add initial mas setup

This commit is contained in:
Simon
2026-04-07 14:59:19 +02:00
parent 8a7978b388
commit 5481b7e31c
8 changed files with 521 additions and 358 deletions


@ -19,6 +19,71 @@ SECRET_FORM_SECRET_VERSION=v1
SECRET_MACAROON_VERSION=v1 SECRET_MACAROON_VERSION=v1
SECRET_REGISTRATION_VERSION=v1 SECRET_REGISTRATION_VERSION=v1
## Authentication
# All login / SSO / MAS-related toggles in one place.
### Local password & registration (Synapse native)
# With MAS_ENABLED=1 you must set PASSWORD_LOGIN_ENABLED=false — Synapse forbids legacy password DB alongside matrix_authentication_service.
PASSWORD_LOGIN_ENABLED=true
ENABLE_REGISTRATION=false
# Token based registration. Enable ADMIN_INTERFACE (below) to use the admin interface to generate tokens.
#REGISTRATION_REQUIRES_TOKEN=true
### OIDC via Keycloak-shaped API (e.g. Authentik)
#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak.yml"
#KEYCLOAK_ENABLED=1
#KEYCLOAK_ID=keycloak
#KEYCLOAK_NAME=
#KEYCLOAK_URL=
#KEYCLOAK_CLIENT_ID=
#KEYCLOAK_CLIENT_DOMAIN=
#KEYCLOAK_ALLOW_EXISTING_USERS=false
#SECRET_KEYCLOAK_CLIENT_SECRET_VERSION=v1
### Second OIDC provider (compose.keycloak2.yml)
#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak2.yml"
#KEYCLOAK2_ENABLED=1
#KEYCLOAK2_ID=keycloak2
#KEYCLOAK2_NAME=
#KEYCLOAK2_URL=
#KEYCLOAK2_CLIENT_ID=
#KEYCLOAK2_CLIENT_DOMAIN=
#KEYCLOAK2_ALLOW_EXISTING_USERS=false
#SECRET_KEYCLOAK2_CLIENT_SECRET_VERSION=v1
### Third OIDC provider (compose.keycloak3.yml)
#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak3.yml"
#KEYCLOAK3_ENABLED=1
#KEYCLOAK3_ID=keycloak3
#KEYCLOAK3_NAME=
#KEYCLOAK3_URL=
#KEYCLOAK3_CLIENT_ID=
#KEYCLOAK3_CLIENT_DOMAIN=
#KEYCLOAK3_ALLOW_EXISTING_USERS=false
#SECRET_KEYCLOAK3_CLIENT_SECRET_VERSION=v1
### Matrix Authentication Service (MAS) — Element X / OIDC-native auth
#COMPOSE_FILE="$COMPOSE_FILE:compose.mas.yml"
#MAS_ENABLED=1
#PASSWORD_LOGIN_ENABLED=false
#SECRET_MAS_ENCRYPTION_VERSION=v1 # length=64 # charset=hex
#SECRET_MAS_SYNAPSE_SHARED_VERSION=v1 # length=64 # charset=hex
# PEM private key: abra cannot generate this format — insert only (e.g. openssl genrsa 2048 | abra app secret insert …)
#SECRET_MAS_SIGNING_RSA_VERSION=v1 # generate=false
### Shared secret auth (bridges / automation)
#COMPOSE_FILE="$COMPOSE_FILE:compose.shared_secret_auth.yml"
#SHARED_SECRET_AUTH_ENABLED=1
#SECRET_SHARED_SECRET_AUTH_VERSION=v1 # length=128
## Federation ## Federation
#DISABLE_FEDERATION=1 #DISABLE_FEDERATION=1
@ -28,14 +93,6 @@ SERVE_SERVER_WELLKNOWN=false
ALLOW_PUBLIC_ROOMS_FEDERATION=false ALLOW_PUBLIC_ROOMS_FEDERATION=false
## Registration
ENABLE_REGISTRATION=false
PASSWORD_LOGIN_ENABLED=true
# Token based registration. Enable ADMIN_INTERFACE (below) to use the admin interface to generate tokens.
#REGISTRATION_REQUIRES_TOKEN=true
## Room auto-join ## Room auto-join
#AUTO_JOIN_ROOM_ENABLED=1 #AUTO_JOIN_ROOM_ENABLED=1
@ -98,30 +155,8 @@ RETENTION_MAX_LIFETIME=4w
#LOGIN_LIMIT_ACCOUNT_PER_SECOND=1 #LOGIN_LIMIT_ACCOUNT_PER_SECOND=1
#LOGIN_LIMIT_ACCOUNT_BURST=10 #LOGIN_LIMIT_ACCOUNT_BURST=10
## Keycloak SSO
#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak.yml"
#KEYCLOAK_ENABLED=1
#KEYCLOAK_ID=keycloak
#KEYCLOAK_NAME=
#KEYCLOAK_URL=
#KEYCLOAK_CLIENT_ID=
#KEYCLOAK_CLIENT_DOMAIN=
#KEYCLOAK_ALLOW_EXISTING_USERS=false
#SECRET_KEYCLOAK_CLIENT_SECRET_VERSION=v1
## TURN ## TURN
#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak3.yml"
#KEYCLOAK3_ENABLED=1
#KEYCLOAK3_ID=keycloak3
#KEYCLOAK3_NAME=
#KEYCLOAK3_URL=
#KEYCLOAK3_CLIENT_ID=
#KEYCLOAK3_CLIENT_DOMAIN=
#KEYCLOAK3_ALLOW_EXISTING_USERS=false
#SECRET_KEYCLOAK3_CLIENT_SECRET_VERSION=v1
#COMPOSE_FILE="$COMPOSE_FILE:compose.turn.yml" #COMPOSE_FILE="$COMPOSE_FILE:compose.turn.yml"
#TURN_ENABLED=1 #TURN_ENABLED=1
#TURN_URIS="[\"turns:coturn.foo.zone?transport=udp\", \"turns:coturn.foo.zone?transport=tcp\"]" #TURN_URIS="[\"turns:coturn.foo.zone?transport=udp\", \"turns:coturn.foo.zone?transport=tcp\"]"
@ -189,12 +224,6 @@ RETENTION_MAX_LIFETIME=4w
#SECRET_SIGNAL_HS_TOKEN_VERSION=v1 #SECRET_SIGNAL_HS_TOKEN_VERSION=v1
#SECRET_SIGNAL_PICKLE_KEY_VERSION=v1 #SECRET_SIGNAL_PICKLE_KEY_VERSION=v1
## Shared auth
#COMPOSE_FILE="$COMPOSE_FILE:compose.shared_secret_auth.yml"
#SHARED_SECRET_AUTH_ENABLED=1
#SECRET_SHARED_SECRET_AUTH_VERSION=v1 # length=128
## Web Client (Redirect) ## Web Client (Redirect)
#WEB_CLIENT_LOCATION=https://element-web.example.com #WEB_CLIENT_LOCATION=https://element-web.example.com
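Review bot: The comment above `PASSWORD_LOGIN_ENABLED=true` in the new Authentication block names only the password conflict, but as far as I recall Synapse's validation for delegated auth also refuses to start when `oidc_providers` (any `KEYCLOAK*_ENABLED=1`), a password-provider module (`SHARED_SECRET_AUTH_ENABLED=1`), `registration_requires_token`, `session_lifetime` or `enable_registration: true` are configured alongside `matrix_authentication_service`, and this file groups all of those toggles right next to the MAS stanza. I would extend the comment to `# With MAS_ENABLED=1 also keep ENABLE_REGISTRATION=false and leave KEYCLOAK*_ENABLED, SHARED_SECRET_AUTH_ENABLED, REGISTRATION_REQUIRES_TOKEN and SESSION_LIFETIME unset — Synapse refuses to start with them alongside matrix_authentication_service.` The commented `#PASSWORD_LOGIN_ENABLED=false` in the MAS stanza only wins over the active `PASSWORD_LOGIN_ENABLED=true` above it because the file is sourced top-down and the last assignment wins; a one-liner such as `# overrides the value above (last assignment wins)` next to it would stop an operator from reordering the stanzas and silently re-enabling password login. The two later hunks only remove the old copies of these toggles and need no further review.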


@ -1,13 +1,14 @@
export DISCORD_BRIDGE_YAML_VERSION=v2 export DISCORD_BRIDGE_YAML_VERSION=v2
export ENTRYPOINT_CONF_VERSION=v3 export ENTRYPOINT_CONF_VERSION=v3
export HOMESERVER_YAML_VERSION=v35 export HOMESERVER_YAML_VERSION=v36
export LOG_CONFIG_VERSION=v2 export LOG_CONFIG_VERSION=v2
export SHARED_SECRET_AUTH_VERSION=v2 export SHARED_SECRET_AUTH_VERSION=v2
export SIGNAL_BRIDGE_YAML_VERSION=v6 export SIGNAL_BRIDGE_YAML_VERSION=v6
export TELEGRAM_BRIDGE_YAML_VERSION=v6 export TELEGRAM_BRIDGE_YAML_VERSION=v6
export NGINX_CONFIG_VERSION=v12 export NGINX_CONFIG_VERSION=v13
export WK_SERVER_VERSION=v1 export WK_SERVER_VERSION=v1
export WK_CLIENT_VERSION=v1 export WK_CLIENT_VERSION=v2
export MAS_CONFIG_VERSION=v1
export PG_BACKUP_VERSION=v2 export PG_BACKUP_VERSION=v2
export ADMIN_CONFIG_VERSION=v1 export ADMIN_CONFIG_VERSION=v1

47
compose.mas.yml Normal file

@ -0,0 +1,47 @@
---
version: "3.8"
# Matrix Authentication Service (MAS) — optional overlay for Element X / OIDC-native auth.
services:
mas:
image: ghcr.io/element-hq/matrix-authentication-service:1.14.0
command: ["server", "--config=/etc/mas/config.yaml"]
environment:
- DOMAIN
- SERVER_NAME
- STACK_NAME
networks:
- internal
configs:
- source: mas_config
target: /etc/mas/config.yaml
secrets:
- db_password
- mas_encryption
- mas_synapse_shared
- mas_signing_rsa
deploy:
restart_policy:
condition: on-failure
app:
secrets:
- mas_synapse_shared
configs:
mas_config:
name: ${STACK_NAME}_mas_config_${MAS_CONFIG_VERSION}
file: mas.config.yaml.tmpl
template_driver: golang
secrets:
mas_encryption:
external: true
name: ${STACK_NAME}_mas_encryption_${SECRET_MAS_ENCRYPTION_VERSION}
mas_synapse_shared:
external: true
name: ${STACK_NAME}_mas_synapse_shared_${SECRET_MAS_SYNAPSE_SHARED_VERSION}
mas_signing_rsa:
external: true
name: ${STACK_NAME}_mas_signing_rsa_${SECRET_MAS_SIGNING_RSA_VERSION}

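Review bot: The `mas` service reuses the Synapse `db_password` secret, which means MAS authenticates as the same database role as the homeserver (the template points it at a separate `mas` database on the shared `_db` host), and nothing in this commit creates that database or a dedicated role. If the database is created elsewhere, a comment on the `db_password` entry such as `# shares the synapse DB role; the "mas" database must exist before first start (mas-cli server migrates it)` would document the coupling; a separate least-privilege role and its own secret would be the cleaner long-term shape. The service also has no `healthcheck`, so swarm will route nginx's `mas_upstream` to it as soon as the container starts rather than when MAS has finished migrating and is serving; if this image exposes MAS's `health` resource, a simple HTTP probe against it would close that gap. Both points are inferred from the new config template rather than visible in this compose file, so please confirm against the database bootstrap.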

@ -10,6 +10,7 @@ services:
environment: environment:
- DOMAIN - DOMAIN
- STACK_NAME - STACK_NAME
- MAS_ENABLED
- NGINX_ACCESS_LOG_LOCATION - NGINX_ACCESS_LOG_LOCATION
- NGINX_ERROR_LOG_LOCATION - NGINX_ERROR_LOG_LOCATION
- MAX_UPLOAD_SIZE - MAX_UPLOAD_SIZE
@ -46,6 +47,7 @@ services:
- macaroon - macaroon
- form_secret - form_secret
environment: environment:
- MAS_ENABLED
- ALLOWED_LIFETIME_MAX - ALLOWED_LIFETIME_MAX
- ALLOW_PUBLIC_ROOMS_FEDERATION - ALLOW_PUBLIC_ROOMS_FEDERATION
- AUTO_JOIN_ROOM - AUTO_JOIN_ROOM


@ -1,317 +1,326 @@
# All configuration options are documented on the following link: # All configuration options are documented on the following link:
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html
{{ if eq (env "SHARED_SECRET_AUTH_ENABLED") "1" }} {{ if eq (env "SHARED_SECRET_AUTH_ENABLED") "1" }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#modules-1 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#modules-1
modules: modules:
- module: shared_secret_authenticator.SharedSecretAuthProvider - module: shared_secret_authenticator.SharedSecretAuthProvider
config: config:
shared_secret: {{ secret "shared_secret_auth" }} shared_secret: {{ secret "shared_secret_auth" }}
m_login_password_support_enabled: true m_login_password_support_enabled: true
{{ end }} {{ end }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#server_name # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#server_name
server_name: {{ or (env "SERVER_NAME") (env "DOMAIN") }} server_name: {{ or (env "SERVER_NAME") (env "DOMAIN") }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#public_baseurl # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#public_baseurl
public_baseurl: https://{{ env "DOMAIN" }}/ public_baseurl: https://{{ env "DOMAIN" }}/
# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#require_auth_for_profile_requests # https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#require_auth_for_profile_requests
require_auth_for_profile_requests: {{ env "REQUIRE_AUTH_FOR_PROFILE_REQUESTS" }} require_auth_for_profile_requests: {{ env "REQUIRE_AUTH_FOR_PROFILE_REQUESTS" }}
# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#limit_profile_requests_to_users_who_share_rooms # https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#limit_profile_requests_to_users_who_share_rooms
limit_profile_requests_to_users_who_share_rooms: {{ env "LIMIT_PROFILE_REQUESTS_TO_USERS_WHO_SHARE_ROOMS" }} limit_profile_requests_to_users_who_share_rooms: {{ env "LIMIT_PROFILE_REQUESTS_TO_USERS_WHO_SHARE_ROOMS" }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#serve_server_wellknown # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#serve_server_wellknown
serve_server_wellknown: {{ env "SERVE_SERVER_WELLKNOWN" }} serve_server_wellknown: {{ env "SERVE_SERVER_WELLKNOWN" }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#allow_public_rooms_without_auth # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#allow_public_rooms_without_auth
allow_public_rooms_without_auth: false allow_public_rooms_without_auth: false
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#allow_public_rooms_over_federation # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#allow_public_rooms_over_federation
allow_public_rooms_over_federation: {{ or (env "ALLOW_PUBLIC_ROOMS_FEDERATION") "true" }} allow_public_rooms_over_federation: {{ or (env "ALLOW_PUBLIC_ROOMS_FEDERATION") "true" }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#listeners # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#listeners
listeners: listeners:
- port: 8008 - port: 8008
tls: false tls: false
type: http type: http
x_forwarded: true x_forwarded: true
{{ if eq (env "DISABLE_FEDERATION") "1" }} {{ if eq (env "DISABLE_FEDERATION") "1" }}
resources: resources:
{{ if eq (env "KEYCLOAK_ENABLED") "1" }} {{ if eq (env "KEYCLOAK_ENABLED") "1" }}
- names: [client, openid] - names: [client, openid]
compress: true compress: true
{{ else }} {{ else }}
- names: [client] - names: [client]
compress: true compress: true
{{ end }} {{ end }}
{{ else }} {{ else }}
resources: resources:
{{ if eq (env "KEYCLOAK_ENABLED") "1" }} {{ if eq (env "KEYCLOAK_ENABLED") "1" }}
- names: [client, openid, federation] - names: [client, openid, federation]
compress: true compress: true
{{ else }} {{ else }}
- names: [client, federation] - names: [client, federation]
compress: true compress: true
{{ end }} {{ end }}
{{ end }} {{ end }}
# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#delete_stale_devices_after # https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#delete_stale_devices_after
{{ if (env "DELETE_STALE_DEVICES_AFTER") }} {{ if (env "DELETE_STALE_DEVICES_AFTER") }}
delete_stale_devices_after: {{ env "DELETE_STALE_DEVICES_AFTER" }} delete_stale_devices_after: {{ env "DELETE_STALE_DEVICES_AFTER" }}
{{ end }} {{ end }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#admin_contact # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#admin_contact
admin_contact: 'mailto:{{ env "ADMIN_EMAIL" }}' admin_contact: 'mailto:{{ env "ADMIN_EMAIL" }}'
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#limit_remote_rooms # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#limit_remote_rooms
limit_remote_rooms: limit_remote_rooms:
enabled: true enabled: true
complexity: 200.0 complexity: 200.0
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#max_avatar_size # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#max_avatar_size
max_avatar_size: 10M max_avatar_size: 10M
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#forgotten_room_retention_period # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#forgotten_room_retention_period
forgotten_room_retention_period: 3d forgotten_room_retention_period: 3d
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#request_token_inhibit_3pid_errors # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#request_token_inhibit_3pid_errors
request_token_inhibit_3pid_errors: true request_token_inhibit_3pid_errors: true
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#redaction_retention_period # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#redaction_retention_period
redaction_retention_period: {{ env "REDACTION_RETENTION_PERIOD" }} redaction_retention_period: {{ env "REDACTION_RETENTION_PERIOD" }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#user_ips_max_age # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#user_ips_max_age
user_ips_max_age: {{ env "USER_IPS_MAX_AGE" }} user_ips_max_age: {{ env "USER_IPS_MAX_AGE" }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#retention # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#retention
retention: retention:
enabled: true enabled: true
default_policy: default_policy:
min_lifetime: 1d min_lifetime: 1d
max_lifetime: {{ env "RETENTION_MAX_LIFETIME" }} max_lifetime: {{ env "RETENTION_MAX_LIFETIME" }}
allowed_lifetime_min: 1d allowed_lifetime_min: 1d
allowed_lifetime_max: {{ env "ALLOWED_LIFETIME_MAX" }} allowed_lifetime_max: {{ env "ALLOWED_LIFETIME_MAX" }}
purge_jobs: purge_jobs:
- longest_max_lifetime: 3d - longest_max_lifetime: 3d
interval: 12h interval: 12h
- shortest_max_lifetime: 3d - shortest_max_lifetime: 3d
interval: 1d interval: 1d
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#federation_domain_whitelist # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#federation_domain_whitelist
{{ if eq (env "DISABLE_FEDERATION") "1" }} {{ if eq (env "DISABLE_FEDERATION") "1" }}
federation_domain_whitelist: [] federation_domain_whitelist: []
{{ else if eq (env "ENABLE_ALLOWLIST") "1" }} {{ else if eq (env "ENABLE_ALLOWLIST") "1" }}
federation_domain_whitelist: {{ env "FEDERATION_ALLOWLIST" }} federation_domain_whitelist: {{ env "FEDERATION_ALLOWLIST" }}
{{ end }} {{ end }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#database-1 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#database-1
database: database:
name: psycopg2 name: psycopg2
txn_limit: 10000 txn_limit: 10000
args: args:
user: synapse user: synapse
password: "{{ secret "db_password" }}" password: "{{ secret "db_password" }}"
database: synapse database: synapse
host: "{{ env "STACK_NAME" }}_db" host: "{{ env "STACK_NAME" }}_db"
port: 5432 port: 5432
cp_min: 5 cp_min: 5
cp_max: 10 cp_max: 10
keepalives_idle: 10 keepalives_idle: 10
keepalives_interval: 10 keepalives_interval: 10
keepalives_count: 3 keepalives_count: 3
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#log_config # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#log_config
log_config: "/data/log.config" log_config: "/data/log.config"
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#media_store_path # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#media_store_path
media_store_path: "/data/media_store" media_store_path: "/data/media_store"
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#max_upload_size # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#max_upload_size
max_upload_size: 50M max_upload_size: 50M
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#turn # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#turn
{{ if eq (env "TURN_ENABLED") "1" }} {{ if eq (env "TURN_ENABLED") "1" }}
turn_uris: {{ env "TURN_URIS" }} turn_uris: {{ env "TURN_URIS" }}
turn_shared_secret: "{{ secret "turn_shared_secret" }}" turn_shared_secret: "{{ secret "turn_shared_secret" }}"
turn_user_lifetime: 1h turn_user_lifetime: 1h
turn_allow_guests: {{ env "TURN_ALLOW_GUESTS" }} turn_allow_guests: {{ env "TURN_ALLOW_GUESTS" }}
{{ end }} {{ end }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_registration # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_registration
enable_registration: {{ env "ENABLE_REGISTRATION" }} enable_registration: {{ env "ENABLE_REGISTRATION" }}
# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#registration_requires_token # https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#registration_requires_token
registration_requires_token: {{ env "REGISTRATION_REQUIRES_TOKEN" }} registration_requires_token: {{ env "REGISTRATION_REQUIRES_TOKEN" }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_3pid_lookup # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_3pid_lookup
enable_3pid_lookup: {{ env "ENABLE_3PID_LOOKUP" }} enable_3pid_lookup: {{ env "ENABLE_3PID_LOOKUP" }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#allow_guest_access # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#allow_guest_access
allow_guest_access: false allow_guest_access: false
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#registration_shared_secret # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#registration_shared_secret
registration_shared_secret: {{ secret "registration" }} registration_shared_secret: {{ secret "registration" }}
{{ if eq (env "AUTO_JOIN_ROOM_ENABLED") "1" }} {{ if eq (env "AUTO_JOIN_ROOM_ENABLED") "1" }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#auto_join_rooms # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#auto_join_rooms
# AUTO_JOIN_ROOM only for backwards compatibility # AUTO_JOIN_ROOM only for backwards compatibility
{{ if (env "AUTO_JOIN_ROOM") }} {{ if (env "AUTO_JOIN_ROOM") }}
auto_join_rooms: auto_join_rooms:
- "{{ env "AUTO_JOIN_ROOM" }}" - "{{ env "AUTO_JOIN_ROOM" }}"
{{ else }} {{ else }}
auto_join_rooms: {{ env "AUTO_JOIN_ROOM_LIST" }} auto_join_rooms: {{ env "AUTO_JOIN_ROOM_LIST" }}
{{ end }} {{ end }}
{{ end }} {{ end }}
# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#session_lifetime # https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#session_lifetime
{{ if (env "SESSION_LIFETIME") }} {{ if (env "SESSION_LIFETIME") }}
session_lifetime: {{ env "SESSION_LIFETIME" }} session_lifetime: {{ env "SESSION_LIFETIME" }}
{{ end }} {{ end }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#report_stats # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#report_stats
report_stats: false report_stats: false
# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#track_puppeted_user_ips # https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#track_puppeted_user_ips
track_puppeted_user_ips: {{ env "TRACK_PUPPETED_USER_IPS" }} track_puppeted_user_ips: {{ env "TRACK_PUPPETED_USER_IPS" }}
{{ if eq (env "APP_SERVICES_ENABLED") "1" }} {{ if eq (env "APP_SERVICES_ENABLED") "1" }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#app_service_config_files # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#app_service_config_files
app_service_config_files: {{ env "APP_SERVICE_CONFIGS" }} app_service_config_files: {{ env "APP_SERVICE_CONFIGS" }}
{{ end }} {{ end }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#macaroon_secret_key # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#macaroon_secret_key
macaroon_secret_key: "{{ secret "macaroon" }}" macaroon_secret_key: "{{ secret "macaroon" }}"
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#form_secret # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#form_secret
form_secret: "{{ secret "form_secret" }}" form_secret: "{{ secret "form_secret" }}"
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#signing_key_path # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#signing_key_path
signing_key_path: "/data/{{ env "DOMAIN" }}.signing.key" signing_key_path: "/data/{{ env "DOMAIN" }}.signing.key"
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#old_signing_keys # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#old_signing_keys
{{ if (and (env "OLD_SIGNING_KEY_ID") (env "OLD_SIGNING_KEY") (env "OLD_SIGNING_KEY_EXPIRES")) }} {{ if (and (env "OLD_SIGNING_KEY_ID") (env "OLD_SIGNING_KEY") (env "OLD_SIGNING_KEY_EXPIRES")) }}
old_signing_keys: old_signing_keys:
"ed25519:{{ env "OLD_SIGNING_KEY_ID" }}": { key: "{{ env "OLD_SIGNING_KEY" }}", expired_ts: {{ env "OLD_SIGNING_KEY_EXPIRES" }} } "ed25519:{{ env "OLD_SIGNING_KEY_ID" }}": { key: "{{ env "OLD_SIGNING_KEY" }}", expired_ts: {{ env "OLD_SIGNING_KEY_EXPIRES" }} }
{{ end }} {{ end }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#trusted_key_servers # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#trusted_key_servers
{{ if eq (env "ENABLE_ALLOWLIST") "1" }} {{ if eq (env "ENABLE_ALLOWLIST") "1" }}
trusted_key_servers: [] # NOTE(d1): defaults to requesting server directly, which matches FEDERATION_ALLOWLIST trusted_key_servers: [] # NOTE(d1): defaults to requesting server directly, which matches FEDERATION_ALLOWLIST
{{ else }} {{ else }}
trusted_key_servers: trusted_key_servers:
- server_name: "matrix.org" - server_name: "matrix.org"
{{ end }} {{ end }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#oidc_providers # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#oidc_providers
{{ if eq (env "KEYCLOAK_ENABLED") "1" }} {{ if eq (env "KEYCLOAK_ENABLED") "1" }}
oidc_providers: oidc_providers:
- idp_id: {{ env "KEYCLOAK_ID" }} - idp_id: {{ env "KEYCLOAK_ID" }}
idp_name: {{ env "KEYCLOAK_NAME" }} idp_name: {{ env "KEYCLOAK_NAME" }}
issuer: "{{ env "KEYCLOAK_URL" }}" issuer: "{{ env "KEYCLOAK_URL" }}"
client_id: "{{ env "KEYCLOAK_CLIENT_ID" }}" client_id: "{{ env "KEYCLOAK_CLIENT_ID" }}"
client_secret: "{{ secret "keycloak_client_secret" }}" client_secret: "{{ secret "keycloak_client_secret" }}"
scopes: ["openid", "profile"] scopes: ["openid", "profile"]
allow_existing_users: {{ env "KEYCLOAK_ALLOW_EXISTING_USERS" }} allow_existing_users: {{ env "KEYCLOAK_ALLOW_EXISTING_USERS" }}
user_mapping_provider: user_mapping_provider:
config: config:
localpart_template: "{{ "{{ user.preferred_username }}" }}" localpart_template: "{{ "{{ user.preferred_username }}" }}"
display_name_template: "{{ "{{ user.name }}" }}" display_name_template: "{{ "{{ user.name }}" }}"
{{ if eq (env "KEYCLOAK2_ENABLED") "1" }} {{ if eq (env "KEYCLOAK2_ENABLED") "1" }}
- idp_id: {{ env "KEYCLOAK2_ID" }} - idp_id: {{ env "KEYCLOAK2_ID" }}
idp_name: {{ env "KEYCLOAK2_NAME" }} idp_name: {{ env "KEYCLOAK2_NAME" }}
issuer: "{{ env "KEYCLOAK2_URL" }}" issuer: "{{ env "KEYCLOAK2_URL" }}"
client_id: "{{ env "KEYCLOAK2_CLIENT_ID" }}" client_id: "{{ env "KEYCLOAK2_CLIENT_ID" }}"
client_secret: "{{ secret "keycloak2_client_secret" }}" client_secret: "{{ secret "keycloak2_client_secret" }}"
scopes: ["openid", "profile"] scopes: ["openid", "profile"]
allow_existing_users: {{ env "KEYCLOAK2_ALLOW_EXISTING_USERS" }} allow_existing_users: {{ env "KEYCLOAK2_ALLOW_EXISTING_USERS" }}
user_mapping_provider: user_mapping_provider:
config: config:
localpart_template: "{{ "{{ user.preferred_username }}" }}" localpart_template: "{{ "{{ user.preferred_username }}" }}"
display_name_template: "{{ "{{ user.name }}" }}" display_name_template: "{{ "{{ user.name }}" }}"
{{ end }} {{ end }}
{{ if eq (env "KEYCLOAK3_ENABLED") "1" }} {{ if eq (env "KEYCLOAK3_ENABLED") "1" }}
- idp_id: {{ env "KEYCLOAK3_ID" }} - idp_id: {{ env "KEYCLOAK3_ID" }}
idp_name: {{ env "KEYCLOAK3_NAME" }} idp_name: {{ env "KEYCLOAK3_NAME" }}
issuer: "{{ env "KEYCLOAK3_URL" }}" issuer: "{{ env "KEYCLOAK3_URL" }}"
client_id: "{{ env "KEYCLOAK3_CLIENT_ID" }}" client_id: "{{ env "KEYCLOAK3_CLIENT_ID" }}"
client_secret: "{{ secret "keycloak3_client_secret" }}" client_secret: "{{ secret "keycloak3_client_secret" }}"
scopes: ["openid", "profile"] scopes: ["openid", "profile"]
allow_existing_users: {{ env "KEYCLOAK3_ALLOW_EXISTING_USERS" }} allow_existing_users: {{ env "KEYCLOAK3_ALLOW_EXISTING_USERS" }}
user_mapping_provider: user_mapping_provider:
config: config:
localpart_template: "{{ "{{ user.preferred_username }}" }}" localpart_template: "{{ "{{ user.preferred_username }}" }}"
display_name_template: "{{ "{{ user.name }}" }}" display_name_template: "{{ "{{ user.name }}" }}"
{{ end }} {{ end }}
{{ end }} {{ end }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#sso # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#sso
{{ if eq (env "KEYCLOAK_ENABLED") "1" }} {{ if eq (env "KEYCLOAK_ENABLED") "1" }}
sso: sso:
client_whitelist: client_whitelist:
- https://{{ env "KEYCLOAK_CLIENT_DOMAIN" }} - https://{{ env "KEYCLOAK_CLIENT_DOMAIN" }}
{{ end }} {{ end }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#password_config # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#password_config
password_config: # With MAS (matrix_authentication_service), Synapse rejects password_config.enabled: true — set PASSWORD_LOGIN_ENABLED=false in app .env when MAS_ENABLED=1 (.env.sample).
enabled: {{ env "PASSWORD_LOGIN_ENABLED" }} password_config:
enabled: {{ env "PASSWORD_LOGIN_ENABLED" }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#email
{{ if eq (env "SMTP_ENABLED") "1" }} {{ if eq (env "MAS_ENABLED") "1" }}
email: # https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#matrix_authentication_service
smtp_host: {{ env "SMTP_HOST" }} matrix_authentication_service:
smtp_port: {{ env "SMTP_PORT" }} enabled: true
smtp_user: {{ env "SMTP_USER" }} endpoint: http://{{ env "STACK_NAME"}}_mas:8080/
smtp_pass: "{{ secret "smtp_password" }}" secret_path: /run/secrets/mas_synapse_shared
require_transport_security: true {{ end }}
notif_from: Your Friendly %(app)s homeserver <{{ env "SMTP_FROM" }}>
app_name: {{ env "SMTP_APP_NAME" }} # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#email
enable_notifs: true {{ if eq (env "SMTP_ENABLED") "1" }}
client_base_url: https://{{ env "DOMAIN" }} email:
{{ end }} smtp_host: {{ env "SMTP_HOST" }}
smtp_port: {{ env "SMTP_PORT" }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#encryption_enabled_by_default_for_room_type smtp_user: {{ env "SMTP_USER" }}
encryption_enabled_by_default_for_room_type: {{ env "ENCRYPTED_BY_DEFAULT" }} smtp_pass: "{{ secret "smtp_password" }}"
require_transport_security: true
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#user_directory notif_from: Your Friendly %(app)s homeserver <{{ env "SMTP_FROM" }}>
user_directory: app_name: {{ env "SMTP_APP_NAME" }}
enabled: {{ env "USER_DIRECTORY_ENABLED" }} enable_notifs: true
search_all_users: {{ env "USER_DIRECTORY_SEARCH_ALL_USERS" }} client_base_url: https://{{ env "DOMAIN" }}
prefer_local_users: {{ env "USER_DIRECTORY_PREFER_LOCAL_USERS" }} {{ end }}
show_locked_users: {{ env "USER_DIRECTORY_SHOW_LOCKED_USERS" }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#encryption_enabled_by_default_for_room_type
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#media_retention encryption_enabled_by_default_for_room_type: {{ env "ENCRYPTED_BY_DEFAULT" }}
media_retention:
local_media_lifetime: {{ env "MEDIA_RETENTION_LOCAL_LIFETIME" }} # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#user_directory
remote_media_lifetime: {{ env "MEDIA_RETENTION_REMOTE_LIFETIME" }} user_directory:
enabled: {{ env "USER_DIRECTORY_ENABLED" }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_metrics search_all_users: {{ env "USER_DIRECTORY_SEARCH_ALL_USERS" }}
enable_metrics: false prefer_local_users: {{ env "USER_DIRECTORY_PREFER_LOCAL_USERS" }}
show_locked_users: {{ env "USER_DIRECTORY_SHOW_LOCKED_USERS" }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#track_appservice_user_ips
track_appservice_user_ips: false # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#media_retention
media_retention:
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#forget_rooms_on_leave local_media_lifetime: {{ env "MEDIA_RETENTION_LOCAL_LIFETIME" }}
forget_rooms_on_leave: true remote_media_lifetime: {{ env "MEDIA_RETENTION_REMOTE_LIFETIME" }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#opentracing-1 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_metrics
opentracing: enable_metrics: false
enabled: false
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#track_appservice_user_ips
# https://matrix-org.github.io/synapse/develop/usage/configuration/config_documentation.html#ratelimiting track_appservice_user_ips: false
rc_login:
address: # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#forget_rooms_on_leave
per_second: {{ env "LOGIN_LIMIT_IP_PER_SECOND" }} forget_rooms_on_leave: true
burst_count: {{ env "LOGIN_LIMIT_IP_BURST" }}
account: # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#opentracing-1
per_second: {{ env "LOGIN_LIMIT_ACCOUNT_PER_SECOND" }} opentracing:
burst_count: {{ env "LOGIN_LIMIT_ACCOUNT_BURST" }} enabled: false
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#web_client_location # https://matrix-org.github.io/synapse/develop/usage/configuration/config_documentation.html#ratelimiting
web_client_location: {{ env "WEB_CLIENT_LOCATION" }} rc_login:
address:
per_second: {{ env "LOGIN_LIMIT_IP_PER_SECOND" }}
burst_count: {{ env "LOGIN_LIMIT_IP_BURST" }}
account:
per_second: {{ env "LOGIN_LIMIT_ACCOUNT_PER_SECOND" }}
burst_count: {{ env "LOGIN_LIMIT_ACCOUNT_BURST" }}
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#web_client_location
web_client_location: {{ env "WEB_CLIENT_LOCATION" }}
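Review bot: The new `matrix_authentication_service` block is emitted only under `MAS_ENABLED`, but the rest of the template still emits `oidc_providers`/`sso` for `KEYCLOAK_ENABLED`, the `shared_secret_authenticator` module for `SHARED_SECRET_AUTH_ENABLED`, `registration_requires_token` and `session_lifetime` regardless of MAS, and as far as I recall Synapse rejects every one of those next to delegated auth, so an operator who enables MAS on a Keycloak deployment gets a startup failure rather than a config. Guarding those stanzas with the MAS flag, e.g. `{{ if and (eq (env "KEYCLOAK_ENABLED") "1") (ne (env "MAS_ENABLED") "1") }}`, would make the template self-consistent instead of relying on the `.env.sample` comment. Minor style: `endpoint: http://{{ env "STACK_NAME"}}_mas:8080/` drops the space before `}}` that every other `env` call in this file uses. The `secret_path` entry would also benefit from a one-line comment naming the producer, `# same file MAS reads as matrix.secret_file; both sides read the raw file content`.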

41
mas.config.yaml.tmpl Normal file

@ -0,0 +1,41 @@
# Docs: https://element-hq.github.io/matrix-authentication-service/
http:
public_base: https://{{ env "DOMAIN" }}/
trusted_proxies:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 127.0.0.0/8
- fd00::/8
- ::1/128
listeners:
- name: web
resources:
- name: discovery
- name: human
- name: oauth
- name: compat
- name: graphql
playground: false
- name: assets
binds:
- address: "[::]:8080"
database:
uri: postgresql://synapse:{{ secret "db_password" }}@{{ env "STACK_NAME" }}_db:5432/mas?sslmode=disable
matrix:
kind: synapse
homeserver: {{ or (env "SERVER_NAME") (env "DOMAIN") }}
endpoint: http://{{ env "STACK_NAME" }}_app:8008/
secret_file: /run/secrets/mas_synapse_shared
secrets:
# Plain hex in file (abra: length=64 charset=hex). See .env.sample modifiers.
encryption_file: /run/secrets/mas_encryption
keys:
- key_file: /run/secrets/mas_signing_rsa
passwords:
enabled: true
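Review bot: `homeserver:` under `matrix:` and `public_base:` under `http:` take unquoted template expansions; if SERVER_NAME and DOMAIN are both empty the rendered `homeserver:` parses as null rather than a string, and any expansion containing `: ` or a leading YAML indicator would mis-parse, so quote them, `homeserver: "{{ or (env "SERVER_NAME") (env "DOMAIN") }}"` and `public_base: "https://{{ env "DOMAIN" }}/"`. The `trusted_proxies` list spans every RFC 1918 range plus `fd00::/8`, which means any container reachable on the same network can present an X-Forwarded-For that MAS honours; that is acceptable while only nginx is routed to port 8080, but a comment stating that assumption, `# Covers the whole private range: only the nginx service may reach :8080`, would keep it from being copied into a less isolated deployment. `key_file: /run/secrets/mas_signing_rsa` references a third secret that the comment on `encryption_file` does not mention; confirm it is provisioned alongside `mas_encryption` and `mas_synapse_shared` and document its expected format (PEM) next to that comment. The database URI reuses the `synapse` role against a separate `mas` database, so that database must be created before MAS starts; presumably the compose file handles this, but a one-line comment above `database:` saying where would help.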


@ -15,6 +15,14 @@ http {
keepalive 16; keepalive 16;
} }
{{ if eq (env "MAS_ENABLED") "1" }}
upstream mas_upstream {
zone mas_upstream 64k;
server {{ env "STACK_NAME"}}_mas:8080 resolve;
keepalive 8;
}
{{ end }}
server { server {
listen 80; listen 80;
@ -32,7 +40,30 @@ http {
proxy_http_version 1.1; proxy_http_version 1.1;
} }
location ~* ^(\/_matrix|\/_synapse\/client) { {{ if eq (env "MAS_ENABLED") "1" }}
# MAS on same Host as Synapse (public_base = https://$DOMAIN/): browser/OIDC paths live at repo root, not only under /_matrix/
# Router reference: element-hq/matrix-authentication-service crates/router/src/endpoints.rs
# https://element-hq.github.io/matrix-authentication-service/setup/reverse-proxy.html
location ~ ^/(complete-compat-sso/|oauth2/|\.well-known/(openid-configuration|webfinger|change-password)|authorize|login|logout|register(/|$)|account/|upstream/|consent/|link(\?|/|$)|device/|recover(/|$)|assets/|graphql(/|$)|api/) {
proxy_pass http://mas_upstream;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
client_max_body_size 50M;
}
# Matrix CS API compat (login / logout / refresh and subpaths, e.g. …/login/sso/redirect) — before generic /_matrix
location ~ ^/_matrix/client/[^/]+/(login|logout|refresh)(/.*)?$ {
proxy_pass http://mas_upstream;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
client_max_body_size 50M;
}
{{ end }}
location ~* ^(\/_matrix|\/_synapse\/client|\/_synapse\/mas) {
proxy_pass http://matrix_upstream; proxy_pass http://matrix_upstream;
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Proto https;
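Review bot: The two new MAS locations send `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` while the existing Synapse location directly below keeps `proxy_set_header X-Forwarded-For $remote_addr;`, and only one of these matches the deployment: `$proxy_add_x_forwarded_for` appends to whatever header the client already sent, so on an internet-facing nginx a client can prepend arbitrary addresses to the chain MAS receives, whereas `$remote_addr` loses the real client when nginx itself sits behind another proxy. Pick the form that matches where TLS is terminated and use it in all three blocks, with a comment stating that choice. The two MAS blocks are identical apart from their regex, so moving the shared `proxy_*` lines into an `include` snippet would stop them drifting from each other and from the Synapse block. In the first hunk, `server {{ env "STACK_NAME"}}_mas:8080 resolve;` lacks the space before `}}` that every other expansion in the file uses. Both location blocks live inside the `server {` block that begins outside this hunk.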


@ -1,5 +1,8 @@
{ {
"m.homeserver": { "m.homeserver": {
"base_url": "https://{{ env "DOMAIN" }}" "base_url": "https://{{ env "DOMAIN" }}"
} }{{ if eq (env "MAS_ENABLED") "1" }},
"org.matrix.msc2965.authentication": {
"issuer": "https://{{ env "DOMAIN" }}/"
}{{ end }}
} }