Merge remote-tracking branch 'origin/main' into compress
# Conflicts: # homeserver.yaml.tmpl
This commit is contained in:
notplants
notplants
112
.env.sample
112
.env.sample
@ -19,6 +19,82 @@ SECRET_FORM_SECRET_VERSION=v1
|
||||
SECRET_MACAROON_VERSION=v1
|
||||
SECRET_REGISTRATION_VERSION=v1
|
||||
|
||||
## Authentication
|
||||
|
||||
# All login / SSO / MAS-related toggles in one place.
|
||||
|
||||
### Local password & registration (Synapse native)
|
||||
|
||||
# With MAS_ENABLED=1 you must set PASSWORD_LOGIN_ENABLED=false — Synapse forbids legacy password DB alongside matrix_authentication_service.
|
||||
PASSWORD_LOGIN_ENABLED=true
|
||||
ENABLE_REGISTRATION=false
|
||||
|
||||
# Token based registration. Enable ADMIN_INTERFACE (below) to use the admin interface to generate tokens.
|
||||
#REGISTRATION_REQUIRES_TOKEN=true
|
||||
|
||||
### OIDC via Keycloak-shaped API (e.g. Authentik)
|
||||
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak.yml"
|
||||
#KEYCLOAK_ENABLED=1
|
||||
#KEYCLOAK_ID=keycloak
|
||||
#KEYCLOAK_NAME=
|
||||
#KEYCLOAK_URL=
|
||||
#KEYCLOAK_CLIENT_ID=
|
||||
#KEYCLOAK_CLIENT_DOMAIN=
|
||||
#KEYCLOAK_ALLOW_EXISTING_USERS=false
|
||||
#SECRET_KEYCLOAK_CLIENT_SECRET_VERSION=v1
|
||||
|
||||
### Second OIDC provider (compose.keycloak2.yml)
|
||||
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak2.yml"
|
||||
#KEYCLOAK2_ENABLED=1
|
||||
#KEYCLOAK2_ID=keycloak2
|
||||
#KEYCLOAK2_NAME=
|
||||
#KEYCLOAK2_URL=
|
||||
#KEYCLOAK2_CLIENT_ID=
|
||||
#KEYCLOAK2_CLIENT_DOMAIN=
|
||||
#KEYCLOAK2_ALLOW_EXISTING_USERS=false
|
||||
#SECRET_KEYCLOAK2_CLIENT_SECRET_VERSION=v1
|
||||
|
||||
### Third OIDC provider (compose.keycloak3.yml)
|
||||
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak3.yml"
|
||||
#KEYCLOAK3_ENABLED=1
|
||||
#KEYCLOAK3_ID=keycloak3
|
||||
#KEYCLOAK3_NAME=
|
||||
#KEYCLOAK3_URL=
|
||||
#KEYCLOAK3_CLIENT_ID=
|
||||
#KEYCLOAK3_CLIENT_DOMAIN=
|
||||
#KEYCLOAK3_ALLOW_EXISTING_USERS=false
|
||||
#SECRET_KEYCLOAK3_CLIENT_SECRET_VERSION=v1
|
||||
|
||||
### Matrix Authentication Service (MAS) — Element X / OIDC-native auth
|
||||
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.mas.yml"
|
||||
#MAS_ENABLED=1 # Leave commented if you plan to migrate an existing homeserver
|
||||
#PASSWORD_LOGIN_ENABLED=false
|
||||
#SECRET_MAS_ENCRYPTION_VERSION=v1 # length=64 charset=hex
|
||||
#SECRET_MAS_SYNAPSE_SHARED_VERSION=v1 # length=64 charset=hex
|
||||
# PEM private key: abra cannot generate this format — use `abra app cmd -l YOURAPPDOMAIN generate_mas_signing_rsa`
|
||||
#SECRET_MAS_SIGNING_RSA_VERSION=v1 # generate=false
|
||||
|
||||
#### MAS upstream OIDC provider (e.g. Authentik)
|
||||
# Create a new OAuth2 app in your IdP with redirect URI: https://<DOMAIN>/upstream/callback/<MAS_UPSTREAM_PROVIDER_ID>
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.mas-upstream.yml"
|
||||
#MAS_UPSTREAM_PROVIDER_ID= # ULID, e.g. 01JSHPZHAXC50QBKH67MH33TNF — generate at https://www.ulidtools.com
|
||||
#MAS_UPSTREAM_ISSUER= # e.g. https://auth.example.com/application/o/matrix-mas/
|
||||
#MAS_UPSTREAM_CLIENT_ID=
|
||||
#MAS_UPSTREAM_HUMAN_NAME=Authentik
|
||||
# For migration from previous direct Keycloud-style config: set to oidc-<your old KEYCLOAK_ID> so syn2mas maps users correctly.
|
||||
#MAS_UPSTREAM_SYNAPSE_IDP_ID=
|
||||
#SECRET_MAS_UPSTREAM_CLIENT_VERSION=v1
|
||||
|
||||
### Shared secret auth (bridges / automation)
|
||||
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.shared_secret_auth.yml"
|
||||
#SHARED_SECRET_AUTH_ENABLED=1
|
||||
#SECRET_SHARED_SECRET_AUTH_VERSION=v1 # length=128
|
||||
|
||||
## Federation
|
||||
|
||||
#DISABLE_FEDERATION=1
|
||||
@ -28,14 +104,6 @@ SERVE_SERVER_WELLKNOWN=false
|
||||
|
||||
ALLOW_PUBLIC_ROOMS_FEDERATION=false
|
||||
|
||||
## Registration
|
||||
|
||||
ENABLE_REGISTRATION=false
|
||||
PASSWORD_LOGIN_ENABLED=true
|
||||
|
||||
# Token based registration. Enable ADMIN_INTERFACE (below) to use the admin interface to generate tokens.
|
||||
#REGISTRATION_REQUIRES_TOKEN=true
|
||||
|
||||
## Room auto-join
|
||||
|
||||
#AUTO_JOIN_ROOM_ENABLED=1
|
||||
@ -102,30 +170,8 @@ RETENTION_MAX_LIFETIME=4w
|
||||
#LOGIN_LIMIT_ACCOUNT_PER_SECOND=1
|
||||
#LOGIN_LIMIT_ACCOUNT_BURST=10
|
||||
|
||||
## Keycloak SSO
|
||||
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak.yml"
|
||||
#KEYCLOAK_ENABLED=1
|
||||
#KEYCLOAK_ID=keycloak
|
||||
#KEYCLOAK_NAME=
|
||||
#KEYCLOAK_URL=
|
||||
#KEYCLOAK_CLIENT_ID=
|
||||
#KEYCLOAK_CLIENT_DOMAIN=
|
||||
#KEYCLOAK_ALLOW_EXISTING_USERS=false
|
||||
#SECRET_KEYCLOAK_CLIENT_SECRET_VERSION=v1
|
||||
|
||||
## TURN
|
||||
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak3.yml"
|
||||
#KEYCLOAK3_ENABLED=1
|
||||
#KEYCLOAK3_ID=keycloak3
|
||||
#KEYCLOAK3_NAME=
|
||||
#KEYCLOAK3_URL=
|
||||
#KEYCLOAK3_CLIENT_ID=
|
||||
#KEYCLOAK3_CLIENT_DOMAIN=
|
||||
#KEYCLOAK3_ALLOW_EXISTING_USERS=false
|
||||
#SECRET_KEYCLOAK3_CLIENT_SECRET_VERSION=v1
|
||||
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.turn.yml"
|
||||
#TURN_ENABLED=1
|
||||
#TURN_URIS="[\"turns:coturn.foo.zone?transport=udp\", \"turns:coturn.foo.zone?transport=tcp\"]"
|
||||
@ -193,12 +239,6 @@ RETENTION_MAX_LIFETIME=4w
|
||||
#SECRET_SIGNAL_HS_TOKEN_VERSION=v1
|
||||
#SECRET_SIGNAL_PICKLE_KEY_VERSION=v1
|
||||
|
||||
## Shared auth
|
||||
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.shared_secret_auth.yml"
|
||||
#SHARED_SECRET_AUTH_ENABLED=1
|
||||
#SECRET_SHARED_SECRET_AUTH_VERSION=v1 # length=128
|
||||
|
||||
## Web Client (Redirect)
|
||||
#WEB_CLIENT_LOCATION=https://element-web.example.com
|
||||
|
||||
|
||||
Reference in New Issue
Block a user