dcape v3 + actual config

dopos · Feb 7, 2024 · 586dca2 · 586dca2
1 parent 9974bbc
commit 586dca2
Show file tree

Hide file tree

Showing 5 changed files with 155 additions and 69 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1 +1,3 @@
-.env*
+.env*
+config/
+data/
diff --git a/Makefile b/Makefile
@@ -1,66 +1,67 @@
-# app custom Makefile
+## dcape-app-template Makefile
+## This file extends Makefile.app from dcape
+#:
 
-APP_NAME ?= dendrite
+SHELL               = /bin/bash
+CFG                ?= .env
+CFG_BAK            ?= $(CFG).bak
 
-# The domain name of this homeserver.
-APP_DOMAIN ?= dev.lan
+#- App name
+APP_NAME           ?= dendrite
 
-# Hostname for external access
-APP_SITE ?= matrix.dev.lan
+#- The domain name of this homeserver.
+APP_DOMAIN         ?= dev.test
 
-# Default username for create-user-admin
-APP_USER ?= admin
-
-# Docker repo & image name without version
-IMAGE    ?= matrixdotorg/dendrite-monolith
+#- Hostname for external access
+APP_SITE           ?= matrix.$(APP_DOMAIN)
 
-# TODO: false/yes??
-USE_DB = yes
+#- app root
+APP_ROOT           ?= $(PWD)
 
-#USE_TLS = yes
-
-# ------------------------------------------------------------------------------
-# app custom config
+#- Docker image name
+IMAGE              ?= ghcr.io/matrix-org/dendrite-monolith
 
-IMAGE_VER        ?= latest
+#- Docker image tag
+IMAGE_VER          ?= v0.13.6
 
-DATA_PATH        ?= $(APP_NAME)
-DCAPE_ROOT       ?= /opt/dcape/var
+USE_DB              = yes
 
+# Default username for create-user-admin
+APP_USER           ?= admin
 
 # ------------------------------------------------------------------------------
-# .env template (custom part)
-# inserted in .env.sample via 'make config'
-define CONFIG_CUSTOM
-# ------------------------------------------------------------------------------
-# app custom config, generated by make config
-# db:$(USE_DB) user:$(ADD_USER)
-
-# Relative data path for service data
-DATA_PATH=$(DATA_PATH)
 
-# Path to /opt/dcape/var. Used only outside drone
-DCAPE_ROOT=$(DCAPE_ROOT)
-
-endef
+# if exists - load old values
+-include $(CFG_BAK)
+export
+-include $(CFG)
+export
 
 # ------------------------------------------------------------------------------
-# Find and include DCAPE/apps/drone/dcape-app/Makefile
+# Find and include DCAPE_ROOT/Makefile
 DCAPE_COMPOSE   ?= dcape-compose
-DCAPE_MAKEFILE  ?= $(shell docker inspect -f "{{.Config.Labels.dcape_app_makefile}}" $(DCAPE_COMPOSE))
-ifeq ($(shell test -e $(DCAPE_MAKEFILE) && echo -n yes),yes)
-  include $(DCAPE_MAKEFILE)
+DCAPE_ROOT      ?= $(shell docker inspect -f "{{.Config.Labels.dcape_root}}" $(DCAPE_COMPOSE))
+
+ifeq ($(shell test -e $(DCAPE_ROOT)/Makefile.app && echo -n yes),yes)
+  include $(DCAPE_ROOT)/Makefile.app
 else
-  include /opt/dcape-app/Makefile
+  include /opt/dcape/Makefile.app
 endif
 
+# ------------------------------------------------------------------------------
+
+.default-deploy: init-files
+
 ## create required files
-init-files: $(DCAPE_ROOT)/$(DATA_PATH)/config $(DCAPE_ROOT)/$(DATA_PATH)/config/matrix_key.pem $(DCAPE_ROOT)/$(DATA_PATH)/config/dendrite.yaml
+init-files: $(APP_ROOT)/config $(APP_ROOT)/config/matrix_key.pem $(APP_ROOT)/config/dendrite.yaml
+
+$(APP_ROOT)/config:
+	mkdir -p $@
 
-$(DCAPE_ROOT)/$(DATA_PATH)/config:
-	mkdir -p $(DCAPE_ROOT)/$(DATA_PATH)/config
+$(APP_ROOT)/config/matrix_key.pem: CMD=run --rm --entrypoint="" app /usr/bin/generate-keys -private-key /etc/dendrite/matrix_key.pem -tls-cert /etc/dendrite/server.crt -tls-key /etc/dendrite/server.key
+$(APP_ROOT)/config/matrix_key.pem: dc
 
-$(DCAPE_ROOT)/$(DATA_PATH)/config/matrix_key.pem:
+$(APP_ROOT)/config/matrix_key.pem11:
 	@docker run --rm --entrypoint="" \
 	  -v $(DCAPE_ROOT)/$(DATA_PATH)/config:/mnt \
 	  $${IMAGE}:$${IMAGE_VER} \
@@ -69,16 +70,17 @@ $(DCAPE_ROOT)/$(DATA_PATH)/config/matrix_key.pem:
 	  -tls-cert /mnt/server.crt \
 	  -tls-key /mnt/server.key
 
-$(DCAPE_ROOT)/$(DATA_PATH)/config/dendrite.yaml: dendrite-sample.monolith.yaml
+$(APP_ROOT)/config/dendrite.yaml: dendrite-sample.monolith.yaml
 	@sed "s/server_name: localhost/server_name: $(APP_DOMAIN)/ ; s|postgresql://username:password\@hostname/dendrite|postgresql://$(PGUSER):$(PGPASSWORD)\@db/$(PGDATABASE)|" $<  > $@
 
 ## create admin user
-create-user-admin:
-	@docker exec -it matrix-dev-lan_app_1 \
-	  /usr/bin/create-account -config /etc/dendrite/dendrite.yaml -username $(APP_USER) -admin
+create-user-admin: CMD=exec -it app /usr/bin/create-account -config /etc/dendrite/dendrite.yaml -username $(APP_USER) -admin
+create-user-admin: dc
 
-create-user-admin-help:
-	@docker exec -it matrix-dev-lan_app_1 /usr/bin/create-account -h
+## show create help
+create-user-admin-help: CMD=exec -it app /usr/bin/create-account -h
+create-user-admin-help: dc
 
+## show versions
 check:
 	curl http://$(APP_SITE)/_matrix/client/versions
diff --git a/README.md b/README.md
@@ -18,7 +18,7 @@
 
 * linux 64bit (git, make, sed)
 * [docker](http://docker.io)
-* [dcape](https://github.com/dopos/dcape) v2
+* [dcape](https://github.com/dopos/dcape) v3
 * Git service ([github](https://github.com), [gitea](https://gitea.io) or [gogs](https://gogs.io))
 
 ## Install
@@ -36,14 +36,15 @@
 ```bash
 git clone --single-branch --depth 1 https://github.com/dopos/dcape-app-dendrite.git
 cd dcape-app-dendrite
-make config
-... <edit .env.sample>
-mv .env.sample .env
+make config-if
+... <edit .env>
+make init-files
 make up
+make create-user-admin
 ```
 
 ## License
 
 The MIT License (MIT), see [LICENSE](LICENSE).
 
-Copyright (c) 2022 Aleksei Kovrizhkin <lekovr+dopos@gmail.com>
+Copyright (c) 2024 Aleksei Kovrizhkin <lekovr+dopos@gmail.com>
diff --git a/dendrite-sample.monolith.yaml → dendrite-sample.yaml b/dendrite-sample.monolith.yaml → dendrite-sample.yaml
@@ -18,12 +18,17 @@ global:
   private_key: matrix_key.pem
 
   # The paths and expiry timestamps (as a UNIX timestamp in millisecond precision)
-  # to old signing private keys that were formerly in use on this domain. These
+  # to old signing keys that were formerly in use on this domain name. These
   # keys will not be used for federation request or event signing, but will be
   # provided to any other homeserver that asks when trying to verify old events.
   old_private_keys:
+  #  If the old private key file is available:
   #  - private_key: old_matrix_key.pem
   #    expired_at: 1601024554498
+  #  If only the public key (in base64 format) and key ID are known:
+  #  - public_key: mn59Kxfdq9VziYHSBzI7+EDPDcBS2Xl7jeUdiiQcOnM=
+  #    key_id: ed25519:mykeyid
+  #    expired_at: 1601024554498
 
   # How long a remote server can cache our server signing key before requesting it
   # again. Increasing this number will reduce the number of requests made by other
@@ -33,18 +38,44 @@ global:
 
   # Global database connection pool, for PostgreSQL monolith deployments only. If
   # this section is populated then you can omit the "database" blocks in all other
-  # sections. For polylith deployments, or monolith deployments using SQLite databases,
+  # sections. For monolith deployments using SQLite databases,
   # you must configure the "database" block for each component instead.
   database:
     connection_string: postgresql://username:password@hostname/dendrite?sslmode=disable
-    max_open_conns: 100
+    max_open_conns: 90
     max_idle_conns: 5
     conn_max_lifetime: -1
 
+  # Configuration for in-memory caches. Caches can often improve performance by
+  # keeping frequently accessed items (like events, identifiers etc.) in memory
+  # rather than having to read them from the database.
+  cache:
+    # The estimated maximum size for the global cache in bytes, or in terabytes,
+    # gigabytes, megabytes or kilobytes when the appropriate 'tb', 'gb', 'mb' or
+    # 'kb' suffix is specified. Note that this is not a hard limit, nor is it a
+    # memory limit for the entire process. A cache that is too small may ultimately
+    # provide little or no benefit.
+    max_size_estimated: 1gb
+
+    # The maximum amount of time that a cache entry can live for in memory before
+    # it will be evicted and/or refreshed from the database. Lower values result in
+    # easier admission of new cache entries but may also increase database load in
+    # comparison to higher values, so adjust conservatively. Higher values may make
+    # it harder for new items to make it into the cache, e.g. if new rooms suddenly
+    # become popular.
+    max_age: 1h
+
   # The server name to delegate server-server communications to, with optional port
   # e.g. localhost:443
   well_known_server_name: ""
 
+  # The base URL to delegate client-server communications to e.g. https://localhost
+  well_known_client_name: ""
+
+  # The server name to delegate sliding sync communications to, with optional port.
+  # Requires `well_known_client_name` to also be configured.
+  well_known_sliding_sync_proxy: ""
+
   # Lists of domains that the server will trust as identity servers to verify third
   # party identifiers such as phone numbers and email addresses.
   trusted_third_party_id_servers:
@@ -67,7 +98,7 @@ global:
   # We use this information to understand how Dendrite is being used in the wild.
   report_stats:
     enabled: false
-    endpoint: https://matrix.org/report-usage-stats/push
+    endpoint: https://panopticon.matrix.org/push
 
   # Server notices allows server admins to send messages to all users on the server.
   server_notices:
@@ -85,11 +116,15 @@ global:
   jetstream:
     # A list of NATS Server addresses to connect to. If none are specified, an
     # internal NATS server will be started automatically when running Dendrite in
-    # monolith mode. For polylith deployments, it is required to specify the address
-    # of at least one NATS Server node.
+    # monolith mode.
     addresses:
     # - localhost:4222
 
+    # Disable the validation of TLS certificates of NATS. This is
+    # not recommended in production since it may allow NATS traffic
+    # to be sent to an insecure endpoint.
+    disable_tls_validation: false
+
     # Persistent directory to store JetStream streams in. This directory should be
     # preserved across Dendrite restarts.
     storage_path: ./
@@ -119,6 +154,13 @@ app_service_api:
   # to be sent to an insecure endpoint.
   disable_tls_validation: false
 
+  # Send the access_token query parameter with appservice requests in addition
+  # to the Authorization header. This can cause hs_tokens to be saved to logs,
+  # so it should not be enabled unless absolutely necessary.
+  legacy_auth: false
+  # Use the legacy unprefixed paths for appservice requests.
+  legacy_paths: false
+
   # Appservice configuration files to load into this homeserver.
   config_files:
   #  - /path/to/appservice_registration.yaml
@@ -146,25 +188,34 @@ client_api:
   recaptcha_public_key: ""
   recaptcha_private_key: ""
   recaptcha_bypass_secret: ""
-  recaptcha_siteverify_api: ""
+
+  # To use hcaptcha.com instead of ReCAPTCHA, set the following parameters, otherwise just keep them empty.
+  # recaptcha_siteverify_api: "https://hcaptcha.com/siteverify"
+  # recaptcha_api_js_url: "https://js.hcaptcha.com/1/api.js"
+  # recaptcha_form_field: "h-captcha-response"
+  # recaptcha_sitekey_class: "h-captcha"
+
 
   # TURN server information that this homeserver should send to clients.
   turn:
-    turn_user_lifetime: ""
+    turn_user_lifetime: "5m"
     turn_uris:
     #  - turn:turn.server.org?transport=udp
     #  - turn:turn.server.org?transport=tcp
     turn_shared_secret: ""
-    turn_username: ""
-    turn_password: ""
+    # If your TURN server requires static credentials, then you will need to enter
+    # them here instead of supplying a shared secret. Note that these credentials
+    # will be visible to clients!
+    # turn_username: ""
+    # turn_password: ""
 
   # Settings for rate-limited endpoints. Rate limiting kicks in after the threshold
   # number of "slots" have been taken by requests from a specific host. Each "slot"
   # will be released after the cooloff time in milliseconds. Server administrators
   # and appservice users are exempt from rate limiting by default.
   rate_limiting:
     enabled: true
-    threshold: 5
+    threshold: 20
     cooloff_ms: 500
     exempt_user_ids:
     #  - "@user:domain.com"
@@ -181,6 +232,13 @@ federation_api:
   # enable this option in production as it presents a security risk!
   disable_tls_validation: false
 
+  # Disable HTTP keepalives, which also prevents connection reuse. Dendrite will typically
+  # keep HTTP connections open to remote hosts for 5 minutes as they can be reused much
+  # more quickly than opening new connections each time. Disabling keepalives will close
+  # HTTP connections immediately after a successful request but may result in more CPU and
+  # memory being used on TLS handshakes for each new connection instead.
+  disable_http_keepalives: false
+
   # Perspective keyservers to use as a backup when direct key fetches fail. This may
   # be required to satisfy key requests for servers that are no longer online when
   # joining some rooms.
@@ -229,7 +287,6 @@ media_api:
 mscs:
   mscs:
   #  - msc2836  # (Threading, see https://github.com/matrix-org/matrix-doc/pull/2836)
-  #  - msc2946  # (Spaces Summary, see https://github.com/matrix-org/matrix-doc/pull/2946)
 
 # Configuration for the Sync API.
 sync_api:
@@ -238,6 +295,19 @@ sync_api:
   # a reverse proxy server.
   # real_ip_header: X-Real-IP
 
+  # Configuration for the full-text search engine.
+  search:
+    # Whether or not search is enabled.
+    enabled: false
+
+    # The path where the search index will be created in.
+    index_path: "./searchindex"
+
+    # The language most likely to be used on the server - used when indexing, to
+    # ensure the returned results match expectations. A full list of possible languages
+    # can be found at https://github.com/blevesearch/bleve/tree/master/analysis/lang
+    language: "en"
+
 # Configuration for the User API.
 user_api:
   # The cost when hashing passwords on registration/login. Default: 10. Min: 4, Max: 31
@@ -254,6 +324,18 @@ user_api:
   # The default lifetime is 3600000ms (60 minutes).
   # openid_token_lifetime_ms: 3600000
 
+  # Users who register on this homeserver will automatically be joined to the rooms listed under "auto_join_rooms" option.
+  # By default, any room aliases included in this list will be created as a publicly joinable room
+  # when the first user registers for the homeserver. If the room already exists,
+  # make certain it is a publicly joinable room, i.e. the join rule of the room must be set to 'public'.
+  # As Spaces are just rooms under the hood, Space aliases may also be used.
+  auto_join_rooms:
+  #  - "#main:matrix.org"
+
+  # The number of workers to start for the DeviceListUpdater. Defaults to 8.
+  # This only needs updating if the "InputDeviceListUpdate" stream keeps growing indefinitely.
+  # worker_count: 8
+
 # Configuration for Opentracing.
 # See https://github.com/matrix-org/dendrite/tree/master/docs/tracing for information on
 # how this works and how to set it up.

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -8,9 +8,8 @@ services:
     volumes:
       - /etc/timezone:/etc/timezone:ro
       - /etc/localtime:/etc/localtime:ro
-      - ./config:/etc/dendrite
-      - ${DCAPE_ROOT}/${DATA_PATH}/config:/etc/dendrite
-      - ${DCAPE_ROOT}/${DATA_PATH}/media:/var/dendrite/media
+      - ${APP_ROOT}/config:/etc/dendrite
+      - ${APP_ROOT}/data:/var/dendrite
     command:
       --tls-cert=server.crt --tls-key=server.key
     labels: