker-deployement
```
CD into the repository:
```
cd synapse-docker-deployment
```
Execute the init script to:
- `git clone` the docker images
- Build the docker images
- Build `auto-state-compressor`
- Install `synadm`
*Will take a long time!*
```
bash init.sh
```
Modify variables inside `.env.sample` and move to `.env`
Run this command to generate the Synapse configuration file:
``
docker-compose run --rm -e SYNAPSE_SERVER_NAME=example.tld -e SYNAPSE_REPORT_STATS=no synapse generate
``
### Synapse Configuration
The Synapse config file will be located at `./files/homeserver.yaml`.
Modify the following:
*You will need to uncomment (#) these*
``web_client_location: https://element.example.tld``
``public_baseurl: https://matrix.example.tld``
``serve_server_wellknown: true``
Under the `listeners:` section, add the following:
```
- port: 9093
type: http
resources:
- names: [replication]
```
Under the `retention:` section, you are able to set retention of messages.
Uncomment `enabled: false` if you wish to keep messages indefinitely. *(will take up more disk space)*
For the `purge_jobs:` section, add:
```
purge_jobs:
- longest_max_lifetime: 1h
interval: 30m
- shortest_max_lifetime: 1h
longest_max_lifetime: 12h
interval: 1h
- shortest_max_lifetime: 12h
longest_max_lifetime: 1d
interval: 12h
- shortest_max_lifetime: 1d
longest_max_lifetime: 10y
interval: 24h
```
For `caches:` set the following:
```
caches:
global_factor: 2.0
per_cache_factors:
get_users_who_share_room_with_user: 5.0
sync_response_cache_duration: 2m
```
Under the `databases:` section, remove the default database and add the following:
*(change with the postgres values set inside `.env`)*
Keep the host set to `postgres` as this is the name specified in the `docker-compose.yml`
```
database:
name: psycopg2
txn_limit: 10000
args:
user: user
password: password
database: db
host: postgres
port: 5432
cp_min: 5
cp_max: 10
```
Under the ``## Ratelimiting ##`` section, add the following:
```
rc_federation:
window_size: 1000
sleep_limit: 10
sleep_delay: 500
reject_limit: 50
concurrent: 3
federation_rr_transactions_per_room_per_second: 50
```
Uncomment the `url_preview_enabled: true` and the setting to go with it:
```
url_preview_ip_range_blacklist:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '100.64.0.0/10'
- '192.0.0.0/24'
- '169.254.0.0/16'
- '192.88.99.0/24'
- '198.18.0.0/15'
- '192.0.2.0/24'
- '198.51.100.0/24'
- '203.0.113.0/24'
- '224.0.0.0/4'
- '::1/128'
- 'fe80::/10'
- 'fc00::/7'
- '2001:db8::/32'
- 'ff00::/8'
- 'fec0::/10'
```
If you wish to use the `url_preview_url_blacklist:` to blacklist certain URLs from being previewed, you can use the following settings:
```
# blacklist all *.google.com URLs
- netloc: 'google.com'
- netloc: '*.google.com'
# blacklist all plain HTTP URLs
- scheme: 'http'
# blacklist any URL with a literal IPv4 address
- netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
```
If you wish to change the number of rounds used to generate a password hash, you may modify the ``bcrypt_rounds:`` setting.
Uncomment ``inhibit_user_in_use_error: true``
Uncomment ``suppress_key_server_warning: true``
Uncomment ``send_federation: false`` and add the following:
```
federation_sender_instances:
- federation1
- federation2
- federation3
```
Under the `redis:` section, uncomment `` enabled: true`` and add the following settings:
```
host: redis
port: 6379
```
### Nginx
The path for NGINX is `/swag/nginx`.
Ensure to review each file before you use it, some variables may need changed such as the `matrix.example.tld` and such.
### Start the server
To start the server, type:
`docker-compose up -d`, you may wish to omit the `-d` on the first run to ensure there are no errors.
### Pantalaimon
Modify the `pantalaimon_data/pantalaimon.conf` to change the `matrix.example.tld`
### Mjolnir
Create a new user on your server with the username `mjonlir`.
[Mjolnir Configuration](https://github.com/matrix-org/mjolnir/blob/main/config/default.yaml)
Inside of `mjolnir/config/production.yaml` modify:
Set `homeserverUrl: "http://pantalaimon:8008"`,
Under `pantalaimon:` set `use: true` with the username `mjolnir` and `password:`
Create a new encrypted room on your server and copy the ID and set it as ``managementRoom: !123:example.tld``
Under `web:` set `enabled: true`
Set `displayReports: true`
In `homeserver.yaml` add the following `modules:`
```
modules:
- module: mjolnir.Module
config:
# Prevent servers/users in the ban lists from inviting users on this
# server to rooms. Default true.
block_invites: true
# Flag messages sent by servers/users in the ban lists as spam. Currently
# this means that spammy messages will appear as empty to users. Default
# false.
block_messages: true
# Remove users from the user directory search by filtering matrix IDs and
# display names by the entries in the user ban list. Default false.
block_usernames: true
# The room IDs of the ban lists to honour. Unlike other parts of Mjolnir,
# this list cannot be room aliases or permalinks. This server is expected
# to already be joined to the room - Mjolnir will not automatically join
# these rooms.
ban_lists:
- "!123:example.tld"
- "!456:example.tld"
message_max_length:
# Limit the characters in a message (event body) that a client can send in an event on this server.
# By default there is no limit (beyond the the limit the spec enforces on event size).
# Uncomment if you want messages to be limited to 510 characters.
#threshold: 510
# Limit messages only in certain rooms rooms.
# By default all rooms will enforce the limit.
# Uncomment if you want messages to only be subject to character limits in certain rooms.
rooms:
- "!123:localhost:9999"
- "!456:localhost:9999"
# Also hide messages from remote servers that are over the `message_limit`.
# By default only events from this server will be limited.
# WARNING: Remote users on other servers will still be able to messages over the limit.
# Uncomment to enforce the `message_limit` on events from remote servers.
remote_servers: false
```
### Captcha
The [synapse-captcha](https://codeberg.org/deathrow/synapse-captcha) is included with this deployment. Refer to this for configuration.
### Dimension
To setup dimension, refer to the [official documentation](https://github.com/turt2live/matrix-dimension/blob/master/docs/installing.md)
For the database:
```
database:
uri: "postgres://admin:password@dimension:5432/dbname"
botData: "/data/bot.json"
```
These values are set in the `.env` file.
### Additional
To bypass ratelimits for certain users:
``
docker exec -it postgres psql insert into ratelimit_override values ('@user:example.tld', 0, 0);
``
Your `mjolnir` and any other admin accounts should be set in the example above.
For synapse state compressor:
``
./synapse_auto_compressor -p postgresql://user:password@localhost/db -c 500 -n 100
``
### Todo
- stream workers
- Proper `sync` load balancing
### Links
- [Synapse-Docker-Compose](https://github.com/tommytran732/Synapse-Docker-Compose)
- [Matrix-org Synapse Docker Compose Workers](https://github.com/matrix-org/synapse/tree/develop/contrib/docker_compose_workers)
- [matrix-conf](https://git.envs.net/envs/matrix-conf/)