Lieberman 2021-12-11 18:51:37 -03:00
commit c783770b5f
21 changed files with 1487 additions and 0 deletions

15
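--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,15 @@
+yggdrasil
+wiki
+site
+revolt
+proxy
+ldap
+hedgedoc
+h2
+fosstodon
+*/data
+jitsi/*
+!jitsi/*.yml
+!jitsi/env.example
+!jitsi/Makefile
+!jitsi/gen-passwords.sh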

6
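--- /dev/null
+++ b/README.md
@@ -0,0 +1,6 @@
+# MilkToastHoney
+1. Entrar na pasta master e executar o script `create-networks.sh` para criar as redes.
+2. Executar o docker-compose da pasta master para levantar os serviços de: Lokinet, VPN e Proxy
+3. Entrar na pasta Matrix e levantar o serviço (provavelmente será necessário baixar e levantar uma vez por causa das configurações geradas)
+4. Entrar na pasta jitsi e levantar o serviço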

42
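--- /dev/null
+++ b/jitsi/Makefile
@@ -0,0 +1,42 @@
+FORCE_REBUILD ?= 0
+JITSI_RELEASE ?= stable
+JITSI_BUILD ?= latest
+JITSI_REPO ?= jitsi
+JITSI_SERVICES ?= base base-java web prosody jicofo jvb jigasi jibri
+BUILD_ARGS := --build-arg JITSI_REPO=$(JITSI_REPO) --build-arg JITSI_RELEASE=$(JITSI_RELEASE)
+ifeq ($(FORCE_REBUILD), 1)
+BUILD_ARGS := $(BUILD_ARGS) --no-cache
+endif
+all: build-all
+release: tag-all push-all
+build:
+docker build $(BUILD_ARGS) --progress plain --tag $(JITSI_REPO)/$(JITSI_SERVICE) $(JITSI_SERVICE)/
+$(addprefix build_,$(JITSI_SERVICES)):
+$(MAKE) --no-print-directory JITSI_SERVICE=$(patsubst build_%,%,$@) build
+tag:
+docker tag $(JITSI_REPO)/$(JITSI_SERVICE):latest $(JITSI_REPO)/$(JITSI_SERVICE):$(JITSI_BUILD)
+push:
+docker push $(JITSI_REPO)/$(JITSI_SERVICE):latest
+docker push $(JITSI_REPO)/$(JITSI_SERVICE):$(JITSI_BUILD)
+%-all:
+@$(foreach SERVICE, $(JITSI_SERVICES), $(MAKE) --no-print-directory JITSI_SERVICE=$(SERVICE) $(subst -all,;,$@))
+clean:
+docker-compose stop
+docker-compose rm
+docker network prune
+prepare:
+docker pull debian:buster-slim
+FORCE_REBUILD=1 $(MAKE)
+.PHONY: all build tag push clean prepare release $(addprefix build_,$(JITSI_SERVICES))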
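Review bot: The `clean` target runs `docker network prune`, which removes every network on the host that currently has no container attached, not just this project's; `pg_bus`, `pg_vpn`, `pg_opn` and `pg_int` are created out-of-band by master/create-networks.sh and look "unused" whenever the master stack is stopped, so a `make clean` here can silently delete them and the jitsi `web` service then fails to start with its fixed `pg_bus` address. Replace the three `clean` lines with `docker-compose down` (which only removes networks compose itself created) and drop the prune. `prepare` pulls `debian:buster-slim` by floating tag; for a reproducible, auditable base image pin a digest (`debian:buster-slim@sha256:<digest the build was tested with>`). Note also that `build` expects a `$(JITSI_SERVICE)/` context directory per service and none is present in this commit, so the default `make` (`build-all`) will fail until those exist — the compose files instead pull `jitsi/*:stable-6433` from the registry, which may be the intended path and deserves a comment at the top of the file.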

299
jitsi/docker-compose.yml Normal file

@ -0,0 +1,299 @@
version: '3'
services:
web:
image: jitsi/web:stable-6433
restart: always
volumes:
- ${CONFIG}/web:/config:Z
- ${CONFIG}/web/crontabs:/var/spool/cron/crontabs:Z
- ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z
environment:
- AMPLITUDE_ID
- ANALYTICS_SCRIPT_URLS
- ANALYTICS_WHITELISTED_EVENTS
- CALLSTATS_CUSTOM_SCRIPT_URL
- CALLSTATS_ID
- CALLSTATS_SECRET
- CHROME_EXTENSION_BANNER_JSON
- CONFCODE_URL
- CONFIG_EXTERNAL_CONNECT
- DEFAULT_LANGUAGE
- DEPLOYMENTINFO_ENVIRONMENT
- DEPLOYMENTINFO_ENVIRONMENT_TYPE
- DEPLOYMENTINFO_REGION
- DEPLOYMENTINFO_SHARD
- DEPLOYMENTINFO_USERREGION
- DESKTOP_SHARING_FRAMERATE_MIN
- DESKTOP_SHARING_FRAMERATE_MAX
- DIALIN_NUMBERS_URL
- DIALOUT_AUTH_URL
- DIALOUT_CODES_URL
- DISABLE_AUDIO_LEVELS
- DISABLE_DEEP_LINKING
- DISABLE_HTTPS
- DISABLE_POLLS
- DISABLE_REACTIONS
- DROPBOX_APPKEY
- DROPBOX_REDIRECT_URI
- DYNAMIC_BRANDING_URL
- ENABLE_AUDIO_PROCESSING
- ENABLE_AUTH
- ENABLE_CALENDAR
- ENABLE_COLIBRI_WEBSOCKET
- ENABLE_FILE_RECORDING_SERVICE
- ENABLE_FILE_RECORDING_SERVICE_SHARING
- ENABLE_FLOC
- ENABLE_GUESTS
- ENABLE_HSTS
- ENABLE_HTTP_REDIRECT
- ENABLE_IPV6
- ENABLE_LETSENCRYPT
- ENABLE_LIPSYNC
- ENABLE_NO_AUDIO_DETECTION
- ENABLE_NOISY_MIC_DETECTION
- ENABLE_PREJOIN_PAGE
- ENABLE_P2P
- ENABLE_WELCOME_PAGE
- ENABLE_CLOSE_PAGE
- ENABLE_RECORDING
- ENABLE_REMB
- ENABLE_REQUIRE_DISPLAY_NAME
- ENABLE_SIMULCAST
- ENABLE_STATS_ID
- ENABLE_STEREO
- ENABLE_SUBDOMAINS
- ENABLE_TALK_WHILE_MUTED
- ENABLE_TCC
- ENABLE_TRANSCRIPTIONS
- ENABLE_XMPP_WEBSOCKET
- ETHERPAD_PUBLIC_URL
- ETHERPAD_URL_BASE
- GOOGLE_ANALYTICS_ID
- GOOGLE_API_APP_CLIENT_ID
- INVITE_SERVICE_URL
- JICOFO_AUTH_USER
- LETSENCRYPT_DOMAIN
- LETSENCRYPT_EMAIL
- LETSENCRYPT_USE_STAGING
- MATOMO_ENDPOINT
- MATOMO_SITE_ID
- MICROSOFT_API_APP_CLIENT_ID
- NGINX_RESOLVER
- NGINX_WORKER_PROCESSES
- NGINX_WORKER_CONNECTIONS
- PEOPLE_SEARCH_URL
- PUBLIC_URL
- P2P_PREFERRED_CODEC
- RESOLUTION
- RESOLUTION_MIN
- RESOLUTION_WIDTH
- RESOLUTION_WIDTH_MIN
- START_AUDIO_MUTED
- START_AUDIO_ONLY
- START_BITRATE
- START_SILENT
- START_WITH_AUDIO_MUTED
- START_VIDEO_MUTED
- START_WITH_VIDEO_MUTED
- TESTING_CAP_SCREENSHARE_BITRATE
- TESTING_OCTO_PROBABILITY
- TOKEN_AUTH_URL
- TZ
- VIDEOQUALITY_BITRATE_H264_LOW
- VIDEOQUALITY_BITRATE_H264_STANDARD
- VIDEOQUALITY_BITRATE_H264_HIGH
- VIDEOQUALITY_BITRATE_VP8_LOW
- VIDEOQUALITY_BITRATE_VP8_STANDARD
- VIDEOQUALITY_BITRATE_VP8_HIGH
- VIDEOQUALITY_BITRATE_VP9_LOW
- VIDEOQUALITY_BITRATE_VP9_STANDARD
- VIDEOQUALITY_BITRATE_VP9_HIGH
- VIDEOQUALITY_ENFORCE_PREFERRED_CODEC
- VIDEOQUALITY_PREFERRED_CODEC
- XMPP_AUTH_DOMAIN
- XMPP_BOSH_URL_BASE
- XMPP_DOMAIN
- XMPP_GUEST_DOMAIN
- XMPP_MUC_DOMAIN
- XMPP_RECORDER_DOMAIN
networks:
meet.jitsi:
pg_bus:
ipv4_address: 10.255.253.196
# XMPP server
prosody:
image: jitsi/prosody:stable-6433
restart: ${RESTART_POLICY}
expose:
- '5222'
- '5347'
- '5280'
volumes:
- ${CONFIG}/prosody/config:/config:Z
- ${CONFIG}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z
environment:
- AUTH_TYPE
- DISABLE_POLLS
- ENABLE_AUTH
- ENABLE_AV_MODERATION
- ENABLE_GUESTS
- ENABLE_LOBBY
- ENABLE_XMPP_WEBSOCKET
- GLOBAL_CONFIG
- GLOBAL_MODULES
- JIBRI_RECORDER_USER
- JIBRI_RECORDER_PASSWORD
- JIBRI_XMPP_USER
- JIBRI_XMPP_PASSWORD
- JICOFO_AUTH_USER
- JICOFO_AUTH_PASSWORD
- JICOFO_COMPONENT_SECRET
- JIGASI_XMPP_USER
- JIGASI_XMPP_PASSWORD
- JVB_AUTH_USER
- JVB_AUTH_PASSWORD
- JWT_APP_ID
- JWT_APP_SECRET
- JWT_ACCEPTED_ISSUERS
- JWT_ACCEPTED_AUDIENCES
- JWT_ASAP_KEYSERVER
- JWT_ALLOW_EMPTY
- JWT_AUTH_TYPE
- JWT_TOKEN_AUTH_MODULE
- LOG_LEVEL
- LDAP_AUTH_METHOD
- LDAP_BASE
- LDAP_BINDDN
- LDAP_BINDPW
- LDAP_FILTER
- LDAP_VERSION
- LDAP_TLS_CIPHERS
- LDAP_TLS_CHECK_PEER
- LDAP_TLS_CACERT_FILE
- LDAP_TLS_CACERT_DIR
- LDAP_START_TLS
- LDAP_URL
- LDAP_USE_TLS
- PUBLIC_URL
- TURN_CREDENTIALS
- TURN_HOST
- TURNS_HOST
- TURN_PORT
- TURNS_PORT
- TZ
- XMPP_DOMAIN
- XMPP_AUTH_DOMAIN
- XMPP_GUEST_DOMAIN
- XMPP_MUC_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN
- XMPP_MODULES
- XMPP_MUC_MODULES
- XMPP_INTERNAL_MUC_MODULES
- XMPP_RECORDER_DOMAIN
- XMPP_CROSS_DOMAIN
networks:
meet.jitsi:
aliases:
- ${XMPP_SERVER}
# Focus component
jicofo:
image: jitsi/jicofo:stable-6433
restart: ${RESTART_POLICY}
volumes:
- ${CONFIG}/jicofo:/config:Z
environment:
- AUTH_TYPE
- BRIDGE_AVG_PARTICIPANT_STRESS
- BRIDGE_STRESS_THRESHOLD
- ENABLE_AUTH
- ENABLE_AUTO_OWNER
- ENABLE_CODEC_VP8
- ENABLE_CODEC_VP9
- ENABLE_CODEC_H264
- ENABLE_OCTO
- ENABLE_RECORDING
- ENABLE_SCTP
- ENABLE_AUTO_LOGIN
- JICOFO_AUTH_USER
- JICOFO_AUTH_PASSWORD
- JICOFO_ENABLE_BRIDGE_HEALTH_CHECKS
- JICOFO_CONF_INITIAL_PARTICIPANT_WAIT_TIMEOUT
- JICOFO_CONF_SINGLE_PARTICIPANT_TIMEOUT
- JICOFO_ENABLE_HEALTH_CHECKS
- JICOFO_SHORT_ID
- JICOFO_RESERVATION_ENABLED
- JICOFO_RESERVATION_REST_BASE_URL
- JIBRI_BREWERY_MUC
- JIBRI_REQUEST_RETRIES
- JIBRI_PENDING_TIMEOUT
- JIGASI_BREWERY_MUC
- JIGASI_SIP_URI
- JVB_BREWERY_MUC
- MAX_BRIDGE_PARTICIPANTS
- OCTO_BRIDGE_SELECTION_STRATEGY
- SENTRY_DSN="${JICOFO_SENTRY_DSN:-0}"
- SENTRY_ENVIRONMENT
- SENTRY_RELEASE
- TZ
- XMPP_DOMAIN
- XMPP_AUTH_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN
- XMPP_MUC_DOMAIN
- XMPP_SERVER
depends_on:
- prosody
networks:
meet.jitsi:
# Video bridge
jvb:
image: jitsi/jvb:stable-6433
restart: ${RESTART_POLICY}
# ports:
# - '${JVB_PORT}:${JVB_PORT}/udp'
# - '${JVB_TCP_PORT}:${JVB_TCP_PORT}'
volumes:
- ${CONFIG}/jvb:/config:Z
environment:
- DOCKER_HOST_ADDRESS
- ENABLE_COLIBRI_WEBSOCKET
- ENABLE_OCTO
- JVB_AUTH_USER
- JVB_AUTH_PASSWORD
- JVB_BREWERY_MUC
- JVB_PORT
- JVB_TCP_HARVESTER_DISABLED
- JVB_TCP_PORT
- JVB_TCP_MAPPED_PORT
- JVB_STUN_SERVERS
- JVB_ENABLE_APIS
- JVB_OCTO_BIND_ADDRESS
- JVB_OCTO_PUBLIC_ADDRESS
- JVB_OCTO_BIND_PORT
- JVB_OCTO_REGION
- JVB_WS_DOMAIN
- JVB_WS_SERVER_ID
- PUBLIC_URL
- SENTRY_DSN="${JVB_SENTRY_DSN:-0}"
- SENTRY_ENVIRONMENT
- SENTRY_RELEASE
- COLIBRI_REST_ENABLED
- SHUTDOWN_REST_ENABLED
- TZ
- XMPP_AUTH_DOMAIN
- XMPP_INTERNAL_MUC_DOMAIN
- XMPP_SERVER
depends_on:
- prosody
networks:
meet.jitsi:
# Custom network so all services can communicate using a FQDN
networks:
meet.jitsi:
pg_bus:
external:
name: pg_bus
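Review bot: `web` is only reachable through the master haproxy, whose `jitsi` backend targets `10.255.253.196:80` in plain HTTP, yet `DISABLE_HTTPS`, `ENABLE_HTTP_REDIRECT` and `ENABLE_HSTS` are passed straight from `.env` where env.example leaves them commented; unless `.env` sets `DISABLE_HTTPS=1` and `ENABLE_HTTP_REDIRECT=0`, the container's nginx will presumably redirect port 80 to an HTTPS listener haproxy never talks to, so set both explicitly here (or document them) and enforce HSTS at the TLS terminator instead. The commented-out `ports` on `jvb` mean no media port is published, and `pg_bus` is created `--internal`, so the bridge is not reachable by clients unless a TURN relay is configured via `TURN_HOST`/`TURN_CREDENTIALS`; a comment stating which of the two is intended would save the next operator a debugging session. `SENTRY_DSN="${JICOFO_SENTRY_DSN:-0}"` (and the same pattern in `jvb`) keeps the literal double quotes in the value because compose does not strip them in list syntax; write `SENTRY_DSN=${JICOFO_SENTRY_DSN:-0}`. `web` also uses `restart: always` while every other service uses `${RESTART_POLICY}`.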

409
jitsi/env.example Normal file

@ -0,0 +1,409 @@
# shellcheck disable=SC2034
# Security
#
# Set these to strong passwords to avoid intruders from impersonating a service account
# The service(s) won't start unless these are specified
# Running ./gen-passwords.sh will update .env with strong passwords
# You may skip the Jigasi and Jibri passwords if you are not using those
# DO NOT reuse passwords
#
# XMPP password for Jicofo client connections
JICOFO_AUTH_PASSWORD=
# XMPP password for JVB client connections
JVB_AUTH_PASSWORD=
# XMPP password for Jigasi MUC client connections
JIGASI_XMPP_PASSWORD=
# XMPP recorder password for Jibri client connections
JIBRI_RECORDER_PASSWORD=
# XMPP password for Jibri client connections
JIBRI_XMPP_PASSWORD=
#
# Basic configuration options
#
# Directory where all configuration will be stored
CONFIG=~/.jitsi-meet-cfg
# Exposed HTTP port
HTTP_PORT=8000
# Exposed HTTPS port
HTTPS_PORT=8443
# System time zone
TZ=UTC
# Public URL for the web service (required)
#PUBLIC_URL=https://meet.example.com
# IP address of the Docker host
# See the "Running behind NAT or on a LAN environment" section in the Handbook:
# https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#running-behind-nat-or-on-a-lan-environment
#DOCKER_HOST_ADDRESS=192.168.1.1
# Control whether the lobby feature should be enabled or not
#ENABLE_LOBBY=1
# Control whether the A/V moderation should be enabled or not
#ENABLE_AV_MODERATION=1
# Show a prejoin page before entering a conference
#ENABLE_PREJOIN_PAGE=0
# Enable the welcome page
#ENABLE_WELCOME_PAGE=1
# Enable the close page
#ENABLE_CLOSE_PAGE=0
# Disable measuring of audio levels
#DISABLE_AUDIO_LEVELS=0
# Enable noisy mic detection
#ENABLE_NOISY_MIC_DETECTION=1
#
# Let's Encrypt configuration
#
# Enable Let's Encrypt certificate generation
#ENABLE_LETSENCRYPT=1
# Domain for which to generate the certificate
#LETSENCRYPT_DOMAIN=meet.example.com
# E-Mail for receiving important account notifications (mandatory)
#LETSENCRYPT_EMAIL=alice@atlanta.net
# Use the staging server (for avoiding rate limits while testing)
#LETSENCRYPT_USE_STAGING=1
#
# Etherpad integration (for document sharing)
#
# Set etherpad-lite URL in docker local network (uncomment to enable)
#ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001
# Set etherpad-lite public URL (uncomment to enable)
#ETHERPAD_PUBLIC_URL=https://etherpad.my.domain
# Name your etherpad instance!
ETHERPAD_TITLE=Video Chat
# The default text of a pad
ETHERPAD_DEFAULT_PAD_TEXT=Welcome to Web Chat!\n\n
# Name of the skin for etherpad
ETHERPAD_SKIN_NAME=colibris
# Skin variants for etherpad
ETHERPAD_SKIN_VARIANTS=super-light-toolbar super-light-editor light-background full-width-editor
#
# Basic Jigasi configuration options (needed for SIP gateway support)
#
# SIP URI for incoming / outgoing calls
#JIGASI_SIP_URI=test@sip2sip.info
# Password for the specified SIP account as a clear text
#JIGASI_SIP_PASSWORD=passw0rd
# SIP server (use the SIP account domain if in doubt)
#JIGASI_SIP_SERVER=sip2sip.info
# SIP server port
#JIGASI_SIP_PORT=5060
# SIP server transport
#JIGASI_SIP_TRANSPORT=UDP
#
# Authentication configuration (see handbook for details)
#
# Enable authentication
#ENABLE_AUTH=1
# Enable guest access
#ENABLE_GUESTS=1
# Select authentication type: internal, jwt or ldap
#AUTH_TYPE=internal
# JWT authentication
#
# Application identifier
#JWT_APP_ID=my_jitsi_app_id
# Application secret known only to your token generator
#JWT_APP_SECRET=my_jitsi_app_secret
# (Optional) Set asap_accepted_issuers as a comma separated list
#JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client
# (Optional) Set asap_accepted_audiences as a comma separated list
#JWT_ACCEPTED_AUDIENCES=my_server1,my_server2
# LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page)
#
# LDAP url for connection
#LDAP_URL=ldaps://ldap.domain.com/
# LDAP base DN. Can be empty
#LDAP_BASE=DC=example,DC=domain,DC=com
# LDAP user DN. Do not specify this parameter for the anonymous bind
#LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com
# LDAP user password. Do not specify this parameter for the anonymous bind
#LDAP_BINDPW=LdapUserPassw0rd
# LDAP filter. Tokens example:
# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail
# %s - %s is replaced by the complete service string
# %r - %r is replaced by the complete realm string
#LDAP_FILTER=(sAMAccountName=%u)
# LDAP authentication method
#LDAP_AUTH_METHOD=bind
# LDAP version
#LDAP_VERSION=3
# LDAP TLS using
#LDAP_USE_TLS=1
# List of SSL/TLS ciphers to allow
#LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC
# Require and verify server certificate
#LDAP_TLS_CHECK_PEER=1
# Path to CA cert file. Used when server certificate verify is enabled
#LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt
# Path to CA certs directory. Used when server certificate verify is enabled
#LDAP_TLS_CACERT_DIR=/etc/ssl/certs
# Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps://
# LDAP_START_TLS=1
#
# Advanced configuration options (you generally don't need to change these)
#
# Internal XMPP domain
XMPP_DOMAIN=meet.jitsi
# Internal XMPP server
XMPP_SERVER=xmpp.meet.jitsi
# Internal XMPP server URL
XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280
# Internal XMPP domain for authenticated services
XMPP_AUTH_DOMAIN=auth.meet.jitsi
# XMPP domain for the MUC
XMPP_MUC_DOMAIN=muc.meet.jitsi
# XMPP domain for the internal MUC used for jibri, jigasi and jvb pools
XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi
# XMPP domain for unauthenticated users
XMPP_GUEST_DOMAIN=guest.meet.jitsi
# Comma separated list of domains for cross domain policy or "true" to allow all
# The PUBLIC_URL is always allowed
#XMPP_CROSS_DOMAIN=true
# Custom Prosody modules for XMPP_DOMAIN (comma separated)
XMPP_MODULES=
# Custom Prosody modules for MUC component (comma separated)
XMPP_MUC_MODULES=
# Custom Prosody modules for internal MUC component (comma separated)
XMPP_INTERNAL_MUC_MODULES=
# MUC for the JVB pool
JVB_BREWERY_MUC=jvbbrewery
# XMPP user for JVB client connections
JVB_AUTH_USER=jvb
# STUN servers used to discover the server's public IP
JVB_STUN_SERVERS=meet-jit-si-turnrelay.jitsi.net:443
# Media port for the Jitsi Videobridge
JVB_PORT=10000
# TCP Fallback for Jitsi Videobridge for when UDP isn't available
JVB_TCP_HARVESTER_DISABLED=true
JVB_TCP_PORT=4443
JVB_TCP_MAPPED_PORT=4443
# A comma separated list of APIs to enable when the JVB is started [default: none]
# See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information
#JVB_ENABLE_APIS=rest,colibri
# XMPP user for Jicofo client connections.
# NOTE: this option doesn't currently work due to a bug
JICOFO_AUTH_USER=focus
# Base URL of Jicofo's reservation REST API
#JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com
# Enable Jicofo's health check REST API (http://<jicofo_base_url>:8888/about/health)
#JICOFO_ENABLE_HEALTH_CHECKS=true
# XMPP user for Jigasi MUC client connections
JIGASI_XMPP_USER=jigasi
# MUC name for the Jigasi pool
JIGASI_BREWERY_MUC=jigasibrewery
# Minimum port for media used by Jigasi
JIGASI_PORT_MIN=20000
# Maximum port for media used by Jigasi
JIGASI_PORT_MAX=20050
# Enable SDES srtp
#JIGASI_ENABLE_SDES_SRTP=1
# Keepalive method
#JIGASI_SIP_KEEP_ALIVE_METHOD=OPTIONS
# Health-check extension
#JIGASI_HEALTH_CHECK_SIP_URI=keepalive
# Health-check interval
#JIGASI_HEALTH_CHECK_INTERVAL=300000
#
# Enable Jigasi transcription
#ENABLE_TRANSCRIPTIONS=1
# Jigasi will record audio when transcriber is on [default: false]
#JIGASI_TRANSCRIBER_RECORD_AUDIO=true
# Jigasi will send transcribed text to the chat when transcriber is on [default: false]
#JIGASI_TRANSCRIBER_SEND_TXT=true
# Jigasi will post an url to the chat with transcription file [default: false]
#JIGASI_TRANSCRIBER_ADVERTISE_URL=true
# Credentials for connect to Cloud Google API from Jigasi
# Please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol
# section "Before you begin" paragraph 1 to 5
# Copy the values from the json to the related env vars
#GC_PROJECT_ID=
#GC_PRIVATE_KEY_ID=
#GC_PRIVATE_KEY=
#GC_CLIENT_EMAIL=
#GC_CLIENT_ID=
#GC_CLIENT_CERT_URL=
# Enable recording
#ENABLE_RECORDING=1
# XMPP domain for the jibri recorder
XMPP_RECORDER_DOMAIN=recorder.meet.jitsi
# XMPP recorder user for Jibri client connections
JIBRI_RECORDER_USER=recorder
# Directory for recordings inside Jibri container
JIBRI_RECORDING_DIR=/config/recordings
# The finalizing script. Will run after recording is complete
#JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh
# XMPP user for Jibri client connections
JIBRI_XMPP_USER=jibri
# MUC name for the Jibri pool
JIBRI_BREWERY_MUC=jibribrewery
# MUC connection timeout
JIBRI_PENDING_TIMEOUT=90
# When jibri gets a request to start a service for a room, the room
# jid will look like: roomName@optional.prefixes.subdomain.xmpp_domain
# We'll build the url for the call by transforming that into:
# https://xmpp_domain/subdomain/roomName
# So if there are any prefixes in the jid (like jitsi meet, which
# has its participants join a muc at conference.xmpp_domain) then
# list that prefix here so it can be stripped out to generate
# the call url correctly
JIBRI_STRIP_DOMAIN_JID=muc
# Directory for logs inside Jibri container
JIBRI_LOGS_DIR=/config/logs
# Configure an external TURN server
# TURN_CREDENTIALS=secret
# TURN_HOST=turnserver.example.com
# TURN_PORT=443
# TURNS_HOST=turnserver.example.com
# TURNS_PORT=443
# Disable HTTPS: handle TLS connections outside of this setup
#DISABLE_HTTPS=1
# Enable FLoC
# Opt-In to Federated Learning of Cohorts tracking
#ENABLE_FLOC=0
# Redirect HTTP traffic to HTTPS
# Necessary for Let's Encrypt, relies on standard HTTPS port (443)
#ENABLE_HTTP_REDIRECT=1
# Send a `strict-transport-security` header to force browsers to use
# a secure and trusted connection. Recommended for production use.
# Defaults to 1 (send the header).
# ENABLE_HSTS=1
# Enable IPv6
# Provides means to disable IPv6 in environments that don't support it (get with the times, people!)
#ENABLE_IPV6=1
# Container restart policy
# Defaults to unless-stopped
RESTART_POLICY=unless-stopped
# Authenticate using external service or just focus external auth window if there is one already.
# TOKEN_AUTH_URL=https://auth.meet.example.com/{room}
# Sentry Error Tracking
# Sentry Data Source Name (Endpoint for Sentry project)
# Example: https://public:private@host:port/1
#JVB_SENTRY_DSN=
#JICOFO_SENTRY_DSN=
#JIGASI_SENTRY_DSN=
# Optional environment info to filter events
#SENTRY_ENVIRONMENT=production
# Optional release info to filter events
#SENTRY_RELEASE=1.0.0
# Optional properties for shutdown api
#COLIBRI_REST_ENABLED=true
#SHUTDOWN_REST_ENABLED=true
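Review bot: `ENABLE_AUTH`, `ENABLE_LOBBY` and `AUTH_TYPE` are all left commented, so a `.env` copied from this template runs an open instance where anyone who reaches `jitsi.<host>` through the haproxy frontend can create rooms (and, if `ENABLE_RECORDING=1`, drive Jibri); for a publicly routed deployment uncomment `ENABLE_AUTH=1`, `ENABLE_GUESTS=1` and `ENABLE_LOBBY=1` and add a comment under `# Security` saying why. `LDAP_TLS_CHECK_PEER=1` is commented as well, so the LDAP section as templated does not verify the server certificate even with `ldaps://`; if LDAP auth is used, enable it together with `LDAP_TLS_CACERT_FILE`. `JVB_STUN_SERVERS=meet-jit-si-turnrelay.jitsi.net:443` makes every bridge start call out to a third party to learn its public address — given `pg_bus` is `--internal` and the JVB ports are unpublished, confirm this is reachable and wanted, or set `DOCKER_HOST_ADDRESS` and leave the STUN list empty. Finally, `JIGASI_SIP_PASSWORD`, `LDAP_BINDPW` and `JWT_APP_SECRET` are not managed by gen-passwords.sh and will sit in clear text in `.env`; state in the header that they must be filled by hand and that `.env` must never be committed (it is currently excluded by the `jitsi/*` ignore rule).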

16
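--- /dev/null
+++ b/jitsi/etherpad.yml
@@ -0,0 +1,16 @@
+version: '3'
+services:
+# Etherpad: real-time collaborative document editing
+etherpad:
+image: etherpad/etherpad:1.8.6
+restart: ${RESTART_POLICY}
+environment:
+- TITLE=${ETHERPAD_TITLE}
+- DEFAULT_PAD_TEXT=${ETHERPAD_DEFAULT_PAD_TEXT}
+- SKIN_NAME=${ETHERPAD_SKIN_NAME}
+- SKIN_VARIANTS=${ETHERPAD_SKIN_VARIANTS}
+networks:
+meet.jitsi:
+aliases:
+- etherpad.meet.jitsi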
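Review bot: No volume and no `DB_*` settings are given, so Etherpad presumably falls back to its in-container file database and every pad is lost on `docker-compose rm` (which `make clean` runs); if shared documents matter, mount a data directory under `${CONFIG}/etherpad` or point it at a real database, and if they are meant to be ephemeral say so in the comment. The image is pinned to `1.8.6`, a year behind upstream at the date of this commit; pinning is good, but add a note on how the version is tracked so security releases are picked up. The service is attached only to `meet.jitsi` with no `ports`, so it is reachable solely through the web container's nginx proxy — worth stating explicitly, since the haproxy `pad` backend in master/ points at a different address.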

19
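--- /dev/null
+++ b/jitsi/gen-passwords.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+function generatePassword() {
+openssl rand -hex 16
+}
+JICOFO_AUTH_PASSWORD=$(generatePassword)
+JVB_AUTH_PASSWORD=$(generatePassword)
+JIGASI_XMPP_PASSWORD=$(generatePassword)
+JIBRI_RECORDER_PASSWORD=$(generatePassword)
+JIBRI_XMPP_PASSWORD=$(generatePassword)
+sed -i.bak \
+-e "s#JICOFO_AUTH_PASSWORD=.*#JICOFO_AUTH_PASSWORD=${JICOFO_AUTH_PASSWORD}#g" \
+-e "s#JVB_AUTH_PASSWORD=.*#JVB_AUTH_PASSWORD=${JVB_AUTH_PASSWORD}#g" \
+-e "s#JIGASI_XMPP_PASSWORD=.*#JIGASI_XMPP_PASSWORD=${JIGASI_XMPP_PASSWORD}#g" \
+-e "s#JIBRI_RECORDER_PASSWORD=.*#JIBRI_RECORDER_PASSWORD=${JIBRI_RECORDER_PASSWORD}#g" \
+-e "s#JIBRI_XMPP_PASSWORD=.*#JIBRI_XMPP_PASSWORD=${JIBRI_XMPP_PASSWORD}#g" \
+"$(dirname "$0")/.env"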

46
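--- /dev/null
+++ b/jitsi/jibri.yml
@@ -0,0 +1,46 @@
+version: '3'
+services:
+jibri:
+image: jitsi/jibri:stable-6433
+restart: ${RESTART_POLICY}
+volumes:
+- ${CONFIG}/jibri:/config:Z
+- /dev/shm:/dev/shm
+cap_add:
+- SYS_ADMIN
+- NET_BIND_SERVICE
+devices:
+- /dev/snd:/dev/snd
+environment:
+- CHROMIUM_FLAGS
+- DISPLAY=:0
+- ENABLE_STATS_D
+- JIBRI_FFMPEG_AUDIO_SOURCE
+- JIBRI_FFMPEG_AUDIO_DEVICE
+- JIBRI_HTTP_API_EXTERNAL_PORT
+- JIBRI_HTTP_API_INTERNAL_PORT
+- JIBRI_RECORDING_RESOLUTION
+- JIBRI_USAGE_TIMEOUT
+- JIBRI_XMPP_USER
+- JIBRI_XMPP_PASSWORD
+- JIBRI_BREWERY_MUC
+- JIBRI_RECORDER_USER
+- JIBRI_RECORDER_PASSWORD
+- JIBRI_RECORDING_DIR
+- JIBRI_FINALIZE_RECORDING_SCRIPT_PATH
+- JIBRI_STRIP_DOMAIN_JID
+- JIBRI_LOGS_DIR
+- PUBLIC_URL
+- TZ
+- XMPP_AUTH_DOMAIN
+- XMPP_DOMAIN
+- XMPP_INTERNAL_MUC_DOMAIN
+- XMPP_RECORDER_DOMAIN
+- XMPP_SERVER
+- XMPP_TRUST_ALL_CERTS
+depends_on:
+- jicofo
+networks:
+meet.jitsi: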
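Review bot: `cap_add: SYS_ADMIN` combined with a bind mount of the host's `/dev/shm` and the `/dev/snd` device makes this the most privileged container in the jitsi stack — CAP_SYS_ADMIN is close to root on the host, and the shared `/dev/shm` is writable by every host process, so a compromised Chromium inside Jibri has a direct path out. Upstream requires SYS_ADMIN for Chrome's sandbox and the ALSA loopback, so if it stays, say so in a comment and swap the host mount for a private tmpfs (`tmpfs: [ "/dev/shm" ]`) which removes one shared surface. `XMPP_TRUST_ALL_CERTS` is forwarded but never defined in env.example; if the image defaults it to true (not verifiable from this diff) Jibri accepts any certificate from `${XMPP_SERVER}`, so set the intended value explicitly in `.env` rather than relying on the image default.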

53
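--- /dev/null
+++ b/jitsi/jigasi.yml
@@ -0,0 +1,53 @@
+version: '3'
+services:
+# SIP gateway (audio)
+jigasi:
+image: jitsi/jigasi:stable-6433
+restart: ${RESTART_POLICY}
+ports:
+- '${JIGASI_PORT_MIN}-${JIGASI_PORT_MAX}:${JIGASI_PORT_MIN}-${JIGASI_PORT_MAX}/udp'
+volumes:
+- ${CONFIG}/jigasi:/config:Z
+- ${CONFIG}/transcripts:/tmp/transcripts:Z
+environment:
+- ENABLE_AUTH
+- XMPP_AUTH_DOMAIN
+- XMPP_MUC_DOMAIN
+- XMPP_INTERNAL_MUC_DOMAIN
+- XMPP_SERVER
+- XMPP_DOMAIN
+- PUBLIC_URL
+- JIGASI_SIP_URI
+- JIGASI_SIP_PASSWORD
+- JIGASI_SIP_SERVER
+- JIGASI_SIP_PORT
+- JIGASI_SIP_TRANSPORT
+- JIGASI_SIP_DEFAULT_ROOM
+- JIGASI_XMPP_USER
+- JIGASI_XMPP_PASSWORD
+- JIGASI_BREWERY_MUC
+- JIGASI_PORT_MIN
+- JIGASI_PORT_MAX
+- JIGASI_HEALTH_CHECK_SIP_URI
+- JIGASI_HEALTH_CHECK_INTERVAL
+- JIGASI_SIP_KEEP_ALIVE_METHOD
+- JIGASI_ENABLE_SDES_SRTP
+- ENABLE_TRANSCRIPTIONS
+- JIGASI_TRANSCRIBER_ADVERTISE_URL
+- JIGASI_TRANSCRIBER_RECORD_AUDIO
+- JIGASI_TRANSCRIBER_SEND_TXT
+- GC_PROJECT_ID
+- GC_PRIVATE_KEY_ID
+- GC_PRIVATE_KEY
+- GC_CLIENT_EMAIL
+- GC_CLIENT_ID
+- GC_CLIENT_CERT_URL
+- SENTRY_DSN="${JIGASI_SENTRY_DSN:-0}"
+- SENTRY_ENVIRONMENT
+- SENTRY_RELEASE
+- TZ
+depends_on:
+- prosody
+networks:
+meet.jitsi: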
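Review bot: The `ports` entry publishes the whole `${JIGASI_PORT_MIN}-${JIGASI_PORT_MAX}/udp` RTP range on every host interface, while everything else in this repository is exposed only through the haproxy frontend in master/; if SIP media really must reach the gateway directly, bind it to the intended address (`'<host-ip>:${JIGASI_PORT_MIN}-${JIGASI_PORT_MAX}:${JIGASI_PORT_MIN}-${JIGASI_PORT_MAX}/udp'`) and firewall it, otherwise remove the mapping like the commented-out JVB ports. The Google service-account private key (`GC_PRIVATE_KEY`) and `JIGASI_SIP_PASSWORD` are injected as environment variables, which makes them readable via `docker inspect` and inherited by every process Jigasi spawns; a key file mounted read-only under `${CONFIG}/jigasi` is the safer shape. `SENTRY_DSN="${JIGASI_SENTRY_DSN:-0}"` keeps the literal quotes in the value (compose list syntax does not strip them); write it without the double quotes.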

4
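--- /dev/null
+++ b/master/create-networks.sh
@@ -0,0 +1,4 @@
+docker network create --subnet 10.255.251.0/24 pg_opn
+docker network create --subnet 10.255.252.0/24 pg_vpn
+docker network create --internal --subnet 10.255.253.0/24 pg_bus
+docker network create --internal --subnet 10.255.254.0/24 pg_int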
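Review bot: The script is marked executable but has no shebang and no `set -e`, so it runs under whatever shell `execve` falls back to and keeps going after a failed `docker network create` — typically when a network already exists, which then hides a genuine failure on the following line. Add `#!/usr/bin/env bash` and `set -euo pipefail`, and make each line idempotent, e.g. `docker network inspect pg_bus >/dev/null 2>&1 || docker network create --internal --subnet 10.255.253.0/24 pg_bus`. `pg_int` is created but no compose file in this commit attaches to it; a one-line comment saying what it is reserved for would help.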

62
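--- /dev/null
+++ b/master/docker-compose.yml
@@ -0,0 +1,62 @@
+version: '3.9'
+services:
+lokinet:
+build: lokinet
+privileged: true
+restart: always
+environment:
+- "TZ=UTC"
+tty: true
+tmpfs:
+- /run
+- /tmp
+volumes:
+- /sys/fs/cgroup:/sys/fs/cgroup:ro
+- /sys/fs/cgroup/systemd
+- ./data/lokinet:/data
+- ./data/proxy/config/:/etc/squid
+- ./data/proxy/logs/:/var/log/squid
+- ./data/proxy/cache/:/var/spool/squid
+- ./lokinet.ini:/etc/loki/lokinet.ini
+- ./haproxy.cfg:/etc/haproxy/haproxy.cfg
+- ./data/vpn:/certs
+- ..:/repo:ro
+networks:
+pg_vpn:
+ipv4_address: 10.255.252.253
+pg_bus:
+ipv4_address: 10.255.253.254
+vpn:
+build: vpn
+privileged: true
+restart: always
+volumes:
+- ./data/vpn:/config
+networks:
+pg_opn:
+ipv4_address: 10.255.251.254
+pg_vpn:
+ipv4_address: 10.255.252.254
+proxy:
+build: proxy
+privileged: true
+environment:
+- "TZ=UTC"
+volumes:
+- ./data/proxy/logs/:/var/log/squid
+- ./data/proxy/cache/:/var/spool/squid
+networks:
+pg_vpn:
+ipv4_address: 10.255.252.252
+pg_bus:
+ipv4_address: 10.255.253.252
+networks:
+pg_opn:
+external:
+name: pg_opn
+pg_vpn:
+external:
+name: pg_vpn
+pg_bus:
+external:
+name: pg_bus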
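Review bot: All three services run `privileged: true`, and `lokinet` additionally mounts `..:/repo:ro` (the entire repository, including `jitsi/.env` once gen-passwords.sh has populated it) plus the host's `/sys/fs/cgroup`; judging by the mounted `haproxy.cfg` and `/etc/squid` paths this one container also hosts the TLS terminator for every public hostname and the outbound proxy, so a compromise of any of those processes is a root-equivalent host compromise with every deployment secret readable. Replace `privileged: true` with the capabilities actually needed — `cap_add: [NET_ADMIN]` plus `devices: [/dev/net/tun]` for the lokinet and VPN tunnels, nothing extra for squid — and mount only the directories each service reads instead of `..`. `./data/vpn` is mounted both as the VPN's `/config` and as lokinet's `/certs` (the ACME material under `/certs/.acme.sh/...` referenced by haproxy.cfg), so the VPN container can rewrite the certificates haproxy serves; split these into separate directories. The `proxy` service also lacks the `restart:` policy its siblings have.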

118
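--- /dev/null
+++ b/master/haproxy.cfg
@@ -0,0 +1,118 @@
+global
+log /dev/log local0
+log /dev/log local1 notice
+chroot /var/lib/haproxy
+stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+stats timeout 30s
+user haproxy
+group haproxy
+daemon
+# Default SSL material locations
+ca-base /etc/ssl/certs
+crt-base /etc/ssl/private
+# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
+ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+defaults
+log global
+mode http
+option httplog
+option dontlognull
+timeout connect 5000
+timeout client 50000
+timeout server 50000
+errorfile 400 /etc/haproxy/errors/400.http
+errorfile 403 /etc/haproxy/errors/403.http
+errorfile 408 /etc/haproxy/errors/408.http
+errorfile 500 /etc/haproxy/errors/500.http
+errorfile 502 /etc/haproxy/errors/502.http
+errorfile 503 /etc/haproxy/errors/503.http
+errorfile 504 /etc/haproxy/errors/504.http
+frontend http-in
+bind :80 alpn h2,http/1.1
+bind :8008 alpn h2,http/1.1
+bind :443 ssl crt /certs/.acme.sh/rato.ro.eu.org/all.pem alpn h2,http/1.1
+bind :8448 ssl crt /certs/.acme.sh/rato.ro.eu.org/all.pem alpn h2,http/1.1
+default_backend matrix
+use_backend aaa if { hdr_beg(host) -i aaa }
+use_backend matrixwellknown if { path -i -m beg /.well-known/matrix }
+use_backend dimension if { hdr_beg(host) -i dimension }
+use_backend element if { hdr_beg(host) -i element }
+use_backend fosstodon if { hdr_beg(host) -i fosstodon }
+use_backend jitsi if { hdr_beg(host) -i jitsi }
+use_backend keycloak if { hdr_beg(host) -i keycloak }
+use_backend revolt if { hdr_beg(host) -i revolt. }
+use_backend revolt-api if { hdr_beg(host) -i revolt-api }
+use_backend revolt-ws if { hdr_beg(host) -i revolt-ws }
+use_backend revolt-au if { hdr_beg(host) -i revolt-au }
+use_backend revolt-jan if { hdr_beg(host) -i revolt-jan }
+use_backend revolt-vox if { hdr_beg(host) -i revolt-vox }
+use_backend site if { hdr_beg(host) -i site }
+use_backend h2 if { hdr_beg(host) -i h2 }
+use_backend pad if { hdr_beg(host) -i pad }
+use_backend wiki if { hdr_beg(host) -i wiki }
+backend aaa
+server aaa 10.255.253.199:80
+backend jitsi
+server jitsi 10.255.253.196:80
+backend keycloak
+server keycloak 10.255.253.198:8080
+backend matrix
+server matrix 10.255.253.10:8008
+backend matrixwellknown
+http-response add-header Access-Control-Allow-Origin *
+option forwardfor
+server matrixwellknown 10.255.253.14:80
+backend dimension
+http-response add-header Access-Control-Allow-Origin *
+option forwardfor
+server dimension 10.255.253.13:8184
+backend element
+server element 10.255.253.12:80
+backend fosstodon
+server fosstodon 10.255.253.20:3001
+backend revolt
+server revolt 10.255.253.30:5000
+backend revolt-api
+server revolt-api 10.255.253.31:8000
+backend revolt-ws
+server revolt-ws 10.255.253.31:9000
+backend revolt-au
+server revolt-au 10.255.253.32:3000
+backend revolt-jan
+server revolt-jan 10.255.253.33:3000
+backend revolt-vox
+server revolt-vox 10.255.253.34:8080
+backend wiki
+server wiki 10.255.253.194:80
+backend site
+server site 10.255.253.40:80
+backend pad
+server pad 10.255.253.50:3000
+backend h2
+server h2 10.255.253.60:3000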
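Review bot: The `http-in` frontend serves every backend over plain HTTP on `:80` with no redirect to the TLS listeners and no HSTS header, so logins to keycloak, matrix, the pad and the rest are accepted in clear text whenever a client or link uses http://; redirect port 80 to https (exempting `/.well-known/acme-challenge/` only if acme.sh validates through this frontend — not determinable from the diff) and send `Strict-Transport-Security` on TLS responses. `option forwardfor` is set only on `matrixwellknown` and `dimension`, and no backend receives `X-Forwarded-Proto`, so the keycloak, matrix and fosstodon backends (identified here by name only) see every request as coming from the haproxy address over HTTP, which defeats their rate limiting and audit logs and, for Keycloak presumably, the absolute URLs it builds; move `option forwardfor` to `defaults` and set the proto header in the frontend. The `hdr_beg(host)` matches are prefix matches (`site` also routes `sitemap.…`, `h2` any host starting with `h2`); exact `hdr(host) -i <name>.rato.ro.eu.org` matches are tighter and cheaper to reason about. The rewritten frontend lines follow.
```haproxy
defaults
    # … unchanged: log, mode, timeouts, errorfiles …
    option forwardfor

frontend http-in
    # … unchanged: bind lines …
    http-request redirect scheme https code 301 if !{ ssl_fc } { dst_port 80 } !{ path_beg /.well-known/acme-challenge/ }
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http unless { ssl_fc }
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains" if { ssl_fc }
    # … unchanged: default_backend and use_backend rules …
```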

234
master/lokinet.ini Normal file

@ -0,0 +1,234 @@
[router]
# Configuration for routing activity.
# Network ID; this is 'lokinet' for mainnet, 'gamma' for testnet.
#netid=lokinet
# Minimum number of routers lokinet will attempt to maintain connections to.
#min-connections=4
# Maximum number (hard limit) of routers lokinet will be connected to at any time.
#max-connections=6
# Optional directory for containing lokinet runtime data. This includes generated
# private keys.
#data-dir=/var/lib/lokinet
# The number of threads available for performing cryptographic functions.
# The minimum is one thread, but network performance may increase with more.
# threads. Should not exceed the number of logical CPU cores.
# 0 means use the number of logical CPU cores detected at startup.
#worker-threads=0
[network]
# Network settings
# Snapp settings
# Public key of a router which will act as a pinned first-hop. This may be used to
# provide a trusted router (consider that you are not fully anonymous with your
# first hop).
#strict-connect=
# The private key to persist address with. If not specified the address will be
# ephemeral.
#keyfile=
# Set the endpoint authentication mechanism.
# none/whitelist/lmq
#auth=
# lmq endpoint to talk to for authenticating new sessions
# ipc:///var/lib/lokinet/auth.socket
# tcp://127.0.0.1:5555
#auth-lmq=
# lmq function to call for authenticating new sessions
# llarp.auth
#auth-lmq-method=llarp.auth
# manually add a remote endpoint by .loki address to the access whitelist
#auth-whitelist=
# Determines whether we will publish our snapp's introset to the DHT.
#reachable=1
# Number of hops in a path. Min 1, max 8.
#hops=4
# Number of paths to maintain at any given time.
#paths=6
# Whether or not we should act as an exit node. Beware that this increases demand
# on the server and may pose liability concerns. Enable at your own risk.
#exit=0
# When in exit mode announce we allow a private range in our introsetexmaple:
# owned-range=10.0.0.0/24
#owned-range=
# List of ip traffic whitelist, anything not specified will be dropped by us.examples:
# tcp for all tcp traffic regardless of port
# 0x69 for all packets using ip protocol 0x69udp/53 for udp port 53
# tcp/smtp for smtp port
#traffic-whitelist=
# Specify a `.loki` address and an optional ip range to use as an exit broker.
# Example:
# exit-node=whatever.loki # maps all exit traffic to whatever.loki
# exit-node=stuff.loki:100.0.0.0/24 # maps 100.0.0.0/24 to stuff.loki
#exit-node=
# Specify an optional authentication code required to use a non-public exit node.
# For example:
# exit-auth=myfavouriteexit.loki:abc
# uses the authentication code `abc` whenever myfavouriteexit.loki is accessed.
# Can be specified multiple time to store codes for different exit nodes.
#exit-auth=
# Interface name for lokinet traffic. If unset lokinet will look for a free name
# lokinetN, starting at 0 (e.g. lokinet0, lokinet1, ...).
#ifname=
# Local IP and range for lokinet traffic. For example, 172.16.0.1/16 to use
# 172.16.0.1 for this machine and 172.16.x.y for remote peers. If omitted then
# lokinet will attempt to find an unused private range.
#ifaddr=
# For all ipv6 exit traffic you will use this as the base address bitwised or'd with the v4 address in use.
# To disable ipv6 set this to an empty value.
# !!! WARNING !!! Disabling ipv6 tunneling when you have ipv6 routes WILL lead to de-anonymization as lokinet will no longer carry your ipv6 traffic.
#ip6-range=fd00::
# Map a remote `.loki` address to always use a fixed local IP. For example:
# mapaddr=whatever.loki:172.16.0.10
# maps `whatever.loki` to `172.16.0.10` instead of using the next available IP.
# The given IP address must be inside the range configured by ifaddr=
#mapaddr=
# Adds a lokinet relay `.snode` address to the list of relays to avoid when
# building paths. Can be specified multiple times.
#blacklist-snode=
# Specify SRV Records for services hosted on the SNApp
# for more info see https://docs.loki.network/Lokinet/Guides/HostingSNApps/
# srv=_service._protocol priority weight port target.loki
#srv=
# time in seconds how long to wait for a path to align to pivot routers
# if not provided a sensible default will be used
#path-alignment-timeout=
# persist mapped ephemeral addresses to a file
# on restart the mappings will be loaded so that ip addresses will not be mapped to a different address
#persist-addrmap-file=/var/lib/lokinet/addrmap.dat
[paths]
# path selection algorithm options
# Netmask for router path selection; each router must be from a distinct IP subnet of the given size.
# E.g. 16 ensures that all routers are using distinct /16 IP addresses.
#unique-range-size=32
[dns]
# DNS configuration
# Upstream resolver(s) to use as fallback for non-loki addresses.
# Multiple values accepted.
upstream=10.64.0.1
# Address to bind to for handling DNS requests.
bind=127.3.2.1:53
# Add a hosts file to the dns resolver
# For use with client side dns filtering
#add-hosts=
# Can be uncommented and set to 1 to disable resolvconf configuration of lokinet DNS.
# (This is not used directly by lokinet itself, but by the lokinet init scripts
# on systems which use resolveconf)
#no-resolvconf=
[bind]
# This section specifies network interface names and/or IPs as keys, and
# ports as values to control the address(es) on which Lokinet listens for
# incoming data.
#
# Examples:
#
# eth0=1090
# 0.0.0.0=1090
# 1.2.3.4=1090
#
# The first bind to port 1090 on the network interface 'eth0'; the second binds
# to port 1090 on all local network interfaces; and the third example binds to
# port 1090 on the given IP address.
#
# If a private range IP address (or an interface with a private IP) is given, or
# if the 0.0.0.0 all-address IP is given then you must also specify the
# public-ip= and public-port= settings in the [router] section with a public
# address at which this router can be reached.
# Typically this section can be left blank: if no inbound bind addresses are
# configured then lokinet will search for a local network interface with a public
# IP address and use that (with port 1090).
# Specify a source port for **outgoing** Lokinet traffic, for example if you want to
# set up custom firewall rules based on the originating port. Typically this should
# be left unset to automatically choose random source ports.
#*=0
[api]
# JSON API settings
# Determines whether or not the LMQ JSON API is enabled. Defaults
#enabled=1
# IP address and port to bind to.
# Recommend localhost-only for security purposes.
#bind=tcp://127.0.0.1:1190
[bootstrap]
# Configure nodes that will bootstrap us onto the network
# Whether or not to run as a seed node. We will not have any bootstrap routers configured.
#seed-node=0
# Specify a bootstrap file containing a signed RouterContact of a service node
# which can act as a bootstrap. Can be specified multiple times.
#add-node=
[logging]
# logging settings
# Log type (format). Valid options are:
# file - plaintext formatting
# json - json-formatted log statements
# syslog - logs directed to syslog
#type=file
# Minimum log level to print. Logging below this level will be ignored.
# Valid log levels, in ascending order, are:
# trace
# debug
# info
# warn
# error
#level=warn
# When using type=file this is the output filename. If given the value 'stdout' or
# left empty then logging is printed as standard output rather than written to a
# file.
#file=

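--- /dev/null
+++ b/master/lokinet/Dockerfile
@@ -0,0 +1,15 @@
+FROM registry.oxen.rocks/lokinet-exit:latest
+RUN apt-get -y update && \
+apt-get -y install curl iproute2 iputils-ping tcpdump net-tools dnsutils procps squid iptables inetutils-telnet haproxy && \
+apt-get -y clean && \
+rm -rf /var/lib/apt/lists/*
+EXPOSE 3128/tcp
+VOLUME [/var/spool/squid /var/log/squid]
+COPY routes.service /etc/systemd/system/routes.service
+COPY routes-start /usr/local/bin/routes-start
+COPY resolv.conf /etc/resolv.conf
+RUN chmod +x /usr/local/bin/routes-start
+RUN systemctl enable routes.service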
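Review bot: `VOLUME [/var/spool/squid /var/log/squid]` is not valid JSON-array syntax (unquoted elements, no comma), so Docker most likely falls back to plain whitespace-separated parsing and declares two literal paths containing the bracket characters rather than `/var/spool/squid` and `/var/log/squid`; write it as `VOLUME ["/var/spool/squid", "/var/log/squid"]`. The base image is pulled as `registry.oxen.rocks/lokinet-exit:latest`, so rebuilds are not reproducible and any upstream change lands silently; pin a tag or, better, a digest. master/vpn/Dockerfile has the same problem with its untagged `FROM debian`.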


@ -0,0 +1 @@
nameserver 127.0.0.1
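Review bot: `nameserver 127.0.0.1` points at a resolver on the loopback address, while the lokinet config in this commit binds its DNS listener on `127.3.2.1:53`; if the intent is to send this container's lookups through lokinet, the two addresses do not match. Docker also regenerates `/etc/resolv.conf` inside a container at start, so the `COPY resolv.conf /etc/resolv.conf` in master/lokinet/Dockerfile may not be what is in effect at runtime; a `dns:` entry in the compose service is the reliable way to set it. The page does not show this file's path; it appears to be the resolv.conf copied by that Dockerfile.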


@ -0,0 +1,4 @@
#!/bin/bash
#route del -net default
route add -net 10.64.0.0/24 gw 10.255.252.254
#route add -net default gw 10.255.252.254
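Review bot: `route add -net 10.64.0.0/24 gw 10.255.252.254` is not idempotent: if the unit that runs this script is started a second time in the same namespace the route already exists and `route add` fails, so the oneshot unit reports failure. Since iproute2 is installed alongside net-tools, prefer `ip route replace 10.64.0.0/24 via 10.255.252.254`, which succeeds whether or not the route is already present. The two commented-out `route` lines are dead code; either drop them or replace them with one comment stating that the default route is intentionally left untouched. The page does not show this file's path; it appears to be the `routes-start` copied to `/usr/local/bin` by master/lokinet/Dockerfile.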


@ -0,0 +1,7 @@
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/bash /usr/local/bin/routes-start
[Install]
WantedBy=multi-user.target
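Review bot: The unit has no `[Unit]` section, so nothing orders it after the network: `ExecStart` runs a script that adds a route via `10.255.252.254`, and that may fail if the interface carrying that gateway is not up yet when the unit starts. Add a `[Unit]` block with `Description=` and `After=network-online.target` / `Wants=network-online.target` (or ordering against whichever unit brings up the lokinet interface). `ExecStart=/bin/bash /usr/local/bin/routes-start` also bypasses the script's own shebang; since the Dockerfile already does `chmod +x` on it, `ExecStart=/usr/local/bin/routes-start` is sufficient. The page does not show this file's path.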

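--- /dev/null
+++ b/master/vpn/Dockerfile
@@ -0,0 +1,20 @@
+FROM debian
+RUN apt-get -y update && \
+apt-get -y install curl dbus && \
+curl -L -o mullvad.deb https://mullvad.net/download/app/deb/latest && \
+apt-get -y install ./mullvad.deb && \
+rm -f mullvad.deb && \
+apt-get -y clean && \
+rm -rf /var/lib/apt/lists/*
+RUN apt-get -y update && \
+apt-get -y install iputils-ping tcpdump net-tools dnsutils procps iptables git iproute2 && \
+apt-get -y clean && \
+rm -rf /var/lib/apt/lists/*
+VOLUME /config
+ADD my_init /
+CMD ["/my_init"]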
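Review bot: The `curl -L -o mullvad.deb https://mullvad.net/download/app/deb/latest` line fetches an unpinned package through a redirect and installs it as root with no checksum or signature check, so the image's contents depend entirely on whatever that URL serves at build time. Pin a specific release and verify the vendor's detached signature (or at minimum a recorded SHA-256 of the .deb) before the `apt-get -y install ./mullvad.deb` step. `FROM debian` is likewise untagged; pin a release tag such as `debian:<codename>-slim` so rebuilds are reproducible.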

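--- /dev/null
+++ b/master/vpn/README.md
@@ -0,0 +1,40 @@
+## Image
+Docker image of [mullvad](https://mullvad.net/en/)
+## Usage
+Start container:
+```
+docker run -d \
+--name mullvad_vpn \
+--restart=always \
+--privileged \
+-v mullvad_config:/config \
+oblique/mullvad
+```
+The first time you need to configure your mullvad client:
+```
+docker exec -it mullvad_vpn bash
+mullvad relay set tunnel-protocol wireguard
+mullvad always-require-vpn set on
+mullvad auto-connect set on
+mullvad account set [ID]
+mullvad connect
+```
+## Use VPN from another container
+For `docker run`, use `--net=container:mullvad_vpn`, for example:
+```
+docker run -it --rm --net=container:mullvad_vpn alpine
+```
+For `docker-compose`, check my [vpn-example].
+[vpn-example]: https://github.com/oblique/dockerfiles/tree/master/composefiles/vpn-example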

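--- /dev/null
+++ b/master/vpn/my_init
@@ -0,0 +1,5 @@
+#!/bin/bash
+export MULLVAD_SETTINGS_DIR=/config
+iptables -t nat -A POSTROUTING -j MASQUERADE
+exec /opt/Mullvad\ VPN/resources/mullvad-daemon -v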
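Review bot: `iptables -t nat -A POSTROUTING -j MASQUERADE` has no `-o` interface and no `-s` source restriction, so it masquerades every packet leaving this network namespace on every interface, not only the traffic meant to go out through the VPN tunnel. Restrict it to the tunnel interface (and the source range if known), e.g. `iptables -t nat -A POSTROUTING -o <tunnel-iface> -j MASQUERADE`, so a tunnel outage does not leave traffic NATed out of the container's default interface. Because `exec` replaces the shell on the last line, a failed iptables call is silently ignored; add `set -eu` after the shebang so the container fails to start instead.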

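--- /dev/null
+++ b/matrix/docker-compose.yml
@@ -0,0 +1,72 @@
+version: '3'
+services:
+synapse:
+container_name: synapse
+hostname: piorgeracao.loki
+image: matrixdotorg/synapse:latest
+restart: always
+environment:
+- SYNAPSE_SERVER_NAME=urchcno5rea4njyb7niytdekqw87x55x9q77a1gba9tqkbznw67y.loki
+- SYNAPSE_REPORT_STATS=yes
+- SYNAPSE_NO_TLS=1
+- SYNAPSE_ENABLE_REGISTRATION=yes
+# - SYNAPSE_CONFIG_PATH=/config
+- SYNAPSE_LOG_LEVEL=DEBUG
+# - SYNAPSE_REGISTRATION_SHARED_SECRET=${REG_SHARED_SECRET}
+- POSTGRES_DB=synapse
+- POSTGRES_HOST=synapse_db
+- POSTGRES_USER=postgres
+- POSTGRES_PASSWORD=postgres
+volumes:
+- ./data/synapse:/data
+depends_on:
+- synapse_db
+# In order to expose Synapse, remove one of the following, you might for
+# instance expose the TLS port directly:
+# ports:
+# - 8448:8448/tcp
+networks:
+pg_bus:
+ipv4_address: 10.255.253.10
+synapse_db:
+image: docker.io/postgres:10-alpine
+restart: always
+environment:
+- POSTGRES_DB=synapse
+- POSTGRES_USER=postgres
+- POSTGRES_PASSWORD=postgres
+volumes:
+- ./data/postgres:/var/lib/postgresql/data
+networks:
+pg_bus:
+ipv4_address: 10.255.253.11
+element:
+image: vectorim/element-web
+restart: always
+volumes:
+- ./data/element/config.json:/app/config.json
+networks:
+pg_bus:
+ipv4_address: 10.255.253.12
+dimension:
+image: turt2live/matrix-dimension
+restart: always
+volumes:
+- ./data/dimension:/data
+extra_hosts:
+urchcno5rea4njyb7niytdekqw87x55x9q77a1gba9tqkbznw67y.loki: 10.255.253.254
+networks:
+pg_bus:
+ipv4_address: 10.255.253.13
+web:
+image: nginx
+volumes:
+- ./data/wellknown:/usr/share/nginx/html
+restart: always
+networks:
+pg_bus:
+ipv4_address: 10.255.253.14
+networks:
+pg_bus:
+external:
+name: pg_bus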
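Review bot: `POSTGRES_PASSWORD=postgres` is a hard-coded default credential committed in clear text, in both the `synapse` and `synapse_db` services, and `SYNAPSE_ENABLE_REGISTRATION=yes` leaves account creation open to anyone who can reach the homeserver. The file already sketches the right pattern in the commented-out `SYNAPSE_REGISTRATION_SHARED_SECRET=${REG_SHARED_SECRET}` line: move the database password to an untracked `.env` (`- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}` in both services) and either turn open registration off or gate it behind the shared secret. `SYNAPSE_LOG_LEVEL=DEBUG` should not be the committed default either, since debug logs expose far more request detail than a production deployment should retain. The `latest` tags on `matrixdotorg/synapse` and the untagged `vectorim/element-web` and `nginx` also make the deployment non-reproducible; pin versions. Note that this rendering has lost the YAML indentation, so the nesting above is inferred.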