

32 commits

a7952792f6 forgejo/v8.0.3 2024-09-12 15:09:43 -04:00
20ae6c1795 forgejo/v8.0.1 2024-08-13 05:11:16 -04:00
1d36074033 forgejo/v8.0.0 2024-08-07 03:14:41 -04:00
3d9c0ff585 v7.0.3 2024-06-04 14:16:35 -04:00
6a24d3ed34 v7.0.2 2024-05-02 14:56:58 -04:00
cda5d52791 x-amz-checksum-algorithm must be md5 for b2 2024-04-30 14:24:15 -04:00
0d5d97e5ec v7.0.1 2024-04-29 10:10:53 -04:00
cd100421a6 v1.21.11+1 2024-04-22 10:54:35 -04:00
c58e568da2 update forgejo 2024-04-05 15:30:23 -04:00
b3033edcfc update forgejo 2024-04-01 10:53:07 -04:00
090eb0d686 update forgejo 2024-03-11 14:07:39 -04:00
9db0bc7c73 update to latest stable 2024-01-16 15:18:59 -05:00
ff9478cc4b update to latest stable 2024-01-15 09:57:57 -05:00
f313245419 update for CVE 2023-12-13 13:37:30 -05:00
cc64568f64 CVE forced upgrade 2023-12-07 10:54:41 -05:00
b2562e67c8 setup docker build host 2023-11-27 09:48:04 -05:00
3437d38091 update to avoid CVE 2023-11-27 09:47:45 -05:00
c8989f4a35 updates 2023-11-22 14:24:23 -05:00
dcb8a44f74 enable scale to zero for pg 2023-11-20 15:41:35 -05:00
8278515b93 fixes 2023-11-15 14:37:51 -05:00
812c44be63
tweaks 2023-10-26 12:07:20 -04:00
43e581f079
add burd.me as identity server 2023-10-25 16:30:17 -04:00
4f46eebbac Merge pull request 'add log shipping via vector for all fly "personal" deployments to better stack' (#2) from logs into main
Reviewed-on: #2
2023-10-25 15:41:36 +00:00
157a3eaa73
Updated toml according to article, and some notes. 2023-10-25 11:21:18 -04:00
746f60a3df
add fly launch-generated toml 2023-10-25 11:18:20 -04:00
64f9fbbaef Merge pull request 'add dendrite for matrix.burd.me' (#1) from dendrite into main
Reviewed-on: #1
2023-10-25 15:07:09 +00:00
aa1351d743
remove unused env var 2023-10-25 11:04:37 -04:00
c949ca01eb
more closely align config and sample config 2023-10-25 11:03:09 -04:00
35421db73d
fix docs 2023-10-25 10:55:53 -04:00
fc29b7c9fc
house keeping 2023-10-25 10:54:05 -04:00
7fa500dbf3
update to allow for secrets to remain hidden 2023-10-25 10:54:04 -04:00
23c36f924f
import https://codeberg.org/gerald/dendrite-on-flyio 2023-10-25 10:54:04 -04:00
20 changed files with 1062 additions and 12 deletions

0
.env Normal file

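--- a/.envrc
+++ b/.envrc
@@ -0,0 +1,6 @@
+dotenv
+#[ -d .venv ] || (python -m venv .venv; python -m pip install rbtools)
+#[ -f .venv/bin/activate ] && source .venv/bin/activate
+watch_file devShell.nix shell.nix flake.nix
+#use flake || use nix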
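Review bot: `dotenv` on the first line loads the repository's `.env` into every shell that enters this directory, and that `.env` is a tracked file in this same change (the root `.gitignore` only excludes `.direnv/`, `.nvimlog` and `*.priv.*`), so any credential dropped into it later is committed alongside the code. The file is empty in this commit, so nothing has leaked yet, but the layout invites it. Keep the tracked `.env` for non-secret defaults and source secrets from a name the existing ignore rule already covers, e.g. add `dotenv_if_exists .env.priv.local` after the `dotenv` line. If `.env` is instead meant to hold secrets, add `.env` to `.gitignore` and untrack the file.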

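--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
+.direnv/
 .nvimlog
 *.priv.*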

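--- a/dendrite/.dockerignore
+++ b/dendrite/.dockerignore
@@ -0,0 +1,4 @@
+# flyctl launch added from .gitignore
+fly.toml
+matrix_key.pem
+dendrite-sample.in.yaml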

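--- a/dendrite/.gitignore
+++ b/dendrite/.gitignore
@@ -0,0 +1 @@
+matrix_key.pem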
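Review bot: Only `matrix_key.pem` is ignored here, but the README's second key-generation command in this same change (`generate-keys --private-key=matrix_key.pem --tls-cert=server.crt --tls-key=server.key`) also writes `server.crt` and `server.key` into this directory, and the TLS private key would go in on the next `git add .`. Widen the rule to `*.pem`, `server.key` and `server.crt` (or a `*.key` glob). The sibling `.dockerignore` states it was generated from this file, so mirror the additions there as well so the keys stay out of the build context.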

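--- a/dendrite/Dockerfile
+++ b/dendrite/Dockerfile
@@ -0,0 +1,9 @@
+FROM matrixdotorg/dendrite-monolith:v0.13.4
+RUN apk --update --no-cache add envsubst tini postgresql-client
+COPY dendrite.in.yaml /etc/dendrite/
+COPY docker-entrypoint.sh /
+ENTRYPOINT ["/sbin/tini", "--", "/docker-entrypoint.sh"]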
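Review bot: The `FROM` line pins the base image by the `v0.13.4` tag only, and the `apk add` line installs whatever `envsubst`, `tini` and `postgresql-client` are current at build time, so two builds of this Dockerfile are not guaranteed to produce the same image and a re-pushed tag would be picked up silently. Pin the digest as well, `FROM matrixdotorg/dendrite-monolith:v0.13.4@sha256:<digest>`, and pin the apk package versions if reproducibility matters. The README in this change generates the signing key from `matrixdotorg/dendrite-monolith:latest`; it should reference the same pinned version as this file. No `USER` is set and `docker-entrypoint.sh` (outside this view) presumably renders `dendrite.in.yaml` with the `envsubst` installed here, so the rendered config containing `DATABASE_URL` and the registration secret lands on the container filesystem as whatever user the base image runs; confirm that is not root.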

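--- a/dendrite/README.md
+++ b/dendrite/README.md
@@ -0,0 +1,89 @@
+# Matrix Homeserver on fly.io
+Quick notes on how to run [dendrite] for a small scale Matrix homeserver on [fly.io] with sqlite storage.
+## Requirements
+- A domain name where you can create/change A, AAAA and SRV records
+- A [fly.io] account and the [`flyctl`] cli installed
+- Docker or similar container runtime installed
+## Preparations
+For federation (talking to other homeservers), your server needs is a matrix server key.
+Generate the server key using either the dendrite container:
+```shell
+docker run --rm -it -v $(pwd):/key -w /key --entrypoint /usr/bin/generate-keys matrixdotorg/dendrite-monolith:latest --private-key matrix_key.pem
+```
+or the `generate-keys` app:
+```shell
+go run github.com/matrix-org/dendrite/cmd/generate-keys \
+--private-key=matrix_key.pem \
+--tls-cert=server.crt \
+--tls-key=server.key
+```
+**Do not loose this key!**
+Next, make copy the `dendrite-sample.in.yaml` to `dentrite.in.yaml` and change the `global.server_name` to your desired domain.
+Finally, change the `app = "dendrite-on-fly"` line in `fly.toml` to an app name of your desire.
+## Deployment
+Choose your Fly.io region (`flyctl platform regions`) and edit the `fly.toml`
+file.
+Create a 10GB persistent volume mount in your desired region.
+```shell
+flyctl volumes create dendrite_data --region bos --size 10
+```
+Now you simply can deploy dendrite using
+```
+flyctl deploy
+```
+## Secrets
+```shell
+flyctl secrets set "DATABASE_URL=postgresql://user:pass@hostname/database?params=..."
+flyctl secrets set "REGISTRATION_SHARED_SECRET=imabad5cret!"
+base64 -w0 matrix_key.pem | flyctl secrets set MATRIX_KEY_PEM=-
+```
+## Domain configuration
+After deployment, execute `flyctl info` to obtain the IP addresses your app runs on.
+Use these IPs to create A and AAAA records for the domain name you configured in `dendrite.yaml`
+Usually matrix federates on port 8448, but it is possible to use a SRV record to specify a different port (8443 in our case).
+Create a SRV record at `_matrix._tcp.<the-original-domain>` with values `10 10 8443 <the-original-domain>`
+It is possible to test federation with the [Matrix federation tester](https://federationtester.matrix.org/).
+Once you have set up the A and AAAA records, obtain a TLS certificate using `flyctl`
+```
+flyctl certs add <hostname>
+```
+You now can create accounts on your homeserver and start chatting with people.
+## Still to figure out
+- How to backup your sqlite file
+## Useful information
+- flyctl v0.0.181 and dendrite v0.3.11 were used
+[dendrite]: https://github.com/matrix-org/dendrite
+[fly.io]: https://fly.io
+[`flyctl`]: https://github.com/superfly/flyctl/releases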

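--- a/dendrite/TODO
+++ b/dendrite/TODO
@@ -0,0 +1,10 @@
+* file upload/download
+* 3pid/email/requestToken untrusted server '' thirdpid config of phone and email failing
+* video/voice calls
+https://landchad.net/coturn/
+https://landchad.net/dendrite/
+* media on s3
+https://github.com/turt2live/matrix-media-repo/
+https://quentin.dufour.io/blog/2021-09-14/matrix-synapse-s3-storage/
+* migration
+https://ems.element.io/tools/matrix-migration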


@ -0,0 +1,409 @@
# This is the Dendrite configuration file.
#
# The configuration is split up into sections - each Dendrite component has a
# configuration section, in addition to the "global" section which applies to
# all components.
# NOTES:
# -----------------------------------------------------------------------------
#
# At a minimum, to get started, you will need to update the settings in the
# "global" section for your deployment, and you will need to check that the
# database "connection_string" line in each component section is correct.
#
# Each component with a "database" section can accept the following formats
# for "connection_string":
# SQLite: file:filename.db
# file:///path/to/filename.db
# PostgreSQL: postgresql://user:pass@hostname/database?params=...
#
# SQLite is embedded into Dendrite and therefore no further prerequisites are
# needed for the database when using SQLite mode. However, performance with
# PostgreSQL is significantly better and recommended for multi-user deployments.
# SQLite is typically around 20-30% slower than PostgreSQL when tested with a
# small number of users and likely will perform worse still with a higher volume
# of users.
#
# The "max_open_conns" and "max_idle_conns" settings configure the maximum
# number of open/idle database connections. The value 0 will use the database
# engine default, and a negative value will use unlimited connections. The
# "conn_max_lifetime" option controls the maximum length of time a database
# connection can be idle in seconds - a negative value is unlimited.
# -----------------------------------------------------------------------------
# The version of the configuration file.
version: 2
client_api:
registration_shared_secret: ${REGISTRATION_SHARED_SECRET}
# Global Matrix configuration. This configuration applies to all components.
global:
# The domain name of this homeserver.
server_name: localhost
# The path to the signing private key file, used to sign requests and events.
# Note that this is NOT the same private key as used for TLS! To generate a
# signing key, use "./bin/generate-keys --private-key matrix_key.pem".
private_key: matrix_key.pem
# The paths and expiry timestamps (as a UNIX timestamp in millisecond precision)
# to old signing keys that were formerly in use on this domain name. These
# keys will not be used for federation request or event signing, but will be
# provided to any other homeserver that asks when trying to verify old events.
old_private_keys:
# If the old private key file is available:
# - private_key: old_matrix_key.pem
# expired_at: 1601024554498
# If only the public key (in base64 format) and key ID are known:
# - public_key: mn59Kxfdq9VziYHSBzI7+EDPDcBS2Xl7jeUdiiQcOnM=
# key_id: ed25519:mykeyid
# expired_at: 1601024554498
# How long a remote server can cache our server signing key before requesting it
# again. Increasing this number will reduce the number of requests made by other
# servers for our key but increases the period that a compromised key will be
# considered valid by other homeservers.
key_validity_period: 168h0m0s
# Global database connection pool, for PostgreSQL monolith deployments only. If
# this section is populated then you can omit the "database" blocks in all other
# sections. For monolith deployments using SQLite databases,
# you must configure the "database" block for each component instead.
database:
connection_string: ${DATABASE_URL}
max_open_conns: 90
max_idle_conns: 5
conn_max_lifetime: -1
# Configuration for in-memory caches. Caches can often improve performance by
# keeping frequently accessed items (like events, identifiers etc.) in memory
# rather than having to read them from the database.
cache:
# The estimated maximum size for the global cache in bytes, or in terabytes,
# gigabytes, megabytes or kilobytes when the appropriate 'tb', 'gb', 'mb' or
# 'kb' suffix is specified. Note that this is not a hard limit, nor is it a
# memory limit for the entire process. A cache that is too small may ultimately
# provide little or no benefit.
max_size_estimated: 1gb
# The maximum amount of time that a cache entry can live for in memory before
# it will be evicted and/or refreshed from the database. Lower values result in
# easier admission of new cache entries but may also increase database load in
# comparison to higher values, so adjust conservatively. Higher values may make
# it harder for new items to make it into the cache, e.g. if new rooms suddenly
# become popular.
max_age: 1h
# The server name to delegate server-server communications to, with optional port
# e.g. localhost:443
well_known_server_name: ""
# The base URL to delegate client-server communications to e.g. https://localhost
well_known_client_name: ""
# The server name to delegate sliding sync communications to, with optional port.
# Requires `well_known_client_name` to also be configured.
well_known_sliding_sync_proxy: ""
# Lists of domains that the server will trust as identity servers to verify third
# party identifiers such as phone numbers and email addresses.
trusted_third_party_id_servers:
- matrix.org
- vector.im
# Disables federation. Dendrite will not be able to communicate with other servers
# in the Matrix federation and the federation API will not be exposed.
disable_federation: false
# Configures the handling of presence events. Inbound controls whether we receive
# presence events from other servers, outbound controls whether we send presence
# events for our local users to other servers.
presence:
enable_inbound: true
enable_outbound: true
# Configures phone-home statistics reporting. These statistics contain the server
# name, number of active users and some information on your deployment config.
# We use this information to understand how Dendrite is being used in the wild.
report_stats:
enabled: true
endpoint: https://panopticon.matrix.org/push
# Server notices allows server admins to send messages to all users on the server.
server_notices:
enabled: false
# The local part, display name and avatar URL (as a mxc:// URL) for the user that
# will send the server notices. These are visible to all users on the deployment.
local_part: "_server"
display_name: "Server Alerts"
avatar_url: ""
# The room name to be used when sending server notices. This room name will
# appear in user clients.
room_name: "Server Alerts"
# Configuration for NATS JetStream
jetstream:
# A list of NATS Server addresses to connect to. If none are specified, an
# internal NATS server will be started automatically when running Dendrite in
# monolith mode.
addresses:
# - localhost:4222
# Disable the validation of TLS certificates of NATS. This is
# not recommended in production since it may allow NATS traffic
# to be sent to an insecure endpoint.
disable_tls_validation: false
# Persistent directory to store JetStream streams in. This directory should be
# preserved across Dendrite restarts.
storage_path: /data/nats
# The prefix to use for stream names for this homeserver - really only useful
# if you are running more than one Dendrite server on the same NATS deployment.
topic_prefix: Dendrite
# Configuration for Kafka/Naffka.
kafka:
# List of Kafka broker addresses to connect to. This is not needed if using
# Naffka in monolith mode.
addresses:
- kafka:9092
# The prefix to use for Kafka topic names for this homeserver. Change this only if
# you are running more than one Dendrite homeserver on the same Kafka deployment.
topic_prefix: Dendrite
# Whether to use Naffka instead of Kafka. This is only available in monolith
# mode, but means that you can run a single-process server without requiring
# Kafka.
use_naffka: true
# Naffka database options. Not required when using Kafka.
naffka_database:
connection_string: file:///data/dendrite.db
max_open_conns: 10
max_idle_conns: 2
conn_max_lifetime: -1
# Configuration for Prometheus metric collection.
metrics:
enabled: false
# HTTP basic authentication to protect access to monitoring.
basic_auth:
username: metrics
password: metrics
# Optional DNS cache. The DNS cache may reduce the load on DNS servers if there
# is no local caching resolver available for use.
dns_cache:
enabled: false
# Maximum number of entries to hold in the DNS cache, and
# for how long those items should be considered valid in seconds.
cache_size: 256
cache_lifetime: "5m" # 5 minutes; https://pkg.go.dev/time@master#ParseDuration
# Configuration for the Appservice API.
app_service_api:
# Disable the validation of TLS certificates of appservices. This is
# not recommended in production since it may allow appservice traffic
# to be sent to an insecure endpoint.
disable_tls_validation: false
# Appservice configuration files to load into this homeserver.
config_files:
# - /path/to/appservice_registration.yaml
# Configuration for the Client API.
client_api:
# Prevents new users from being able to register on this homeserver, except when
# using the registration shared secret below.
registration_disabled: true
# Prevents new guest accounts from being created. Guest registration is also
# disabled implicitly by setting 'registration_disabled' above.
guests_disabled: true
# If set, allows registration by anyone who knows the shared secret, regardless
# of whether registration is otherwise disabled.
registration_shared_secret: ""
# Whether to require reCAPTCHA for registration. If you have enabled registration
# then this is HIGHLY RECOMMENDED to reduce the risk of your homeserver being used
# for coordinated spam attacks.
enable_registration_captcha: false
# Settings for ReCAPTCHA.
recaptcha_public_key: ""
recaptcha_private_key: ""
recaptcha_bypass_secret: ""
# To use hcaptcha.com instead of ReCAPTCHA, set the following parameters, otherwise just keep them empty.
# recaptcha_siteverify_api: "https://hcaptcha.com/siteverify"
# recaptcha_api_js_url: "https://js.hcaptcha.com/1/api.js"
# recaptcha_form_field: "h-captcha-response"
# recaptcha_sitekey_class: "h-captcha"
# TURN server information that this homeserver should send to clients.
turn:
turn_user_lifetime: "5m"
turn_uris:
# - turn:turn.server.org?transport=udp
# - turn:turn.server.org?transport=tcp
turn_shared_secret: ""
# If your TURN server requires static credentials, then you will need to enter
# them here instead of supplying a shared secret. Note that these credentials
# will be visible to clients!
# turn_username: ""
# turn_password: ""
# Settings for rate-limited endpoints. Rate limiting kicks in after the threshold
# number of "slots" have been taken by requests from a specific host. Each "slot"
# will be released after the cooloff time in milliseconds. Server administrators
# and appservice users are exempt from rate limiting by default.
rate_limiting:
enabled: true
threshold: 20
cooloff_ms: 500
exempt_user_ids:
# - "@user:domain.com"
# Configuration for the Federation API.
federation_api:
# How many times we will try to resend a failed transaction to a specific server. The
# backoff is 2**x seconds, so 1 = 2 seconds, 2 = 4 seconds, 3 = 8 seconds etc. Once
# the max retries are exceeded, Dendrite will no longer try to send transactions to
# that server until it comes back to life and connects to us again.
send_max_retries: 16
# Disable the validation of TLS certificates of remote federated homeservers. Do not
# enable this option in production as it presents a security risk!
disable_tls_validation: false
# Disable HTTP keepalives, which also prevents connection reuse. Dendrite will typically
# keep HTTP connections open to remote hosts for 5 minutes as they can be reused much
# more quickly than opening new connections each time. Disabling keepalives will close
# HTTP connections immediately after a successful request but may result in more CPU and
# memory being used on TLS handshakes for each new connection instead.
disable_http_keepalives: false
# Perspective keyservers to use as a backup when direct key fetches fail. This may
# be required to satisfy key requests for servers that are no longer online when
# joining some rooms.
key_perspectives:
- server_name: matrix.org
keys:
- key_id: ed25519:auto
public_key: Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw
- key_id: ed25519:a_RXGa
public_key: l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ
# This option will control whether Dendrite will prefer to look up keys directly
# or whether it should try perspective servers first, using direct fetches as a
# last resort.
prefer_direct_fetch: false
# Configuration for the Media API.
media_api:
# Storage path for uploaded media. May be relative or absolute.
base_path: /data/media_store
# The maximum allowed file size (in bytes) for media uploads to this homeserver
# (0 = unlimited). If using a reverse proxy, ensure it allows requests at least
#this large (e.g. the client_max_body_size setting in nginx).
max_file_size_bytes: 10485760
# Whether to dynamically generate thumbnails if needed.
dynamic_thumbnails: false
# The maximum number of simultaneous thumbnail generators to run.
max_thumbnail_generators: 10
# A list of thumbnail sizes to be generated for media content.
thumbnail_sizes:
- width: 32
height: 32
method: crop
- width: 96
height: 96
method: crop
- width: 640
height: 480
method: scale
# Configuration for enabling experimental MSCs on this homeserver.
mscs:
mscs:
# - msc2836 # (Threading, see https://github.com/matrix-org/matrix-doc/pull/2836)
# Configuration for the Sync API.
sync_api:
# This option controls which HTTP header to inspect to find the real remote IP
# address of the client. This is likely required if Dendrite is running behind
# a reverse proxy server.
# real_ip_header: X-Real-IP
# Configuration for the full-text search engine.
search:
# Whether or not search is enabled.
enabled: true
# The path where the search index will be created in.
index_path: "/data/searchindex"
# The language most likely to be used on the server - used when indexing, to
# ensure the returned results match expectations. A full list of possible languages
# can be found at https://github.com/blevesearch/bleve/tree/master/analysis/lang
language: "en"
# Configuration for the User API.
user_api:
# The cost when hashing passwords on registration/login. Default: 10. Min: 4, Max: 31
# See https://pkg.go.dev/golang.org/x/crypto/bcrypt for more information.
# Setting this lower makes registration/login consume less CPU resources at the cost
# of security should the database be compromised. Setting this higher makes registration/login
# consume more CPU resources but makes it harder to brute force password hashes. This value
# can be lowered if performing tests or on embedded Dendrite instances (e.g WASM builds).
bcrypt_cost: 10
# The length of time that a token issued for a relying party from
# /_matrix/client/r0/user/{userId}/openid/request_token endpoint
# is considered to be valid in milliseconds.
# The default lifetime is 3600000ms (60 minutes).
# openid_token_lifetime_ms: 3600000
# Users who register on this homeserver will automatically be joined to the rooms listed under "auto_join_rooms" option.
# By default, any room aliases included in this list will be created as a publicly joinable room
# when the first user registers for the homeserver. If the room already exists,
# make certain it is a publicly joinable room, i.e. the join rule of the room must be set to 'public'.
# As Spaces are just rooms under the hood, Space aliases may also be used.
auto_join_rooms:
# - "#main:matrix.org"
# Configuration for OpenTracing.
# See https://github.com/matrix-org/dendrite/tree/master/docs/tracing for information on
# how this works and how to set it up.
tracing:
enabled: false
jaeger:
serviceName: ""
disabled: false
rpc_metrics: false
tags: []
sampler: null
reporter: null
headers: null
baggage_restrictions: null
throttler: null
# Logging configuration. The "std" logging type controls the logs being sent to
# stdout. The "file" logging type controls logs being written to a log folder on
# the disk. Supported log levels are "debug", "info", "warn", "error".
logging:
- type: std
level: info
- type: file
level: info
params:
path: /var/logs/dendrite
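Review bot: `client_api` appears twice as a top-level mapping in this sample config: once near the top with only `registration_shared_secret: ${REGISTRATION_SHARED_SECRET}`, and again further down with `registration_disabled`, `guests_disabled` and `registration_shared_secret: ""`. Duplicate mapping keys are either a parse error or last-one-wins depending on the YAML library, and in the latter case the shared secret silently ends up empty, so secret-based registration looks configured but is not. Remove the two-line block at the top and put the placeholder in the second block instead, `registration_shared_secret: ${REGISTRATION_SHARED_SECRET}`, which is how the sibling `dendrite.in.yaml` in this same change does it. Note also that `report_stats.enabled: true` reports the server name and active-user counts to `panopticon.matrix.org`; if this file is the upstream sample that is the upstream default, but the deployable copy should make that choice deliberately.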

407
dendrite/dendrite.in.yaml Normal file

@ -0,0 +1,407 @@
# This is the Dendrite configuration file.
#
# The configuration is split up into sections - each Dendrite component has a
# configuration section, in addition to the "global" section which applies to
# all components.
# NOTES:
# -----------------------------------------------------------------------------
#
# At a minimum, to get started, you will need to update the settings in the
# "global" section for your deployment, and you will need to check that the
# database "connection_string" line in each component section is correct.
#
# Each component with a "database" section can accept the following formats
# for "connection_string":
# SQLite: file:filename.db
# file:///path/to/filename.db
# PostgreSQL: postgresql://user:pass@hostname/database?params=...
#
# SQLite is embedded into Dendrite and therefore no further prerequisites are
# needed for the database when using SQLite mode. However, performance with
# PostgreSQL is significantly better and recommended for multi-user deployments.
# SQLite is typically around 20-30% slower than PostgreSQL when tested with a
# small number of users and likely will perform worse still with a higher volume
# of users.
#
# The "max_open_conns" and "max_idle_conns" settings configure the maximum
# number of open/idle database connections. The value 0 will use the database
# engine default, and a negative value will use unlimited connections. The
# "conn_max_lifetime" option controls the maximum length of time a database
# connection can be idle in seconds - a negative value is unlimited.
# -----------------------------------------------------------------------------
# The version of the configuration file.
version: 2
# Global Matrix configuration. This configuration applies to all components.
global:
# The domain name of this homeserver.
server_name: matrix.burd.me
# The path to the signing private key file, used to sign requests and events.
# Note that this is NOT the same private key as used for TLS! To generate a
# signing key, use "./bin/generate-keys --private-key matrix_key.pem".
private_key: /etc/dendrite/matrix_key.pem
# The paths and expiry timestamps (as a UNIX timestamp in millisecond precision)
# to old signing keys that were formerly in use on this domain name. These
# keys will not be used for federation request or event signing, but will be
# provided to any other homeserver that asks when trying to verify old events.
old_private_keys:
# If the old private key file is available:
# - private_key: old_matrix_key.pem
# expired_at: 1601024554498
# If only the public key (in base64 format) and key ID are known:
# - public_key: mn59Kxfdq9VziYHSBzI7+EDPDcBS2Xl7jeUdiiQcOnM=
# key_id: ed25519:mykeyid
# expired_at: 1601024554498
# How long a remote server can cache our server signing key before requesting it
# again. Increasing this number will reduce the number of requests made by other
# servers for our key but increases the period that a compromised key will be
# considered valid by other homeservers.
key_validity_period: 168h0m0s
# Global database connection pool, for PostgreSQL monolith deployments only. If
# this section is populated then you can omit the "database" blocks in all other
# sections. For monolith deployments using SQLite databases,
# you must configure the "database" block for each component instead.
database:
connection_string: ${DATABASE_URL}?sslmode=disable
max_open_conns: 90
max_idle_conns: 5
conn_max_lifetime: -1
# Configuration for in-memory caches. Caches can often improve performance by
# keeping frequently accessed items (like events, identifiers etc.) in memory
# rather than having to read them from the database.
cache:
# The estimated maximum size for the global cache in bytes, or in terabytes,
# gigabytes, megabytes or kilobytes when the appropriate 'tb', 'gb', 'mb' or
# 'kb' suffix is specified. Note that this is not a hard limit, nor is it a
# memory limit for the entire process. A cache that is too small may ultimately
# provide little or no benefit.
max_size_estimated: 1gb
# The maximum amount of time that a cache entry can live for in memory before
# it will be evicted and/or refreshed from the database. Lower values result in
# easier admission of new cache entries but may also increase database load in
# comparison to higher values, so adjust conservatively. Higher values may make
# it harder for new items to make it into the cache, e.g. if new rooms suddenly
# become popular.
max_age: 1h
# The server name to delegate server-server communications to, with optional port
# e.g. localhost:443
well_known_server_name: ""
# The base URL to delegate client-server communications to e.g. https://localhost
well_known_client_name: ""
# The server name to delegate sliding sync communications to, with optional port.
# Requires `well_known_client_name` to also be configured.
well_known_sliding_sync_proxy: ""
# Lists of domains that the server will trust as identity servers to verify third
# party identifiers such as phone numbers and email addresses.
trusted_third_party_id_servers:
- matrix.org
- vector.im
- matrix.burd.me
# Disables federation. Dendrite will not be able to communicate with other servers
# in the Matrix federation and the federation API will not be exposed.
disable_federation: false
# Configures the handling of presence events. Inbound controls whether we receive
# presence events from other servers, outbound controls whether we send presence
# events for our local users to other servers.
presence:
enable_inbound: true
enable_outbound: true
# Configures phone-home statistics reporting. These statistics contain the server
# name, number of active users and some information on your deployment config.
# We use this information to understand how Dendrite is being used in the wild.
report_stats:
enabled: true
endpoint: https://panopticon.matrix.org/push
# Server notices allows server admins to send messages to all users on the server.
server_notices:
enabled: false
# The local part, display name and avatar URL (as a mxc:// URL) for the user that
# will send the server notices. These are visible to all users on the deployment.
local_part: "_server"
display_name: "Server Alerts"
avatar_url: ""
# The room name to be used when sending server notices. This room name will
# appear in user clients.
room_name: "Server Alerts"
# Configuration for NATS JetStream
jetstream:
# A list of NATS Server addresses to connect to. If none are specified, an
# internal NATS server will be started automatically when running Dendrite in
# monolith mode.
addresses:
# - localhost:4222
# Disable the validation of TLS certificates of NATS. This is
# not recommended in production since it may allow NATS traffic
# to be sent to an insecure endpoint.
disable_tls_validation: false
# Persistent directory to store JetStream streams in. This directory should be
# preserved across Dendrite restarts.
storage_path: /data/nats
# The prefix to use for stream names for this homeserver - really only useful
# if you are running more than one Dendrite server on the same NATS deployment.
topic_prefix: Dendrite
# Configuration for Kafka/Naffka.
kafka:
# List of Kafka broker addresses to connect to. This is not needed if using
# Naffka in monolith mode.
addresses:
- kafka:9092
# The prefix to use for Kafka topic names for this homeserver. Change this only if
# you are running more than one Dendrite homeserver on the same Kafka deployment.
topic_prefix: Dendrite
# Whether to use Naffka instead of Kafka. This is only available in monolith
# mode, but means that you can run a single-process server without requiring
# Kafka.
use_naffka: true
# Naffka database options. Not required when using Kafka.
naffka_database:
connection_string: file:///data/dendrite.db
max_open_conns: 10
max_idle_conns: 2
conn_max_lifetime: -1
# Configuration for Prometheus metric collection.
metrics:
enabled: false
# HTTP basic authentication to protect access to monitoring.
basic_auth:
username: metrics
password: metrics
# Optional DNS cache. The DNS cache may reduce the load on DNS servers if there
# is no local caching resolver available for use.
dns_cache:
enabled: false
# Maximum number of entries to hold in the DNS cache, and
# for how long those items should be considered valid in seconds.
cache_size: 256
cache_lifetime: "5m" # 5 minutes; https://pkg.go.dev/time@master#ParseDuration
# Configuration for the Appservice API.
app_service_api:
# Disable the validation of TLS certificates of appservices. This is
# not recommended in production since it may allow appservice traffic
# to be sent to an insecure endpoint.
disable_tls_validation: false
# Appservice configuration files to load into this homeserver.
config_files:
# - /path/to/appservice_registration.yaml
# Configuration for the Client API.
client_api:
# Prevents new users from being able to register on this homeserver, except when
# using the registration shared secret below.
registration_disabled: true
# Prevents new guest accounts from being created. Guest registration is also
# disabled implicitly by setting 'registration_disabled' above.
guests_disabled: true
# If set, allows registration by anyone who knows the shared secret, regardless
# of whether registration is otherwise disabled.
registration_shared_secret: ${REGISTRATION_SHARED_SECRET}
# Whether to require reCAPTCHA for registration. If you have enabled registration
# then this is HIGHLY RECOMMENDED to reduce the risk of your homeserver being used
# for coordinated spam attacks.
enable_registration_captcha: false
# Settings for ReCAPTCHA.
recaptcha_public_key: ""
recaptcha_private_key: ""
recaptcha_bypass_secret: ""
# To use hcaptcha.com instead of ReCAPTCHA, set the following parameters, otherwise just keep them empty.
# recaptcha_siteverify_api: "https://hcaptcha.com/siteverify"
# recaptcha_api_js_url: "https://js.hcaptcha.com/1/api.js"
# recaptcha_form_field: "h-captcha-response"
# recaptcha_sitekey_class: "h-captcha"
# TURN server information that this homeserver should send to clients.
turn:
turn_user_lifetime: "5m"
turn_uris:
# - turn:turn.server.org?transport=udp
# - turn:turn.server.org?transport=tcp
turn_shared_secret: ""
# If your TURN server requires static credentials, then you will need to enter
# them here instead of supplying a shared secret. Note that these credentials
# will be visible to clients!
# turn_username: ""
# turn_password: ""
# Settings for rate-limited endpoints. Rate limiting kicks in after the threshold
# number of "slots" have been taken by requests from a specific host. Each "slot"
# will be released after the cooloff time in milliseconds. Server administrators
# and appservice users are exempt from rate limiting by default.
rate_limiting:
enabled: true
threshold: 20
cooloff_ms: 500
exempt_user_ids:
# - "@user:domain.com"
# Configuration for the Federation API.
federation_api:
# How many times we will try to resend a failed transaction to a specific server. The
# backoff is 2**x seconds, so 1 = 2 seconds, 2 = 4 seconds, 3 = 8 seconds etc. Once
# the max retries are exceeded, Dendrite will no longer try to send transactions to
# that server until it comes back to life and connects to us again.
send_max_retries: 16
# Disable the validation of TLS certificates of remote federated homeservers. Do not
# enable this option in production as it presents a security risk!
disable_tls_validation: false
# Disable HTTP keepalives, which also prevents connection reuse. Dendrite will typically
# keep HTTP connections open to remote hosts for 5 minutes as they can be reused much
# more quickly than opening new connections each time. Disabling keepalives will close
# HTTP connections immediately after a successful request but may result in more CPU and
# memory being used on TLS handshakes for each new connection instead.
disable_http_keepalives: false
# Perspective keyservers to use as a backup when direct key fetches fail. This may
# be required to satisfy key requests for servers that are no longer online when
# joining some rooms.
key_perspectives:
- server_name: matrix.org
keys:
- key_id: ed25519:auto
public_key: Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw
- key_id: ed25519:a_RXGa
public_key: l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ
# This option will control whether Dendrite will prefer to look up keys directly
# or whether it should try perspective servers first, using direct fetches as a
# last resort.
prefer_direct_fetch: false
# Configuration for the Media API.
media_api:
# Storage path for uploaded media. May be relative or absolute.
base_path: /data/media_store
# The maximum allowed file size (in bytes) for media uploads to this homeserver
# (0 = unlimited). If using a reverse proxy, ensure it allows requests at least
#this large (e.g. the client_max_body_size setting in nginx).
max_file_size_bytes: 10485760
# Whether to dynamically generate thumbnails if needed.
dynamic_thumbnails: false
# The maximum number of simultaneous thumbnail generators to run.
max_thumbnail_generators: 10
# A list of thumbnail sizes to be generated for media content.
thumbnail_sizes:
- width: 32
height: 32
method: crop
- width: 96
height: 96
method: crop
- width: 640
height: 480
method: scale
# Configuration for enabling experimental MSCs on this homeserver.
mscs:
mscs:
# - msc2836 # (Threading, see https://github.com/matrix-org/matrix-doc/pull/2836)
# Configuration for the Sync API.
sync_api:
# This option controls which HTTP header to inspect to find the real remote IP
# address of the client. This is likely required if Dendrite is running behind
# a reverse proxy server.
real_ip_header: X-Client-IP
# Configuration for the full-text search engine.
search:
# Whether or not search is enabled.
enabled: true
# The path where the search index will be created in.
index_path: "/data/searchindex"
# The language most likely to be used on the server - used when indexing, to
# ensure the returned results match expectations. A full list of possible languages
# can be found at https://github.com/blevesearch/bleve/tree/master/analysis/lang
language: "en"
# Configuration for the User API.
user_api:
# The cost when hashing passwords on registration/login. Default: 10. Min: 4, Max: 31
# See https://pkg.go.dev/golang.org/x/crypto/bcrypt for more information.
# Setting this lower makes registration/login consume less CPU resources at the cost
# of security should the database be compromised. Setting this higher makes registration/login
# consume more CPU resources but makes it harder to brute force password hashes. This value
# can be lowered if performing tests or on embedded Dendrite instances (e.g WASM builds).
bcrypt_cost: 10
# The length of time that a token issued for a relying party from
# /_matrix/client/r0/user/{userId}/openid/request_token endpoint
# is considered to be valid in milliseconds.
# The default lifetime is 3600000ms (60 minutes).
# openid_token_lifetime_ms: 3600000
# Users who register on this homeserver will automatically be joined to the rooms listed under "auto_join_rooms" option.
# By default, any room aliases included in this list will be created as a publicly joinable room
# when the first user registers for the homeserver. If the room already exists,
# make certain it is a publicly joinable room, i.e. the join rule of the room must be set to 'public'.
# As Spaces are just rooms under the hood, Space aliases may also be used.
auto_join_rooms:
# - "#main:matrix.org"
# Configuration for OpenTracing.
# See https://github.com/matrix-org/dendrite/tree/master/docs/tracing for information on
# how this works and how to set it up.
tracing:
enabled: false
jaeger:
serviceName: ""
disabled: false
rpc_metrics: false
tags: []
sampler: null
reporter: null
headers: null
baggage_restrictions: null
throttler: null
# Logging configuration. The "std" logging type controls the logs being sent to
# stdout. The "file" logging type controls logs being written to a log folder on
# the disk. Supported log levels are "debug", "info", "warn", "error".
logging:
- type: std
level: info
- type: file
level: info
params:
path: /var/logs/dendrite

9
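--- a/dendrite/docker-entrypoint.sh
+++ b/dendrite/docker-entrypoint.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+set -euo pipefail
+envsubst < /etc/dendrite/dendrite.in.yaml > /etc/dendrite/dendrite.yaml
+echo ${MATRIX_KEY_PEM} | base64 -d > /etc/dendrite/matrix_key.pem
+chmod 0660 /etc/dendrite/matrix_key.pem
+/usr/bin/dendrite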
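Review bot: The signing key is written group-writeable and the secret is expanded unquoted: `chmod 0660` should be `chmod 0600`, and `echo ${MATRIX_KEY_PEM}` should quote the expansion so word splitting and globbing cannot alter the base64 payload before it is decoded. The decoded key and the secrets substituted into dendrite.yaml are created with the default umask and only the key is tightened afterwards, so a `umask 077` at the top closes that window for both files, assuming dendrite runs as the same user as this script. The PEM also stays in the environment of the server started on the last line; unsetting it and starting dendrite with `exec` keeps the secret out of the child and lets the SIGINT configured in fly.toml reach dendrite instead of the shell. `set -o pipefail` is not POSIX and fails under dash, so it is only safe if the image's /bin/sh is busybox ash or bash — worth confirming against the base image.
```shell
umask 077
envsubst < /etc/dendrite/dendrite.in.yaml > /etc/dendrite/dendrite.yaml
printf '%s' "${MATRIX_KEY_PEM}" | base64 -d > /etc/dendrite/matrix_key.pem
chmod 0600 /etc/dendrite/matrix_key.pem
unset MATRIX_KEY_PEM
exec /usr/bin/dendrite
```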

38
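--- a/dendrite/fly.toml
+++ b/dendrite/fly.toml
@@ -0,0 +1,38 @@
+# fly.toml app configuration file generated for burd-infra-dendrite on 2023-10-24T10:06:17-04:00
+#
+# See https://fly.io/docs/reference/configuration/ for information about how to use this file.
+#
+[env]
+FLY_SCALE_TO_ZERO = "1h"
+app = "burd-infra-dendrite"
+primary_region = "bos"
+kill_signal = "SIGINT"
+kill_timeout = "20s"
+[build]
+[[mounts]]
+source = "dendrite_data"
+destination = "/data"
+[[services]]
+protocol = "tcp"
+internal_port = 8008
+[[services.ports]]
+port = 443
+handlers = ["tls", "http"]
+[[services.ports]]
+port = 8443
+handlers = ["tls", "http"]
+[services.concurrency]
+hard_limit = 100
+soft_limit = 80
+[[services.tcp_checks]]
+interval = "10s"
+timeout = "2s"
+grace_period = "5s"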
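Review bot: The `handlers = ["tls", "http"]` entries on 443 and 8443 mean Fly's proxy terminates TLS and is the only hop in front of port 8008, so the header dendrite reads for the client address must be one the proxy sets and strips from clients. As far as I know the Fly proxy adds `Fly-Client-IP` and `X-Forwarded-For`, not `X-Client-IP`; if that is right, the `real_ip_header: X-Client-IP` in dendrite.yaml lets any client pick the address used for rate limiting, and the safe value is `Fly-Client-IP` — verify against Fly's proxy documentation. The `[[services.tcp_checks]]` only prove the port accepts connections; an `[[services.http_checks]]` with `path = "/_matrix/client/versions"` would catch a dendrite that is up but failing to serve. I also do not recognise `FLY_SCALE_TO_ZERO` under `[env]` as a documented fly.toml key (scale-to-zero is normally `auto_stop_machines` / `min_machines_running`), so it may be a no-op — worth checking.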


@ -5,9 +5,8 @@ This deploys a Docker Daemon running on Fly.io which you can used to offload bui
## Installation ## Installation
1. Clone this repository 1. Clone this repository
1. `fly launch`, follow the prompts 1. `fly launch --no-deploy`, follow the prompts
1. Select `n` when it asks if you want to deploy 1. Create a volume in a region of your choice: `fly volumes create data --size 50 --region bos`
1. Create a volume in a region of your choice: `fly volumes create data --size 50 --region ord`
1. Deploy 1. Deploy
## Get Connected ## Get Connected
@ -17,7 +16,7 @@ This deploys a Docker Daemon running on Fly.io which you can used to offload bui
1. `fly ips private` to get the IP of your Daemon 1. `fly ips private` to get the IP of your Daemon
1. Set the `DOCKER_HOST` env variable using that IP: 1. Set the `DOCKER_HOST` env variable using that IP:
``` ```
export DOCKER_HOST=tcp://[fdaa:0:5d2:a7b:81:0:26d4:2]:2375 export DOCKER_HOST=tcp://[fdaa:1:c1ea:a7b:1ed:2ce6:bb1e:2]:2375
``` ```
# Final Step # Final Step


@ -1,13 +1,22 @@
app = "burd-infra-docker-machine" # fly.toml app configuration file generated for burd-infra-docker-machine on 2023-11-22T14:28:06-05:00
kill_signal = "SIGINT" #
kill_timeout = 5 # See https://fly.io/docs/reference/configuration/ for information about how to use this file.
#
[mounts] app = "burd-infra-docker-machine"
destination = "/data" primary_region = "bos"
kill_signal = "SIGINT"
kill_timeout = "5s"
[build]
[[mounts]]
source = "docker_data" source = "docker_data"
destination = "/data"
[[services]] [[services]]
protocol = "tcp" protocol = "tcp"
internal_port = 2375 internal_port = 2375
[[services.ports]] [[services.ports]]
port = 2375 port = 2375
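Review bot: `internal_port = 2375` with a matching `[[services.ports]]` publishes an unauthenticated Docker daemon socket, and anyone who can reach it has root on this machine; a `[[services.ports]]` entry is served on whatever public IPs the app has allocated. The README reaches the daemon by its private 6PN address, which is fine, but nothing in this file stops a public IPv4/IPv6 being attached later; confirm `fly ips list` shows no public address, or drop the `[[services]]` block entirely, since as I understand it the private `.internal` address reaches the port without a service definition. If it must stay behind the proxy, enabling TLS client-certificate auth on the daemon is the usual mitigation.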


@ -33,6 +33,20 @@ This deploys Drone.io, CI builder for Forgejo (was Gitea).
1. Delete the Docker Engine from your local system. 1. Delete the Docker Engine from your local system.
1. You probably want to scale your remote Daemon: `fly scale vm dedicated-cpu-2x` and `fly scale memory 2048` 1. You probably want to scale your remote Daemon: `fly scale vm dedicated-cpu-2x` and `fly scale memory 2048`
```shell
docker run --detach \
--volume=/var/run/docker.sock:/var/run/docker.sock \
--env=DRONE_RPC_PROTO=https \
--env=DRONE_RPC_HOST=build.burd.me \
--env=DRONE_RPC_SECRET=70619c6241d757e8935c9a7d \
--env=DRONE_RUNNER_CAPACITY=2 \
--env=DRONE_RUNNER_NAME=my-laptop-runner \
--publish=3000:3000 \
--name=runner \
drone/drone-runner-docker:1
```
--restart=always \
# NOTES: # NOTES:
* https://docs.drone.io/server/provider/gitea/ * https://docs.drone.io/server/provider/gitea/
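Review bot: `--env=DRONE_RPC_SECRET=70619c6241d757e8935c9a7d` in the runner command commits what looks like the live runner RPC secret to the repository; if it is real, rotate it on the server and replace the value here with a placeholder, matching the `[use fly secrets set ...]` convention the drone fly.toml already uses. The `--restart=always \` line landed after the closing fence, so the command as rendered is broken; it belongs inside the block, before `--name=runner \`. A one-line warning that mounting `/var/run/docker.sock` gives every pipeline this runner executes root on the laptop would also help the next reader.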


@ -9,6 +9,7 @@ kill_signal = "SIGINT"
kill_timeout = "5s" kill_timeout = "5s"
[experimental] [experimental]
allowed_public_ports = []
auto_rollback = true auto_rollback = true
[build] [build]
@ -18,7 +19,7 @@ kill_timeout = "5s"
DRONE_JSONNET_ENABLED = "true" DRONE_JSONNET_ENABLED = "true"
DRONE_REGISTRATION_CLOSED = "true" DRONE_REGISTRATION_CLOSED = "true"
DRONE_RPC_HOST = "build.burd.me" DRONE_RPC_HOST = "build.burd.me"
DRONE_RPC_PROTO = "https" DRONE_RPC_PROTO = "http"
DRONE_RUNNER_CAPACITY = "1" DRONE_RUNNER_CAPACITY = "1"
DRONE_SERVER_HOST = "build.burd.me" DRONE_SERVER_HOST = "build.burd.me"
DRONE_SERVER_PROTO = "https" DRONE_SERVER_PROTO = "https"
@ -34,8 +35,10 @@ kill_timeout = "5s"
processes = ["server"] processes = ["server"]
[[services]] [[services]]
http_checks = []
protocol = "tcp" protocol = "tcp"
internal_port = 80 internal_port = 80
script_checks = []
processes = ["server"] processes = ["server"]
[[services.ports]] [[services.ports]]
@ -54,4 +57,5 @@ kill_timeout = "5s"
[[services.tcp_checks]] [[services.tcp_checks]]
interval = "15s" interval = "15s"
timeout = "2s" timeout = "2s"
restart_limit = 0
grace_period = "1s" grace_period = "1s"
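Review bot: `DRONE_RPC_PROTO = "http"` downgrades runner-to-server RPC to plaintext while `DRONE_RPC_HOST` stays at the public `build.burd.me`, so the shared RPC secret the runner presents on every request would travel in the clear over the public name — unless Fly's port-80 handler redirects to https, in which case the runner simply fails. If the intent is that the runner inside this machine talks to the server locally, point `DRONE_RPC_HOST` at the local listener on port 80 or at the app's `.internal` name rather than the public hostname; otherwise keep `https`. The drone README in this same compare still tells external runners to use `DRONE_RPC_PROTO=https`, which is the right setting for anything off the machine, so the two should agree.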


@ -13,7 +13,7 @@ swap_size_mb = 512
auto_rollback = true auto_rollback = true
[build] [build]
image = "codeberg.org/forgejo/forgejo:1.20.5-0" image = "codeberg.org/forgejo/forgejo:8.0.3"
[env] [env]
GITEA____APP_NAME = "git.burd.me: Git for us" GITEA____APP_NAME = "git.burd.me: Git for us"
@ -51,6 +51,7 @@ swap_size_mb = 512
# GITEA__storage__MINIO_SECRET_ACCESS_KEY = [use fly secrets set ..., see README.md] # GITEA__storage__MINIO_SECRET_ACCESS_KEY = [use fly secrets set ..., see README.md]
GITEA__storage__MINIO_BUCKET = "burd-infra-forgejo-4276-a538" GITEA__storage__MINIO_BUCKET = "burd-infra-forgejo-4276-a538"
GITEA__storage__MINIO_LOCATION = "us-west-000" GITEA__storage__MINIO_LOCATION = "us-west-000"
GITEA__storage__MINIO_CHECKSUM_ALGORITHM = "md5"
[[mounts]] [[mounts]]
source = "forgejo_data" source = "forgejo_data"
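Review bot: `GITEA__storage__MINIO_CHECKSUM_ALGORITHM = "md5"` reads like a cryptographic downgrade to anyone hardening this file later, but the commit message says it is a Backblaze B2 compatibility requirement, and nothing in the file records that. A comment on the line would stop someone "fixing" it: `# B2 rejects the SDK's default checksum; md5 is an upload integrity check only, not an auth/signing primitive`.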

14
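--- a/logs/README.md
+++ b/logs/README.md
@@ -0,0 +1,14 @@
+# Create the app but don't deploy just yet
+fly launch --no-deploy --image ghcr.io/superfly/fly-log-shipper:latest
+# Set some secrets. The secret / env var you set
+# determines which "sinks" are configured
+fly secrets set ORG=personal
+fly secrets set ACCESS_TOKEN=$(fly auth token)
+fly secrets set BETTER_STACK_SOURCE_TOKEN=<token provided by better stack>
+https://fly.io/docs/going-to-production/monitoring/exporting-logs/#the-fly-log-shipper
+https://github.com/superfly/fly-log-shipper
+https://uptime.betterstack.com/team/163632/integrations/apis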
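Review bot: `fly secrets set ACCESS_TOKEN=$(fly auth token)` hands the log shipper the operator's personal Fly token, which can deploy and destroy every app in the org; as I recall Fly issues scoped tokens (`fly tokens create readonly`, org-scoped tokens), and the shipper only needs to read logs, so a read-only org token is the least-privilege value — verify against the shipper's docs. Both `fly secrets set` lines also leave the tokens in shell history; reading them from a file or using `fly secrets import` avoids that. A note that a token set this way must be rotated if the operator's own token is ever revoked would save the next person a silent log outage.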

14
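--- a/logs/fly.toml
+++ b/logs/fly.toml
@@ -0,0 +1,14 @@
+# fly.toml app configuration file generated for burd-infra-logs-shipper on 2023-10-25T11:17:02-04:00
+#
+# See https://fly.io/docs/reference/configuration/ for information about how to use this file.
+#
+app = "burd-infra-logs-shipper"
+primary_region = "bos"
+[build]
+image = "ghcr.io/superfly/fly-log-shipper:latest"
+[[services]]
+http_checks = []
+internal_port = 8686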

12
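--- a/shell.nix
+++ b/shell.nix
@@ -0,0 +1,12 @@
+{ pkgs ? import <nixpkgs> {} }:
+pkgs.mkShell {
+# nativeBuildInputs is usually what you want -- tools you need to run
+nativeBuildInputs = with pkgs.buildPackages; [
+ripgrep
+envsubst
+postgresql
+netlify-cli
+];
+DOCKER_BUILDKIT = 1;
+}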