diff --git a/MULTI_MACHINE_CONFIG_SNIPPETS.md b/MULTI_MACHINE_CONFIG_SNIPPETS.md index 9617820..ace1768 100644 --- a/MULTI_MACHINE_CONFIG_SNIPPETS.md +++ b/MULTI_MACHINE_CONFIG_SNIPPETS.md @@ -8,6 +8,7 @@ This document provides configuration snippets for deploying Matrix stack across ✅ **Authelia has its own reverse proxy on Machine 2** ✅ **MAS connects to Authelia via HTTPS (not internal port 9091)** ✅ **DNS points authelia.example.com directly to Machine 2** +✅ **docker-compose.yml defaults to multi-machine mode (no Caddy/Authelia containers)** ## Architecture @@ -670,14 +671,20 @@ curl https://auth.example.com/.well-known/openid-configuration # On Matrix server cd /path/to/matrix-docker-compose -# Edit docker-compose.production.yml to remove Caddy and Authelia services -# (They're running on separate machines) - -# Start Matrix services -docker compose -f docker-compose.production.yml up -d +# Start Matrix services ONLY (no Caddy, no Authelia) +# Multi-machine mode (default) - only starts Synapse, MAS, Element, PostgreSQL +docker compose up -d # Check services -docker compose -f docker-compose.production.yml ps +docker compose ps + +# You should see ONLY these services running: +# - matrix-postgres +# - matrix-synapse +# - matrix-mas +# - matrix-element + +# Caddy and Authelia are NOT started (they run on separate machines) ``` ### Phase 5: Verify Everything Works 
@@ -799,3 +806,43 @@ If any fail: - Verify firewall allows port 443 - Check reverse proxy configs - Review Let's Encrypt certificate issuance in logs + +--- + +## Docker Compose Deployment Modes + +The production compose file supports multiple deployment architectures: + +### Multi-Machine Mode (Default) ← YOU WANT THIS + +```bash +docker compose up -d +``` + +**What starts:** +- ✅ PostgreSQL +- ✅ Synapse (Matrix homeserver) +- ✅ MAS (Authentication service) +- ✅ Element (Web client) + +**What does NOT start:** +- ❌ Caddy (runs separately on Machine 1) +- ❌ Authelia (runs separately on Machine 2) +- ❌ Redis (only needed if Authelia is in Docker) + +This is the default mode - no profiles needed! + +### Single-Machine Mode + +For all-in-one deployments where everything runs on one server: + +```bash +# With Authelia +docker compose --profile single-machine --profile authelia up -d + +# Without Authelia +docker compose --profile single-machine up -d +``` + +**What starts:** Everything including Caddy in Docker with Let's Encrypt + diff --git a/README.md b/README.md index 1f9976c..e611473 100644 --- a/README.md +++ b/README.md @@ -87,11 +87,14 @@ See [PRODUCTION_DEPLOYMENT.md](PRODUCTION_DEPLOYMENT.md) for: **Deploy command:** ```bash -# With Authelia -docker compose -f docker-compose.production.yml --profile authelia up -d +# Multi-machine (default) - Matrix server only, Caddy/Authelia on separate machines +docker compose up -d -# Without Authelia -docker compose -f docker-compose.production.yml up -d +# Single-machine with Authelia - Everything on one server +docker compose --profile single-machine --profile authelia up -d + +# Single-machine without Authelia +docker compose --profile single-machine up -d ``` ## Authentication Options diff --git a/compose-variants/README.md b/compose-variants/README.md new file mode 100644 index 0000000..6870ea0 --- /dev/null +++ b/compose-variants/README.md 
@@ -0,0 +1,26 @@ +# Compose File Variants + +This folder contains alternative Docker Compose configurations that are not used in the main deployment. + +## Files + +- **docker-compose.old.yml** - Original compose configuration (legacy) +- **docker-compose.local.yml** - Local testing configuration with self-signed certificates +- **docker-compose.authelia.yml** - Standalone Authelia service +- **docker-compose.caddy.yml** - Standalone Caddy service + +## Active Configuration + +The active configuration is in the root directory as **docker-compose.yml** (production configuration). + +## Usage + +These variants can be used for: +- Local development and testing (docker-compose.local.yml) +- Reference for different deployment architectures +- Standalone service testing + +To use a variant: +```bash +docker compose -f compose-variants/docker-compose.local.yml up -d +``` diff --git a/docker-compose.authelia.yml b/compose-variants/docker-compose.authelia.yml similarity index 100% rename from docker-compose.authelia.yml rename to compose-variants/docker-compose.authelia.yml diff --git a/docker-compose.caddy.yml b/compose-variants/docker-compose.caddy.yml similarity index 100% rename from docker-compose.caddy.yml rename to compose-variants/docker-compose.caddy.yml diff --git a/docker-compose.local.yml b/compose-variants/docker-compose.local.yml similarity index 100% rename from docker-compose.local.yml rename to compose-variants/docker-compose.local.yml diff --git a/docker-compose.production.yml b/compose-variants/docker-compose.old.yml similarity index 79% rename from docker-compose.production.yml rename to compose-variants/docker-compose.old.yml index 0d77f8c..cf9c843 100644 --- a/docker-compose.production.yml +++ b/compose-variants/docker-compose.old.yml 
@@ -1,10 +1,3 @@ -# Production docker-compose file for Matrix stack -# This configuration: -# - Uses real domain names with Let's Encrypt SSL certificates -# - Makes Authelia optional (use --profile authelia to enable) -# - Includes Caddy for HTTPS termination -# - Configures all services for production use - services: # PostgreSQL Database postgres: @@ -14,7 +7,7 @@ services: environment: POSTGRES_DB: synapse POSTGRES_USER: synapse - POSTGRES_PASSWORD: ${POSTGRES_PASSWORD} + POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-changeme} POSTGRES_INITDB_ARGS: --encoding=UTF-8 --lc-collate=C --lc-ctype=C volumes: - ./postgres/data:/var/lib/postgresql/data @@ -36,11 +29,9 @@ services: SYNAPSE_CONFIG_PATH: /data/homeserver.yaml volumes: - ./synapse/data:/data - - ./bridges:/bridges:ro # Ports exposed only to internal network - access via Caddy expose: - "8008" - - "8448" # Federation port networks: - matrix-network depends_on: @@ -69,8 +60,6 @@ services: # Redis for Authelia session storage redis: - profiles: - - authelia # Only started when Authelia profile is active image: redis:7-alpine container_name: matrix-redis restart: unless-stopped @@ -82,6 +71,30 @@ services: timeout: 5s retries: 5 + # Authelia SSO + authelia: + image: authelia/authelia:latest + container_name: matrix-authelia + restart: unless-stopped + environment: + TZ: Europe/Berlin + AUTHELIA_SESSION_SECRET: ${AUTHELIA_SESSION_SECRET} + AUTHELIA_STORAGE_ENCRYPTION_KEY: ${AUTHELIA_STORAGE_ENCRYPTION_KEY} + AUTHELIA_JWT_SECRET: ${AUTHELIA_JWT_SECRET} + POSTGRES_PASSWORD: ${POSTGRES_PASSWORD} + volumes: + - ./authelia/config:/config + # Accessed via Caddy + expose: + - "9091" + networks: + - matrix-network + depends_on: + postgres: + condition: service_healthy + redis: + condition: service_healthy + # Matrix Authentication Service (MAS) mas: image: ghcr.io/element-hq/matrix-authentication-service:latest 
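Review bot: The new side of the `@@ -14,7 +7,7 @@` hunk carries `POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-changeme}`, so bringing this variant up with the variable unset initialises the database with a known default password instead of stopping. The blob ids (`0d77f8c..cf9c843`) suggest this is the former root docker-compose.yml content rather than new code, but compose-variants/README.md in the same commit tells readers to run variants with `-f compose-variants/…`, so the fallback stays reachable. Drop the default as the root file does (`POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}`), or better use compose's required-variable form `POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}` so `docker compose up` refuses to start without a value. The `@@ -82,6 +71,30 @@` hunk likewise hardcodes `TZ: Europe/Berlin` where the root file keeps `${TZ:-UTC}`.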
@@ -101,13 +114,34 @@ services: depends_on: postgres: condition: service_healthy - # Note: Redis/Authelia dependency removed - works with or without Authelia - # Healthcheck disabled: MAS uses distroless image without curl - # healthcheck: - # test: ["CMD", "curl", "-f", "http://localhost:8081/health"] - # interval: 30s - # timeout: 10s - # retries: 3 + authelia: + condition: service_started + healthcheck: + test: ["CMD", "curl", "-f", "http://localhost:8081/health"] + interval: 30s + timeout: 10s + retries: 3 + + # Caddy Reverse Proxy (HTTPS termination) + caddy: + image: caddy:2-alpine + container_name: matrix-caddy + restart: unless-stopped + ports: + - "443:443" + - "80:80" + - "2019:2019" # Admin API + volumes: + - ./caddy/Caddyfile:/etc/caddy/Caddyfile:ro + - ./caddy/data:/data + - ./caddy/config:/config + networks: + - matrix-network + depends_on: + - synapse + - element + - mas + - authelia # mautrix-telegram Bridge mautrix-telegram: 
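Review bot: The new `caddy` service publishes `- "2019:2019" # Admin API` on the host, which places Caddy's admin endpoint, which has no authentication by default, on every host interface; the same mapping appears in the root docker-compose.yml's `caddy` service in the `@@ -182,6 +157,57 @@` hunk. Drop the line, or bind it to loopback with `- "127.0.0.1:2019:2019"`, so only local tooling can reach it. The re-enabled MAS `healthcheck` on the new side also invokes `curl`, while the root file in this same commit states `Healthcheck disabled: MAS uses distroless image without curl`; if that comment is accurate the check cannot succeed and the container is reported unhealthy on every interval, so it should stay disabled here as well.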
@@ -148,53 +182,6 @@ services: synapse: condition: service_healthy - # Authelia SSO (Optional - use profile "authelia" to enable) - authelia: - profiles: - - authelia # Only started when Authelia profile is active - image: authelia/authelia:latest - container_name: matrix-authelia - restart: unless-stopped - environment: - TZ: ${TZ:-UTC} - AUTHELIA_SESSION_SECRET: ${AUTHELIA_SESSION_SECRET} - AUTHELIA_STORAGE_ENCRYPTION_KEY: ${AUTHELIA_STORAGE_ENCRYPTION_KEY} - AUTHELIA_JWT_SECRET: ${AUTHELIA_JWT_SECRET} - POSTGRES_PASSWORD: ${POSTGRES_PASSWORD} - volumes: - - ./authelia/config:/config - # Accessed via Caddy - expose: - - "9091" - networks: - - matrix-network - depends_on: - postgres: - condition: service_healthy - redis: - condition: service_healthy - - # Caddy Reverse Proxy (HTTPS termination with Let's Encrypt) - caddy: - image: caddy:2-alpine - container_name: matrix-caddy - restart: unless-stopped - ports: - - "443:443" - - "80:80" - - "2019:2019" # Admin API - volumes: - - ./caddy/Caddyfile:/etc/caddy/Caddyfile:ro - - ./caddy/data:/data - - ./caddy/config:/config - networks: - - matrix-network - depends_on: - - synapse - - element - - mas - # Note: Authelia dependency removed - works with or without Authelia - networks: matrix-network: driver: bridge diff --git a/docker-compose.yml b/docker-compose.yml index cf9c843..1291ca2 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -1,3 +1,19 @@ +# Production docker-compose file for Matrix stack +# This configuration: +# - Uses real domain names with Let's Encrypt SSL certificates +# - Makes Authelia optional (use --profile authelia to enable) +# - Makes Caddy optional (use --profile single-machine for all-in-one deployment) +# - Configures all services for production use +# +# Deployment Modes: +# 1. Multi-machine (default): docker compose -f docker-compose.production.yml up -d +# - Runs: Synapse, MAS, Element, PostgreSQL only +# - Caddy and Authelia run on separate machines +# 2. Single-machine with Authelia: docker compose -f docker-compose.production.yml --profile single-machine --profile authelia up -d +# - Runs everything on one machine with Caddy + Authelia +# 3. Single-machine without Authelia: docker compose -f docker-compose.production.yml --profile single-machine up -d +# - Runs everything on one machine with Caddy, no Authelia + services: # PostgreSQL Database postgres: @@ -7,7 +23,7 @@ services: environment: POSTGRES_DB: synapse POSTGRES_USER: synapse - POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-changeme} + POSTGRES_PASSWORD: ${POSTGRES_PASSWORD} POSTGRES_INITDB_ARGS: --encoding=UTF-8 --lc-collate=C --lc-ctype=C volumes: - ./postgres/data:/var/lib/postgresql/data @@ -29,9 +45,11 @@ services: SYNAPSE_CONFIG_PATH: /data/homeserver.yaml volumes: - ./synapse/data:/data + - ./bridges:/bridges:ro # Ports exposed only to internal network - access via Caddy expose: - "8008" + - "8448" # Federation port networks: - matrix-network depends_on: @@ -60,6 +78,8 @@ services: # Redis for Authelia session storage redis: + profiles: + - authelia # Only started when Authelia profile is active image: redis:7-alpine container_name: matrix-redis restart: unless-stopped 
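Review bot: The header comment in the `@@ -1,3 +1,19 @@` hunk still documents `docker compose -f docker-compose.production.yml up -d` for all three modes, but this commit moves that file to compose-variants/docker-compose.old.yml and the README.md and MULTI_MACHINE_CONFIG_SNIPPETS.md hunks now use the root file with no `-f`. A reader following the comment either gets a missing-file error or, if they guess the new path, starts the legacy variant. Change the three command lines to `docker compose up -d`, `docker compose --profile single-machine --profile authelia up -d` and `docker compose --profile single-machine up -d`.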
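Review bot: `POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}` in the `@@ -7,7 +23,7 @@` hunk removes the `changeme` fallback, but an unset variable now expands to an empty string with only a compose warning, so the problem surfaces later at container start rather than as a hard error at compose time. Using the required-variable form, `POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}`, makes `docker compose up` fail immediately with a clear message; the same form suits the three `AUTHELIA_*` secrets in the `@@ -182,6 +157,57 @@` hunk.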
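Review bot: Synapse's `8008` and the newly added `8448` in the `@@ -29,9 +45,11 @@` hunk stay under `expose:` with the comment `access via Caddy`, yet this file now defaults to multi-machine mode where Caddy runs on another host; `expose` only opens a port to containers on `matrix-network`, so unless a `ports:` mapping exists outside this hunk the remote reverse proxy cannot reach Synapse, and the same applies to MAS and Element. If ports are published for this mode, bind them to the private interface that faces Machine 1 rather than all interfaces, e.g. `- "<private-ip>:8008:8008"` (placeholder address), and state that in the header comment. The synapse service definition starts before this hunk.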
@@ -71,30 +91,6 @@ services: timeout: 5s retries: 5 - # Authelia SSO - authelia: - image: authelia/authelia:latest - container_name: matrix-authelia - restart: unless-stopped - environment: - TZ: Europe/Berlin - AUTHELIA_SESSION_SECRET: ${AUTHELIA_SESSION_SECRET} - AUTHELIA_STORAGE_ENCRYPTION_KEY: ${AUTHELIA_STORAGE_ENCRYPTION_KEY} - AUTHELIA_JWT_SECRET: ${AUTHELIA_JWT_SECRET} - POSTGRES_PASSWORD: ${POSTGRES_PASSWORD} - volumes: - - ./authelia/config:/config - # Accessed via Caddy - expose: - - "9091" - networks: - - matrix-network - depends_on: - postgres: - condition: service_healthy - redis: - condition: service_healthy - # Matrix Authentication Service (MAS) mas: image: ghcr.io/element-hq/matrix-authentication-service:latest @@ -114,34 +110,13 @@ services: depends_on: postgres: condition: service_healthy - authelia: - condition: service_started - healthcheck: - test: ["CMD", "curl", "-f", "http://localhost:8081/health"] - interval: 30s - timeout: 10s - retries: 3 - - # Caddy Reverse Proxy (HTTPS termination) - caddy: - image: caddy:2-alpine - container_name: matrix-caddy - restart: unless-stopped - ports: - - "443:443" - - "80:80" - - "2019:2019" # Admin API - volumes: - - ./caddy/Caddyfile:/etc/caddy/Caddyfile:ro - - ./caddy/data:/data - - ./caddy/config:/config - networks: - - matrix-network - depends_on: - - synapse - - element - - mas - - authelia + # Note: Redis/Authelia dependency removed - works with or without Authelia + # Healthcheck disabled: MAS uses distroless image without curl + # healthcheck: + # test: ["CMD", "curl", "-f", "http://localhost:8081/health"] + # interval: 30s + # timeout: 10s + # retries: 3 # mautrix-telegram Bridge mautrix-telegram: 
@@ -182,6 +157,57 @@ services: synapse: condition: service_healthy + # Authelia SSO (Optional - use profile "authelia" to enable) + authelia: + profiles: + - authelia # Only started when Authelia profile is active + image: authelia/authelia:latest + container_name: matrix-authelia + restart: unless-stopped + environment: + TZ: ${TZ:-UTC} + AUTHELIA_SESSION_SECRET: ${AUTHELIA_SESSION_SECRET} + AUTHELIA_STORAGE_ENCRYPTION_KEY: ${AUTHELIA_STORAGE_ENCRYPTION_KEY} + AUTHELIA_JWT_SECRET: ${AUTHELIA_JWT_SECRET} + POSTGRES_PASSWORD: ${POSTGRES_PASSWORD} + volumes: + - ./authelia/config:/config + # Accessed via Caddy + expose: + - "9091" + networks: + - matrix-network + depends_on: + postgres: + condition: service_healthy + redis: + condition: service_healthy + + # Caddy Reverse Proxy (HTTPS termination with Let's Encrypt) + # For multi-machine deployments: Don't use this profile (Caddy runs separately) + # For single-machine deployments: Use --profile single-machine + caddy: + profiles: + - single-machine # Only started for single-machine deployments + image: caddy:2-alpine + container_name: matrix-caddy + restart: unless-stopped + ports: + - "443:443" + - "80:80" + - "2019:2019" # Admin API + volumes: + - ./caddy/Caddyfile:/etc/caddy/Caddyfile:ro + - ./caddy/data:/data + - ./caddy/config:/config + networks: + - matrix-network + depends_on: + - synapse + - element + - mas + # Note: Authelia dependency removed - works with or without Authelia + networks: matrix-network: driver: bridge