move matrix to cups-1

aosus · Feb 3, 2024 · 9b2df8c · 9b2df8c
1 parent 69a4bec
commit 9b2df8c
Show file tree

Hide file tree

Showing 10 changed files with 3,996 additions and 0 deletions.
diff --git a/.github/workflows/matrix.yml b/.github/workflows/matrix.yml
@@ -0,0 +1,123 @@
+name: deploy-matrix
+
+on:
+  push:
+    paths:
+      - '.github/workflows/matrix.yml'
+      - 'matrix/**'
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    environment:
+      name: Matrix
+      url: https://matrix.aosus.org
+    steps:
+      - name: checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Tailscale
+        uses: tailscale/github-action@7a0b30ed3517c2244d1330e39467b95f067a33bd
+        with:
+          oauth-client-id: ${{ secrets.TAILSCALE_CLIENT_ID }}
+          oauth-secret: ${{ secrets.TAILSCALE_SECRET }}
+          tags: tag:deploy-ci
+          hostname: Github-actions
+          version: ${{ vars.TAILSCALE_VERSION }}
+
+      - name: Add secrets to homeserver.yml
+        env:
+          MATRIX_TURN_SHARED_SECRET: ${{ secrets.matrix_turn_shared_secret }}
+          MATRIX_REGISTRATION_SHARED_SECRET: ${{ secrets.matrix_registration_shared_secret }}
+          MATRIX_MACAROON_SECRET_KEY: ${{ secrets.matrix_macaroon_secret_key }}
+          MATRIX_FORM_SECRET: ${{ secrets.matrix_form_secret }}
+          MATRIX_OIDC_ISSUER: ${{ secrets.matrix_oidc_issuer }}
+          MATRIX_OIDC_CLIENT_ID: ${{ secrets.matrix_oidc_client_id }}
+          MATRIX_OIDC_CLIENT_SECRET: ${{ secrets.matrix_oidc_client_secret }}
+          MATRIX_POSTGRES_PASSWORD: ${{ secrets.matrix_postgres_password }}
+          MATRIX_SMTP_PASS: ${{ secrets.matrix_smtp_pass }}
+        run: |
+          sed -i "s|(matrix_turn_shared_secret)|$MATRIX_TURN_SHARED_SECRET|g" $GITHUB_WORKSPACE/matrix/homeserver.yaml
+          sed -i "s|(matrix_registration_shared_secret)|$MATRIX_REGISTRATION_SHARED_SECRET|g" $GITHUB_WORKSPACE/matrix/homeserver.yaml
+          sed -i "s|(matrix_macaroon_secret_key)|$MATRIX_MACAROON_SECRET_KEY|g" $GITHUB_WORKSPACE/matrix/homeserver.yaml
+          sed -i "s|(matrix_oidc_issuer)|$MATRIX_OIDC_ISSUER|g" $GITHUB_WORKSPACE/matrix/homeserver.yaml
+          sed -i "s|(matrix_oidc_client_id)|$MATRIX_OIDC_CLIENT_ID|g" $GITHUB_WORKSPACE/matrix/homeserver.yaml
+          sed -i "s|(matrix_oidc_client_secret)|$MATRIX_OIDC_CLIENT_SECRET|g" $GITHUB_WORKSPACE/matrix/homeserver.yaml
+          sed -i "s|(matrix_postgres_password)|$MATRIX_POSTGRES_PASSWORD|g" $GITHUB_WORKSPACE/matrix/homeserver.yaml
+          sed -i "s|(matrix_smtp_pass)|$MATRIX_SMTP_PASS|g" $GITHUB_WORKSPACE/matrix/homeserver.yaml
+
+      - name: Add secrets to eturnal.yml
+        env:
+          MATRIX_TURN_SHARED_SECRET: ${{ secrets.matrix_turn_shared_secret }}
+        run: |
+          sed -i "s|(matrix_turn_shared_secret)|$MATRIX_TURN_SHARED_SECRET|g" $GITHUB_WORKSPACE/matrix/eturnal.yml
+
+      - name: Add secrets to mautrix-telegram config files
+        env:
+          MATRIX_TELEGRAM_AS_TOKEN: ${{ secrets.matrix_telegram_as_token }}
+          MATRIX_TELEGRAM_HS_TOKEN: ${{ secrets.matrix_telegram_hs_token }}
+          MATRIX_TELEGRAM_SENDER_LOCALPART: ${{ secrets.matrix_telegram_sender_localpart }}
+          MATRIX_TELEGRAM_POSTGRES_PASSWORD: ${{ secrets.matrix_telegram_postgres_password }}
+          MATRIX_TELEGRAM_API_ID: ${{ secrets.matrix_telegram_api_id }}
+          MATRIX_TELEGRAM_API_HASH: ${{ secrets.matrix_telegram_api_hash }}
+          MATRIX_TELEGRAM_BOT_TOKEN: ${{ secrets.matrix_telegram_bot_token }}
+        run: |
+          sed -i "s|(matrix_telegram_as_token)|$MATRIX_TELEGRAM_AS_TOKEN|g" $GITHUB_WORKSPACE/matrix/mautrix-telegram/app-service-registration.yaml
+          sed -i "s|(matrix_telegram_hs_token)|$MATRIX_TELEGRAM_HS_TOKEN|g" $GITHUB_WORKSPACE/matrix/mautrix-telegram/app-service-registration.yaml
+          sed -i "s|(matrix_telegram_sender_localpart)|$MATRIX_TELEGRAM_SENDER_LOCALPART|g" $GITHUB_WORKSPACE/matrix/mautrix-telegram/app-service-registration.yaml
+          sed -i "s|(matrix_telegram_postgres_password)|$MATRIX_TELEGRAM_POSTGRES_PASSWORD|g" $GITHUB_WORKSPACE/matrix/mautrix-telegram/config.yaml
+          sed -i "s|(matrix_telegram_as_token)|$MATRIX_TELEGRAM_AS_TOKEN|g" $GITHUB_WORKSPACE/matrix/mautrix-telegram/config.yaml
+          sed -i "s|(matrix_telegram_hs_token)|$MATRIX_TELEGRAM_HS_TOKEN|g" $GITHUB_WORKSPACE/matrix/mautrix-telegram/config.yaml
+          sed -i "s|(matrix_telegram_api_id)|$MATRIX_TELEGRAM_API_ID|g" $GITHUB_WORKSPACE/matrix/mautrix-telegram/config.yaml
+          sed -i "s|(matrix_telegram_api_hash)|$MATRIX_TELEGRAM_API_HASH|g" $GITHUB_WORKSPACE/matrix/mautrix-telegram/config.yaml
+          sed -i "s|(matrix_telegram_bot_token)|$MATRIX_TELEGRAM_BOT_TOKEN|g" $GITHUB_WORKSPACE/matrix/mautrix-telegram/config.yaml
+
+      - name: Add secrets to mautrix-discord config files
+        env:
+          MATRIX_DISCORD_AS_TOKEN: ${{ secrets.matrix_discord_as_token }}
+          MATRIX_DISCORD_HS_TOKEN: ${{ secrets.matrix_discord_hs_token }}
+          MATRIX_DISCORD_SENDER_LOCALPART: ${{ secrets.matrix_discord_sender_localpart }}
+          MATRIX_DISCORD_POSTGRES_PASSWORD: ${{ secrets.matrix_discord_postgres_password }}
+        run: |
+          sed -i "s|(matrix_discord_as_token)|$MATRIX_DISCORD_AS_TOKEN|g" $GITHUB_WORKSPACE/matrix/mautrix-discord/app-service-registration.yaml
+          sed -i "s|(matrix_discord_hs_token)|$MATRIX_DISCORD_HS_TOKEN|g" $GITHUB_WORKSPACE/matrix/mautrix-discord/app-service-registration.yaml
+          sed -i "s|(matrix_discord_sender_localpart)|$MATRIX_DISCORD_SENDER_LOCALPART|g" $GITHUB_WORKSPACE/matrix/mautrix-discord/app-service-registration.yaml
+          sed -i "s|(matrix_discord_postgres_password)|$MATRIX_DISCORD_POSTGRES_PASSWORD|g" $GITHUB_WORKSPACE/matrix/mautrix-discord/config.yaml
+          sed -i "s|(matrix_discord_as_token)|$MATRIX_DISCORD_AS_TOKEN|g" $GITHUB_WORKSPACE/matrix/mautrix-discord/config.yaml
+          sed -i "s|(matrix_discord_hs_token)|$MATRIX_DISCORD_HS_TOKEN|g" $GITHUB_WORKSPACE/matrix/mautrix-discord/config.yaml
+
+      - name: Add secrets to compose
+        env:
+          POSTGRES_PASSWORD: ${{ secrets.matrix_postgres_password }}
+          MATRIX_TELEGRAM_POSTGRES_PASSWORD: ${{ secrets.matrix_telegram_postgres_password }}
+          MATRIX_DISCORD_POSTGRES_PASSWORD: ${{ secrets.matrix_discord_postgres_password }}
+          MATRIX_SLIDING_SYNC_POSTGRES_PASSWORD: ${{ secrets.MATRIX_SLIDING_SYNC_POSTGRES_PASSWORD }}
+          MATRIX_SLIDING_SYNC_POSTGRES_CONNECTION_STRING: ${{ secrets.MATRIX_SLIDING_SYNC_POSTGRES_CONNECTION_STRING }}
+          MATRIX_SLIDING_SYNC_SECRET: ${{ secrets.MATRIX_SLIDING_SYNC_SECRET }}
+        run: |
+          sed -i "s|(matrix_postgres_password)|$POSTGRES_PASSWORD|g" $GITHUB_WORKSPACE/matrix/docker-compose.yml
+          sed -i "s|(matrix_telegram_postgres_password)|$MATRIX_TELEGRAM_POSTGRES_PASSWORD|g" $GITHUB_WORKSPACE/matrix/docker-compose.yml
+          sed -i "s|(matrix_discord_postgres_password)|$MATRIX_DISCORD_POSTGRES_PASSWORD|g" $GITHUB_WORKSPACE/matrix/docker-compose.yml
+          sed -i "s|(MATRIX_SLIDING_SYNC_POSTGRES_PASSWORD)|$MATRIX_SLIDING_SYNC_POSTGRES_PASSWORD|g" $GITHUB_WORKSPACE/matrix/docker-compose.yml
+          sed -i "s|(MATRIX_SLIDING_SYNC_POSTGRES_CONNECTION_STRING)|$MATRIX_SLIDING_SYNC_POSTGRES_CONNECTION_STRING|g" $GITHUB_WORKSPACE/matrix/docker-compose.yml
+          sed -i "s|(MATRIX_SLIDING_SYNC_SECRET)|$MATRIX_SLIDING_SYNC_SECRET|g" $GITHUB_WORKSPACE/matrix/docker-compose.yml
+
+      - name: create file for secrets
+        env:
+          MATRIX_SIGNING_KEY: ${{ secrets.matrix_signing_key }}
+        run: |
+          echo "$MATRIX_SIGNING_KEY" > $GITHUB_WORKSPACE/matrix/signing.key
+
+      - name: Start Deployment
+        uses: FarisZR/[email protected]
+        with:
+          remote_docker_host: ${{ secrets.server_address }}
+          tailscale_ssh: true # no need for manual private and public keys
+          compose_file_path: matrix/docker-compose.yml
+          args: -p matrix up -d --remove-orphans
+          upload_directory: true
+          docker_compose_directory: matrix
diff --git a/caddy/configs/matrix.caddyfile b/caddy/configs/matrix.caddyfile
@@ -0,0 +1,47 @@
+matrix.aosus.org {
+	# proxy direct images from discord CDN instead of uploading (https://docs.mau.fi/bridges/go/discord/direct-media.html)
+	handle /_matrix/media/*/download/aosus.org/discord_* {
+		header Access-Control-Allow-Origin *
+		# Remove path prefix
+		uri path_regexp ^/_matrix/media/.+/download/aosus\.org/discord_ /
+		# The mxc patterns use | instead of /, so replace it first turning it into attachments/1234/5678/filename.png
+		uri replace "%7C" /
+		reverse_proxy {
+			# reverse_proxy automatically includes the uri, so no {uri} at the end
+			to https://cdn.discordapp.com
+			# Caddy doesn't set the Host header automatically when reverse proxying
+			# (because usually reverse proxies are local and don't care about Host headers)
+			header_up Host cdn.discordapp.com
+		}
+	}
+	# Do the same for thumbnails, but redirect to media.discordapp.net (which is Discord's thumbnailing server, and happens to use similar width/height params as Matrix)
+	# Alternatively, you can point this at cdn.discordapp.com too. Clients shouldn't mind even if they get a bigger image than they asked for.
+	handle /_matrix/media/*/thumbnail/aosus.org/discord_* {
+		header Access-Control-Allow-Origin *
+		uri path_regexp ^/_matrix/media/.+/thumbnail/aosus\.org/discord_ /
+		uri replace "%7C" /
+		reverse_proxy {
+			to https://media.discordapp.net
+			header_up Host media.discordapp.net
+		}
+	}
+	handle_errors {
+		# handle_errors is only triggerd on erros from Caddy and not the proxy, that's why we don't specifiy any errors here.
+		rewrite * /proxy_error_page.html
+		file_server {
+			root /srv/
+		}
+	}
+	reverse_proxy synapse:8008
+	encode zstd gzip
+}
+
+syncv3-matrix-proxy.aosus.org {
+	reverse_proxy sliding-sync:8008
+	encode zstd gzip
+}
+
+aosus.org:8448 {
+	reverse_proxy synapse:8008
+	encode zstd gzip
+}
diff --git a/matrix/docker-compose.yml b/matrix/docker-compose.yml
@@ -0,0 +1,181 @@
+networks:
+  default:
+    enable_ipv6: true
+  web:
+    external: true
+
+services:
+  postgres:
+    image: postgres:14.10-alpine@sha256:a52bf84b9edf9229492eaa340848a508b7c67af0fc5b5636d992164dce729174
+    restart: always
+    # These will be used in homeserver.yaml later on
+    environment:
+      - POSTGRES_DB=synapse
+      - POSTGRES_USER=synapse
+      - POSTGRES_PASSWORD=(matrix_postgres_password)
+      - POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
+    volumes:
+      - synapse-postgresql:/var/lib/postgresql/data:rw
+    networks:
+      default:
+
+
+  synapse:
+    image: ghcr.io/element-hq/synapse:v1.100.0@sha256:0f050ebb925851a4e4b7c9ab451388ed944aeabe5132107782fd41dd05a50f88
+    container_name: synapse
+    restart: always
+    volumes:
+      - synapse-media_store:/data/media_store:rw
+    environment:
+      - UID=991
+      - GID=991
+      - SYNAPSE_CONFIG_DIR=config
+    configs:
+      - source: synapse-homeserver
+        target: /config/homeserver.yaml
+        uid: "991"
+        gid: "991"
+      - source: synapse-log-config
+        target: /config/log.config
+        uid: "991"
+        gid: "991"
+      - source: mautrix-telegram-appservice
+        target: /app-services/telegram.yaml
+        uid: "991"
+        gid: "991"
+      - source: mautrix-discord-appservice
+        target: /app-services/discord.yaml
+        uid: "991"
+        gid: "991"
+    secrets:
+      - source: matrix-signing-key
+        target: signing.key
+        uid: "991"
+        gid: "991"
+    healthcheck:
+      test: [ "CMD", "curl", "-fSs", "http://localhost:8008/health" ]
+      interval: 15s
+      timeout: 5s
+      retries: 3
+      start_period: 5s
+    networks:
+      default:
+      web:
+
+  mautrix-telegram:
+    container_name: mautrix-telegram
+    restart: always
+    image: dock.mau.dev/mautrix/telegram:v0.15.1@sha256:2091e446ac660be59427c89eea961f1355238ec41d814aa1db12dfb7a1a6dc6c
+    configs:
+      - source: mautrix-telegram-appservice
+        target: /data/registration.yaml
+      - source: mautrix-telegram-config
+        target: /data/config.yaml
+    networks:
+      default:
+
+  postgres-telegram:
+    image: postgres:14.10-alpine@sha256:a52bf84b9edf9229492eaa340848a508b7c67af0fc5b5636d992164dce729174
+    restart: always
+    environment:
+      - POSTGRES_DB=telegram
+      - POSTGRES_USER=telegram
+      - POSTGRES_PASSWORD=(matrix_telegram_postgres_password)
+      - POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
+    volumes:
+      - telegram-postgresql:/var/lib/postgresql/data:rw
+    networks:
+      default:
+
+  mautrix-discord:
+    container_name: mautrix-discord
+    restart: always
+    image: dock.mau.dev/mautrix/discord:latest@sha256:ca9119f6a2d50100d9efd6ce665b969be1fa5ea6898c15b9a3383ad1717ac0aa 
+    configs:
+      - source: mautrix-discord-appservice
+        target: /data/registration.yaml
+      - source: mautrix-discord-config
+        target: /data/config.yaml
+
+  postgres-discord:
+    image: postgres:14.10-alpine@sha256:a52bf84b9edf9229492eaa340848a508b7c67af0fc5b5636d992164dce729174
+    restart: always
+    environment:
+      - POSTGRES_DB=discord
+      - POSTGRES_USER=discord
+      - POSTGRES_PASSWORD=(matrix_discord_postgres_password)
+      - POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
+    volumes:
+      - discord-postgres:/var/lib/postgresql/data:rw
+
+
+  eturnal:
+    image: ghcr.io/processone/eturnal:1.12.0@sha256:c4ad43bc6a26d418455a0c89df9ce9850798c0a1401fc751ce43d831fd34e19b
+    user: 0:0 # to access caddy certs
+    ports:
+      - '3478:3478'
+      - '32000-32200:32000-32200'
+      - '3478:3478/udp'
+      - '32000-32200:32000-32200/udp'
+    volumes:
+      - caddy_data:/caddy-data:ro
+    configs:
+      - source: eturnal
+        target: /etc/eturnal.yml
+
+  postgres-sync:
+    image: postgres:15.5-alpine@sha256:934be6ae0a5bce0f607a5edc437e6bd606c074e595c28d4897845d6502823104
+    restart: always
+    # These will be used in homeserver.yaml later on
+    environment:
+      - POSTGRES_DB=sync
+      - POSTGRES_USER=sync
+      - POSTGRES_PASSWORD=(MATRIX_SLIDING_SYNC_POSTGRES_PASSWORD)
+      - POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
+    volumes:
+      - sliding-sync-postgres:/var/lib/postgresql/data
+    networks:
+      default:
+
+  sliding-sync:
+    image: ghcr.io/matrix-org/sliding-sync:v0.99.15@sha256:3e23aaf4950ca861bdf14a772ddc6ca8c0084a9e38d3c4126d9232ba47a87b96
+    restart: always
+    environment:
+      - SYNCV3_SERVER=https://matrix.aosus.org
+      - SYNCV3_DB=(MATRIX_SLIDING_SYNC_POSTGRES_CONNECTION_STRING)
+      - SYNCV3_SECRET=(MATRIX_SLIDING_SYNC_SECRET)
+    depends_on:
+      - postgres-sync
+      - synapse
+    networks:
+      web:
+      default:
+
+configs:
+  synapse-homeserver:
+    file: homeserver.yaml
+  synapse-log-config:
+    file: log.config
+  mautrix-telegram-appservice:
+    file: mautrix-telegram/app-service-registration.yaml
+  mautrix-telegram-config:
+    file: mautrix-telegram/config.yaml
+  mautrix-discord-config:
+    file: mautrix-discord/config.yaml
+  mautrix-discord-appservice:
+    file: mautrix-discord/app-service-registration.yaml
+  eturnal:
+    file: eturnal.yml
+# import key using file created by github runner.
+secrets:
+  matrix-signing-key:
+    file: /home/aosus/matrix/signing.key
+
+volumes:
+  caddy_data:
+    external: true
+  synapse-postgresql:
+  synapse-media_store:
+  telegram-postgresql:
+  discord-postgres:
+  sliding-sync-postgres: