diff --git a/docs/deploying/docker-compose.for-traefik.yml b/docs/deploying/docker-compose.for-traefik.yml
index d10e58153..1c615673a 100644
--- a/docs/deploying/docker-compose.for-traefik.yml
+++ b/docs/deploying/docker-compose.for-traefik.yml
@@ -1,40 +1,44 @@
 # conduwuit - Behind Traefik Reverse Proxy
 services:
- homeserver:
- ### If you already built the conduduwit image with 'docker build' or want to use the Docker Hub image,
- ### then you are ready to go.
- image: girlbossceo/conduwuit:latest
- restart: unless-stopped
- volumes:
- - db:/var/lib/conduwuit
- #- ./conduwuit.toml:/etc/conduwuit.toml
- networks:
- - proxy
- environment:
- CONDUWUIT_SERVER_NAME: your.server.name # EDIT THIS
- CONDUWUIT_DATABASE_PATH: /var/lib/conduwuit
- CONDUWUIT_DATABASE_BACKEND: rocksdb
- CONDUWUIT_PORT: 6167
- CONDUWUIT_MAX_REQUEST_SIZE: 20_000_000 # in bytes, ~20 MB
- CONDUWUIT_ALLOW_REGISTRATION: 'true'
- CONDUWUIT_ALLOW_FEDERATION: 'true'
- CONDUWUIT_ALLOW_CHECK_FOR_UPDATES: 'true'
- CONDUWUIT_TRUSTED_SERVERS: '["matrix.org"]'
- #CONDUWUIT_LOG: warn,state_res=warn
- CONDUWUIT_ADDRESS: 0.0.0.0
- #CONDUWUIT_CONFIG: '/etc/conduwuit.toml' # Uncomment if you mapped config toml above
- #cpuset: "0-4" # Uncomment to limit to specific CPU cores
+ homeserver:
+ ### If you already built the conduduwit image with 'docker build' or want to use the Docker Hub image,
+ ### then you are ready to go.
+ image: girlbossceo/conduwuit:latest
+ restart: unless-stopped
+ volumes:
+ - db:/var/lib/conduwuit
+ #- ./conduwuit.toml:/etc/conduwuit.toml
+ networks:
+ - proxy
+ environment:
+ CONDUWUIT_SERVER_NAME: your.server.name.example # EDIT THIS
+ CONDUWUIT_DATABASE_PATH: /var/lib/conduwuit
+ CONDUWUIT_DATABASE_BACKEND: rocksdb
+ CONDUWUIT_PORT: 6167 # should match the loadbalancer traefik label
+ CONDUWUIT_MAX_REQUEST_SIZE: 20_000_000 # in bytes, ~20 MB
+ CONDUWUIT_ALLOW_REGISTRATION: 'true'
+ CONDUWUIT_ALLOW_FEDERATION: 'true'
+ CONDUWUIT_ALLOW_CHECK_FOR_UPDATES: 'true'
+ CONDUWUIT_TRUSTED_SERVERS: '["matrix.org"]'
+ #CONDUWUIT_LOG: warn,state_res=warn
+ CONDUWUIT_ADDRESS: 0.0.0.0
+ #CONDUWUIT_CONFIG: '/etc/conduwuit.toml' # Uncomment if you mapped config toml above
+
+ # We need some way to serve the client and server .well-known json. The simplest way is via the CONDUWUIT_WELL_KNOWN
+ # variable / config option, there are multiple ways to do this, e.g. in the conduwuit.toml file, and in a seperate
+ # see the override file for more information about delegation
+ CONDUWUIT_WELL_KNOWN: |
+ {
+ client=https://your.server.name.example,
+ server=your.server.name.example:443
+ }
+ #cpuset: "0-4" # Uncomment to limit to specific CPU cores
+ ulimits: # conduwuit uses quite a few file descriptors, and on some systems it defaults to 1024, so you can tell docker to increase it
+ nofile:
+ soft: 1048567
+ hard: 1048567
- # We need some way to server the client and server .well-known json. The simplest way is to use a nginx container
- # to serve those two as static files. If you want to use a different way, delete or comment the below service, here
- # and in the docker compose override file.
- well-known:
- image: nginx:latest
- restart: unless-stopped
- volumes:
- - ./nginx/matrix.conf:/etc/nginx/conf.d/matrix.conf # the config to serve the .well-known/matrix files
- - ./nginx/www:/var/www/ # location of the client and server .well-known-files
 ### Uncomment if you want to use your own Element-Web App.
 ### Note: You need to provide a config.json for Element and you also need a second
 ### Domain or Subdomain for the communication between Element and conduwuit
@@ -50,10 +54,12 @@ services:
 # - homeserver
 volumes:
- db:
+ db:
 networks:
- # This is the network Traefik listens to, if your network has a different
- # name, don't forget to change it here and in the docker-compose.override.yml
- proxy:
- external: true
+ # This is the network Traefik listens to, if your network has a different
+ # name, don't forget to change it here and in the docker-compose.override.yml
+ proxy:
+ external: true
+
+# vim: ts=2:sw=2:expandtab
diff --git a/docs/deploying/docker-compose.override.yml b/docs/deploying/docker-compose.override.yml
index 23d6a90b2..a343eeee3 100644
--- a/docs/deploying/docker-compose.override.yml
+++ b/docs/deploying/docker-compose.override.yml
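Review bot: `CONDUWUIT_ALLOW_REGISTRATION: 'true'` is kept in this file with no `CONDUWUIT_REGISTRATION_TOKEN`, while the with-traefik example in the same commit switches to `'false'` plus a token; open registration on a federating homeserver is the usual spam/abuse vector, so this example should be brought in line — `CONDUWUIT_ALLOW_REGISTRATION: 'false' # enable only after setting CONDUWUIT_REGISTRATION_TOKEN`. The comment above `CONDUWUIT_WELL_KNOWN` ends mid-sentence ('and in a seperate') and the value is neither JSON nor a shape I can confirm from this diff, so either show the exact syntax conduwuit accepts for this variable or link the config reference; note also that `|` keeps a trailing newline in the value where `|-` would not. The `nofile` limits read `1048567`, which looks like a typo for `1048576`; harmless, but worth fixing in both `soft` and `hard`.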
@@ -1,44 +1,37 @@
 # conduwuit - Traefik Reverse Proxy Labels
 services:
- homeserver:
- labels:
- - "traefik.enable=true"
- - "traefik.docker.network=proxy" # Change this to the name of your Traefik docker proxy network
-
- - "traefik.http.routers.to-conduwuit.rule=Host(`.`)" # Change to the address on which conduwuit is hosted
- - "traefik.http.routers.to-conduwuit.tls=true"
- - "traefik.http.routers.to-conduwuit.tls.certresolver=letsencrypt"
- - "traefik.http.routers.to-conduwuit.middlewares=cors-headers@docker"
-
- - "traefik.http.middlewares.cors-headers.headers.accessControlAllowOriginList=*"
- - "traefik.http.middlewares.cors-headers.headers.accessControlAllowHeaders=Origin, X-Requested-With, Content-Type, Accept, Authorization"
- - "traefik.http.middlewares.cors-headers.headers.accessControlAllowMethods=GET, POST, PUT, DELETE, OPTIONS"
-
- # We need some way to server the client and server .well-known json. The simplest way is to use a nginx container
- # to serve those two as static files. If you want to use a different way, delete or comment the below service, here
- # and in the docker compose file.
- well-known:
- labels:
- - "traefik.enable=true"
- - "traefik.docker.network=proxy"
-
- - "traefik.http.routers.to-matrix-wellknown.rule=Host(`.`) && PathPrefix(`/.well-known/matrix`)"
- - "traefik.http.routers.to-matrix-wellknown.tls=true"
- - "traefik.http.routers.to-matrix-wellknown.tls.certresolver=letsencrypt"
- - "traefik.http.routers.to-matrix-wellknown.middlewares=cors-headers@docker"
-
- - "traefik.http.middlewares.cors-headers.headers.accessControlAllowOriginList=*"
- - "traefik.http.middlewares.cors-headers.headers.accessControlAllowHeaders=Origin, X-Requested-With, Content-Type, Accept, Authorization"
- - "traefik.http.middlewares.cors-headers.headers.accessControlAllowMethods=GET, POST, PUT, DELETE, OPTIONS"
-
-
- ### Uncomment this if you uncommented Element-Web App in the docker-compose.yml
- # element-web:
- # labels:
- # - "traefik.enable=true"
- # - "traefik.docker.network=proxy" # Change this to the name of your Traefik docker proxy network
-
- # - "traefik.http.routers.to-element-web.rule=Host(`.`)" # Change to the address on which Element-Web is hosted
- # - "traefik.http.routers.to-element-web.tls=true"
- # - "traefik.http.routers.to-element-web.tls.certresolver=letsencrypt"
+ homeserver:
+ labels:
+ - "traefik.enable=true"
+ - "traefik.docker.network=proxy" # Change this to the name of your Traefik docker proxy network
+
+ - "traefik.http.routers.to-conduwuit.rule=Host(`.`)" # Change to the address on which conduwuit is hosted
+ - "traefik.http.routers.to-conduwuit.tls=true"
+ - "traefik.http.routers.to-conduwuit.tls.certresolver=letsencrypt"
+ - "traefik.http.routers.to-conduwuit.middlewares=cors-headers@docker"
+ - "traefik.http.services.to_conduwuit.loadbalancer.server.port=6167"
+
+ - "traefik.http.middlewares.cors-headers.headers.accessControlAllowOriginList=*"
+ - "traefik.http.middlewares.cors-headers.headers.accessControlAllowHeaders=Origin, X-Requested-With, Content-Type, Accept, Authorization"
+ - "traefik.http.middlewares.cors-headers.headers.accessControlAllowMethods=GET, POST, PUT, DELETE, OPTIONS"
+
+ # If you want to have your account on , but host conduwuit on a subdomain,
+ # you can let it only handle the well known file on that domain instead
+ #- "traefik.http.routers.to-matrix-wellknown.rule=Host(``) && PathPrefix(`/.well-known/matrix`)"
+ #- "traefik.http.routers.to-matrix-wellknown.tls=true"
+ #- "traefik.http.routers.to-matrix-wellknown.tls.certresolver=letsencrypt"
+ #- "traefik.http.routers.to-matrix-wellknown.middlewares=cors-headers@docker"
+
+ ### Uncomment this if you uncommented Element-Web App in the docker-compose.yml
+ # element-web:
+ # labels:
+ # - "traefik.enable=true"
+ # - "traefik.docker.network=proxy" # Change this to the name of your Traefik docker proxy network
+
+ # - "traefik.http.routers.to-element-web.rule=Host(`.`)" # Change to the address on which Element-Web is hosted
+ # - "traefik.http.routers.to-element-web.tls=true"
+ # - "traefik.http.routers.to-element-web.tls.certresolver=letsencrypt"
+
+# vim: ts=2:sw=2:expandtab
+
diff --git a/docs/deploying/docker-compose.with-traefik.yml b/docs/deploying/docker-compose.with-traefik.yml
index 79d200517..f05006a55 100644
--- a/docs/deploying/docker-compose.with-traefik.yml
+++ b/docs/deploying/docker-compose.with-traefik.yml
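Review bot: The router rule is left as the placeholder `Host(`.`)` (and the new commented well-known router as `Host(``)`, at least as rendered here), which does not match the `your.server.name.example` placeholder the compose files now use for `CONDUWUIT_SERVER_NAME` and `CONDUWUIT_WELL_KNOWN`; writing `Host(`your.server.name.example`)` in all three keeps them in sync and makes an unedited copy fail visibly instead of matching nothing. The new service label `traefik.http.services.to_conduwuit.loadbalancer.server.port=6167` spells the name with an underscore while the router is `to-conduwuit`; pick one spelling. `accessControlAllowOriginList=*` with `Authorization` allowed is what the Matrix client-server spec asks for, so a one-line comment saying so would stop a later reader from "tightening" it. The delegation comment 'have your account on , but host conduwuit on a subdomain' is missing the domain name, possibly an angle-bracket placeholder lost in rendering.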
@@ -1,42 +1,52 @@
 # conduwuit - Behind Traefik Reverse Proxy
 services:
- homeserver:
- ### If you already built the conduwuit image with 'docker build' or want to use the Docker Hub image,
- ### then you are ready to go.
- image: girlbossceo/conduwuit:latest
- restart: unless-stopped
- volumes:
- - db:/srv/conduwuit/.local/share/conduwuit
- #- ./conduwuit.toml:/etc/conduwuit.toml
- networks:
- - proxy
- environment:
- CONDUWUIT_SERVER_NAME: your.server.name # EDIT THIS
- CONDUWUIT_TRUSTED_SERVERS: '["matrix.org"]'
- CONDUWUIT_ALLOW_REGISTRATION : 'true'
- #CONDUWUIT_CONFIG: '/etc/conduwuit.toml' # Uncomment if you mapped config toml above
- ### Uncomment and change values as desired
- # CONDUWUIT_ADDRESS: 0.0.0.0
- # CONDUWUIT_PORT: 6167
- # CONDUWUIT_LOG: info # default is: "warn,state_res=warn"
- # CONDUWUIT_ALLOW_JAEGER: 'false'
- # CONDUWUIT_ALLOW_ENCRYPTION: 'true'
- # CONDUWUIT_ALLOW_FEDERATION: 'true'
- # CONDUWUIT_ALLOW_CHECK_FOR_UPDATES: 'true'
- # CONDUWUIT_DATABASE_PATH: /srv/conduwuit/.local/share/conduwuit
- # CONDUWUIT_WORKERS: 10
- # CONDUWUIT_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
+ homeserver:
+ ### If you already built the conduwuit image with 'docker build' or want to use the Docker Hub image,
+ ### then you are ready to go.
+ image: girlbossceo/conduwuit:latest
+ restart: unless-stopped
+ volumes:
+ - db:/var/lib/conduwuit
+ #- ./conduwuit.toml:/etc/conduwuit.toml
+ networks:
+ - proxy
+ environment:
+ CONDUWUIT_SERVER_NAME: your.server.name.example # EDIT THIS
+ CONDUWUIT_TRUSTED_SERVERS: '["matrix.org"]'
+ CONDUWUIT_ALLOW_REGISTRATION: 'false' # After setting a secure registration token, you can enable this
+ CONDUWUIT_REGISTRATION_TOKEN: # This is a token you can use to register on the server
+ CONDUWUIT_ADDRESS: 0.0.0.0
+ CONDUWUIT_PORT: 6167 # you need to match this with the traefik load balancer label if you're want to change it
+ CONDUWUIT_DATABASE_PATH: /var/lib/conduwuit
+ #CONDUWUIT_CONFIG: '/etc/conduit.toml' # Uncomment if you mapped config toml above
+ ### Uncomment and change values as desired, note that conduwuit has plenty of config options, so you should check out the example example config too
+ # Available levels are: error, warn, info, debug, trace - more info at: https://docs.rs/env_logger/*/env_logger/#enabling-logging
+ # CONDUWUIT_LOG: info # default is: "warn,state_res=warn"
+ # CONDUWUIT_ALLOW_JAEGER: 'false'
+ # CONDUWUIT_ALLOW_ENCRYPTION: 'true'
+ # CONDUWUIT_ALLOW_FEDERATION: 'true'
+ # CONDUWUIT_ALLOW_CHECK_FOR_UPDATES: 'true'
+ # CONDUWUIT_ALLOW_INCOMING_PRESENCE: true
+ # CONDUWUIT_ALLOW_OUTGOING_PRESENCE: true
+ # CONDUWUIT_ALLOW_LOCAL_PRESENCE: true
+ # CONDUWUIT_WORKERS: 10
+ # CONDUWUIT_MAX_REQUEST_SIZE: 20_000_000 # in bytes, ~20 MB
+ # CONDUWUIT_NEW_USER_DISPLAYNAME_SUFFIX = "🏳<200d>⚧"
- # We need some way to server the client and server .well-known json. The simplest way is to use a nginx container
- # to serve those two as static files. If you want to use a different way, delete or comment the below service, here
- # and in the docker compose override file.
- well-known:
- image: nginx:latest
- restart: unless-stopped
- volumes:
- - ./nginx/matrix.conf:/etc/nginx/conf.d/matrix.conf # the config to serve the .well-known/matrix files
- - ./nginx/www:/var/www/ # location of the client and server .well-known-files
+ # We need some way to serve the client and server .well-known json. The simplest way is via the CONDUWUIT_WELL_KNOWN
+ # variable / config option, there are multiple ways to do this, e.g. in the conduwuit.toml file, and in a seperate
+ # reverse proxy, but since you do not have a reverse proxy and following this guide, this example is included
+ CONDUWUIT_WELL_KNOWN: |
+ {
+ client=https://your.server.name.example,
+ server=your.server.name.example:443
+ }
+ #cpuset: "0-4" # Uncomment to limit to specific CPU cores
+ ulimits: # conduwuit uses quite a few file descriptors, and on some systems it defaults to 1024, so you can tell docker to increase it
+ nofile:
+ soft: 1048567
+ hard: 1048567
 ### Uncomment if you want to use your own Element-Web App.
 ### Note: You need to provide a config.json for Element and you also need a second
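Review bot: `CONDUWUIT_REGISTRATION_TOKEN:` is added with a null value; Compose resolves a null mapping value from the shell that runs it, so on a host where that variable is unset no token reaches the container and the only thing keeping registration closed is `CONDUWUIT_ALLOW_REGISTRATION: 'false'` — the comment should say to generate a strong random value first (e.g. `openssl rand -hex 32`) and to keep it in an `.env` file or Docker secret rather than in the committed compose file. Two commented-out options would not work when uncommented: `#CONDUWUIT_CONFIG: '/etc/conduit.toml'` names a different path than the `./conduwuit.toml:/etc/conduwuit.toml` mount above it, and `# CONDUWUIT_NEW_USER_DISPLAYNAME_SUFFIX = "🏳<200d>⚧"` uses `=` instead of `:` and is not valid YAML inside this mapping. The three `CONDUWUIT_ALLOW_*_PRESENCE: true` lines are the only booleans in the block left unquoted; quote them like their neighbours so Compose passes a string consistently.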
@@ -52,29 +62,79 @@ services:
 # depends_on:
 # - homeserver
- traefik:
- image: "traefik:latest"
- container_name: "traefik"
- restart: "unless-stopped"
- ports:
- - "80:80"
- - "443:443"
- volumes:
- - "/var/run/docker.sock:/var/run/docker.sock"
- # - "./traefik_config:/etc/traefik"
- - "acme:/etc/traefik/acme"
- labels:
- - "traefik.enable=true"
+ traefik:
+ image: "traefik:latest"
+ container_name: "traefik"
+ restart: "unless-stopped"
+ ports:
+ - "80:80"
+ - "443:443"
+ volumes:
+ - "/var/run/docker.sock:/var/run/docker.sock:z"
+ - "acme:/etc/traefik/acme"
+ #- "./traefik_config:/etc/traefik:z"
+ labels:
+ - "traefik.enable=true"
- # middleware redirect
- - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
- # global redirect to https
- - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
- - "traefik.http.routers.redirs.entrypoints=http"
- - "traefik.http.routers.redirs.middlewares=redirect-to-https"
+ # middleware redirect
+ - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+ # global redirect to https
+ - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
+ - "traefik.http.routers.redirs.entrypoints=web"
+ - "traefik.http.routers.redirs.middlewares=redirect-to-https"
- networks:
- - proxy
+ configs:
+ - source: dynamic.yml
+ target: /etc/traefik/dynamic.yml
+
+ environment:
+ TRAEFIK_LOG_LEVEL: DEBUG
+ TRAEFIK_ENTRYPOINTS_WEB: true
+ TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ":80"
+ TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_TO: websecure
+
+ TRAEFIK_ENTRYPOINTS_WEBSECURE: true
+ TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS: ":443"
+ TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_CERTRESOLVER: letsencrypt
+ #TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_MIDDLEWARES: secureHeaders@file # if you want to enabled STS
+
+ TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT: true
+ TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL: # Set this to the email you want to receive certificate expiration emails for
+ TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_KEYTYPE: EC384
+ TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE: true
+ TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE_ENTRYPOINT: web
+ TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_STORAGE: "/etc/traefik/acme/acme.json"
+
+ TRAEFIK_PROVIDERS_DOCKER: true
+ TRAEFIK_PROVIDERS_DOCKER_ENDPOINT: "unix:///var/run/docker.sock"
+ TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: false
+
+ TRAEFIK_PROVIDERS_FILE: true
+ TRAEFIK_PROVIDERS_FILE_FILENAME: "/etc/traefik/dynamic.yml"
+
+configs:
+ dynamic.yml:
+ content: |
+ # Optionally set STS headers, like in https://hstspreload.org
+ # http:
+ # middlewares:
+ # secureHeaders:
+ # headers:
+ # forceSTSHeader: true
+ # stsIncludeSubdomains: true
+ # stsPreload: true
+ # stsSeconds: 31536000
+ tls:
+ options:
+ default:
+ cipherSuites:
+ - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+ - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+ minVersion: VersionTLS12
 volumes:
 db:
@@ -82,3 +142,5 @@ volumes:
 networks:
 proxy:
+
+# vim: ts=2:sw=2:expandtab
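Review bot: The `networks:` / `- proxy` entry on the traefik service is removed in this hunk and nothing re-adds it, so Traefik ends up only on Compose's `default` network while the homeserver is only on `proxy` (and the `traefik.docker.network=proxy` label in the override file names a network the proxy is not attached to); unless it was moved somewhere outside this hunk, restore `networks:` `- proxy` under `traefik:`. Bind-mounting `/var/run/docker.sock` into the edge proxy gives that container root-equivalent control of the host, and an `:ro` flag would not restrict API calls over the socket, so the reference deployment should at least say so in a comment and point to a socket proxy that exposes only the read endpoints the docker provider needs. `TRAEFIK_LOG_LEVEL: DEBUG` logs request detail and is the wrong default for a production example; `INFO` is enough. `traefik:latest` (like `conduwuit:latest` above) should be pinned to a version or digest, and if `latest` resolves to Traefik v3 the v2-style `hostregexp(`{host:.+}`)` rule is no longer accepted — it is redundant anyway once `TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_TO: websecure` is set, so the `redirs` router and `redirect-to-https` middleware labels can be dropped.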