Everything posted by bmartino1
-
[GUIDE] Matrix-Synapse w/ postgres DB (chat server) + Element (web client) + Coturn (voice)
I've completed the lxc version for better contorl full env setup and ease of access. https://github.com/bmartino1/unraid-lxc-matrix this project requires ich777 lxc plugin installed. enable anc configure the volume path This is akin to the appdata folder where the sytem lives... this is akin to a VM but closer to a docker given the continer setup and enviroment.... Unraid Installation Step 1 --- Download the LXC TemplateOpen a terminal on your Unraid server and run: wget -O /tmp/lxc_container_template.xml \ https://raw.githubusercontent.com/bmartino1/unraid-lxc-matrix/main/lxc_container_template.xmlStep 2 --- Import the Template/LXCAddTemplate Open the Unraid LXC template page: http://<Your_UnRAID_IP>/LXCAddTemplate Example: http://192.168.1.10/LXCAddTemplate Unraid will automatically detect the downloaded template. Give the continer a name example matrix. Click create and wait for the done button. Then open the terminal then run the scirpts in this order /root/scripts/set-static-ip.shYou MUST SET A STATIC IP! ⚠️ After setting the static IP, fully stop and start the LXC (do not just restart). The new IP will not take effect until a full stop/start cycle. stop the lxc start the lxc * You may need to scroll down for the menu to apear... If you do't stop start you willhave the dhcp ip and static ip and script will not run coreclty... /root/scripts/set-static-ip.shYou MUST SET A STATIC IP! open prot forwarding to 443 and 80 for nginx to teh static ip then set dns record to the bulic ip this will be your domain. *I was able to use free affraid dns https://freedns.afraid.org/ free teer all 5 sub domains... then run the setup script. /root/setup.sh --domain chat.yourPublicdomain.com --admin-pass ChangeMethen 2 side scirpts to have admin script work #Some admin script require teh admin token to do things,,, /root/scripts/get-admin-token.sh #adds token to matrix.env for scritps... #Patch Nginx TO secure jitsu meet public so all things behind nginx RP cd /root/ && wget https://raw.githubusercontent.com/bmartino1/unraid-lxc-matrix/refs/heads/main/patch.sh chmod +x /root/patch.sh /root/patch.sh see WIP admin scritpt testing https://github.com/bmartino1/unraid-lxc-matrix/blob/main/WIP-Notes-Updates.txt Then run the admin scirpt admin consle to make users enable site registration and enjoy... /root/scripts/admin.sh Many Thanks To @ich777 with ich777 for ther OG assistance on a LXC templte in the past... and Many thanks to Adam for ther intal script to get the project started and functional! I also Can't stress on readiing the documentation! Synapse (Matrix homeserver): https://matrix-org.github.io/synapse/latest/ Element Web config: https://github.com/element-hq/element-web/blob/develop/docs/config.md Jitsi Self-Hosting: https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker Coturn: https://github.com/coturn/coturn/wiki/turnserver Matrix federation tester: https://federationtester.matrix.org/
-
Log file keeps getting full
unraid is also verbose formthe start and doen't have a logrotate built in for servers runnign longer then a acouple months ... a user scirpt on a cron can turncate teh logs as it builds up in ram as well. example: #!/bin/bash # Unraid: save syslog + dmesg every 14 days # Good for CA User Scripts OUTDIR="/mnt/user/system_logs" STAMPFILE="/boot/config/plugins/user.scripts/.dmesg_syslog_last_run" HOSTNAME="$(hostname)" NOW_EPOCH="$(date +%s)" DATE_TAG="$(date +%Y-%m-%d_%H-%M-%S)" mkdir -p "$OUTDIR" mkdir -p "$(dirname "$STAMPFILE")" # 14 days = 1209600 seconds INTERVAL=1209600 if [[ -f "$STAMPFILE" ]]; then LAST_RUN="$(cat "$STAMPFILE" 2>/dev/null)" else LAST_RUN=0 fi # If not enough time has passed, exit quietly if [[ $((NOW_EPOCH - LAST_RUN)) -lt $INTERVAL ]]; then exit 0 fi SYSLOG_FILE="${OUTDIR}/${HOSTNAME}_syslog_${DATE_TAG}.log" DMESG_FILE="${OUTDIR}/${HOSTNAME}_dmesg_${DATE_TAG}.log" echo "===== SYSLOG ${DATE_TAG} =====" > "$SYSLOG_FILE" cat /var/log/syslog >> "$SYSLOG_FILE" 2>/dev/null || tail -n 5000 /var/log/syslog >> "$SYSLOG_FILE" 2>/dev/null echo "===== DMESG ${DATE_TAG} =====" > "$DMESG_FILE" dmesg -T > "$DMESG_FILE" 2>/dev/null || dmesg > "$DMESG_FILE" # Optional: gzip old logs larger than a few days old find "$OUTDIR" -type f -name "*.log" -mtime +3 -exec gzip -f {} \; # Optional: delete compressed logs older than 180 days find "$OUTDIR" -type f \( -name "*.gz" -o -name "*.log" \) -mtime +180 -delete echo "$NOW_EPOCH" > "$STAMPFILE"In User Scripts: Create a new script Paste that in Set schedule to Custom Use this cron: 0 3 * * 0That means every Sunday at 3:00 AM, and the script itself only performs the save once every 14 days. so yo can also add a cp line to a disk for long term storage... somting i usaly look for with sd card arm devices like p is the logrotate and cron schedules on things.
-
[GUIDE] Matrix-Synapse w/ postgres DB (chat server) + Element (web client) + Coturn (voice)
Thought I give a side update... as I pushed the edits and scripting as far as I could... I kinda gave up on the docker compose setup side of it due to issues configuring and geting the RP to play nice... so I went the other direction... LXC Since I run PVE I tired my hands at a semi pre built LXC... Using that for inspiration after geting the LXC fully Functional... I copleted this https://github.com/bmartino1/unraid-lxc-matrix and made a ich777 lxc template. and spent more of my time building the admin helper interface... I've compelted this as far as I'm willing to go as iit only requireees port 443 and port 80 pointed to teh lxc IP for a functiinoal matrix, cotrun, element, jitsuii setup. *you can edit the nginx cofg and secure it further then I did. while only needing 2 ports. meet.domain_name is still exposed. On my PVE i was able to configure it to public 403 blocked but lgoined in users Private full access to jitsu... given the run around and documentations that go over reverse proxies. and workign with another whos been runnign matrix for many years with there assistnce we are happy to present matrix synapse the unraid LXC...
-
[GUIDE] Matrix-Synapse w/ postgres DB (chat server) + Element (web client) + Coturn (voice)
my issue if my group of friends and thoes that have had this runign have it installed as a vm / lxc... and its more geting configs udpated and transiononed for unraid in the docker space. Curenlty I have a working LXC chat taht a few friends of mine have been testing to a dns name and we just securied meet and coturn using nginx stream so only nginx 443 adn port 80 are needed... my issues is geting docekrs to beahve in the same manor. I'm wokring on a few updated setup and will share when they have been tested working. Glad you were able to figure something out. Given the age I do recomend using free ai platforms like calude to assit here... I run a in house ai via local AI and unradid and also a side project working with freinds builingd a LLM router so while I do use AI its more to help with grammar and typos with some minro config updates. so from my end/point of view a LXC install and shimepnt may be better then trying to futz with mutiple dockers. *having worked with ich777 and ran a unfi lxc for a while it wound't be too hard to re implement but I rather get teh docker side working first... or setup in a more secure fassion. But I can atelaset atest to it working turn key with the ports int he read me open and confirm that it is possble to only allow 443 and 80 to niginx to run the stack... its more quesitons of once i got jitsui working to why not use jitsue why combine the 2 at all. and they wer more combine orgainly due to issues with teh element new webrtc not wanting to use livekit nor coturn for vidoe/voice... jitsu in and of itself is a full platform... same can be said with outher porjects like mubble... otherwise its stable for wher tis out and I might move on form the project and may workin on a unriad lxc tempalte... with a setup scrip[t and options internaly... IDK yet... More needing time betwwen my free time where i can sit down and comit to program debung and tstng with my friends aviable to do the 2 way cal video and 3 way cal video... All I can do is confirm and corect things... until i put the documention and in practice with this type of config and setting. as its 10 dockers atm and may need to look into adding 3 others.. thisn like elmsets web rtc, synapse hookscript and other adons... but that future raod map. the goal atm was get somehting working that is realibel which is done now it time to edit configure and fine tune it to be more secure..
-
bmartino1 User scripts
Due to a bug: https://product.unraid.net/p/muti-nic-macvlan-host-enabled-relapse-ip-added-docker-rc-script-issue I still don’t know how to reporduce on other systems… But inteh event other users experience this bug too... The Fix You need to either clear the statics.ini entry before flushing, or increase the sleep enough to ensure docker hasn't fired yet (fragile). The clean approach is to add the statics.ini removal to your user script: bash #!/bin/bash sleep 20 # Wait for docker services to start # Remove the statics.ini entry so the monitor doesn't fight us sed -i '/^shim-br0 .*/d' /var/local/emhttp/statics.ini # Also create the .down sentinel to suppress the monitor touch /var/tmp/shim-br0.down # Bring interface down ip link set shim-br0 down # Remove all existing IPs ip addr flush dev shim-br0 # Set static IP ip addr add 192.168.2.247/24 dev shim-br0 ip link set shim-br0 up # Re-register our desired IP back into statics.ini so it survives future docker restarts rm -f /var/tmp/shim-br0.downThe sed removes the .248 entry from statics.ini before the flush, so the monitor has nothing to restore. The touch /var/tmp/shim-br0.down is an extra belt-and-suspenders sentinel that some versions of the monitor check before acting. runnign this in stead seems to restore the static set on this sytem… How I under stand it for the root cause: Root Cause: Race Between Your User Script and Unraid's statics.ini Monitor There are two separate things adding IPs to shim-br0, and they're fighting each other. The Sequence of Events14:45:51 — Unraid fires your user scripts in the background, including vhost-shimbridge-unifi fix (which has a sleep 20 inside it) 14:45:54 — rc.docker start fires 14:45:58 — rc.docker creates shim-br0, and adds 192.168.2.248/24 to it. Critically, it also calls add_entry "shim-br0 192.168.2.248/24 metric 0" — which appends a line to /var/local/emhttp/statics.ini ~14:46:11 — Your user script wakes from sleep 20 and does: ip link set shim-br0 down → ip addr flush dev shim-br0 → ip addr add 192.168.2.247/24 dev shim-br0 → ip link set shim-br0 up Almost immediately — Unraid's background monitor+ process (the statics.ini watcher, pids 2581/2591 visible in your top) detects that 192.168.2.248/24 is missing from shim-br0 and re-adds it — but now as a secondary address on top of your .247 The result: .247 is primary (your script), .248 is secondary (the monitor restored it). Why This Only Affects This Systemdel_entry() in rc.docker does two things: it creates a .down sentinel file AND removes the entry from statics.ini. Your raw ip addr flush does neither — it just yanks the IP off the interface without telling the monitor. On other Unraid systems, you're presumably running the user script as the only thing managing shim-br0, but here DOCKER_ALLOW_ACCESS=yes with a br type network causes rc.docker to both create the shim and register it in statics.ini.
-
Log file keeps getting full
example as I would need the lspci pcie device number or diag file to help structure the command.. Step 1 — Find the NIC’s PCI AddressShow all Ethernet controllers with PCI slotlspci -nn | grep -i ethernetExample output: 03:00.0 Ethernet controller [0200]: Intel Corporation I225-V [8086:15f3]👉 The PCI address is: 03:00.0If you want to match it to a specific interface (like eth0)ethtool -i eth0Look for: bus-info: 0000:03:00.0That’s the exact PCI device path. 🔎 Step 2 — Confirm ASPM Status for That Devicelspci -vv -s 03:00.0 | grep -i aspmYou’ll see something like: LnkCtl: ASPM L1 Enabled🛑 Step 3 — Disable ASPM for ONLY That PCI DeviceLinux controls ASPM via sysfs per device. Disable ASPM for that NIC:echo performance | sudo tee /sys/bus/pci/devices/0000:03:00.0/power/controlOR explicitly disable link power states: echo 0 | sudo tee /sys/bus/pci/devices/0000:03:00.0/link/l1_aspm echo 0 | sudo tee /sys/bus/pci/devices/0000:03:00.0/link/l0s_aspm⚠ If link/l1_aspm does not exist, your kernel may not expose per-link controls (depends on kernel version). Verify It Disabledlspci -vv -s 03:00.0 | grep -i aspmYou should now see: ASPM Disabled If You Want It Persistent Across RebootMake a user script at boot: echo 0 | sudo tee /sys/bus/pci/devices/0000:03:00.0/link/l1_aspm echo 0 | sudo tee /sys/bus/pci/devices/0000:03:00.0/link/l0s_aspm
-
Log file keeps getting full
yes we ca use whats called a hook script adn target the aspm of a single device. the issues is who / what is in contorl and manging xyz. as we can run a comand to do that but other interactions, service etc can turn it back on... this is why the global edit and the global option was mentioned
-
[GUIDE] Matrix-Synapse w/ postgres DB (chat server) + Element (web client) + Coturn (voice)
Step 1 — Remove Public Port Forwards On router/firewall: ❌ Remove: 10000 UDP 3478 5349 direct 80 to jitsi direct 443 to jitsi Only allow: 80 → nginx (60080) 443 → nginx (60443) ✅ Step 2 — Put Jitsi Web Fully Behind Nginx In your nginx.conf: server { listen 443 ssl http2; server_name meet.domain_name; ssl_certificate /etc/nginx/certs/fullchain.pem; ssl_certificate_key /etc/nginx/certs/privkey.pem; location / { proxy_pass http://172.42.0.22:8000; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto https; } location /xmpp-websocket { proxy_pass http://172.42.0.22:8000/xmpp-websocket; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } *Now meet.DOMAIN is not exposed directly. ✅ Step 3 — Secure JVB (Critical Part) You have two options: 🔹 OPTION A (Cleanest) — Force JVB over TCP 443 Edit JVB config: In sip-communicator.properties: org.jitsi.videobridge.DISABLE_TCP_HARVESTER=false org.jitsi.videobridge.TCP_HARVESTER_PORT=443 org.jitsi.videobridge.TCP_HARVESTER_SSLTCP=true Then: Remove 10000 UDP entirely. Only allow TCP 443. JVB will piggyback over HTTPS. This allows: ✔ No UDP open ✔ No 10000 open ✔ Everything over 443 (however I've bee deleting the jitsue docker data fodler and leting the docker configuration recreat and edit configs.. and wound;t be able to point you where that configuration is...) OR 🔹 OPTION B — Force Everything Through TURN over 443 *What I did as coturn is the legacy and more documentation is on it (secured having workeid with it in the past...) Configure Coturn to listen only on 443 TLS: Coturn config: listening-port=443 tls-listening-port=443 fingerprint use-auth-secret no-udp And configure Jitsi: ENABLE_TURN=true https://jitsi.github.io/handbook/docs/dev-guide/dev-guide-configuration/ Idealy current setup is Now: ✔ No 3478 exposed ✔ No 5349 exposed ✔ Only 443 Media will relay via TURN... 🔐 Step 4 — Lock Jitsi to Matrix Users Only You do NOT want random visitors hitting: https://meet.domain_name In Prosody config: authentication = "internal_hashed" And enable secure domain: VirtualHost "meet.domain_name" authentication = "internal_hashed" VirtualHost "guest.meet.domain_name" authentication = "anonymous" c2s_require_encryption = false Then in Jicofo config: org.jitsi.jicofo.auth.URL=XMPP:meet.domain_name Now only authenticated users (via Matrix widget) can create rooms. 🧠 Even Better (Hard Isolation Mode) You can block public access entirely at nginx level: location / { allow 172.42.0.0/24; deny all; } OR Require a secret custom header example: if ($http_x_matrix_auth != "secretkey123") { return 403; } Then inject that header only from Element... etc But Ultimately this type of setup will mkae meet unusable outside your ecosystem. and only functianl with element 📦 Final Secure Architecture udpate Internet │ └── 443 → Nginx ├── Element ├── Synapse ├── Jitsi Web └── TCP passthrough to JVB No: UDP 10000 3478 5349 Direct Jitsi exposure Only Matrix users can start calls. But I'm stil devlepling the code going through docs and working with some other usrs who have ran a simalr matrix synapse and jitsu setup for a couple years. There is a big difference with direct installing vs docker ran versio of this.
-
[GUIDE] Matrix-Synapse w/ postgres DB (chat server) + Element (web client) + Coturn (voice)
I'm glad you have it working. Its public. Anyone can make a meeting and it will work. I don't know if this is meant to be open to outside world. yes this was a concern of mine its that way by desing and in theory could be foreced behind teh RP where only your server can call meet.ExampleDomain.com I'm still working on a nginx RP manual config eidt to acomplish this but due to teh sperate docker isntce comared to a vm/lxc install of the componets (as differenct cofngs get mirred when using docker ... For secruity you wouldn't want that public. but its also fine if it is as when some one can hit the meet domain and make a meeting its a bit harder to us the meet site directly to add users to join the meeting. as ther are some calls and things per the configuration taht will only allow people in a meeting at that level to be able to comunicate. this is more with the udp docker in in teh host net due to udb issues in the docker bridge. and how to secure and deploy. Thus the reason here is somethign to get a example and quick look while working one should manuly edit and define the docker configuration for each and secure it to threre needs. ATM yes this is by desing to show proof of concept for security it needs to be behind the RP. you can also use the jitsu meet public server as a back end. example: https://meet.jit.si/ ########################## Right now my stack is “public Jitsi with Matrix in front.” What you want is: Let’s break this down carefully and realistically. Important Reality Check (WebRTC Limitation) WebRTC media (JVB + TURN) cannot be fully proxied through Nginx. ❌ UDP 10000 cannot be reverse proxied. ❌ TURN 3478/5349 cannot be reverse proxied. ❌ Media traffic is not HTTP. You can hide the web UI behind nginx.(the meet.exampledomain.com) or use a/the public jitsui server... https://jitsi.org/jitsi-meet/ that said work arounds... You cannot tunnel WebRTC media through nginx unless you: Switch JVB to TCP 443 mode Or run everything through TURN over TLS 443 What You Actually Want (Secure Architecture) Instead of: Internet → 10000 UDP → JVB Internet → 3478 → Coturn Internet → meet.DOMAINYou want: Internet → 443 → Nginx └── / → Element └── /_matrix → Synapse └── meet.DOMAIN → Jitsi Web └── 443 TCP → JVB (via nginx stream or direct TLS passthrough)And NO other open ports. here is how I would go about it form testing (tesing is not done)
-
[Support] - Unifi-Controller: Unifi. Unraid. Reborn.
The reason I stayed out of it and other things there is because of their release of the console OS. There was a few updates back where they actually moved off of Mongoose 3 to mongo 7. unfi ve 8.1+ relase notes... *(UniFi 8.1+ is required for MongoDB 7 support.) There's also issues going on in the Debian repository which most of this is built on where Debbie and 12 buster and Debian 13 are breaking away from the old Java jdk and everyone wants to be on Java 21 at the moment. (debain 13 trix will intall v21 as the loest while alot of apps requrie java 11 or 17 to run...) This update and issue post here is clearly we're referencing an issue between Mongo's db3 which needs to be Mongo's db7 and the Java executable explanation of needing Java version 25 to run the new network application suite due to features in the jdk JRE. Well I'm sure it could be worked around fixed and updated. It's not really worth it to me in terms of getting something viable. By all means a separate Docker instance, another can definitely be built reworked and run as intended. This is why I public archived the lxc variant well that will still run and be updateable. And attempts to run the console OS as an lxc completely failed due to how they're trying to run podman and supervisor to control the unify arm stack of UniFi protect and what actually runs behind the unify OS on their physical hardware. And why I posted the MSP guide for the uniFi console, in which case it'd be better to run a Debian virtual machine and install the os console to maintain all features and availability even for for offline access and configurability of your network without the need of a uniFi router... Besides, the docker Network application has always been fickle based on ubiquity UniFi and how they want to handle software updates, moves and control of the offline system.
-
Unraid OS Version 7.2.4 available
upgraded to 7.2.4 with out issue.
-
Unraid OS Version 7.2.4 available
Other information was udpated regrading kerneals (not per unraid.) https://en.wikipedia.org/wiki/Linux_kernel_version_history so i can see 7.3 jumping into kernel 7
-
[Support] - Unifi-Controller: Unifi. Unraid. Reborn.
No a dumb quesiotn but in the wrong area asking for thiis kiind of support... this is what the linux server does and can be acomplised using docker compose... https://hub.docker.com/r/linuxserver/unifi-network-application https://docs.linuxserver.io/images/docker-unifi-network-application/ There is also a differnet support area onteh unraid form for this as well.. and I've done what I could to assint useres wanting a CA unraid install vareint seen here: https://forums.unraid.net/topic/78060-support-linuxserverio-unifi-controller/page/56/#findComment-1326226 on that supoprt fourm side... as its is issues withteh mongo db setup and its creation... the issues was users had issues seting up mongdb that was requried with the use of the compose file thuis this docker that combines them as a All in one... using the linux server docs. (even thogh this should be on that support side... here is an example compse alternative.. Step 1 — Create the init script first Save this as /mnt/user/appdata/unifi-db/init-mongo.sh on your Unraid server: #!/bin/bash if which mongosh > /dev/null 2>&1; then mongo_init_bin='mongosh' else mongo_init_bin='mongo' fi "${mongo_init_bin}" <<EOF use admin db.auth("root", "${MONGO_INITDB_ROOT_PASSWORD}") db.createUser({ user: "${MONGO_USER}", pwd: "${MONGO_PASS}", roles: [ { db: "${MONGO_DBNAME}", role: "dbOwner" }, { db: "${MONGO_DBNAME}_stat", role: "dbOwner" }, { db: "${MONGO_DBNAME}_audit", role: "dbOwner" } ] }) EOFThen make it executable: chmod +x /mnt/user/appdata/unifi-db/init-mongo.sh Step 2 — The docker-compose file --- services: unifi-db: image: docker.io/mongo:7 container_name: unifi-db environment: - MONGO_INITDB_ROOT_USERNAME=root - MONGO_INITDB_ROOT_PASSWORD=yourRootPassword # change this - MONGO_USER=unifi - MONGO_PASS=yourUnifiPassword # change this - MONGO_DBNAME=unifi - MONGO_AUTHSOURCE=admin volumes: - /mnt/user/appdata/unifi-db/data:/data/db - /mnt/user/appdata/unifi-db/init-mongo.sh:/docker-entrypoint-initdb.d/init-mongo.sh:ro restart: unless-stopped unifi-network-application: image: lscr.io/linuxserver/unifi-network-application:latest container_name: unifi-network-application depends_on: - unifi-db environment: - PUID=99 # Unraid's nobody user - PGID=100 # Unraid's users group - TZ=America/New_York # change to your timezone - MONGO_USER=unifi - MONGO_PASS=yourUnifiPassword # must match above - MONGO_HOST=unifi-db - MONGO_PORT=27017 - MONGO_DBNAME=unifi - MONGO_AUTHSOURCE=admin - MEM_LIMIT=1024 - MEM_STARTUP=1024 volumes: - /mnt/user/appdata/unifi-network-application:/config ports: - 8443:8443 # Web UI (https) - 3478:3478/udp # STUN - 10001:10001/udp # AP discovery - 8080:8080 # Device communication (do NOT change) - 1900:1900/udp # L2 discovery (optional) - 8843:8843 # Guest portal HTTPS (optional) - 8880:8880 # Guest portal HTTP (optional) - 6789:6789 # Mobile speed test (optional) restart: unless-stopped*THis doen't have the ui stack forthe icon nor adatianl label as i dont' want to get off suport topinc for this are...a A few Unraid-specific notes: PUID=99 / PGID=100 are Unraid's standard nobody/users — this avoids permission headaches with appdata shares. Pin MongoDB to a major version (e.g., mongo:7) — never use latest since Mongo doesn't support auto-upgrades between major versions. The init-mongo.sh only runs on the very first start with a clean /data/db. If you've already run the MongoDB container without it, you'll need to delete the data folder and start fresh. After everything is up, the UI is at https://your-unraid-ip:8443. For device adoption, go to Settings > System > Advanced and set the Inform Host to your Unraid server's IP. Please use the other support area for that setup... Thsi is the suport area for: Ultimately with teh unif capabilitet to run the consol os (which runs superviosr docker and podman... I would run teh full consoel os (In a VM) per ealier post https://forums.unraid.net/topic/147455-support-unifi-controller-unifi-unraid-reborn/page/35/#findComment-1608639
-
[GUIDE] Matrix-Synapse w/ postgres DB (chat server) + Element (web client) + Coturn (voice)
I post here more due to a pre-existing guide... This repo is a best-effort starting point ( to get you into something similar to a turn key) https://github.com/bmartino1/matrix-textvoicevideo its only job is to get a working stack running with sane defaults and some recommended security hardening. Custom configurations, federation debugging, and integrations with other services will require referencing the upstream docs: Synapse (Matrix homeserver): https://matrix-org.github.io/synapse/latest/ Element Web config: https://github.com/element-hq/element-web/blob/develop/docs/config.md Jitsi Self-Hosting: https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker Coturn: https://github.com/coturn/coturn/wiki/turnserver Matrix federation tester: https://federationtester.matrix.org/ Similar I won't be able to supply much support or help beyond what I personally tested and run as there are a lot of moving parts this repo runs 10 dockers and manges the configuration at a min to just get working... configuration of each service docker and its configuration ultimate rely on you. What you want it to do and how you want to interact with it...
-
[GUIDE] Matrix-Synapse w/ postgres DB (chat server) + Element (web client) + Coturn (voice)
I have recenly pushed and updated code. Per a earlier github issues regarding gui RPs such as NPM... I've added an adataionl flag for some config help edits... So here is a Q/A as I can't type to save my life and use AI / web tools to assit in responses... and will not be able to provide suport for things outside of the stack intedned job. Mainly that I tried to use teh Gui RPs and alwys end up neededing to manual configure teh configs... this is why the nginx stack exisitng in my stack to begin with with the manual edited nginx config... Q/A: Q: MISSING_MATRIX_RTC_FOCUS — this is the most important one to get right. The user is hitting the Element Call button, not the Jitsi widget. Element Call is a completely different calling system that needs matrix-rtc infrastructure this stack doesn't run. The fix is just confirming the three feature_*: false flags are in their config.json, and redirecting them to the correct way to start a Jitsi call (via the widget, not the native call button). A: So example: root@BMM-Tower:/mnt/user/appdata/matrix-textvoicevideo/data/element-web/config# ls config.json* These need adjusted in the elemnet web config: "features": { "feature_video_rooms": false, "feature_group_calls": false, "feature_element_call_video_rooms": false }With elemnt via the web borwser i disabled these so default should be false... This si to enforce a room / caht with 2 poeple only use cotrun. 3 or more use jitsi meet. see more documentation here: https://docs.element.io/latest/element-server-suite-pro/advanced/ Recap: Element Call / Video Rooms — MISSING_MATRIX_RTC_FOCUS This error is not a Jitsi or port problem. It is caused by Element Web trying to use Element Call (a newer WebRTC calling system built into Matrix itself), which requires a separate matrix-rtc service that is not part of this stack. This stack uses Jitsi for video — which is a separate system that Element Web launches as a widget. Element Call and Jitsi are two different things. Fix: Video rooms must be started through the Jitsi widget, not the native Element Call button. To disable the Element Call button entirely and prevent this confusion, make sure your element-web/config/config.json contains the updated element web config above..: If you ran setup.sh, this is already written for you. If you see the error, double-check the file at: data/element-web/config/config.jsonTo start a Jitsi video call: open a room → click the video camera widget icon → Add Jitsi widget. That is how video calling works with this stack. Q: DNS subdomains — they're worried about auth.meet.*, internal-muc.meet.* etc. Clear answer: those are internal XMPP identifiers, they never leave Docker, no DNS needed. Only two public records required. A: No. Those entries in .env (JITSI_AUTH_DOMAIN, JITSI_MUC_DOMAIN, JITSI_INTERNAL_MUC_DOMAIN) are internal XMPP domain names used by Jitsi's components to talk to each other inside Docker. They never leave the container network and do not need public DNS records. You only need two public DNS A records, both pointing to the same public IP: matrix.domain.com A YOUR.PUBLIC.IP meet.matrix.domain.com A YOUR.PUBLIC.IPThat is it. The certificate covers both. Everything else is internal. Q: JVB UDP 10000 missing from docker ps — classic host-network confusion. The port isn't missing, it's just that host-networked containers don't show port mappings in docker ps. Gave them a ss -ulnp command to verify it's actually bound. A: Thought this was celarly exmplaind in teh github readme... This is expected. jitsi-jvb uses network_mode: host — it binds directly to the host network interface rather than going through Docker's port mapping system. That is why no port mapping shows in docker ps. UDP 10000 is open and listening on your Unraid host directly. You can verify with: ss -ulnp | grep 10000Your router just needs UDP 10000 forwarded to your Unraid IP (same IP, same port — no translation needed). Same applies to Coturn on 3478/5349. You can learn some more here via my guide on unraid docker netwroks.. whcih also flowls the docker docs... https://bmartino1.weebly.com/guide-dockernetworks.html and the docker docs... Host was chosen due to issue with docker security and udp traffic to use turn/stun properly. Host allows access into the docker netowrk via the unraid ip and is port forward able to use over the wider internet... a RP in fornt in theory could re route the netowrk with port forwards are not needed for udb traffic though the RP... But due to muticast udp packets and the 2 dockers. cotrun and JVB. it is best (when runnign as docker) to set them to host mode for access into unriads network and capabilties loced due to docker netowrk security. Q: Certbot failure — confirmed their diagnosis is right (nginx holds 60080), pointed them to certbot-init.sh which handles the stop/start, and gave them the manual cert copy path for people using Cloudflare or their own certs. A: *this has been updated in the github now. setup, and teh admin script with certbot are fixed to re use nginx ports makein sure my stack nginx is down so ports are open to comeplte lets encrypt... docker compose TLS profile is also avilabe t=for run and renwal outsdie of the admin scripts.. The root cause is that nginx is already running and holding port 60080 when certbot tries to bind it. Certbot's standalone mode needs to own that port exclusively to serve the ACME challenge. The fix is to stop nginx first, run certbot, then restart nginx. The updated certbot-init.sh script in this repo handles that automatically: bash # Stop nginx, obtain cert, restart nginx ./scripts/certbot-init.shIf you already have your own SSL certs (e.g. from Cloudflare or your own CA), you can skip certbot entirely and copy them directly: bash mkdir -p data/nginx/certs/live/matrix.domain.com cp your-fullchain.pem data/nginx/certs/live/matrix.domain.com/fullchain.pem cp your-privkey.pem data/nginx/certs/live/matrix.domain.com/privkey.pem docker compose restart matrix-nginx matrix-coturnNginx and Coturn both read certs from that path. LAN / --no-tls confusion — clarified that port 80 is never touched even in no-tls mode (nginx stays on 60080), explained hairpin NAT as Option A, and local DNS as Option B. This directly answers their confusion about Unraid going down. A: orginaly this was more lan side testing for me... and stayed for what was side testing / options latter due to nginx RPs adn certs issues for explination to other users... What this does: is no nginx config 443 and cert generation... You may need the new added feature for --behind-proxy ... --no-tls HTTP-only — skip all TLS/certbot entirely Use for: LAN/testing, or when an external proxy on a different machine handles TLS before reaching this host *also recenlty updated in the github read me... https://github.com/bmartino1/matrix-textvoicevideo?tab=readme-ov-file#tls-certificates-and-https TLS Certificates and HTTPSThis stack supports three TLS modes. Choose based on your setup: Mode Flag When to use Self-managed (default) Nginx handles TLS directly. Certbot obtains a Let's Encrypt cert. Best for most setups. Behind external proxy --behind-proxy Another proxy (NPM, Traefik, Caddy) sits in front of this stack and handles TLS. Nginx runs HTTP-only internally. HTTP only --no-tls No TLS at all. Use for LAN-only, testing, or development. Default Mode — Nginx Manages TLSInternet → WAN:443 → Router NAT → Unraid:60443 → nginx (TLS termination) → services Internet → WAN:80 → Router NAT → Unraid:60080 → nginx (ACME / redirect) Nginx holds the TLS certificate and terminates HTTPS for all services. Certbot obtains and renews the certificate from Let's Encrypt. See New added data: https://github.com/bmartino1/matrix-textvoicevideo?tab=readme-ov-file#--behind-proxy-mode--external-reverse-proxy-handles-tls So recap as LAN / Local Server — --no-tls and port 80 on Unraid You are right that --no-tls on Unraid cannot use port 80 — Unraid's web GUI owns it. The --no-tls mode still uses the same host ports 60080/60443 as the rest of the stack (set in docker-compose.yml). Nothing changes about port binding. What changes with --no-tls is that nginx does not redirect HTTP to HTTPS and does not require cert files. The stack is just accessible over plain HTTP. For LAN access you have two options: Option A — Use your real domain but access it on the LAN: Your DNS A record points to your public IP. Access from inside your LAN goes out through your router and back in (hairpin NAT), or you add a local DNS override in your router/Pi-hole pointing matrix.domain.com to your Unraid LAN IP. The stack runs exactly the same — no changes needed. Option B — Local-only hostname with --no-tls: bash sudo bash setup.sh --domain matrix.local --no-tlsThen add a local DNS entry (router, Pi-hole, /etc/hosts) pointing matrix.local to your Unraid IP. Access the UI at http://matrix.local:60080. No A record, no internet required. Note: federation with other Matrix servers won't work without HTTPS. Future Guidelines. as Im just going over docs and doing what the docs say... General Support Guidance This stack has a lot of moving parts and the upstream projects each have their own documentation. For issues beyond basic setup, these are the best references: Synapse (Matrix homeserver): https://matrix-org.github.io/synapse/latest/ Element Web config: https://github.com/element-hq/element-web/blob/develop/docs/config.md Jitsi Self-Hosting: https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker Coturn: https://github.com/coturn/coturn/wiki/turnserver Matrix federation tester: https://federationtester.matrix.org/ This repo is a best-effort starting point
-
[Plugin] Docker Compose Manager
The docker compose plugin creates a Docker override yml file for use for the UI stack label. When you edit the unrated compose manager stack you have option for UI labels. If you update just the compose, it will not auto update the UI stack and rewrite the docker override yml file. You have to on save. Delete every item in the UI stack and hit OK. Then edit the docker compose file again and then it will repopulate the information per the labels in the docker compose. Otherwise, you need to manually edit each line again via the UI stack in the web UI
-
[Plugin] Docker Compose Manager
And vise versa to convert compose into a docker run that can be used to make a unraid manual template or run as is with a 3rd party run outside of unraid emhttp dockerman. https://www.decomposerize.com/
-
[Plugin] Docker Compose Manager
Did qdot run Docker run lines or did they have their own compsee system. I've yet to interact with the qnap system. The reason I ask is I can send you to a website that you can paste your Docker one line into and it will generate the compose file options and all. Then you can fix some small things in the compose file. Add things such as labels for unread UI. And run the same configurations changing the mounting points to wherever the data is on unraid.. Example composer riser: https://www.composerize.com/
-
[GUIDE] Matrix-Synapse w/ postgres DB (chat server) + Element (web client) + Coturn (voice)
I may need to run something to make sure nginx is not running and use the same ports as nginx Coturn and jitsu ?jvb? Are set to docker host mode. That is the 1000 port. Certbot is more for setup tsl and use a self signed cert. See the certbot-int (lator I need to update it) as it is a docker run issue with nginxrinning and needing the router port 80 for acme/yls registration...) tested with a cloud flared domain and updated the script, I see I didn't update the GitHub with the correction to run certbot. As certbot need to run docker. Ridge and match same ports as nginx...) DNS needs 2 DNS names to the same cert. If my domain name is unraid.com I will also need meet.unraid.com That is what cause slef host jitsu from make videos rooms. I'm away from PC today and will take a close look at the post and things in GitHub tomorrow. There are a lot of moving parts and I tried to share a lot of secure by default setup. By no means is this GitHub stack complete but it's enough to get people started. I went jitsu due to changes with synapse and new intergration as the config is set to use the server it self and not the public meet.jitsu for a room. I'm also working with 3 other groups that require a little bit of other configuration editing and ATM can only reference the documentation for matrix synapse and element.
-
Immich machine learning
If using the ca, you need to install the cuda version. That's because the default Docker does not have the drivers. Similar back with any other system you need to install the drivers to use that device. The default does not have the graphics drivers installed. That's why you need to install the appropriate Docker based on your hardware...
-
Tutorial for mountaing Unraid NFS share to Ubuntu Server?
that looks good to me/ sorry forthe late reply. my usualy form feed didn't show a update to this topic.
-
How to reduce retention policy for snapshot replication of ZFS datasets?
you can install teh beta snapshot plugiin and delete old snap shots. I have a code stich into my zfs snapshot sytem that keeps X # of snapshots... example: https://forums.unraid.net/topic/178033-bmartino1-user-scripts/#findComment-1478664 You would most likey need a zfs comand to search and delte teh oldest sanpshopt to bring you to new setup....
-
[Container] TSDProxy
your configurations are bad and off I have ver minaml latecy if any at all... But I also have Fiber internet i don't have to wait at all for my services over tsdproxy via CA,. compse etc... that is entrely configuration and per client internet bandwith...
-
Docker Compose enable Tailscale Funnel for docker uses tsdproxy
This is known as a side car method -l tsdproxy.enable=true -l tsdproxy.name=plex -l tsdproxy.funnel=true or --label tsdproxy.enable=true --label tsdproxy.name=plex --label tsdproxy.funnel=true \ and can be added to urnaid ca via extra parm:
-
[Container] TSDProxy
unless your funneling, your client machien also needs to client conect to teh tail net to access the application. see also https://forums.unraid.net/topic/190620-docker-compose-enable-tailscale-funnel-for-docker-uses-tsdproxy/