From a646255def9f28cb1041ad6bf1d040b3ded14c1d Mon Sep 17 00:00:00 2001
From: Robert Swain
Date: Mon, 26 Jun 2017 14:40:43 +0200
Subject: [PATCH] docker: Add build and full compose setup
---
docker-build.sh | 21 +++++
docker-compose.yml | 21 -----
docker/.env | 1 +
docker/.gitignore | 3 +
docker/README.md | 33 +++++++
docker/dendrite-config.yaml | 73 ++++++++++++++++
docker/docker-compose.yaml | 170 ++++++++++++++++++++++++++++++++++++
docker/generate-keys.sh | 17 ++++
docker/init-dendrite-dbs.sh | 10 +++
9 files changed, 328 insertions(+), 21 deletions(-)
create mode 100755 docker-build.sh
delete mode 100644 docker-compose.yml
create mode 100644 docker/.env
create mode 100644 docker/.gitignore
create mode 100644 docker/README.md
create mode 100644 docker/dendrite-config.yaml
create mode 100644 docker/docker-compose.yaml
create mode 100755 docker/generate-keys.sh
create mode 100755 docker/init-dendrite-dbs.sh
diff --git a/docker-build.sh b/docker-build.sh
new file mode 100755
index 000000000..0792aeefa
--- /dev/null
+++ b/docker-build.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -e
+
+GOOS=linux GOARCH=amd64 gb build
+
+mkdir -p docker/bin
+cp bin/*linux-amd64 docker/bin/
+
+cd docker
+
+for cli in {client,federation}-api-proxy dendrite-{{client,federation,media,sync}-api,room}-server; do
+ dockerfile=Dockerfile.$cli
+ cat < $dockerfile
+FROM scratch
+COPY bin/$cli-linux-amd64 $cli
+ENTRYPOINT ["/$cli"]
+EOF
+ docker build -t $cli -f $dockerfile .
+ rm $dockerfile
+done
diff --git a/docker-compose.yml b/docker-compose.yml
deleted file mode 100644
index f961ee1fb..000000000
--- a/docker-compose.yml
+++ /dev/null
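Review bot: The Dockerfile that docker-build.sh generates inside its `for cli in …` loop has no `USER` line, so every image built from it runs its binary as uid 0 in the container. Nothing visible in this patch needs root: the proxies bind 8443 and 8449 and the servers bind 7770 to 7774, all unprivileged ports. I would add a numeric user after the `COPY` line, `USER 65534:65534`, numeric because a `FROM scratch` image has no user database to resolve a name. The host directories that the compose file bind-mounts for media would then have to be writable by that uid. Quoting the expansions in `docker build -t "$cli" -f "$dockerfile" .` is also worth doing, even though the loop values are fixed.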
@@ -1,21 +0,0 @@
-version: '2'
-services:
- zookeeper:
- image: wurstmeister/zookeeper
- ports:
- - "2181:2181"
- kafka:
- image: wurstmeister/kafka:0.10.2.0
- ports:
- - "9092:9092"
- environment:
- KAFKA_ADVERTISED_HOST_NAME: localhost
- KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
- volumes:
- - /var/run/docker.sock:/var/run/docker.sock
- postgres:
- image: postgres:9.6
- ports:
- - "5432:5432"
- environment:
- POSTGRES_PASSWORD: SUPERSECRETPASSWORD
diff --git a/docker/.env b/docker/.env
new file mode 100644
index 000000000..ec5cb6dca
--- /dev/null
+++ b/docker/.env
@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=dendrite
diff --git a/docker/.gitignore b/docker/.gitignore
new file mode 100644
index 000000000..4817f4aca
--- /dev/null
+++ b/docker/.gitignore
@@ -0,0 +1,3 @@
+Dockerfile*
+bin/
+certs/
diff --git a/docker/README.md b/docker/README.md
new file mode 100644
index 000000000..5ab5df817
--- /dev/null
+++ b/docker/README.md
@@ -0,0 +1,33 @@
+# dendrite in docker
+
+## Building images
+
+At the top level of the dendrite repository there is a `docker-build.sh` script that builds all necessary docker images for running the `docker-compose.yaml` deployment here.
+
+## Configuration
+
+There are a few aspects to configuration of a dendrite deployment for docker-compose:
+
+* `dendrite-config.yaml`
+* certificates
+* environment variables
+
+### `dendrite-config.yaml`
+
+An example `dendrite-config.yaml` is included here. Modify the `server_name` as needed but the rest should just work.
+
+### certificates
+
+Certificates can be generated by running `generate-keys.sh` that is in this directory.
+
+### Environment variables
+
+The following environment variables **MUST** be set when running `docker-compose` in order for everything to work properly:
+
+* `POSTGRES_PASSWORD` - set this to something secret
+
+Note: `COMPOSE_PROJECT_NAME` is set to `dendrite` in the `.env` file in this directory so that containers will be called `dendrite__1`.
+
+## Running
+
+From this directory, run `POSTGRES_PASSWORD=YOURSECRET docker-compose up -d`. The client-api-proxy will be exposed on `https://0.0.0.0:8443` and the federation-api-proxy on `https://0.0.0.0:8449`.
diff --git a/docker/dendrite-config.yaml b/docker/dendrite-config.yaml
new file mode 100644
index 000000000..a6ff60b7b
--- /dev/null
+++ b/docker/dendrite-config.yaml
@@ -0,0 +1,73 @@
+# The config file version format
+version: v0
+
+# The matrix specific config
+matrix:
+ # The name of the server. This is usually the domain name, e.g 'matrix.org', 'localhost'.
+ server_name: "localhost"
+ # The path to the PEM formatted matrix private key.
+ private_key: "/certs/matrix_key.pem"
+ # The x509 certificates used by the federation listeners for this server
+ federation_certificates: ["/certs/server.crt"]
+
+# The media repository config
+media:
+ # The base path to where the media files will be stored. May be relative or absolute.
+ base_path: /media
+
+ # The maximum file size in bytes that is allowed to be stored on this server.
+ # Note: if max_file_size_bytes is set to 0, the size is unlimited.
+ # Note: if max_file_size_bytes is not set, it will default to 10485760 (10MB)
+ max_file_size_bytes: 10485760
+
+ # Whether to dynamically generate thumbnails on-the-fly if the requested resolution is not already generated
+ # NOTE: This is a possible denial-of-service attack vector - use at your own risk
+ dynamic_thumbnails: false
+
+ # A list of thumbnail sizes to be pre-generated for downloaded remote / uploaded content
+ # method is one of crop or scale. If omitted, it will default to scale.
+ # crop scales to fill the requested dimensions and crops the excess.
+ # scale scales to fit the requested dimensions and one dimension may be smaller than requested.
+ thumbnail_sizes:
+ - width: 32
+ height: 32
+ method: crop
+ - width: 96
+ height: 96
+ method: crop
+ - width: 320
+ height: 240
+ method: scale
+ - width: 640
+ height: 480
+ method: scale
+ - width: 800
+ height: 600
+ method: scale
+
+# The config for communicating with kafka
+kafka:
+ # Where the kafka servers are running.
+ addresses: ["kafka:9092"]
+ # The names of the kafka topics to use.
+ topics:
+ input_room_event: roomserverInput
+ output_room_event: roomserverOutput
+
+# The postgres connection configs for connecting to the databases e.g a postgres:// URI
+database:
+ account: "postgres://postgres@postgres/dendrite_account?sslmode=disable"
+ device: "postgres://postgres@postgres/dendrite_device?sslmode=disable"
+ media_api: "postgres://postgres@postgres/dendrite_media_api?sslmode=disable"
+ sync_api: "postgres://postgres@postgres/dendrite_sync_api?sslmode=disable"
+ room_server: "postgres://postgres@postgres/dendrite_room_server?sslmode=disable"
+ server_key: "postgres://postgres@postgres/dendrite_server_key?sslmode=disable"
+
+# The TCP host:port pairs to bind the internal HTTP APIs to.
+# These shouldn't be exposed to the public internet.
+listen:
+ room_server: "room-server:7770"
+ client_api: "client-api-server:7771"
+ federation_api: "federation-api-server:7772"
+ sync_api: "sync-api-server:7773"
+ media_api: "media-api-server:7774"
diff --git a/docker/docker-compose.yaml b/docker/docker-compose.yaml
new file mode 100644
index 000000000..3ea150bb8
--- /dev/null
+++ b/docker/docker-compose.yaml
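Review bot: All six `database:` URIs in docker/dendrite-config.yaml connect as the `postgres` superuser with `sslmode=disable`, and the README presents this file as the example to copy. With a shared superuser login, a compromise of any one dendrite component carries superuser rights over every database in the instance. I would have the init script create a dedicated role (its contents are not visible here) and use it in the URIs, for example `account: "postgres://dendrite@postgres/dendrite_account?sslmode=disable"`, where the role name `dendrite` is only illustrative. A comment above the block would also help: `# sslmode=disable is only acceptable while postgres is reachable solely over the compose backend network`.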
@@ -0,0 +1,170 @@
+version: '3'
+services:
+ zookeeper:
+ image: wurstmeister/zookeeper
+ networks:
+ - backend
+ expose:
+ - "2181"
+ restart: unless-stopped
+ kafka:
+ image: wurstmeister/kafka:0.10.2.0
+ environment:
+ KAFKA_ADVERTISED_HOST_NAME: kafka
+ KAFKA_ADVERTISED_PORT: "9092"
+ KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ networks:
+ - backend
+ expose:
+ - "9092"
+ depends_on:
+ - zookeeper
+ restart: unless-stopped
+ postgres:
+ image: postgres:9.6
+ environment:
+ POSTGRES_PASSWORD: $POSTGRES_PASSWORD
+ volumes:
+ - ./init-dendrite-dbs.sh:/docker-entrypoint-initdb.d/init-dendrite-dbs.sh
+ - $HOME/dendrite/postgres:/var/lib/postgresql/data
+ networks:
+ - backend
+ ports:
+ - "5432:5432"
+ restart: unless-stopped
+
+ client-api-proxy:
+ image: client-api-proxy
+ command: >-
+ --sync-api-server-url http://sync-api-server:7773
+ --client-api-server-url http://client-api-server:7771
+ --media-api-server-url http://media-api-server:7774
+ --bind-address 0.0.0.0:8443
+ --tls-cert /certs/server.crt
+ --tls-key /certs/server.key
+ volumes:
+ - ./certs:/certs
+ networks:
+ - frontend
+ - backend
+ ports:
+ - "8443:8443"
+ depends_on:
+ - sync-api-server
+ - client-api-server
+ - media-api-server
+ restart: unless-stopped
+ federation-api-proxy:
+ image: federation-api-proxy
+ command: >-
+ --federation-api-url http://federation-api-server:7772
+ --bind-address 0.0.0.0:8449
+ --tls-cert /certs/server.crt
+ --tls-key /certs/server.key
+ # --media-api-url http://media-api-server:7774
+ volumes:
+ - ./certs:/certs
+ networks:
+ - frontend
+ - backend
+ ports:
+ - "8449:8449"
+ depends_on:
+ - federation-api-server
+ restart: unless-stopped
+
+ room-server:
+ image: dendrite-room-server
+ command: --config /dendrite-config.yaml
+ environment:
+ PGHOST: postgres
+ PGPASSWORD: $POSTGRES_PASSWORD
+ volumes:
+ - ./dendrite-config.yaml:/dendrite-config.yaml
+ - ./certs:/certs
+ networks:
+ - backend
+ expose:
+ - "7770"
+ depends_on:
+ - postgres
+ - kafka
+ restart: unless-stopped
+ client-api-server:
+ image: dendrite-client-api-server
+ command: --config /dendrite-config.yaml
+ environment:
+ PGHOST: postgres
+ PGPASSWORD: $POSTGRES_PASSWORD
+ volumes:
+ - ./dendrite-config.yaml:/dendrite-config.yaml
+ - ./certs:/certs
+ networks:
+ - backend
+ expose:
+ - "7771"
+ depends_on:
+ - postgres
+ - kafka
+ - room-server
+ restart: unless-stopped
+ federation-api-server:
+ image: dendrite-federation-api-server
+ command: --config /dendrite-config.yaml
+ environment:
+ PGHOST: postgres
+ PGPASSWORD: $POSTGRES_PASSWORD
+ volumes:
+ - ./dendrite-config.yaml:/dendrite-config.yaml
+ - ./certs:/certs
+ networks:
+ - backend
+ expose:
+ - "7772"
+ depends_on:
+ - postgres
+ - kafka
+ - room-server
+ restart: unless-stopped
+ sync-api-server:
+ image: dendrite-sync-api-server
+ command: --config /dendrite-config.yaml
+ environment:
+ PGHOST: postgres
+ PGPASSWORD: $POSTGRES_PASSWORD
+ volumes:
+ - ./dendrite-config.yaml:/dendrite-config.yaml
+ - ./certs:/certs
+ networks:
+ - backend
+ expose:
+ - "7773"
+ depends_on:
+ - postgres
+ - kafka
+ - room-server
+ restart: unless-stopped
+ media-api-server:
+ image: dendrite-media-api-server
+ command: --config /dendrite-config.yaml
+ environment:
+ PGHOST: postgres
+ PGPASSWORD: $POSTGRES_PASSWORD
+ volumes:
+ - ./dendrite-config.yaml:/dendrite-config.yaml
+ - ./certs:/certs
+ - $HOME/dendrite/media:/media
+ networks:
+ - backend
+ expose:
+ - "7774"
+ depends_on:
+ - postgres
+ - kafka
+ restart: unless-stopped
+
+networks:
+ backend:
+ frontend:
diff --git a/docker/generate-keys.sh b/docker/generate-keys.sh
new file mode 100755
index 000000000..7b589cb82
--- /dev/null
+++ b/docker/generate-keys.sh
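Review bot: In docker/docker-compose.yaml the `postgres` service publishes `"5432:5432"`, which binds the database on every host interface, while every other backend service uses `expose` only. The dendrite components reach it over the `backend` network, so publishing is not needed for the deployment; if host access is wanted for debugging, `- "127.0.0.1:5432:5432"` keeps it off external interfaces. The `kafka` service also mounts `/var/run/docker.sock`, which hands that container control of the host's Docker daemon. With `KAFKA_ADVERTISED_HOST_NAME` and `KAFKA_ADVERTISED_PORT` set explicitly the mount looks unnecessary, though that should be confirmed against the image's start script. `wurstmeister/zookeeper` is also pulled without a tag, so the image that runs is whatever `latest` resolves to at pull time.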
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+# generate self-signed SSL cert (unlike synapse, dendrite doesn't autogen yet)
+# N.B. to specify the right CN if needed
+test -f certs/server.key || openssl req -x509 -newkey rsa:4096 -keyout certs/server.key -out certs/server.crt -days 3650 -nodes -subj /CN=$(hostname)
+
+# generate ed25519 signing key
+test -f certs/matrix_key.pem || python > certs/matrix_key.pem <