docs: Update deploying/docker

Signed-off-by: Jason Volk <jason@zemos.net>
Jason Volk
2025-05-06 23:22:13 +00:00
parent 481b67f1f9
commit de1e37f5ae
6 changed files with 146 additions and 147 deletions


@@ -1,48 +1,48 @@
# conduwuit - Behind Traefik Reverse Proxy
# tuwunel - Behind Traefik Reverse Proxy
services:
homeserver:
### If you already built the conduduwit image with 'docker build' or want to use the Docker Hub image,
### then you are ready to go.
image: girlbossceo/conduwuit:latest
image: jevolk/tuwunel:latest
restart: unless-stopped
volumes:
- db:/var/lib/conduwuit
#- ./conduwuit.toml:/etc/conduwuit.toml
- db:/var/lib/tuwunel
#- ./tuwunel.toml:/etc/tuwunel.toml
networks:
- proxy
environment:
CONDUWUIT_SERVER_NAME: your.server.name.example # EDIT THIS
CONDUWUIT_DATABASE_PATH: /var/lib/conduwuit
CONDUWUIT_PORT: 6167 # should match the loadbalancer traefik label
CONDUWUIT_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
CONDUWUIT_ALLOW_REGISTRATION: 'true'
CONDUWUIT_REGISTRATION_TOKEN: 'YOUR_TOKEN' # A registration token is required when registration is allowed.
#CONDUWUIT_YES_I_AM_VERY_VERY_SURE_I_WANT_AN_OPEN_REGISTRATION_SERVER_PRONE_TO_ABUSE: 'true'
CONDUWUIT_ALLOW_FEDERATION: 'true'
CONDUWUIT_ALLOW_CHECK_FOR_UPDATES: 'true'
CONDUWUIT_TRUSTED_SERVERS: '["matrix.org"]'
#CONDUWUIT_LOG: warn,state_res=warn
CONDUWUIT_ADDRESS: 0.0.0.0
#CONDUWUIT_CONFIG: '/etc/conduwuit.toml' # Uncomment if you mapped config toml above
TUWUNEL_SERVER_NAME: your.server.name.example # EDIT THIS
TUWUNEL_DATABASE_PATH: /var/lib/tuwunel
TUWUNEL_PORT: 6167 # should match the loadbalancer traefik label
TUWUNEL_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
TUWUNEL_ALLOW_REGISTRATION: 'true'
TUWUNEL_REGISTRATION_TOKEN: 'YOUR_TOKEN' # A registration token is required when registration is allowed.
#TUWUNEL_YES_I_AM_VERY_VERY_SURE_I_WANT_AN_OPEN_REGISTRATION_SERVER_PRONE_TO_ABUSE: 'true'
TUWUNEL_ALLOW_FEDERATION: 'true'
TUWUNEL_ALLOW_CHECK_FOR_UPDATES: 'true'
TUWUNEL_TRUSTED_SERVERS: '["matrix.org"]'
#TUWUNEL_LOG: warn,state_res=warn
TUWUNEL_ADDRESS: 0.0.0.0
#TUWUNEL_CONFIG: '/etc/tuwunel.toml' # Uncomment if you mapped config toml above
# We need some way to serve the client and server .well-known json. The simplest way is via the CONDUWUIT_WELL_KNOWN
# variable / config option, there are multiple ways to do this, e.g. in the conduwuit.toml file, and in a seperate
# We need some way to serve the client and server .well-known json. The simplest way is via the TUWUNEL_WELL_KNOWN
# variable / config option, there are multiple ways to do this, e.g. in the tuwunel.toml file, and in a seperate
# see the override file for more information about delegation
CONDUWUIT_WELL_KNOWN: |
TUWUNEL_WELL_KNOWN: |
{
client=https://your.server.name.example,
server=your.server.name.example:443
}
#cpuset: "0-4" # Uncomment to limit to specific CPU cores
ulimits: # conduwuit uses quite a few file descriptors, and on some systems it defaults to 1024, so you can tell docker to increase it
ulimits: # tuwunel uses quite a few file descriptors, and on some systems it defaults to 1024, so you can tell docker to increase it
nofile:
soft: 1048567
hard: 1048567
### Uncomment if you want to use your own Element-Web App.
### Note: You need to provide a config.json for Element and you also need a second
### Domain or Subdomain for the communication between Element and conduwuit
### Domain or Subdomain for the communication between Element and tuwunel
### Config-Docs: https://github.com/vector-im/element-web/blob/develop/docs/config.md
# element-web:
# image: vectorim/element-web:latest
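Review bot: `TUWUNEL_ALLOW_REGISTRATION: 'true'` ships together with `TUWUNEL_REGISTRATION_TOKEN: 'YOUR_TOKEN'`, so a deployment copied without editing accepts registrations with a token that is printed in this example. Only `TUWUNEL_SERVER_NAME` carries an `# EDIT THIS` marker. I would default to `TUWUNEL_ALLOW_REGISTRATION: 'false'`, as the fourth file section on this page does, or at least mark the token line `# EDIT THIS - use a long random value`. The same pair appears in the environment blocks of the third and fifth file sections. The context comment above `image:` also still reads `conduduwit`, which the rename did not catch.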


@@ -1,4 +1,4 @@
# conduwuit - Traefik Reverse Proxy Labels
# tuwunel - Traefik Reverse Proxy Labels
services:
homeserver:
@@ -6,17 +6,17 @@ services:
- "traefik.enable=true"
- "traefik.docker.network=proxy" # Change this to the name of your Traefik docker proxy network
- "traefik.http.routers.to-conduwuit.rule=Host(`<SUBDOMAIN>.<DOMAIN>`)" # Change to the address on which conduwuit is hosted
- "traefik.http.routers.to-conduwuit.tls=true"
- "traefik.http.routers.to-conduwuit.tls.certresolver=letsencrypt"
- "traefik.http.routers.to-conduwuit.middlewares=cors-headers@docker"
- "traefik.http.services.to_conduwuit.loadbalancer.server.port=6167"
- "traefik.http.routers.to-tuwunel.rule=Host(`<SUBDOMAIN>.<DOMAIN>`)" # Change to the address on which tuwunel is hosted
- "traefik.http.routers.to-tuwunel.tls=true"
- "traefik.http.routers.to-tuwunel.tls.certresolver=letsencrypt"
- "traefik.http.routers.to-tuwunel.middlewares=cors-headers@docker"
- "traefik.http.services.to_tuwunel.loadbalancer.server.port=6167"
- "traefik.http.middlewares.cors-headers.headers.accessControlAllowOriginList=*"
- "traefik.http.middlewares.cors-headers.headers.accessControlAllowHeaders=Origin, X-Requested-With, Content-Type, Accept, Authorization"
- "traefik.http.middlewares.cors-headers.headers.accessControlAllowMethods=GET, POST, PUT, DELETE, OPTIONS"
# If you want to have your account on <DOMAIN>, but host conduwuit on a subdomain,
# If you want to have your account on <DOMAIN>, but host tuwunel on a subdomain,
# you can let it only handle the well known file on that domain instead
#- "traefik.http.routers.to-matrix-wellknown.rule=Host(`<DOMAIN>`) && PathPrefix(`/.well-known/matrix`)"
#- "traefik.http.routers.to-matrix-wellknown.tls=true"
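Review bot: The renamed router is `to-tuwunel`, but the service label is `traefik.http.services.to_tuwunel.loadbalancer.server.port=6167` with an underscore, so the two names do not match. Traefik normally attaches a container's only service to a router that names none, so this probably still routes. It would break as soon as someone adds `traefik.http.routers.to-tuwunel.service=to-tuwunel` or defines a second service. I would write `traefik.http.services.to-tuwunel.loadbalancer.server.port=6167`. The labels list starts above this hunk, so I cannot see whether a service is already set explicitly there.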


@@ -1,6 +1,6 @@
services:
caddy:
# This compose file uses caddy-docker-proxy as the reverse proxy for conduwuit!
# This compose file uses caddy-docker-proxy as the reverse proxy for tuwunel!
# For more info, visit https://github.com/lucaslorentz/caddy-docker-proxy
image: lucaslorentz/caddy-docker-proxy:ci-alpine
ports:
@@ -20,27 +20,27 @@ services:
caddy.1_respond: /.well-known/matrix/client {"m.server":{"base_url":"https://matrix.example.com"},"m.homeserver":{"base_url":"https://matrix.example.com"},"org.matrix.msc3575.proxy":{"url":"https://matrix.example.com"}}
homeserver:
### If you already built the conduwuit image with 'docker build' or want to use a registry image,
### If you already built the tuwunel image with 'docker build' or want to use a registry image,
### then you are ready to go.
image: girlbossceo/conduwuit:latest
image: jevolk/tuwunel:latest
restart: unless-stopped
volumes:
- db:/var/lib/conduwuit
#- ./conduwuit.toml:/etc/conduwuit.toml
- db:/var/lib/tuwunel
#- ./tuwunel.toml:/etc/tuwunel.toml
environment:
CONDUWUIT_SERVER_NAME: example.com # EDIT THIS
CONDUWUIT_DATABASE_PATH: /var/lib/conduwuit
CONDUWUIT_PORT: 6167
CONDUWUIT_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
CONDUWUIT_ALLOW_REGISTRATION: 'true'
CONDUWUIT_REGISTRATION_TOKEN: 'YOUR_TOKEN' # A registration token is required when registration is allowed.
#CONDUWUIT_YES_I_AM_VERY_VERY_SURE_I_WANT_AN_OPEN_REGISTRATION_SERVER_PRONE_TO_ABUSE: 'true'
CONDUWUIT_ALLOW_FEDERATION: 'true'
CONDUWUIT_ALLOW_CHECK_FOR_UPDATES: 'true'
CONDUWUIT_TRUSTED_SERVERS: '["matrix.org"]'
#CONDUWUIT_LOG: warn,state_res=warn
CONDUWUIT_ADDRESS: 0.0.0.0
#CONDUWUIT_CONFIG: '/etc/conduwuit.toml' # Uncomment if you mapped config toml above
TUWUNEL_SERVER_NAME: example.com # EDIT THIS
TUWUNEL_DATABASE_PATH: /var/lib/tuwunel
TUWUNEL_PORT: 6167
TUWUNEL_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
TUWUNEL_ALLOW_REGISTRATION: 'true'
TUWUNEL_REGISTRATION_TOKEN: 'YOUR_TOKEN' # A registration token is required when registration is allowed.
#TUWUNEL_YES_I_AM_VERY_VERY_SURE_I_WANT_AN_OPEN_REGISTRATION_SERVER_PRONE_TO_ABUSE: 'true'
TUWUNEL_ALLOW_FEDERATION: 'true'
TUWUNEL_ALLOW_CHECK_FOR_UPDATES: 'true'
TUWUNEL_TRUSTED_SERVERS: '["matrix.org"]'
#TUWUNEL_LOG: warn,state_res=warn
TUWUNEL_ADDRESS: 0.0.0.0
#TUWUNEL_CONFIG: '/etc/tuwunel.toml' # Uncomment if you mapped config toml above
networks:
- caddy
labels:
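Review bot: `image: jevolk/tuwunel:latest` moves the example to a different registry namespace and keeps a mutable tag, so every pull or container recreate takes whatever is currently pushed there without the operator choosing a version. For a homeserver example I would show a pinned reference such as `image: jevolk/tuwunel:<RELEASE_TAG>@sha256:<DIGEST>` (placeholders), with a comment saying to bump it deliberately. The same `image:` line is in the first, fourth and fifth file sections.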


@@ -1,56 +1,56 @@
# conduwuit - Behind Traefik Reverse Proxy
# tuwunel - Behind Traefik Reverse Proxy
services:
homeserver:
### If you already built the conduwuit image with 'docker build' or want to use the Docker Hub image,
### If you already built the tuwunel image with 'docker build' or want to use the Docker Hub image,
### then you are ready to go.
image: girlbossceo/conduwuit:latest
image: jevolk/tuwunel:latest
restart: unless-stopped
volumes:
- db:/var/lib/conduwuit
#- ./conduwuit.toml:/etc/conduwuit.toml
- db:/var/lib/tuwunel
#- ./tuwunel.toml:/etc/tuwunel.toml
networks:
- proxy
environment:
CONDUWUIT_SERVER_NAME: your.server.name.example # EDIT THIS
CONDUWUIT_TRUSTED_SERVERS: '["matrix.org"]'
CONDUWUIT_ALLOW_REGISTRATION: 'false' # After setting a secure registration token, you can enable this
CONDUWUIT_REGISTRATION_TOKEN: "" # This is a token you can use to register on the server
#CONDUWUIT_REGISTRATION_TOKEN_FILE: "" # Alternatively you can configure a path to a token file to read
CONDUWUIT_ADDRESS: 0.0.0.0
CONDUWUIT_PORT: 6167 # you need to match this with the traefik load balancer label if you're want to change it
CONDUWUIT_DATABASE_PATH: /var/lib/conduwuit
#CONDUWUIT_CONFIG: '/etc/conduit.toml' # Uncomment if you mapped config toml above
### Uncomment and change values as desired, note that conduwuit has plenty of config options, so you should check out the example example config too
TUWUNEL_SERVER_NAME: your.server.name.example # EDIT THIS
TUWUNEL_TRUSTED_SERVERS: '["matrix.org"]'
TUWUNEL_ALLOW_REGISTRATION: 'false' # After setting a secure registration token, you can enable this
TUWUNEL_REGISTRATION_TOKEN: "" # This is a token you can use to register on the server
#TUWUNEL_REGISTRATION_TOKEN_FILE: "" # Alternatively you can configure a path to a token file to read
TUWUNEL_ADDRESS: 0.0.0.0
TUWUNEL_PORT: 6167 # you need to match this with the traefik load balancer label if you're want to change it
TUWUNEL_DATABASE_PATH: /var/lib/tuwunel
#TUWUNEL_CONFIG: '/etc/conduit.toml' # Uncomment if you mapped config toml above
### Uncomment and change values as desired, note that tuwunel has plenty of config options, so you should check out the example example config too
# Available levels are: error, warn, info, debug, trace - more info at: https://docs.rs/env_logger/*/env_logger/#enabling-logging
# CONDUWUIT_LOG: info # default is: "warn,state_res=warn"
# CONDUWUIT_ALLOW_ENCRYPTION: 'true'
# CONDUWUIT_ALLOW_FEDERATION: 'true'
# CONDUWUIT_ALLOW_CHECK_FOR_UPDATES: 'true'
# CONDUWUIT_ALLOW_INCOMING_PRESENCE: true
# CONDUWUIT_ALLOW_OUTGOING_PRESENCE: true
# CONDUWUIT_ALLOW_LOCAL_PRESENCE: true
# CONDUWUIT_WORKERS: 10
# CONDUWUIT_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
# CONDUWUIT_NEW_USER_DISPLAYNAME_SUFFIX = "🏳<200d>⚧"
# TUWUNEL_LOG: info # default is: "warn,state_res=warn"
# TUWUNEL_ALLOW_ENCRYPTION: 'true'
# TUWUNEL_ALLOW_FEDERATION: 'true'
# TUWUNEL_ALLOW_CHECK_FOR_UPDATES: 'true'
# TUWUNEL_ALLOW_INCOMING_PRESENCE: true
# TUWUNEL_ALLOW_OUTGOING_PRESENCE: true
# TUWUNEL_ALLOW_LOCAL_PRESENCE: true
# TUWUNEL_WORKERS: 10
# TUWUNEL_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
# TUWUNEL_NEW_USER_DISPLAYNAME_SUFFIX = "🏳<200d>⚧"
# We need some way to serve the client and server .well-known json. The simplest way is via the CONDUWUIT_WELL_KNOWN
# variable / config option, there are multiple ways to do this, e.g. in the conduwuit.toml file, and in a seperate
# We need some way to serve the client and server .well-known json. The simplest way is via the TUWUNEL_WELL_KNOWN
# variable / config option, there are multiple ways to do this, e.g. in the tuwunel.toml file, and in a seperate
# reverse proxy, but since you do not have a reverse proxy and following this guide, this example is included
CONDUWUIT_WELL_KNOWN: |
TUWUNEL_WELL_KNOWN: |
{
client=https://your.server.name.example,
server=your.server.name.example:443
}
#cpuset: "0-4" # Uncomment to limit to specific CPU cores
ulimits: # conduwuit uses quite a few file descriptors, and on some systems it defaults to 1024, so you can tell docker to increase it
ulimits: # tuwunel uses quite a few file descriptors, and on some systems it defaults to 1024, so you can tell docker to increase it
nofile:
soft: 1048567
hard: 1048567
### Uncomment if you want to use your own Element-Web App.
### Note: You need to provide a config.json for Element and you also need a second
### Domain or Subdomain for the communication between Element and conduwuit
### Domain or Subdomain for the communication between Element and tuwunel
### Config-Docs: https://github.com/vector-im/element-web/blob/develop/docs/config.md
# element-web:
# image: vectorim/element-web:latest
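Review bot: The commented `#TUWUNEL_CONFIG: '/etc/conduit.toml'` does not match the commented volume mapping `#- ./tuwunel.toml:/etc/tuwunel.toml` a few lines above it. Uncommenting both, as the inline comment suggests, points the server at a path that is not mounted. It should read `#TUWUNEL_CONFIG: '/etc/tuwunel.toml'`, as the other compose files on this page do. In the same block, the commented `TUWUNEL_NEW_USER_DISPLAYNAME_SUFFIX` entry uses ` = ` where every other entry uses `: `, so it would not parse as a mapping entry if uncommented as written.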


@@ -1,34 +1,34 @@
# conduwuit
# tuwunel
services:
homeserver:
### If you already built the conduwuit image with 'docker build' or want to use a registry image,
### If you already built the tuwunel image with 'docker build' or want to use a registry image,
### then you are ready to go.
image: girlbossceo/conduwuit:latest
image: jevolk/tuwunel:latest
restart: unless-stopped
ports:
- 8448:6167
volumes:
- db:/var/lib/conduwuit
#- ./conduwuit.toml:/etc/conduwuit.toml
- db:/var/lib/tuwunel
#- ./tuwunel.toml:/etc/tuwunel.toml
environment:
CONDUWUIT_SERVER_NAME: your.server.name # EDIT THIS
CONDUWUIT_DATABASE_PATH: /var/lib/conduwuit
CONDUWUIT_PORT: 6167
CONDUWUIT_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
CONDUWUIT_ALLOW_REGISTRATION: 'true'
CONDUWUIT_REGISTRATION_TOKEN: 'YOUR_TOKEN' # A registration token is required when registration is allowed.
#CONDUWUIT_YES_I_AM_VERY_VERY_SURE_I_WANT_AN_OPEN_REGISTRATION_SERVER_PRONE_TO_ABUSE: 'true'
CONDUWUIT_ALLOW_FEDERATION: 'true'
CONDUWUIT_ALLOW_CHECK_FOR_UPDATES: 'true'
CONDUWUIT_TRUSTED_SERVERS: '["matrix.org"]'
#CONDUWUIT_LOG: warn,state_res=warn
CONDUWUIT_ADDRESS: 0.0.0.0
#CONDUWUIT_CONFIG: '/etc/conduwuit.toml' # Uncomment if you mapped config toml above
TUWUNEL_SERVER_NAME: your.server.name # EDIT THIS
TUWUNEL_DATABASE_PATH: /var/lib/tuwunel
TUWUNEL_PORT: 6167
TUWUNEL_MAX_REQUEST_SIZE: 20000000 # in bytes, ~20 MB
TUWUNEL_ALLOW_REGISTRATION: 'true'
TUWUNEL_REGISTRATION_TOKEN: 'YOUR_TOKEN' # A registration token is required when registration is allowed.
#TUWUNEL_YES_I_AM_VERY_VERY_SURE_I_WANT_AN_OPEN_REGISTRATION_SERVER_PRONE_TO_ABUSE: 'true'
TUWUNEL_ALLOW_FEDERATION: 'true'
TUWUNEL_ALLOW_CHECK_FOR_UPDATES: 'true'
TUWUNEL_TRUSTED_SERVERS: '["matrix.org"]'
#TUWUNEL_LOG: warn,state_res=warn
TUWUNEL_ADDRESS: 0.0.0.0
#TUWUNEL_CONFIG: '/etc/tuwunel.toml' # Uncomment if you mapped config toml above
#
### Uncomment if you want to use your own Element-Web App.
### Note: You need to provide a config.json for Element and you also need a second
### Domain or Subdomain for the communication between Element and conduwuit
### Domain or Subdomain for the communication between Element and tuwunel
### Config-Docs: https://github.com/vector-im/element-web/blob/develop/docs/config.md
# element-web:
# image: vectorim/element-web:latest


@@ -1,31 +1,31 @@
# conduwuit for Docker
# tuwunel for Docker
## Docker
To run conduwuit with Docker you can either build the image yourself or pull it
To run tuwunel with Docker you can either build the image yourself or pull it
from a registry.
### Use a registry
OCI images for conduwuit are available in the registries listed below.
OCI images for tuwunel are available in the registries listed below.
| Registry | Image | Size | Notes |
| --------------- | --------------------------------------------------------------- | ----------------------------- | ---------------------- |
| GitHub Registry | [ghcr.io/girlbossceo/conduwuit:latest][gh] | ![Image Size][shield-latest] | Stable latest tagged image. |
| GitLab Registry | [registry.gitlab.com/conduwuit/conduwuit:latest][gl] | ![Image Size][shield-latest] | Stable latest tagged image. |
| Docker Hub | [docker.io/girlbossceo/conduwuit:latest][dh] | ![Image Size][shield-latest] | Stable latest tagged image. |
| GitHub Registry | [ghcr.io/girlbossceo/conduwuit:main][gh] | ![Image Size][shield-main] | Stable main branch. |
| GitLab Registry | [registry.gitlab.com/conduwuit/conduwuit:main][gl] | ![Image Size][shield-main] | Stable main branch. |
| Docker Hub | [docker.io/girlbossceo/conduwuit:main][dh] | ![Image Size][shield-main] | Stable main branch. |
| GitHub Registry | [ghcr.io/jevolk/tuwunel:latest][gh] | ![Image Size][shield-latest] | Stable latest tagged image. |
| GitLab Registry | [registry.gitlab.com/tuwunel/tuwunel:latest][gl] | ![Image Size][shield-latest] | Stable latest tagged image. |
| Docker Hub | [docker.io/jevolk/tuwunel:latest][dh] | ![Image Size][shield-latest] | Stable latest tagged image. |
| GitHub Registry | [ghcr.io/jevolk/tuwunel:main][gh] | ![Image Size][shield-main] | Stable main branch. |
| GitLab Registry | [registry.gitlab.com/tuwunel/tuwunel:main][gl] | ![Image Size][shield-main] | Stable main branch. |
| Docker Hub | [docker.io/jevolk/tuwunel:main][dh] | ![Image Size][shield-main] | Stable main branch. |
[dh]: https://hub.docker.com/r/girlbossceo/conduwuit
[gh]: https://github.com/girlbossceo/conduwuit/pkgs/container/conduwuit
[gl]: https://gitlab.com/conduwuit/conduwuit/container_registry/6369729
[shield-latest]: https://img.shields.io/docker/image-size/girlbossceo/conduwuit/latest
[shield-main]: https://img.shields.io/docker/image-size/girlbossceo/conduwuit/main
[dh]: https://hub.docker.com/r/jevolk/tuwunel
[gh]: https://github.com/jevolk/tuwunel/pkgs/container/tuwunel
[gl]: https://gitlab.com/tuwunel/tuwunel/container_registry/6369729
[shield-latest]: https://img.shields.io/docker/image-size/jevolk/tuwunel/latest
[shield-main]: https://img.shields.io/docker/image-size/jevolk/tuwunel/main
OCI image `.tar.gz` files are also hosted directly at when uploaded by CI with a
commit hash/revision or a tagged release: <https://pup.systems/~strawberry/conduwuit/>
commit hash/revision or a tagged release: <https://pup.systems/~strawberry/tuwunel/>
Use
@@ -41,22 +41,22 @@ When you have the image you can simply run it with
```bash
docker run -d -p 8448:6167 \
-v db:/var/lib/conduwuit/ \
-e CONDUWUIT_SERVER_NAME="your.server.name" \
-e CONDUWUIT_ALLOW_REGISTRATION=false \
--name conduwuit $LINK
-v db:/var/lib/tuwunel/ \
-e tuwunel_SERVER_NAME="your.server.name" \
-e tuwunel_ALLOW_REGISTRATION=false \
--name tuwunel $LINK
```
or you can use [docker compose](#docker-compose).
The `-d` flag lets the container run in detached mode. You may supply an
optional `conduwuit.toml` config file, the example config can be found
optional `tuwunel.toml` config file, the example config can be found
[here](../configuration/examples.md). You can pass in different env vars to
change config values on the fly. You can even configure conduwuit completely by
change config values on the fly. You can even configure tuwunel completely by
using env vars. For an overview of possible values, please take a look at the
[`docker-compose.yml`](docker-compose.yml) file.
If you just want to test conduwuit for a short time, you can use the `--rm`
If you just want to test tuwunel for a short time, you can use the `--rm`
flag, which will clean up everything related to your container after you stop
it.
@@ -91,32 +91,7 @@ docker network create caddy
After that, you can rename it so it matches `docker-compose.yml` and spin up the
containers!
Additional info about deploying conduwuit can be found [here](generic.md).
### Build
Official conduwuit images are built using Nix's
[`buildLayeredImage`][nix-buildlayeredimage]. This ensures all OCI images are
repeatable and reproducible by anyone, keeps the images lightweight, and can be
built offline.
This also ensures portability of our images because `buildLayeredImage` builds
OCI images, not Docker images, and works with other container software.
The OCI images are OS-less with only a very minimal environment of the `tini`
init system, CA certificates, and the conduwuit binary. This does mean there is
not a shell, but in theory you can get a shell by adding the necessary layers
to the layered image. However it's very unlikely you will need a shell for any
real troubleshooting.
The flake file for the OCI image definition is at [`nix/pkgs/oci-image/default.nix`][oci-image-def].
To build an OCI image using Nix, the following outputs can be built:
- `nix build -L .#oci-image` (default features, x86_64 glibc)
- `nix build -L .#oci-image-x86_64-linux-musl` (default features, x86_64 musl)
- `nix build -L .#oci-image-aarch64-linux-musl` (default features, aarch64 musl)
- `nix build -L .#oci-image-x86_64-linux-musl-all-features` (all features, x86_64 musl)
- `nix build -L .#oci-image-aarch64-linux-musl-all-features` (all features, aarch64 musl)
Additional info about deploying tuwunel can be found [here](generic.md).
### Run
@@ -130,6 +105,30 @@ docker compose up -d
> **Note:** Don't forget to modify and adjust the compose file to your needs.
### Nix build
Tuwunel's Nix images are built using [`buildLayeredImage`][nix-buildlayeredimage].
This ensures all OCI images are repeatable and reproducible by anyone, keeps the
images lightweight, and can be built offline.
This also ensures portability of our images because `buildLayeredImage` builds
OCI images, not Docker images, and works with other container software.
The OCI images are OS-less with only a very minimal environment of the `tini`
init system, CA certificates, and the tuwunel binary. This does mean there is
not a shell, but in theory you can get a shell by adding the necessary layers
to the layered image. However it's very unlikely you will need a shell for any
real troubleshooting.
The flake file for the OCI image definition is at [`nix/pkgs/oci-image/default.nix`][oci-image-def].
To build an OCI image using Nix, the following outputs can be built:
- `nix build -L .#oci-image` (default features, x86_64 glibc)
- `nix build -L .#oci-image-x86_64-linux-musl` (default features, x86_64 musl)
- `nix build -L .#oci-image-aarch64-linux-musl` (default features, aarch64 musl)
- `nix build -L .#oci-image-x86_64-linux-musl-all-features` (all features, x86_64 musl)
- `nix build -L .#oci-image-aarch64-linux-musl-all-features` (all features, aarch64 musl)
### Use Traefik as Proxy
As a container user, you probably know about Traefik. It is a easy to use
@@ -138,10 +137,10 @@ web. With the two provided files,
[`docker-compose.for-traefik.yml`](docker-compose.for-traefik.yml) (or
[`docker-compose.with-traefik.yml`](docker-compose.with-traefik.yml)) and
[`docker-compose.override.yml`](docker-compose.override.yml), it is equally easy
to deploy and use conduwuit, with a little caveat. If you already took a look at
to deploy and use tuwunel, with a little caveat. If you already took a look at
the files, then you should have seen the `well-known` service, and that is the
little caveat. Traefik is simply a proxy and loadbalancer and is not able to
serve any kind of content, but for conduwuit to federate, we need to either
serve any kind of content, but for tuwunel to federate, we need to either
expose ports `443` and `8448` or serve two endpoints `.well-known/matrix/client`
and `.well-known/matrix/server`.
@@ -153,4 +152,4 @@ those two files.
See the [TURN](../turn.md) page.
[nix-buildlayeredimage]: https://ryantm.github.io/nixpkgs/builders/images/dockertools/#ssec-pkgs-dockerTools-buildLayeredImage
[oci-image-def]: https://github.com/girlbossceo/conduwuit/blob/main/nix/pkgs/oci-image/default.nix
[oci-image-def]: https://github.com/jevolk/tuwunel/blob/main/nix/pkgs/oci-image/default.nix