Move complement setup stuff into the Synapse repo (#12404)
Fixes matrix-org/complement#330 (or it will, once we remove the old files).
It's not quite a lift-and-shift: I've also taken the opportunity to get rid of the custom CA that we used to use to sign the TLS certs, which has been superseded by the CA exposed by Complement.
2 files changed, 149 insertions, 0 deletions
diff --git a/docker/complement/conf-workers/caddy.complement.json b/docker/complement/conf-workers/caddy.complement.json
new file mode 100644
index 0000000000..09e2136af2
--- /dev/null
+++ b/docker/complement/conf-workers/caddy.complement.json
@@ -0,0 +1,72 @@
+{
+ "apps": {
+ "http": {
+ "servers": {
+ "srv0": {
+ "listen": [
+ ":8448"
+ ],
+ "routes": [
+ {
+ "match": [
+ {
+ "host": [
+ "{{ server_name }}"
+ ]
+ }
+ ],
+ "handle": [
+ {
+ "handler": "subroute",
+ "routes": [
+ {
+ "handle": [
+ {
+ "handler": "reverse_proxy",
+ "upstreams": [
+ {
+ "dial": "localhost:8008"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "terminal": true
+ }
+ ]
+ }
+ }
+ },
+ "tls": {
+ "automation": {
+ "policies": [
+ {
+ "subjects": [
+ "{{ server_name }}"
+ ],
+ "issuers": [
+ {
+ "module": "internal"
+ }
+ ],
+ "on_demand": true
+ }
+ ]
+ }
+ },
+ "pki": {
+ "certificate_authorities": {
+ "local": {
+ "name": "Complement CA",
+ "root": {
+ "certificate": "/complement/ca/ca.crt",
+ "private_key": "/complement/ca/ca.key"
+ }
+ }
+ }
+ }
+ }
+ }
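Review bot: The `pki` block loads the CA signing key from `/complement/ca/ca.key`, so any process in a container started with this config can mint certificates that every peer trusting the Complement CA will accept, and JSON leaves no place to record that this is deliberate and test-only. That is reasonable for a throwaway test homeserver, but the constraint should be written down where the file is consumed (the Dockerfile or start script that renders the `{{ server_name }}` placeholders, neither of which is in this diff), for example `# caddy.complement.json reads Complement's CA private key; test images only`. The `on_demand` policy has no permission endpoint and appears to rely on `subjects` alone to limit issuance to the one server name, which is worth confirming as the intended bound.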
diff --git a/docker/complement/conf-workers/workers-shared.yaml b/docker/complement/conf-workers/workers-shared.yaml
new file mode 100644
index 0000000000..cdadb736f6
--- /dev/null
+++ b/docker/complement/conf-workers/workers-shared.yaml
@@ -0,0 +1,77 @@
+## Server ##
+report_stats: False
+trusted_key_servers: []
+enable_registration: true
+enable_registration_without_verification: true
+bcrypt_rounds: 4
+
+## Federation ##
+
+# disable verification of federation certificates
+#
+# TODO: Figure out why this is still needed even though we are making use of the custom CA
+federation_verify_certificates: false
+
+# trust certs signed by Complement's CA
+federation_custom_ca_list:
+- /complement/ca/ca.crt
+
+# unblacklist RFC1918 addresses
+federation_ip_range_blacklist: []
+
+# Disable server rate-limiting
+rc_federation:
+ window_size: 1000
+ sleep_limit: 10
+ sleep_delay: 500
+ reject_limit: 99999
+ concurrent: 3
+
+rc_message:
+ per_second: 9999
+ burst_count: 9999
+
+rc_registration:
+ per_second: 9999
+ burst_count: 9999
+
+rc_login:
+ address:
+ per_second: 9999
+ burst_count: 9999
+ account:
+ per_second: 9999
+ burst_count: 9999
+ failed_attempts:
+ per_second: 9999
+ burst_count: 9999
+
+rc_admin_redaction:
+ per_second: 9999
+ burst_count: 9999
+
+rc_joins:
+ local:
+ per_second: 9999
+ burst_count: 9999
+ remote:
+ per_second: 9999
+ burst_count: 9999
+
+federation_rr_transactions_per_room_per_second: 9999
+
+## Experimental Features ##
+
+experimental_features:
+ # Enable history backfilling support
+ msc2716_enabled: true
+ # Enable spaces support
+ spaces_enabled: true
+ # Enable jump to date endpoint
+ msc3030_enabled: true
+
+server_notices:
+ system_mxid_localpart: _server
+ system_mxid_display_name: "Server Alert"
+ system_mxid_avatar_url: ""
+ room_name: "Server Alert"
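Review bot: `federation_verify_certificates: false` turns off certificate checking altogether, so the `federation_custom_ca_list` entry directly below it is presumably never exercised and the tests cannot catch a regression in the custom-CA path; the TODO above it carries no issue reference to track removing the override. The file also sets `bcrypt_rounds: 4`, open registration without verification, an empty `federation_ip_range_blacklist` and effectively unlimited rate limits, yet nothing at the top says it is for Complement only. I would add a header such as `# Complement test-only settings: TLS verification, rate limits and IP blacklisting are disabled. Never use on a real homeserver.` and link the TODO to an issue. As a style point, `report_stats: False` should be `report_stats: false` to match the other booleans in the file.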