deploying: make traefik config self-sufficient, include well known

This commit is contained in:
morguldir 2024-08-31 14:08:31 +02:00
parent b45df5f7bd
commit 7b852352e5
No known key found for this signature in database
GPG key ID: 5A6025D4F6E7A8A3
3 changed files with 189 additions and 128 deletions


@ -1,40 +1,44 @@
# conduwuit - Behind Traefik Reverse Proxy # conduwuit - Behind Traefik Reverse Proxy
services: services:
homeserver: homeserver:
### If you already built the conduduwit image with 'docker build' or want to use the Docker Hub image, ### If you already built the conduduwit image with 'docker build' or want to use the Docker Hub image,
### then you are ready to go. ### then you are ready to go.
image: girlbossceo/conduwuit:latest image: girlbossceo/conduwuit:latest
restart: unless-stopped restart: unless-stopped
volumes: volumes:
- db:/var/lib/conduwuit - db:/var/lib/conduwuit
#- ./conduwuit.toml:/etc/conduwuit.toml #- ./conduwuit.toml:/etc/conduwuit.toml
networks: networks:
- proxy - proxy
environment: environment:
CONDUWUIT_SERVER_NAME: your.server.name # EDIT THIS CONDUWUIT_SERVER_NAME: your.server.name.example # EDIT THIS
CONDUWUIT_DATABASE_PATH: /var/lib/conduwuit CONDUWUIT_DATABASE_PATH: /var/lib/conduwuit
CONDUWUIT_DATABASE_BACKEND: rocksdb CONDUWUIT_DATABASE_BACKEND: rocksdb
CONDUWUIT_PORT: 6167 CONDUWUIT_PORT: 6167 # should match the loadbalancer traefik label
CONDUWUIT_MAX_REQUEST_SIZE: 20_000_000 # in bytes, ~20 MB CONDUWUIT_MAX_REQUEST_SIZE: 20_000_000 # in bytes, ~20 MB
CONDUWUIT_ALLOW_REGISTRATION: 'true' CONDUWUIT_ALLOW_REGISTRATION: 'true'
CONDUWUIT_ALLOW_FEDERATION: 'true' CONDUWUIT_ALLOW_FEDERATION: 'true'
CONDUWUIT_ALLOW_CHECK_FOR_UPDATES: 'true' CONDUWUIT_ALLOW_CHECK_FOR_UPDATES: 'true'
CONDUWUIT_TRUSTED_SERVERS: '["matrix.org"]' CONDUWUIT_TRUSTED_SERVERS: '["matrix.org"]'
#CONDUWUIT_LOG: warn,state_res=warn #CONDUWUIT_LOG: warn,state_res=warn
CONDUWUIT_ADDRESS: 0.0.0.0 CONDUWUIT_ADDRESS: 0.0.0.0
#CONDUWUIT_CONFIG: '/etc/conduwuit.toml' # Uncomment if you mapped config toml above #CONDUWUIT_CONFIG: '/etc/conduwuit.toml' # Uncomment if you mapped config toml above
#cpuset: "0-4" # Uncomment to limit to specific CPU cores
# We need some way to serve the client and server .well-known json. The simplest way is via the CONDUWUIT_WELL_KNOWN
# variable / config option, there are multiple ways to do this, e.g. in the conduwuit.toml file, and in a seperate
# see the override file for more information about delegation
CONDUWUIT_WELL_KNOWN: |
{
client=https://your.server.name.example,
server=your.server.name.example:443
}
#cpuset: "0-4" # Uncomment to limit to specific CPU cores
ulimits: # conduwuit uses quite a few file descriptors, and on some systems it defaults to 1024, so you can tell docker to increase it
nofile:
soft: 1048567
hard: 1048567
# We need some way to server the client and server .well-known json. The simplest way is to use a nginx container
# to serve those two as static files. If you want to use a different way, delete or comment the below service, here
# and in the docker compose override file.
well-known:
image: nginx:latest
restart: unless-stopped
volumes:
- ./nginx/matrix.conf:/etc/nginx/conf.d/matrix.conf # the config to serve the .well-known/matrix files
- ./nginx/www:/var/www/ # location of the client and server .well-known-files
### Uncomment if you want to use your own Element-Web App. ### Uncomment if you want to use your own Element-Web App.
### Note: You need to provide a config.json for Element and you also need a second ### Note: You need to provide a config.json for Element and you also need a second
### Domain or Subdomain for the communication between Element and conduwuit ### Domain or Subdomain for the communication between Element and conduwuit
@ -50,10 +54,12 @@ services:
# - homeserver # - homeserver
volumes: volumes:
db: db:
networks: networks:
# This is the network Traefik listens to, if your network has a different # This is the network Traefik listens to, if your network has a different
# name, don't forget to change it here and in the docker-compose.override.yml # name, don't forget to change it here and in the docker-compose.override.yml
proxy: proxy:
external: true external: true
# vim: ts=2:sw=2:expandtab
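Review bot: `CONDUWUIT_ALLOW_REGISTRATION: 'true'` is left unchanged in this file while the with-traefik compose in the same commit switches it to `'false'` paired with a `CONDUWUIT_REGISTRATION_TOKEN`, so the for-traefik variant still ships a federating homeserver with open registration; the same `CONDUWUIT_ALLOW_REGISTRATION: 'false'` / `CONDUWUIT_REGISTRATION_TOKEN: "CHANGEME"  # EDIT THIS` pair belongs here too. The new comment block stops mid-sentence at `# variable / config option, … and in a seperate` ("separate"); the sibling file finishes it with "reverse proxy", and that wording should be carried over so the reader knows what the alternative is. The `CONDUWUIT_WELL_KNOWN: |` block scalar keeps its line breaks, so the value conduwuit receives is a four-line string rather than the inline `{client=…,server=…}` form; if the env parser expects a single line, `>-` would fold it, which is worth confirming against how conduwuit reads this variable.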


@ -1,44 +1,37 @@
# conduwuit - Traefik Reverse Proxy Labels # conduwuit - Traefik Reverse Proxy Labels
services: services:
homeserver: homeserver:
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.docker.network=proxy" # Change this to the name of your Traefik docker proxy network - "traefik.docker.network=proxy" # Change this to the name of your Traefik docker proxy network
- "traefik.http.routers.to-conduwuit.rule=Host(`<SUBDOMAIN>.<DOMAIN>`)" # Change to the address on which conduwuit is hosted - "traefik.http.routers.to-conduwuit.rule=Host(`<SUBDOMAIN>.<DOMAIN>`)" # Change to the address on which conduwuit is hosted
- "traefik.http.routers.to-conduwuit.tls=true" - "traefik.http.routers.to-conduwuit.tls=true"
- "traefik.http.routers.to-conduwuit.tls.certresolver=letsencrypt" - "traefik.http.routers.to-conduwuit.tls.certresolver=letsencrypt"
- "traefik.http.routers.to-conduwuit.middlewares=cors-headers@docker" - "traefik.http.routers.to-conduwuit.middlewares=cors-headers@docker"
- "traefik.http.services.to_conduwuit.loadbalancer.server.port=6167"
- "traefik.http.middlewares.cors-headers.headers.accessControlAllowOriginList=*" - "traefik.http.middlewares.cors-headers.headers.accessControlAllowOriginList=*"
- "traefik.http.middlewares.cors-headers.headers.accessControlAllowHeaders=Origin, X-Requested-With, Content-Type, Accept, Authorization" - "traefik.http.middlewares.cors-headers.headers.accessControlAllowHeaders=Origin, X-Requested-With, Content-Type, Accept, Authorization"
- "traefik.http.middlewares.cors-headers.headers.accessControlAllowMethods=GET, POST, PUT, DELETE, OPTIONS" - "traefik.http.middlewares.cors-headers.headers.accessControlAllowMethods=GET, POST, PUT, DELETE, OPTIONS"
# We need some way to server the client and server .well-known json. The simplest way is to use a nginx container # If you want to have your account on <DOMAIN>, but host conduwuit on a subdomain,
# to serve those two as static files. If you want to use a different way, delete or comment the below service, here # you can let it only handle the well known file on that domain instead
# and in the docker compose file. #- "traefik.http.routers.to-matrix-wellknown.rule=Host(`<DOMAIN>`) && PathPrefix(`/.well-known/matrix`)"
well-known: #- "traefik.http.routers.to-matrix-wellknown.tls=true"
labels: #- "traefik.http.routers.to-matrix-wellknown.tls.certresolver=letsencrypt"
- "traefik.enable=true" #- "traefik.http.routers.to-matrix-wellknown.middlewares=cors-headers@docker"
- "traefik.docker.network=proxy"
- "traefik.http.routers.to-matrix-wellknown.rule=Host(`<SUBDOMAIN>.<DOMAIN>`) && PathPrefix(`/.well-known/matrix`)" ### Uncomment this if you uncommented Element-Web App in the docker-compose.yml
- "traefik.http.routers.to-matrix-wellknown.tls=true" # element-web:
- "traefik.http.routers.to-matrix-wellknown.tls.certresolver=letsencrypt" # labels:
- "traefik.http.routers.to-matrix-wellknown.middlewares=cors-headers@docker" # - "traefik.enable=true"
# - "traefik.docker.network=proxy" # Change this to the name of your Traefik docker proxy network
- "traefik.http.middlewares.cors-headers.headers.accessControlAllowOriginList=*" # - "traefik.http.routers.to-element-web.rule=Host(`<SUBDOMAIN>.<DOMAIN>`)" # Change to the address on which Element-Web is hosted
- "traefik.http.middlewares.cors-headers.headers.accessControlAllowHeaders=Origin, X-Requested-With, Content-Type, Accept, Authorization" # - "traefik.http.routers.to-element-web.tls=true"
- "traefik.http.middlewares.cors-headers.headers.accessControlAllowMethods=GET, POST, PUT, DELETE, OPTIONS" # - "traefik.http.routers.to-element-web.tls.certresolver=letsencrypt"
# vim: ts=2:sw=2:expandtab
### Uncomment this if you uncommented Element-Web App in the docker-compose.yml
# element-web:
# labels:
# - "traefik.enable=true"
# - "traefik.docker.network=proxy" # Change this to the name of your Traefik docker proxy network
# - "traefik.http.routers.to-element-web.rule=Host(`<SUBDOMAIN>.<DOMAIN>`)" # Change to the address on which Element-Web is hosted
# - "traefik.http.routers.to-element-web.tls=true"
# - "traefik.http.routers.to-element-web.tls.certresolver=letsencrypt"
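Review bot: The added `traefik.http.services.to_conduwuit.loadbalancer.server.port=6167` label names the service `to_conduwuit` while every router label on the container uses `to-conduwuit`; Traefik binds them only because the container defines exactly one service, so the pairing silently breaks as soon as a second service label is added. Use one spelling, `traefik.http.services.to-conduwuit.loadbalancer.server.port=6167`, and pin it with `traefik.http.routers.to-conduwuit.service=to-conduwuit` so the binding does not depend on the implicit single-service rule. The commented well-known delegation router likewise carries no `.service` label, so it would need the same explicit line when uncommented; a short comment next to it saying that the apex-domain router reuses the homeserver service would save the reader a guess.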


@ -1,42 +1,52 @@
# conduwuit - Behind Traefik Reverse Proxy # conduwuit - Behind Traefik Reverse Proxy
services: services:
homeserver: homeserver:
### If you already built the conduwuit image with 'docker build' or want to use the Docker Hub image, ### If you already built the conduwuit image with 'docker build' or want to use the Docker Hub image,
### then you are ready to go. ### then you are ready to go.
image: girlbossceo/conduwuit:latest image: girlbossceo/conduwuit:latest
restart: unless-stopped restart: unless-stopped
volumes: volumes:
- db:/srv/conduwuit/.local/share/conduwuit - db:/var/lib/conduwuit
#- ./conduwuit.toml:/etc/conduwuit.toml #- ./conduwuit.toml:/etc/conduwuit.toml
networks: networks:
- proxy - proxy
environment: environment:
CONDUWUIT_SERVER_NAME: your.server.name # EDIT THIS CONDUWUIT_SERVER_NAME: your.server.name.example # EDIT THIS
CONDUWUIT_TRUSTED_SERVERS: '["matrix.org"]' CONDUWUIT_TRUSTED_SERVERS: '["matrix.org"]'
CONDUWUIT_ALLOW_REGISTRATION : 'true' CONDUWUIT_ALLOW_REGISTRATION: 'false' # After setting a secure registration token, you can enable this
#CONDUWUIT_CONFIG: '/etc/conduwuit.toml' # Uncomment if you mapped config toml above CONDUWUIT_REGISTRATION_TOKEN: # This is a token you can use to register on the server
### Uncomment and change values as desired CONDUWUIT_ADDRESS: 0.0.0.0
# CONDUWUIT_ADDRESS: 0.0.0.0 CONDUWUIT_PORT: 6167 # you need to match this with the traefik load balancer label if you're want to change it
# CONDUWUIT_PORT: 6167 CONDUWUIT_DATABASE_PATH: /var/lib/conduwuit
# CONDUWUIT_LOG: info # default is: "warn,state_res=warn" #CONDUWUIT_CONFIG: '/etc/conduit.toml' # Uncomment if you mapped config toml above
# CONDUWUIT_ALLOW_JAEGER: 'false' ### Uncomment and change values as desired, note that conduwuit has plenty of config options, so you should check out the example example config too
# CONDUWUIT_ALLOW_ENCRYPTION: 'true' # Available levels are: error, warn, info, debug, trace - more info at: https://docs.rs/env_logger/*/env_logger/#enabling-logging
# CONDUWUIT_ALLOW_FEDERATION: 'true' # CONDUWUIT_LOG: info # default is: "warn,state_res=warn"
# CONDUWUIT_ALLOW_CHECK_FOR_UPDATES: 'true' # CONDUWUIT_ALLOW_JAEGER: 'false'
# CONDUWUIT_DATABASE_PATH: /srv/conduwuit/.local/share/conduwuit # CONDUWUIT_ALLOW_ENCRYPTION: 'true'
# CONDUWUIT_WORKERS: 10 # CONDUWUIT_ALLOW_FEDERATION: 'true'
# CONDUWUIT_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB # CONDUWUIT_ALLOW_CHECK_FOR_UPDATES: 'true'
# CONDUWUIT_ALLOW_INCOMING_PRESENCE: true
# CONDUWUIT_ALLOW_OUTGOING_PRESENCE: true
# CONDUWUIT_ALLOW_LOCAL_PRESENCE: true
# CONDUWUIT_WORKERS: 10
# CONDUWUIT_MAX_REQUEST_SIZE: 20_000_000 # in bytes, ~20 MB
# CONDUWUIT_NEW_USER_DISPLAYNAME_SUFFIX = "🏳<200d>⚧"
# We need some way to server the client and server .well-known json. The simplest way is to use a nginx container # We need some way to serve the client and server .well-known json. The simplest way is via the CONDUWUIT_WELL_KNOWN
# to serve those two as static files. If you want to use a different way, delete or comment the below service, here # variable / config option, there are multiple ways to do this, e.g. in the conduwuit.toml file, and in a seperate
# and in the docker compose override file. # reverse proxy, but since you do not have a reverse proxy and following this guide, this example is included
well-known: CONDUWUIT_WELL_KNOWN: |
image: nginx:latest {
restart: unless-stopped client=https://your.server.name.example,
volumes: server=your.server.name.example:443
- ./nginx/matrix.conf:/etc/nginx/conf.d/matrix.conf # the config to serve the .well-known/matrix files }
- ./nginx/www:/var/www/ # location of the client and server .well-known-files #cpuset: "0-4" # Uncomment to limit to specific CPU cores
ulimits: # conduwuit uses quite a few file descriptors, and on some systems it defaults to 1024, so you can tell docker to increase it
nofile:
soft: 1048567
hard: 1048567
### Uncomment if you want to use your own Element-Web App. ### Uncomment if you want to use your own Element-Web App.
### Note: You need to provide a config.json for Element and you also need a second ### Note: You need to provide a config.json for Element and you also need a second
@ -52,29 +62,79 @@ services:
# depends_on: # depends_on:
# - homeserver # - homeserver
traefik: traefik:
image: "traefik:latest" image: "traefik:latest"
container_name: "traefik" container_name: "traefik"
restart: "unless-stopped" restart: "unless-stopped"
ports: ports:
- "80:80" - "80:80"
- "443:443" - "443:443"
volumes: volumes:
- "/var/run/docker.sock:/var/run/docker.sock" - "/var/run/docker.sock:/var/run/docker.sock:z"
# - "./traefik_config:/etc/traefik" - "acme:/etc/traefik/acme"
- "acme:/etc/traefik/acme" #- "./traefik_config:/etc/traefik:z"
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
# middleware redirect # middleware redirect
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https" - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
# global redirect to https # global redirect to https
- "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)" - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
- "traefik.http.routers.redirs.entrypoints=http" - "traefik.http.routers.redirs.entrypoints=web"
- "traefik.http.routers.redirs.middlewares=redirect-to-https" - "traefik.http.routers.redirs.middlewares=redirect-to-https"
networks: configs:
- proxy - source: dynamic.yml
target: /etc/traefik/dynamic.yml
environment:
TRAEFIK_LOG_LEVEL: DEBUG
TRAEFIK_ENTRYPOINTS_WEB: true
TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ":80"
TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_TO: websecure
TRAEFIK_ENTRYPOINTS_WEBSECURE: true
TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS: ":443"
TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_CERTRESOLVER: letsencrypt
#TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_MIDDLEWARES: secureHeaders@file # if you want to enabled STS
TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT: true
TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL: # Set this to the email you want to receive certificate expiration emails for
TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_KEYTYPE: EC384
TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE: true
TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE_ENTRYPOINT: web
TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_STORAGE: "/etc/traefik/acme/acme.json"
TRAEFIK_PROVIDERS_DOCKER: true
TRAEFIK_PROVIDERS_DOCKER_ENDPOINT: "unix:///var/run/docker.sock"
TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: false
TRAEFIK_PROVIDERS_FILE: true
TRAEFIK_PROVIDERS_FILE_FILENAME: "/etc/traefik/dynamic.yml"
configs:
dynamic.yml:
content: |
# Optionally set STS headers, like in https://hstspreload.org
# http:
# middlewares:
# secureHeaders:
# headers:
# forceSTSHeader: true
# stsIncludeSubdomains: true
# stsPreload: true
# stsSeconds: 31536000
tls:
options:
default:
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
minVersion: VersionTLS12
volumes: volumes:
db: db:
@ -82,3 +142,5 @@ volumes:
networks: networks:
proxy: proxy:
# vim: ts=2:sw=2:expandtab
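Review bot: `TRAEFIK_LOG_LEVEL: DEBUG` in the traefik environment ships this copy-as-is example with debug logging on, and the docker socket is mounted read-write at `/var/run/docker.sock:/var/run/docker.sock:z`; `TRAEFIK_LOG_LEVEL: INFO` and `/var/run/docker.sock:/var/run/docker.sock:ro,z` are the safer defaults, with a comment noting that a read-only bind does not by itself restrict what Traefik can do through the Docker API. The bare values `CONDUWUIT_REGISTRATION_TOKEN:` and `TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL:` parse as YAML null rather than an empty string, so a quoted placeholder such as `CONDUWUIT_REGISTRATION_TOKEN: "CHANGEME"  # EDIT THIS` makes it explicit that the token must be set before `CONDUWUIT_ALLOW_REGISTRATION` is turned back on. The commented `#CONDUWUIT_CONFIG: '/etc/conduit.toml'` no longer matches the volume mapping `./conduwuit.toml:/etc/conduwuit.toml` above it, and the commented `CONDUWUIT_NEW_USER_DISPLAYNAME_SUFFIX = "…"` uses `=` instead of `:`, so both lines fail the moment a user uncomments them. The entrypoint-level `TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_TO: websecure` already redirects all plain-HTTP traffic, which makes the `redirs` router and `redirect-to-https` middleware labels on the same container redundant; keeping one mechanism leaves a single place to maintain the redirect.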