diff --git a/alpine/cgit/build.sh b/alpine/cgit/build.sh
new file mode 100644
index 0000000..9b96e8b
--- /dev/null
+++ b/alpine/cgit/build.sh
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+set -e
+
+NAME=cgit
+IMAGE=/tmp/$NAME.raw
+
+[ -z $ROOTFS ] && ROOTFS=$(mktemp -d $NAME.XXX -t)
+[ -z $ALPINE_VERSION ] && ALPINE_VERSION=3.10
+[ -z $ALPINE_RELEASE ] && ALPINE_RELEASE=0
+
+ALPINE_TARBALL=alpine-minirootfs-$ALPINE_VERSION.$ALPINE_RELEASE-x86_64.tar.gz
+
+[ -f $NAME.raw ] && rm $NAME.raw
+[ -f $ALPINE_TARBALL ] || wget http://dl-cdn.alpinelinux.org/alpine/v$ALPINE_VERSION/releases/x86_64/$ALPINE_TARBALL
+
+(sudo systemctl stop $NAME.service && sudo portablectl detach $NAME) || echo "Image not attached."
+
+tar xf $ALPINE_TARBALL -C $ROOTFS/
+
+chmod 755 $ROOTFS
+
+mkdir -p \
+ $ROOTFS/etc/systemd/system \
+ $ROOTFS/etc/$NAME \
+ $ROOTFS/var/lib/$NAME \
+ $ROOTFS/run/$NAME \
+ $ROOTFS/root/.ssh
+
+touch $ROOTFS/etc/machine-id $ROOTFS/etc/resolv.conf
+cp systemd/* $ROOTFS/etc/systemd/system/
+
+sudo systemd-nspawn --directory $ROOTFS/ /sbin/apk update
+sudo systemd-nspawn --directory $ROOTFS/ /sbin/apk add cgit uwsgi-cgi
+sudo systemd-nspawn --directory $ROOTFS/ /bin/rm -rf /etc/apk/* /var/cache/*
+
+mksquashfs $ROOTFS/ $IMAGE -all-root -noappend
+sudo portablectl attach $IMAGE
+sudo systemctl restart $NAME.service
diff --git a/alpine/cgit/systemd/cgit.service b/alpine/cgit/systemd/cgit.service
new file mode 100644
index 0000000..6f47646
--- /dev/null
+++ b/alpine/cgit/systemd/cgit.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=cgit uwsgi service
+After=network.target
+Before=nginx.service
+Requires=cgit.socket
+
+[Service]
+User=cgit
+Group=cgit
+
+ConfigurationDirectory=cgit
+StateDirectory=cgit
diff --git a/alpine/cgit/systemd/cgit.socket b/alpine/cgit/systemd/cgit.socket
new file mode 100644
index 0000000..a861d5a
--- /dev/null
+++ b/alpine/cgit/systemd/cgit.socket
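Review bot: The minirootfs tarball is fetched over plain `http://` with no checksum or signature check before it is unpacked and then operated on as root through `sudo systemd-nspawn`, so a tampered download becomes the image that `portablectl attach` installs on the host; fetch over `https://` and verify against the `.sha256` (or `.asc`) file Alpine publishes next to the tarball, e.g. `wget https://dl-cdn.alpinelinux.org/alpine/v$ALPINE_VERSION/releases/x86_64/$ALPINE_TARBALL.sha256` followed by `sha256sum -c $ALPINE_TARBALL.sha256`. The same unverified `wget` is in the alpine/matrix/build.sh hunk. Separately, every `[ -z $VAR ]` test is unquoted, so a value containing spaces makes `[` fail with a syntax error, and `[ -f $NAME.raw ] && rm $NAME.raw` checks `./cgit.raw` while `IMAGE` is `/tmp/cgit.raw`; quote the expansions (`[ -z "$ROOTFS" ]`) and test `$IMAGE` instead. Building the image at the predictable path `/tmp/cgit.raw` that root then attaches is also worth reconsidering, since `portablectl attach` links the unit set to that path; prefer a directory only the builder can write to.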
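Review bot: The new `[Service]` section has no `ExecStart=` (or any `Exec*=`) line, so unless a drop-in outside this commit supplies one systemd will refuse to load `cgit.service`; given `Requires=cgit.socket` and the socket unit listening on `/run/git/cgit.sock`, the intended command is presumably a uwsgi process serving cgit over that socket, and it should be spelled out here. `User=cgit`/`Group=cgit` refer to accounts inside the image, and nothing in the build hunk creates them (it only installs `cgit` and `uwsgi-cgi`); confirm the package provides the account or use `DynamicUser=yes`. A one-line comment above `[Service]` stating which process is expected to serve the socket would also make the unit self-explanatory, e.g. `# uwsgi serving cgit.cgi over /run/git/cgit.sock (socket-activated)`.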
@@ -0,0 +1,10 @@ +[Unit] +Description=cgit socket + +[Socket] +ListenStream=/run/git/cgit.sock +SocketMode=0660 +SocketGroup=http + +[Install] +WantedBy=sockets.target diff --git a/alpine/gitea/README.md b/alpine/gitea/README.md index 438cf48..38498ed 100644 --- a/alpine/gitea/README.md +++ b/alpine/gitea/README.md @@ -38,5 +38,5 @@ through the web UI, but here goes. ## TODO * Instructions for setting up SSH with Gitea's built-in SSH server and the SSH - server running on the host. https://docs.gitea.io/en-us/install-with-docker/ + server running on the host. * Real world configuration. diff --git a/alpine/matrix/README.md b/alpine/matrix/README.md index b7023d6..3f55001 100644 --- a/alpine/matrix/README.md +++ b/alpine/matrix/README.md @@ -1,9 +1,11 @@ -# Matrix synapse service with a TURN server and riot-web frontend +Matrix synapse service with IRC and Telegram gateways +===================================================== -A collection of systemd services that run synapse, riot-web and a TURN server -as systemd portable services. +A collection of systemd services that run synapse and the IRC gateway +(matrix-appservice-irc) in an isolated read-only alpine squashfs image. -## Building the squashfs image +Building the squashfs image +--------------------------- Run: 
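Review bot: `SocketGroup=http` is resolved against the host's user database, because the socket of a portable image is created by the host's systemd before the service starts, so starting `cgit.socket` fails on any host without an `http` group (Debian-style hosts typically use `www-data`). Document the assumption on the line, e.g. `SocketGroup=http  # host group of the reverse proxy allowed to connect`, or make it adjustable via a drop-in. `SocketMode=0660` is the right default for a proxy-facing socket; confirm `/run/git/cgit.sock` matches the path the proxy and the cgit uwsgi configuration expect.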
@@ -12,24 +14,62 @@ $ sh build.sh ``` It will create a rootfs/ folder with an alpine filesystem, install synapse, -compress it into a squashfs image that will be used as a root filesystem for -the container. +matrix-appservice-irc and compress it into a squashfs image that will be used +as a root filesystem for the container. -If the script finished successfully, you should get an \~25M matrix.raw +If the script finished successfully, you should get an \~45M matrix.raw image. -## Running the portable services +Running the portable services +----------------------------- Attach the container with `sudo portablectl attach ./matrix.raw`. + +The output should look something like this: + +``` {.sourceCode .shell} +$ sudo portablectl attach ./matrix.raw + +Created directory /etc/systemd/system.attached. +Created directory /etc/systemd/system.attached/matrix.service.d. +Written /etc/systemd/system.attached/matrix.service.d/20-portable.conf. +Created symlink /etc/systemd/system.attached/matrix.service.d/10-profile.conf → /usr/lib/systemd/portable/profile/default/service.conf. +Copied /etc/systemd/system.attached/matrix.service. +Created directory /etc/systemd/system.attached/matrix-appservice-irc.service.d. +Written /etc/systemd/system.attached/matrix-appservice-irc.service.d/20-portable.conf. +Created symlink /etc/systemd/system.attached/matrix-appservice-irc.service.d/10-profile.conf → /usr/lib/systemd/portable/profile/default/service.conf. +Copied /etc/systemd/system.attached/matrix-appservice-irc.service. +Created symlink /etc/portables/matrix.raw → /tmp/matrix.raw. + + Start/Stop as any other systemd service, e.g: ``` {.sourceCode .shell} +sudo systemctl start matrix-appservice-irc.service sudo systemctl stop matrix.service ``` -## Install another existing service +Existing matrix installations +----------------------------- -``` {.sourceCode .shell} -NAME=riot sh build.sh -sudo systemctl start riot.service -``` +1. Stop your current services. +2. 
Copy all configuration files to `/etc/matrix`. +3. Run all portable services, so that they create all directories in + `/var/lib`. +4. Copy all data files, e.g. homeserver.db if you\'re using sqlite, + media and upload folders for synapse, rooms.db for the irc gateway, + etc. to `/var/lib/matrix-{synapse,appservice-irc}`. + +Warning +------- + +You should set up all logging to stdout. + +Any configuration that has something to do with the filesystem should be +configured to write files to `/var/lib/matrix-{synapse,appservice-irc}`. + +TODO +---- + +- Use a Makefile to build the image. Add attach, detach and clean + targets. diff --git a/alpine/matrix/build.sh b/alpine/matrix/build.sh index 1b39dff..0682477 100644 --- a/alpine/matrix/build.sh +++ b/alpine/matrix/build.sh 
@@ -1,43 +1,24 @@ #!/bin/sh -set -e +ROOTFS=/tmp/matrix +ALPINE_TARBALL=alpine-minirootfs-3.9.2-x86_64.tar.gz -[ -z $NAME ] && NAME=matrix -IMAGE=/tmp/$NAME.raw - -[ -z $ROOTFS ] && ROOTFS=$(mktemp -d $NAME.XXX -t) -[ -z $ALPINE_VERSION ] && ALPINE_VERSION=3.13 -[ -z $ALPINE_RELEASE ] && ALPINE_RELEASE=1 - -ALPINE_TARBALL=alpine-minirootfs-$ALPINE_VERSION.$ALPINE_RELEASE-x86_64.tar.gz - -[ -f $IMAGE.raw ] && rm $IMAGE.raw -[ -f $ALPINE_TARBALL ] || wget http://dl-cdn.alpinelinux.org/alpine/v$ALPINE_VERSION/releases/x86_64/$ALPINE_TARBALL +wget http://dl-cdn.alpinelinux.org/alpine/v3.9/releases/x86_64/$ALPINE_TARBALL mkdir -p $ROOTFS tar xf $ALPINE_TARBALL -C $ROOTFS/ \ - ./etc ./usr ./lib ./bin ./sbin ./var - -chmod 755 $ROOTFS + ./etc/apk ./etc/os-release ./usr ./lib ./bin ./sbin ./var mkdir -p \ $ROOTFS/etc/systemd/system \ $ROOTFS/var/{lib,run,tmp} \ $ROOTFS/{dev,tmp,proc,root,run,sys} \ - $ROOTFS/etc/$NAME \ - $ROOTFS/var/lib/$NAME \ - $ROOTFS/run/systemd/unit-root/var/tmp + $ROOTFS/etc/matrix \ + $ROOTFS/var/lib/matrix-{synapse,appservice-irc} touch $ROOTFS/etc/machine-id $ROOTFS/etc/resolv.conf -cp -a systemd/${NAME}* $ROOTFS/etc/systemd/system/ -cp conf/os-release $ROOTFS/etc/os-release -sudo systemd-nspawn --directory $ROOTFS/ \ - --bind=$PWD/scripts/install-$NAME.sh:/root/install.sh \ - /bin/sh /root/install.sh +cp systemd/* $ROOTFS/etc/systemd/system/ -sudo mksquashfs $ROOTFS/ $IMAGE -all-root -noappend -sudo systemctl stop $IMAGE || true -sudo portablectl detach $IMAGE || true -sudo portablectl attach $IMAGE -sudo systemctl restart $NAME.service +sudo systemd-nspawn --bind=$PWD/scripts/install.sh:/root/install.sh -D $ROOTFS/ /bin/sh /root/install.sh +mksquashfs $ROOTFS/ /tmp/matrix.raw diff --git a/alpine/matrix/conf/homeserver.jenga.yaml b/alpine/matrix/conf/homeserver.jenga.yaml new file mode 100644 index 0000000..009d965 --- /dev/null +++ b/alpine/matrix/conf/homeserver.jenga.yaml 
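Review bot: The new version drops `set -e` (line 2 of the hunk) while keeping a chain of steps that each depend on the previous one, so a failed `wget` or `tar` no longer stops the script and `sudo systemd-nspawn` then runs against a partial `/tmp/matrix` and `mksquashfs` still packs whatever is there; restore `set -e` (the removed side had it) or chain the critical steps with `|| exit 1`. `mksquashfs $ROOTFS/ /tmp/matrix.raw` also loses the `-noappend` the old side passed, so a second run appends to an existing image instead of replacing it. Both the rootfs and the image now live at fixed, predictable paths in world-writable `/tmp` (`ROOTFS=/tmp/matrix`, `/tmp/matrix.raw`) where the old side used `mktemp -d`; the image is later attached by root, so build in a directory only the builder can write to. The unverified `http://` download is the same issue raised on alpine/cgit/build.sh.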
@@ -0,0 +1,143 @@
+no_tls: False
+tls_certificate_path: "/etc/synapse/jenga.local.tls.crt"
+tls_private_key_path: "/etc/synapse/jenga.local.tls.key"
+tls_dh_params_path: "/etc/synapse/jenga.local.tls.dh"
+tls_fingerprints: []
+# tls_fingerprints: [{"sha256": ""}]
+
+
+## Server ##
+server_name: "jenga.local"
+pid_file: /var/lib/synapse/homeserver.pid
+
+
+soft_file_limit: 0
+use_presence: true
+
+
+listeners:
+ -
+ port: 8448
+ bind_addresses:
+ - '::'
+ - '0.0.0.0'
+ type: http
+ tls: true
+ x_forwarded: false
+ resources:
+ -
+ names:
+ - client # The client-server APIs, both v1 and v2
+ # - webclient # A web client. Requires web_client_location to be set.
+ compress: true
+
+ - names: [federation] # Federation APIs
+ compress: false
+
+
+# Database configuration
+database:
+ name: "sqlite3"
+ args:
+ database: "/var/lib/synapse/homeserver.db"
+
+event_cache_size: "10K"
+
+log_config: "/etc/synapse/log.config"
+
+
+## Ratelimiting ##
+rc_messages_per_second: 0.2
+rc_message_burst_count: 10.0
+federation_rc_window_size: 1000
+federation_rc_sleep_limit: 10
+federation_rc_sleep_delay: 500
+federation_rc_reject_limit: 50
+federation_rc_concurrent: 3
+
+# Directory where uploaded images and attachments are stored.
+media_store_path: "/var/lib/synapse/media_store"
+uploads_path: "/var/lib/synapse/uploads"
+max_upload_size: "10M"
+max_image_pixels: "32M"
+
+dynamic_thumbnails: false
+thumbnail_sizes:
+- width: 32
+ height: 32
+ method: crop
+- width: 96
+ height: 96
+ method: crop
+- width: 320
+ height: 240
+ method: scale
+- width: 640
+ height: 480
+ method: scale
+- width: 800
+ height: 600
+ method: scale
+
+url_preview_enabled: False
+max_spider_size: "10M"
+
+
+## Captcha ##
+recaptcha_public_key: "YOUR_PUBLIC_KEY"
+recaptcha_private_key: "YOUR_PRIVATE_KEY"
+enable_registration_captcha: False
+recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
+
+turn_user_lifetime: "1h"
+turn_allow_guests: True
+
+
+## Registration ##
+enable_registration: False
+registration_shared_secret: ",@MxAOPr0kkpC-Gzzk1=Ea-HKH@S-utf:Uf0fiz;xAo~I2Y9Fk"
+bcrypt_rounds: 12
+allow_guest_access: False
+trusted_third_party_id_servers:
+ - matrix.org
+ - vector.im
+
+autocreate_auto_join_rooms: true
+
+
+## Metrics ###
+enable_metrics: False
+report_stats: false
+
+
+## API Configuration ##
+room_invite_state_types:
+ - "m.room.join_rules"
+ - "m.room.canonical_alias"
+ - "m.room.avatar"
+ - "m.room.name"
+app_service_config_files: []
+track_appservice_user_ips: False
+macaroon_secret_key: "mL9+dY892cIh&=L6kdZV.SU;i_N=-*DBkA,p^Jp8eQ_v7-DXz4"
+expire_access_token: False
+form_secret: "&+O&4t2BKp=E++pPrc:Y=Uxi50yM,Z5XxX^VFQ7Fad^0y,#bOc"
+
+## Signing Keys ##
+
+signing_key_path: "/etc/synapse/jenga.local.signing.key"
+old_signing_keys: {}
+key_refresh_interval: "1d" # 1 Day.
+
+
+# Enable password for login.
+password_config:
+ enabled: true
+ # Uncomment and change to a secret random string for extra security.
+ # DO NOT CHANGE THIS AFTER INITIAL SETUP!
+ #pepper: ""
+
+enable_group_creation: false
+alias_creation_rules:
+ - user_id: "*"
+ alias: "*"
+ action: allow
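Review bot: `registration_shared_secret`, `macaroon_secret_key` and `form_secret` (Registration and API Configuration blocks) are committed with real-looking values; anything that has been in the repository history must be treated as disclosed, and these particular keys are what synapse trusts for admin-side account registration and for signing access tokens, so generate fresh values per deployment (synapse's `--generate-config` does this) and rotate them before the homeserver is exposed. Keep the committed file as a template, with placeholders in the style the `recaptcha_*` keys already use, e.g. `registration_shared_secret: "CHANGE_ME"`. The paths in this file (`/etc/synapse/...`, `/var/lib/synapse/...`) also do not match the unit in this commit, which sets `ConfigurationDirectory=matrix` and `StateDirectory=matrix-synapse` (`/etc/matrix`, `/var/lib/matrix-synapse`), so the service as shipped would not find its TLS material, signing key or database at these locations; align one with the other. The federation listener binds `'::'` and `'0.0.0.0'` on 8448 with `tls: true`, which is reasonable only once the certificate and key exist at the configured paths, so note that prerequisite in a comment above `listeners:`.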
diff --git a/alpine/matrix/conf/os-release b/alpine/matrix/conf/os-release
deleted file mode 100644
index a6a2844..0000000
--- a/alpine/matrix/conf/os-release
+++ /dev/null
@@ -1,4 +0,0 @@
-PORTABLE_PRETTY_NAME="Synapse: A matrix homeserver"
-PORTABLE_ID=synapse
-PRETTY_NAME=Alpine
-ID=alpine
diff --git a/alpine/matrix/scripts/install-matrix.sh b/alpine/matrix/scripts/install-matrix.sh
deleted file mode 100644
index 8ecc993..0000000
--- a/alpine/matrix/scripts/install-matrix.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/sh
-
-apk --no-cache add --no-scripts --no-commit-hooks synapse
-
-find /usr -name "__pycache__" -exec rm -rf {} +
-find /usr -name "*.pyc" -exec rm {} +
-
-apk del alpine-keys
-
-rm -rf /etc/apk \
- /root/.cache \
- /root/.config \
- /var/cache/*
diff --git a/alpine/matrix/scripts/install-riot.sh b/alpine/matrix/scripts/install-riot.sh
deleted file mode 100644
index 46047b7..0000000
--- a/alpine/matrix/scripts/install-riot.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/sh
-
-apk --no-cache add --no-scripts --no-commit-hooks riot-web nginx
-
-apk del alpine-keys
-
-rm -rf /etc/apk \
- /root/.cache \
- /root/.config \
- /var/cache/*
diff --git a/alpine/matrix/scripts/install-turn.sh b/alpine/matrix/scripts/install-turn.sh
deleted file mode 100644
index c121ad9..0000000
--- a/alpine/matrix/scripts/install-turn.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/sh
-
-apk add --no-cache --purge -uU \
- --repository http://dl-cdn.alpinelinux.org/alpine/edge/testing \
- coturn sqlite-libs
-
-find /usr -name "__pycache__" -exec rm -rf {} +
-find /usr -name "*.pyc" -exec rm {} +
-
-apk del alpine-keys
-
-rm -rf /etc/apk \
- /root/.cache \
- /root/.config \
- /var/cache/*
diff --git a/alpine/matrix/scripts/install-pip.sh b/alpine/matrix/scripts/install.sh
similarity index 57%
rename from alpine/matrix/scripts/install-pip.sh
rename to alpine/matrix/scripts/install.sh
index 0c1fc4b..fd6407a 100644
--- a/alpine/matrix/scripts/install-pip.sh
+++ b/alpine/matrix/scripts/install.sh
@@ -10,27 +10,37 @@ apk --no-cache add --virtual .synapse-build \ libxslt-dev \ linux-headers \ python3-dev \ - py3-pip \ + yarn \ zlib-dev -pip3 install --upgrade --force pip setuptools +pip3 install --upgrade pip setuptools pip3 install https://github.com/matrix-org/synapse/tarball/master +IRC_DIR=/usr/lib/matrix-appservice-irc/ +mkdir ${IRC_DIR} +cd ${IRC_DIR} +yarn add matrix-appservice-irc +ln -s ${IRC_DIR}/node_modules/matrix-appservice-irc/bin/matrix-appservice-irc /usr/local/bin/matrix-appservice-irc + apk del .synapse-build -# Runtime packages +# Runtime packages. apk --no-cache add \ libjpeg-turbo \ libmagic \ - libressl \ + libressl2.7-libssl \ + nodejs \ python3 find /usr -name "__pycache__" -exec rm -rf {} + find /usr -name "*.pyc" -exec rm {} + +find /usr -name "*yarn*" -exec rm -rf {} + +find / -name "*node-gyp*" -exec rm -rf {} + apk del alpine-keys rm -rf /etc/apk \ /root/.cache \ /root/.config \ + /root/.npm \ /var/cache/* diff --git a/alpine/matrix/systemd/30-synapse-override.conf b/alpine/matrix/systemd/30-synapse-override.conf deleted file mode 100644 index f1446ce..0000000 --- a/alpine/matrix/systemd/30-synapse-override.conf +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -MemoryDenyWriteExecute=no diff --git a/alpine/matrix/systemd/matrix-appservice-irc.service b/alpine/matrix/systemd/matrix-appservice-irc.service new file mode 100644 index 0000000..940e77d --- /dev/null +++ b/alpine/matrix/systemd/matrix-appservice-irc.service @@ -0,0 +1,10 @@ +[Unit] +Description=Matrix IRC gateway +After=matrix.service +Requires=matrix.service + +[Service] +Type=exec +ExecStart=/usr/local/bin/matrix-appservice-irc -c /etc/matrix/irc-config.yaml -f /etc/matrix/irc-registration.yaml -p 7881 +StateDirectory=matrix-appservice-irc +ConfigurationDirectory=matrix diff --git a/alpine/matrix/systemd/matrix.service b/alpine/matrix/systemd/matrix.service index b9158c9..ac6d51f 100644 --- a/alpine/matrix/systemd/matrix.service +++ b/alpine/matrix/systemd/matrix.service 
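Review bot: `yarn add matrix-appservice-irc` installs an unpinned package from the npm registry at image build time, so each build may bake in a different bridge version with no record of what went in; pin it (`yarn add matrix-appservice-irc@<version>`, version to be chosen) and commit the resulting `yarn.lock`, installing from it with `yarn install --frozen-lockfile` so the image contents are reproducible and the lockfile's integrity hashes are enforced. `cd ${IRC_DIR}` is unchecked and no `set -e` is visible (the script header is outside the hunk), so if `mkdir` or `cd` fails `yarn add` runs in whatever the current directory is; use `cd "${IRC_DIR}" || exit 1`. `find / -name "*node-gyp*" -exec rm -rf {} +` walks the whole filesystem and deletes anything whose name matches the glob; restrict it to the known cache locations (the hunk already removes `/root/.npm` and `/root/.cache`) or at least to `/usr` like the neighbouring `find` lines. `IRC_DIR` ends in `/`, so the `ln -s ${IRC_DIR}/node_modules/...` target carries a doubled slash — harmless but worth tidying.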
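Review bot: The unit sets no `User=`/`DynamicUser=`, so unless the portable profile applied at attach time supplies one, the IRC bridge runs as root inside the image while reading `/etc/matrix/irc-registration.yaml` — presumably the appservice registration holding the tokens shared with synapse; the sibling `cgit.service` in this commit does set `User=`/`Group=`, so add `DynamicUser=yes` (or a dedicated account) here for consistency and least privilege. `Type=exec` requires systemd 240 or newer; if older hosts matter, `Type=simple` is the compatible choice. `Requires=matrix.service` ties the bridge's start to synapse but does nothing if the bridge itself dies, so consider `Restart=on-failure`.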
@@ -1,16 +1,17 @@ [Unit] Description=Synapse - Matrix homeserver +After=network-online.target Requires=network-online.target [Service] +MemoryDenyWriteExecute=no + Environment=LANG=en_US.UTF-8 Environment=SYNAPSE_LOG_LEVEL=DEBUG Environment=PYTHONDONTWRITEBYTECODE=1 -ExecStart=/usr/bin/synctl start /etc/matrix/homeserver.yaml --no-daemonize +ExecStart=/usr/bin/python3 -m synapse.app.homeserver -c /etc/matrix/homeserver.yaml ExecStop=/usr/bin/synctl stop /etc/matrix/homeserver.yaml -ExecReload=/opt/synapse/bin/synctl restart /etc/matrix/homeserver.yaml -StateDirectory=matrix -RuntimeDirectory=matrix +StateDirectory=matrix-synapse ConfigurationDirectory=matrix diff --git a/alpine/matrix/systemd/riot.service b/alpine/matrix/systemd/riot.service deleted file mode 100644 index b9158c9..0000000 --- a/alpine/matrix/systemd/riot.service +++ /dev/null @@ -1,16 +0,0 @@ -[Unit] -Description=Synapse - Matrix homeserver -Requires=network-online.target - -[Service] -Environment=LANG=en_US.UTF-8 -Environment=SYNAPSE_LOG_LEVEL=DEBUG -Environment=PYTHONDONTWRITEBYTECODE=1 - -ExecStart=/usr/bin/synctl start /etc/matrix/homeserver.yaml --no-daemonize -ExecStop=/usr/bin/synctl stop /etc/matrix/homeserver.yaml -ExecReload=/opt/synapse/bin/synctl restart /etc/matrix/homeserver.yaml - -StateDirectory=matrix -RuntimeDirectory=matrix -ConfigurationDirectory=matrix diff --git a/alpine/matrix/systemd/turn.service b/alpine/matrix/systemd/turn.service deleted file mode 100644 index a23b882..0000000 --- a/alpine/matrix/systemd/turn.service +++ /dev/null @@ -1,13 +0,0 @@ -[Unit] -Description=Coturn - TURN/STUN server -Requires=network-online.target - -[Service] -Environment=LANG=en_US.UTF-8 - -ExecStart=/usr/bin/turnserver -c /etc/coturn/turnserver.conf -Restart=on-failure - -StateDirectory=turn -RuntimeDirectory=turn -ConfigurationDirectory=turn
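Review bot: `ExecStart=` now runs synapse in the foreground via `python3 -m synapse.app.homeserver`, but `ExecStop=/usr/bin/synctl stop ...` is kept; `synctl stop` works by reading the `pid_file` from the config and signalling that process, which is the daemonised workflow, so with the foreground start it is redundant at best and fails if no pid file is written — drop `ExecStop=` and let systemd's default SIGTERM handle shutdown (confirm against the synapse version in the image). `MemoryDenyWriteExecute=no` is moved in from the deleted `30-synapse-override.conf` without explanation; it presumably overrides the portable profile's hardening, so record why it is needed, e.g. `# some native Python extension maps writable+executable memory; re-check on upgrade`. The added `After=network-online.target` alongside the existing `Requires=` is correct and needs no change.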