Tuwunel: install matrix server

2026-04-20 21:39:49 +03:00
parent 303aefb75f
commit 452f7973a9
5 changed files with 139 additions and 1 deletions
@@ -19,8 +19,33 @@
    tls anwinged@ya.ru

    # Matrix federation delegation: tells other servers/clients that the
+    # homeserver for vakhrushev.me lives at matrix.vakhrushev.me.
+    # https://spec.matrix.org/latest/server-server-api/#server-discovery
+    handle /.well-known/matrix/server {
+        header Content-Type application/json
+        header Access-Control-Allow-Origin *
+        respond `{"m.server": "matrix.vakhrushev.me:443"}`
+    }
+
+    handle /.well-known/matrix/client {
+        header Content-Type application/json
+        header Access-Control-Allow-Origin *
+        respond `{"m.homeserver": {"base_url": "https://matrix.vakhrushev.me"}}`
+    }
+
+    handle {
+        reverse_proxy {
+            to homepage_app:80
+        }
+    }
+}
+
+matrix.vakhrushev.me {
+    tls anwinged@ya.ru
+
+    reverse_proxy {
        to tuwunel_app:6167
-    }
+    }
 }

 auth.vakhrushev.me {
@@ -0,0 +1,36 @@
+# See versions: https://github.com/matrix-construct/tuwunel/releases
+# Configuration reference: https://github.com/matrix-construct/tuwunel/blob/main/tuwunel-example.toml
+
+services:
+
+  tuwunel_app:
+    image: jevolk/tuwunel:v1.6.0
+    container_name: tuwunel_app
+    restart: unless-stopped
+    user: "{{ owner_create_result.uid }}:{{ owner_create_result.group }}"
+    networks:
+      - "web_proxy_network"
+    volumes:
+      - "{{ data_dir }}:/var/lib/tuwunel"
+    environment:
+      TUWUNEL_SERVER_NAME: "{{ tuwunel_server_name }}"
+      TUWUNEL_DATABASE_PATH: "/var/lib/tuwunel"
+      TUWUNEL_ADDRESS: "0.0.0.0"
+      TUWUNEL_PORT: "6167"
+      TUWUNEL_MAX_REQUEST_SIZE: "20000000"
+
+      TUWUNEL_ALLOW_REGISTRATION: "false"
+      TUWUNEL_ALLOW_FEDERATION: "true"
+      TUWUNEL_ALLOW_CHECK_FOR_UPDATES: "false"
+      TUWUNEL_TRUSTED_SERVERS: '["matrix.org"]'
+
+      # Well-known delegation values returned to clients/servers that query tuwunel directly.
+      # The canonical delegation is served by Caddy on {{ tuwunel_server_name }} (see Caddyfile).
+      TUWUNEL_WELL_KNOWN_SERVER: "{{ tuwunel_well_known_server }}"
+      TUWUNEL_WELL_KNOWN_CLIENT: "{{ tuwunel_well_known_client }}"
+
+      TUWUNEL_LOG: "info"
+
+networks:
+  web_proxy_network:
+    external: true