Adding Healthcheck and upgrading to latest synapse backend

docker-compose.yaml

@@ -2,7 +2,7 @@
 services:
 
   synapse:
-    image: ghcr.io/element-hq/synapse:v1.105.1
+    image: ghcr.io/element-hq/synapse:v1.126.0
     restart: always
     environment:
       - SYNAPSE_CONFIG_PATH=/data/homeserver.yaml
@@ -17,9 +17,15 @@ services:
       matrix_db:
     ports:
       - 8008:8008
+    healthcheck:
+      test: ["CMD", "curl", "-fSs", "http://localhost:8008/health"]
+      interval: 15s
+      timeout: 5s
+      retries: 3
+      start_period: 5s
 
   db:
-    image: docker.io/postgres:16.2-alpine
+    image: docker.io/postgres:16-alpine
     environment:
       - POSTGRES_DB=synapse
       - POSTGRES_USER=matrix_synapse
@@ -31,7 +37,7 @@ services:
       matrix_db:
   
   element:
-    image: vectorim/element-web:v1.11.65
+    image: vectorim/element-web:v1.11.95
     restart: unless-stopped
     volumes:
       - ./config/element/element-config.json:/app/config.json
@@ -39,7 +45,8 @@ services:
       matrix_server:
         ipv4_address: 10.10.10.3
     depends_on:
-      - synapse
+      synapse:
+        condition: service_healthy
 
   sydent:
     image: docker.io/matrixdotorg/sydent:v2.6.1
@@ -48,35 +55,21 @@ services:
       matrix_server:
         ipv4_address: 10.10.10.5
     depends_on:
-      - synapse
+      synapse:
+        condition: service_healthy
 
   synapse-admin:
-    image: awesometechnologies/synapse-admin:0.10.1
+    image: awesometechnologies/synapse-admin:0.10.3
     restart: unless-stopped
     networks:
       matrix_server:
         ipv4_address: 10.10.10.6
     depends_on:
-      - synapse
-
-  sliding-sync:
-    image: ghcr.io/matrix-org/sliding-sync:v0.99.16
-
-    restart: always
-    environment:
-      - SYNCV3_BINDADDR=:8008
-      - SYNCV3_SERVER=https://DOMAIN
-      - SYNCV3_SECRET=SLIDING_SYNC_KEY
-      - SYNCV3_DB=user=matrix_synapse dbname=synapse sslmode=disable host=db password=PG_PASS
-    networks:
-      matrix_server:
-        ipv4_address: 10.10.10.7
-      matrix_db:
-    depends_on:
-      - synapse
+      synapse:
+        condition: service_healthy
 
   hydrogen-web:
-    image: ghcr.io/element-hq/hydrogen-web:v0.4.1
+    image: ghcr.io/element-hq/hydrogen-web:v0.5.1
     restart: unless-stopped
     environment:
       - |

install.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-set -euo pipefail
+set -eo pipefail
 
 DOMAIN=$1
 if [ -z ${DOMAIN} ]; then
@@ -94,7 +94,7 @@ PG_PASS=$(pwgen -s 28 -1)
 sed -i "s|DOMAIN|${DOMAIN}|g" "${BASE_DIR}/docker-compose.yaml"
 sed -i "s|PG_PASS|${PG_PASS}|g" "${BASE_DIR}/docker-compose.yaml"
 
-# Generate synapse file
+# Generate synapse config file
 echo -e "Generating synapse file..\n"
 docker compose run --rm -e SYNAPSE_SERVER_NAME=${DOMAIN} -e SYNAPSE_REPORT_STATS=yes synapse generate
 
@@ -111,6 +111,7 @@ cp /tmp/homeserver.yaml "${BASE_DIR}/config/synapse/homeserver.yaml"
 
 # Configure User Directory and TURN
 cat <<EOF >> "${BASE_DIR}/config/synapse/homeserver.yaml"
+public_baseurl: "https://${DOMAIN}"
 user_directory:
     enabled: true
     search_all_users: true
@@ -121,6 +122,7 @@ turn_user_lifetime: 86400000
 turn_shared_secret: "${TURN_STATIC_SECRET}"
 turn_uris: [ "turn:${DOMAIN}?transport=udp" ]
 suppress_key_server_warning: true
+enable_authenticated_media: False
 retention:
   enabled: true
   default_policy:
@@ -158,14 +160,10 @@ server {
     # Hardening
     add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
     add_header Content-Security-Policy "default-src 'self' ${DOMAIN} http: https: data: blob: 'unsafe-inline' 'unsafe-eval'" always;
+    add_header X-XSS-Protection "1; mode=block";
+    add_header X-Content-Type-Options nosniff;
     add_header X-Frame-Options "SAMEORIGIN";
 
-    location /.well-known/matrix/client {
-        default_type application/json;
-        add_header Access-Control-Allow-Origin *;
-        return 200 '{"m.homeserver": {"base_url": "https://${DOMAIN}"}, "org.matrix.msc3575.proxy": {"url": "https://${DOMAIN}"}}';
-    }
-
     # Admin panel
     location /admin/ {
         proxy_pass http://10.10.10.6/;
@@ -175,21 +173,23 @@ server {
         proxy_http_version 1.1;
     }
 
-    # Sydent identity server
-    location ~ ^(/_matrix/identity) {
-        proxy_pass http://10.10.10.5:8090;
+    # Proxy for Synapse Admin Panel
+    location /_synapse/admin {
+        proxy_pass http://10.10.10.4:8008;
         proxy_set_header X-Forwarded-For \$remote_addr;
         proxy_set_header X-Forwarded-Proto \$scheme;
         proxy_set_header Host \$host;
+        client_max_body_size 50M;
         proxy_http_version 1.1;
     }
 
-    # Sliding Sync
-    location ~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync) {
-        proxy_pass http://10.10.10.7:8008;
+    # Sydent identity server
+    location ~ ^(/_matrix/identity) {
+        proxy_pass http://10.10.10.5:8090;
         proxy_set_header X-Forwarded-For \$remote_addr;
         proxy_set_header X-Forwarded-Proto \$scheme;
         proxy_set_header Host \$host;
+        proxy_http_version 1.1;
     }
 
     # Synapse Backend
@@ -214,6 +214,12 @@ server {
         proxy_http_version 1.1;
     }
 
+    location /.well-known/matrix/client {
+        default_type application/json;
+        add_header Access-Control-Allow-Origin *;
+        return 200 '{"m.homeserver": {"base_url": "https://${DOMAIN}"}, "m.identity_server": {"base_url": "https://${DOMAIN}"}}';
+    }
+
     # Element Frontend
     location / {
         # Element chat Container Network IP

killall.sh

@@ -11,10 +11,14 @@ if [ "${answer}" != "${answer#[Yy]}" ] ;then
     systemctl disable --now nginx
     systemctl disable --now coturn
 
+    echo "Deleting all containers"
+    for container in `docker ps -a  | awk '{print $1}' | tail +2`; do docker rm -f ${container}; done
+
     echo "Purging containers data"
     docker system prune -a -f
 
     echo "Removing packages"
+    cd /tmp
     apt remove -y --purge pwgen nginx python3-certbot-nginx coturn* docker*
     systemctl daemon-reload