adding untested changes and new dockers

social/matrix/.env.example

@@ -0,0 +1,12 @@
+# Synapse homeserver domain (cannot be changed after federation starts)
+SYNAPSE_SERVER_NAME=matrix.example.com
+
+TZ=UTC
+
+# LiveKit JWT service credentials
+# Generate a key/secret pair: https://docs.livekit.io/home/self-hosting/deployment/
+LIVEKIT_KEY=changeme
+LIVEKIT_SECRET=changeme
+
+# Optional: override if livekit is not on localhost
+# LIVEKIT_URL=ws://localhost:7880

social/matrix/README.md

@@ -0,0 +1 @@
+Update livekit.yaml and nginx.conf with homeserver's name

social/matrix/docker-compose.yml

@@ -0,0 +1,66 @@
+services:
+    synapse:
+        image: matrixdotorg/synapse:latest
+        container_name: synapse
+        restart: unless-stopped
+        environment:
+            SYNAPSE_SERVER_NAME: ${SYNAPSE_SERVER_NAME}
+            SYNAPSE_CONFIG_PATH: /data/homeserver.yaml
+            UID: "991"
+            GID: "991"
+            TZ: ${TZ:-UTC}
+        volumes:
+            - ./synapse:/data
+        ports:
+            # Client & federation API (put a reverse proxy in front for TLS)
+            - "8008:8008"
+        healthcheck:
+            test:
+                [
+                    "CMD-SHELL",
+                    "curl -fSs http://localhost:8008/health || exit 1",
+                ]
+            interval: 15s
+            timeout: 5s
+            retries: 3
+            start_period: 30s
+
+    livekit:
+        image: livekit/livekit-server:latest
+        container_name: livekit
+        restart: unless-stopped
+        command: --config /etc/livekit.yaml
+        volumes:
+            - ./livekit/:/etc/
+        network_mode: "container:wireguard"
+
+    lk-jwt:
+        image: ghcr.io/element-hq/lk-jwt-service:latest
+        container_name: lk-jwt
+        restart: unless-stopped
+        environment:
+            LIVEKIT_URL: ${LIVEKIT_URL:-ws://localhost:7880}
+            LIVEKIT_KEY: ${LIVEKIT_KEY}
+            LIVEKIT_SECRET: ${LIVEKIT_SECRET}
+            LIVEKIT_JWT_BIND: ":8090"
+            LIVEKIT_INSECURE_SKIP_VERIFY_TLS: "true"
+        network_mode: "container:wireguard"
+        depends_on:
+            - livekit
+
+    lk-jwt-proxy:
+        image: nginx:alpine
+        container_name: lk-jwt-proxy
+        restart: unless-stopped
+        volumes:
+            - ./lk-jwt-proxy/:/etc/nginx/:ro
+        network_mode: "container:wireguard"
+        depends_on:
+            - lk-jwt
+
+    synapse-admin:
+        image: awesometechnologies/synapse-admin:latest
+        container_name: synapse-admin
+        restart: unless-stopped
+        ports:
+            - "8087:80"

social/matrix/homeserver.yml

@@ -0,0 +1,150 @@
+# Configuration file for Synapse.
+# Config by Mosskoi
+# This configuration intends on creating a private experience for matrix
+# By default it disallows communication with federated services and other servers
+# But by configuring a whitelist you can adds more servers to your network
+# Make sure these other servers have the same whitelist server as you
+# Matrix does not disallow
+
+# * Server
+server_name: "matrix.example.com"
+public_baseurl: https://matrix.example.com/
+
+serve_server_wellknown: true
+extra_well_known_client_content:
+    org.matrix.msc4143.rtc_foci:
+        - type: livekit
+          livekit_service_url: https://livekit.example.com
+
+# Currently unused
+#ip_range_blacklist:
+#- 127.0.0.0/8
+#ip_range_whitelist:
+#- 192.168.1.1
+
+listeners:
+    - port: 8008
+      resources:
+          - compress: false
+            names:
+                - client
+                - federation
+      tls: false
+      type: http
+      x_forwarded: true
+
+# * Homeserver blocking
+
+require_membership_for_aliases: false
+max_avatar_size: 5M
+allowed_avatar_mimetypes:
+    - image/png
+    - image/jpeg
+    - image/webp
+    - image/gif
+
+user_ips_max_age: 90d
+
+# * TLS
+# Currently not used
+# federation_certificate_verification_whitelist:
+#- lon.example.com
+
+# * Federation
+# Private federation system
+federation_domain_whitelist:
+    - matrix.example.com
+federation_metrics_domains:
+    - matrix.example.com
+
+allow_profile_lookup_over_federation: false
+allow_device_name_lookup_over_federation: false
+
+federation:
+    client_timeout: 60s
+    max_short_retry_delay: 7s
+    max_long_retry_delay: 100s
+    max_short_retries: 3
+    max_long_retries: 7
+    destination_min_retry_interval: 10m
+    destination_retry_multiplier: 2
+    destination_max_retry_interval: 12h
+
+database:
+    name: sqlite3
+    args:
+        database: /data/homeserver.db
+log_config: "/data/matrix.example.com.log.config"
+
+# * Logging
+# * Rate limiting
+rc_registration:
+    per_second: 0.1
+    burst_count: 2.0
+
+# * Media Store
+media_store_path: /data/media_store
+max_pending_media_uploads: 10
+#url_preview_enabled: true Must explicit blacklist
+# * Captcha
+# * TURN
+matrix_rtc:
+    transports:
+        - type: livekit
+          livekit_service_url: https://livekit.example.com
+
+# * Registration
+enable_registration: true # Must be enabled for token registrations to work
+enable_registration_without_verification: false
+disable_msisdn_registration: true
+enable_3pid_lookup: false
+registration_requires_token: true
+registration_shared_secret: REGISTRATION_SECRET
+
+enable_set_displayname: true
+enable_set_avatar_url: true
+enable_3pids_changes: true
+
+allow_guest_access: false
+
+autocreate_auto_join_rooms: false
+autocreate_auto_join_rooms_federated: false
+auto_join_rooms_for_guests: false
+
+# * User session management
+login_via_existing_session:
+    enabled: true
+    require_ui_auth: false
+    token_timeout: 5m
+
+# * API Configuration
+#
+macaroon_secret_key: "MACAROON_SECRET"
+form_secret: "FROM_SECRET"
+signing_key_path: "/data/matrix.example.com.signing.key"
+
+# * Rooms
+user_directory:
+    enabled: false
+    search_all_users: false
+    prefer_local_users: true
+    exclude_remote_users: false
+    show_locked_users: false
+
+enable_room_list_search: true
+
+# Guest sign-in
+
+pid_file: /data/homeserver.pid
+
+# Signing and secrets
+report_stats: false
+trusted_key_servers: []
+#  - server_name: "matrix.example.com"
+
+experimental_features:
+    msc4143_enabled: true
+# vim:ft=yaml
+
+app_service_config_files:
+    - /data/registration.yaml

social/matrix/livekit/livekit.yaml

@@ -0,0 +1,9 @@
+port: 7880
+rtc:
+    tcp_port: 7881
+    port_range_start: 50100
+    enabled: true
+    domain: livekit.example.com
+    tls_port: 5349
+    udp_port: 3478
+    external_tls: true

social/matrix/lk-jwt-proxy/nginx.conf

@@ -0,0 +1,19 @@
+events {
+    worker_connections 64;
+}
+
+http {
+    server {
+        listen 8091;
+
+        location / {
+            proxy_pass http://localhost:8090;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+
+            sub_filter_types application/json;
+            sub_filter 'ws://localhost:7880' 'wss://livekit.example.com';
+            sub_filter_once off;
+        }
+    }
+}