improvement: better deploy guide
parent
d7e56dbfa0
commit
b4818716b8
146
DEPLOY.md
146
DEPLOY.md
|
@ -1,53 +1,42 @@
|
|||
# Deploy from source
|
||||
# Deploying Conduit
|
||||
|
||||
## Prerequisites
|
||||
## Getting help
|
||||
|
||||
Make sure you have `libssl-dev` and `pkg-config` installed and the [rust toolchain](https://rustup.rs) is available on at least on user.
|
||||
If you run into any problems while setting up Conduit, write an email to `support@conduit.rs`, ask us in `#conduit:matrix.org` or [open an issue on GitLab](https://gitlab.com/famedly/conduit/-/issues/new).
|
||||
|
||||
## Installing Conduit
|
||||
|
||||
## Install Conduit
|
||||
|
||||
You have to download the binary that fits your machine. Run `uname -m` to see what you need:
|
||||
You have to download the binary that fits your machine. Run `uname -m` to see
|
||||
what you need. Now copy the right url:
|
||||
- x84_64: `https://conduit.rs/master/x86_64/conduit-bin`
|
||||
- armv7: `https://conduit.rs/master/armv7/conduit-bin`
|
||||
- armv8: `https://conduit.rs/master/armv8/conduit-bin`
|
||||
- arm: `https://conduit.rs/master/arm/conduit-bin`
|
||||
|
||||
```bash
|
||||
$ sudo useradd -m conduit
|
||||
$ sudo -u conduit wget <url> -O /home/conduit/conduit-bin && chmod +x /home/conduit/conduit-bin
|
||||
$ sudo wget -O /usr/local/bin/conduit <url>
|
||||
$ sudo chmod +x /usr/local/bin/conduit
|
||||
```
|
||||
|
||||
|
||||
## Setup systemd service
|
||||
## Setting up a systemd service
|
||||
|
||||
In this guide, we set up a systemd service for Conduit, so it's easy to
|
||||
start/stop Conduit and set it to autostart when your server reboots. Paste the
|
||||
Now we'll set up a systemd service for Conduit, so it's easy to start/stop
|
||||
Conduit and set it to autostart when your server reboots. Simply paste the
|
||||
default systemd service you can find below into
|
||||
`/etc/systemd/system/conduit.service` and configure it to fit your setup.
|
||||
`/etc/systemd/system/conduit.service`.
|
||||
|
||||
```systemd
|
||||
[Unit]
|
||||
Description=Conduit
|
||||
Description=Conduit Matrix Server
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Environment="ROCKET_SERVER_NAME=YOURSERVERNAME.HERE" # EDIT THIS
|
||||
|
||||
Environment="ROCKET_PORT=14004" # Reverse proxy port
|
||||
|
||||
#Environment="ROCKET_MAX_REQUEST_SIZE=20000000" # in bytes
|
||||
#Environment="ROCKET_REGISTRATION_DISABLED=true"
|
||||
#Environment="ROCKET_ENCRYPTION_DISABLED=true"
|
||||
#Environment="ROCKET_FEDERATION_ENABLED=true"
|
||||
#Environment="ROCKET_LOG=normal" # Detailed logging
|
||||
|
||||
Environment="ROCKET_ENV=production"
|
||||
User=conduit
|
||||
Group=conduit
|
||||
Type=simple
|
||||
Environment="CONDUIT_CONFIG=/etc/matrix-conduit/conduit.toml"
|
||||
User=root
|
||||
Group=root
|
||||
Restart=always
|
||||
ExecStart=/home/conduit/conduit-bin
|
||||
ExecStart=/usr/local/bin/matrix-conduit
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
@ -59,43 +48,106 @@ $ sudo systemctl daemon-reload
|
|||
```
|
||||
|
||||
|
||||
## Setup Reverse Proxy
|
||||
## Creating the Conduit configuration file
|
||||
|
||||
This depends on whether you use Apache, Nginx or something else. For Apache it looks like this (in /etc/apache2/sites-enabled/050-conduit.conf):
|
||||
Now we need to create the Conduit's config file in `/etc/matrix-conduit/conduit.toml`. Paste this in **and take a moment to read it. You need to change at least the server name.**
|
||||
```toml
|
||||
[global]
|
||||
# The server_name is the name of this server. It is used as a suffix for user
|
||||
# and room ids. Examples: matrix.org, conduit.rs
|
||||
# The Conduit server needs to be reachable at https://your.server.name/ on port
|
||||
# 443 (client-server) and 8448 (federation) OR you can create /.well-known
|
||||
# files to redirect requests. See
|
||||
# https://matrix.org/docs/spec/client_server/latest#get-well-known-matrix-client
|
||||
# and https://matrix.org/docs/spec/server_server/r0.1.4#get-well-known-matrix-server
|
||||
# for more information
|
||||
|
||||
# YOU NEED TO EDIT THIS
|
||||
#server_name = "your.server.name"
|
||||
|
||||
# This is the only directory where Conduit will save its data
|
||||
database_path = "/var/lib/matrix-conduit/conduit_db"
|
||||
|
||||
# The port Conduit will be running on. You need to set up a reverse proxy in
|
||||
# your web server (e.g. apache or nginx), so all requests to /_matrix on port
|
||||
# 443 and 8448 will be forwarded to the Conduit instance running on this port
|
||||
port = 6167
|
||||
|
||||
# Max size for uploads
|
||||
max_request_size = 20_000_000 # in bytes
|
||||
|
||||
# Disabling registration means no new users will be able to register on this server
|
||||
allow_registration = false
|
||||
|
||||
# Disable encryption, so no new encrypted rooms can be created
|
||||
# Note: existing rooms will continue to work
|
||||
allow_encryption = true
|
||||
allow_federation = true
|
||||
|
||||
#cache_capacity = 1073741824 # in bytes, 1024 * 1024 * 1024
|
||||
#max_concurrent_requests = 4 # How many requests Conduit sends to other servers at the same time
|
||||
#workers = 4 # default: cpu core count * 2
|
||||
|
||||
address = "127.0.0.1" # This makes sure Conduit can only be reached using the reverse proxy
|
||||
```
|
||||
<VirtualHost *:443>
|
||||
|
||||
ServerName conduit.koesters.xyz # EDIT THIS
|
||||
|
||||
## Setting up the Reverse Proxy
|
||||
|
||||
This depends on whether you use Apache, Nginx or another web server.
|
||||
|
||||
### Apache
|
||||
|
||||
Create `/etc/apache2/sites-enabled/050-conduit.conf` and copy-and-paste this:
|
||||
```
|
||||
Listen 8448
|
||||
|
||||
<VirtualHost *:443 *:8448>
|
||||
|
||||
ServerName your.server.name # EDIT THIS
|
||||
|
||||
AllowEncodedSlashes NoDecode
|
||||
|
||||
ServerAlias conduit.koesters.xyz # EDIT THIS
|
||||
|
||||
ProxyPreserveHost On
|
||||
ProxyRequests off
|
||||
AllowEncodedSlashes NoDecode
|
||||
ProxyPass / http://localhost:14004/ nocanon
|
||||
ProxyPassReverse / http://localhost:14004/ nocanon
|
||||
ProxyPass /_matrix/ http://localhost:6167/
|
||||
ProxyPassReverse /_matrix/ http://localhost:6167/
|
||||
|
||||
Include /etc/letsencrypt/options-ssl-apache.conf
|
||||
|
||||
# EDIT THESE:
|
||||
SSLCertificateFile /etc/letsencrypt/live/conduit.koesters.xyz/fullchain.pem
|
||||
SSLCertificateKeyFile /etc/letsencrypt/live/conduit.koesters.xyz/privkey.pem
|
||||
SSLCertificateFile /etc/letsencrypt/live/your.server.name/fullchain.pem # EDIT THIS
|
||||
SSLCertificateKeyFile /etc/letsencrypt/live/your.server.name/privkey.pem # EDIT THIS
|
||||
</VirtualHost>
|
||||
```
|
||||
|
||||
Then run
|
||||
**You need to make some edits again.** When you are done, run
|
||||
```bash
|
||||
$ sudo systemctl reload apache2
|
||||
```
|
||||
|
||||
|
||||
### Nginx
|
||||
|
||||
If you use Nginx and not Apache, add the following server section inside the
|
||||
http section of `/etc/nginx/nginx.conf`
|
||||
```
|
||||
server {
|
||||
listen 443;
|
||||
listen 8448;
|
||||
server_name your.server.name; # EDIT THIS
|
||||
|
||||
location /_matrix/ {
|
||||
proxy_pass http://localhost:6167/_matrix/;
|
||||
}
|
||||
}
|
||||
```
|
||||
**You need to make some edits again.** When you are done, run
|
||||
```bash
|
||||
$ sudo systemctl reload nginx
|
||||
```
|
||||
|
||||
|
||||
## SSL Certificate
|
||||
|
||||
The easiest way to get an SSL certificate for the domain is to install `certbot` and run this:
|
||||
The easiest way to get an SSL certificate, if you don't have one already, is to install `certbot` and run this:
|
||||
```bash
|
||||
$ sudo certbot -d conduit.koesters.xyz
|
||||
$ sudo certbot -d your.server.name
|
||||
```
|
||||
|
||||
|
||||
|
|
|
@ -86,7 +86,7 @@ pub async fn register_route(
|
|||
db: State<'_, Database>,
|
||||
body: Ruma<register::Request<'_>>,
|
||||
) -> ConduitResult<register::Response> {
|
||||
if db.globals.registration_disabled() {
|
||||
if !db.globals.allow_registration() {
|
||||
return Err(Error::BadRequest(
|
||||
ErrorKind::Forbidden,
|
||||
"Registration has been disabled.",
|
||||
|
|
|
@ -240,7 +240,7 @@ pub async fn create_room_route(
|
|||
.map_err(|_| Error::BadRequest(ErrorKind::InvalidParam, "Invalid initial state event."))?;
|
||||
|
||||
// Silently skip encryption events if they are not allowed
|
||||
if pdu_builder.event_type == EventType::RoomEncryption && db.globals.encryption_disabled() {
|
||||
if pdu_builder.event_type == EventType::RoomEncryption && !db.globals.allow_encryption() {
|
||||
continue;
|
||||
}
|
||||
|
||||
|
|
|
@ -33,11 +33,19 @@ pub struct Config {
|
|||
#[serde(default = "default_max_concurrent_requests")]
|
||||
max_concurrent_requests: u16,
|
||||
#[serde(default)]
|
||||
registration_disabled: bool,
|
||||
#[serde(default)]
|
||||
encryption_disabled: bool,
|
||||
#[serde(default)]
|
||||
federation_disabled: bool,
|
||||
allow_registration: bool,
|
||||
#[serde(default = "true_fn")]
|
||||
allow_encryption: bool,
|
||||
#[serde(default = "false_fn")]
|
||||
allow_federation: bool,
|
||||
}
|
||||
|
||||
fn false_fn() -> bool {
|
||||
false
|
||||
}
|
||||
|
||||
fn true_fn() -> bool {
|
||||
true
|
||||
}
|
||||
|
||||
fn default_cache_capacity() -> u64 {
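Review bot: `allow_registration` on the new side gets its default from the bare `#[serde(default)]` (i.e. `bool::default()`, false) while the two sibling fields spell theirs out with `true_fn`/`false_fn`; since this default decides whether an unconfigured server accepts sign-ups, make it explicit with `#[serde(default = "false_fn")]` so the closed-by-default choice is visible at the field. The three renamed keys carry no doc comments; one line each would do, e.g. `/// Accept new account registrations (default: false).`, `/// Allow creating encrypted rooms (default: true).`, `/// Exchange traffic with other homeservers (default: false).`. Unless `Config` carries `deny_unknown_fields` (its header is outside the hunk), a config file that still names `registration_disabled`/`encryption_disabled`/`federation_disabled` is accepted silently and the renamed keys fall back to their defaults, so an operator who had encryption disabled ends up with it enabled without any message; a `#[serde(alias = ...)]` with inverted meaning is not possible here, but a startup warning when the old keys are present would make the migration visible.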
|
||||
|
|
|
@ -111,16 +111,16 @@ impl Globals {
|
|||
self.config.max_request_size
|
||||
}
|
||||
|
||||
pub fn registration_disabled(&self) -> bool {
|
||||
self.config.registration_disabled
|
||||
pub fn allow_registration(&self) -> bool {
|
||||
self.config.allow_registration
|
||||
}
|
||||
|
||||
pub fn encryption_disabled(&self) -> bool {
|
||||
self.config.encryption_disabled
|
||||
pub fn allow_encryption(&self) -> bool {
|
||||
self.config.allow_encryption
|
||||
}
|
||||
|
||||
pub fn federation_disabled(&self) -> bool {
|
||||
self.config.federation_disabled
|
||||
pub fn allow_federation(&self) -> bool {
|
||||
self.config.allow_federation
|
||||
}
|
||||
|
||||
pub fn dns_resolver(&self) -> &TokioAsyncResolver {
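Review bot: The three renamed accessors are public and undocumented; a `///` line on each stating what the flag gates and its default would let route authors use them without opening the config module, e.g. `/// Whether new accounts may be registered (config `allow_registration`, default false).` and the matching lines for `allow_encryption` and `allow_federation`. The enclosing `impl Globals` continues outside the hunk.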
|
||||
|
|
|
@ -786,8 +786,8 @@ impl Rooms {
|
|||
#[allow(clippy::blocks_in_if_conditions)]
|
||||
if !match event_type {
|
||||
EventType::RoomEncryption => {
|
||||
// Don't allow encryption events when it's disabled
|
||||
!globals.encryption_disabled()
|
||||
// Only allow encryption events if it's allowed in the config
|
||||
globals.allow_encryption()
|
||||
}
|
||||
EventType::RoomMember => {
|
||||
let prev_event = self
|
||||
|
|
|
@ -36,7 +36,7 @@ pub async fn send_request<T: OutgoingRequest>(
|
|||
where
|
||||
T: Debug,
|
||||
{
|
||||
if globals.federation_disabled() {
|
||||
if !globals.allow_federation() {
|
||||
return Err(Error::bad_config("Federation is disabled."));
|
||||
}
|
||||
|
||||
|
@ -322,7 +322,7 @@ pub async fn request_well_known(
|
|||
pub fn get_server_version_route(
|
||||
db: State<'_, Database>,
|
||||
) -> ConduitResult<get_server_version::Response> {
|
||||
if db.globals.federation_disabled() {
|
||||
if !db.globals.allow_federation() {
|
||||
return Err(Error::bad_config("Federation is disabled."));
|
||||
}
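Review bot: The federation gate `if !db.globals.allow_federation() { return Err(Error::bad_config("Federation is disabled.")); }` is now copied verbatim into this route and into get_public_rooms_filtered_route, get_public_rooms_route, send_transaction_message_route, get_missing_events_route, get_profile_information_route and get_user_devices_route (the later hunks on this page), so every future federation endpoint has to remember to paste it too. A single helper, or a request guard that all federation handlers go through, would keep the check in one place and make an unguarded endpoint a compile-time or review-time oddity rather than a silent gap. The function body continues outside the hunk.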
|
||||
|
||||
|
@ -337,7 +337,7 @@ pub fn get_server_version_route(
|
|||
|
||||
#[cfg_attr(feature = "conduit_bin", get("/_matrix/key/v2/server"))]
|
||||
pub fn get_server_keys_route(db: State<'_, Database>) -> Json<String> {
|
||||
if db.globals.federation_disabled() {
|
||||
if !db.globals.allow_federation() {
|
||||
// TODO: Use proper types
|
||||
return Json("Federation is disabled.".to_owned());
|
||||
}
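Review bot: With the inverted guard this route still answers a federation-disabled server with HTTP 200 and the bare string `"Federation is disabled."` (the line under the `TODO`), unlike every sibling route in this commit, which returns `Error::bad_config`; a remote server fetching keys will take the 200 as a key response and fail to parse it instead of seeing a clear refusal. Returning the same error as the other routes, or a proper Matrix error body, would make the disabled state unambiguous to peers. The function body continues outside the hunk.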
|
||||
|
@ -390,7 +390,7 @@ pub async fn get_public_rooms_filtered_route(
|
|||
db: State<'_, Database>,
|
||||
body: Ruma<get_public_rooms_filtered::v1::Request<'_>>,
|
||||
) -> ConduitResult<get_public_rooms_filtered::v1::Response> {
|
||||
if db.globals.federation_disabled() {
|
||||
if !db.globals.allow_federation() {
|
||||
return Err(Error::bad_config("Federation is disabled."));
|
||||
}
|
||||
|
||||
|
@ -437,7 +437,7 @@ pub async fn get_public_rooms_route(
|
|||
db: State<'_, Database>,
|
||||
body: Ruma<get_public_rooms::v1::Request<'_>>,
|
||||
) -> ConduitResult<get_public_rooms::v1::Response> {
|
||||
if db.globals.federation_disabled() {
|
||||
if !db.globals.allow_federation() {
|
||||
return Err(Error::bad_config("Federation is disabled."));
|
||||
}
|
||||
|
||||
|
@ -484,7 +484,7 @@ pub async fn send_transaction_message_route<'a>(
|
|||
db: State<'a, Database>,
|
||||
body: Ruma<send_transaction_message::v1::Request<'_>>,
|
||||
) -> ConduitResult<send_transaction_message::v1::Response> {
|
||||
if db.globals.federation_disabled() {
|
||||
if !db.globals.allow_federation() {
|
||||
return Err(Error::bad_config("Federation is disabled."));
|
||||
}
|
||||
|
||||
|
@ -587,7 +587,7 @@ pub fn get_missing_events_route<'a>(
|
|||
db: State<'a, Database>,
|
||||
body: Ruma<get_missing_events::v1::Request<'_>>,
|
||||
) -> ConduitResult<get_missing_events::v1::Response> {
|
||||
if db.globals.federation_disabled() {
|
||||
if !db.globals.allow_federation() {
|
||||
return Err(Error::bad_config("Federation is disabled."));
|
||||
}
|
||||
|
||||
|
@ -632,7 +632,7 @@ pub fn get_profile_information_route<'a>(
|
|||
db: State<'a, Database>,
|
||||
body: Ruma<get_profile_information::v1::Request<'_>>,
|
||||
) -> ConduitResult<get_profile_information::v1::Response> {
|
||||
if db.globals.federation_disabled() {
|
||||
if !db.globals.allow_federation() {
|
||||
return Err(Error::bad_config("Federation is disabled."));
|
||||
}
|
||||
|
||||
|
@ -666,7 +666,7 @@ pub fn get_user_devices_route<'a>(
|
|||
db: State<'a, Database>,
|
||||
body: Ruma<membership::v1::Request<'_>>,
|
||||
) -> ConduitResult<get_profile_information::v1::Response> {
|
||||
if db.globals.federation_disabled() {
|
||||
if !db.globals.allow_federation() {
|
||||
return Err(Error::bad_config("Federation is disabled."));
|
||||
}
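Review bot: The context lines show get_user_devices_route taking `Ruma<membership::v1::Request<'_>>` and returning `get_profile_information::v1::Response`, which looks like a copy-paste leftover rather than the device-list request/response types; this predates the commit, but since the route is now gated like its siblings it is worth confirming the types before the handler is relied on. The function body continues outside the hunk.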
|
||||
|
||||
|
|