From 9a4ff413df89d12494f725ec05076e0b4c97f990 Mon Sep 17 00:00:00 2001 From: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> Date: Fri, 29 Jan 2021 13:12:15 +0000 Subject: [PATCH] Add a new dockerfile for worker-mode synapse (#62) This PR adds a new Dockerfile containing the configuration for a Synapse running in worker mode. Some additional files were required to support the image. 1. A caddy binary needed to be placed in the container for terminating TLS requests on the federation port (thanks to Conduit for the idea!). The included file is a Caddy config json file. 2. A shared config file to hand to each Synapse worker was necessary. This file is subtly different from [dockerfiles/synapse/homeserver.yaml](https://github.com/matrix-org/complement/blob/master/dockerfiles/synapse/homeserver.yaml), though it may be nice to have both files be derived from a shared file in the future. The intention of this is to add testing of Synapse in worker mode to Complement's CI. It is paired with https://github.com/matrix-org/synapse/pull/9162. --- dockerfiles/SynapseWorkers.Dockerfile | 53 ++++++++++++++++ dockerfiles/synapse/caddy.complement.json | 76 +++++++++++++++++++++++ dockerfiles/synapse/workers-shared.yaml | 59 ++++++++++++++++++ 3 files changed, 188 insertions(+) create mode 100644 dockerfiles/SynapseWorkers.Dockerfile create mode 100644 dockerfiles/synapse/caddy.complement.json create mode 100644 dockerfiles/synapse/workers-shared.yaml diff --git a/dockerfiles/SynapseWorkers.Dockerfile b/dockerfiles/SynapseWorkers.Dockerfile new file mode 100644 index 00000000..8214e27f --- /dev/null +++ b/dockerfiles/SynapseWorkers.Dockerfile 
@@ -0,0 +1,53 @@
+# This dockerfile builds on top of Dockerfile-worker and includes a built-in postgres instance
+# as well as sets up the homeserver so that it is ready for testing via Complement
+FROM matrixdotorg/synapse:workers
+
+# Download a caddy server to stand in front of nginx and terminate TLS using Complement's
+# custom CA.
+# We include this near the top of the file in order to cache the result.
+RUN curl -OL "https://github.com/caddyserver/caddy/releases/download/v2.3.0/caddy_2.3.0_linux_amd64.tar.gz" && \
+ tar xzf caddy_2.3.0_linux_amd64.tar.gz && rm caddy_2.3.0_linux_amd64.tar.gz && mv caddy /root
+
+# Install postgresql
+RUN apt-get update
+RUN apt-get install -y postgresql
+
+# Configure a user and create a database for Synapse
+RUN pg_ctlcluster 11 main start && su postgres -c "echo \
+ \"ALTER USER postgres PASSWORD 'somesecret'; \
+ CREATE DATABASE synapse \
+ ENCODING 'UTF8' \
+ LC_COLLATE='C' \
+ LC_CTYPE='C' \
+ template=template0;\" | psql" && pg_ctlcluster 11 main stop
+
+# Modify the shared homeserver config with postgres support, certificate setup
+# and the disabling of rate-limiting
+COPY synapse/workers-shared.yaml /conf/workers/shared.yaml
+
+WORKDIR /root
+
+# Copy the caddy config
+COPY synapse/caddy.complement.json /root/caddy.json
+
+# Expose caddy's listener ports
+EXPOSE 8008 8448
+
+ENTRYPOINT \
+ # Replace the server name in the caddy config
+ sed -i "s/{{ server_name }}/${SERVER_NAME}/g" /root/caddy.json && \
+ # Start postgres
+ pg_ctlcluster 11 main start > /dev/null 2>&1 && \
+ # Start caddy
+ /root/caddy start --config /root/caddy.json > /dev/null 2>&1 && \
+ # Set the server name of the homeserver
+ SYNAPSE_SERVER_NAME=${SERVER_NAME} \
+ # No need to report stats here
+ SYNAPSE_REPORT_STATS=no \
+ # Set postgres authentication details which will be placed in the homeserver config file
+ POSTGRES_PASSWORD=somesecret POSTGRES_USER=postgres POSTGRES_HOST=localhost \
+ # Use all available worker types
+ SYNAPSE_WORKERS=* \
+ # Run the script that writes the necessary config files and starts supervisord, which in turn
+ # starts everything else
+ /configure_workers_and_start.py
diff --git a/dockerfiles/synapse/caddy.complement.json b/dockerfiles/synapse/caddy.complement.json
new file mode 100644
index 00000000..db739c60
--- /dev/null
+++ b/dockerfiles/synapse/caddy.complement.json
@@ -0,0 +1,76 @@
+{
+ "apps": {
+ "http": {
+ "servers": {
+ "srv0": {
+ "listen": [
+ ":8448"
+ ],
+ "routes": [
+ {
+ "match": [
+ {
+ "host": [
+ "{{ server_name }}"
+ ]
+ }
+ ],
+ "handle": [
+ {
+ "handler": "subroute",
+ "routes": [
+ {
+ "handle": [
+ {
+ "handler": "reverse_proxy",
+ "upstreams": [
+ {
+ "dial": "localhost:8008"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "terminal": true
+ }
+ ]
+ }
+ }
+ },
+ "tls": {
+ "automation": {
+ "policies": [
+ {
+ "subjects": [
+ "{{ server_name }}"
+ ],
+ "issuers": [
+ {
+ "module": "internal"
+ }
+ ],
+ "on_demand": true
+ }
+ ]
+ }
+ },
+ "pki": {
+ "certificate_authorities": {
+ "local": {
+ "name": "Complement CA",
+ "root": {
+ "certificate": "/ca/ca.crt",
+ "private_key": "/ca/ca.key"
+ },
+ "intermediate": {
+ "certificate": "/ca/ca.crt",
+ "private_key": "/ca/ca.key"
+ }
+ }
+ }
+ }
+ }
+ }
diff --git a/dockerfiles/synapse/workers-shared.yaml b/dockerfiles/synapse/workers-shared.yaml
new file mode 100644
index 00000000..e0572d86
--- /dev/null
+++ b/dockerfiles/synapse/workers-shared.yaml
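Review bot: `RUN apt-get update` and `RUN apt-get install -y postgresql` are separate layers, so a cached index layer can be paired with a later install that then fails on a stale package list, and the list files remain in the image; merging them into one step with `--no-install-recommends` and a `rm -rf /var/lib/apt/lists/*` cleanup fixes both. The caddy tarball fetched with `curl -OL` is pinned to v2.3.0 but never integrity-checked, so the build layer trusts whatever the download returns; a `sha256sum -c` against a known digest is cheap and makes the layer reproducible (digest left as a placeholder below). `${SERVER_NAME}` is substituted unescaped into the `sed` expression, so a value containing `/` would break the ENTRYPOINT; presumably Complement only passes plain hostnames, but a different sed delimiter and quoting `SYNAPSE_WORKERS='*'` would make the shell-form ENTRYPOINT less fragile.
```dockerfile
# … unchanged: header comment and FROM …

# Download a pinned caddy release and verify it before unpacking, so a tampered or
# replaced download cannot reach the image.
RUN curl -fsSLO "https://github.com/caddyserver/caddy/releases/download/v2.3.0/caddy_2.3.0_linux_amd64.tar.gz" && \
    echo "<CADDY_2_3_0_LINUX_AMD64_SHA256 placeholder: take from the v2.3.0 release checksums>  caddy_2.3.0_linux_amd64.tar.gz" | sha256sum -c - && \
    tar xzf caddy_2.3.0_linux_amd64.tar.gz && rm caddy_2.3.0_linux_amd64.tar.gz && mv caddy /root

# Install postgresql in a single layer: update, install and cleanup together, so the
# package index is never reused stale and the list files do not stay in the image.
RUN apt-get update && apt-get install -y --no-install-recommends postgresql \
    && rm -rf /var/lib/apt/lists/*

# … unchanged: database setup, COPY, WORKDIR, EXPOSE, ENTRYPOINT …
```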
@@ -0,0 +1,59 @@
+## Server ##
+report_stats: False
+trusted_key_servers: []
+enable_registration: true
+
+## Federation ##
+
+# disable verification of federation certificates
+#
+# TODO: Figure out why this is still needed even though we are making use of the custom CA
+federation_verify_certificates: false
+
+# trust certs signed by Complement's CA
+federation_custom_ca_list:
+- /ca/ca.crt
+
+# unblacklist RFC1918 addresses
+federation_ip_range_blacklist: []
+
+# Disable server rate-limiting
+rc_federation:
+ window_size: 1000
+ sleep_limit: 10
+ sleep_delay: 500
+ reject_limit: 99999
+ concurrent: 3
+
+rc_message:
+ per_second: 9999
+ burst_count: 9999
+
+rc_registration:
+ per_second: 9999
+ burst_count: 9999
+
+rc_login:
+ address:
+ per_second: 9999
+ burst_count: 9999
+ account:
+ per_second: 9999
+ burst_count: 9999
+ failed_attempts:
+ per_second: 9999
+ burst_count: 9999
+
+rc_admin_redaction:
+ per_second: 9999
+ burst_count: 9999
+
+rc_joins:
+ local:
+ per_second: 9999
+ burst_count: 9999
+ remote:
+ per_second: 9999
+ burst_count: 9999
+
+federation_rr_transactions_per_room_per_second: 9999
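Review bot: The comment `# Disable server rate-limiting` above `rc_federation` overstates what follows: the `rc_*` blocks raise the limits to 9999 rather than turning them off, so a test that bursts past them is still throttled. `# Raise rate limits high enough that Complement tests never hit them` would describe the block accurately. Booleans also mix styles (`report_stats: False` next to `enable_registration: true` and `federation_verify_certificates: false`); lowercase `false` keeps the file consistent.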