mirror of
https://gitlab.com/famedly/conduit.git
synced 2025-01-15 22:16:27 +03:00
Merge branch 'x4u/add-apache-cloudflare-deploy-info' into 'next'
X4u/add apache cloudflare deploy info See merge request famedly/conduit!471
This commit is contained in:
commit
2a9a908343
1 changed files with 44 additions and 6 deletions
50
DEPLOY.md
50
DEPLOY.md
|
@ -19,7 +19,7 @@ You may simply download the binary that fits your machine. Run `uname -m` to see
|
||||||
| armv8 / aarch64 | [Binary][armv8-glibc-master] / [.deb][armv8-glibc-master-deb] | [Binary][armv8-glibc-next] / [.deb][armv8-glibc-next-deb] |
|
| armv8 / aarch64 | [Binary][armv8-glibc-master] / [.deb][armv8-glibc-master-deb] | [Binary][armv8-glibc-next] / [.deb][armv8-glibc-next-deb] |
|
||||||
|
|
||||||
These builds were created on and linked against the glibc version shipped with Debian bullseye.
|
These builds were created on and linked against the glibc version shipped with Debian bullseye.
|
||||||
If you use a system with an older glibc version, you might need to compile Conduit yourself.
|
If you use a system with an older glibc version (e.g. RHEL8), you might need to compile Conduit yourself.
|
||||||
|
|
||||||
[x84_64-glibc-master]: https://gitlab.com/famedly/conduit/-/jobs/artifacts/master/raw/build-output/linux_amd64/conduit?job=docker:master
|
[x84_64-glibc-master]: https://gitlab.com/famedly/conduit/-/jobs/artifacts/master/raw/build-output/linux_amd64/conduit?job=docker:master
|
||||||
[armv7-glibc-master]: https://gitlab.com/famedly/conduit/-/jobs/artifacts/master/raw/build-output/linux_arm_v7/conduit?job=docker:master
|
[armv7-glibc-master]: https://gitlab.com/famedly/conduit/-/jobs/artifacts/master/raw/build-output/linux_arm_v7/conduit?job=docker:master
|
||||||
|
@ -39,12 +39,16 @@ $ sudo wget -O /usr/local/bin/matrix-conduit <url>
|
||||||
$ sudo chmod +x /usr/local/bin/matrix-conduit
|
$ sudo chmod +x /usr/local/bin/matrix-conduit
|
||||||
```
|
```
|
||||||
|
|
||||||
Alternatively, you may compile the binary yourself
|
Alternatively, you may compile the binary yourself. First, install any dependencies:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
# Debian
|
||||||
$ sudo apt install libclang-dev build-essential
|
$ sudo apt install libclang-dev build-essential
|
||||||
```
|
|
||||||
|
|
||||||
|
# RHEL
|
||||||
|
$ sudo dnf install clang
|
||||||
|
```
|
||||||
|
Then, `cd` into the source tree of conduit-next and run:
|
||||||
```bash
|
```bash
|
||||||
$ cargo build --release
|
$ cargo build --release
|
||||||
```
|
```
|
||||||
|
@ -74,7 +78,7 @@ cross build --release --no-default-features --features conduit_bin,backend_rocks
|
||||||
While Conduit can run as any user it is usually better to use dedicated users for different services. This also allows
|
While Conduit can run as any user it is usually better to use dedicated users for different services. This also allows
|
||||||
you to make sure that the file permissions are correctly set up.
|
you to make sure that the file permissions are correctly set up.
|
||||||
|
|
||||||
In Debian you can use this command to create a Conduit user:
|
In Debian or RHEL, you can use this command to create a Conduit user:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
sudo adduser --system conduit --no-create-home
|
sudo adduser --system conduit --no-create-home
|
||||||
|
@ -86,6 +90,19 @@ Conduit uses the ports 443 and 8448 both of which need to be open in the firewal
|
||||||
|
|
||||||
If Conduit runs behind a router or in a container and has a different public IP address than the host system these public ports need to be forwarded directly or indirectly to the port mentioned in the config.
|
If Conduit runs behind a router or in a container and has a different public IP address than the host system these public ports need to be forwarded directly or indirectly to the port mentioned in the config.
|
||||||
|
|
||||||
|
## Delegation of federation traffic
|
||||||
|
|
||||||
|
If Conduit runs behind Cloudflare reverse proxy, which doesn't support port 8448 on free plans, [delegation](https://matrix-org.github.io/synapse/latest/delegate.html) can be set up to have federation traffic routed to port 443:
|
||||||
|
```apache
|
||||||
|
# .well-known delegation on Apache
|
||||||
|
<Files "/.well-known/matrix/server">
|
||||||
|
ErrorDocument 200 '{"m.server": "your.server.name:443"}'
|
||||||
|
Header always set Content-Type application/json
|
||||||
|
Header always set Access-Control-Allow-Origin *
|
||||||
|
</Files>
|
||||||
|
```
|
||||||
|
[SRV DNS record](https://spec.matrix.org/latest/server-server-api/#resolving-server-names) delegation is also [possible](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-srv-record/).
|
||||||
|
|
||||||
## Setting up a systemd service
|
## Setting up a systemd service
|
||||||
|
|
||||||
Now we'll set up a systemd service for Conduit, so it's easy to start/stop Conduit and set it to autostart when your
|
Now we'll set up a systemd service for Conduit, so it's easy to start/stop Conduit and set it to autostart when your
|
||||||
|
@ -101,6 +118,7 @@ After=network.target
|
||||||
Environment="CONDUIT_CONFIG=/etc/matrix-conduit/conduit.toml"
|
Environment="CONDUIT_CONFIG=/etc/matrix-conduit/conduit.toml"
|
||||||
User=conduit
|
User=conduit
|
||||||
Group=nogroup
|
Group=nogroup
|
||||||
|
# On RHEL: Group=nobody
|
||||||
Restart=always
|
Restart=always
|
||||||
ExecStart=/usr/local/bin/matrix-conduit
|
ExecStart=/usr/local/bin/matrix-conduit
|
||||||
|
|
||||||
|
@ -168,7 +186,7 @@ address = "127.0.0.1" # This makes sure Conduit can only be reached using the re
|
||||||
## Setting the correct file permissions
|
## Setting the correct file permissions
|
||||||
|
|
||||||
As we are using a Conduit specific user we need to allow it to read the config. To do that you can run this command on
|
As we are using a Conduit specific user we need to allow it to read the config. To do that you can run this command on
|
||||||
Debian:
|
Debian or RHEL:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
sudo chown -R root:root /etc/matrix-conduit
|
sudo chown -R root:root /etc/matrix-conduit
|
||||||
|
@ -180,6 +198,7 @@ If you use the default database path you also need to run this:
|
||||||
```bash
|
```bash
|
||||||
sudo mkdir -p /var/lib/matrix-conduit/
|
sudo mkdir -p /var/lib/matrix-conduit/
|
||||||
sudo chown -R conduit:nogroup /var/lib/matrix-conduit/
|
sudo chown -R conduit:nogroup /var/lib/matrix-conduit/
|
||||||
|
# On RHEL: sudo chown -R conduit:nobody /var/lib/matrix-conduit/
|
||||||
sudo chmod 700 /var/lib/matrix-conduit/
|
sudo chmod 700 /var/lib/matrix-conduit/
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -192,6 +211,11 @@ This depends on whether you use Apache, Caddy, Nginx or another web server.
|
||||||
Create `/etc/apache2/sites-enabled/050-conduit.conf` and copy-and-paste this:
|
Create `/etc/apache2/sites-enabled/050-conduit.conf` and copy-and-paste this:
|
||||||
|
|
||||||
```apache
|
```apache
|
||||||
|
# Requires mod_proxy and mod_proxy_http
|
||||||
|
#
|
||||||
|
# On Apache instance compiled from source,
|
||||||
|
# paste into httpd-ssl.conf or httpd.conf
|
||||||
|
|
||||||
Listen 8448
|
Listen 8448
|
||||||
|
|
||||||
<VirtualHost *:443 *:8448>
|
<VirtualHost *:443 *:8448>
|
||||||
|
@ -208,7 +232,11 @@ ProxyPassReverse /_matrix/ http://127.0.0.1:6167/_matrix/
|
||||||
**You need to make some edits again.** When you are done, run
|
**You need to make some edits again.** When you are done, run
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
# Debian
|
||||||
$ sudo systemctl reload apache2
|
$ sudo systemctl reload apache2
|
||||||
|
|
||||||
|
# Installed from source
|
||||||
|
$ sudo apachectl -k graceful
|
||||||
```
|
```
|
||||||
|
|
||||||
### Caddy
|
### Caddy
|
||||||
|
@ -266,11 +294,19 @@ $ sudo systemctl reload nginx
|
||||||
|
|
||||||
If you chose Caddy as your web proxy SSL certificates are handled automatically and you can skip this step.
|
If you chose Caddy as your web proxy SSL certificates are handled automatically and you can skip this step.
|
||||||
|
|
||||||
The easiest way to get an SSL certificate, if you don't have one already, is to install `certbot` and run this:
|
The easiest way to get an SSL certificate, if you don't have one already, is to [install](https://certbot.eff.org/instructions) `certbot` and run this:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
# To use ECC for the private key,
|
||||||
|
# paste into /etc/letsencrypt/cli.ini:
|
||||||
|
# key-type = ecdsa
|
||||||
|
# elliptic-curve = secp384r1
|
||||||
|
|
||||||
$ sudo certbot -d your.server.name
|
$ sudo certbot -d your.server.name
|
||||||
```
|
```
|
||||||
|
[Automated renewal](https://eff-certbot.readthedocs.io/en/stable/using.html#automated-renewals) is usually preconfigured.
|
||||||
|
|
||||||
|
If using Cloudflare, configure instead the edge and origin certificates in dashboard. In case you’re already running a website on the same Apache server, you can just copy-and-paste the SSL configuration from your main virtual host on port 443 into the above-mentioned vhost.
|
||||||
|
|
||||||
## You're done!
|
## You're done!
|
||||||
|
|
||||||
|
@ -294,6 +330,8 @@ You can also use these commands as a quick health check.
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
$ curl https://your.server.name/_matrix/client/versions
|
$ curl https://your.server.name/_matrix/client/versions
|
||||||
|
|
||||||
|
# If using port 8448
|
||||||
$ curl https://your.server.name:8448/_matrix/client/versions
|
$ curl https://your.server.name:8448/_matrix/client/versions
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue