recipe-maintainers/matrix-synapse
0
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix minor bugs with mas integration

Browse Source
This commit is contained in:
Simon
2026-05-12 21:46:13 +02:00
parent d82d539424
commit cff6cfb001
5 changed files with 35 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
.env.sample
View File

@ -73,9 +73,9 @@ ENABLE_REGISTRATION=false
#COMPOSE_FILE="$COMPOSE_FILE:compose.mas.yml" #COMPOSE_FILE="$COMPOSE_FILE:compose.mas.yml"
#MAS_ENABLED=1 # !!! Leave commented if you plan to migrate an existing homeserver #MAS_ENABLED=1 # !!! Leave commented if you plan to migrate an existing homeserver
#PASSWORD_LOGIN_ENABLED=false #PASSWORD_LOGIN_ENABLED=false
#SECRET_MAS_ENCRYPTION_VERSION=v1 # length=64 # charset=hex #SECRET_MAS_ENCRYPTION_VERSION=v1 # length=64 charset=hex
#SECRET_MAS_SYNAPSE_SHARED_VERSION=v1 # length=64 # charset=hex #SECRET_MAS_SYNAPSE_SHARED_VERSION=v1 # length=64 charset=hex
# PEM private key: abra cannot generate this format — insert only (e.g. openssl genrsa 2048 | abra app secret insert …) # PEM private key: abra cannot generate this format — use `abra app cmd -l YOURAPPDOMAIN generate_mas_signing_rsa`
#SECRET_MAS_SIGNING_RSA_VERSION=v1 # generate=false #SECRET_MAS_SIGNING_RSA_VERSION=v1 # generate=false
#### MAS upstream OIDC provider (e.g. Authentik) #### MAS upstream OIDC provider (e.g. Authentik)
@ -87,7 +87,7 @@ ENABLE_REGISTRATION=false
#MAS_UPSTREAM_HUMAN_NAME=Authentik #MAS_UPSTREAM_HUMAN_NAME=Authentik
# For migration from previous direct Keycloud-style config: set to oidc-<your old KEYCLOAK_ID> so syn2mas maps users correctly. # For migration from previous direct Keycloud-style config: set to oidc-<your old KEYCLOAK_ID> so syn2mas maps users correctly.
#MAS_UPSTREAM_SYNAPSE_IDP_ID= #MAS_UPSTREAM_SYNAPSE_IDP_ID=
#SECRET_MAS_UPSTREAM_CLIENT_SECRET_VERSION=v1 #SECRET_MAS_UPSTREAM_CLIENT_VERSION=v1
### Shared secret auth (bridges / automation) ### Shared secret auth (bridges / automation)

2
README.md
View File

@ -56,7 +56,7 @@ You'll need to deploy something like [this](https://git.autonomic.zone/ruangrupa
- In `.env`, uncomment `compose.mas.yml` (and `compose.mas-upstream.yml` plus upstream envs if you use an external IdP), and uncomment the `SECRET_MAS_*` version lines. - In `.env`, uncomment `compose.mas.yml` (and `compose.mas-upstream.yml` plus upstream envs if you use an external IdP), and uncomment the `SECRET_MAS_*` version lines.
- `abra app secret generate YOURAPPDOMAIN` - `abra app secret generate YOURAPPDOMAIN`
- **Manually insert** the PEM RSA key for `SECRET_MAS_SIGNING_RSA_VERSION` (`generate=false` in `.env.sample`) — abra cannot generate that format; see the comment there (e.g. `openssl genrsa 2048` piped to `abra app secret insert`). - `abra app cmd -l YOURAPPDOMAIN generate_mas_signing_rsa` — generates and inserts the PEM RSA key for `SECRET_MAS_SIGNING_RSA_VERSION`. Requires `openssl` on the local machine.
- `abra app cmd YOURAPPDOMAIN db ensure_mas_database` (once, creates the `mas` database in Postgres) - `abra app cmd YOURAPPDOMAIN db ensure_mas_database` (once, creates the `mas` database in Postgres)
- `abra app deploy YOURAPPDOMAIN` - `abra app deploy YOURAPPDOMAIN`

28
abra.sh
View File

@ -8,7 +8,7 @@ export TELEGRAM_BRIDGE_YAML_VERSION=v6
export NGINX_CONFIG_VERSION=v13 export NGINX_CONFIG_VERSION=v13
export WK_SERVER_VERSION=v1 export WK_SERVER_VERSION=v1
export WK_CLIENT_VERSION=v2 export WK_CLIENT_VERSION=v2
export MAS_CONFIG_VERSION=v1 export MAS_CONFIG_VERSION=v2
export PG_BACKUP_VERSION=v2 export PG_BACKUP_VERSION=v2
export ADMIN_CONFIG_VERSION=v1 export ADMIN_CONFIG_VERSION=v1
@ -19,9 +19,33 @@ ensure_mas_database () {
fi fi
} }
# Generate a PEM RSA private key and insert it as the MAS signing secret.
# `abra app secret generate` can only produce random hex/charset strings, so this
# secret is marked `generate=false` in .env.sample and handled here instead.
generate_mas_signing_rsa() {
if ! command -v openssl &> /dev/null; then
echo "openssl is required on your local machine to generate the MAS signing key."
echo "It could not be found in your PATH, please install openssl to proceed."
exit 1
fi
KEY=$(openssl genrsa 2048 2>/dev/null)
if [ -z "$KEY" ]; then
echo "Failed to generate RSA private key with openssl."
exit 1
fi
if printf '%s\n' "$KEY" | abra app secret insert -C "$APP_NAME" mas_signing_rsa v1; then
echo "MAS signing RSA key generated and inserted as v1."
else
echo "Failed to insert MAS signing RSA key."
exit 1
fi
}
# Local helper: fetch homeserver.yaml from app, push to mas, then syn2mas check + dry-run. # Local helper: fetch homeserver.yaml from app, push to mas, then syn2mas check + dry-run.
prepare_mas_migration () { prepare_mas_migration () {
local hs_local syn_cfg local syn_cfg
syn_cfg=/tmp/homeserver.yaml syn_cfg=/tmp/homeserver.yaml

6
compose.mas-upstream.yml
View File

@ -13,9 +13,9 @@ services:
- MAS_UPSTREAM_HUMAN_NAME - MAS_UPSTREAM_HUMAN_NAME
- MAS_UPSTREAM_SYNAPSE_IDP_ID - MAS_UPSTREAM_SYNAPSE_IDP_ID
secrets: secrets:
- mas_upstream_client_secret - mas_upstream_client
secrets: secrets:
mas_upstream_client_secret: mas_upstream_client:
external: true external: true
name: ${STACK_NAME}_mas_upstream_client_secret_${SECRET_MAS_UPSTREAM_CLIENT_SECRET_VERSION} name: ${STACK_NAME}_mas_upstream_client_${SECRET_MAS_UPSTREAM_CLIENT_VERSION}

2
mas.config.yaml.tmpl
View File

@ -57,7 +57,7 @@ upstream_oauth2:
human_name: {{ or (env "MAS_UPSTREAM_HUMAN_NAME") "SSO" }} human_name: {{ or (env "MAS_UPSTREAM_HUMAN_NAME") "SSO" }}
issuer: {{ env "MAS_UPSTREAM_ISSUER" }} issuer: {{ env "MAS_UPSTREAM_ISSUER" }}
client_id: {{ env "MAS_UPSTREAM_CLIENT_ID" }} client_id: {{ env "MAS_UPSTREAM_CLIENT_ID" }}
client_secret_file: /run/secrets/mas_upstream_client_secret client_secret_file: /run/secrets/mas_upstream_client
token_endpoint_auth_method: client_secret_basic token_endpoint_auth_method: client_secret_basic
scope: "openid profile email" scope: "openid profile email"
claims_imports: claims_imports: