inital commit

c0mmando 2023-05-26 18:25:19 +00:00
parent 24448583fa
commit 448eb8b874
39 changed files with 2056 additions and 0 deletions

742
docker-compose.yml Normal file

@ -0,0 +1,742 @@
version: '3.7'
networks:
matrix:
registration:
dimension:
gitea:
privatebin:
ots:
element:
chat:
cinny:
lemmy:
bookstack:
tor:
write:
services:
synapse:
build: ./images/synapse-docker
restart: unless-stopped
container_name: synapse
user: "991:991"
environment:
- SYNAPSE_CONFIG_DIR=/data
- SYNAPSE_CONFIG_PATH=/data/homeserver.yaml
volumes:
- ./files:/data:Z
depends_on:
- postgres
networks:
- matrix
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
extra_hosts:
- "host.docker.internal:host-gateway"
labels:
- "com.centurylinklabs.watchtower.enable=false"
postgres:
image: docker.io/postgres:14.5-alpine
container_name: postgres
user: "70:70"
restart: unless-stopped
environment:
- POSTGRES_USER=${POSTGRES_USER}
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
- POSTGRES_DB=${POSTGRES_DB}
- POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
volumes:
- ./schemas:/var/lib/postgresql/data:Z
ports:
- 127.0.0.1:5432:5432
networks:
- matrix
read_only: true
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
tmpfs:
- /var/run/postgresql:size=50M,mode=0770,uid=70,gid=70,noexec,nosuid,nodev
labels:
- "com.centurylinklabs.watchtower.enable=false"
swag:
image: ghcr.io/linuxserver/swag
restart: unless-stopped
container_name: swag
cap_add:
- NET_ADMIN
environment:
- PUID=1000
- PGID=1000
- URL=${SWAG_URL}
- SUBDOMAINS=${SWAG_SUBDOMAINS}
- VALIDATION=http
- EMAIL=${SWAG_EMAIL}
- ONLY_SUBDOMAINS=false
volumes:
- ./swag:/config:Z
- /etc/localtime:/etc/localtime:ro
ports:
- 443:443
- 80:80
- 8448:8448
networks:
- matrix
- registration
- gitea
- privatebin
- ots
- element
- chat
- lemmy
- cinny
- bookstack
- tor
- write
security_opt:
- no-new-privileges:true
labels:
- "com.centurylinklabs.watchtower.enable=false"
pantalaimon:
build: ./images/pantalaimon
container_name: pantalaimon
user: "911:911"
restart: unless-stopped
volumes:
- ./pantalaimon_data:/data:Z
depends_on:
- synapse
networks:
- matrix
ports:
- 8008:8008
read_only: true
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
labels:
- "com.centurylinklabs.watchtower.enable=false"
mjolnir:
build: ./images/mjolnir
container_name: mjolnir
user: "911:911"
restart: unless-stopped
volumes:
- ./mjolnir:/data:Z
depends_on:
- pantalaimon
networks:
- matrix
read_only: true
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
labels:
- "com.centurylinklabs.watchtower.enable=false"
maubot:
image: dock.mau.dev/maubot/maubot:latest
container_name: maubot
restart: unless-stopped
volumes:
- ./maubot:/data:Z
networks:
- matrix
matrix-registration:
build: ./images/synapse-captcha
container_name: matrix-registration
restart: unless-stopped
command: [
"--config-path=/data/config.yaml",
"serve"
]
ports:
- 127.0.0.1:5000:5000
volumes:
- ./matrix-registration_data:/data:Z
networks:
- matrix
- tor
labels:
- "com.centurylinklabs.watchtower.enable=false"
redis:
image: redis:latest
container_name: redis
restart: unless-stopped
networks:
- matrix
labels:
- "com.centurylinklabs.watchtower.enable=false"
dimension:
build: ./images/matrix-dimension
container_name: dimension
user: "1000:1000"
restart: unless-stopped
volumes:
- ./dimension:/data:Z
- ./dimension/config:/home/node/matrix-dimension/config/:Z
depends_on:
- dimension_db
networks:
- matrix
- dimension
ports:
- 127.0.0.1:8184:8184
read_only: true
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
labels:
- "com.centurylinklabs.watchtower.enable=false"
dimension_db:
image: docker.io/postgres:14.5-alpine
container_name: dimension_db
user: "70:70"
restart: unless-stopped
environment:
- POSTGRES_USER=${DIMENSION_DB_USER}
- POSTGRES_PASSWORD=${DIMENSION_DB_PASSWORD}
- POSTGRES_DB=${DIMENSION_DB_DB}
- POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
volumes:
- ./dimension/db:/var/lib/postgresql/data:Z
ports:
- 127.0.0.1:5433:5432
networks:
- dimension
read_only: true
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
tmpfs:
- /var/run/postgresql:size=50M,mode=0770,uid=70,gid=70,noexec,nosuid,nodev
labels:
- "com.centurylinklabs.watchtower.enable=false"
grafana:
image: docker.io/grafana/grafana:latest
container_name: grafana
user: "472:472"
volumes:
- ./grafana-data:/var/lib/grafana:Z
restart: unless-stopped
ports:
- 3000:3000
networks:
- matrix
prometheus:
image: docker.io/prom/prometheus:latest
container_name: prometheus
restart: unless-stopped
ports:
- 9000:9090
volumes:
- ./prometheus:/etc/prometheus:Z
networks:
- matrix
command: --web.config.file=/etc/prometheus/web.yml --config.file=/etc/prometheus/prometheus.yml
node_exporter:
image: prom/node-exporter
container_name: node-exporter
restart: unless-stopped
volumes:
- /proc:/host/proc:ro
- /sys:/host/sys:ro
- /:/rootfs:ro
command:
- '--path.procfs=/host/proc'
- '--path.rootfs=/rootfs'
- '--path.sysfs=/host/sys'
- '--collector.filesystem.ignored-mount-points=^/(sys|proc|dev|host|etc)($$|/)'
restart: unless-stopped
expose:
- 9100
networks:
- matrix
cadvisor:
image: gcr.io/cadvisor/cadvisor:latest
container_name: cadvisor
command:
- '-port=9099'
- "--housekeeping_interval=30s"
- "--docker_only=true"
ports:
- 9099:9099
volumes:
- /:/rootfs:ro
- /var/run:/var/run:rw
- /sys:/sys:ro
- /var/lib/docker/:/var/lib/docker:ro
networks:
- matrix
postgres-exporter:
image: quay.io/prometheuscommunity/postgres-exporter
container_name: postgres-exporter
restart: always
environment:
- DATA_SOURCE_URI=postgres:5432/synapse?sslmode=disable
- DATA_SOURCE_USER=${POSTGRES_USER}
- DATA_SOURCE_PASS=${POSTGRES_PASSWORD}
ports:
- "9187:9187"
networks:
- matrix
depends_on:
- postgres
nginx-exporter:
image: nginx/nginx-prometheus-exporter:0.10.0
container_name: nginx-exporter
restart: unless-stopped
ports:
- "4040:4040"
networks:
- matrix
depends_on:
- swag
command:
- -nginx.scrape-uri
- http://swag:81/nginx_status
gitea:
image: gitea/gitea:latest
container_name: gitea
environment:
- USER_UID=1000
- USER_GID=1000
- GITEA__database__DB_TYPE=postgres
- GITEA__database__HOST=gitea-postgres:5432
- GITEA__database__NAME=${GITEA_DB_NAME}
- GITEA__database__USER=${GITEA_POSTGRES_USER}
- GITEA__database__PASSWD=${GITEA_POSTGRES_PASSWORD}
restart: always
networks:
- gitea
- tor
volumes:
- ./gitea:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
ports:
- "3333:3333"
depends_on:
- gitea-postgres
gitea-postgres:
image: postgres:14
container_name: gitea-postgres
restart: always
environment:
- POSTGRES_USER=${GITEA_POSTGRES_USER}
- POSTGRES_PASSWORD=${GITEA_POSTGRES_PASSWORD}
- POSTGRES_DB=${GITEA_DB_NAME}
networks:
- gitea
volumes:
- ./gitea-postgres:/var/lib/postgresql/data
labels:
- "com.centurylinklabs.watchtower.enable=false"
privatebin:
image: privatebin/fs:latest
container_name: privatebin
user: "882:882"
restart: unless-stopped
volumes:
- ./privatebin-data:/srv/data:Z
- ./privatebin-data/conf.php:/srv/cfg/conf.php:ro
networks:
- privatebin
- tor
read_only: true
ots:
image: luzifer/ots:latest
container_name: ots
restart: unless-stopped
networks:
- ots
- tor
entrypoint: ["/usr/local/bin/ots"]
element:
image: vectorim/element-web:latest
container_name: element
restart: unless-stopped
volumes:
- ./element-data/element-config.json:/app/config.json:ro
networks:
- element
chat:
image: ghcr.io/schildichat/schildichat-web:latest
container_name: chat
restart: unless-stopped
volumes:
- ./chat-data/element-config.json:/app/config.json:ro
networks:
- chat
cinny:
image: ghcr.io/cinnyapp/cinny:latest
container_name: cinny
restart: unless-stopped
volumes:
- ./cinny-data/config.json:/app/config.json:ro
networks:
- cinny
lemmy-postgres:
image: postgres:15-alpine
user: "70:70"
container_name: lemmy-postgres
hostname: lemmy-postgres
environment:
- POSTGRES_USER=${LEMMY_POSTGRES_USER}
- POSTGRES_PASSWORD=${LEMMY_POSTGRES_PASSWORD}
- POSTGRES_DB=${LEMMY_POSTGRES_DB}
volumes:
- ./lemmy/volumes/postgres:/var/lib/postgresql/data
restart: unless-stopped
networks:
- lemmy
labels:
- "com.centurylinklabs.watchtower.enable=false"
lemmy:
image: dessalines/lemmy:latest
container_name: lemmy
restart: unless-stopped
environment:
- RUST_LOG="warn,lemmy_server=info,lemmy_api=info,lemmy_api_common=info,lemmy_api_crud=info,lemmy_apub=info,lemmy_db_schema=info,lemmy_db_views=info,lemmy_db_views_actor=info,lemmy_db_views_moderator=info,lemmy_routes=info,lemmy_utils=info,lemmy_websocket=info"
volumes:
- ./lemmy/lemmy.hjson:/config/config.hjson
depends_on:
- postgres
- pictrs
networks:
- lemmy
lemmy-ui:
image: dessalines/lemmy-ui:latest
container_name: lemmy-ui
restart: unless-stopped
environment:
- LEMMY_UI_LEMMY_INTERNAL_HOST=lemmy:8536
- LEMMY_UI_LEMMY_EXTERNAL_HOST=links.hackliberty.org
- LEMMY_UI_HTTPS=true
depends_on:
- lemmy
networks:
- lemmy
pictrs:
image: asonix/pictrs:0.3.1
hostname: pictrs
container_name: pictrs
ports:
- "8537:8080"
- "6670:6669"
user: 991:991
volumes:
- ./lemmy/volumes/pictrs:/mnt
restart: unless-stopped
networks:
- lemmy
labels:
- "com.centurylinklabs.watchtower.enable=false"
protonmail-bridge:
image: shenxn/protonmail-bridge
container_name: protonmail-bridge
ports:
- "1025:25"
restart: unless-stopped
volumes:
- ./protonmail:/root
networks:
- lemmy
bookstack:
image: lscr.io/linuxserver/bookstack:latest
container_name: bookstack
environment:
- PUID=1001
- PGID=1001
- APP_URL=https://docs.hackliberty.org
- DB_HOST=bookstack_db
- DB_PORT=3306
- DB_USER=${BOOKSTACK_DB_USER}
- DB_PASS=${BOOKSTACK_DB_PASS}
- DB_DATABASE=${BOOKSTACK_DB_DB}
volumes:
- ./bookstack:/config:Z
restart: unless-stopped
depends_on:
- bookstack_db
networks:
- bookstack
bookstack_db:
image: lscr.io/linuxserver/mariadb
container_name: bookstack_db
environment:
- PUID=1001
- PGID=1001
- MYSQL_ROOT_PASSWORD=${BOOKSTACK_DB_PASS}
- TZ=Europe/London
- MYSQL_DATABASE=${BOOKSTACK_DB_DB}
- MYSQL_USER=${BOOKSTACK_DB_USER}
- MYSQL_PASSWORD=${BOOKSTACK_DB_PASS}
volumes:
- ./bookstack:/config:Z
restart: unless-stopped
networks:
- bookstack
labels:
- "com.centurylinklabs.watchtower.enable=false"
watchtower:
image: containrrr/watchtower
container_name: watchtower
volumes:
- /var/run/docker.sock:/var/run/docker.sock
command: --interval 14400
matrix-chatgpt4-bot:
image: ghcr.io/matrixgpt/matrix-chatgpt-bot:sha-b78cc35
container_name: chatgpt4
volumes:
- ./chatgpt:/storage
env_file:
- ./.env
matrix-chatgpt3-bot:
image: ghcr.io/matrixgpt/matrix-chatgpt-bot:latest
container_name: chatgpt3
volumes:
- ./chatgpt3:/storage
env_file:
- ./.chatgpt3
tor:
image: osminogin/tor-simple:latest
container_name: tor
volumes:
- ./tor-data:/var/lib/tor
- ./tor-data/torrc:/etc/tor
ports:
- 127.0.0.1:9050:9050
networks:
- tor
- matrix
writefreely:
image: algernon/writefreely
container_name: writefreely
user: "5000:5000"
volumes:
- ./writefreely:/data:Z
ports:
- 9999:9999
networks:
- write
- tor
# WORKERS
synapse-generic-worker-4:
build: ./images/synapse-worker-docker
container_name: synapse-generic-worker-4
user: "991:991"
restart: unless-stopped
environment:
SYNAPSE_WORKER: synapse.app.generic_worker
entrypoint: ["/start.py", "run", "--config-path=/data/homeserver.yaml", "--config-path=/data/workers/worker4.yaml"]
volumes:
- ./files:/data:Z
ports:
- 127.0.0.1:8083:8081
depends_on:
- synapse
networks:
- matrix
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
labels:
- "com.centurylinklabs.watchtower.enable=false"
synapse-generic-worker-3:
build: ./images/synapse-worker-docker
container_name: synapse-generic-worker-3
user: "991:991"
restart: unless-stopped
environment:
SYNAPSE_WORKER: synapse.app.generic_worker
entrypoint: ["/start.py", "run", "--config-path=/data/homeserver.yaml", "--config-path=/data/workers/worker3.yaml"]
volumes:
- ./files:/data:Z
ports:
- 127.0.0.1:8082:8081
depends_on:
- synapse
networks:
- matrix
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
labels:
- "com.centurylinklabs.watchtower.enable=false"
synapse-generic-worker-2:
build: ./images/synapse-worker-docker
container_name: synapse-generic-worker-2
user: "991:991"
restart: unless-stopped
environment:
SYNAPSE_WORKER: synapse.app.generic_worker
entrypoint: ["/start.py", "run", "--config-path=/data/homeserver.yaml", "--config-path=/data/workers/worker2.yaml"]
volumes:
- ./files:/data:Z
ports:
- 127.0.0.1:8081:8081
depends_on:
- synapse
networks:
- matrix
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
labels:
- "com.centurylinklabs.watchtower.enable=false"
synapse-generic-worker-1:
build: ./images/synapse-worker-docker
container_name: synapse-generic-worker-1
user: "991:991"
restart: unless-stopped
environment:
SYNAPSE_WORKER: synapse.app.generic_worker
entrypoint: ["/start.py", "run", "--config-path=/data/homeserver.yaml", "--config-path=/data/workers/worker1.yaml"]
volumes:
- ./files:/data:Z
ports:
- 127.0.0.1:8080:8081
depends_on:
- synapse
networks:
- matrix
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
labels:
- "com.centurylinklabs.watchtower.enable=false"
synapse-federation-sender-4:
build: ./images/synapse-worker-docker
container_name: synapse-federation-sender-4
user: "991:991"
restart: unless-stopped
environment:
SYNAPSE_WORKER: synapse.app.generic_worker
entrypoint: ["/start.py", "run", "--config-path=/data/homeserver.yaml", "--config-path=/data/workers/federation4.yaml"]
volumes:
- ./files:/data:Z
depends_on:
- synapse
networks:
- matrix
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
labels:
- "com.centurylinklabs.watchtower.enable=false"
synapse-federation-sender-3:
build: ./images/synapse-worker-docker
container_name: synapse-federation-sender-3
user: "991:991"
restart: unless-stopped
environment:
SYNAPSE_WORKER: synapse.app.generic_worker
entrypoint: ["/start.py", "run", "--config-path=/data/homeserver.yaml", "--config-path=/data/workers/federation3.yaml"]
volumes:
- ./files:/data:Z
depends_on:
- synapse
networks:
- matrix
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
labels:
- "com.centurylinklabs.watchtower.enable=false"
synapse-federation-sender-2:
build: ./images/synapse-worker-docker
container_name: synapse-federation-sender-2
user: "991:991"
restart: unless-stopped
environment:
SYNAPSE_WORKER: synapse.app.generic_worker
entrypoint: ["/start.py", "run", "--config-path=/data/homeserver.yaml", "--config-path=/data/workers/federation2.yaml"]
volumes:
- ./files:/data:Z
depends_on:
- synapse
networks:
- matrix
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
labels:
- "com.centurylinklabs.watchtower.enable=false"
synapse-federation-sender-1:
build: ./images/synapse-worker-docker
container_name: synapse-federation-sender-1
user: "991:991"
restart: unless-stopped
environment:
SYNAPSE_WORKER: synapse.app.generic_worker
entrypoint: ["/start.py", "run", "--config-path=/data/homeserver.yaml", "--config-path=/data/workers/federation1.yaml"]
volumes:
- ./files:/data:Z
depends_on:
- synapse
networks:
- matrix
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
labels:
- "com.centurylinklabs.watchtower.enable=false"
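Review bot: `env_file: ./.env` on `matrix-chatgpt4-bot` hands the whole project environment file to a third-party bot image; if the `${POSTGRES_PASSWORD}`, `${GITEA_POSTGRES_PASSWORD}` and similar interpolation variables used elsewhere in this file live in that same `./.env`, every database credential in the stack is readable inside that container. Give the bot its own file, as `matrix-chatgpt3-bot` already does with `./.chatgpt3`, e.g. `env_file: ./.chatgpt4`. Separately, the `lemmy` service declares `depends_on: - postgres`, which is the Synapse database on the `matrix` network, while its own database is `lemmy-postgres` on the `lemmy` network, so start ordering is enforced against the wrong container and `- lemmy-postgres` looks intended. `user: 991:991` on `pictrs` is the only unquoted uid:gid in the file; `user: "991:991"` keeps it a string under every YAML parser and matches the other services. Also worth recording in the threat model: `watchtower` and `cadvisor` get the Docker socket / `/var/run` read-write, which is host-root-equivalent, while many services track `:latest` tags without digest pinning and are auto-updated by watchtower.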

46
files/config.yaml Normal file

@ -0,0 +1,46 @@
server_location: 'http://synapse:8008'
server_name: 'hackliberty.org'
shared_secret: 'REDACTED'
admin_api_shared_secret: 'REDACTED' # to generate tokens via the web api
base_url: '' # e.g. '/element' for https://example.tld/element/register
client_redirect: 'https://element.hackliberty.org'
riot_instace: 'https://element.hackliberty.org'
#riot_instance: 'https://riot.im/app/'
db: 'sqlite:////data/db.sqlite3'
host: '0.0.0.0'
port: 5000
rate_limit: ["10000 per day", "100 per minute"]
allow_cors: false
ip_logging: false
logging:
disable_existing_loggers: False
version: 1
root:
level: DEBUG
handlers: [console, file]
formatters:
brief:
format: '%(name)s - %(levelname)s - %(message)s'
precise:
format: '%(asctime)s - %(name)s - %(levelname)s - %(message)s'
handlers:
console:
class: logging.StreamHandler
level: INFO
formatter: brief
stream: ext://sys.stdout
file:
class: logging.handlers.RotatingFileHandler
formatter: precise
level: INFO
filename: m_reg.log
maxBytes: 10485760 # 10MB
backupCount: 3
encoding: utf8
# password requirements
password:
min_length: 14
# username requirements
username:
validation_regex: [ '[a-zA-Z0-9]' ]
invalidation_regex: [ '(info|admin|null|123456|mail|fuck|webmaster|root|test|guest|adm|mysql|user|administrator|oracle|ftp|pi|puppet|ansible|ec2-user|vagrant|azureuse|mod|moderator|host|postgres|synapse|support)' ]
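Review bot: The key `riot_instace` is misspelled; the commented-out line directly below spells it `riot_instance`, so the consumer will most likely ignore the misspelled key and fall back to its default client URL — change it to `riot_instance: 'https://element.hackliberty.org'`. `validation_regex: [ '[a-zA-Z0-9]' ]` is unanchored, so if the application applies it with a search rather than a full match it only requires one alphanumeric character somewhere in the username; `'^[a-zA-Z0-9]+$'` would express the apparent intent, worth confirming against the registration service's code. `disable_existing_loggers: False` works on most loaders, but the capitalised Python-style spelling is parser-dependent in YAML; `false` is the portable form.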

218
files/homeserver.yaml Normal file

@ -0,0 +1,218 @@
# Configuration file for Synapse.
#
# For more information on how to configure Synapse, including a complete accounting of
# each option, go to docs/usage/configuration/config_documentation.md or
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html
# Configuration file for Synapse.
modules:
- module: mjolnir.Module
config:
# Prevent servers/users in the ban lists from inviting users on this
# server to rooms. Default true.
block_invites: true
# Flag messages sent by servers/users in the ban lists as spam. Currently
# this means that spammy messages will appear as empty to users. Default
# false.
block_messages: false
# Remove users from the user directory search by filtering matrix IDs and
# display names by the entries in the user ban list. Default false.
block_usernames: false
# The room IDs of the ban lists to honour. Unlike other parts of Mjolnir,
# this list cannot be room aliases or permalinks. This server is expected
# to already be joined to the room - Mjolnir will not automatically join
# these rooms.
ban_lists:
# EBL
- "!GGuqmQVLNyWASNjVQw:envs.net"
# matrix-coc-bl
#- "!WuBtumawCeOGEieRrp:matrix.org"
# matrix-tos-bl
#- "!tUPwPPmVTaiKXMiijj:matrix.org"
# Public Servers Shared Banlist
- "!RRGtWzzVKUJmDVRNnZ:aria-net.org"
# asragr-ban-list
- "!YImXsibeOfGBYVaElT:asra.gr"
# community-moderation-effort-bl:neko.dev
- "!fTjMjIzNKEsFlUIiru:neko.dev"
#message_max_length:
# Limit the characters in a message (event body) that a client can send in an event on this server.
# By default there is no limit (beyond the the limit the spec enforces on event size).
# Uncomment if you want messages to be limited to 510 characters.
#threshold: 510
# Limit messages only in certain rooms rooms.
# By default all rooms will enforce the limit.
# Uncomment if you want messages to only be subject to character limits in certain rooms.
#rooms:
# - "!vMvyOCeCxHsggkmALd:localhost:9999"
# Also hide messages from remote servers that are over the `message_limit`.
# By default only events from this server will be limited.
# WARNING: Remote users on other servers will still be able to messages over the limit.
# Uncomment to enforce the `message_limit` on events from remote servers.
#remote_servers: true
server_name: hackliberty.org
public_baseurl: https://hackliberty.org/
web_client_location: https://element.hackliberty.org/
serve_server_wellknown: true
pid_file: "/data/homeserver.pid"
presence:
enabled: false
allow_device_name_lookup_over_federation: false
allow_public_rooms_over_federation: true
include_profile_data_on_invite: true
require_auth_for_profile_requests: true
allow_profile_lookup_over_federation: true
limit_profile_requests_to_users_who_share_rooms: false
listeners:
- port: 9093
type: http
resources:
- names: [replication]
bind_addresses: ['0.0.0.0']
- port: 8008
tls: false
type: http
x_forwarded: true
bind_addresses: ['0.0.0.0']
resources:
- names: [client, federation]
compress: false
- port: 9000
tls: false
type: metrics
bind_addresses: ['0.0.0.0']
redaction_retention_period: 1m
user_ips_max_age: 1m
retention:
enabled: true
purge_jobs:
- longest_max_lifetime: 1h
interval: 30m
- shortest_max_lifetime: 1h
longest_max_lifetime: 12h
interval: 1h
- shortest_max_lifetime: 12h
longest_max_lifetime: 1d
interval: 12h
- shortest_max_lifetime: 1d
longest_max_lifetime: 10y
interval: 24h
federation_client_minimum_tls_version: 1.2
caches:
global_factor: 2.0
per_cache_factors:
get_users_who_share_room_with_user: 5.0
sync_response_cache_duration: 2m
database:
name: psycopg2
txn_limit: 10000
args:
user: REDACTED
password: REDACTED
database: REDACTED
host: postgres
port: 5432
cp_min: 5
cp_max: 10
log_config: "/data/hackliberty.org.log.config"
rc_federation:
window_size: 1000
sleep_limit: 10
sleep_delay: 500
reject_limit: 50
concurrent: 3
federation_rr_transactions_per_room_per_second: 50
media_store_path: "/data/media_store"
max_upload_size: 50M
max_image_pixels: 50M
url_preview_enabled: true
url_preview_ip_range_blacklist:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '100.64.0.0/10'
- '192.0.0.0/24'
- '169.254.0.0/16'
- '192.88.99.0/24'
- '198.18.0.0/15'
- '192.0.2.0/24'
- '198.51.100.0/24'
- '203.0.113.0/24'
- '224.0.0.0/4'
- '::1/128'
- 'fe80::/10'
- 'fc00::/7'
- '2001:db8::/32'
- 'ff00::/8'
- 'fec0::/10'
url_preview_url_blacklist:
- netloc: 'google.com'
- netloc: '*.google.com'
- scheme: 'http'
- netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
enable_registration: false
registration_requires_token: true
registration_shared_secret: "REDACTED"
allow_guest_access: false
auto_join_rooms:
- "#community:hackliberty.org"
enable_metrics: true
signing_key_path: "/data/hackliberty.org.signing.key"
trusted_key_servers:
- server_name: "matrix.org"
inhibit_user_in_use_error: true
suppress_key_server_warning: true
report_stats: false
macaroon_secret_key: "REDACTED"
form_secret: "REDACTED"
send_federation: false
federation_sender_instances:
- federation1
- federation2
- federation3
- federation4
redis:
enabled: true
host: redis
port: 6379
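Review bot: The replication listener (`port: 9093`) and the metrics listener (`port: 9000`) bind `0.0.0.0` with no `worker_replication_secret` configured, so any container sharing the `matrix` network in the accompanying docker-compose.yml (prometheus, grafana, tor, maubot, the exporters) can reach Synapse's unauthenticated replication API. Add `worker_replication_secret: "<generated-secret>"` here and in each worker config (those files are outside this hunk), or move the main process and workers onto a dedicated network that the monitoring and Tor containers do not join. `federation_client_minimum_tls_version: 1.2` is parsed as a float; quoting it (`"1.2"`) keeps it the string the Synapse documentation shows and avoids any parser normalisation.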

8
images/build.sh Normal file

@ -0,0 +1,8 @@
#!/bin/bash
docker build ./synapse-captcha/
docker build ./mjolnir/
docker build ./pantalaimon/
docker build ./synapse-docker/
docker build ./synapse-worker-docker/
docker build ./matrix-dimension/

@ -0,0 +1 @@
Subproject commit 1ee97be49d75f2d89275073963097409498ebcb1

1
images/mjolnir Submodule

@ -0,0 +1 @@
Subproject commit 2915757b7d04308848061d4c048a9ee827fea9aa

1
images/pantalaimon Submodule

@ -0,0 +1 @@
Subproject commit b5a419e488fe985b0d2ef9a8212e71c27ea6a7d6

@ -0,0 +1 @@
Subproject commit 1660b52a5d18e1c2f741348a803632a986beac74

1
images/synapse-docker Submodule

@ -0,0 +1 @@
Subproject commit 53ae6a44fea2ecc954fc7c57b68bbec320bae028

@ -0,0 +1 @@
Subproject commit 215f91bbca874c4679f8bdd0b7f8ca502bd0003d

26
swag/nginx/gzip.conf Normal file

@ -0,0 +1,26 @@
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_min_length 256;
gzip_comp_level 7;
gzip_types
application/atom+xml
application/geo+json
application/javascript
application/x-javascript
application/json
application/ld+json
application/manifest+json
application/rdf+xml
application/rss+xml
application/xhtml+xml
application/xml
font/eot
font/otf
font/ttf
image/svg+xml
text/css
text/javascript
text/plain
text/xml;
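Review bot: `gzip_proxied any` compresses every proxied upstream response, and this file is included by the `/register` and `/static` locations that front the registration service, so dynamic responses that mix a secret (session cookie, form token) with reflected request data become measurable through compressed length (BREACH-class leakage). For the static `location /` the include is harmless; for proxied dynamic endpoints either omit the include or drop `gzip_proxied any` so only locally served files are compressed. If the registration pages are known not to reflect user input alongside secrets this can stay, but that reasoning belongs in a comment here.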


@ -0,0 +1,90 @@
## Client API requests
location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/createRoom$ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms$ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members$ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/.*$ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/client/v1/rooms/.*/hierarchy$ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/client/(r0|v3|unstable)/account/3pid$ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/client/(r0|v3|unstable)/account/whoami$ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/client/(r0|v3|unstable)/devices$ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/client/versions$ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/client/v1/rooms/.*/timestamp_to_event$ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/search$ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
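Review bot: Eighteen near-identical `location ~` blocks each repeat the same two-line body, which makes drift between this list and the Synapse worker documentation hard to spot; a single block with an alternation for the version-agnostic endpoints and one for the `rooms/.*/…` family express the same routing in a fraction of the lines, leaving only the version-specific routes as separate blocks. A header comment naming the Synapse version and documentation section these routes were copied from would make future audits of the list cheaper. The same duplication pattern appears in the encryption and federation route files in this commit.
```nginx
## Client API requests (consolidated; same upstream as the per-endpoint blocks)
location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/(createRoom|publicRooms|joined_rooms|search)$ {
    include /config/nginx/include.d/synapse-proxy.conf;
    proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(joined_members|members|state|context/.*)$ {
    include /config/nginx/include.d/synapse-proxy.conf;
    proxy_pass http://generic_worker_lc;
}
# … unchanged: remaining version-specific routes (v1 hierarchy, timestamp_to_event, msc2716 batch_send, account/*, devices, versions, voip/turnServer, rooms/.*/event/) …
```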


@ -0,0 +1,26 @@
## Encryption requests
location ~ ^/_matrix/client/(r0|v3|unstable)/keys/query$ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/client/(r0|v3|unstable)/keys/changes$ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/client/(r0|v3|unstable)/keys/claim$ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/client/(r0|v3|unstable)/room_keys/ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
# Note that ^/_matrix/client/(r0|v3|unstable)/keys/upload/ requires `worker_main_http_uri`
location ~ ^/_matrix/client/(r0|v3|unstable)/keys/upload/ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
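Review bot: The comment above the `keys/upload/` block refers to `worker_main_http_uri`, a setting that newer Synapse releases no longer need (it was deprecated around 1.73, where workers reach the main process over replication instead), so whether this route works depends on the Synapse version the submodule pins and on the worker configs, neither of which is visible in this hunk. Either state the assumption in the comment, e.g. `# keys/upload on a worker needs worker_main_http_uri on Synapse < 1.73; later versions use replication`, or remove the note once the worker files have been checked. Routing `room_keys/` (server-side key backups) through the same least-connection pool is consistent with the other client routes.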


@ -0,0 +1,96 @@
## Federation requests
location ~ ^/_matrix/federation/v1/event/ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/federation/v1/state/ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/federation/v1/state_ids/ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/federation/v1/backfill/ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/federation/v1/get_missing_events/ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/federation/v1/publicRooms {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/federation/v1/query/ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/federation/v1/make_join/ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/federation/v1/make_leave/ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/federation/(v1|v2)/send_join/ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/federation/(v1|v2)/send_leave/ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/federation/(v1|v2)/invite/ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/federation/v1/event_auth/ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/federation/v1/timestamp_to_event/ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/federation/v1/exchange_third_party_invite/ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/federation/v1/user/devices/ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/key/v2/query {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
location ~ ^/_matrix/federation/v1/hierarchy/ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_lc;
}
# Inbound federation transaction request
location ~ ^/_matrix/federation/v1/send/ {
include /config/nginx/include.d/synapse-proxy.conf;
proxy_pass http://generic_worker_ih;
}


@ -0,0 +1,8 @@
location / {
root /config/www/hackliberty.org;
include /config/nginx/gzip.conf;
include /config/nginx/security-headers.conf;
# Add Onion-Location Header
add_header Onion-Location http://kj3wvs3wyfhm3uhhuqxlrhhcp6dneuau4mmvptlor27ghmrqx63fqnid.onion$request_uri;
add_header Content-Security-Policy "default-src 'none'; frame-src https://trocador.app/; connect-src 'self'; font-src 'self'; img-src 'self'; manifest-src 'self'; script-src 'self'; style-src 'self'; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'; require-trusted-types-for 'script'; trusted-types 'none'";
}
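Review bot: The `Content-Security-Policy` `add_header` lacks `always`, so nginx only attaches it to 2xx/3xx responses and error pages (404, 50x) go out without the policy; `add_header Content-Security-Policy "…" always;` closes that gap. Keep in mind that any `add_header` in a location suppresses those inherited from the server/http level, so every header the site relies on must come from this block or from the included `security-headers.conf`. `block-all-mixed-content` is deprecated in CSP3 and redundant under `default-src 'none'`, so it can be dropped the next time the header is touched.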


@ -0,0 +1,13 @@
location /_matrix/maubot/v1/logs {
proxy_pass http://maubot:29316;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Forwarded-For $remote_addr;
}
location /_matrix/maubot {
proxy_pass http://maubot:29316;
proxy_set_header X-Forwarded-For $remote_addr;
}
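Review bot: The `/_matrix/maubot/v1/logs` websocket location does not raise `proxy_read_timeout`, so an idle log stream is closed by nginx after its 60-second default; add `proxy_read_timeout 3600s;` (or whatever session length is wanted) next to the `Upgrade` headers. Both locations forward `X-Forwarded-For $remote_addr` rather than the anonymised `0.0.0.0` used by `synapse-proxy.conf` elsewhere in this commit, so if address anonymisation at the proxy is a deliberate policy, the maubot admin endpoints currently diverge from it and that should be either aligned or documented.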


@ -0,0 +1,19 @@
location ~ ^/_matrix/client/r0/rooms/([^/]*)/report/(.*)$ {
# Abuse reports should be sent to Mjölnir.
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
include /config/nginx/include.d/synapse-proxy.conf;
set $upstream_app mjolnir;
set $upstream_port 8081;
set $upstream_proto http;
# Add CORS, otherwise a browser will refuse this request.
add_header 'Access-Control-Allow-Credentials' 'true' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since' always;
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
add_header 'Access-Control-Max-Age' 1728000;
# Alias the regexps, to ensure that they're not rewritten.
set $room_id $1;
set $event_id $2;
proxy_pass $upstream_proto://$upstream_app:$upstream_port/api/1/report/$room_id/$event_id;
}
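Review bot: The comment says CORS is added so browsers accept the request, but no `Access-Control-Allow-Origin` header is set, so a client served from another origin such as `element.hackliberty.org` will still have the response blocked and a preflight `OPTIONS` is simply proxied to Mjölnir; add `add_header 'Access-Control-Allow-Origin' '*' always;`, and note that a wildcard origin and `Access-Control-Allow-Credentials 'true'` are mutually exclusive in browsers, so keep only one. The regex matches only the `r0` client API prefix while current clients use `v3`, so reports sent to `/_matrix/client/v3/rooms/…/report/…` bypass Mjölnir and land on Synapse; `^/_matrix/client/(r0|v3|unstable)/rooms/([^/]*)/report/(.*)$` matches the versioning used by the worker routes in this commit. Since the captures are reused after the `include` directives, keep the `set $room_id $1;` / `set $event_id $2;` lines before any further regex-evaluating directive, as they are now.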


@ -0,0 +1,24 @@
location /register {
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
include /config/nginx/include.d/synapse-proxy.conf;
include /config/nginx/gzip.conf;
include /config/nginx/security-headers.conf;
add_header Onion-Location http://54ct5xaioq64ejuxfpyuxyuati4aplp2dlebr3t5ug7ck62i5tsaiuid.onion$request_uri;
set $upstream_app matrix-registration;
set $upstream_port 5000;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
location /static {
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
include /config/nginx/include.d/synapse-proxy.conf;
include /config/nginx/gzip.conf;
include /config/nginx/security-headers.conf;
set $upstream_app matrix-registration;
set $upstream_port 5000;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
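Review bot: `/static` is a plain prefix match that now sends everything under `/static` on the main site to `matrix-registration`, so a `static/` directory under `/config/www/hackliberty.org` would be shadowed; if only the registration assets are meant, `location /static/` with a comment saying so is clearer. More important for abuse resistance: the `rate_limit` of `"10000 per day", "100 per minute"` in `files/config.yaml` is keyed on whatever address the app sees, and because `synapse-proxy.conf` forces `X-Forwarded-For` to `0.0.0.0` (or the app sees the proxy's internal address if it ignores the header) all visitors share one bucket, so a single client can exhaust the registration quota for everyone. If address anonymisation is intentional, document the trade-off here, e.g. `# XFF is anonymised by synapse-proxy.conf; registration rate limits are therefore global, not per-client`.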


@ -0,0 +1,7 @@
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP 0.0.0.0;
proxy_set_header X-Forwarded-For 0.0.0.0;
proxy_set_header X-Forwarded-Host 0.0.0.0;
proxy_set_header X-Forwarded-Proto $scheme;
port_in_redirect off;
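Review bot: Overwriting `X-Forwarded-For` and `X-Real-IP` with `0.0.0.0` (here and again in `swag/nginx/proxy.conf`) is presumably a deliberate privacy choice, but it also means every upstream sees one client address, so any per-IP rate limiting or lockout in Synapse, Gitea, BookStack and the rest either does nothing or throttles all users together when a single client misbehaves. That trade-off deserves a comment so nobody "fixes" it later, e.g. `# Client IPs are intentionally hidden from upstreams; per-IP limits must be enforced in nginx (limit_req).` `X-Forwarded-Host 0.0.0.0` is also unusual: an application that builds absolute URLs from that header will emit `0.0.0.0` links, so confirm against the upstream that includes this snippet.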


@ -0,0 +1,15 @@
upstream generic_worker_ih {
ip_hash;
server synapse-generic-worker-1:8080;
server synapse-generic-worker-2:8081;
server synapse-generic-worker-3:8082;
server synapse-generic-worker-4:8083;
}
upstream generic_worker_lc {
least_conn;
server synapse-generic-worker-1:8080;
server synapse-generic-worker-2:8081;
server synapse-generic-worker-3:8082;
server synapse-generic-worker-4:8083;
}

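--- a/swag/nginx/nginx.conf
+++ b/swag/nginx/nginx.conf
@@ -0,0 +1,148 @@
+## Version 2022/08/16 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/nginx.conf.sample
+### Based on alpine defaults
+# https://git.alpinelinux.org/aports/tree/main/nginx/nginx.conf?h=3.15-stable
+user abc;
+# Set number of worker processes automatically based on number of CPU cores.
+include /config/nginx/worker_processes.conf;
+# Enables the use of JIT for regular expressions to speed-up their processing.
+pcre_jit on;
+# Configures default error logger.
+#error_log /config/log/nginx/error.log;
+# Includes files with directives to load dynamic modules.
+include /etc/nginx/modules/*.conf;
+# Include files with config snippets into the root context.
+include /etc/nginx/conf.d/*.conf;
+events {
+# The maximum number of simultaneous connections that can be opened by
+# a worker process.
+worker_connections 1024;
+}
+http {
+# Includes mapping of file name extensions to MIME types of responses
+# and defines the default type.
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+# Name servers used to resolve names of upstream servers into addresses.
+# It's also needed when using tcpsocket and udpsocket in Lua modules.
+#resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001;
+include /config/nginx/resolver.conf;
+# Don't tell nginx version to the clients. Default is 'on'.
+server_tokens off;
+# Specifies the maximum accepted body size of a client request, as
+# indicated by the request header Content-Length. If the stated content
+# length is greater than this size, then the client receives the HTTP
+# error code 413. Set to 0 to disable. Default is '1m'.
+client_max_body_size 0;
+# Sendfile copies data between one FD and other from within the kernel,
+# which is more efficient than read() + write(). Default is off.
+sendfile on;
+# Causes nginx to attempt to send its HTTP response head in one packet,
+# instead of using partial frames. Default is 'off'.
+tcp_nopush on;
+# all ssl related config moved to ssl.conf
+include /config/nginx/ssl.conf;
+# Enable gzipping of responses.
+#gzip on;
+# Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
+gzip_vary on;
+##
+# Anonymize the IP Address
+##
+map $remote_addr $remote_addr_anon {
+~(?P<ip>\d+\.\d+)\.\d+\. $ip.0.0;
+~(?P<ip>[^:]+:[^:]+): $ip::;
+# IP addresses to not anonymize (such as your server)
+127.0.0.1 $remote_addr;
+::1 $remote_addr;
+89.147.110.112 $remote_addr;
+default 0.0.0.0;
+}
+# add $http_x_forwarded_for section if needed.
+##
+# Tag the Access as Normal or Record IP (Specified Error codes)
+##
+map $status $normal_access {
+400 0;
+401 0;
+403 0;
+#404 0;
+405 0;
+406 0;
+410 0;
+default 1;
+}
+map $status $record_full_ip {
+400 1;
+401 1;
+403 1;
+#404 1;
+405 1;
+406 1;
+410 1;
+default 0;
+}
+##
+# Set the Logs
+##
+log_format anon_ip '$remote_addr_anon - $remote_user [$time_local] "$request" '
+'$status $body_bytes_sent "$http_referer" '
+'"$http_x_forwarded_for_anon"';
+log_format real_ip '$remote_addr - $remote_user [$time_local] "$request" '
+'$status $body_bytes_sent "$http_referer" '
+'"$http_user_agent" "$http_x_forwarded_for"';
+##
+# Do the Actual Logging ( Can be set in Server section(s) )
+##
+# Anonymized IP Access Logs
+access_log /config/log/nginx/access.log anon_ip if=$normal_access;
+# Record real IP address on specified errors codes
+access_log /config/log/nginx/access.log real_ip if=$record_full_ip;
+# NGINX Error Logs
+error_log /config/log/nginx/error.log;
+# Helper variable for proxying websockets.
+map $http_upgrade $connection_upgrade {
+default upgrade;
+'' close;
+}
+# Sets the path, format, and configuration for a buffered log write.
+# access_log /config/log/nginx/access.log;
+# Includes virtual hosts configs.
+include /etc/nginx/http.d/*.conf;
+include /config/nginx/site-confs/*.conf;
+}
+daemon off;
+pid /run/nginx.pid;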
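Review bot: `log_format anon_ip` references `$http_x_forwarded_for_anon`, which no `map` defines; because of the `$http_` prefix nginx resolves it to a request header named `X-Forwarded-For-Anon`, so the "anonymized" field logs whatever text a client chooses to send (a log-injection vector) and is otherwise empty. Define the variable without that prefix, e.g. `map $http_x_forwarded_for $x_forwarded_for_anon { ... }` mirroring the `$remote_addr_anon` map, and reference `$x_forwarded_for_anon` in the format. Separately, `client_max_body_size 0;` at `http` level removes the request-body limit for every vhost that does not set its own — only the lemmy and Matrix servers in this commit do — so paste, docs, git and the rest accept unbounded uploads; a finite default here with per-vhost overrides is the safer shape.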

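--- a/swag/nginx/proxy.conf
+++ b/swag/nginx/proxy.conf
@@ -0,0 +1,35 @@
+## Version 2022/09/01 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/proxy.conf.sample
+# Timeout if the real server is dead
+proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+# Proxy Connection Settings
+proxy_buffers 32 4k;
+proxy_connect_timeout 240;
+proxy_headers_hash_bucket_size 128;
+proxy_headers_hash_max_size 1024;
+proxy_http_version 1.1;
+proxy_read_timeout 240;
+proxy_redirect http:// $scheme://;
+proxy_send_timeout 240;
+# Proxy Cache and Cookie Settings
+proxy_cache_bypass $cookie_session;
+#proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps
+proxy_no_cache $cookie_session;
+# Proxy Header Settings
+proxy_set_header Connection $connection_upgrade;
+proxy_set_header Early-Data $ssl_early_data;
+proxy_set_header Host $host;
+proxy_set_header Proxy "";
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header X-Forwarded-For 0.0.0.0;
+proxy_set_header X-Forwarded-Host $host:$server_port;
+proxy_set_header X-Forwarded-Method $request_method;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Server $host;
+proxy_set_header X-Forwarded-Ssl on;
+proxy_set_header X-Forwarded-Uri $request_uri;
+proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+proxy_set_header X-Real-IP 0.0.0.0;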


@ -0,0 +1,13 @@
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Origin-Agent-Cluster "?1" always;
# obsolete and replaced with Content-Security-Policy frame-ancestors 'none'
#add_header X-Frame-Options "DENY" always;
# obsolete, unsafe and replaced with strong Content-Security-Policy
add_header X-XSS-Protection "0" always;
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), clipboard-write=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
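Review bot: This snippet depends on nginx's `add_header` inheritance rule, which is easy to get wrong: a `server` or `location` inherits these headers only if it defines no `add_header` of its own, so including this file at server level and then adding even one header (an `Onion-Location`, say) inside a location silently drops all of these for that location. A leading comment such as `# add_header is not merged across levels: include this file at the same level as any other add_header directive, or the headers vanish` would save the next maintainer from that trap. The consistent `always` suffix is good — it keeps the headers on 4xx/5xx responses, which several vhosts in this commit forget.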


@ -0,0 +1,2 @@
add_header Cross-Origin-Embedder-Policy "require-corp" always;
add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src 'self'; img-src 'self'; manifest-src 'self'; script-src 'self'; style-src 'self'; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'; require-trusted-types-for 'script'; trusted-types 'none'" always;


@ -0,0 +1,13 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name blog.*;
include /config/nginx/ssl.conf;
include /config/nginx/gzip.conf;
location / {
root /config/www/blog.hackliberty.org;
}
}
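Review bot: This static vhost receives only the HSTS header inherited from `ssl.conf`; the other static site in this commit (the onion server in the hackliberty.org config) also includes `security-headers.conf` and sets a `Content-Security-Policy`. Adding `include /config/nginx/security-headers.conf;` inside `location /` — that file re-declares HSTS, so nothing is lost to add_header inheritance — plus a CSP fitted to the blog's assets would make the two static sites consistent. The hard-coded `root /config/www/blog.hackliberty.org` next to the wildcard `server_name blog.*` is fine but worth a one-line comment saying the wildcard exists only for SWAG's subdomain handling.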


@ -0,0 +1,27 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name chat.*;
include /config/nginx/ssl.conf;
include /config/nginx/gzip.conf;
location / {
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https://hackliberty.org; font-src 'self'; img-src 'self' https://hackliberty.org blob: data:; manifest-src 'self'; media-src 'self' https://hackliberty.org; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src 'self' blob:; frame-ancestors 'self'; block-all-mixed-content; base-uri 'none'";
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), clipboard-write=(), display-capture=(), document-domain=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), usb=(), xr-spatial-tracking=()" always;
add_header Referrer-Policy "no-referrer" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Origin-Agent-Cluster "?1" always;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options SAMEORIGIN;
set $upstream_app chat;
set $upstream_port 80;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}
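Review bot: Only `Strict-Transport-Security`, `Permissions-Policy`, `Referrer-Policy`, COOP, `Origin-Agent-Cluster` and `X-Content-Type-Options` carry `always` here; `Content-Security-Policy`, `X-XSS-Protection` and `X-Frame-Options` do not, so they are absent from the 4xx/5xx responses the upstream returns, which is where a CSP matters most. `X-XSS-Protection "1; mode=block"` also contradicts `security-headers.conf` in this same commit, which sets it to `0` and explains why the legacy auditor is considered unsafe. The element.* vhost has the identical three lines; `add_header X-XSS-Protection "0" always;` and `always` on the CSP and `X-Frame-Options` lines brings both into line with the shared snippet.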


@ -0,0 +1,20 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name cinny.*;
include /config/nginx/ssl.conf;
include /config/nginx/gzip.conf;
add_header Content-Security-Policy "frame-ancestors 'none'";
location / {
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app cinny;
set $upstream_port 80;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}
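Review bot: cinny.* gets only `frame-ancestors 'none'` as its policy, while the chat.* and element.* clients in this commit carry a full CSP, Permissions-Policy and the remaining hardening headers; Cinny handles the same access tokens and message content, so the gap reads as accidental rather than intended. Note that the server-level CSP (and the HSTS from `ssl.conf`) reaches `location /` only because that block declares no `add_header` of its own; the moment one is added there, both disappear unless re-declared. The policy line should also end in `always` so it is sent on error responses too.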


@ -0,0 +1,17 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name dimension.*;
include /config/nginx/ssl.conf;
location / {
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app dimension;
set $upstream_port 8184;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}
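Review bot: This vhost — and the identically shaped docs.*, grafana.* and maubot.* vhosts — proxies with no security headers beyond the HSTS inherited from `ssl.conf`: no `X-Content-Type-Options`, `Referrer-Policy` or frame-ancestors policy, which the other vhosts in this commit set through `security-headers.conf` or an explicit CSP. Dimension is embedded by the Element client, so a blanket `frame-ancestors 'none'` would break it; the right shape is a policy naming the embedding origin, e.g. `add_header Content-Security-Policy "frame-ancestors https://element.<your-domain>" always;` (placeholder — the page does not spell out the element hostname). For docs.*, grafana.* and maubot.*, `include /config/nginx/security-headers.conf;` inside `location /` is sufficient.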


@ -0,0 +1,18 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name docs.*;
include /config/nginx/ssl.conf;
include /config/nginx/gzip.conf;
location / {
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app bookstack;
set $upstream_port 80;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}


@ -0,0 +1,27 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name element.*;
include /config/nginx/ssl.conf;
include /config/nginx/gzip.conf;
location / {
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https://hackliberty.org; font-src 'self'; img-src 'self' https://hackliberty.org blob: data:; manifest-src 'self'; media-src 'self' https://hackliberty.org; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src 'self' blob:; frame-ancestors 'self'; block-all-mixed-content; base-uri 'none'";
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), clipboard-write=(), display-capture=(), document-domain=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), usb=(), xr-spatial-tracking=()" always;
add_header Referrer-Policy "no-referrer" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Origin-Agent-Cluster "?1" always;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options SAMEORIGIN;
set $upstream_app element;
set $upstream_port 80;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}


@ -0,0 +1,20 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name git.*;
include /config/nginx/ssl.conf;
location / {
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
include /config/nginx/security-headers.conf;
add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src * https: data:; img-src * https: data:; manifest-src * https: data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'";
add_header Onion-Location http://vkp7367tcjpqdwwckigrdrvmwvispvbpg5rlsr2chjxvppfg7hipagyd.onion$request_uri;
set $upstream_app gitea;
set $upstream_port 3333;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}
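Review bot: The CSP for git.* allows `script-src 'self' 'unsafe-inline' 'unsafe-eval'`, which leaves essentially no script-injection protection for a service that renders user-supplied markdown and file contents; whether the Gitea build in use still needs either keyword is not visible here, so a comment recording why they are present and when to re-test would stop them outliving their reason. The CSP and `Onion-Location` lines also lack `always`, unlike the headers from `security-headers.conf` they sit beside, so Gitea error pages go out without the policy.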


@ -0,0 +1,18 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name grafana.*;
include /config/nginx/ssl.conf;
include /config/nginx/gzip.conf;
location / {
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app grafana;
set $upstream_port 3000;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}


@ -0,0 +1,122 @@
# nginx example config
# replace {{yourdomain}} and review the certbot/letsencrypt config
limit_req_zone $binary_remote_addr zone=links.hackliberty.org_ratelimit:10m rate=1r/s;
upstream lemmy {
# this needs to map to the lemmy (server) docker service hostname
server "lemmy:8536";
}
upstream lemmy-ui {
# this needs to map to the lemmy-ui docker service hostname
server "lemmy-ui:1234";
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name links.hackliberty.org;
ssl_certificate /config/keys/cert.crt;
ssl_certificate_key /config/keys/cert.key;
# Various TLS hardening settings
# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets on;
ssl_stapling on;
ssl_stapling_verify on;
# Hide nginx version
server_tokens off;
# Enable compression for JS/CSS/HTML bundle, for improved client load times.
# It might be nice to compress JSON, but leaving that out to protect against potential
# compression+encryption information leak attacks like BREACH.
gzip on;
gzip_types text/css application/javascript image/svg+xml;
gzip_vary on;
# Only connect to this site via HTTPS for the two years
add_header Strict-Transport-Security "max-age=63072000";
# Various content security headers
add_header Referrer-Policy "same-origin";
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options "DENY";
add_header X-XSS-Protection "1; mode=block";
# Upload limit for pictrs
client_max_body_size 20M;
# frontend
location / {
# distinguish between ui requests and backend
# don't change lemmy-ui or lemmy here, they refer to the upstream definitions on top
set $proxpass "http://lemmy-ui";
if ($http_accept = "application/activity+json") {
set $proxpass "http://lemmy";
}
if ($http_accept = "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"") {
set $proxpass "http://lemmy";
}
if ($request_method = POST) {
set $proxpass "http://lemmy";
}
proxy_pass $proxpass;
rewrite ^(.+)/+$ $1 permanent;
# Send actual client IP upstream
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# backend
location ~ ^/(api|feeds|nodeinfo|.well-known) {
proxy_pass "http://lemmy";
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Rate limit
limit_req zone=links.hackliberty.org_ratelimit burst=30 nodelay;
# Add IP forwarding headers
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# pictrs only - for adding browser cache control.
location ~ ^/(pictrs) {
# allow browser cache, images never update, we can apply long term cache
expires 120d;
add_header Pragma "public";
add_header Cache-Control "public";
proxy_pass "http://lemmy";
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Rate limit
limit_req zone=links.hackliberty.org_ratelimit burst=30 nodelay;
# Add IP forwarding headers
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# Redirect pictshare images to pictrs
location ~ /pictshare/(.*)$ {
return 301 /pictrs/image/$1;
}
}
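Review bot: `location ~ ^/(pictrs)` declares its own `add_header` lines (Pragma, Cache-Control), which under nginx's inheritance rule discards the server-level HSTS, `X-Content-Type-Options`, `X-Frame-Options` and the rest for every image response — `nosniff` on user-uploaded images is the one you least want to lose. Re-declare the hardening headers in that location (or move them into an include used at both levels) and add `always` so they also cover 4xx/5xx. The inline TLS block also drifts from `ssl.conf` in this commit: `ssl_session_tickets on` where the shared file turns them off, `ssl_stapling_verify on` without an `ssl_trusted_certificate`, and no `ssl_dhparam`; replacing the copied `ssl_*` lines with `include /config/nginx/ssl.conf;` fixes all three. The `{{yourdomain}}` template comment at the top is stale and should go.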


@ -0,0 +1,102 @@
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name hackliberty.org paste.* ots.* element.* git.* chat.*;
location / {
return 307 https://$host$request_uri;
}
}
#Workers
include /config/nginx/include.d/upstream_workers.conf;
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
listen 8448 ssl http2 default_server;
listen [::]:8448 ssl http2 default_server;
server_name hackliberty.org www.*;
include /config/nginx/ssl.conf;
client_max_body_size 1024M;
# Well-Known
location /.well-known/matrix/server {
default_type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '{"m.server": "hackliberty.org:443"}';
}
location /.well-known/matrix/client {
default_type application/json;
add_header Access-Control-Allow-Origin *;
}
#Home Page
include /config/nginx/include.d/homepage.conf;
# Mjolnir Reports
include /config/nginx/include.d/mjolnir-reports.conf;
# Maubot
include /config/nginx/include.d/maubot.conf;
# Federation_Worker
include /config/nginx/include.d/federation_worker.conf;
# Encryption_Worker
include /config/nginx/include.d/encryption_worker.conf;
# Client_Worker
include /config/nginx/include.d/client_worker.conf;
# Register
include /config/nginx/include.d/register.conf;
# Additional1_Worker | Typing Device Account
#include /config/nginx/include.d/additional1_worker.conf;
# Additional2_Worker | Reciept
#include /config/nginx/include.d/additional2_worker.conf;
# Event_worker
#include /config/nginx/include.d/event_worker.conf;
# Extra Workers
#include /config/nginx/include.d/extra_worker.conf;
# Media Repo
#include /config/nginx/include.d/media-repo.conf;
# /synapse/admin
#include /config/nginx/include.d/synapse-admin.conf;
# Sync_Worker
#include /config/nginx/include.d/sync_worker.conf;
location ~ ^(/_matrix.*) {
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
include /config/nginx/include.d/synapse-proxy.conf;
set $upstream_app synapse;
set $upstream_port 8008;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}
server {
listen 8899;
server_name kj3wvs3wyfhm3uhhuqxlrhhcp6dneuau4mmvptlor27ghmrqx63fqnid.onion;
location ~ ^/.*$ {
root /config/www/hackliberty.org;
include /config/nginx/gzip.conf;
include /config/nginx/security-headers.conf;
# Add Onion-Location Header
add_header Onion-Location http://kj3wvs3wyfhm3uhhuqxlrhhcp6dneuau4mmvptlor27ghmrqx63fqnid.onion$request_uri;
add_header Content-Security-Policy "default-src 'none'; frame-src https://trocador.app/; connect-src 'self'; font-src 'self'; img-src 'self'; manifest-src 'self'; script-src 'self'; style-src 'self'; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'; require-trusted-types-for 'script'; trusted-types 'none'";
}
}
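Review bot: `location /.well-known/matrix/client` sets `default_type` and a CORS header but never produces a body, unlike the `/server` location just above it; the request falls through to a static-file lookup under the vhost's document root (not set here, so nginx's compiled-in default), which will most likely be a 404, and Matrix clients then fail autodiscovery for hackliberty.org. Return the document explicitly, e.g. `return 200 '{"m.homeserver": {"base_url": "https://hackliberty.org"}}';` (base_url constructed from the `/server` value above — confirm it). A comment on include ordering would also help the next editor: `# mjolnir-reports.conf must stay above the catch-all ^(/_matrix.*) location — nginx takes the first matching regex location in file order`.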


@ -0,0 +1,17 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name maubot.*;
include /config/nginx/ssl.conf;
location / {
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app maubot;
set $upstream_port 29316;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}


@ -0,0 +1,48 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ots.*;
ssl_certificate /config/keys/cert.crt;
ssl_certificate_key /config/keys/cert.key;
ssl_session_timeout 10m;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
ssl_dhparam /config/nginx/dhparam4096.pem;
# intermediate configuration
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_conf_command Options PrioritizeChaCha;
ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384;
ssl_ecdh_curve X25519:X448:secp521r1:secp384r1;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /config/keys/cert.crt;
# Optional additional headers
add_header Permissions-Policy "interest-cohort=()";
# Add Onion-Location Header
add_header Onion-Location http://5bi7xhmcmji4gfuok5z4j4bgmif2cryuf6was6c7275i3wwfvoolbryd.onion$request_uri;
location / {
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app ots;
set $upstream_port 3000;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}
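Review bot: `ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256;` limits TLS 1.3 on this vhost to a single suite, but the only suite a TLS 1.3 implementation is required to support is TLS_AES_128_GCM_SHA256, so clients offering just the mandatory AES-GCM suites cannot complete a 1.3 handshake here and fall back to 1.2 or fail outright. The rest of the block is a copy of `ssl.conf` from this same commit with small divergences (HSTS without `includeSubDomains`, a three-entry 1.2 list), so `include /config/nginx/ssl.conf;` in place of the copied `ssl_*` and HSTS lines removes both the drift and the restriction; keep the `Permissions-Policy` and `Onion-Location` lines, and give them `always`.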


@ -0,0 +1,18 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name paste.*;
include /config/nginx/ssl.conf;
location / {
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
add_header Onion-Location http://z2hx4persafjkxw3u23dly24tzzynvkzrp5r3zbh6jrjvd7c7qjsgvyd.onion$request_uri;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
set $upstream_app privatebin;
set $upstream_port 8080;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}


@ -0,0 +1,17 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name prometheus.*;
include /config/nginx/ssl.conf;
location / {
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app prometheus;
set $upstream_port 9090;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}
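Review bot: This vhost publishes Prometheus on a public hostname with no access control in nginx — no `auth_basic`, no `allow`/`deny`, no client-certificate check — and Prometheus itself has no authentication unless a web config file enables basic auth, which nothing on this page shows. Grafana and the other proxied apps at least present a login; the Prometheus UI and its HTTP API expose every scraped metric and the target list, including internal container hostnames. Gate it with `auth_basic "Prometheus"; auth_basic_user_file <path-to-htpasswd>;` or an `allow` list for the administrator's source address, or keep it off the public listener entirely.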

30
swag/nginx/ssl.conf Normal file

@ -0,0 +1,30 @@
## Version 2022/08/20 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/ssl.conf.sample
### Mozilla Recommendations
# generated 2022-08-05, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
ssl_certificate /config/keys/cert.crt;
ssl_certificate_key /config/keys/cert.key;
ssl_session_timeout 10m;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
ssl_dhparam /config/nginx/dhparam4096.pem;
# intermediate configuration
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_conf_command Options PrioritizeChaCha;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /config/keys/cert.crt;