Add the matrix stack.

aosus · Oct 24, 2024 · e78a6e5 · e78a6e5
1 parent a5f08cf
commit e78a6e5
Show file tree

Hide file tree

Showing 9 changed files with 3,920 additions and 0 deletions.
diff --git a/.github/workflows/matrix.yml b/.github/workflows/matrix.yml
@@ -0,0 +1,115 @@
+name: deploy-matrix
+
+on:
+  push:
+    paths:
+      - '.github/workflows/matrix.yml'
+      - 'matrix/**'
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    environment:
+      name: Matrix
+      url: https://matrix.aosus.org
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Tailscale
+        uses: tailscale/github-action@7a0b30ed3517c2244d1330e39467b95f067a33bd
+        with:
+          oauth-client-id: ${{ secrets.TAILSCALE_CLIENT_ID }}
+          oauth-secret: ${{ secrets.TAILSCALE_SECRET }}
+          tags: tag:deploy-ci
+          hostname: Github-actions
+          version: ${{ vars.TAILSCALE_VERSION }}
+
+      - name: Add secrets to homeserver.yml
+        env:
+          MATRIX_TURN_SHARED_SECRET: ${{ secrets.matrix_turn_shared_secret }}
+          MATRIX_REGISTRATION_SHARED_SECRET: ${{ secrets.matrix_registration_shared_secret }}
+          MATRIX_FORM_SECRET: ${{ secrets.matrix_form_secret }}
+          MATRIX_POSTGRES_PASSWORD: ${{ secrets.matrix_postgres_password }}
+          MATRIX_SMTP_PASS: ${{ secrets.matrix_smtp_pass }}
+        run: |
+          sed -i "s|(matrix_turn_shared_secret)|$MATRIX_TURN_SHARED_SECRET|g" $GITHUB_WORKSPACE/matrix/homeserver.yaml
+          sed -i "s|(matrix_registration_shared_secret)|$MATRIX_REGISTRATION_SHARED_SECRET|g" $GITHUB_WORKSPACE/matrix/homeserver.yaml
+          sed -i "s|(matrix_oidc_issuer)|$MATRIX_OIDC_ISSUER|g" $GITHUB_WORKSPACE/matrix/homeserver.yaml
+          sed -i "s|(matrix_oidc_client_id)|$MATRIX_OIDC_CLIENT_ID|g" $GITHUB_WORKSPACE/matrix/homeserver.yaml
+          sed -i "s|(matrix_oidc_client_secret)|$MATRIX_OIDC_CLIENT_SECRET|g" $GITHUB_WORKSPACE/matrix/homeserver.yaml
+          sed -i "s|(matrix_postgres_password)|$MATRIX_POSTGRES_PASSWORD|g" $GITHUB_WORKSPACE/matrix/homeserver.yaml
+          sed -i "s|(matrix_smtp_pass)|$MATRIX_SMTP_PASS|g" $GITHUB_WORKSPACE/matrix/homeserver.yaml
+          sed -i "s|(matrix_form_secret)|$MATRIX_FORM_SECRET|g" $GITHUB_WORKSPACE/matrix/homeserver.yaml
+
+      - name: Add secrets to eturnal.yml
+        env:
+          MATRIX_TURN_SHARED_SECRET: ${{ secrets.matrix_turn_shared_secret }}
+        run: |
+          sed -i "s|(matrix_turn_shared_secret)|$MATRIX_TURN_SHARED_SECRET|g" $GITHUB_WORKSPACE/matrix/eturnal.yml
+
+      - name: Add secrets to mautrix-telegram config files
+        env:
+          MATRIX_TELEGRAM_AS_TOKEN: ${{ secrets.matrix_telegram_as_token }}
+          MATRIX_TELEGRAM_HS_TOKEN: ${{ secrets.matrix_telegram_hs_token }}
+          MATRIX_TELEGRAM_SENDER_LOCALPART: ${{ secrets.matrix_telegram_sender_localpart }}
+          MATRIX_TELEGRAM_POSTGRES_PASSWORD: ${{ secrets.matrix_telegram_postgres_password }}
+          MATRIX_TELEGRAM_API_ID: ${{ secrets.matrix_telegram_api_id }}
+          MATRIX_TELEGRAM_API_HASH: ${{ secrets.matrix_telegram_api_hash }}
+          MATRIX_TELEGRAM_BOT_TOKEN: ${{ secrets.matrix_telegram_bot_token }}
+        run: |
+          sed -i "s|(matrix_telegram_as_token)|$MATRIX_TELEGRAM_AS_TOKEN|g" $GITHUB_WORKSPACE/matrix/mautrix-telegram/app-service-registration.yaml
+          sed -i "s|(matrix_telegram_hs_token)|$MATRIX_TELEGRAM_HS_TOKEN|g" $GITHUB_WORKSPACE/matrix/mautrix-telegram/app-service-registration.yaml
+          sed -i "s|(matrix_telegram_sender_localpart)|$MATRIX_TELEGRAM_SENDER_LOCALPART|g" $GITHUB_WORKSPACE/matrix/mautrix-telegram/app-service-registration.yaml
+          sed -i "s|(matrix_telegram_postgres_password)|$MATRIX_TELEGRAM_POSTGRES_PASSWORD|g" $GITHUB_WORKSPACE/matrix/mautrix-telegram/config.yaml
+          sed -i "s|(matrix_telegram_as_token)|$MATRIX_TELEGRAM_AS_TOKEN|g" $GITHUB_WORKSPACE/matrix/mautrix-telegram/config.yaml
+          sed -i "s|(matrix_telegram_hs_token)|$MATRIX_TELEGRAM_HS_TOKEN|g" $GITHUB_WORKSPACE/matrix/mautrix-telegram/config.yaml
+          sed -i "s|(matrix_telegram_api_id)|$MATRIX_TELEGRAM_API_ID|g" $GITHUB_WORKSPACE/matrix/mautrix-telegram/config.yaml
+          sed -i "s|(matrix_telegram_api_hash)|$MATRIX_TELEGRAM_API_HASH|g" $GITHUB_WORKSPACE/matrix/mautrix-telegram/config.yaml
+          sed -i "s|(matrix_telegram_bot_token)|$MATRIX_TELEGRAM_BOT_TOKEN|g" $GITHUB_WORKSPACE/matrix/mautrix-telegram/config.yaml
+
+      - name: Add secrets to mautrix-discord config files
+        env:
+          MATRIX_DISCORD_AS_TOKEN: ${{ secrets.matrix_discord_as_token }}
+          MATRIX_DISCORD_HS_TOKEN: ${{ secrets.matrix_discord_hs_token }}
+          MATRIX_DISCORD_SENDER_LOCALPART: ${{ secrets.matrix_discord_sender_localpart }}
+          MATRIX_DISCORD_POSTGRES_PASSWORD: ${{ secrets.matrix_discord_postgres_password }}
+        run: |
+          sed -i "s|(matrix_discord_as_token)|$MATRIX_DISCORD_AS_TOKEN|g" $GITHUB_WORKSPACE/matrix/mautrix-discord/app-service-registration.yaml
+          sed -i "s|(matrix_discord_hs_token)|$MATRIX_DISCORD_HS_TOKEN|g" $GITHUB_WORKSPACE/matrix/mautrix-discord/app-service-registration.yaml
+          sed -i "s|(matrix_discord_sender_localpart)|$MATRIX_DISCORD_SENDER_LOCALPART|g" $GITHUB_WORKSPACE/matrix/mautrix-discord/app-service-registration.yaml
+          sed -i "s|(matrix_discord_postgres_password)|$MATRIX_DISCORD_POSTGRES_PASSWORD|g" $GITHUB_WORKSPACE/matrix/mautrix-discord/config.yaml
+          sed -i "s|(matrix_discord_as_token)|$MATRIX_DISCORD_AS_TOKEN|g" $GITHUB_WORKSPACE/matrix/mautrix-discord/config.yaml
+          sed -i "s|(matrix_discord_hs_token)|$MATRIX_DISCORD_HS_TOKEN|g" $GITHUB_WORKSPACE/matrix/mautrix-discord/config.yaml
+
+      - name: Add secrets to compose
+        env:
+          POSTGRES_PASSWORD: ${{ secrets.matrix_postgres_password }}
+          MATRIX_TELEGRAM_POSTGRES_PASSWORD: ${{ secrets.matrix_telegram_postgres_password }}
+          MATRIX_DISCORD_POSTGRES_PASSWORD: ${{ secrets.matrix_discord_postgres_password }}
+          MATRIX_DISCORD_RESOLVER_ACCOUNT_TOKEN: ${{ secrets.matrix_discord_resolver_account_token }}
+        run: |
+          sed -i "s|(matrix_postgres_password)|$POSTGRES_PASSWORD|g" $GITHUB_WORKSPACE/matrix/docker-compose.yml
+          sed -i "s|(matrix_telegram_postgres_password)|$MATRIX_TELEGRAM_POSTGRES_PASSWORD|g" $GITHUB_WORKSPACE/matrix/docker-compose.yml
+          sed -i "s|(matrix_discord_postgres_password)|$MATRIX_DISCORD_POSTGRES_PASSWORD|g" $GITHUB_WORKSPACE/matrix/docker-compose.yml
+          sed -i "s|(matrix_discord_resolver_account_token)|$MATRIX_DISCORD_RESOLVER_ACCOUNT_TOKEN|g" $GITHUB_WORKSPACE/matrix/docker-compose.yml
+
+      - name: create file for secrets
+        env:
+          MATRIX_SIGNING_KEY: ${{ secrets.matrix_signing_key }}
+        run: |
+          echo "$MATRIX_SIGNING_KEY" > $GITHUB_WORKSPACE/matrix/signing.key
+
+      - name: Start Deployment
+        uses: FarisZR/[email protected]
+        with:
+          remote_docker_host: ${{ secrets.server_address }}
+          tailscale_ssh: true # no need for manual private and public keys
+          compose_file_path: matrix/docker-compose.yml
+          args: -p matrix up -d --remove-orphans
+          upload_directory: true
+          docker_compose_directory: matrix
diff --git a/matrix/docker-compose.yml b/matrix/docker-compose.yml
@@ -0,0 +1,160 @@
+networks:
+  default:
+    enable_ipv6: true
+  web:
+    external: true
+
+services:
+  postgres:
+    image: postgres:14.13-alpine@sha256:2d28cf41ec156f9a6dc9489fd3e5b59888f89229d68fc622efbfbe576e114b13
+    restart: always
+    # These will be used in homeserver.yaml later on
+    environment:
+      - POSTGRES_DB=synapse
+      - POSTGRES_USER=synapse
+      - POSTGRES_PASSWORD=(matrix_postgres_password)
+      - POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
+    volumes:
+      - /home/aosus/matrix/synapse-postgresql:/var/lib/postgresql/data:rw
+    networks:
+      default:
+
+
+  synapse:
+    image: ghcr.io/element-hq/synapse:v1.117.0@sha256:070236812ba367a90094fd86df0e160da5643a06e5259154f157d44c4c7a2f31
+    container_name: synapse
+    restart: always
+    volumes:
+      - /home/aosus/matrix/synapse-media_store:/data/media_store:rw
+    environment:
+      - UID=991
+      - GID=991
+      - SYNAPSE_CONFIG_DIR=config
+    configs:
+      - source: synapse-homeserver
+        target: /config/homeserver.yaml
+        uid: "991"
+        gid: "991"
+      - source: synapse-log-config
+        target: /config/log.config
+        uid: "991"
+        gid: "991"
+      - source: mautrix-telegram-appservice
+        target: /app-services/telegram.yaml
+        uid: "991"
+        gid: "991"
+      - source: mautrix-discord-appservice
+        target: /app-services/discord.yaml
+        uid: "991"
+        gid: "991"
+    secrets:
+      - source: matrix-signing-key
+        target: signing.key
+        uid: "991"
+        gid: "991"
+    healthcheck:
+      test: [ "CMD", "curl", "-fSs", "http://localhost:8008/health" ]
+      interval: 15s
+      timeout: 5s
+      retries: 3
+      start_period: 5s
+    networks:
+      default:
+      web:
+
+  mautrix-telegram:
+    container_name: mautrix-telegram
+    restart: always
+    image: dock.mau.dev/mautrix/telegram:v0.15.2@sha256:ac6dc40851cdf32a7bd9ce485a184c76796491a81d2fa01fe34702958efdc3df
+    configs:
+      - source: mautrix-telegram-appservice
+        target: /data/registration.yaml
+      - source: mautrix-telegram-config
+        target: /data/config.yaml
+    networks:
+      default:
+
+  postgres-telegram:
+    image: postgres:14.13-alpine@sha256:2d28cf41ec156f9a6dc9489fd3e5b59888f89229d68fc622efbfbe576e114b13
+    restart: always
+    environment:
+      - POSTGRES_DB=telegram
+      - POSTGRES_USER=telegram
+      - POSTGRES_PASSWORD=(matrix_telegram_postgres_password)
+      - POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
+    volumes:
+      - /home/aosus/matrix/telegram-postgres:/var/lib/postgresql/data:rw
+    networks:
+      default:
+
+  mautrix-discord:
+    container_name: mautrix-discord
+    restart: always
+    image: dock.mau.dev/mautrix/discord:latest@sha256:4e5236e8057cca76ef0741b8d6f2978eb91e31c272777143424583a3fd9e5ba9 
+    configs:
+      - source: mautrix-discord-appservice
+        target: /data/registration.yaml
+      - source: mautrix-discord-config
+        target: /data/config.yaml
+
+  postgres-discord:
+    image: postgres:14.13-alpine@sha256:2d28cf41ec156f9a6dc9489fd3e5b59888f89229d68fc622efbfbe576e114b13
+    restart: always
+    environment:
+      - POSTGRES_DB=discord
+      - POSTGRES_USER=discord
+      - POSTGRES_PASSWORD=(matrix_discord_postgres_password)
+      - POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
+    volumes:
+      - /home/aosus/matrix/discord-postgres:/var/lib/postgresql/data:rw
+
+# Discord now requires signed URLs for their CDN, this resolver fetches signed urls using a user token, and redirects the user to it.
+  discord-resolver:
+    image: ghcr.io/aosus/discord_cdn:master@sha256:7f3ac0ff060c4fb44e8caeac9e26f80a8d0056ba0e1012b4c2184b3b11a6099d
+    # ports:
+    #   - 3000:3000
+    environment:
+      - TOKEN=(matrix_discord_resolver_account_token)
+      - CACHE=86400 # cache discord links for a day
+    networks:
+      - web
+
+  eturnal:
+    image: ghcr.io/processone/eturnal:edge@sha256:0b55c6bcd12dac31e4acd5a4ab40793b0a2606c8951802fb21d47fc590a802c3
+    user: 0:0 # to access caddy certs
+    ports:
+      - '3478:3478'
+      - '32000-32200:32000-32200'
+      - '3478:3478/udp'
+      - '32000-32200:32000-32200/udp'
+    volumes:
+      - caddy_data:/caddy-data:ro
+    environment:
+      - ETURNAL_USER=root
+    configs:
+      - source: eturnal
+        target: /etc/eturnal.yml
+
+configs:
+  synapse-homeserver:
+    file: /home/aosus/matrix/homeserver.yaml
+  synapse-log-config:
+    file: /home/aosus/matrix/log.config
+  mautrix-telegram-appservice:
+    file: /home/aosus/matrix/mautrix-telegram/app-service-registration.yaml
+  mautrix-telegram-config:
+    file: /home/aosus/matrix/mautrix-telegram/config.yaml
+  mautrix-discord-config:
+    file: /home/aosus/matrix/mautrix-discord/config.yaml
+  mautrix-discord-appservice:
+    file: /home/aosus/matrix/mautrix-discord/app-service-registration.yaml
+  eturnal:
+    file: /home/aosus/matrix/eturnal.yml
+# import key using file created by github runner.
+secrets:
+  matrix-signing-key:
+    file: /home/aosus/matrix/signing.key
+
+volumes:
+  caddy_data:
+    external: true
diff --git a/matrix/eturnal.yml b/matrix/eturnal.yml
@@ -0,0 +1,59 @@
+# eturnal STUN/TURN server configuration file.
+#
+# This file is written in YAML. The YAML format is indentation-sensitive, please
+# MAKE SURE YOU INDENT CORRECTLY.
+#
+# See: https://eturnal.net/doc/#Global_Configuration
+
+eturnal:
+
+  ## Shared secret for deriving temporary TURN credentials (default: $RANDOM):
+  secret: "(matrix_turn_shared_secret)"
+
+  ## The server's public IPv4 address (default: autodetected):
+  relay_ipv4_addr: "89.58.0.238"
+  ## The server's public IPv6 address (optional):
+  relay_ipv6_addr: "2a03:4000:5d:b9:e801:faff:fe88:7dec"
+  realm: turn.aosus.org
+
+  listen:
+    -
+      ip: "::"
+      port: 3478
+      transport: udp
+    -
+      ip: "::"
+      port: 3478
+      transport: auto #TLS AND TCP
+
+  ## TLS certificate/key files (must be readable by 'eturnal' user!):
+  tls_crt_file: /caddy-data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/turn.aosus.org/turn.aosus.org.crt
+  tls_key_file: /caddy-data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/turn.aosus.org/turn.aosus.org.key
+
+  ## UDP relay port range (usually, several ports per A/V call are required):
+  relay_min_port: 32000     # This is the default.
+  relay_max_port: 32200     # This is the default.
+
+  ## Reject TURN relaying to the following addresses/networks:
+  blacklist_peers:
+    - recommended           # Expands to various addresses/networks recommended
+                            # to be blocked. This is the default.
+
+  ## If 'true', close established calls on expiry of temporary TURN credentials:
+  strict_expiry: false      # This is the default.
+
+  ## Logging configuration:
+  log_level: warning           # critical | error | warning | notice | info | debug
+  log_rotate_size: 10485760 # 10 MiB (default: unlimited, i.e., no rotation).
+  log_rotate_count: 2      # Keep 10 rotated log files.
+  #log_dir: stdout          # Enable for logging to the terminal/journal.
+
+  ## See: https://eturnal.net/doc/#Module_Configuration
+  modules:
+    mod_log_stun: {}        # Log STUN queries (in addition to TURN sessions).
+    #mod_stats_influx: {}   # Log STUN/TURN events into InfluxDB.
+    #mod_stats_prometheus:  # Expose STUN/TURN and VM metrics to Prometheus.
+    #  ip: any              # This is the default: Listen on all interfaces.
+    #  port: 8081           # This is the default.
+    #  tls: false           # This is the default.
+    #  vm_metrics: true     # This is the default.