authorNeil Alexander <neilalexander@users.noreply.github.com>2020-08-13 18:27:19 +0100
committerGitHub <noreply@github.com>2020-08-13 18:27:19 +0100
commitc1f4faf308169d4008259772d04ce25444996f1e (patch)
tree7a292e8c6a91e9abcccf3f86306a8a551188ea56
parent20c8f252a7930e07a113e24acc59964e5e19e708 (diff)
Fix Docker builds, polylith components (#1269)
-rw-r--r--build/docker/config/dendrite-config.yaml445
-rw-r--r--build/docker/docker-compose.polylith.yml10
-rw-r--r--build/docker/postgres/create_db.sh2
-rw-r--r--cmd/dendrite-sync-api-server/main.go2
-rw-r--r--dendrite-config.yaml2
-rw-r--r--internal/config/config_syncapi.go5
-rw-r--r--internal/setup/base.go20
7 files changed, 342 insertions, 144 deletions
diff --git a/build/docker/config/dendrite-config.yaml b/build/docker/config/dendrite-config.yaml
index c8302c0d..8cc9934d 100644
--- a/build/docker/config/dendrite-config.yaml
+++ b/build/docker/config/dendrite-config.yaml
@@ -1,133 +1,324 @@
-# The config file format version
-# This is used by dendrite to tell if it understands the config format.
-# This will change if the structure of the config file changes or if the meaning
-# of an existing config key changes.
-version: 0
-
-# The matrix specific config
-matrix:
- # The name of the server. This is usually the domain name, e.g 'matrix.org', 'localhost'.
- server_name: "example.com"
- # The path to the PEM formatted matrix private key.
- private_key: "matrix_key.pem"
- # The x509 certificates used by the federation listeners for this server
- federation_certificates: ["server.crt"]
- # The list of identity servers trusted to verify third party identifiers by this server.
- # Defaults to no trusted servers.
- trusted_third_party_id_servers:
- - vector.im
- - matrix.org
-
-# The media repository config
-media:
- # The base path to where the media files will be stored. May be relative or absolute.
- base_path: /var/dendrite/media
-
- # The maximum file size in bytes that is allowed to be stored on this server.
- # Note: if max_file_size_bytes is set to 0, the size is unlimited.
- # Note: if max_file_size_bytes is not set, it will default to 10485760 (10MB)
- max_file_size_bytes: 10485760
-
- # Whether to dynamically generate thumbnails on-the-fly if the requested resolution is not already generated
- # NOTE: This is a possible denial-of-service attack vector - use at your own risk
- dynamic_thumbnails: false
-
- # A list of thumbnail sizes to be pre-generated for downloaded remote / uploaded content
- # method is one of crop or scale. If omitted, it will default to scale.
- # crop scales to fill the requested dimensions and crops the excess.
- # scale scales to fit the requested dimensions and one dimension may be smaller than requested.
- thumbnail_sizes:
- - width: 32
- height: 32
- method: crop
- - width: 96
- height: 96
- method: crop
- - width: 320
- height: 240
- method: scale
- - width: 640
- height: 480
- method: scale
- - width: 800
- height: 600
- method: scale
-
-# The config for the TURN server
-turn:
- # Whether or not guests can request TURN credentials
- turn_allow_guests: true
- # How long the authorization should last
- turn_user_lifetime: "1h"
- # The list of TURN URIs to pass to clients
- turn_uris: []
+# This is the Dendrite configuration file.
+#
+# The configuration is split up into sections - each Dendrite component has a
+# configuration section, in addition to the "global" section which applies to
+# all components.
+#
+# At a minimum, to get started, you will need to update the settings in the
+# "global" section for your deployment, and you will need to check that the
+# database "connection_string" line in each component section is correct.
+#
+# Each component with a "database" section can accept the following formats
+# for "connection_string":
+# SQLite: file:filename.db
+# file:///path/to/filename.db
+# PostgreSQL: postgresql://user:pass@hostname/database?params=...
+#
+# SQLite is embedded into Dendrite and therefore no further prerequisites are
+# needed for the database when using SQLite mode. However, performance with
+# PostgreSQL is significantly better and recommended for multi-user deployments.
+# SQLite is typically around 20-30% slower than PostgreSQL when tested with a
+# small number of users and likely will perform worse still with a higher volume
+# of users.
+#
+# The "max_open_conns" and "max_idle_conns" settings configure the maximum
+# number of open/idle database connections. The value 0 will use the database
+# engine default, and a negative value will use unlimited connections. The
+# "conn_max_lifetime" option controls the maximum length of time a database
+# connection can be idle in seconds - a negative value is unlimited.
+
+# The version of the configuration file.
+version: 1
+
+# Global Matrix configuration. This configuration applies to all components.
+global:
+ # The domain name of this homeserver.
+ server_name: example.com
+
+ # The path to the signing private key file, used to sign requests and events.
+ private_key: matrix_key.pem
+
+ # A unique identifier for this private key. Must start with the prefix "ed25519:".
+ key_id: ed25519:auto
+
+ # How long a remote server can cache our server signing key before requesting it
+ # again. Increasing this number will reduce the number of requests made by other
+ # servers for our key but increases the period that a compromised key will be
+ # considered valid by other homeservers.
+ key_validity_period: 168h0m0s
+
+ # Lists of domains that the server will trust as identity servers to verify third
+ # party identifiers such as phone numbers and email addresses.
+ trusted_third_party_id_servers:
+ - matrix.org
+ - vector.im
+
+ # Configuration for Kafka/Naffka.
+ kafka:
+ # List of Kafka broker addresses to connect to. This is not needed if using
+ # Naffka in monolith mode.
+ addresses:
+ - kafka:9092
+
+ # The prefix to use for Kafka topic names for this homeserver. Change this only if
+ # you are running more than one Dendrite homeserver on the same Kafka deployment.
+ topic_prefix: Dendrite
+
+ # Whether to use Naffka instead of Kafka. This is only available in monolith
+ # mode, but means that you can run a single-process server without requiring
+ # Kafka.
+ use_naffka: false
- # Authorization via Shared Secret
- # The shared secret from coturn
- turn_shared_secret: "<SECRET STRING GOES HERE>"
+ # Naffka database options. Not required when using Kafka.
+ naffka_database:
+ connection_string: file:naffka.db
+ max_open_conns: 100
+ max_idle_conns: 2
+ conn_max_lifetime: -1
- # Authorization via Static Username & Password
- # Hardcoded Username and Password
+ # Configuration for Prometheus metric collection.
+ metrics:
+ # Whether or not Prometheus metrics are enabled.
+ enabled: false
+
+ # HTTP basic authentication to protect access to monitoring.
+ basic_auth:
+ username: metrics
+ password: metrics
+
+# Configuration for the Appservice API.
+app_service_api:
+ internal_api:
+ listen: http://0.0.0.0:7777
+ connect: http://appservice_api:7777
+ database:
+ connection_string: postgresql://dendrite:itsasecret@postgres/dendrite_appservice?sslmode=disable
+ max_open_conns: 100
+ max_idle_conns: 2
+ conn_max_lifetime: -1
+
+ # Appservice configuration files to load into this homeserver.
+ config_files: []
+
+# Configuration for the Client API.
+client_api:
+ internal_api:
+ listen: http://0.0.0.0:7771
+ connect: http://client_api:7771
+ external_api:
+ listen: http://0.0.0.0:8071
+
+ # Prevents new users from being able to register on this homeserver, except when
+ # using the registration shared secret below.
+ registration_disabled: false
+
+ # If set, allows registration by anyone who knows the shared secret, regardless of
+ # whether registration is otherwise disabled.
+ registration_shared_secret: ""
+
+ # Whether to require reCAPTCHA for registration.
+ enable_registration_captcha: false
+
+ # Settings for ReCAPTCHA.
+ recaptcha_public_key: ""
+ recaptcha_private_key: ""
+ recaptcha_bypass_secret: ""
+ recaptcha_siteverify_api: ""
+
+ # TURN server information that this homeserver should send to clients.
+ turn:
+ turn_user_lifetime: ""
+ turn_uris: []
+ turn_shared_secret: ""
turn_username: ""
turn_password: ""
-# The config for communicating with kafka
-kafka:
- # Where the kafka servers are running.
- addresses: ["kafka:9092"]
- # Whether to use naffka instead of kafka.
- # Naffka can only be used when running dendrite as a single monolithic server.
- # Kafka can be used both with a monolithic server and when running the
- # components as separate servers.
- # If enabled database.naffka must also be specified.
- use_naffka: false
- # The names of the kafka topics to use.
- topics:
- output_room_event: roomserverOutput
- output_client_data: clientapiOutput
- output_typing_event: eduServerOutput
- user_updates: userUpdates
-
-
-# The postgres connection configs for connecting to the databases e.g a postgres:// URI
-database:
- account: "postgres://dendrite:itsasecret@postgres/dendrite_account?sslmode=disable"
- device: "postgres://dendrite:itsasecret@postgres/dendrite_device?sslmode=disable"
- media_api: "postgres://dendrite:itsasecret@postgres/dendrite_mediaapi?sslmode=disable"
- sync_api: "postgres://dendrite:itsasecret@postgres/dendrite_syncapi?sslmode=disable"
- room_server: "postgres://dendrite:itsasecret@postgres/dendrite_roomserver?sslmode=disable"
- server_key: "postgres://dendrite:itsasecret@postgres/dendrite_serverkey?sslmode=disable"
- federation_sender: "postgres://dendrite:itsasecret@postgres/dendrite_federationsender?sslmode=disable"
- current_state: "postgres://dendrite:itsasecret@postgres/dendrite_currentstate?sslmode=disable"
- appservice: "postgres://dendrite:itsasecret@postgres/dendrite_appservice?sslmode=disable"
- # If using naffka you need to specify a naffka database
- #naffka: "postgres://dendrite:itsasecret@postgres/dendrite_naffka?sslmode=disable"
-
-# The TCP host:port pairs to bind the internal HTTP APIs to.
-# These shouldn't be exposed to the public internet.
-# These aren't needed when running dendrite as a monolithic server.
-listen:
- room_server: "room_server:7770"
- client_api: "client_api:7771"
- federation_api: "federation_api:7772"
- server_key_api: "server_key_api:7778"
- sync_api: "sync_api:7773"
- media_api: "media_api:7774"
- current_state_server: "current_state_server:7775"
- federation_sender: "federation_sender:7776"
- edu_server: "edu_server:7777"
- key_server: "key_server:7779"
- user_api: "user_api:7780"
- appservice_api: "appservice_api:7781"
-
-# The configuration for tracing the dendrite components.
+# Configuration for the Current State Server.
+current_state_server:
+ internal_api:
+ listen: http://0.0.0.0:7782
+ connect: http://current_state_server:7782
+ database:
+ connection_string: postgresql://dendrite:itsasecret@postgres/dendrite_currentstate?sslmode=disable
+ max_open_conns: 100
+ max_idle_conns: 2
+ conn_max_lifetime: -1
+
+# Configuration for the EDU server.
+edu_server:
+ internal_api:
+ listen: http://0.0.0.0:7778
+ connect: http://edu_server:7778
+
+# Configuration for the Federation API.
+federation_api:
+ internal_api:
+ listen: http://0.0.0.0:7772
+ connect: http://federation_api:7772
+ external_api:
+ listen: http://0.0.0.0:8072
+
+ # List of paths to X.509 certificates to be used by the external federation listeners.
+ # These certificates will be used to calculate the TLS fingerprints and other servers
+ # will expect the certificate to match these fingerprints. Certificates must be in PEM
+ # format.
+ federation_certificates: []
+
+# Configuration for the Federation Sender.
+federation_sender:
+ internal_api:
+ listen: http://0.0.0.0:7775
+ connect: http://federation_sender:7775
+ database:
+ connection_string: postgresql://dendrite:itsasecret@postgres/dendrite_federationsender?sslmode=disable
+ max_open_conns: 100
+ max_idle_conns: 2
+ conn_max_lifetime: -1
+
+ # How many times we will try to resend a failed transaction to a specific server. The
+ # backoff is 2**x seconds, so 1 = 2 seconds, 2 = 4 seconds, 3 = 8 seconds etc.
+ send_max_retries: 16
+
+ # Disable the validation of TLS certificates of remote federated homeservers. Do not
+ # enable this option in production as it presents a security risk!
+ disable_tls_validation: false
+
+ # Use the following proxy server for outbound federation traffic.
+ proxy_outbound:
+ enabled: false
+ protocol: http
+ host: localhost
+ port: 8080
+
+# Configuration for the Key Server (for end-to-end encryption).
+key_server:
+ internal_api:
+ listen: http://0.0.0.0:7779
+ connect: http://key_server:7779
+ database:
+ connection_string: postgresql://dendrite:itsasecret@postgres/dendrite_keyserver?sslmode=disable
+ max_open_conns: 100
+ max_idle_conns: 2
+ conn_max_lifetime: -1
+
+# Configuration for the Media API.
+media_api:
+ internal_api:
+ listen: http://0.0.0.0:7774
+ connect: http://media_api:7774
+ external_api:
+ listen: http://0.0.0.0:8074
+ database:
+ connection_string: postgresql://dendrite:itsasecret@postgres/dendrite_mediaapi?sslmode=disable
+ max_open_conns: 100
+ max_idle_conns: 2
+ conn_max_lifetime: -1
+
+ # Storage path for uploaded media. May be relative or absolute.
+ base_path: /var/dendrite/media
+
+ # The maximum allowed file size (in bytes) for media uploads to this homeserver
+ # (0 = unlimited).
+ max_file_size_bytes: 10485760
+
+ # Whether to dynamically generate thumbnails if needed.
+ dynamic_thumbnails: false
+
+ # The maximum number of simultaneous thumbnail generators to run.
+ max_thumbnail_generators: 10
+
+ # A list of thumbnail sizes to be generated for media content.
+ thumbnail_sizes:
+ - width: 32
+ height: 32
+ method: crop
+ - width: 96
+ height: 96
+ method: crop
+ - width: 640
+ height: 480
+ method: scale
+
+# Configuration for the Room Server.
+room_server:
+ internal_api:
+ listen: http://0.0.0.0:7770
+ connect: http://room_server:7770
+ database:
+ connection_string: postgresql://dendrite:itsasecret@postgres/dendrite_roomserver?sslmode=disable
+ max_open_conns: 100
+ max_idle_conns: 2
+ conn_max_lifetime: -1
+
+# Configuration for the Server Key API (for server signing keys).
+server_key_api:
+ internal_api:
+ listen: http://0.0.0.0:7780
+ connect: http://server_key_api:7780
+ database:
+ connection_string: postgresql://dendrite:itsasecret@postgres/dendrite_serverkey?sslmode=disable
+ max_open_conns: 100
+ max_idle_conns: 2
+ conn_max_lifetime: -1
+
+ # Perspective keyservers to use as a backup when direct key fetches fail. This may
+ # be required to satisfy key requests for servers that are no longer online when
+ # joining some rooms.
+ key_perspectives:
+ - server_name: matrix.org
+ keys:
+ - key_id: ed25519:auto
+ public_key: Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw
+ - key_id: ed25519:a_RXGa
+ public_key: l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ
+
+# Configuration for the Sync API.
+sync_api:
+ internal_api:
+ listen: http://0.0.0.0:7773
+ connect: http://sync_api:7773
+ external_api:
+ listen: http://0.0.0.0:8073
+ database:
+ connection_string: postgresql://dendrite:itsasecret@postgres/dendrite_syncapi?sslmode=disable
+ max_open_conns: 100
+ max_idle_conns: 2
+ conn_max_lifetime: -1
+
+# Configuration for the User API.
+user_api:
+ internal_api:
+ listen: http://0.0.0.0:7781
+ connect: http://user_api:7781
+ account_database:
+ connection_string: postgresql://dendrite:itsasecret@postgres/dendrite_account?sslmode=disable
+ max_open_conns: 100
+ max_idle_conns: 2
+ conn_max_lifetime: -1
+ device_database:
+ connection_string: postgresql://dendrite:itsasecret@postgres/dendrite_device?sslmode=disable
+ max_open_conns: 100
+ max_idle_conns: 2
+ conn_max_lifetime: -1
+
+# Configuration for Opentracing.
tracing:
- # Config for the jaeger opentracing reporter.
- # See https://godoc.org/github.com/uber/jaeger-client-go/config#Configuration
- # for documentation.
- jaeger:
- disabled: true
-
-# A list of application service config files to use
-application_services:
- config_files: []
+ enabled: false
+ jaeger:
+ serviceName: ""
+ disabled: false
+ rpc_metrics: false
+ tags: []
+ sampler: null
+ reporter: null
+ headers: null
+ baggage_restrictions: null
+ throttler: null
+
+# Logging configuration, in addition to the standard logging that is sent to
+# stdout by Dendrite.
+logging:
+- type: file
+ level: info
+ params:
+ path: /var/log/dendrite
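Review bot: The new sample carries real-looking credentials with nothing marking them as placeholders — `itsasecret` in every `connection_string` and `username: metrics` / `password: metrics` under `metrics.basic_auth` — and the compose file in this commit mounts this directory as `/etc/dendrite`, so a copied deployment keeps them verbatim. A one-line comment above `basic_auth` and above the first `database:` section, such as `# Sample credentials only - change these before exposing the deployment.`, would make that explicit. The header text also describes `conn_max_lifetime` as "the maximum length of time a database connection can be idle in seconds", which reads like a description of `max_idle_conns`; if the option maps to database/sql's connection lifetime, `# maximum total lifetime of a connection in seconds` is the more accurate wording.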
diff --git a/build/docker/docker-compose.polylith.yml b/build/docker/docker-compose.polylith.yml
index 62ca6763..1f84e58d 100644
--- a/build/docker/docker-compose.polylith.yml
+++ b/build/docker/docker-compose.polylith.yml
@@ -5,9 +5,9 @@ services:
image: matrixdotorg/dendrite:clientproxy
command: [
"--bind-address=:8008",
- "--client-api-server-url=http://client_api:7771",
- "--sync-api-server-url=http://sync_api:7773",
- "--media-api-server-url=http://media_api:7774"
+ "--client-api-server-url=http://client_api:8071",
+ "--sync-api-server-url=http://sync_api:8073",
+ "--media-api-server-url=http://media_api:8074"
]
volumes:
- ./config:/etc/dendrite
@@ -92,8 +92,8 @@ services:
image: matrixdotorg/dendrite:federationproxy
command: [
"--bind-address=:8448",
- "--federation-api-url=http://federation_api:7772",
- "--media-api-server-url=http://media_api:7774"
+ "--federation-api-url=http://federation_api:8072",
+ "--media-api-server-url=http://media_api:8074"
]
volumes:
- ./config:/etc/dendrite
diff --git a/build/docker/postgres/create_db.sh b/build/docker/postgres/create_db.sh
index fdda0346..222675f6 100644
--- a/build/docker/postgres/create_db.sh
+++ b/build/docker/postgres/create_db.sh
@@ -1,5 +1,5 @@
#!/bin/bash
-for db in account device mediaapi syncapi roomserver serverkey federationsender currentstate appservice e2ekey naffka; do
+for db in account device mediaapi syncapi roomserver serverkey keyserver federationsender currentstate appservice e2ekey naffka; do
createdb -U dendrite -O dendrite dendrite_$db
done
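Review bot: The loop now creates both `dendrite_e2ekey` and `dendrite_keyserver`, but the Docker config in this same commit references only `dendrite_keyserver` (under `key_server.database`) and nothing named `e2ekey`; if `e2ekey` was the earlier name for the key server database it can probably be dropped from the list, otherwise a comment naming what consumes it would help the next reader. Separately, the script has no `set -e`, so a failed `createdb` is only noticed when the dependent component starts.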
diff --git a/cmd/dendrite-sync-api-server/main.go b/cmd/dendrite-sync-api-server/main.go
index ec53af6e..8a73cd37 100644
--- a/cmd/dendrite-sync-api-server/main.go
+++ b/cmd/dendrite-sync-api-server/main.go
@@ -37,7 +37,7 @@ func main() {
base.SetupAndServeHTTP(
base.Cfg.SyncAPI.InternalAPI.Listen,
- setup.NoExternalListener,
+ base.Cfg.SyncAPI.ExternalAPI.Listen,
nil, nil,
)
}
diff --git a/dendrite-config.yaml b/dendrite-config.yaml
index d1b27c28..e48035b5 100644
--- a/dendrite-config.yaml
+++ b/dendrite-config.yaml
@@ -277,6 +277,8 @@ sync_api:
internal_api:
listen: http://localhost:7773
connect: http://localhost:7773
+ external_api:
+ listen: http://[::]:8073
database:
connection_string: file:syncapi.db
max_open_conns: 100
diff --git a/internal/config/config_syncapi.go b/internal/config/config_syncapi.go
index fc1bbcf8..0a96e41c 100644
--- a/internal/config/config_syncapi.go
+++ b/internal/config/config_syncapi.go
@@ -4,6 +4,7 @@ type SyncAPI struct {
Matrix *Global `yaml:"-"`
InternalAPI InternalAPIOptions `yaml:"internal_api"`
+ ExternalAPI ExternalAPIOptions `yaml:"external_api"`
Database DatabaseOptions `yaml:"database"`
}
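Review bot: The new `ExternalAPI` field has no comment, and its contract is not obvious from the struct alone: the `Verify` hunk below validates it only when `isMonolith` is false, presumably because a monolith serves all public routes from one shared external listener. A field comment such as `// ExternalAPI is the client-facing listener; only used when the sync API runs as a separate (polylith) component.` would record that. The sibling fields are undocumented too, but this is the one whose meaning depends on the deployment mode.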
@@ -11,6 +12,7 @@ type SyncAPI struct {
func (c *SyncAPI) Defaults() {
c.InternalAPI.Listen = "http://localhost:7773"
c.InternalAPI.Connect = "http://localhost:7773"
+ c.ExternalAPI.Listen = "http://localhost:8073"
c.Database.Defaults()
c.Database.ConnectionString = "file:syncapi.db"
}
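Review bot: The default `http://localhost:8073` assigned to `c.ExternalAPI.Listen` binds loopback only, whereas the sample `dendrite-config.yaml` in this commit uses `http://[::]:8073` and the Docker config `http://0.0.0.0:8073`, so a polylith deployment that relies on the code default gets an external sync API other containers cannot reach. Loopback is the safer default for a client-facing listener, so keeping it is reasonable, but a comment like `// Loopback by default: exposing the external listener is an explicit decision made in external_api.listen.` would stop a later reader from "fixing" it to match the samples.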
@@ -18,5 +20,8 @@ func (c *SyncAPI) Defaults() {
func (c *SyncAPI) Verify(configErrs *ConfigErrors, isMonolith bool) {
checkURL(configErrs, "sync_api.internal_api.listen", string(c.InternalAPI.Listen))
checkURL(configErrs, "sync_api.internal_api.bind", string(c.InternalAPI.Connect))
+ if !isMonolith {
+ checkURL(configErrs, "sync_api.external_api.listen", string(c.ExternalAPI.Listen))
+ }
checkNotEmpty(configErrs, "sync_api.database", string(c.Database.ConnectionString))
}
diff --git a/internal/setup/base.go b/internal/setup/base.go
index 2cffb4e8..854f39f0 100644
--- a/internal/setup/base.go
+++ b/internal/setup/base.go
@@ -287,7 +287,7 @@ func (b *BaseDendrite) SetupAndServeHTTP(
}
externalServ := internalServ
- if externalAddr != "" && externalAddr != internalAddr {
+ if externalAddr != NoExternalListener && externalAddr != internalAddr {
externalRouter = mux.NewRouter()
externalServ = &http.Server{
Addr: string(externalAddr),
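Review bot: The rewritten condition `if externalAddr != NoExternalListener && externalAddr != internalAddr` is only equivalent to the old empty-string check if `NoExternalListener` is the empty string; its definition is outside this hunk, and the fallback `externalServ := internalServ` on the line above is what the rest of the function relies on when no external listener is configured. A comment on the constant, or here, such as `// NoExternalListener (empty) means no second server is created; externalServ aliases internalServ.`, would pin that down. `SetupAndServeHTTP` starts before and ends after this hunk.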
@@ -307,32 +307,32 @@ func (b *BaseDendrite) SetupAndServeHTTP(
externalRouter.PathPrefix(httputil.PublicMediaPathPrefix).Handler(b.PublicMediaAPIMux)
go func() {
- logrus.Infof("Starting %s listener on %s", b.componentName, externalServ.Addr)
+ logrus.Infof("Starting %s listener on %s", b.componentName, internalServ.Addr)
if certFile != nil && keyFile != nil {
- if err := externalServ.ListenAndServeTLS(*certFile, *keyFile); err != nil {
+ if err := internalServ.ListenAndServeTLS(*certFile, *keyFile); err != nil {
logrus.WithError(err).Fatal("failed to serve HTTPS")
}
} else {
- if err := externalServ.ListenAndServe(); err != nil {
+ if err := internalServ.ListenAndServe(); err != nil {
logrus.WithError(err).Fatal("failed to serve HTTP")
}
}
- logrus.Infof("Stopped %s listener on %s", b.componentName, externalServ.Addr)
+ logrus.Infof("Stopped %s listener on %s", b.componentName, internalServ.Addr)
}()
- if internalAddr != "" && internalAddr != externalAddr {
+ if externalAddr != NoExternalListener && internalAddr != externalAddr {
go func() {
- logrus.Infof("Starting %s listener on %s", b.componentName, internalServ.Addr)
+ logrus.Infof("Starting %s listener on %s", b.componentName, externalServ.Addr)
if certFile != nil && keyFile != nil {
- if err := internalServ.ListenAndServeTLS(*certFile, *keyFile); err != nil {
+ if err := externalServ.ListenAndServeTLS(*certFile, *keyFile); err != nil {
logrus.WithError(err).Fatal("failed to serve HTTPS")
}
} else {
- if err := internalServ.ListenAndServe(); err != nil {
+ if err := externalServ.ListenAndServe(); err != nil {
logrus.WithError(err).Fatal("failed to serve HTTP")
}
}
- logrus.Infof("Stopped %s listener on %s", b.componentName, internalServ.Addr)
+ logrus.Infof("Stopped %s listener on %s", b.componentName, externalServ.Addr)
}()
}
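Review bot: Swapping the two goroutines also dropped the old `internalAddr != ""` guard: the first goroutine now calls `internalServ.ListenAndServe()` unconditionally, and an `http.Server` with an empty `Addr` listens on `:http` (port 80), so an empty internal address would open the internal API on a well-known port rather than not listening at all. `internalServ` is built above this hunk and the `SyncAPI.Verify` hunk in this commit runs `checkURL` on the internal listen URL, so this may be unreachable in practice, but an explicit early `if internalAddr == "" { logrus.Fatalf("%s has no internal listen address", b.componentName) }` before the goroutines would make the intent clear. The two goroutine bodies are otherwise identical apart from the server they use, so a small local helper would keep the TLS/plain branches and log messages in one place; the function continues beyond the end of the hunk.
```go
// startListener serves srv in the background, with TLS when both a cert and key were given.
startListener := func(srv *http.Server) {
	go func() {
		logrus.Infof("Starting %s listener on %s", b.componentName, srv.Addr)
		if certFile != nil && keyFile != nil {
			if err := srv.ListenAndServeTLS(*certFile, *keyFile); err != nil {
				logrus.WithError(err).Fatal("failed to serve HTTPS")
			}
		} else {
			if err := srv.ListenAndServe(); err != nil {
				logrus.WithError(err).Fatal("failed to serve HTTP")
			}
		}
		logrus.Infof("Stopped %s listener on %s", b.componentName, srv.Addr)
	}()
}
startListener(internalServ)
if externalAddr != NoExternalListener && internalAddr != externalAddr {
	startListener(externalServ)
}
// … unchanged: remainder of SetupAndServeHTTP …
```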