-
Notifications
You must be signed in to change notification settings - Fork 6
/
compose.yml
323 lines (302 loc) · 10.2 KB
/
compose.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
# FIXME: define a frontend & backend network, and only expose backend services to the frontend (nginx)
networks:
backend:
secrets:
postgres_password:
file: secrets/postgres/postgres_password
synapse_signing_key:
file: secrets/synapse/signing.key
livekit_api_key:
file: secrets/livekit/livekit_api_key
livekit_secret_key:
file: secrets/livekit/livekit_secret_key
services:
# XXX: consider factor out secret generation from the compose.yml
# dependencies for optionally generating default configs + secrets
generate-synapse-secrets:
image: ghcr.io/element-hq/synapse:latest
user: $USER_ID:$GROUP_ID
restart: "no"
volumes:
- ${VOLUME_PATH}/data/synapse:/data:rw
- ${VOLUME_PATH}/init/generate-synapse-secrets.sh:/entrypoint.sh
env_file: .env
environment:
SYNAPSE_CONFIG_DIR: /data
SYNAPSE_CONFIG_PATH: /data/homeserver.yaml.default
SYNAPSE_SERVER_NAME: ${DOMAIN}
SYNAPSE_REPORT_STATS: ${REPORT_STATS}
entrypoint: "/entrypoint.sh"
generate-mas-secrets:
restart: "no"
image: ghcr.io/element-hq/matrix-authentication-service:latest
user: $USER_ID:$GROUP_ID
volumes:
- ${VOLUME_PATH}/data/mas:/data:rw
# FIXME: stop this regenerating a spurious default config every time
# We can't do the same approach as synapse (unless use a debug image of MAS) as MAS is distroless and has no bash.
command: "config generate -o /data/config.yaml.default"
# dependency for templating /data-template into /data (having extracted any secrets from any default generated configs)
init:
build: init
user: $USER_ID:$GROUP_ID
restart: "no"
volumes:
- ${VOLUME_PATH}/secrets:/secrets
- ${VOLUME_PATH}/data:/data
- ${VOLUME_PATH}/data-template:/data-template
- ${VOLUME_PATH}/init/init.sh:/init.sh
command: "/init.sh"
env_file: .env
depends_on:
generate-synapse-secrets:
condition: service_completed_successfully
generate-mas-secrets:
condition: service_completed_successfully
nginx:
image: nginx:latest
restart: unless-stopped
ports:
- "80:80"
- "443:443"
- "8448:8448"
# shutdown fast so we can iterate rapidly on compose.yml
stop_grace_period: 0s
volumes:
- ${VOLUME_PATH}/data/nginx/conf.d:/etc/nginx/conf.d
- ${VOLUME_PATH}/data/nginx/www:/var/www
- ${VOLUME_PATH}/data/ssl:/etc/nginx/ssl
command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
networks:
backend:
aliases: # so our containers can resolve the LB
- $DOMAIN
- $HOMESERVER_FQDN
- $ELEMENT_WEB_FQDN
- $ELEMENT_CALL_FQDN
- $MAS_FQDN
depends_on:
init:
condition: service_completed_successfully
certbot:
image: certbot/certbot:latest
restart: unless-stopped
volumes:
- ${VOLUME_PATH}/data/certbot/conf:/etc/letsencrypt
- ${VOLUME_PATH}/data/certbot/www:/var/www/certbot
- ${VOLUME_PATH}/data/ssl:/data/ssl
entrypoint: "/bin/sh -c 'trap exit TERM; \
while [ -e /etc/letsencrypt/live ]; \
do sleep 30; certbot --webroot -w /var/www/certbot renew; \
cp /etc/letsencrypt/live/$DOMAIN/*.pem /data/ssl; \
sleep 12h & wait $${!}; \
done;'"
postgres:
image: postgres:latest
restart: unless-stopped
volumes:
- ${VOLUME_PATH}/data/postgres:/var/lib/postgresql/data:rw
- ${VOLUME_PATH}/scripts/create-multiple-postgresql-databases.sh:/docker-entrypoint-initdb.d/create-multiple-postgresql-databases.sh
networks:
- backend
environment:
POSTGRES_MULTIPLE_DATABASES: synapse,mas
POSTGRES_USER: matrix # FIXME: use different username+passwords for synapse & MAS DBs.
POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
POSTGRES_INITDB_ARGS: --encoding=UTF8 --locale=C
PGDATA: /var/lib/postgresql/data/data # otherwise it clashes with .gitkeep in the parent dir
secrets:
- postgres_password
healthcheck:
test: ["CMD-SHELL", "pg_isready -U matrix"]
start_period: "1s"
interval: "1s"
timeout: "5s"
depends_on:
init:
condition: service_completed_successfully
redis:
image: redis:latest
restart: unless-stopped
# healthcheck:
# test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
# interval: 1s
# timeout: 3s
# retries: 5
networks:
- backend
synapse:
image: ghcr.io/element-hq/synapse:latest
user: $USER_ID:$GROUP_ID
restart: unless-stopped
volumes:
- ${VOLUME_PATH}/data/synapse:/data:rw
- ${VOLUME_PATH}/data/ssl/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt
# ports:
# - 8008:8008
networks:
- backend
environment:
SYNAPSE_CONFIG_DIR: /data
SYNAPSE_CONFIG_PATH: /data/homeserver.yaml
secrets:
- synapse_signing_key
depends_on:
redis:
condition: service_started
postgres:
condition: service_healthy
init:
condition: service_completed_successfully
synapse-generic-worker-1:
image: ghcr.io/element-hq/synapse:latest
user: $USER_ID:$GROUP_ID
restart: unless-stopped
entrypoint: ["/start.py", "run", "--config-path=/data/homeserver.yaml", "--config-path=/data/workers/synapse-generic-worker-1.yaml"]
healthcheck:
test: ["CMD-SHELL", "curl -fSs http://localhost:8081/health || exit 1"]
start_period: "5s"
interval: "15s"
timeout: "5s"
networks:
- backend
volumes:
- ${VOLUME_PATH}/data/synapse:/data:rw
- ${VOLUME_PATH}/data/ssl/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt
environment:
SYNAPSE_WORKER: synapse.app.generic_worker
# Expose port if required so your reverse proxy can send requests to this worker
# Port configuration will depend on how the http listener is defined in the worker configuration file
# ports:
# - 8081:8081
secrets:
- synapse_signing_key
depends_on:
- synapse
synapse-federation-sender-1:
image: ghcr.io/element-hq/synapse:latest
user: $USER_ID:$GROUP_ID
restart: unless-stopped
entrypoint: ["/start.py", "run", "--config-path=/data/homeserver.yaml", "--config-path=/data/workers/synapse-federation-sender-1.yaml"]
healthcheck:
disable: true
networks:
- backend
volumes:
- ${VOLUME_PATH}/data/synapse:/data:rw # Replace VOLUME_PATH with the path to your Synapse volume
- ${VOLUME_PATH}/data/ssl/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt
environment:
SYNAPSE_WORKER: synapse.app.federation_sender
# ports:
# - 8082:8082
secrets:
- synapse_signing_key
depends_on:
- synapse
mas:
image: ghcr.io/element-hq/matrix-authentication-service:latest
restart: unless-stopped
# ports:
# - 8083:8080
volumes:
- ${VOLUME_PATH}/data/mas:/data:rw
- ${VOLUME_PATH}/data/ssl/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt
networks:
- backend
# FIXME: do we also need to sync the db?
command: "server --config=/data/config.yaml"
depends_on:
postgres:
condition: service_healthy
init:
condition: service_completed_successfully
# as a basic local MTA
mailhog:
image: mailhog/mailhog:latest
restart: unless-stopped
# ports:
# - 8025:8025
# - 1025:1025
networks:
- backend
element-web:
image: vectorim/element-web:latest
restart: unless-stopped
# ports:
# - 8080:80
healthcheck:
test: ["CMD-SHELL", "wget -q -O /dev/null http://localhost:80/version || exit 1"]
start_period: "5s"
interval: "15s"
timeout: "5s"
networks:
- backend
volumes:
- ${VOLUME_PATH}/data/element-web/config.json:/app/config.json
depends_on:
init:
condition: service_completed_successfully
element-call:
image: ghcr.io/element-hq/element-call:latest-ci
restart: unless-stopped
# ports:
# - 8082:80
networks:
- backend
volumes:
- ${VOLUME_PATH}/data/element-call/config.json:/app/config.json
depends_on:
init:
condition: service_completed_successfully
livekit:
image: livekit/livekit-server:latest
restart: unless-stopped
volumes:
- ${VOLUME_PATH}/data/livekit/config.yaml:/etc/livekit.yaml
command: --config /etc/livekit.yaml --node-ip ${LIVEKIT_NODE_IP}
ports:
# - 7880:7880 # HTTP listener
- 7881:7881 # TCP WebRTC transport, advertised via SDP
# TODO: expose livekit-turn on TCP & UDP 443 via nginx
# At least this would allow UDP turn on port 443 for better perf.
# You can't expose a massive range here as it literally sets up 10,000 userland listeners, which takes forever
# and will clash with any existing high-numbered ports.
# So for now, tunnel everything via TCP 7881. FIXME!
#- 50000-60000:50000-60000/tcp # TCP media
#- 50000-60000:50000-60000/udp # UDP media
networks:
- backend
depends_on:
init:
condition: service_completed_successfully
redis:
condition: service_started
livekit-jwt:
build:
# evil hack to pull in bash so we can run an entrypoint.sh
# FIXME: it's a bit wasteful; the alternative would be to modify lk-jwt-service to pick up secrets from disk
# Another alternative would be to factor out secret generation from compose.yml and create an .env up front
dockerfile_inline: |
FROM ghcr.io/element-hq/lk-jwt-service:latest-ci AS builder
FROM alpine:latest
RUN apk update && apk add bash
COPY --from=builder /lk-jwt-service /
restart: unless-stopped
volumes:
- ${VOLUME_PATH}/data/ssl/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt
- ${VOLUME_PATH}/scripts/livekit-jwt-entrypoint.sh:/entrypoint.sh
entrypoint: /entrypoint.sh
env_file: .env
deploy:
restart_policy:
condition: on-failure
networks:
- backend
secrets:
- livekit_api_key
- livekit_secret_key
depends_on:
init:
condition: service_completed_successfully
livekit:
condition: service_started