From 4a2d8a6c0cc7aad71ae1260fe89f271e75fe4f63 Mon Sep 17 00:00:00 2001 From: H-Shay Date: Tue, 21 Mar 2023 17:54:19 +0000 Subject: deploy: 96bcc5d9028e745df2f708c92b15e4e5bfc91328 --- v1.80.0/systemd-with-workers/index.html | 283 +++++++++++++++++++++ .../system/matrix-synapse-worker@.service | 26 ++ .../system/matrix-synapse.service | 22 ++ .../system/matrix-synapse.target | 6 + .../workers/background_worker.yaml | 8 + .../workers/event_persister.yaml | 24 ++ .../workers/federation_sender.yaml | 8 + .../workers/generic_worker.yaml | 15 ++ .../systemd-with-workers/workers/media_worker.yaml | 15 ++ .../workers/pusher_worker.yaml | 8 + 10 files changed, 415 insertions(+) create mode 100644 v1.80.0/systemd-with-workers/index.html create mode 100644 v1.80.0/systemd-with-workers/system/matrix-synapse-worker@.service create mode 100644 v1.80.0/systemd-with-workers/system/matrix-synapse.service create mode 100644 v1.80.0/systemd-with-workers/system/matrix-synapse.target create mode 100644 v1.80.0/systemd-with-workers/workers/background_worker.yaml create mode 100644 v1.80.0/systemd-with-workers/workers/event_persister.yaml create mode 100644 v1.80.0/systemd-with-workers/workers/federation_sender.yaml create mode 100644 v1.80.0/systemd-with-workers/workers/generic_worker.yaml create mode 100644 v1.80.0/systemd-with-workers/workers/media_worker.yaml create mode 100644 v1.80.0/systemd-with-workers/workers/pusher_worker.yaml (limited to 'v1.80.0/systemd-with-workers') diff --git a/v1.80.0/systemd-with-workers/index.html b/v1.80.0/systemd-with-workers/index.html new file mode 100644 index 0000000000..4f3f95444a --- /dev/null +++ b/v1.80.0/systemd-with-workers/index.html @@ -0,0 +1,283 @@ + + + + + + Systemd - Synapse + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+ + + + + + + +
+
+ +
+ +
+ +

Setting up Synapse with Workers and Systemd

+

This is a setup for managing synapse with systemd, including support for +managing workers. It provides a matrix-synapse service for the master, as +well as a matrix-synapse-worker@ service template for any workers you +require. Additionally, to group the required services, it sets up a +matrix-synapse.target.

+

See the folder system +for the systemd unit files.

+

The folder workers +contains an example configuration for the generic_worker worker.

+

Synapse configuration files

+

See the worker documentation for information on how to set up the +configuration files and reverse-proxy correctly. +Below is a sample generic_worker worker configuration file.

+
worker_app: synapse.app.generic_worker
+worker_name: generic_worker1
+
+# The replication listener on the main synapse process.
+worker_replication_host: 127.0.0.1
+worker_replication_http_port: 9093
+
+worker_listeners:
+  - type: http
+    port: 8083
+    x_forwarded: true
+    resources:
+      - names: [client, federation]
+
+worker_log_config: /etc/matrix-synapse/generic-worker-log.yaml
+
+

Systemd manages daemonization itself, so ensure that none of the configuration +files set either daemonize or worker_daemonize.

+

The config files of all workers are expected to be located in +/etc/matrix-synapse/workers. If you want to use a different location, edit +the provided *.service files accordingly.

+

There is no need for a separate configuration file for the master process.

+

Set up

+
    +
  1. Adjust synapse configuration files as above.
  2. +
  3. Copy the *.service and *.target files in system +to /etc/systemd/system.
  4. +
  5. Run systemctl daemon-reload to tell systemd to load the new unit files.
  6. +
  7. Run systemctl enable matrix-synapse.service. This will configure the +synapse master process to be started as part of the matrix-synapse.target +target.
  8. +
  9. For each worker process to be enabled, run systemctl enable matrix-synapse-worker@<worker_name>.service. For each <worker_name>, there +should be a corresponding configuration file. +/etc/matrix-synapse/workers/<worker_name>.yaml.
  10. +
  11. Start all the synapse processes with systemctl start matrix-synapse.target.
  12. +
  13. Tell systemd to start synapse on boot with systemctl enable matrix-synapse.target.
  14. +
+

Usage

+

Once the services are correctly set up, you can use the following commands +to manage your synapse installation:

+
# Restart Synapse master and all workers
+systemctl restart matrix-synapse.target
+
+# Stop Synapse and all workers
+systemctl stop matrix-synapse.target
+
+# Restart the master alone
+systemctl start matrix-synapse.service
+
+# Restart a specific worker (eg. generic_worker); the master is
+# unaffected by this.
+systemctl restart matrix-synapse-worker@generic_worker.service
+
+# Add a new worker (assuming all configs are set up already)
+systemctl enable matrix-synapse-worker@federation_writer.service
+systemctl restart matrix-synapse.target
+
+

Hardening

+

Optional: If further hardening is desired, the file +override-hardened.conf may be copied from +contrib/systemd/override-hardened.conf +in this repository to the location +/etc/systemd/system/matrix-synapse.service.d/override-hardened.conf (the +directory may have to be created). It enables certain sandboxing features in +systemd to further secure the synapse service. You may read the comments to +understand what the override file is doing. The same file will need to be copied to +/etc/systemd/system/matrix-synapse-worker@.service.d/override-hardened-worker.conf +(this directory may also have to be created) in order to apply the same +hardening options to any worker processes.

+

Once these files have been copied to their appropriate locations, simply reload +systemd's manager config files and restart all Synapse services to apply the hardening options. They will automatically +be applied at every restart as long as the override files are present at the +specified locations.

+
systemctl daemon-reload
+
+# Restart services
+systemctl restart matrix-synapse.target
+
+

In order to see their effect, you may run systemd-analyze security matrix-synapse.service before and after applying the hardening options to see +the changes being applied at a glance.

+ +
+ + +
+
+ + + +
+ + + + + + + + + + + + +
\ No newline at end of file
diff --git a/v1.80.0/systemd-with-workers/system/matrix-synapse-worker@.service b/v1.80.0/systemd-with-workers/system/matrix-synapse-worker@.service
new file mode 100644
index 0000000000..8f5c44c9d4
--- /dev/null
+++ b/v1.80.0/systemd-with-workers/system/matrix-synapse-worker@.service
@@ -0,0 +1,26 @@
+[Unit]
+Description=Synapse %i
+AssertPathExists=/etc/matrix-synapse/workers/%i.yaml
+
+# This service should be restarted when the synapse target is restarted.
+PartOf=matrix-synapse.target
+ReloadPropagatedFrom=matrix-synapse.target
+
+# if this is started at the same time as the main, let the main process start
+# first, to initialise the database schema.
+After=matrix-synapse.service
+
+[Service]
+Type=notify
+NotifyAccess=main
+User=matrix-synapse
+WorkingDirectory=/var/lib/matrix-synapse
+EnvironmentFile=-/etc/default/matrix-synapse
+ExecStart=/opt/venvs/matrix-synapse/bin/python -m synapse.app.generic_worker --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/ --config-path=/etc/matrix-synapse/workers/%i.yaml
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=always
+RestartSec=3
+SyslogIdentifier=matrix-synapse-%i
+
+[Install]
+WantedBy=matrix-synapse.target
diff --git a/v1.80.0/systemd-with-workers/system/matrix-synapse.service b/v1.80.0/systemd-with-workers/system/matrix-synapse.service
new file mode 100644
index 0000000000..0c73fb55fb
--- /dev/null
+++ b/v1.80.0/systemd-with-workers/system/matrix-synapse.service
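Review bot: The [Service] section of the worker template carries no sandboxing directives at all (no NoNewPrivileges=, ProtectSystem= or PrivateTmp=), so a worker runs with the full filesystem and capability view of the matrix-synapse user unless the opt-in drop-in described on the docs page is installed; matrix-synapse.service in the next hunk has the same shape. Because that hardening override is a separate, easily skipped step, the unit itself should point operators at it, e.g. a comment above `[Service]` reading `# Sandboxing is not applied here; install the optional drop-in from contrib/systemd/override-hardened.conf (see the Hardening section of the docs)`. Both units use `%i` only inside the path that `AssertPathExists=` already checks, which looks fine as written.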
@@ -0,0 +1,22 @@
+[Unit]
+Description=Synapse master
+
+# This service should be restarted when the synapse target is restarted.
+PartOf=matrix-synapse.target
+ReloadPropagatedFrom=matrix-synapse.target
+
+[Service]
+Type=notify
+NotifyAccess=main
+User=matrix-synapse
+WorkingDirectory=/var/lib/matrix-synapse
+EnvironmentFile=-/etc/default/matrix-synapse
+ExecStartPre=/opt/venvs/matrix-synapse/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/ --generate-keys
+ExecStart=/opt/venvs/matrix-synapse/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=always
+RestartSec=3
+SyslogIdentifier=matrix-synapse
+
+[Install]
+WantedBy=matrix-synapse.target
diff --git a/v1.80.0/systemd-with-workers/system/matrix-synapse.target b/v1.80.0/systemd-with-workers/system/matrix-synapse.target
new file mode 100644
index 0000000000..e0eba1b342
--- /dev/null
+++ b/v1.80.0/systemd-with-workers/system/matrix-synapse.target
@@ -0,0 +1,6 @@
+[Unit]
+Description=Synapse parent target
+After=network.target
+
+[Install]
+WantedBy=multi-user.target
diff --git a/v1.80.0/systemd-with-workers/workers/background_worker.yaml b/v1.80.0/systemd-with-workers/workers/background_worker.yaml
new file mode 100644
index 0000000000..9fbfbda7db
--- /dev/null
+++ b/v1.80.0/systemd-with-workers/workers/background_worker.yaml
@@ -0,0 +1,8 @@
+worker_app: synapse.app.generic_worker
+worker_name: background_worker
+
+# The replication listener on the main synapse process.
+worker_replication_host: 127.0.0.1
+worker_replication_http_port: 9093
+
+worker_log_config: /etc/matrix-synapse/background-worker-log.yaml
diff --git a/v1.80.0/systemd-with-workers/workers/event_persister.yaml b/v1.80.0/systemd-with-workers/workers/event_persister.yaml
new file mode 100644
index 0000000000..c11d5897b1
--- /dev/null
+++ b/v1.80.0/systemd-with-workers/workers/event_persister.yaml
@@ -0,0 +1,24 @@
+worker_app: synapse.app.generic_worker
+worker_name: event_persister1
+
+# The replication listener on the main synapse process.
+worker_replication_host: 127.0.0.1
+worker_replication_http_port: 9093
+
+worker_listeners:
+ - type: http
+ port: 8034
+ resources:
+ - names: [replication]
+
+ # Enable listener if this stream writer handles endpoints for the `typing` or
+ # `to_device` streams. Uses a different port to the `replication` listener to
+ # avoid exposing the `replication` listener publicly.
+ #
+ #- type: http
+ # port: 8035
+ # x_forwarded: true
+ # resources:
+ # - names: [client]
+
+worker_log_config: /etc/matrix-synapse/event-persister-log.yaml
diff --git a/v1.80.0/systemd-with-workers/workers/federation_sender.yaml b/v1.80.0/systemd-with-workers/workers/federation_sender.yaml
new file mode 100644
index 0000000000..5c591aec2c
--- /dev/null
+++ b/v1.80.0/systemd-with-workers/workers/federation_sender.yaml
@@ -0,0 +1,8 @@
+worker_app: synapse.app.federation_sender
+worker_name: federation_sender1
+
+# The replication listener on the main synapse process.
+worker_replication_host: 127.0.0.1
+worker_replication_http_port: 9093
+
+worker_log_config: /etc/matrix-synapse/federation-sender-log.yaml
diff --git a/v1.80.0/systemd-with-workers/workers/generic_worker.yaml b/v1.80.0/systemd-with-workers/workers/generic_worker.yaml
new file mode 100644
index 0000000000..a858f99ed1
--- /dev/null
+++ b/v1.80.0/systemd-with-workers/workers/generic_worker.yaml
@@ -0,0 +1,15 @@
+worker_app: synapse.app.generic_worker
+worker_name: generic_worker1
+
+# The replication listener on the main synapse process.
+worker_replication_host: 127.0.0.1
+worker_replication_http_port: 9093
+
+worker_listeners:
+ - type: http
+ port: 8083
+ x_forwarded: true
+ resources:
+ - names: [client, federation]
+
+worker_log_config: /etc/matrix-synapse/generic-worker-log.yaml
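Review bot: The `replication` listener on port 8034 sets no bind_addresses, so whether it is reachable from beyond the local host depends on Synapse's listener default rather than on anything in the example, while the in-file comment a few lines below already says this listener must not be exposed publicly. The examples reach the main process over loopback (`worker_replication_host: 127.0.0.1`) and set no `worker_replication_secret`, so the cheap fix is to pin the listener explicitly: add `bind_addresses: ['127.0.0.1']` directly under `port: 8034`. That also makes the commented-out client listener on 8035 the only one that would ever need to face the reverse proxy, which matches the intent of the existing comment.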
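Review bot: `x_forwarded: true` on the client/federation listener (port 8083) makes the worker take the client address from the X-Forwarded-For header, so the listener is only safe when nothing but the reverse proxy can reach it; the example sets no bind_addresses and the surrounding page defers the proxy setup to the worker documentation. A one-line warning above the listener would make the constraint visible where it matters, e.g. `# Expose this port only to the reverse proxy: x_forwarded makes the worker trust X-Forwarded-For`, or add `bind_addresses: ['127.0.0.1']` when the proxy runs on the same host. media_worker.yaml in the next hunk has the same shape on port 8085.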
diff --git a/v1.80.0/systemd-with-workers/workers/media_worker.yaml b/v1.80.0/systemd-with-workers/workers/media_worker.yaml
new file mode 100644
index 0000000000..8ad046f11a
--- /dev/null
+++ b/v1.80.0/systemd-with-workers/workers/media_worker.yaml
@@ -0,0 +1,15 @@
+worker_app: synapse.app.media_repository
+worker_name: media_worker
+
+# The replication listener on the main synapse process.
+worker_replication_host: 127.0.0.1
+worker_replication_http_port: 9093
+
+worker_listeners:
+ - type: http
+ port: 8085
+ x_forwarded: true
+ resources:
+ - names: [media]
+
+worker_log_config: /etc/matrix-synapse/media-worker-log.yaml
diff --git a/v1.80.0/systemd-with-workers/workers/pusher_worker.yaml b/v1.80.0/systemd-with-workers/workers/pusher_worker.yaml
new file mode 100644
index 0000000000..46e22c6f06
--- /dev/null
+++ b/v1.80.0/systemd-with-workers/workers/pusher_worker.yaml
@@ -0,0 +1,8 @@
+worker_app: synapse.app.pusher
+worker_name: pusher_worker1
+
+# The replication listener on the main synapse process.
+worker_replication_host: 127.0.0.1
+worker_replication_http_port: 9093
+
+worker_log_config: /etc/matrix-synapse/pusher-worker-log.yaml
-- cgit 1.4.1