

2 commits

Author SHA1 Message Date
kjg
c3edc04869 [matrix] update worker and redis for Task#12025 2023-09-26 17:01:41 +00:00
root
84c358a5df [matrix] update worker and redis for Task#12025 2023-09-26 17:00:39 +00:00
12 changed files with 479 additions and 16 deletions


@ -1,7 +1,12 @@
homeServerFQDN=homeServerFQDN.sample.matrix.ungleich.cloud homeServerFQDN=tws-matrix.ungleich.cloud
synapseFQDN=synapse.sample.matrix.ungleich.cloud synapseFQDN=synapse.tws-matrix.ungleich.cloud
elementWebFQDN=elementWebFQDN.sample.matrix.ungleich.cloud elementWebFQDN=chat.tws-matrix.ungleich.cloud
dbuser=synapse dbuser=synapse
dbhost= dbhost=postgres.tws-matrix.ungleich.cloud
dbpassword=NEEDTOSETPASSWORD dbpassword=NEEDTOSETPASSWORD
dbname=synapse dbname=synapse
DOMAIN=synapse.tws-matrix.ungleich.cloud
EMAIL=technik@ungleich.ch
STAGING=no
redishost=redis-node1.ungleich.cloud
redisport=7300
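Review bot: The new `redishost=redis-node1.ungleich.cloud` / `redisport=7300` pair points Synapse at a Redis node on another host, but no `redispassword` (or TLS) variable is introduced with it, so the worker replication stream appears to cross the network unauthenticated unless that Redis instance is firewalled to this machine. Consider adding `redispassword=NEEDTOSETPASSWORD` here and wiring it into Synapse's `redis.password`, or running Redis locally as the commented-out compose service would. `dbpassword=NEEDTOSETPASSWORD` is unchanged by this commit and is presumably substituted at deploy time; a one-line comment saying so would stop someone from deploying the placeholder.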


@ -0,0 +1,11 @@
server {
listen *:80;
listen [::]:80;
server_name _;
# Everything else -> ssl
location / {
return 301 https://$host$request_uri;
}
}
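Review bot: The redirect `return 301 https://$host$request_uri;` under a catch-all `server_name _;` reflects whatever Host header the client sent into the Location header, so this listener behaves as a low-severity open redirect (`Host: evil.example` yields `Location: https://evil.example/...`). Restrict it to the names this deployment actually serves, e.g. `server_name tws-matrix.ungleich.cloud synapse.tws-matrix.ungleich.cloud chat.tws-matrix.ungleich.cloud;`, and add a separate `default_server` block on port 80 that returns 444 for anything else. If the commented-out certbot container in the compose file is ever re-enabled for HTTP-01 challenges, `/.well-known/acme-challenge/` would also need to be excluded from this redirect.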


@ -0,0 +1,26 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name chat.tws-matrix.ungleich.cloud;
ssl_certificate /etc/letsencrypt/live/chat.tws-matrix.ungleich.cloud/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/chat.tws-matrix.ungleich.cloud/privkey.pem;
client_max_body_size 512m;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "frame-ancestors 'none'";
proxy_pass http://localhost:8080;
}
}
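Review bot: The two framing headers in `location /` contradict each other: `add_header X-Frame-Options SAMEORIGIN;` allows same-origin framing while `Content-Security-Policy "frame-ancestors 'none'"` forbids all framing, and CSP-aware browsers apply the stricter rule, so the X-Frame-Options value is misleading; align them with `add_header X-Frame-Options DENY;`. Since this host is TLS-only, add `add_header Strict-Transport-Security "max-age=63072000" always;` so a returning client cannot be downgraded through the port-80 redirect. Note that nginx's `add_header` only fires on 2xx/3xx responses unless `always` is given, so all of these security headers disappear on a 5xx from the element container. `X-XSS-Protection` is obsolete in current browsers and can be dropped.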


@ -0,0 +1,26 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/tws-matrix.ungleich.cloud/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/tws-matrix.ungleich.cloud/privkey.pem;
server_name tws-matrix.ungleich.cloud;
proxy_buffering off;
location /.well-known/matrix/server {
default_type application/json;
return 200 '{"m.server": "synapse.tws-matrix.ungleich.cloud:443" }';
}
location /.well-known/matrix/client {
default_type application/json;
return 200 '{ "m.homeserver": { "base_url": "https://synapse.tws-matrix.ungleich.cloud" } }';
}
location / {
proxy_buffering off;
client_max_body_size 512M;
return 301 https://chat.tws-matrix.ungleich.cloud;
}
}
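Review bot: The `/.well-known/matrix/client` response carries no CORS header, and because Element Web is served from `chat.tws-matrix.ungleich.cloud` while this file serves `tws-matrix.ungleich.cloud`, a browser client doing server discovery against the base domain will be blocked by the same-origin policy unless the location also emits `add_header Access-Control-Allow-Origin *;` (the Matrix spec expects it on this endpoint). `proxy_buffering off;` and `client_max_body_size 512M;` inside `location /` are dead configuration, as that location only issues a redirect and never proxies anything. The redirect also drops `$request_uri`; if that is intentional, a short comment would save the next reader from "fixing" it.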


@ -0,0 +1,126 @@
upstream synapse_master {
server localhost:8008;
}
upstream synapse_federation {
server localhost:8082;
}
upstream synapse_generic {
server localhost:8081;
}
map $request_uri $synapse_backend {
default synapse_master;
# Sync requests
~*^/_matrix/client/(r0|v3)/sync$ synapse_generic;
~*^/_matrix/client/(api/v1|r0|v3)/events$ synapse_generic;
~*^/_matrix/client/(api/v1|r0|v3)/initialSync$ synapse_generic;
~*^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$ synapse_generic;
# Federation requests
~*^/_matrix/federation/v1/event/ synapse_federation;
~*^/_matrix/federation/v1/state/ synapse_federation;
~*^/_matrix/federation/v1/state_ids/ synapse_federation;
~*^/_matrix/federation/v1/backfill/ synapse_federation;
~*^/_matrix/federation/v1/get_missing_events/ synapse_federation;
~*^/_matrix/federation/v1/publicRooms synapse_federation;
~*^/_matrix/federation/v1/query/ synapse_federation;
~*^/_matrix/federation/v1/make_join/ synapse_federation;
~*^/_matrix/federation/v1/make_leave/ synapse_federation;
~*^/_matrix/federation/(v1|v2)/send_join/ synapse_federation;
~*^/_matrix/federation/(v1|v2)/send_leave/ synapse_federation;
~*^/_matrix/federation/(v1|v2)/invite/ synapse_federation;
~*^/_matrix/federation/v1/event_auth/ synapse_federation;
~*^/_matrix/federation/v1/exchange_third_party_invite/ synapse_federation;
~*^/_matrix/federation/v1/user/devices/ synapse_federation;
~*^/_matrix/key/v2/query synapse_federation;
~*^/_matrix/federation/v1/hierarchy/ synapse_federation;
# Inbound federation transaction request
~*^/_matrix/federation/v1/send/ synapse_federation;
# Client API requests
~*^/_matrix/client/(api/v1|r0|v3|unstable)/createRoom$ synapse_generic;
~*^/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms$ synapse_generic;
~*^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members$ synapse_generic;
~*^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/.*$ synapse_generic;
~*^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$ synapse_generic;
~*^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$ synapse_generic;
~*^/_matrix/client/v1/rooms/.*/hierarchy$ synaspe_generic;
~*^/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$ synapse_generic;
~*^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$ synapse_generic;
~*^/_matrix/client/(r0|v3|unstable)/account/3pid$ synapse_generic;
~*^/_matrix/client/(r0|v3|unstable)/account/whoami$ synapse_generic;
~*^/_matrix/client/(r0|v3|unstable)/devices$ synapse_generic;
~*^/_matrix/client/versions$ synapse_generic;
~*^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$ synapse_generic;
~*^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/ synapse_generic;
~*^/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$ synapse_generic;
~*^/_matrix/client/(api/v1|r0|v3|unstable)/search$ synapse_generic;
# Encryption requests
~*^/_matrix/client/(r0|v3|unstable)/keys/query$ synapse_generic;
~*^/_matrix/client/(r0|v3|unstable)/keys/changes$ synapse_generic;
~*^/_matrix/client/(r0|v3|unstable)/keys/claim$ synapse_generic;
~*^/_matrix/client/(r0|v3|unstable)/room_keys/ synapse_generic;
# Registration/login requests
~*^/_matrix/client/(api/v1|r0|v3|unstable)/login$ synapse_generic;
~*^/_matrix/client/(r0|v3|unstable)/register$ synapse_generic;
~*^/_matrix/client/v1/register/m.login.registration_token/validity$ synapse_generic;
# Event sending requests
~*^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact synapse_generic;
~*^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/send synapse_generic;
~*^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/ synapse_generic;
~*^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$ synapse_generic;
~*^/_matrix/client/(api/v1|r0|v3|unstable)/join/ synapse_generic;
~*^/_matrix/client/(api/v1|r0|v3|unstable)/profile/ synapse_generic;
# Account data requests
~*^/_matrix/client/(r0|v3|unstable)/.*/tags synapse_generic;
~*^/_matrix/client/(r0|v3|unstable)/.*/account_data synapse_generic;
# Receipts requests
#~*^/_matrix/client/(r0|v3|unstable)/rooms/.*/receipt synapse_generic;
#~*^/_matrix/client/(r0|v3|unstable)/rooms/.*/read_markers synapse_generic;
# Presence requests
~*^/_matrix/client/(api/v1|r0|v3|unstable)/presence/ synapse_generic;
# User directory search requests
~*^/_matrix/client/(r0|v3|unstable)/user_directory/search$ synapse_generic;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/synapse.tws-matrix.ungleich.cloud/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/synapse.tws-matrix.ungleich.cloud/privkey.pem;
server_name synapse.tws-matrix.ungleich.cloud;
client_max_body_size 512m;
error_page 403 404 /403_404.html;
location = /403_404.html {
default_type application/json;
return 200 'You are not authorized to access this page.';
}
location ~ /_matrix|/_synapse {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_connect_timeout 3600;
proxy_send_timeout 3600;
proxy_read_timeout 3600;
send_timeout 3600;
proxy_pass http://$synapse_backend;
}
}
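Review bot: The `map` at the top of the file keys on `$request_uri`, which in nginx includes the query string, so every pattern anchored with `$` (`/sync$`, `/versions$`, `/members$`, `/publicRooms$`, …) fails to match a real request such as `/_matrix/client/v3/sync?since=…&timeout=30000` and silently falls through to `default synapse_master`, defeating the worker split for exactly the sync traffic it is meant to offload; key the map on the normalized path instead, `map $uri $synapse_backend {`. The `hierarchy` entry also misspells its target as `synaspe_generic`, which is not a declared upstream, so nginx would attempt a runtime DNS lookup for that name and answer 502 on that route. Finally, `location ~ /_matrix|/_synapse` proxies the whole `/_synapse/` tree, including the admin API, to the internet; Synapse's guidance is to expose only `/_synapse/client` publicly, so consider `location ~ ^(/_matrix|/_synapse/client)` and reaching `/_synapse/admin` only from localhost.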


@ -0,0 +1,94 @@
# /etc/nginx/nginx.conf
user nginx;
# Set number of worker processes automatically based on number of CPU cores.
worker_processes auto;
# Enables the use of JIT for regular expressions to speed-up their processing.
pcre_jit on;
# Configures default error logger.
error_log /var/log/nginx/error.log warn;
# Includes files with directives to load dynamic modules.
include /etc/nginx/modules/*.conf;
events {
# The maximum number of simultaneous connections that can be opened by
# a worker process.
worker_connections 1024;
}
http {
server_names_hash_bucket_size 64;
map_hash_bucket_size 128;
# Includes mapping of file name extensions to MIME types of responses
# and defines the default type.
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Name servers used to resolve names of upstream servers into addresses.
# It's also needed when using tcpsocket and udpsocket in Lua modules.
#resolver 208.67.222.222 208.67.220.220;
# Don't tell nginx version to clients.
server_tokens off;
# Specifies the maximum accepted body size of a client request, as
# indicated by the request header Content-Length. If the stated content
# length is greater than this size, then the client receives the HTTP
# error code 413. Set to 0 to disable.
client_max_body_size 1m;
# Timeout for keep-alive connections. Server will close connections after
# this time.
keepalive_timeout 65;
# Sendfile copies data between one FD and other from within the kernel,
# which is more efficient than read() + write().
sendfile on;
# Don't buffer data-sends (disable Nagle algorithm).
# Good for sending frequent small bursts of data in real time.
tcp_nodelay on;
# Causes nginx to attempt to send its HTTP response head in one packet,
# instead of using partial frames.
#tcp_nopush on;
# Path of the file with Diffie-Hellman parameters for EDH ciphers.
#ssl_dhparam /etc/ssl/nginx/dh2048.pem;
# Specifies that our cipher suits should be preferred over client ciphers.
ssl_prefer_server_ciphers on;
# Enables a shared SSL cache with size that can hold around 8000 sessions.
ssl_session_cache shared:SSL:2m;
# Enable gzipping of responses.
#gzip on;
# Set the Vary HTTP header as defined in the RFC 2616.
gzip_vary on;
# Enable checking the existence of precompressed files.
#gzip_static on;
# Specifies the main log format.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
# Sets the path, format, and configuration for a buffered log write.
access_log /var/log/nginx/access.log main;
# Includes virtual hosts configs.
include /etc/nginx/conf.d/*;
}
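Review bot: The `http` block sets `ssl_prefer_server_ciphers on;` but never sets `ssl_protocols` or `ssl_ciphers`, so the TLS versions and suites offered by the three public vhosts are whatever the bundled nginx build defaults to, which on builds older than 1.23.4 may still include TLS 1.0 and 1.1. Pin them explicitly next to the existing line, e.g. `ssl_protocols TLSv1.2 TLSv1.3;` and `ssl_session_tickets off;`, plus a current cipher list for TLS 1.2 clients. The commented-out `#resolver` is only safe because `proxy_pass http://$synapse_backend` is fed names of declared `upstream` blocks; any map value that is not an upstream name becomes a runtime DNS lookup that fails without a resolver, which deserves a comment here so the dependency is visible.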


@ -1,5 +1,19 @@
version: '3' version: '3'
services: services:
#nginx:
# container_name: nginx
# image: ungleich/ungleich-certbot:1.1.4
# restart: unless-stopped
# environment:
# - DOMAIN=${DOMAIN}
# - EMAIL=${EMAIL}
# - STAGING=${STAGING}
# ports:
# - "443:443/tcp"
# volumes:
# - ./conf:/etc/nginx/conf.d
# - ./etcletsencrypt:/etc/letsencrypt
# - ./dconf/nginx.conf:/etc/nginx/nginx.conf
synapse: synapse:
image: matrixdotorg/synapse:latest image: matrixdotorg/synapse:latest
restart: unless-stopped restart: unless-stopped
@ -12,8 +26,12 @@ services:
- DBHOST=${dbhost} - DBHOST=${dbhost}
- DBUSER=${dbuser} - DBUSER=${dbuser}
- DBPASSWORD=${dbpassword} - DBPASSWORD=${dbpassword}
ports: - REDISHOST=${redishost}
- "8008:8008/tcp" - REDISPORT=${redisport}
network_mode: "host"
#ports:
# - "127.0.0.1:8008:8008/tcp"
#- "[::1]:8008:8008/tcp"
volumes: volumes:
- ./synapse:/data - ./synapse:/data
entrypoint: sh -c "/data/homeserver.yaml.sh && chmod -R 777 /data && /start.py" entrypoint: sh -c "/data/homeserver.yaml.sh && chmod -R 777 /data && /start.py"
@ -27,7 +45,52 @@ services:
- ELEMENTWEB=${elementWebFQDN} - ELEMENTWEB=${elementWebFQDN}
volumes: volumes:
- ./element/config.json.sh:/app/config.json.sh - ./element/config.json.sh:/app/config.json.sh
- ./conf:/etc/nginx/conf.d
- ./etcletsencrypt:/etc/letsencrypt
- ./dconf/nginx.conf:/etc/nginx/nginx.conf
command: sh -c "/app/config.json.sh && nginx -g 'daemon off;'" command: sh -c "/app/config.json.sh && nginx -g 'daemon off;'"
#entrypoint: /app/config.json.sh #entrypoint: /app/config.json.sh
ports: network_mode: "host"
- "80:80/tcp" #ports:
# - "443:443/tcp"
# - "80:80/tcp"
#- "127.0.0.1:8080:80/tcp"
#- "[::1]:8080:80/tcp"
synapse-generic-worker-1:
image: matrixdotorg/synapse:latest
container_name: synapse-generic-worker-1
restart: unless-stopped
entrypoint: ["/start.py", "run", "--config-path=/data/homeserver.yaml", "--config-path=/data/workers/synapse-generic-worker-1.yaml"]
healthcheck:
test: ["CMD-SHELL", "curl -fSs http://localhost:8081/health || exit 1"]
start_period: "5s"
interval: "15s"
timeout: "5s"
network_mode: "host"
volumes:
- ./synapse:/data
environment:
SYNAPSE_WORKER: synapse.app.generic_worker
depends_on:
- synapse
synapse-federation-sender-1:
image: matrixdotorg/synapse:latest
container_name: synapse-federation-sender-1
restart: unless-stopped
entrypoint: ["/start.py", "run", "--config-path=/data/homeserver.yaml", "--config-path=/data/workers/synapse-federation-sender-1.yaml"]
healthcheck:
disable: true
network_mode: "host"
volumes:
- ./synapse:/data
environment:
SYNAPSE_WORKER: synapse.app.generic_worker
depends_on:
- synapse
# redis:
# image: "redis:latest"
# restart: "unless-stopped"
# network_mode: "host"
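Review bot: Switching every service to `network_mode: "host"` removes the port-mapping boundary that previously confined Synapse to `127.0.0.1:8008`; the main process is still constrained by the `bind_addresses` change in homeserver.yaml, but the two worker YAMLs added in this commit declare their listeners (8081, 8082, 9081, 9082) with no `bind_addresses`, and Synapse's default for such a listener is all interfaces (`::`/`0.0.0.0`), so unless a host firewall intervenes the worker and replication ports are reachable from the network. Either add localhost `bind_addresses` to each worker listener or keep bridge networking with the `127.0.0.1:`-prefixed port mappings the commented-out lines already sketch. `healthcheck: disable: true` on the federation sender plus `depends_on: [synapse]` (which orders start-up, not readiness) means a sender that cannot reach the main process sits unnoticed; a `/health` probe like the generic worker's is cheap. The pre-existing `chmod -R 777 /data` in the synapse entrypoint is untouched here, but it now makes a `homeserver.yaml` containing the replication secret world-writable.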


@ -0,0 +1,33 @@
version: 1
formatters:
fmt:
format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s'
filters:
context:
(): synapse.logging.context.LoggingContextFilter
request: ""
handlers:
console:
class: logging.StreamHandler
formatter: fmt
filters: [context]
root:
level: INFO
handlers: [console] # to use file handler instead, switch to [file]
loggers:
synapse:
level: INFO
synapse.storage.SQL:
level: INFO
ldap3:
level: INFO
ldap_auth_provider:
level: INFO


@ -0,0 +1,33 @@
version: 1
formatters:
fmt:
format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s'
filters:
context:
(): synapse.logging.context.LoggingContextFilter
request: ""
handlers:
console:
class: logging.StreamHandler
formatter: fmt
filters: [context]
root:
level: INFO
handlers: [console] # to use file handler instead, switch to [file]
loggers:
synapse:
level: INFO
synapse.storage.SQL:
level: INFO
ldap3:
level: INFO
ldap_auth_provider:
level: INFO


@ -286,11 +286,16 @@ listeners:
tls: false tls: false
type: http type: http
x_forwarded: true x_forwarded: true
bind_addresses: ['::', '0.0.0.0'] bind_addresses: ['::1', '127.0.0.1']
resources: resources:
- names: [client, federation] - names: [client, federation]
compress: false compress: false
# The HTTP replication port
- port: 9093
bind_addresses: ['::1', '127.0.0.1']
type: http
resources:
- names: [replication]
# example additional_resources: # example additional_resources:
# #
@ -2870,8 +2875,8 @@ opentracing:
# started, to ensure that all instances are running with the same config (otherwise # started, to ensure that all instances are running with the same config (otherwise
# events may be dropped). # events may be dropped).
# #
#federation_sender_instances: federation_sender_instances:
# - federation_sender1 - synapse-federation-sender-1
# When using workers this should be a map from worker_name to the # When using workers this should be a map from worker_name to the
# HTTP replication listener of the worker, if configured. # HTTP replication listener of the worker, if configured.
@ -2880,6 +2885,18 @@ opentracing:
# worker1: # worker1:
# host: localhost # host: localhost
# port: 8034 # port: 8034
instance_map:
main:
host: 'localhost'
port: 9093
synapse-generic-worker-1:
host: 'localhost'
port: 8081
tls: false
synapse-federation-sender-1:
host: 'localhost'
port: 8082
tls: false
# Experimental: When using workers you can define which workers should # Experimental: When using workers you can define which workers should
# handle event persistence and typing notifications. Any worker # handle event persistence and typing notifications. Any worker
@ -2899,7 +2916,7 @@ opentracing:
# #
# By default this is unused and traffic is not authenticated. # By default this is unused and traffic is not authenticated.
# #
#worker_replication_secret: "" worker_replication_secret: "testtest#$"
# Configuration for Redis when using workers. This *must* be enabled when # Configuration for Redis when using workers. This *must* be enabled when
@ -2908,13 +2925,13 @@ opentracing:
redis: redis:
# Uncomment the below to enable Redis support. # Uncomment the below to enable Redis support.
# #
#enabled: true enabled: true
# Optional host and port to use to connect to redis. Defaults to # Optional host and port to use to connect to redis. Defaults to
# localhost and 6379 # localhost and 6379
# #
#host: localhost host: $REDISHOST
#port: 6379 port: $REDISPORT
# Optional password if configured on the Redis instance # Optional password if configured on the Redis instance
# #
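Review bot: `worker_replication_secret: "testtest#$"` commits a short, guessable secret into the repository and into this public diff; it authenticates every worker-to-worker HTTP replication call, so it should be generated per deployment and injected the same way `$REDISHOST`/`$REDISPORT` are (e.g. `worker_replication_secret: $WORKER_REPLICATION_SECRET` filled in by `homeserver.yaml.sh`), and this value rotated now that it is published. The new `instance_map` entries point at ports 8081 and 8082, but the worker files in this commit define those as the client and federation listeners, with the replication listeners on 9081 and 9082; the context comment just above says the map must name the HTTP replication listener, so either the map or the worker files is wrong. The `redis:` block is enabled against a remote `$REDISHOST` with `password` still commented out, so unless that node is network-isolated the inter-worker replication stream is unauthenticated.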


@ -0,0 +1,15 @@
worker_app: synapse.app.generic_worker
worker_name: synapse-federation-sender-1
worker_listeners:
- type: http
port: 8082
resources:
- names: [federation]
- type: http
port: 9082
resources:
- names: [replication]
worker_log_config: /data/federation_sender.log.yaml
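Review bot: Neither listener in this worker sets `bind_addresses`, and since the compose file runs it with `network_mode: host`, Synapse's default of all interfaces (`::`/`0.0.0.0`) puts the federation listener on 8082 and the replication listener on 9082 on every host address, where only the replication secret stands between them and the network. Add `bind_addresses: ['::1', '127.0.0.1']` to both listeners. The 8082 listener sits behind nginx, which forwards `X-Forwarded-For`, but without `x_forwarded: true` Synapse on this worker records nginx's 127.0.0.1 as the remote address for every federation request, so per-IP rate limiting and logging become meaningless; the main process listener in homeserver.yaml already sets it.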


@ -0,0 +1,14 @@
worker_app: synapse.app.generic_worker
worker_name: synapse-generic-worker-1
worker_listeners:
- type: http
port: 8081
resources:
- names: [client]
- type: http
port: 9081
resources:
- names: [replication]
worker_log_config: /data/generic-worker-log.yaml
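Review bot: The client listener on 8081 receives the sync, login and register traffic that nginx routes here, yet it has no `x_forwarded: true`, so Synapse on this worker sees 127.0.0.1 as every client's IP; login/registration rate limits, `last_seen_ip` on devices, and any IP-based auditing for those routes collapse onto one address, while the main process listener (which sets `x_forwarded: true`) behaves differently. Add `x_forwarded: true` under the 8081 listener, and `bind_addresses: ['::1', '127.0.0.1']` to both listeners, since the container runs in host network mode and Synapse's default binds all interfaces. The two worker files also use different naming for `worker_log_config` (`generic-worker-log.yaml` vs `federation_sender.log.yaml`); consistent names make the log sections easier to audit.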