Configuring Matrix and Riot for Private Chat
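# homeserver.yaml for a single-node Synapse sitting behind nginx
# (matrix.example.com). TLS is terminated by nginx; Synapse itself only
# listens on loopback. Secrets below are placeholders and must be replaced.

## Server ##

# When running as a daemon, the file to store the pid in
pid_file: "/var/run/matrix-synapse.pid"

public_baseurl: https://matrix.example.com/

# This is a private deployment: keep the public rooms directory behind
# authentication and off federation. The original gist had both set to
# `true`, which lets anyone (and any other homeserver) enumerate this
# server's public rooms without an account.
allow_public_rooms_without_auth: false
allow_public_rooms_over_federation: false

# Optional: restrict federation to a fixed set of homeservers.
#federation_domain_whitelist:
#  - lon.example.com
#  - nyc.example.com
#  - syd.example.com

# Never federate with private, loopback, link-local or CGNAT space.
federation_ip_range_blacklist:
  - '127.0.0.0/8'
  - '10.0.0.0/8'
  - '172.16.0.0/12'
  - '192.168.0.0/16'
  - '100.64.0.0/10'
  - '169.254.0.0/16'
  - '::1/128'
  - 'fe80::/64'
  - 'fc00::/7'

# Plain HTTP on loopback only; nginx proxies to it and supplies
# X-Forwarded-For, which x_forwarded makes Synapse trust.
listeners:
  - port: 8008
    tls: false
    bind_addresses: ['::1', '127.0.0.1']
    type: http
    x_forwarded: true
    resources:
      - names: [client, federation]
        compress: false

## Homeserver blocking ##

admin_contact: 'mailto:your-email@example.com'
mau_stats_only: true

# Synapse's built-in ACME is not enabled here (no `enabled: true`), which is
# correct while nginx terminates TLS.
acme:
  account_key_file: /var/lib/matrix-synapse/acme_account.key

## Database ##

# PostgreSQL over localhost; the password is a placeholder.
database:
  name: psycopg2
  args:
    user: synapse_user
    password: synapse_user-password-for-pgsql-created-earlier
    database: synapse
    host: localhost
    cp_min: 5
    cp_max: 10

## Logging ##

log_config: "/etc/matrix-synapse/log.yaml"

## Media Store ##

# Directory where in-progress uploads are stored.
uploads_path: "/var/lib/matrix-synapse/uploads"

# The largest allowed upload size in bytes. Whatever value is in effect here
# has to be matched by client_max_body_size in the matrix.example.com nginx
# server block, or nginx rejects the upload first.
#max_upload_size: 10M

# Maximum number of pixels that will be thumbnailed
#max_image_pixels: 32M

# URL previews are fetched server-side; the blacklists below stop the
# homeserver from being used to probe internal addresses.
url_preview_enabled: true
url_preview_ip_range_blacklist:
  - '127.0.0.0/8'
  - '10.0.0.0/8'
  - '172.16.0.0/12'
  - '192.168.0.0/16'
  - '100.64.0.0/10'
  - '169.254.0.0/16'
  - '::1/128'
  - 'fe80::/64'
  - 'fc00::/7'
url_preview_url_blacklist:
  # blacklist any URL with a username in its URI
  - username: '*'
  # blacklist all *.google.com URLs
  - netloc: 'google.com'
  - netloc: '*.google.com'
  # blacklist any URL with a literal IPv4 address
  - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
max_spider_size: 10M

## TURN ##

# Fixed: a bare hostname is not a valid TURN URI. Clients need the scheme,
# port and transport; 3478 matches listening-port in turnserver.conf.
turn_uris:
  - "turn:turn.example.com:3478?transport=udp"
  - "turn:turn.example.com:3478?transport=tcp"
# Must be identical to static-auth-secret in turnserver.conf.
turn_shared_secret: "secure-password-for-turn-server"
#turn_user_lifetime: 1h

## Registration ##

# Open registration: anyone who can reach the client API can create an
# account. For a private server, create users with register_new_matrix_user
# (which uses registration_shared_secret below) and switch this to false
# once the intended users exist.
enable_registration: true
registration_shared_secret: enter-a-secure-secret-for-user-registration-script-to-work
trusted_third_party_id_servers:
  - vector.im
auto_join_rooms:
  - "#general:example.com"
autocreate_auto_join_rooms: true

## Metrics ##

enable_metrics: true

## Signing Keys ##

signing_key_path: "/etc/matrix-synapse/homeserver.signing.key"

password_config:

## Email ##

email:
  enable_notifs: true
  smtp_host: "localhost"
  smtp_port: 25 # SSL: 465, STARTTLS: 587
  # smtp_user: "exampleusername"
  # smtp_pass: "examplepassword"
  # require_transport_security: False
  notif_from: "Your Friendly %(app)s Home Server <noreply@example.com>"
  app_name: Matrix
  notif_for_new_users: True
  # Fixed: chat.example.com is only served over HTTPS (its port-80 server
  # block redirects), so links in notification mails should use https.
  riot_base_url: "https://chat.example.com"
  trust_identity_server_for_password_resets: false
  validation_token_lifetime: 1h
  template_dir: /opt/venvs/matrix-synapse/lib/python3.6/site-packages/synapse/res/templates/
  notif_template_html: notif_mail.html
  notif_template_text: notif_mail.txt
  expiry_template_html: notice_expiry.html
  expiry_template_text: notice_expiry.txt
  password_reset_template_html: password_reset.html
  password_reset_template_text: password_reset.txt
  password_reset_template_success_html: password_reset_success.html
  password_reset_template_failure_html: password_reset_failure.html

## Push ##

# Event content is sent to the push gateway in the clear; set to false if
# message bodies must not leave the homeserver.
push:
  include_content: true

enable_group_creation: true

user_directory:
  enabled: true
  # search_all_users: false

stats:
  enabled: true
  bucket_size: 1d
  retention: 1y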
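# Riot (Element) web client on chat.example.com, served as static files.
server {
    root /var/www/html/riot;
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name chat.example.com;
    index index.html;

    # Response headers the Riot web README asks the hosting web server to
    # set: the app must never be framed by another origin (clickjacking),
    # and browsers must not MIME-sniff its assets.
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header Content-Security-Policy "frame-ancestors 'none'";

    location / {
        try_files $uri $uri/ =404;
    }

    # Fixed: the original path was missing the "/" before fullchain.pem,
    # which makes nginx fail to start.
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

# redirect everything to SSL, unnecessary for CloudFlare
server {
    if ($host = chat.example.com) {
        return 301 https://$host$request_uri;
    }
    listen 80;
    listen [::]:80;
    server_name chat.example.com;
    return 404;
}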
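# example.com: the site root plus the /.well-known/matrix/ delegation files
# that point clients and other homeservers at matrix.example.com.
server {
    root /var/www/html;
    listen [::]:443 ssl ipv6only=on;
    listen 443 ssl;
    index index.html;
    server_name example.com
                www.example.com;

    # /.well-known/matrix/server and /.well-known/matrix/client are static
    # files under /var/www/html/.well-known/matrix/ with no extension, so
    # nginx would otherwise label them with its default type.
    location /.well-known/matrix/ {
        # Fixed: add_header appends a second Content-Type header next to the
        # one nginx already emits; default_type is the directive that sets
        # the MIME type for extension-less files.
        default_type application/json;
        add_header 'Access-Control-Allow-Origin' '*'; # Required to allow loading from Riot Web through CLI
        # The following settings are Optional
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
        # The original enabled autoindex here. Neither clients nor federating
        # servers request the directory itself, and a listing only discloses
        # what else is in it, so directory requests now get nginx's default
        # behaviour (403) instead.
    }

    # Clients that were pointed at example.com directly are sent to the
    # homeserver host; federation uses the well-known file above, not this.
    location /_matrix {
        return 301 https://matrix.example.com$request_uri;
    }

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

# Plain-HTTP catch-all: redirect the known names to HTTPS, 404 anything else.
server {
    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    }
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.com
                www.example.com
                _;
    return 404; # managed by Certbot
}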
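# Reverse proxy in front of Synapse (loopback port 8008, see homeserver.yaml
# listeners). Both the client API and federation arrive here on 443.
server {
    gzip off;
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name matrix.example.com;

    # Fixed: nginx's default client_max_body_size is 1m, so media uploads
    # above that were rejected before Synapse ever saw them. Keep this equal
    # to max_upload_size in homeserver.yaml (Synapse's default is 10M).
    client_max_body_size 10M;

    # Everything, including Synapse's admin API paths, is forwarded as-is.
    # If the admin API should not be reachable from the Internet, add a
    # separate location for it with an allow/deny list of trusted addresses.
    location / {
        proxy_pass http://localhost:8008;
        # When Cloudflare fronts this host (the firewall only admits
        # Cloudflare ranges on 443), $remote_addr is a Cloudflare edge, not
        # the user; Synapse's rate limiting and logs will see that address
        # unless the real-IP module is configured with Cloudflare's ranges.
        proxy_set_header X-Forwarded-For $remote_addr;
        # Per Synapse's reverse-proxy guidance, pass the original host and
        # scheme through as well.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
    }

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

# Plain-HTTP redirect to HTTPS for the homeserver name.
server {
    if ($host = matrix.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    listen [::]:80;
    server_name matrix.example.com;
    return 404; # managed by Certbot
}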
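# DigitalOcean cloud firewalls for the Matrix host. Each firewall is attached
# by tag, so a droplet opts in by carrying the matching tag.

# DigitalOcean API token. Supply it via TF_VAR_do_token or a *.tfvars file
# kept out of version control; deliberately no default.
variable "do_token" {
  description = "DigitalOcean API token"
}

# Cloudflare edge ranges allowed to reach HTTP/S. This list changes over
# time; refresh it from Cloudflare's published ranges before applying.
variable "cf_addresses" {
  type    = list(string)
  default = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/12",
    "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32"]
}

# Addresses allowed to reach SSH. The default keeps the gist's original
# "anywhere" behaviour; narrow it to your admin networks in a tfvars file.
variable "ssh_source_addresses" {
  type    = list(string)
  default = ["0.0.0.0/0", "::/0"]
}

provider "digitalocean" {
  token = var.do_token
}

resource "digitalocean_tag" "inbound-cloudflare" {
  name = "inbound-cloudflare"
}

resource "digitalocean_tag" "inbound-ssh" {
  name = "inbound-ssh"
}

resource "digitalocean_tag" "inbound-turn" {
  name = "inbound-turn"
}

resource "digitalocean_tag" "outbound-all" {
  name = "outbound-all"
}

resource "digitalocean_firewall" "inbound-cloudflare" {
  name = "inbound-cloudflare"
  tags = ["inbound-cloudflare"]

  # HTTP/s from CF only
  inbound_rule {
    protocol         = "tcp"
    port_range       = "80"
    source_addresses = var.cf_addresses
  }

  inbound_rule {
    protocol         = "tcp"
    port_range       = "443"
    source_addresses = var.cf_addresses
  }

  inbound_rule {
    protocol         = "tcp"
    port_range       = "8443"
    source_addresses = var.cf_addresses
  }
}

resource "digitalocean_firewall" "inbound-ssh" {
  name = "inbound-ssh"
  tags = ["inbound-ssh"]

  # SSH access, limited to var.ssh_source_addresses
  inbound_rule {
    protocol         = "tcp"
    port_range       = "22"
    source_addresses = var.ssh_source_addresses
  }
}

resource "digitalocean_firewall" "inbound-turn" {
  name = "inbound-turn"
  tags = ["inbound-turn"]

  # TURN server: control ports (3478 plain, 5349 TLS) on both transports.
  inbound_rule {
    protocol         = "tcp"
    port_range       = "3478"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  inbound_rule {
    protocol         = "udp"
    port_range       = "3478"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  inbound_rule {
    protocol         = "tcp"
    port_range       = "5349"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  inbound_rule {
    protocol         = "udp"
    port_range       = "5349"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  # Fixed: relay allocations use coturn's min-port/max-port range (49152-65535
  # unless turnserver.conf overrides it). Without this rule the control ports
  # answer but no call media can be relayed.
  inbound_rule {
    protocol         = "udp"
    port_range       = "49152-65535"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }
}

resource "digitalocean_firewall" "outbound-all" {
  name = "outbound-all"
  tags = ["outbound-all"]

  # Outbound to everything
  outbound_rule {
    protocol              = "tcp"
    port_range            = "1-65535"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  outbound_rule {
    protocol              = "udp"
    port_range            = "1-65535"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  outbound_rule {
    protocol              = "icmp"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
}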
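# coturn turnserver.conf for Synapse VoIP relaying (turn.example.com).
# Ports here must match the TURN firewall rules and turn_uris in homeserver.yaml.
listening-port=3478
tls-listening-port=5349

# Placeholders from the gist: replace with the server's actual addresses.
listening-ip=IPv6
listening-ip=IPv4
listening-ip=IPv4local-address

# Time-limited credentials derived from a shared secret. static-auth-secret
# must be identical to turn_shared_secret in homeserver.yaml.
use-auth-secret
static-auth-secret=<generated password>
server-name=turn.example.com
realm=turn.example.com

user-quota=12
total-quota=1200

no-tcp-relay
# Fixed: also refuse relaying to multicast addresses.
no-multicast-peers

cert=/etc/letsencrypt/live/example.com/fullchain.pem
pkey=/etc/letsencrypt/live/example.com/privkey.pem
dh-file=/etc/letsencrypt/ssl-dhparams.pem

# Never relay into private address space. Fixed: the original list lacked
# loopback, link-local and CGNAT ranges; this now mirrors the
# *_ip_range_blacklist lists in homeserver.yaml.
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=::1
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

# An address listed as both allowed and denied is treated as allowed, so this
# punches a hole in the list above for the server's own address. Keep it
# only if peers genuinely need to relay to this host.
allowed-peer-ip=IPv4local-address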