From 9446e0a3c8c7094ef5c6624acdccddefb729d484 Mon Sep 17 00:00:00 2001
From: Tommy
Date: Mon, 27 May 2024 23:40:33 -0700
Subject: [PATCH] Reach parity with TommyTran732/Synapse-Docker

Signed-off-by: Tommy
---
 .github/workflows/build.yml | 4 +--
 Dockerfile | 68 ++++++++++++++-----------------
 rootfs/conf/homeserver.yaml | 28 ++++++---------
 3 files changed, 39 insertions(+), 61 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1e0218a..6a93be1 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -31,8 +31,8 @@ jobs:
 - name: Extract version for tags
 run: |
- echo "FULL_VERSION=$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile | head -c6)" >> $GITHUB_ENV
- echo "MAJOR_VERSION=$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile | head -c4)" >> $GITHUB_ENV
+ echo "FULL_VERSION=$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile" >> $GITHUB_ENV
+ echo "MAJOR_VERSION=$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile | head -c5)" >> $GITHUB_ENV
 - name: Install cosign
 if: github.event_name != 'pull_request'
diff --git a/Dockerfile b/Dockerfile
index d1fb909..0fc037b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 ARG SYNAPSE_VERSION=1.107.0
 ARG PYTHON_VERSION=3.12
-ARG ALPINE_VERSION=3.18
-ARG HARDENED_MALLOC_VERSION=11
+ARG ALPINE_VERSION=3.20
+ARG HARDENED_MALLOC_VERSION=12
 ARG UID=991
 ARG GID=991
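Review bot: The new FULL_VERSION line in the `Extract version for tags` step drops `| head -c6)` together with the closing parenthesis of `$(`, so the step's shell fails to parse (unexpected EOF looking for the matching `)`) and no version tags are produced; it should read `echo "FULL_VERSION=$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile)" >> $GITHUB_ENV`. The MAJOR_VERSION line now keeps five characters, which gives `1.107` for the current `SYNAPSE_VERSION=1.107.0` but breaks again as soon as the minor version has a different number of digits. Cutting on the dots is width-independent: `echo "MAJOR_VERSION=$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile | cut -d. -f1,2)" >> $GITHUB_ENV`.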
@@ -13,64 +13,48 @@ ARG HARDENED_MALLOC_VERSION
 ARG CONFIG_NATIVE=false
 ARG VARIANT=light
-RUN apk --no-cache add build-base git gnupg && cd /tmp \
- && wget -q https://github.com/thestinger.gpg && gpg --import thestinger.gpg \
- && git clone --depth 1 --branch ${HARDENED_MALLOC_VERSION} https://github.com/GrapheneOS/hardened_malloc \
- && cd hardened_malloc && git verify-tag $(git describe --tags) \
- && make CONFIG_NATIVE=${CONFIG_NATIVE} VARIANT=${VARIANT}
+RUN apk -U upgrade \
+ && apk --no-cache add build-base git gnupg openssh-keygen
+
+RUN cd /tmp \
+ && git clone --depth 1 --branch ${HARDENED_MALLOC_VERSION} https://github.com/GrapheneOS/hardened_malloc \
+ && cd hardened_malloc \
+ && wget -q https://grapheneos.org/allowed_signers -O grapheneos_allowed_signers \
+ && git config gpg.ssh.allowedSignersFile grapheneos_allowed_signers \
+ && git verify-tag $(git describe --tags) \
+ && make CONFIG_NATIVE=${CONFIG_NATIVE} VARIANT=${VARIANT}
 ### Build Synapse
-ARG ALPINE_VERSION
-FROM python:${PYTHON_VERSION}-alpine${ALPINE_VERSION} as builder
+FROM python:${PYTHON_VERSION}-alpine as builder
 ARG SYNAPSE_VERSION
 RUN apk -U upgrade \
- && apk add -t build-deps \
- build-base \
- libffi-dev \
- libjpeg-turbo-dev \
- libxslt-dev \
- linux-headers \
- openssl-dev \
- postgresql-dev \
- rustup \
- zlib-dev \
- && rustup-init -y && source $HOME/.cargo/env \
- && pip install --upgrade pip \
- && pip install --prefix="/install" --no-warn-script-location \
- matrix-synapse[all]==${SYNAPSE_VERSION}
+ && apk --no-cache add -t build-deps build-base libffi-dev libjpeg-turbo-dev libxslt-dev linux-headers openssl-dev postgresql-dev rustup zlib-dev
+
+RUN rustup-init -y && source $HOME/.cargo/env \
+ && pip install --upgrade pip \
+ && pip install --prefix="/install" --no-warn-script-location \
+ matrix-synapse[all]==${SYNAPSE_VERSION}
 ### Build Production
-ARG ALPINE_VERSION
-ARG PYTHON_VERSION
 FROM python:${PYTHON_VERSION}-alpine${ALPINE_VERSION}
+LABEL maintainer="Thien Tran 
contact@tommytran.io"
+
 ARG UID
 ARG GID
 RUN apk -U upgrade \
- && apk add -t run-deps \
- libffi \
- libgcc \
- libjpeg-turbo \
- libstdc++ \
- libxslt \
- libpq \
- openssl \
- zlib \
- tzdata \
- xmlsec \
- curl \
- icu-libs \
- && adduser -g ${GID} -u ${UID} --disabled-password --gecos "" synapse \
- && rm -rf /var/cache/apk/*
+ && apk --no-cache add -t run-deps libffi libgcc libjpeg-turbo libstdc++ libxslt libpq openssl zlib tzdata xmlsec git curl icu-libs \
+ && rm -rf /var/cache/apk/*
+RUN adduser -g ${GID} -u ${UID} --disabled-password --gecos "" synapse
-COPY --from=build-malloc /tmp/hardened_malloc/out-light/libhardened_malloc-light.so /usr/local/lib/
+COPY --from=build-malloc /tmp/hardened_malloc/out/libhardened_malloc-light.so /usr/local/lib/
 COPY --from=builder /install /usr/local
 COPY --chown=synapse:synapse rootfs /
@@ -85,4 +69,4 @@ EXPOSE 8008/tcp 8009/tcp 8448/tcp
 ENTRYPOINT ["python3", "start.py"]
 HEALTHCHECK --start-period=5s --interval=15s --timeout=5s \
- CMD curl -fSs http://localhost:8008/health || exit 1
+ CMD curl -fSs http://localhost:8008/health || exit 1
\ No newline at end of file
diff --git a/rootfs/conf/homeserver.yaml b/rootfs/conf/homeserver.yaml
index 3c70e4c..f9c4439 100644
--- a/rootfs/conf/homeserver.yaml
+++ b/rootfs/conf/homeserver.yaml
@@ -7,12 +7,6 @@
 tls_certificate_path: "/data/{{ SYNAPSE_SERVER_NAME }}.tls.crt"
 tls_private_key_path: "/data/{{ SYNAPSE_SERVER_NAME }}.tls.key"
-{% if SYNAPSE_ACME %}
-acme:
- enabled: true
- port: 8009
-{% endif %}
-
 {% endif %}
 ## Server ##
@@ -42,12 +36,17 @@ listeners:
 # Allow configuring in case we want to reverse proxy 8008
 # using another process in the same container
+{% if SYNAPSE_USE_UNIX_SOCKET %}
+ # Unix sockets don't care about TLS or IP addresses or ports
+ - path: '/run/main_public.sock'
+ type: http
+{% else %}
 - port: {{ SYNAPSE_HTTP_PORT or 8008 }}
 tls: false
 bind_addresses: ['::']
 type: http
 x_forwarded: false
-
+{% endif %}
 resources:
 - names: [client]
 compress: true
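Review bot: The builder stage's new `FROM python:${PYTHON_VERSION}-alpine as builder` drops the `${ALPINE_VERSION}` suffix while the production stage still pins `alpine${ALPINE_VERSION}`; the native extensions built by `pip install --prefix="/install"` against the builder's `-dev` packages are later copied with `COPY --from=builder /install /usr/local`, so once the floating tag moves past Alpine 3.20 the two stages can disagree on musl and shared-library versions. Keep both stages on the same base with `FROM python:${PYTHON_VERSION}-alpine${ALPINE_VERSION} as builder` — the top-level `ARG ALPINE_VERSION` is already usable in every `FROM`, so the removed in-stage redeclarations are not needed for that. The `COPY --from=build-malloc` path changes from `out-light/` to `out/` while `make` is still called with `VARIANT=${VARIANT}` defaulting to `light`, so confirm in a build that this hardened_malloc version really writes the light variant to `out/` rather than `out-light/`. The trust root for `git verify-tag` is now the `allowed_signers` file fetched from grapheneos.org in the same `RUN`, which makes the signature check only as strong as that one TLS download; vendoring the file into the repo (or comparing it against a recorded hash before use) pins the trust root independently of the download. The `git` package added to the production stage's run-deps is not explained by the change and widens the runtime image; if nothing at runtime needs it, drop it or note why it is there.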
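Review bot: With `SYNAPSE_USE_UNIX_SOCKET` set, the only client listener becomes the unix socket `/run/main_public.sock`, yet the Dockerfile's `HEALTHCHECK` (in this patch's `@@ -85,4 +69,4 @@` hunk) still probes `http://localhost:8008/health`, so such a container is reported unhealthy indefinitely; either keep a loopback TCP listener in this branch for the probe or make the probe socket-aware, e.g. `CMD curl -fSs --unix-socket /run/main_public.sock http://localhost/health || exit 1`. The socket branch also sets no `x_forwarded`, which Synapse defaults to false; a unix-socket listener is by construction behind a reverse proxy, so `x_forwarded: true` is very likely wanted here so that rate limiting and logs see the client address rather than the proxy's — a comment stating the intended deployment either way would help. The socket lives under `/run`, which in the base image is presumably root-owned while Synapse runs as the `synapse` user created in the Dockerfile, so confirm the directory is writable at runtime (a mounted volume or an ownership change in the image) or the listener cannot bind. The `listeners:` block begins before this hunk.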
@@ -63,10 +62,13 @@ database:
 user: "{{ POSTGRES_USER or "synapse" }}"
 password: "{{ POSTGRES_PASSWORD }}"
 database: "{{ POSTGRES_DB or "synapse" }}"
+{% if not SYNAPSE_USE_UNIX_SOCKET %}
+{# Synapse will use a default unix socket for Postgres when host/port is not specified (behavior from `psycopg2`). #}
 host: "{{ POSTGRES_HOST or "db" }}"
 port: "{{ POSTGRES_PORT or "5432" }}"
- cp_min: 5
- cp_max: 10
+{% endif %}
+ cp_min: {{ POSTGRES_CP_MIN or 5 }}
+ cp_max: {{ POSTGRES_CP_MAX or 10 }}
 {% else %}
 database:
 name: "sqlite3"
@@ -154,14 +156,6 @@ bcrypt_rounds: 12
 allow_guest_access: {{ "True" if SYNAPSE_ALLOW_GUEST else "False" }}
 enable_group_creation: true
-# The list of identity servers trusted to verify third party
-# identifiers by this server.
-#
-# Also defines the ID server which will be called when an account is
-# deactivated (one will be picked arbitrarily).
-trusted_third_party_id_servers:
- - matrix.org
- - vector.im
 ## Metrics ###
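Review bot: The `{% if not SYNAPSE_USE_UNIX_SOCKET %}` guard around `host:`/`port:` ties the Postgres transport to the same variable that selects the HTTP listener, so a deployment wanting a unix-socket listener with Postgres over TCP (or the reverse) cannot be expressed, and flipping the listener variable silently changes which database server Synapse connects to. A smaller change that keeps the two decisions independent is to leave `host:` unconditional and let the operator point it at the socket directory, since libpq treats a host value beginning with `/` as a unix-socket directory (for example `POSTGRES_HOST=/var/run/postgresql`); if the guard stays, give it its own variable such as `POSTGRES_USE_UNIX_SOCKET`. The new Jinja comment should also say which socket directory the fallback uses (the one the image's libpq was built with) and that it must be mounted into the container, otherwise the failure mode is an unexplained connection error at startup. The enclosing `database:` block begins before this hunk.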