diff --git a/alpine/gitea/README.md b/alpine/gitea/README.md index 38498ed..438cf48 100644 --- a/alpine/gitea/README.md +++ b/alpine/gitea/README.md @@ -38,5 +38,5 @@ through the web UI, but here goes. ## TODO * Instructions for setting up SSH with Gitea's built-in SSH server and the SSH - server running on the host. + server running on the host. https://docs.gitea.io/en-us/install-with-docker/ * Real world configuration. diff --git a/alpine/matrix/README.md b/alpine/matrix/README.md index 3f55001..b7023d6 100644 --- a/alpine/matrix/README.md +++ b/alpine/matrix/README.md @@ -1,11 +1,9 @@ -Matrix synapse service with IRC and Telegram gateways -===================================================== +# Matrix synapse service with a TURN server and riot-web frontend -A collection of systemd services that run synapse and the IRC gateway -(matrix-appservice-irc) in an isolated read-only alpine squashfs image. +A collection of systemd services that run synapse, riot-web and a TURN server +as systemd portable services. -Building the squashfs image ---------------------------- +## Building the squashfs image Run: 
@@ -14,62 +12,24 @@ $ sh build.sh ``` It will create a rootfs/ folder with an alpine filesystem, install synapse, -matrix-appservice-irc and compress it into a squashfs image that will be used -as a root filesystem for the container. +compress it into a squashfs image that will be used as a root filesystem for +the container. -If the script finished successfully, you should get an \~45M matrix.raw +If the script finished successfully, you should get an \~25M matrix.raw image. -Running the portable services ------------------------------ +## Running the portable services Attach the container with `sudo portablectl attach ./matrix.raw`. - -The output should look something like this: - -``` {.sourceCode .shell} -$ sudo portablectl attach ./matrix.raw - -Created directory /etc/systemd/system.attached. -Created directory /etc/systemd/system.attached/matrix.service.d. -Written /etc/systemd/system.attached/matrix.service.d/20-portable.conf. -Created symlink /etc/systemd/system.attached/matrix.service.d/10-profile.conf → /usr/lib/systemd/portable/profile/default/service.conf. -Copied /etc/systemd/system.attached/matrix.service. -Created directory /etc/systemd/system.attached/matrix-appservice-irc.service.d. -Written /etc/systemd/system.attached/matrix-appservice-irc.service.d/20-portable.conf. -Created symlink /etc/systemd/system.attached/matrix-appservice-irc.service.d/10-profile.conf → /usr/lib/systemd/portable/profile/default/service.conf. -Copied /etc/systemd/system.attached/matrix-appservice-irc.service. -Created symlink /etc/portables/matrix.raw → /tmp/matrix.raw. - - Start/Stop as any other systemd service, e.g: ``` {.sourceCode .shell} -sudo systemctl start matrix-appservice-irc.service sudo systemctl stop matrix.service ``` -Existing matrix installations ------------------------------ +## Install another existing service -1. Stop your current services. -2. Copy all configuration files to `/etc/matrix`. -3. 
Run all portable services, so that they create all directories in - `/var/lib`. -4. Copy all data files, e.g. homeserver.db if you\'re using sqlite, - media and upload folders for synapse, rooms.db for the irc gateway, - etc. to `/var/lib/matrix-{synapse,appservice-irc}`. - -Warning -------- - -You should set up all logging to stdout. - -Any configuration that has something to do with the filesystem should be -configured to write files to `/var/lib/matrix-{synapse,appservice-irc}`. - -TODO ----- - -- Use a Makefile to build the image. Add attach, detach and clean - targets. +``` {.sourceCode .shell} +NAME=riot sh build.sh +sudo systemctl start riot.service +``` diff --git a/alpine/matrix/build.sh b/alpine/matrix/build.sh index 0682477..1b39dff 100644 --- a/alpine/matrix/build.sh +++ b/alpine/matrix/build.sh 
@@ -1,24 +1,43 @@
 #!/bin/sh
-ROOTFS=/tmp/matrix
-ALPINE_TARBALL=alpine-minirootfs-3.9.2-x86_64.tar.gz
+set -e
-wget http://dl-cdn.alpinelinux.org/alpine/v3.9/releases/x86_64/$ALPINE_TARBALL
+[ -z $NAME ] && NAME=matrix
+IMAGE=/tmp/$NAME.raw
+
+[ -z $ROOTFS ] && ROOTFS=$(mktemp -d $NAME.XXX -t)
+[ -z $ALPINE_VERSION ] && ALPINE_VERSION=3.13
+[ -z $ALPINE_RELEASE ] && ALPINE_RELEASE=1
+
+ALPINE_TARBALL=alpine-minirootfs-$ALPINE_VERSION.$ALPINE_RELEASE-x86_64.tar.gz
+
+[ -f $IMAGE.raw ] && rm $IMAGE.raw
+[ -f $ALPINE_TARBALL ] || wget http://dl-cdn.alpinelinux.org/alpine/v$ALPINE_VERSION/releases/x86_64/$ALPINE_TARBALL
 mkdir -p $ROOTFS
 tar xf $ALPINE_TARBALL -C $ROOTFS/ \
- ./etc/apk ./etc/os-release ./usr ./lib ./bin ./sbin ./var
+ ./etc ./usr ./lib ./bin ./sbin ./var
+
+chmod 755 $ROOTFS
 mkdir -p \
 $ROOTFS/etc/systemd/system \
 $ROOTFS/var/{lib,run,tmp} \
 $ROOTFS/{dev,tmp,proc,root,run,sys} \
- $ROOTFS/etc/matrix \
- $ROOTFS/var/lib/matrix-{synapse,appservice-irc}
+ $ROOTFS/etc/$NAME \
+ $ROOTFS/var/lib/$NAME \
+ $ROOTFS/run/systemd/unit-root/var/tmp
 touch $ROOTFS/etc/machine-id $ROOTFS/etc/resolv.conf
+cp -a systemd/${NAME}* $ROOTFS/etc/systemd/system/
+cp conf/os-release $ROOTFS/etc/os-release
-cp systemd/* $ROOTFS/etc/systemd/system/
+sudo systemd-nspawn --directory $ROOTFS/ \
+ --bind=$PWD/scripts/install-$NAME.sh:/root/install.sh \
+ /bin/sh /root/install.sh
-sudo systemd-nspawn --bind=$PWD/scripts/install.sh:/root/install.sh -D $ROOTFS/ /bin/sh /root/install.sh
-mksquashfs $ROOTFS/ /tmp/matrix.raw
+sudo mksquashfs $ROOTFS/ $IMAGE -all-root -noappend
+sudo systemctl stop $IMAGE || true
+sudo portablectl detach $IMAGE || true
+sudo portablectl attach $IMAGE
+sudo systemctl restart $NAME.service
diff --git a/alpine/matrix/conf/homeserver.jenga.yaml b/alpine/matrix/conf/homeserver.jenga.yaml
deleted file mode 100644
index 009d965..0000000
--- a/alpine/matrix/conf/homeserver.jenga.yaml
+++ /dev/null
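Review bot: `[ -f $ALPINE_TARBALL ] || wget http://dl-cdn.alpinelinux.org/...` fetches the root filesystem of the image over plain HTTP and never verifies it, and the `-f` guard means a truncated or tampered cached copy is reused on every later build. Fetch over https and check the digest Alpine publishes next to the tarball before extracting, e.g. `wget https://dl-cdn.alpinelinux.org/alpine/v$ALPINE_VERSION/releases/x86_64/$ALPINE_TARBALL.sha256` followed by `sha256sum -c $ALPINE_TARBALL.sha256`. Two smaller slips in the same hunk: `[ -f $IMAGE.raw ] && rm $IMAGE.raw` appends a second `.raw` to a path that already ends in one, so the stale image is never removed, and `sudo systemctl stop $IMAGE` passes a file path where a unit name is expected with `|| true` hiding the error — `sudo systemctl stop $NAME.service || true` is what the following detach/attach sequence appears to want. None of the expansions are quoted, so a NAME or ROOTFS containing whitespace would split the `rm`, `mksquashfs` and `portablectl` arguments.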
@@ -1,143 +0,0 @@ -no_tls: False -tls_certificate_path: "/etc/synapse/jenga.local.tls.crt" -tls_private_key_path: "/etc/synapse/jenga.local.tls.key" -tls_dh_params_path: "/etc/synapse/jenga.local.tls.dh" -tls_fingerprints: [] -# tls_fingerprints: [{"sha256": ""}] - - -## Server ## -server_name: "jenga.local" -pid_file: /var/lib/synapse/homeserver.pid - - -soft_file_limit: 0 -use_presence: true - - -listeners: - - - port: 8448 - bind_addresses: - - '::' - - '0.0.0.0' - type: http - tls: true - x_forwarded: false - resources: - - - names: - - client # The client-server APIs, both v1 and v2 - # - webclient # A web client. Requires web_client_location to be set. - compress: true - - - names: [federation] # Federation APIs - compress: false - - -# Database configuration -database: - name: "sqlite3" - args: - database: "/var/lib/synapse/homeserver.db" - -event_cache_size: "10K" - -log_config: "/etc/synapse/log.config" - - -## Ratelimiting ## -rc_messages_per_second: 0.2 -rc_message_burst_count: 10.0 -federation_rc_window_size: 1000 -federation_rc_sleep_limit: 10 -federation_rc_sleep_delay: 500 -federation_rc_reject_limit: 50 -federation_rc_concurrent: 3 - -# Directory where uploaded images and attachments are stored. 
-media_store_path: "/var/lib/synapse/media_store" -uploads_path: "/var/lib/synapse/uploads" -max_upload_size: "10M" -max_image_pixels: "32M" - -dynamic_thumbnails: false -thumbnail_sizes: -- width: 32 - height: 32 - method: crop -- width: 96 - height: 96 - method: crop -- width: 320 - height: 240 - method: scale -- width: 640 - height: 480 - method: scale -- width: 800 - height: 600 - method: scale - -url_preview_enabled: False -max_spider_size: "10M" - - -## Captcha ## -recaptcha_public_key: "YOUR_PUBLIC_KEY" -recaptcha_private_key: "YOUR_PRIVATE_KEY" -enable_registration_captcha: False -recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" - -turn_user_lifetime: "1h" -turn_allow_guests: True - - -## Registration ## -enable_registration: False -registration_shared_secret: ",@MxAOPr0kkpC-Gzzk1=Ea-HKH@S-utf:Uf0fiz;xAo~I2Y9Fk" -bcrypt_rounds: 12 -allow_guest_access: False -trusted_third_party_id_servers: - - matrix.org - - vector.im - -autocreate_auto_join_rooms: true - - -## Metrics ### -enable_metrics: False -report_stats: false - - -## API Configuration ## -room_invite_state_types: - - "m.room.join_rules" - - "m.room.canonical_alias" - - "m.room.avatar" - - "m.room.name" -app_service_config_files: [] -track_appservice_user_ips: False -macaroon_secret_key: "mL9+dY892cIh&=L6kdZV.SU;i_N=-*DBkA,p^Jp8eQ_v7-DXz4" -expire_access_token: False -form_secret: "&+O&4t2BKp=E++pPrc:Y=Uxi50yM,Z5XxX^VFQ7Fad^0y,#bOc" - -## Signing Keys ## - -signing_key_path: "/etc/synapse/jenga.local.signing.key" -old_signing_keys: {} -key_refresh_interval: "1d" # 1 Day. - - -# Enable password for login. -password_config: - enabled: true - # Uncomment and change to a secret random string for extra security. - # DO NOT CHANGE THIS AFTER INITIAL SETUP! - #pepper: "" - -enable_group_creation: false -alias_creation_rules: - - user_id: "*" - alias: "*" - action: allow 
diff --git a/alpine/matrix/conf/os-release b/alpine/matrix/conf/os-release
new file mode 100644
index 0000000..a6a2844
--- /dev/null
+++ b/alpine/matrix/conf/os-release
@@ -0,0 +1,4 @@
+PORTABLE_PRETTY_NAME="Synapse: A matrix homeserver"
+PORTABLE_ID=synapse
+PRETTY_NAME=Alpine
+ID=alpine
diff --git a/alpine/matrix/scripts/install-matrix.sh b/alpine/matrix/scripts/install-matrix.sh
new file mode 100644
index 0000000..8ecc993
--- /dev/null
+++ b/alpine/matrix/scripts/install-matrix.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+apk --no-cache add --no-scripts --no-commit-hooks synapse
+
+find /usr -name "__pycache__" -exec rm -rf {} +
+find /usr -name "*.pyc" -exec rm {} +
+
+apk del alpine-keys
+
+rm -rf /etc/apk \
+ /root/.cache \
+ /root/.config \
+ /var/cache/*
diff --git a/alpine/matrix/scripts/install.sh b/alpine/matrix/scripts/install-pip.sh
similarity index 57%
rename from alpine/matrix/scripts/install.sh
rename to alpine/matrix/scripts/install-pip.sh
index fd6407a..0c1fc4b 100644
--- a/alpine/matrix/scripts/install.sh
+++ b/alpine/matrix/scripts/install-pip.sh
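Review bot: `PORTABLE_ID=synapse` and the Synapse `PORTABLE_PRETTY_NAME` end up in every image, because build.sh copies `conf/os-release` unconditionally rather than per `$NAME`, so the riot and turn images added in this commit also identify themselves to portablectl as the Synapse homeserver. Either template the two values from `$NAME` in build.sh or ship one file per service (`conf/os-release.$NAME`) and copy the matching one.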
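Review bot: There is no `set -e`, so if `apk --no-cache add --no-scripts --no-commit-hooks synapse` fails the script carries on through the cleanup and exits with the status of the final `rm -rf`; build.sh then sees a successful systemd-nspawn run and goes on to squash and attach an image with no synapse in it. Add `set -e` directly after the shebang. install-riot.sh and install-turn.sh in this commit have the same gap.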
@@ -10,37 +10,27 @@ apk --no-cache add --virtual .synapse-build \
 libxslt-dev \
 linux-headers \
 python3-dev \
- yarn \
+ py3-pip \
 zlib-dev
-pip3 install --upgrade pip setuptools
+pip3 install --upgrade --force pip setuptools
 pip3 install https://github.com/matrix-org/synapse/tarball/master
-IRC_DIR=/usr/lib/matrix-appservice-irc/
-mkdir ${IRC_DIR}
-cd ${IRC_DIR}
-yarn add matrix-appservice-irc
-ln -s ${IRC_DIR}/node_modules/matrix-appservice-irc/bin/matrix-appservice-irc /usr/local/bin/matrix-appservice-irc
-
 apk del .synapse-build
-# Runtime packages.
+# Runtime packages
 apk --no-cache add \
 libjpeg-turbo \
 libmagic \
- libressl2.7-libssl \
- nodejs \
+ libressl \
 python3
 find /usr -name "__pycache__" -exec rm -rf {} +
 find /usr -name "*.pyc" -exec rm {} +
-find /usr -name "*yarn*" -exec rm -rf {} +
-find / -name "*node-gyp*" -exec rm -rf {} +
 apk del alpine-keys
 rm -rf /etc/apk \
 /root/.cache \
 /root/.config \
- /root/.npm \
 /var/cache/*
diff --git a/alpine/matrix/scripts/install-riot.sh b/alpine/matrix/scripts/install-riot.sh
new file mode 100644
index 0000000..46047b7
--- /dev/null
+++ b/alpine/matrix/scripts/install-riot.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+apk --no-cache add --no-scripts --no-commit-hooks riot-web nginx
+
+apk del alpine-keys
+
+rm -rf /etc/apk \
+ /root/.cache \
+ /root/.config \
+ /var/cache/*
diff --git a/alpine/matrix/scripts/install-turn.sh b/alpine/matrix/scripts/install-turn.sh
new file mode 100644
index 0000000..c121ad9
--- /dev/null
+++ b/alpine/matrix/scripts/install-turn.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+apk add --no-cache --purge -uU \
+ --repository http://dl-cdn.alpinelinux.org/alpine/edge/testing \
+ coturn sqlite-libs
+
+find /usr -name "__pycache__" -exec rm -rf {} +
+find /usr -name "*.pyc" -exec rm {} +
+
+apk del alpine-keys
+
+rm -rf /etc/apk \
+ /root/.cache \
+ /root/.config \
+ /var/cache/*
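Review bot: `pip3 install https://github.com/matrix-org/synapse/tarball/master` (kept as context here) bakes whatever is at the tip of master into the image with no version pin or checksum, so two builds from the same commit of this repo can yield different homeservers and there is no record of which one is running; pin a release, e.g. `pip3 install https://github.com/matrix-org/synapse/tarball/<RELEASE_TAG>` (placeholder tag), or use a hash-pinned requirements file. On the changed line, `pip3 install --upgrade --force pip setuptools` passes `--force`, which is not a pip option by that name and only works if optparse prefix-matches it to `--force-reinstall`; spell the option out. Note also that build.sh binds `scripts/install-$NAME.sh`, so this script is only reachable with `NAME=pip`, for which no unit exists in `systemd/`; if it is kept as an alternative install path, a one-line comment at the top saying so would help.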
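Review bot: `apk --no-cache add --no-scripts --no-commit-hooks riot-web nginx` skips the package install scripts, and for nginx those scripts are what normally create the unprivileged service account the stock configuration runs as; unless the image creates that user some other way, nginx may refuse to start with the default config. Either drop `--no-scripts` for this script or add the user explicitly here. Nothing in the hunk adds an nginx site configuration for the riot-web files, so that presumably has to arrive through the `/etc/riot` configuration directory build.sh creates — worth stating in the README.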
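Review bot: `apk add --no-cache --purge -uU --repository http://dl-cdn.alpinelinux.org/alpine/edge/testing coturn sqlite-libs` mixes the edge/testing repository into a stable 3.13 base, and because `-u` is set every package already in the rootfs that also exists in edge/testing is upgraded to the edge version, not just coturn; the repository is also reached over plain HTTP, although apk does verify package signatures. If coturn is available from the release's community repository prefer that, otherwise drop `-u` so only the two named packages come from testing. The two `find /usr -name "__pycache__"` / `"*.pyc"` lines are carried over from the Python install scripts and have nothing to clean in a coturn image; remove them.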
diff --git a/alpine/matrix/systemd/30-synapse-override.conf b/alpine/matrix/systemd/30-synapse-override.conf
new file mode 100644
index 0000000..f1446ce
--- /dev/null
+++ b/alpine/matrix/systemd/30-synapse-override.conf
@@ -0,0 +1,2 @@
+[Service]
+MemoryDenyWriteExecute=no
diff --git a/alpine/matrix/systemd/matrix-appservice-irc.service b/alpine/matrix/systemd/matrix-appservice-irc.service
deleted file mode 100644
index 940e77d..0000000
--- a/alpine/matrix/systemd/matrix-appservice-irc.service
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-Description=Matrix IRC gateway
-After=matrix.service
-Requires=matrix.service
-
-[Service]
-Type=exec
-ExecStart=/usr/local/bin/matrix-appservice-irc -c /etc/matrix/irc-config.yaml -f /etc/matrix/irc-registration.yaml -p 7881
-StateDirectory=matrix-appservice-irc
-ConfigurationDirectory=matrix
diff --git a/alpine/matrix/systemd/matrix.service b/alpine/matrix/systemd/matrix.service
index ac6d51f..b9158c9 100644
--- a/alpine/matrix/systemd/matrix.service
+++ b/alpine/matrix/systemd/matrix.service
@@ -1,17 +1,16 @@
 [Unit]
 Description=Synapse - Matrix homeserver
-After=network-online.target
 Requires=network-online.target
 [Service]
-MemoryDenyWriteExecute=no
-
 Environment=LANG=en_US.UTF-8
 Environment=SYNAPSE_LOG_LEVEL=DEBUG
 Environment=PYTHONDONTWRITEBYTECODE=1
-ExecStart=/usr/bin/python3 -m synapse.app.homeserver -c /etc/matrix/homeserver.yaml
+ExecStart=/usr/bin/synctl start /etc/matrix/homeserver.yaml --no-daemonize
 ExecStop=/usr/bin/synctl stop /etc/matrix/homeserver.yaml
+ExecReload=/opt/synapse/bin/synctl restart /etc/matrix/homeserver.yaml
-StateDirectory=matrix-synapse
+StateDirectory=matrix
+RuntimeDirectory=matrix
 ConfigurationDirectory=matrix
diff --git a/alpine/matrix/systemd/riot.service b/alpine/matrix/systemd/riot.service
new file mode 100644
index 0000000..b9158c9
--- /dev/null
+++ b/alpine/matrix/systemd/riot.service
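Review bot: This drop-in is never installed: build.sh copies `systemd/${NAME}*`, which matches `matrix.service` but not a file whose name starts with `30-`, and a drop-in only takes effect from a `matrix.service.d/` directory in any case. Since the same commit deletes `MemoryDenyWriteExecute=no` from matrix.service, the net effect is that the exemption disappears and synapse runs with whatever the portable profile sets; if it is still needed, have build.sh place the file at `etc/systemd/system/matrix.service.d/30-synapse-override.conf`, and if it is not, drop the file rather than keep a dead override.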
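Review bot: Dropping `After=network-online.target` while keeping `Requires=network-online.target` removes the startup ordering: `Requires=` only pulls the target into the transaction and does not delay ExecStart until it is reached, so synapse can start before the network is up. Keep `After=network-online.target` next to `Requires=`. The new `ExecReload=/opt/synapse/bin/synctl restart /etc/matrix/homeserver.yaml` uses a different prefix than the `/usr/bin/synctl` in ExecStart/ExecStop; install-matrix.sh installs the distro package, so `/opt/synapse` is unlikely to exist in this image and `systemctl reload matrix.service` would fail.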
@@ -0,0 +1,16 @@
+[Unit]
+Description=Synapse - Matrix homeserver
+Requires=network-online.target
+
+[Service]
+Environment=LANG=en_US.UTF-8
+Environment=SYNAPSE_LOG_LEVEL=DEBUG
+Environment=PYTHONDONTWRITEBYTECODE=1
+
+ExecStart=/usr/bin/synctl start /etc/matrix/homeserver.yaml --no-daemonize
+ExecStop=/usr/bin/synctl stop /etc/matrix/homeserver.yaml
+ExecReload=/opt/synapse/bin/synctl restart /etc/matrix/homeserver.yaml
+
+StateDirectory=matrix
+RuntimeDirectory=matrix
+ConfigurationDirectory=matrix
diff --git a/alpine/matrix/systemd/turn.service b/alpine/matrix/systemd/turn.service
new file mode 100644
index 0000000..a23b882
--- /dev/null
+++ b/alpine/matrix/systemd/turn.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Coturn - TURN/STUN server
+Requires=network-online.target
+
+[Service]
+Environment=LANG=en_US.UTF-8
+
+ExecStart=/usr/bin/turnserver -c /etc/coturn/turnserver.conf
+Restart=on-failure
+
+StateDirectory=turn
+RuntimeDirectory=turn
+ConfigurationDirectory=turn
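Review bot: This unit is a byte-for-byte copy of matrix.service (the index line shows the same blob, `b9158c9`): it describes itself as the Synapse homeserver and its ExecStart/ExecStop/ExecReload run synctl against `/etc/matrix/homeserver.yaml`, so the README's `sudo systemctl start riot.service` would start a second synapse rather than the riot-web/nginx frontend that install-riot.sh installs. Replace the Synapse-specific lines with the frontend's command — presumably nginx in the foreground, along the lines of `ExecStart=/usr/sbin/nginx -g 'daemon off;'` — drop the synapse `Environment=` lines and the ExecStop/ExecReload, and change `StateDirectory=`, `RuntimeDirectory=` and `ConfigurationDirectory=` to `riot` so they match the `/etc/$NAME` and `/var/lib/$NAME` directories build.sh creates. `Requires=network-online.target` should also be paired with `After=network-online.target`.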
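Review bot: `ExecStart=/usr/bin/turnserver -c /etc/coturn/turnserver.conf` reads its configuration from `/etc/coturn`, but `ConfigurationDirectory=turn` and build.sh's `mkdir -p $ROOTFS/etc/$NAME` provision `/etc/turn`, so whatever a host operator places in the configuration directory is not what turnserver loads; use `-c /etc/turn/turnserver.conf` or set `ConfigurationDirectory=coturn`. The unit also runs turnserver as root with no `User=`; for a relay that by design accepts traffic from the internet, `DynamicUser=yes` (which works with the `StateDirectory=`/`RuntimeDirectory=` already set) or a dedicated unprivileged user is the minimum I would expect. As in the other units, `Requires=network-online.target` needs an accompanying `After=network-online.target` to actually order startup.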