matrix-dimension #43

Closed
sophie wants to merge 15 commits from matrix-dimension into main
8 changed files with 290 additions and 20 deletions


@ -26,11 +26,11 @@ Rule of thumb: keep ports below 10000 free for stuff that reserves ports.
| 6667 | | bitlbee |
| 8010 | | matrix-media-repo |
| 8086 | influxdb2 | influx |
| 8184 | | matrix-dimension |
| 11332-11334 | rspamd | rspamd |
| 20000 | mx-puppet-discord | Bridge |
| 20010 | mautrix-telegram | Bridge |
| 20020 | mautrix-whatsapp | Bridge |
| 20030 | matrix-dimension | Matrix Integrations Manager|
| 20080 | matrix-synapse | client, federation |
| 20081 | matrix-synapse | prometheus metrics |
| 20090 | matrix-media-repo | media_repo |


@ -0,0 +1,14 @@
[Unit]
Description=Matrix Dimension
After=network.target
[Service]
User=matrix-dimension
sophie marked this conversation as resolved Outdated
Outdated
Review

Please use a user dedicated to this bundle, naming them accordingly

Please use a user dedicated to this bundle, naming them accordingly

Resolved in b87d3cc975

Resolved in `b87d3cc975`
Group=matrix-dimension
Environment="NODE_ENV=production"
ExecStart=/usr/bin/node ${config['install_dir']}/build/app/index.js
WorkingDirectory=${config['install_dir']}
Restart=on-failure
[Install]
WantedBy=multi-user.target
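Review bot: The [Service] section (L29–L48) runs the process with no sandboxing even though, as far as the config shows, it only needs to read its install directory and write the botData file under the data directory; adding `NoNewPrivileges=true`, `ProtectSystem=strict` with `ReadWritePaths=${config['data_dir']}`, and `PrivateTmp=true` after `Restart=on-failure` would restrict it accordingly. This matters here because the bundle makes the service user the owner of the install directory, so without a read-only mount the process can rewrite its own code; `ProtectSystem=strict` closes that. Whether Dimension writes anywhere else at runtime is not visible on this page, so the `ReadWritePaths` list should be confirmed against a running instance before merging.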


@ -0,0 +1,93 @@
# The web settings for the service (API and UI).
# It is best to have this run on localhost and use a reverse proxy to access Dimension.
web:
port: 20030
kunsi marked this conversation as resolved Outdated
Outdated
Review

Please change port into the 200xx range and document accordingly in PORT_MAP.md

Please change port into the 200xx range and document accordingly in PORT_MAP.md

Resolved in 2161698a97

Resolved in `2161698a97`
address: '127.0.0.1'
# Homeserver configuration
homeserver:
# The domain name of the homeserver. This is used in many places, such as with go-neb
# setups, to identify the homeserver.
name: "${config['homeserver']['name']}"
# The URL that Dimension, go-neb, and other services provisioned by Dimension should
# use to access the homeserver with.
clientServerUrl: "${config['homeserver']['clientServerUrl']}"
kunsi marked this conversation as resolved Outdated
Outdated
Review

Typo? clientServeUrl vs. clientServerUrl

Typo? `clientServeUrl` vs. `clientServerUrl`

Resolved in 8702e131dc and a65301ee89.

Resolved in `8702e131dc` and `a65301ee89`.
# The URL that Dimension should use when trying to communicate with federated APIs on
# the homeserver. If not supplied or left empty Dimension will try to resolve the address
# through the normal federation process.
#federationUrl: "https://t2bot.io:8448"
# The URL that Dimension will redirect media requests to for downloading media such as
# stickers. If not supplied or left empty Dimension will use the clientServerUrl.
#mediaUrl: "https://t2bot.io"
# The access token Dimension should use for miscellaneous access to the homeserver, and
# for tracking custom sticker pack updates. This should be a user configured on the homeserver
# and be dedicated to Dimension (create a user named "dimension" on your homeserver). For
# information on how to acquire an access token, visit https://t2bot.io/docs/access_tokens
accessToken: "${config['homeserver']['accessToken']}"
kunsi marked this conversation as resolved Outdated
Outdated
Review

Typo? homserver vs. homeserver

Typo? `homserver` vs. `homeserver`

Resolved in 8702e131dc and a65301ee89.

Resolved in `8702e131dc` and `a65301ee89`.
# These users can modify the integrations this Dimension supports.
# To access the admin interface, open Dimension in Riot and click the settings icon.
admins:
% for i in config['admins']:
- "${i}"
% endfor
# IPs and CIDR ranges listed here will be blocked from being widgets.
# Note: Widgets may still be embedded with restricted content, although not through Dimension directly.
widgetBlacklist:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 127.0.0.0/8
database:
# Where the database for Dimension is
uri: "postgres://${node.metadata['matrix-dimension']['database']['user']}:${node.metadata['matrix-dimension']['database']['password']}@${node.metadata['matrix-dimension']['database'].get('host', 'localhost')}/${node.metadata['matrix-dimension']['database']['database']}"
# Where to store misc information for the utility bot account.
botData: "${config['data_dir']}/dimension.bot.json"
# Display settings that apply to self-hosted go-neb instances
goneb:
# The avatars to set for each bot. Usually these don't need to be changed, however if your homeserver
# is not able to reach t2bot.io then you should specify your own here. To not use an avatar for a bot,
# make the bot's avatar an empty string.
avatars:
giphy: "mxc://t2bot.io/c5eaab3ef0133c1a61d3c849026deb27"
imgur: "mxc://t2bot.io/6749eaf2b302bb2188ae931b2eeb1513"
github: "mxc://t2bot.io/905b64b3cd8e2347f91a60c5eb0832e1"
wikipedia: "mxc://t2bot.io/7edfb54e9ad9e13fec0df22636feedf1"
travisci: "mxc://t2bot.io/7f4703126906fab8bb27df34a17707a8"
rss: "mxc://t2bot.io/aace4fcbd045f30afc1b4e5f0928f2f3"
google: "mxc://t2bot.io/636ad10742b66c4729bf89881a505142"
guggy: "mxc://t2bot.io/e7ef0ed0ba651aaf907655704f9a7526"
echo: "mxc://t2bot.io/3407ff2db96b4e954fcbf2c6c0415a13"
circleci: "mxc://t2bot.io/cf7d875845a82a6b21f5f66de78f6bee"
jira: "mxc://t2bot.io/f4a38ebcc4280ba5b950163ca3e7c329"
# Settings for interacting with Telegram. Currently only applies for importing
# sticker packs from Telegram.
telegram:
# Talk to @BotFather on Telegram to get a token
botToken: "${config['telegram']['botToken']}"
# Custom sticker pack options.
# Largely based on https://github.com/turt2live/matrix-sticker-manager
stickers:
# Whether or not to allow people to add custom sticker packs
enabled: true
# The sticker manager bot to promote
stickerBot: "@stickers:t2bot.io"
# The sticker manager URL to promote
managerUrl: "https://stickers.t2bot.io"
# Settings for controlling how logging works
logging:
console: true
kunsi marked this conversation as resolved
Review

I think we can omit that, since systemd takes care of the logging part.

I think we can omit that, since systemd takes care of the logging part.
Review

Should the console level be verbose instead of into then?

Should the console level be verbose instead of into then?
Review

I don't think that's needed. We can increase it later, if needed.

I don't think that's needed. We can increase it later, if needed.
Review

Resolved in 3fd20de161 .

Resolved in `3fd20de161`.
consoleLevel: info
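Review bot: The `uri:` value at L126 splices the database password into the connection string without URL-encoding, so a password containing `@`, `/`, `:` or `#` would produce a malformed URI or one that points at the wrong host; rendering it with Mako's URL filter, `${node.metadata['matrix-dimension']['database']['password'] | u}`, keeps the URI well-formed (whether `repo.vault.password_for` can emit such characters is not visible here, so treat this as a guard). Separately, the `admins:` loop at L113–L116 emits no items when `config['admins']` is empty, leaving a bare `admins:` that parses as null rather than an empty list; emitting `admins: []` in that case, or defaulting the key to a list in the bundle metadata, avoids the type change. This block also reads `node.metadata` directly while the rest of the template goes through `config`, which the bundle binds to the same mapping; using `config['database'][...]` here would keep a single source.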


@ -0,0 +1,74 @@
repo.libs.tools.require_bundle(node, 'nodejs')
directories = {
node.metadata['matrix-dimension']['install_dir']: {
'owner': 'matrix-dimension',
'group': 'matrix-dimension',
},
}
git_deploy = {
node.metadata['matrix-dimension']['install_dir']: {
'rev': node.metadata.get('matrix-dimension/version', 'master'), # doesn't have releases yet
sophie marked this conversation as resolved Outdated
Outdated
Review

`node.metadata.get('matrix-dimension/version', 'master')

`node.metadata.get('matrix-dimension/version', 'master')
'repo': 'https://github.com/turt2live/matrix-dimension.git',
'triggers': {
'action:matrix_dimension_build',
},
'needs': {
'directory:{}'.format(node.metadata.get('matrix-dimension/install_dir')),
'directory:{}'.format(node.metadata.get('matrix-dimension/data_dir')),
},
},
}
files = {
'{}/config/production.yaml'.format(node.metadata.get('matrix-dimension/install_dir')): {
'owner': 'matrix-dimension',
'group': 'matrix-dimension',
'content_type': 'mako',
'context': {
'config': node.metadata.get('matrix-dimension', {}),
},
'needs': {
'directory:{}'.format(node.metadata.get('matrix-dimension/install_dir')),
},
'triggers': {
'svc_systemd:matrix-dimension:restart',
},
},
'/etc/systemd/system/matrix-dimension.service': {
'content_type': 'mako',
'context': {
'config': node.metadata.get('matrix-dimension', {}),
},
'triggers': {
'action:systemd-reload',
'svc_systemd:matrix-dimension:restart',
},
},
}
actions = {
'matrix_dimension_build': {
'command': 'cd ' + node.metadata.get('matrix-dimension/install_dir') + ' && sudo -u matrix-dimension npm install && sudo -u matrix-dimension npm run build',
'needs': {
'pkg_apt:nodejs',
},
'triggered': True,
'triggers': {
'svc_systemd:matrix-dimension:restart',
},
},
}
svc_systemd = {
'matrix-dimension': {
'needs': {
'action:matrix_dimension_build',
'file:{}/config/production.yaml'.format(node.metadata.get('matrix-dimension/install_dir')),
'postgres_db:matrix-dimension',
'postgres_role:matrix-dimension',
},
},
}
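Review bot: The `production.yaml` item at L217–L230 sets owner and group but no `mode`, and the rendered file carries the homeserver access token, the Telegram bot token and the PostgreSQL password in clear text; with bundlewrap's default file mode the file is world-readable, so add `'mode': '0640',` next to the owner/group keys (the service reads it as `matrix-dimension`, so `0600` works as well). The `needs` set at L210–L213 depends on `directory:{data_dir}`, but this hunk only declares a directory item for `install_dir`; unless another bundle creates `/var/opt/matrix-dimension` as a directory item, that dependency cannot be resolved. The build action at L244 runs `npm install`, which executes dependency lifecycle scripts and resolves whatever versions satisfy package.json at apply time; if the upstream checkout ships a lockfile, `npm ci` gives a reproducible install. Since `git_deploy` defaults to `master` (L198), each apply may pull unreviewed upstream changes, so pinning `matrix-dimension/version` to a commit in node metadata is the practical mitigation until upstream tags releases.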


@ -0,0 +1,77 @@
defaults = {
'backups': {
'paths': {
'/opt/matrix-dimension',
kunsi marked this conversation as resolved
Review

Do we really need to backup this?

Do we really need to backup this?
Review

npm writes all kinds of install info to this location, I guess so.

npm writes all kinds of install info to this location, I guess so.
Review

If it's only information we can restore using a bw apply, there should be no need to backup this. But if it's more than that, i'm okay with backing this up.

If it's only information we can restore using a `bw apply`, there should be no need to backup this. But if it's more than that, i'm okay with backing this up.
'/var/opt/matrix-dimension',
},
},
'matrix-dimension': {
'install_dir': '/opt/matrix-dimension',
'data_dir': '/var/opt/matrix-dimension',
'database': {
'user': 'matrix-dimension',
'password': repo.vault.password_for('{} postgresql matrix-dimension'.format(node.name)),
'database': 'matrix-dimension',
},
},
'postgresql': {
'roles': {
'matrix-dimension': {
'password': repo.vault.password_for('{} postgresql matrix-dimension'.format(node.name)),
},
},
'databases': {
'matrix-dimension': {
'owner': 'matrix-dimension',
},
},
},
'users': {
'matrix-dimension': {
'home': '/var/opt/matrix-dimension',
},
},
}
@metadata_reactor.provides(
'nginx/vhosts/matrix-dimension',
)
def nginx_config(metadata):
return {
'nginx': {
'vhosts': {
'matrix-dimension': {
kunsi marked this conversation as resolved Outdated
Outdated
Review

Please use a generic vhost name (like the bundle name), then set domain key inside. Remember to adjust .provides() accordingly.

Please use a generic vhost name (like the bundle name), then set `domain` key inside. Remember to adjust `.provides()` accordingly.

Resolved in a65301ee89

Resolved in `a65301ee89`
'domain': metadata.get('matrix-dimension/url'),
'do_not_set_content_security_headers': True,
'max_body_size': '50M',
'locations': {
'/': {
'target': 'http://127.0.0.1:20030',
},
},
},
},
},
}
@metadata_reactor.provides(
'icinga2_api/matrix-dimension/services',
)
def icinga_check_for_new_release(metadata):
return {
'icinga2_api': {
'matrix-dimension': {
'services': {
'MATRIX-DIMENSION UPDATE': {
'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_github_for_new_release turt2live/matrix-dimension {}'.format(metadata.get('matrix-dimension/version')),
'vars.notification.mail': True,
'check_interval': '60m',
},
'MATRIX-DIMENSION PROCESS': {
'command_on_monitored_host': '/usr/lib/nagios/plugins/check_procs -a matrix-dimension -c 1:',
kunsi marked this conversation as resolved Outdated
Outdated
Review

Please fix and enable.

Please fix and enable.

Resolved in 'd74618f9a9'

Resolved in 'd74618f9a9'
},
},
},
},
}
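Review bot: `icinga_check_for_new_release` at L358 formats `metadata.get('matrix-dimension/version')` into the check command with no fallback, while the `defaults` mapping at L291–L299 declares no `version` key; a node that does not set it (the bundle itself falls back to `master`) ends up with the literal `None` in the command line. Adding `'version': 'master',` under `'matrix-dimension'` in `defaults` keeps the reactor and the bundle's `git_deploy` on one default; even then, a branch name is not a release, so the check's result on such nodes is doubtful and worth a comment. The same vault password is requested twice (L296 and L303) with a hand-copied key string; binding it once, e.g. `_db_password = repo.vault.password_for('{} postgresql matrix-dimension'.format(node.name))`, and referencing it from both places prevents the two from drifting apart.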


@ -1,6 +0,0 @@
add_header Content-Security-Policy "frame-ancestors 'self' chat.sophies-kitchen.eu";
location /.well-known/matrix/ {
alias /etc/matrix-synapse/wellknown/;
add_header Access-Control-Allow-Origin *;
}


@ -0,0 +1 @@
add_header Content-Security-Policy "frame-ancestors 'self' chat.sophies-kitchen.eu";


@ -4,6 +4,7 @@
nodes['htz-cloud.miniserver'] = {
'bundles': {
'element-web',
'matrix-dimension',
'matrix-media-repo',
'matrix-synapse',
'nodejs',
@ -68,10 +69,10 @@ nodes['htz-cloud.miniserver'] = {
},
'brand': 'sophies-kitchen.eu',
'showLabsSettings': True,
'integrations_ui_url': 'https://dimension.franzi.business/riot',
'integrations_rest_url': 'https://dimension.franzi.business/api/v1/scalar',
'integrations_ui_url': 'https://dimension.sophies-kitchen.eu/riot',
'integrations_rest_url': 'https://dimension.sophies-kitchen.eu/api/v1/scalar',
'integrations_widgets_urls': {
'https://dimension.franzi.business/widgets'
'https://dimension.sophies-kitchen.eu/widgets'
},
'default_theme': 'dark',
'defaultCountryCode': 'DE',
@ -103,6 +104,21 @@ nodes['htz-cloud.miniserver'] = {
},
},
},
'matrix-dimension': {
'url': 'dimension.sophies-kitchen.eu',
'version': 'master', # doesn't have releases yet
'homeserver': {
'name': 'sophies-kitchen.eu',
'clientServerUrl': 'https://matrix.sophies-kitchen.eu',
'accessToken': vault.decrypt('encrypt$gAAAAABg4btB0KGk068ahGZzR0w_Lm1bj1wUbB2WfNNs2bp3PwM4Ftp6MjQnrF-CejZfrF0NjPJw9Z4MrgileHP0sVw04mvgKSHfTf8gv4kTB6WuCIxHeMWHUDx00LTWL73fSlhCK0o1'),
},
'admins': [
'@sophie:sophies-kitchen.eu',
],
'telegram': {
'botToken': vault.decrypt('encrypt$gAAAAABg4bcQVzBF_iXdDtjRQD-O37GHdbHwWXyhCLPOuJLbv3ezUeXKR203hkCXkjfItSHi4NiTEgQPadDZTRkavaRpvAoaQV1a4srCS_Y-NU4RiOmkrVFJ_Xhw6UZvwjQUQ0QPOx9t'),
},
},
'matrix-media-repo': {
'version': 'v1.2.8',
'homeservers': {
@ -144,6 +160,14 @@ nodes['htz-cloud.miniserver'] = {
'bot_token': '""',
},
},
'nameservers': {
'213.133.98.98',
'213.133.99.99',
'213.133.100.100',
'2a01:4f8:0:1::add:1010',
'2a01:4f8:0:1::add:9999',
'2a01:4f8:0:1::add:9898',
},
'nftables': {
'rules': {
'input': {
@ -156,16 +180,9 @@ nodes['htz-cloud.miniserver'] = {
},
'nginx': {
'vhosts': {
#'dimension.sophies-kitchen.eu': {
# 'extras': True,
# 'do_not_set_content_security_headers': True,
# 'max_body_size': '50M',
# 'locations': {
# '/': {
# 'target': 'http://127.0.0.1:8184',
# },
# },
#},
'matrix-dimension': {
'extras': True,
},
'sophies-kitchen.eu': {
'webroot': '/var/www/sophies-kitchen.eu/_site/',
'extras': True,