add initial mas setup

.env.sample

@@ -19,6 +19,71 @@ SECRET_FORM_SECRET_VERSION=v1
 SECRET_MACAROON_VERSION=v1
 SECRET_REGISTRATION_VERSION=v1
 
+## Authentication
+
+# All login / SSO / MAS-related toggles in one place.
+
+### Local password & registration (Synapse native)
+
+# With MAS_ENABLED=1 you must set PASSWORD_LOGIN_ENABLED=false — Synapse forbids legacy password DB alongside matrix_authentication_service.
+PASSWORD_LOGIN_ENABLED=true
+ENABLE_REGISTRATION=false
+
+# Token based registration. Enable ADMIN_INTERFACE (below) to use the admin interface to generate tokens.
+#REGISTRATION_REQUIRES_TOKEN=true
+
+### OIDC via Keycloak-shaped API (e.g. Authentik)
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak.yml"
+#KEYCLOAK_ENABLED=1
+#KEYCLOAK_ID=keycloak
+#KEYCLOAK_NAME=
+#KEYCLOAK_URL=
+#KEYCLOAK_CLIENT_ID=
+#KEYCLOAK_CLIENT_DOMAIN=
+#KEYCLOAK_ALLOW_EXISTING_USERS=false
+#SECRET_KEYCLOAK_CLIENT_SECRET_VERSION=v1
+
+### Second OIDC provider (compose.keycloak2.yml)
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak2.yml"
+#KEYCLOAK2_ENABLED=1
+#KEYCLOAK2_ID=keycloak2
+#KEYCLOAK2_NAME=
+#KEYCLOAK2_URL=
+#KEYCLOAK2_CLIENT_ID=
+#KEYCLOAK2_CLIENT_DOMAIN=
+#KEYCLOAK2_ALLOW_EXISTING_USERS=false
+#SECRET_KEYCLOAK2_CLIENT_SECRET_VERSION=v1
+
+### Third OIDC provider (compose.keycloak3.yml)
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak3.yml"
+#KEYCLOAK3_ENABLED=1
+#KEYCLOAK3_ID=keycloak3
+#KEYCLOAK3_NAME=
+#KEYCLOAK3_URL=
+#KEYCLOAK3_CLIENT_ID=
+#KEYCLOAK3_CLIENT_DOMAIN=
+#KEYCLOAK3_ALLOW_EXISTING_USERS=false
+#SECRET_KEYCLOAK3_CLIENT_SECRET_VERSION=v1
+
+### Matrix Authentication Service (MAS) — Element X / OIDC-native auth
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.mas.yml"
+#MAS_ENABLED=1
+#PASSWORD_LOGIN_ENABLED=false
+#SECRET_MAS_ENCRYPTION_VERSION=v1 # length=64 # charset=hex
+#SECRET_MAS_SYNAPSE_SHARED_VERSION=v1 # length=64 # charset=hex
+# PEM private key: abra cannot generate this format — insert only (e.g. openssl genrsa 2048 | abra app secret insert …)
+#SECRET_MAS_SIGNING_RSA_VERSION=v1 # generate=false
+
+### Shared secret auth (bridges / automation)
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.shared_secret_auth.yml"
+#SHARED_SECRET_AUTH_ENABLED=1
+#SECRET_SHARED_SECRET_AUTH_VERSION=v1 # length=128
+
 ## Federation
 
 #DISABLE_FEDERATION=1
@@ -28,14 +93,6 @@ SERVE_SERVER_WELLKNOWN=false
 
 ALLOW_PUBLIC_ROOMS_FEDERATION=false
 
-## Registration
-
-ENABLE_REGISTRATION=false
-PASSWORD_LOGIN_ENABLED=true
-
-# Token based registration. Enable ADMIN_INTERFACE (below) to use the admin interface to generate tokens.
-#REGISTRATION_REQUIRES_TOKEN=true
-
 ## Room auto-join
 
 #AUTO_JOIN_ROOM_ENABLED=1
@@ -98,30 +155,8 @@ RETENTION_MAX_LIFETIME=4w
 #LOGIN_LIMIT_ACCOUNT_PER_SECOND=1
 #LOGIN_LIMIT_ACCOUNT_BURST=10
 
-## Keycloak SSO
-
-#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak.yml"
-#KEYCLOAK_ENABLED=1
-#KEYCLOAK_ID=keycloak
-#KEYCLOAK_NAME=
-#KEYCLOAK_URL=
-#KEYCLOAK_CLIENT_ID=
-#KEYCLOAK_CLIENT_DOMAIN=
-#KEYCLOAK_ALLOW_EXISTING_USERS=false
-#SECRET_KEYCLOAK_CLIENT_SECRET_VERSION=v1
-
 ## TURN
 
-#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak3.yml"
-#KEYCLOAK3_ENABLED=1
-#KEYCLOAK3_ID=keycloak3
-#KEYCLOAK3_NAME=
-#KEYCLOAK3_URL=
-#KEYCLOAK3_CLIENT_ID=
-#KEYCLOAK3_CLIENT_DOMAIN=
-#KEYCLOAK3_ALLOW_EXISTING_USERS=false
-#SECRET_KEYCLOAK3_CLIENT_SECRET_VERSION=v1
-
 #COMPOSE_FILE="$COMPOSE_FILE:compose.turn.yml"
 #TURN_ENABLED=1
 #TURN_URIS="[\"turns:coturn.foo.zone?transport=udp\", \"turns:coturn.foo.zone?transport=tcp\"]"
@@ -189,12 +224,6 @@ RETENTION_MAX_LIFETIME=4w
 #SECRET_SIGNAL_HS_TOKEN_VERSION=v1
 #SECRET_SIGNAL_PICKLE_KEY_VERSION=v1
 
-## Shared auth
-
-#COMPOSE_FILE="$COMPOSE_FILE:compose.shared_secret_auth.yml"
-#SHARED_SECRET_AUTH_ENABLED=1
-#SECRET_SHARED_SECRET_AUTH_VERSION=v1 # length=128
-
 ## Web Client (Redirect)
 #WEB_CLIENT_LOCATION=https://element-web.example.com
 

abra.sh

@@ -1,13 +1,14 @@
 export DISCORD_BRIDGE_YAML_VERSION=v2
 export ENTRYPOINT_CONF_VERSION=v3
-export HOMESERVER_YAML_VERSION=v35
+export HOMESERVER_YAML_VERSION=v36
 export LOG_CONFIG_VERSION=v2
 export SHARED_SECRET_AUTH_VERSION=v2
 export SIGNAL_BRIDGE_YAML_VERSION=v6
 export TELEGRAM_BRIDGE_YAML_VERSION=v6
-export NGINX_CONFIG_VERSION=v12
+export NGINX_CONFIG_VERSION=v13
 export WK_SERVER_VERSION=v1
-export WK_CLIENT_VERSION=v1
+export WK_CLIENT_VERSION=v2
+export MAS_CONFIG_VERSION=v1
 export PG_BACKUP_VERSION=v2
 export ADMIN_CONFIG_VERSION=v1
 

compose.mas.yml

@@ -0,0 +1,47 @@
+---
+version: "3.8"
+
+# Matrix Authentication Service (MAS) — optional overlay for Element X / OIDC-native auth.
+
+services:
+  mas:
+    image: ghcr.io/element-hq/matrix-authentication-service:1.14.0
+    command: ["server", "--config=/etc/mas/config.yaml"]
+    environment:
+      - DOMAIN
+      - SERVER_NAME
+      - STACK_NAME
+    networks:
+      - internal
+    configs:
+      - source: mas_config
+        target: /etc/mas/config.yaml
+    secrets:
+      - db_password
+      - mas_encryption
+      - mas_synapse_shared
+      - mas_signing_rsa
+    deploy:
+      restart_policy:
+        condition: on-failure
+
+  app:
+    secrets:
+      - mas_synapse_shared
+
+configs:
+  mas_config:
+    name: ${STACK_NAME}_mas_config_${MAS_CONFIG_VERSION}
+    file: mas.config.yaml.tmpl
+    template_driver: golang
+
+secrets:
+  mas_encryption:
+    external: true
+    name: ${STACK_NAME}_mas_encryption_${SECRET_MAS_ENCRYPTION_VERSION}
+  mas_synapse_shared:
+    external: true
+    name: ${STACK_NAME}_mas_synapse_shared_${SECRET_MAS_SYNAPSE_SHARED_VERSION}
+  mas_signing_rsa:
+    external: true
+    name: ${STACK_NAME}_mas_signing_rsa_${SECRET_MAS_SIGNING_RSA_VERSION}

compose.yml

@@ -10,6 +10,7 @@ services:
     environment:
       - DOMAIN
       - STACK_NAME
+      - MAS_ENABLED
       - NGINX_ACCESS_LOG_LOCATION
       - NGINX_ERROR_LOG_LOCATION
       - MAX_UPLOAD_SIZE
@@ -46,6 +47,7 @@ services:
       - macaroon
       - form_secret
     environment:
+      - MAS_ENABLED
       - ALLOWED_LIFETIME_MAX
       - ALLOW_PUBLIC_ROOMS_FEDERATION
       - AUTO_JOIN_ROOM

homeserver.yaml.tmpl

@@ -259,9 +259,18 @@ sso:
 {{ end }}
 
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#password_config
+# With MAS (matrix_authentication_service), Synapse rejects password_config.enabled: true — set PASSWORD_LOGIN_ENABLED=false in app .env when MAS_ENABLED=1 (.env.sample).
 password_config:
    enabled: {{ env "PASSWORD_LOGIN_ENABLED" }}
 
+{{ if eq (env "MAS_ENABLED") "1" }}
+# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#matrix_authentication_service
+matrix_authentication_service:
+  enabled: true
+  endpoint: http://{{ env "STACK_NAME"}}_mas:8080/
+  secret_path: /run/secrets/mas_synapse_shared
+{{ end }}
+
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#email
 {{ if eq (env "SMTP_ENABLED") "1" }}
 email:

mas.config.yaml.tmpl

@@ -0,0 +1,41 @@
+# Docs: https://element-hq.github.io/matrix-authentication-service/
+
+http:
+  public_base: https://{{ env "DOMAIN" }}/
+  trusted_proxies:
+    - 10.0.0.0/8
+    - 172.16.0.0/12
+    - 192.168.0.0/16
+    - 127.0.0.0/8
+    - fd00::/8
+    - ::1/128
+  listeners:
+    - name: web
+      resources:
+        - name: discovery
+        - name: human
+        - name: oauth
+        - name: compat
+        - name: graphql
+          playground: false
+        - name: assets
+      binds:
+        - address: "[::]:8080"
+
+database:
+  uri: postgresql://synapse:{{ secret "db_password" }}@{{ env "STACK_NAME" }}_db:5432/mas?sslmode=disable
+
+matrix:
+  kind: synapse
+  homeserver: {{ or (env "SERVER_NAME") (env "DOMAIN") }}
+  endpoint: http://{{ env "STACK_NAME" }}_app:8008/
+  secret_file: /run/secrets/mas_synapse_shared
+
+secrets:
+  # Plain hex in file (abra: length=64 charset=hex). See .env.sample modifiers.
+  encryption_file: /run/secrets/mas_encryption
+  keys:
+    - key_file: /run/secrets/mas_signing_rsa
+
+passwords:
+  enabled: true

nginx.conf.tmpl

@@ -15,6 +15,14 @@ http {
     keepalive 16;
   }
 
+{{ if eq (env "MAS_ENABLED") "1" }}
+  upstream mas_upstream {
+    zone mas_upstream 64k;
+    server {{ env "STACK_NAME"}}_mas:8080 resolve;
+    keepalive 8;
+  }
+{{ end }}
+
   server {
     listen 80;
 
@@ -32,7 +40,30 @@ http {
       proxy_http_version 1.1;
     }
     
-    location ~* ^(\/_matrix|\/_synapse\/client) {
+{{ if eq (env "MAS_ENABLED") "1" }}
+    # MAS on same Host as Synapse (public_base = https://$DOMAIN/): browser/OIDC paths live at repo root, not only under /_matrix/
+    # Router reference: element-hq/matrix-authentication-service crates/router/src/endpoints.rs
+    # https://element-hq.github.io/matrix-authentication-service/setup/reverse-proxy.html
+    location ~ ^/(complete-compat-sso/|oauth2/|\.well-known/(openid-configuration|webfinger|change-password)|authorize|login|logout|register(/|$)|account/|upstream/|consent/|link(\?|/|$)|device/|recover(/|$)|assets/|graphql(/|$)|api/) {
+      proxy_pass http://mas_upstream;
+      proxy_http_version 1.1;
+      proxy_set_header Host $host;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto https;
+      client_max_body_size 50M;
+    }
+    # Matrix CS API compat (login / logout / refresh and subpaths, e.g. …/login/sso/redirect) — before generic /_matrix
+    location ~ ^/_matrix/client/[^/]+/(login|logout|refresh)(/.*)?$ {
+      proxy_pass http://mas_upstream;
+      proxy_http_version 1.1;
+      proxy_set_header Host $host;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto https;
+      client_max_body_size 50M;
+    }
+{{ end }}
+
+    location ~* ^(\/_matrix|\/_synapse\/client|\/_synapse\/mas) {
       proxy_pass http://matrix_upstream;
       proxy_set_header X-Forwarded-For $remote_addr;
       proxy_set_header X-Forwarded-Proto https;

well_known_client.conf.tmpl

@@ -1,5 +1,8 @@
 {
   "m.homeserver": {
     "base_url": "https://{{ env "DOMAIN" }}"
-  }
+  }{{ if eq (env "MAS_ENABLED") "1" }},
+  "org.matrix.msc2965.authentication": {
+    "issuer": "https://{{ env "DOMAIN" }}/"
+  }{{ end }}
 }