diff --git a/docs/deploying/docker-compose.for-traefik.yml b/docs/deploying/docker-compose.for-traefik.yml
index d10e5815..1c615673 100644
--- a/docs/deploying/docker-compose.for-traefik.yml
+++ b/docs/deploying/docker-compose.for-traefik.yml
@@ -1,40 +1,44 @@
# conduwuit - Behind Traefik Reverse Proxy
services:
- homeserver:
- ### If you already built the conduduwit image with 'docker build' or want to use the Docker Hub image,
- ### then you are ready to go.
- image: girlbossceo/conduwuit:latest
- restart: unless-stopped
- volumes:
- - db:/var/lib/conduwuit
- #- ./conduwuit.toml:/etc/conduwuit.toml
- networks:
- - proxy
- environment:
- CONDUWUIT_SERVER_NAME: your.server.name # EDIT THIS
- CONDUWUIT_DATABASE_PATH: /var/lib/conduwuit
- CONDUWUIT_DATABASE_BACKEND: rocksdb
- CONDUWUIT_PORT: 6167
- CONDUWUIT_MAX_REQUEST_SIZE: 20_000_000 # in bytes, ~20 MB
- CONDUWUIT_ALLOW_REGISTRATION: 'true'
- CONDUWUIT_ALLOW_FEDERATION: 'true'
- CONDUWUIT_ALLOW_CHECK_FOR_UPDATES: 'true'
- CONDUWUIT_TRUSTED_SERVERS: '["matrix.org"]'
- #CONDUWUIT_LOG: warn,state_res=warn
- CONDUWUIT_ADDRESS: 0.0.0.0
- #CONDUWUIT_CONFIG: '/etc/conduwuit.toml' # Uncomment if you mapped config toml above
- #cpuset: "0-4" # Uncomment to limit to specific CPU cores
+ homeserver:
+ ### If you already built the conduduwit image with 'docker build' or want to use the Docker Hub image,
+ ### then you are ready to go.
+ image: girlbossceo/conduwuit:latest
+ restart: unless-stopped
+ volumes:
+ - db:/var/lib/conduwuit
+ #- ./conduwuit.toml:/etc/conduwuit.toml
+ networks:
+ - proxy
+ environment:
+ CONDUWUIT_SERVER_NAME: your.server.name.example # EDIT THIS
+ CONDUWUIT_DATABASE_PATH: /var/lib/conduwuit
+ CONDUWUIT_DATABASE_BACKEND: rocksdb
+ CONDUWUIT_PORT: 6167 # should match the loadbalancer traefik label
+ CONDUWUIT_MAX_REQUEST_SIZE: 20_000_000 # in bytes, ~20 MB
+ CONDUWUIT_ALLOW_REGISTRATION: 'true'
+ CONDUWUIT_ALLOW_FEDERATION: 'true'
+ CONDUWUIT_ALLOW_CHECK_FOR_UPDATES: 'true'
+ CONDUWUIT_TRUSTED_SERVERS: '["matrix.org"]'
+ #CONDUWUIT_LOG: warn,state_res=warn
+ CONDUWUIT_ADDRESS: 0.0.0.0
+ #CONDUWUIT_CONFIG: '/etc/conduwuit.toml' # Uncomment if you mapped config toml above
+
+ # We need some way to serve the client and server .well-known json. The simplest way is via the CONDUWUIT_WELL_KNOWN
+ # variable / config option, there are multiple ways to do this, e.g. in the conduwuit.toml file, and in a seperate
+ # see the override file for more information about delegation
+ CONDUWUIT_WELL_KNOWN: |
+ {
+ client=https://your.server.name.example,
+ server=your.server.name.example:443
+ }
+ #cpuset: "0-4" # Uncomment to limit to specific CPU cores
+ ulimits: # conduwuit uses quite a few file descriptors, and on some systems it defaults to 1024, so you can tell docker to increase it
+ nofile:
+ soft: 1048567
+ hard: 1048567
- # We need some way to server the client and server .well-known json. The simplest way is to use a nginx container
- # to serve those two as static files. If you want to use a different way, delete or comment the below service, here
- # and in the docker compose override file.
- well-known:
- image: nginx:latest
- restart: unless-stopped
- volumes:
- - ./nginx/matrix.conf:/etc/nginx/conf.d/matrix.conf # the config to serve the .well-known/matrix files
- - ./nginx/www:/var/www/ # location of the client and server .well-known-files
### Uncomment if you want to use your own Element-Web App.
### Note: You need to provide a config.json for Element and you also need a second
### Domain or Subdomain for the communication between Element and conduwuit
@@ -50,10 +54,12 @@ services:
# - homeserver
volumes:
- db:
+ db:
networks:
- # This is the network Traefik listens to, if your network has a different
- # name, don't forget to change it here and in the docker-compose.override.yml
- proxy:
- external: true
+ # This is the network Traefik listens to, if your network has a different
+ # name, don't forget to change it here and in the docker-compose.override.yml
+ proxy:
+ external: true
+
+# vim: ts=2:sw=2:expandtab
diff --git a/docs/deploying/docker-compose.override.yml b/docs/deploying/docker-compose.override.yml
index 23d6a90b..a343eeee 100644
--- a/docs/deploying/docker-compose.override.yml
+++ b/docs/deploying/docker-compose.override.yml
@@ -1,44 +1,37 @@
# conduwuit - Traefik Reverse Proxy Labels
services:
- homeserver:
- labels:
- - "traefik.enable=true"
- - "traefik.docker.network=proxy" # Change this to the name of your Traefik docker proxy network
+ homeserver:
+ labels:
+ - "traefik.enable=true"
+ - "traefik.docker.network=proxy" # Change this to the name of your Traefik docker proxy network
- - "traefik.http.routers.to-conduwuit.rule=Host(`<SUBDOMAIN>.<DOMAIN>`)" # Change to the address on which conduwuit is hosted
- - "traefik.http.routers.to-conduwuit.tls=true"
- - "traefik.http.routers.to-conduwuit.tls.certresolver=letsencrypt"
- - "traefik.http.routers.to-conduwuit.middlewares=cors-headers@docker"
+ - "traefik.http.routers.to-conduwuit.rule=Host(`<SUBDOMAIN>.<DOMAIN>`)" # Change to the address on which conduwuit is hosted
+ - "traefik.http.routers.to-conduwuit.tls=true"
+ - "traefik.http.routers.to-conduwuit.tls.certresolver=letsencrypt"
+ - "traefik.http.routers.to-conduwuit.middlewares=cors-headers@docker"
+ - "traefik.http.services.to_conduwuit.loadbalancer.server.port=6167"
- - "traefik.http.middlewares.cors-headers.headers.accessControlAllowOriginList=*"
- - "traefik.http.middlewares.cors-headers.headers.accessControlAllowHeaders=Origin, X-Requested-With, Content-Type, Accept, Authorization"
- - "traefik.http.middlewares.cors-headers.headers.accessControlAllowMethods=GET, POST, PUT, DELETE, OPTIONS"
+ - "traefik.http.middlewares.cors-headers.headers.accessControlAllowOriginList=*"
+ - "traefik.http.middlewares.cors-headers.headers.accessControlAllowHeaders=Origin, X-Requested-With, Content-Type, Accept, Authorization"
+ - "traefik.http.middlewares.cors-headers.headers.accessControlAllowMethods=GET, POST, PUT, DELETE, OPTIONS"
- # We need some way to server the client and server .well-known json. The simplest way is to use a nginx container
- # to serve those two as static files. If you want to use a different way, delete or comment the below service, here
- # and in the docker compose file.
- well-known:
- labels:
- - "traefik.enable=true"
- - "traefik.docker.network=proxy"
+ # If you want to have your account on <DOMAIN>, but host conduwuit on a subdomain,
+ # you can let it only handle the well known file on that domain instead
+ #- "traefik.http.routers.to-matrix-wellknown.rule=Host(`<DOMAIN>`) && PathPrefix(`/.well-known/matrix`)"
+ #- "traefik.http.routers.to-matrix-wellknown.tls=true"
+ #- "traefik.http.routers.to-matrix-wellknown.tls.certresolver=letsencrypt"
+ #- "traefik.http.routers.to-matrix-wellknown.middlewares=cors-headers@docker"
- - "traefik.http.routers.to-matrix-wellknown.rule=Host(`<SUBDOMAIN>.<DOMAIN>`) && PathPrefix(`/.well-known/matrix`)"
- - "traefik.http.routers.to-matrix-wellknown.tls=true"
- - "traefik.http.routers.to-matrix-wellknown.tls.certresolver=letsencrypt"
- - "traefik.http.routers.to-matrix-wellknown.middlewares=cors-headers@docker"
+ ### Uncomment this if you uncommented Element-Web App in the docker-compose.yml
+ # element-web:
+ # labels:
+ # - "traefik.enable=true"
+ # - "traefik.docker.network=proxy" # Change this to the name of your Traefik docker proxy network
- - "traefik.http.middlewares.cors-headers.headers.accessControlAllowOriginList=*"
- - "traefik.http.middlewares.cors-headers.headers.accessControlAllowHeaders=Origin, X-Requested-With, Content-Type, Accept, Authorization"
- - "traefik.http.middlewares.cors-headers.headers.accessControlAllowMethods=GET, POST, PUT, DELETE, OPTIONS"
+ # - "traefik.http.routers.to-element-web.rule=Host(`<SUBDOMAIN>.<DOMAIN>`)" # Change to the address on which Element-Web is hosted
+ # - "traefik.http.routers.to-element-web.tls=true"
+ # - "traefik.http.routers.to-element-web.tls.certresolver=letsencrypt"
+# vim: ts=2:sw=2:expandtab
- ### Uncomment this if you uncommented Element-Web App in the docker-compose.yml
- # element-web:
- # labels:
- # - "traefik.enable=true"
- # - "traefik.docker.network=proxy" # Change this to the name of your Traefik docker proxy network
-
- # - "traefik.http.routers.to-element-web.rule=Host(`<SUBDOMAIN>.<DOMAIN>`)" # Change to the address on which Element-Web is hosted
- # - "traefik.http.routers.to-element-web.tls=true"
- # - "traefik.http.routers.to-element-web.tls.certresolver=letsencrypt"
diff --git a/docs/deploying/docker-compose.with-traefik.yml b/docs/deploying/docker-compose.with-traefik.yml
index 79d20051..f05006a5 100644
--- a/docs/deploying/docker-compose.with-traefik.yml
+++ b/docs/deploying/docker-compose.with-traefik.yml
@@ -1,42 +1,52 @@
# conduwuit - Behind Traefik Reverse Proxy
services:
- homeserver:
- ### If you already built the conduwuit image with 'docker build' or want to use the Docker Hub image,
- ### then you are ready to go.
- image: girlbossceo/conduwuit:latest
- restart: unless-stopped
- volumes:
- - db:/srv/conduwuit/.local/share/conduwuit
- #- ./conduwuit.toml:/etc/conduwuit.toml
- networks:
- - proxy
- environment:
- CONDUWUIT_SERVER_NAME: your.server.name # EDIT THIS
- CONDUWUIT_TRUSTED_SERVERS: '["matrix.org"]'
- CONDUWUIT_ALLOW_REGISTRATION : 'true'
- #CONDUWUIT_CONFIG: '/etc/conduwuit.toml' # Uncomment if you mapped config toml above
- ### Uncomment and change values as desired
- # CONDUWUIT_ADDRESS: 0.0.0.0
- # CONDUWUIT_PORT: 6167
- # CONDUWUIT_LOG: info # default is: "warn,state_res=warn"
- # CONDUWUIT_ALLOW_JAEGER: 'false'
- # CONDUWUIT_ALLOW_ENCRYPTION: 'true'
- # CONDUWUIT_ALLOW_FEDERATION: 'true'
- # CONDUWUIT_ALLOW_CHECK_FOR_UPDATES: 'true'
- # CONDUWUIT_DATABASE_PATH: /srv/conduwuit/.local/share/conduwuit
- # CONDUWUIT_WORKERS: 10
- # CONDUWUIT_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
+ homeserver:
+ ### If you already built the conduwuit image with 'docker build' or want to use the Docker Hub image,
+ ### then you are ready to go.
+ image: girlbossceo/conduwuit:latest
+ restart: unless-stopped
+ volumes:
+ - db:/var/lib/conduwuit
+ #- ./conduwuit.toml:/etc/conduwuit.toml
+ networks:
+ - proxy
+ environment:
+ CONDUWUIT_SERVER_NAME: your.server.name.example # EDIT THIS
+ CONDUWUIT_TRUSTED_SERVERS: '["matrix.org"]'
+ CONDUWUIT_ALLOW_REGISTRATION: 'false' # After setting a secure registration token, you can enable this
+ CONDUWUIT_REGISTRATION_TOKEN: # This is a token you can use to register on the server
+ CONDUWUIT_ADDRESS: 0.0.0.0
+ CONDUWUIT_PORT: 6167 # you need to match this with the traefik load balancer label if you're want to change it
+ CONDUWUIT_DATABASE_PATH: /var/lib/conduwuit
+ #CONDUWUIT_CONFIG: '/etc/conduit.toml' # Uncomment if you mapped config toml above
+ ### Uncomment and change values as desired, note that conduwuit has plenty of config options, so you should check out the example example config too
+ # Available levels are: error, warn, info, debug, trace - more info at: https://docs.rs/env_logger/*/env_logger/#enabling-logging
+ # CONDUWUIT_LOG: info # default is: "warn,state_res=warn"
+ # CONDUWUIT_ALLOW_JAEGER: 'false'
+ # CONDUWUIT_ALLOW_ENCRYPTION: 'true'
+ # CONDUWUIT_ALLOW_FEDERATION: 'true'
+ # CONDUWUIT_ALLOW_CHECK_FOR_UPDATES: 'true'
+ # CONDUWUIT_ALLOW_INCOMING_PRESENCE: true
+ # CONDUWUIT_ALLOW_OUTGOING_PRESENCE: true
+ # CONDUWUIT_ALLOW_LOCAL_PRESENCE: true
+ # CONDUWUIT_WORKERS: 10
+ # CONDUWUIT_MAX_REQUEST_SIZE: 20_000_000 # in bytes, ~20 MB
+ # CONDUWUIT_NEW_USER_DISPLAYNAME_SUFFIX = "🏳<200d>⚧"
- # We need some way to server the client and server .well-known json. The simplest way is to use a nginx container
- # to serve those two as static files. If you want to use a different way, delete or comment the below service, here
- # and in the docker compose override file.
- well-known:
- image: nginx:latest
- restart: unless-stopped
- volumes:
- - ./nginx/matrix.conf:/etc/nginx/conf.d/matrix.conf # the config to serve the .well-known/matrix files
- - ./nginx/www:/var/www/ # location of the client and server .well-known-files
+ # We need some way to serve the client and server .well-known json. The simplest way is via the CONDUWUIT_WELL_KNOWN
+ # variable / config option, there are multiple ways to do this, e.g. in the conduwuit.toml file, and in a seperate
+ # reverse proxy, but since you do not have a reverse proxy and following this guide, this example is included
+ CONDUWUIT_WELL_KNOWN: |
+ {
+ client=https://your.server.name.example,
+ server=your.server.name.example:443
+ }
+ #cpuset: "0-4" # Uncomment to limit to specific CPU cores
+ ulimits: # conduwuit uses quite a few file descriptors, and on some systems it defaults to 1024, so you can tell docker to increase it
+ nofile:
+ soft: 1048567
+ hard: 1048567
### Uncomment if you want to use your own Element-Web App.
### Note: You need to provide a config.json for Element and you also need a second
@@ -52,29 +62,79 @@ services:
# depends_on:
# - homeserver
- traefik:
- image: "traefik:latest"
- container_name: "traefik"
- restart: "unless-stopped"
- ports:
- - "80:80"
- - "443:443"
- volumes:
- - "/var/run/docker.sock:/var/run/docker.sock"
- # - "./traefik_config:/etc/traefik"
- - "acme:/etc/traefik/acme"
- labels:
- - "traefik.enable=true"
+ traefik:
+ image: "traefik:latest"
+ container_name: "traefik"
+ restart: "unless-stopped"
+ ports:
+ - "80:80"
+ - "443:443"
+ volumes:
+ - "/var/run/docker.sock:/var/run/docker.sock:z"
+ - "acme:/etc/traefik/acme"
+ #- "./traefik_config:/etc/traefik:z"
+ labels:
+ - "traefik.enable=true"
- # middleware redirect
- - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
- # global redirect to https
- - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
- - "traefik.http.routers.redirs.entrypoints=http"
- - "traefik.http.routers.redirs.middlewares=redirect-to-https"
+ # middleware redirect
+ - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+ # global redirect to https
+ - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
+ - "traefik.http.routers.redirs.entrypoints=web"
+ - "traefik.http.routers.redirs.middlewares=redirect-to-https"
- networks:
- - proxy
+ configs:
+ - source: dynamic.yml
+ target: /etc/traefik/dynamic.yml
+
+ environment:
+ TRAEFIK_LOG_LEVEL: DEBUG
+ TRAEFIK_ENTRYPOINTS_WEB: true
+ TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ":80"
+ TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_TO: websecure
+
+ TRAEFIK_ENTRYPOINTS_WEBSECURE: true
+ TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS: ":443"
+ TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_CERTRESOLVER: letsencrypt
+ #TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_MIDDLEWARES: secureHeaders@file # if you want to enabled STS
+
+ TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT: true
+ TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL: # Set this to the email you want to receive certificate expiration emails for
+ TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_KEYTYPE: EC384
+ TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE: true
+ TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE_ENTRYPOINT: web
+ TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_STORAGE: "/etc/traefik/acme/acme.json"
+
+ TRAEFIK_PROVIDERS_DOCKER: true
+ TRAEFIK_PROVIDERS_DOCKER_ENDPOINT: "unix:///var/run/docker.sock"
+ TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: false
+
+ TRAEFIK_PROVIDERS_FILE: true
+ TRAEFIK_PROVIDERS_FILE_FILENAME: "/etc/traefik/dynamic.yml"
+
+configs:
+ dynamic.yml:
+ content: |
+ # Optionally set STS headers, like in https://hstspreload.org
+ # http:
+ # middlewares:
+ # secureHeaders:
+ # headers:
+ # forceSTSHeader: true
+ # stsIncludeSubdomains: true
+ # stsPreload: true
+ # stsSeconds: 31536000
+ tls:
+ options:
+ default:
+ cipherSuites:
+ - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+ - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+ minVersion: VersionTLS12
volumes:
db:
@@ -82,3 +142,5 @@ volumes:
networks:
proxy:
+
+# vim: ts=2:sw=2:expandtab