chore: publish 7.1.1+v1.149.1 release

Co-authored-by: Cursor <cursoragent@cursor.com>
fix minor bugs with mas integration
2026-05-12 23:52:32 +02:00 · 2026-05-12 21:46:13 +02:00 · 2026-05-11 13:51:33 +02:00 · 2026-05-11 11:25:53 +00:00
6 changed files with 64 additions and 19 deletions
--- a/.env.sample
+++ b/.env.sample
@ -71,11 +71,11 @@ ENABLE_REGISTRATION=false
 ### Matrix Authentication Service (MAS) — Element X / OIDC-native auth

 #COMPOSE_FILE="$COMPOSE_FILE:compose.mas.yml"
-#MAS_ENABLED=1
+#MAS_ENABLED=1 # Leave commented if you plan to migrate an existing homeserver
 #PASSWORD_LOGIN_ENABLED=false
-#SECRET_MAS_ENCRYPTION_VERSION=v1 # length=64 # charset=hex
-#SECRET_MAS_SYNAPSE_SHARED_VERSION=v1 # length=64 # charset=hex
-# PEM private key: abra cannot generate this format — insert only (e.g. openssl genrsa 2048 | abra app secret insert …)
+#SECRET_MAS_ENCRYPTION_VERSION=v1 # length=64 charset=hex
+#SECRET_MAS_SYNAPSE_SHARED_VERSION=v1 # length=64 charset=hex
+# PEM private key: abra cannot generate this format — use `abra app cmd -l YOURAPPDOMAIN generate_mas_signing_rsa`
 #SECRET_MAS_SIGNING_RSA_VERSION=v1 # generate=false

 #### MAS upstream OIDC provider (e.g. Authentik)
@ -87,7 +87,7 @@ ENABLE_REGISTRATION=false
 #MAS_UPSTREAM_HUMAN_NAME=Authentik
 # For migration from previous direct Keycloud-style config: set to oidc-<your old KEYCLOAK_ID> so syn2mas maps users correctly.
 #MAS_UPSTREAM_SYNAPSE_IDP_ID=
-#SECRET_MAS_UPSTREAM_CLIENT_SECRET_VERSION=v1
+#SECRET_MAS_UPSTREAM_CLIENT_VERSION=v1

 ### Shared secret auth (bridges / automation)

--- a/README.md
+++ b/README.md
@ -49,16 +49,17 @@ You'll need to deploy something like [this](https://git.autonomic.zone/ruangrupa

 [MAS](https://element-hq.github.io/matrix-authentication-service/) is Element’s OAuth/OIDC-native auth service for Matrix: it handles login, tokens, and upstream IdPs while Synapse delegates authentication via `matrix_authentication_service`.

+> [!IMPORTANT]
+> **If you plan to migrate an existing homeserver with `syn2mas`:** deploy and configure MAS as below, but **leave `MAS_ENABLED=1` commented** until migration and cutover are done, so Synapse keeps using your current login path until you intentionally switch. You cannot use Synapse legacy OIDC/Keycloak SSO alongside MAS; plan IdP apps and envs accordingly.
+
 **Enable the stack:**

 - In `.env`, uncomment `compose.mas.yml` (and `compose.mas-upstream.yml` plus upstream envs if you use an external IdP), and uncomment the `SECRET_MAS_*` version lines.
 - `abra app secret generate YOURAPPDOMAIN`
- **Manually insert** the PEM RSA key for `SECRET_MAS_SIGNING_RSA_VERSION` (`generate=false` in `.env.sample`) — abra cannot generate that format; see the comment there (e.g. `openssl genrsa 2048` piped to `abra app secret insert`).
+- `abra app cmd -l YOURAPPDOMAIN generate_mas_signing_rsa` — generates and inserts the PEM RSA key for `SECRET_MAS_SIGNING_RSA_VERSION`. Requires `openssl` on the local machine.
 - `abra app cmd YOURAPPDOMAIN db ensure_mas_database` (once, creates the `mas` database in Postgres)
 - `abra app deploy YOURAPPDOMAIN`

-**If you plan to migrate an existing homeserver with `syn2mas`:** deploy and configure MAS as above, but **leave `MAS_ENABLED=1` commented** until migration and cutover are done, so Synapse keeps using your current login path until you intentionally switch. You cannot use Synapse legacy OIDC/Keycloak SSO alongside MAS; plan IdP apps and envs accordingly.
-
 <details>
 <summary><strong>Migrating an existing server (<code>syn2mas</code>)</strong></summary>

@ -78,11 +79,9 @@ Requires PostgreSQL on Synapse and a dedicated MAS database. Backup Postgres (an
   ```
   Use the real service name from `docker service ls` (suffix `_app`).

-4. **Migration:** with MAS still running and Synapse at zero replicas,
+4. **Migration:** with MAS still running and Synapse at zero replicas, run `run_mas_migration` from your machine. The homeserver snapshot at `/tmp/homeserver.yaml` in `mas` must still be present from step 1.
   ```bash
-   abra app run YOURAPPDOMAIN mas -- mas-cli syn2mas migrate \
-     --config /etc/mas/config.yaml \
-     --synapse-config /tmp/homeserver.yaml
+   abra app cmd YOURAPPDOMAIN run_mas_migration
   ```

 5. **Cutover:** in `.env`, set `MAS_ENABLED=1`, `PASSWORD_LOGIN_ENABLED=false`, remove legacy Keycloak/SSO envs, then `abra app deploy YOURAPPDOMAIN` (Synapse comes back with MAS delegation). `syn2mas` does not write to the Synapse database; if you abort before serving traffic through MAS, you can often drop and recreate the MAS DB and revert env.
--- a/abra.sh
+++ b/abra.sh
@ -8,7 +8,7 @@ export TELEGRAM_BRIDGE_YAML_VERSION=v6
 export NGINX_CONFIG_VERSION=v13
 export WK_SERVER_VERSION=v1
 export WK_CLIENT_VERSION=v2
-export MAS_CONFIG_VERSION=v1
+export MAS_CONFIG_VERSION=v2
 export PG_BACKUP_VERSION=v2
 export ADMIN_CONFIG_VERSION=v1

@ -19,9 +19,33 @@ ensure_mas_database () {
    fi
 }

+# Generate a PEM RSA private key and insert it as the MAS signing secret.
+# `abra app secret generate` can only produce random hex/charset strings, so this
+# secret is marked `generate=false` in .env.sample and handled here instead.
+generate_mas_signing_rsa() {
+    if ! command -v openssl &> /dev/null; then
+        echo "openssl is required on your local machine to generate the MAS signing key."
+        echo "It could not be found in your PATH, please install openssl to proceed."
+        exit 1
+    fi
+
+    KEY=$(openssl genrsa 2048 2>/dev/null)
+    if [ -z "$KEY" ]; then
+        echo "Failed to generate RSA private key with openssl."
+        exit 1
+    fi
+
+    if printf '%s\n' "$KEY" | abra app secret insert -C "$APP_NAME" mas_signing_rsa v1; then
+        echo "MAS signing RSA key generated and inserted as v1."
+    else
+        echo "Failed to insert MAS signing RSA key."
+        exit 1
+    fi
+}
+
 # Local helper: fetch homeserver.yaml from app, push to mas, then syn2mas check + dry-run.
 prepare_mas_migration () {
-    local hs_local syn_cfg
+    local syn_cfg

    syn_cfg=/tmp/homeserver.yaml

@ -56,6 +80,28 @@ prepare_mas_migration () {

    trap - EXIT
    cleanup_prepare_mas_migration
+
+    echo ""
+    echo "=== Next migration step: stop Synapse (downtime) ==="
+    echo "Run on a host whose Docker CLI targets this Swarm (same machine you use for 'abra app deploy')."
+    if [ -n "${STACK_NAME:-}" ]; then
+        echo "  docker service scale ${STACK_NAME}_app=0"
+    else
+        echo "STACK_NAME is not set here; resolve the Synapse service name with 'docker service ls' on that host, then:"
+        echo "docker service scale <STACK_NAME>_app=0"
+    fi
+}
+
+# Run syn2mas migrate for real (writes MAS data). Run from your operator machine as MAS image is distroless.
+# Requires /tmp/homeserver.yaml in the mas container (e.g. from prepare_mas_migration) and
+# Synapse scaled down before migrate.
+run_mas_migration () {
+    local syn_cfg=/tmp/homeserver.yaml
+
+    echo "Running mas-cli syn2mas migrate in mas via abra app run..."
+    abra app run -t "$DOMAIN" mas -- mas-cli syn2mas migrate \
+        --config /etc/mas/config.yaml \
+        --synapse-config "$syn_cfg"
 }

 set_admin () {
--- a/compose.mas-upstream.yml
+++ b/compose.mas-upstream.yml
@ -13,9 +13,9 @@ services:
      - MAS_UPSTREAM_HUMAN_NAME
      - MAS_UPSTREAM_SYNAPSE_IDP_ID
    secrets:
-      - mas_upstream_client_secret
+      - mas_upstream_client

 secrets:
-  mas_upstream_client_secret:
+  mas_upstream_client:
    external: true
-    name: ${STACK_NAME}_mas_upstream_client_secret_${SECRET_MAS_UPSTREAM_CLIENT_SECRET_VERSION}
+    name: ${STACK_NAME}_mas_upstream_client_${SECRET_MAS_UPSTREAM_CLIENT_VERSION}
--- a/compose.yml
+++ b/compose.yml
@ -108,7 +108,7 @@ services:
      restart_policy:
        condition: on-failure
      labels:
-        - "coop-cloud.${STACK_NAME}.version=7.1.0+v1.149.1"
+        - "coop-cloud.${STACK_NAME}.version=7.1.1+v1.149.1"
        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8008/health"]
--- a/mas.config.yaml.tmpl
+++ b/mas.config.yaml.tmpl
@ -57,7 +57,7 @@ upstream_oauth2:
      human_name: {{ or (env "MAS_UPSTREAM_HUMAN_NAME") "SSO" }}
      issuer: {{ env "MAS_UPSTREAM_ISSUER" }}
      client_id: {{ env "MAS_UPSTREAM_CLIENT_ID" }}
-      client_secret_file: /run/secrets/mas_upstream_client_secret
+      client_secret_file: /run/secrets/mas_upstream_client
      token_endpoint_auth_method: client_secret_basic
      scope: "openid profile email"
      claims_imports:
Author	SHA1	Message	Date
Simon	d75ca4f11f	chore: publish 7.1.1+v1.149.1 release Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-12 23:52:32 +02:00
Simon	cff6cfb001	fix minor bugs with mas integration	2026-05-12 21:46:13 +02:00
Simon	d82d539424	docs: update mad readme	2026-05-11 13:51:33 +02:00
simon	b4c3db38c3	Merge pull request 'add matrix authentication service incl migration #57 ' (#58 ) from add-matrix-authentication-service into main Reviewed-on: https://git.coopcloud.tech/coop-cloud/matrix-synapse/pulls/58	2026-05-11 11:25:53 +00:00