146 lines
5.9 KiB
YAML
146 lines
5.9 KiB
YAML
# conduwuit - Behind Traefik Reverse Proxy
|
|
|
|
services:
|
|
homeserver:
|
|
### If you already built the conduwuit image with 'docker build' or want to use the Docker Hub image,
|
|
### then you are ready to go.
|
|
image: girlbossceo/conduwuit:latest
|
|
restart: unless-stopped
|
|
volumes:
|
|
- db:/var/lib/conduwuit
|
|
#- ./conduwuit.toml:/etc/conduwuit.toml
|
|
networks:
|
|
- proxy
|
|
environment:
|
|
CONDUWUIT_SERVER_NAME: your.server.name.example # EDIT THIS
|
|
CONDUWUIT_TRUSTED_SERVERS: '["matrix.org"]'
|
|
CONDUWUIT_ALLOW_REGISTRATION: 'false' # After setting a secure registration token, you can enable this
|
|
CONDUWUIT_REGISTRATION_TOKEN: # This is a token you can use to register on the server
|
|
CONDUWUIT_ADDRESS: 0.0.0.0
|
|
CONDUWUIT_PORT: 6167 # you need to match this with the traefik load balancer label if you're want to change it
|
|
CONDUWUIT_DATABASE_PATH: /var/lib/conduwuit
|
|
#CONDUWUIT_CONFIG: '/etc/conduit.toml' # Uncomment if you mapped config toml above
|
|
### Uncomment and change values as desired, note that conduwuit has plenty of config options, so you should check out the example example config too
|
|
# Available levels are: error, warn, info, debug, trace - more info at: https://docs.rs/env_logger/*/env_logger/#enabling-logging
|
|
# CONDUWUIT_LOG: info # default is: "warn,state_res=warn"
|
|
# CONDUWUIT_ALLOW_JAEGER: 'false'
|
|
# CONDUWUIT_ALLOW_ENCRYPTION: 'true'
|
|
# CONDUWUIT_ALLOW_FEDERATION: 'true'
|
|
# CONDUWUIT_ALLOW_CHECK_FOR_UPDATES: 'true'
|
|
# CONDUWUIT_ALLOW_INCOMING_PRESENCE: true
|
|
# CONDUWUIT_ALLOW_OUTGOING_PRESENCE: true
|
|
# CONDUWUIT_ALLOW_LOCAL_PRESENCE: true
|
|
# CONDUWUIT_WORKERS: 10
|
|
# CONDUWUIT_MAX_REQUEST_SIZE: 20_000_000 # in bytes, ~20 MB
|
|
# CONDUWUIT_NEW_USER_DISPLAYNAME_SUFFIX = "🏳<200d>⚧"
|
|
|
|
# We need some way to serve the client and server .well-known json. The simplest way is via the CONDUWUIT_WELL_KNOWN
|
|
# variable / config option, there are multiple ways to do this, e.g. in the conduwuit.toml file, and in a seperate
|
|
# reverse proxy, but since you do not have a reverse proxy and following this guide, this example is included
|
|
CONDUWUIT_WELL_KNOWN: |
|
|
{
|
|
client=https://your.server.name.example,
|
|
server=your.server.name.example:443
|
|
}
|
|
#cpuset: "0-4" # Uncomment to limit to specific CPU cores
|
|
ulimits: # conduwuit uses quite a few file descriptors, and on some systems it defaults to 1024, so you can tell docker to increase it
|
|
nofile:
|
|
soft: 1048567
|
|
hard: 1048567
|
|
|
|
### Uncomment if you want to use your own Element-Web App.
|
|
### Note: You need to provide a config.json for Element and you also need a second
|
|
### Domain or Subdomain for the communication between Element and conduwuit
|
|
### Config-Docs: https://github.com/vector-im/element-web/blob/develop/docs/config.md
|
|
# element-web:
|
|
# image: vectorim/element-web:latest
|
|
# restart: unless-stopped
|
|
# volumes:
|
|
# - ./element_config.json:/app/config.json
|
|
# networks:
|
|
# - proxy
|
|
# depends_on:
|
|
# - homeserver
|
|
|
|
traefik:
|
|
image: "traefik:latest"
|
|
container_name: "traefik"
|
|
restart: "unless-stopped"
|
|
ports:
|
|
- "80:80"
|
|
- "443:443"
|
|
volumes:
|
|
- "/var/run/docker.sock:/var/run/docker.sock:z"
|
|
- "acme:/etc/traefik/acme"
|
|
#- "./traefik_config:/etc/traefik:z"
|
|
labels:
|
|
- "traefik.enable=true"
|
|
|
|
# middleware redirect
|
|
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
|
|
# global redirect to https
|
|
- "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
|
|
- "traefik.http.routers.redirs.entrypoints=web"
|
|
- "traefik.http.routers.redirs.middlewares=redirect-to-https"
|
|
|
|
configs:
|
|
- source: dynamic.yml
|
|
target: /etc/traefik/dynamic.yml
|
|
|
|
environment:
|
|
TRAEFIK_LOG_LEVEL: DEBUG
|
|
TRAEFIK_ENTRYPOINTS_WEB: true
|
|
TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ":80"
|
|
TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_TO: websecure
|
|
|
|
TRAEFIK_ENTRYPOINTS_WEBSECURE: true
|
|
TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS: ":443"
|
|
TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_TLS_CERTRESOLVER: letsencrypt
|
|
#TRAEFIK_ENTRYPOINTS_WEBSECURE_HTTP_MIDDLEWARES: secureHeaders@file # if you want to enabled STS
|
|
|
|
TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT: true
|
|
TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL: # Set this to the email you want to receive certificate expiration emails for
|
|
TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_KEYTYPE: EC384
|
|
TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE: true
|
|
TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_HTTPCHALLENGE_ENTRYPOINT: web
|
|
TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_STORAGE: "/etc/traefik/acme/acme.json"
|
|
|
|
TRAEFIK_PROVIDERS_DOCKER: true
|
|
TRAEFIK_PROVIDERS_DOCKER_ENDPOINT: "unix:///var/run/docker.sock"
|
|
TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: false
|
|
|
|
TRAEFIK_PROVIDERS_FILE: true
|
|
TRAEFIK_PROVIDERS_FILE_FILENAME: "/etc/traefik/dynamic.yml"
|
|
|
|
configs:
|
|
dynamic.yml:
|
|
content: |
|
|
# Optionally set STS headers, like in https://hstspreload.org
|
|
# http:
|
|
# middlewares:
|
|
# secureHeaders:
|
|
# headers:
|
|
# forceSTSHeader: true
|
|
# stsIncludeSubdomains: true
|
|
# stsPreload: true
|
|
# stsSeconds: 31536000
|
|
tls:
|
|
options:
|
|
default:
|
|
cipherSuites:
|
|
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
|
|
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
|
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
|
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
|
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
|
|
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
|
|
minVersion: VersionTLS12
|
|
|
|
volumes:
|
|
db:
|
|
acme:
|
|
|
|
networks:
|
|
proxy:
|
|
|
|
# vim: ts=2:sw=2:expandtab
|