From 7a37d33ff2b98fcf349ac26976ce54b848dd2d3b Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Fri, 11 Nov 2022 17:55:46 +0000 Subject: [PATCH] matrix: federation works and setup seems to do the right thing --- Makefile | 5 ++ matrix.yaml | 56 ++++++++++++++++++ matrix/10-envsubst-config.sh | 5 ++ matrix/README.md | 3 + matrix/config.sample.json | 53 +++++++++++++++++ matrix/docker-compose.yaml | 27 --------- matrix/element-config.json.template | 73 ------------------------ matrix/entrypoint-synapse.sh | 62 ++++++++++++++++++++ matrix/env.production | 1 - matrix/keycloak.sh | 4 ++ matrix/nginx.conf | 71 +++++++++++++++++++++++ matrix/setup | 88 ----------------------------- nginx.yaml | 1 + nginx/default.conf | 12 +++- nginx/etc/nginx.conf | 3 + 15 files changed, 272 insertions(+), 192 deletions(-) create mode 100644 matrix.yaml create mode 100755 matrix/10-envsubst-config.sh create mode 100644 matrix/README.md create mode 100644 matrix/config.sample.json delete mode 100644 matrix/docker-compose.yaml delete mode 100644 matrix/element-config.json.template create mode 100755 matrix/entrypoint-synapse.sh delete mode 100644 matrix/env.production create mode 100755 matrix/keycloak.sh create mode 100644 matrix/nginx.conf delete mode 100755 matrix/setup diff --git a/Makefile b/Makefile index 85a4244..0d7e613 100644 --- a/Makefile +++ b/Makefile @@ -4,6 +4,7 @@ MODULES += hedgedoc MODULES += grafana MODULES += prometheus MODULES += mastodon +MODULES += matrix #MODULES += pixelfed include env.production @@ -36,6 +37,10 @@ mastodon-shell: $(DOCKER) exec mastodon bash mastodon-streaming-shell: $(DOCKER) exec mastodon-streaming bash +matrix-shell: + $(DOCKER) exec matrix-synapse bash +matrix-logs: + $(DOCKER) logs -f matrix-synapse nginx-build: data/nginx/secrets $(DOCKER) build nginx diff --git a/matrix.yaml b/matrix.yaml new file mode 100644 index 0000000..e62999e --- /dev/null +++ b/matrix.yaml 
@@ -0,0 +1,56 @@
+version: '3'
+services:
+# the default synpase uses a sqlite database; this should be fixed at somepoint
+# matrix-db:
+# image: postgres:13.4-alpine
+# restart: unless-stopped
+# volumes:
+# - ./data/matrix/db:/var/lib/postgresql/data
+# environment:
+# - POSTGRES_DB=synapse
+# - POSTGRES_USER=synapse
+# - POSTGRES_PASSWORD=STRONGPASSWORD
+
+ matrix-element:
+ image: vectorim/element-web:latest
+ restart: unless-stopped
+ container_name: matrix-element
+ env_file:
+ - env.production
+ volumes:
+ - ./matrix/10-envsubst-config.sh:/docker-entrypoint.d/10-envsubst-config.sh:ro
+ - ./matrix/config.sample.json:/app/config.sample.json:ro
+ depends_on:
+ - matrix-synapse
+# ports:
+# - "5000:80"
+
+ matrix-synapse:
+ image: matrixdotorg/synapse:latest
+ restart: unless-stopped
+ container_name: matrix-synapse
+ volumes:
+ - ./data/matrix/synapse:/data
+ - ./matrix/entrypoint-synapse.sh:/entrypoint.sh:ro
+ entrypoint: ["/entrypoint.sh"]
+ env_file:
+ - env.production
+ environment:
+ - MATRIX_CLIENT_SECRET=${MATRIX_CLIENT_SECRET}
+ depends_on:
+ - keycloak
+ - nginx
+# ports:
+# - "5008:8008"
+
+ # add the nginx configuration into the nginx volume
+ nginx:
+ volumes:
+ - ./matrix/nginx.conf:/etc/nginx/templates/matrix.conf.template:ro
+
+ # add the client secrets to the keycloak-setup volume
+ keycloak-setup:
+ env_file:
+ - data/matrix/secrets
+ volumes:
+ - ./matrix/keycloak.sh:/keycloak-setup/matrix.sh:ro
diff --git a/matrix/10-envsubst-config.sh b/matrix/10-envsubst-config.sh
new file mode 100755
index 0000000..6abd845
--- /dev/null
+++ b/matrix/10-envsubst-config.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+echo >&2 "**** Configuring for $DOMAIN_NAME"
+envsubst < /app/config.sample.json > /app/config.json
+head /app/config.json
diff --git a/matrix/README.md b/matrix/README.md
new file mode 100644
index 0000000..f1ee362
--- /dev/null
+++ b/matrix/README.md
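Review bot: `matrix-synapse` gets `MATRIX_CLIENT_SECRET=${MATRIX_CLIENT_SECRET}` from the environment of whoever invokes compose, while `keycloak-setup` reads the same value from `env_file: data/matrix/secrets`; unless the Makefile exports that file (it only shows `include env.production`), the synapse side expands to an empty string, and matrix/entrypoint-synapse.sh writes that into homeserver.yaml on first boot and never regenerates it. Give both services the same source by adding `- data/matrix/secrets` under `env_file:` on `matrix-synapse` and dropping the `environment:` entry. Both images are `:latest` with `restart: unless-stopped`, so any container recreation can pull an unreviewed upgrade of the homeserver and the client; pin a version tag (or digest) and bump deliberately. `depends_on: - keycloak - nginx` only orders container start and does not wait for either to be ready, which is what the `sleep 5` in the entrypoint is papering over.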
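Review bot: `envsubst < /app/config.sample.json` substitutes an empty string for any unset variable, so a missing `DOMAIN_NAME` or `MATRIX_HOSTNAME` silently yields `"base_url": "https://."` and Element starts pointing at nothing; fail fast with `: "${DOMAIN_NAME:?}" "${MATRIX_HOSTNAME:?}"` before the substitution. Restricting the substitution to those two names, `envsubst '$DOMAIN_NAME $MATRIX_HOSTNAME' < /app/config.sample.json > /app/config.json`, also keeps any other `$` sequence in the JSON intact. `head /app/config.json` dumps the rendered config into the container log on every start; useful while debugging, but worth removing once the setup settles.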
@@ -0,0 +1,3 @@ +# Matrix/Element chat + +The sample config for the JSON comes from 8891698745897388db037ea8692937edc199630c on vector-im/element-web diff --git a/matrix/config.sample.json b/matrix/config.sample.json new file mode 100644 index 0000000..fccb437 --- /dev/null +++ b/matrix/config.sample.json @@ -0,0 +1,53 @@ +{ + "default_server_config": { + "m.homeserver": { + "base_url": "https://${MATRIX_HOSTNAME}.${DOMAIN_NAME}", + "server_name": "${DOMAIN_NAME}" + }, + "m.identity_server": { + "base_url": "https://vector.im" + } + }, + "disable_custom_urls": false, + "disable_guests": false, + "disable_login_language_selector": false, + "disable_3pid_login": false, + "brand": "Element", + "integrations_ui_url": "https://scalar.vector.im/", + "integrations_rest_url": "https://scalar.vector.im/api", + "integrations_widgets_urls": [ + "https://scalar.vector.im/_matrix/integrations/v1", + "https://scalar.vector.im/api", + "https://scalar-staging.vector.im/_matrix/integrations/v1", + "https://scalar-staging.vector.im/api", + "https://scalar-staging.riot.im/scalar/api" + ], + "bug_report_endpoint_url": "https://element.io/bugreports/submit", + "uisi_autorageshake_app": "element-auto-uisi", + "default_country_code": "GB", + "show_labs_settings": false, + "features": { }, + "default_federate": true, + "default_theme": "light", + "room_directory": { + "servers": [ + "matrix.org" + ] + }, + "enable_presence_by_hs_url": { + "https://matrix.org": false, + "https://matrix-client.matrix.org": false + }, + "setting_defaults": { + "breadcrumbs": true + }, + "jitsi": { + "preferred_domain": "meet.element.io" + }, + "element_call": { + "url": "https://call.element.io", + "participant_limit": 8, + "brand": "Element Call" + }, + "map_style_url": "https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx" +} diff --git a/matrix/docker-compose.yaml b/matrix/docker-compose.yaml deleted file mode 100644 index ba42dfc..0000000 
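Review bot: `map_style_url` carries the MapTiler API key copied from upstream's sample config (README.md says the file comes from vector-im/element-web); that key belongs to upstream and may be quota-limited or rotated, so it should be replaced with a key owned by this deployment or the entry dropped. `m.identity_server` and the `integrations_*` entries still point at vector.im, so 3PID lookups and widget traffic from this self-hosted instance go to a third party; that is upstream's default, but it is a deliberate choice here and deserves a line in README.md. `"disable_custom_urls": false` lets users of this Element log into arbitrary homeservers; set it to `true` if the client is meant only for this homeserver.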
--- a/matrix/docker-compose.yaml +++ /dev/null @@ -1,27 +0,0 @@ -version: '3' -services: - postgres: - image: postgres:13.4-alpine - restart: unless-stopped - volumes: - - ../data/matrix/postgresdata:/var/lib/postgresql/data - environment: - - POSTGRES_DB=synapse - - POSTGRES_USER=synapse - - POSTGRES_PASSWORD=STRONGPASSWORD - - element: - image: vectorim/element-web:latest - restart: unless-stopped - volumes: - - ../data/matrix/element-config.json:/app/config.json - ports: - - "5000:80" - - synapse: - image: matrixdotorg/synapse:latest - restart: unless-stopped - volumes: - - ../data/matrix/synapse:/data - ports: - - "5008:8008" diff --git a/matrix/element-config.json.template b/matrix/element-config.json.template deleted file mode 100644 index baef3cb..0000000 --- a/matrix/element-config.json.template +++ /dev/null 
@@ -1,73 +0,0 @@ -{ - "default_server_config": { - "m.homeserver": { - "base_url": "https://${MATRIX_HOSTNAME}", - "server_name": "${DOMAIN_NAME}" - }, - "m.identity_server": { - "base_url": "https://vector.im" - } - }, - "brand": "Element", - "integrations_ui_url": "https://scalar.vector.im/", - "integrations_rest_url": "https://scalar.vector.im/api", - "integrations_widgets_urls": [ - "https://scalar.vector.im/_matrix/integrations/v1", - "https://scalar.vector.im/api", - "https://scalar-staging.vector.im/_matrix/integrations/v1", - "https://scalar-staging.vector.im/api", - "https://scalar-staging.riot.im/scalar/api" - ], - "hosting_signup_link": "https://element.io/matrix-services?utm_source=element-web&utm_medium=web", - "bug_report_endpoint_url": "https://element.io/bugreports/submit", - "uisi_autorageshake_app": "element-auto-uisi", - "showLabsSettings": true, - "piwik": { - "url": "https://piwik.riot.im/", - "siteId": 1, - "policyUrl": "https://element.io/cookie-policy" - }, - "roomDirectory": { - "servers": [ - "matrix.org", - "gitter.im", - "libera.chat" - ] - }, - "enable_presence_by_hs_url": { - "https://matrix.org": false, - "https://matrix-client.matrix.org": false - }, - "terms_and_conditions_links": [ - { - "url": "https://element.io/privacy", - "text": "Privacy Policy" - }, - { - "url": "https://element.io/cookie-policy", - "text": "Cookie Policy" - } - ], - "hostSignup": { - "brand": "Element Home", - "cookiePolicyUrl": "https://element.io/cookie-policy", - "domains": [ - "matrix.org" - ], - "privacyPolicyUrl": "https://element.io/privacy", - "termsOfServiceUrl": "https://element.io/terms-of-service", - "url": "https://ems.element.io/element-home/in-app-loader" - }, - "sentry": { - "dsn": "https://029a0eb289f942508ae0fb17935bd8c5@sentry.matrix.org/6", - "environment": "develop" - }, - "posthog": { - "projectApiKey": "phc_Jzsm6DTm6V2705zeU5dcNvQDlonOR68XvX2sh1sEOHO", - "apiHost": "https://posthog.element.io" - }, - "features": { - 
"feature_spotlight": true - }, - "map_style_url": "https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx" -} diff --git a/matrix/entrypoint-synapse.sh b/matrix/entrypoint-synapse.sh new file mode 100755 index 0000000..353484e --- /dev/null +++ b/matrix/entrypoint-synapse.sh 
@@ -0,0 +1,62 @@
+#!/bin/bash
+# This is the custom startup script for the synpase server
+
+# fix up the Element client config to have the correct hostname
+# based on the environment variables
+#export DOMAIN_NAME MATRIX_HOSTNAME
+#envsubst < "element-config.json.template" > "$DATA/element-config.json"
+
+HOMESERVER_YAML="/data/homeserver.yaml"
+
+if [ ! -r "$HOMESERVER_YAML" ]; then
+ echo >&2 "***** Configuring the home server for $DOMAIN_NAME *****"
+
+ export SYNAPSE_SERVER_NAME="$DOMAIN_NAME"
+ export SYNAPSE_REPORT_STATS="no"
+
+ /start.py generate \
+ || exit 1
+
+ echo >&2 "***** Adding OIDC provider *****"
+ cat <> "$HOMESERVER_YAML"
+#
+# added by hackerspace-zone setup scripts
+#
+suppress_key_server_warning: true
+web_client_location: https://${MATRIX_HOSTNAME}.${DOMAIN_NAME}
+public_baseurl: https://${MATRIX_HOSTNAME}.${DOMAIN_NAME}
+oidc_providers:
+ - idp_id: keycloak
+ idp_name: "Keycloak"
+ issuer: "https://${KEYCLOAK_HOSTNAME}.${DOMAIN_NAME}/realms/${REALM}"
+ client_id: "matrix"
+ client_secret: "${MATRIX_CLIENT_SECRET}"
+ scopes: ["openid", "profile"]
+ user_mapping_provider:
+ config:
+ localpart_template: "{{ user.preferred_username }}"
+ display_name_template: "{{ user.name }}"
+EOF
+
+fi
+
+if ! grep -q '^ smtp_host:' && [ -n "$SMTP_SERVER" ]; then
+ echo >&2 "***** Adding SMTP setup to yaml"
+ cat <> "$HOMESERVER_YAML"
+#
+# added by hackerspace-zone setup scripts
+#
+email:
+ smtp_host: ${SMTP_SERVER}
+ smtp_port: ${SMTP_PORT}
+ smtp_user: "${SMTP_USER}"
+ smtp_pass: "${SMTP_PASSWORD}"
+ require_transport_security: true
+ notif_from: "%(app)s matrix homeserver "
+ app_name: ${DOMAIN_NAME}
+EOF
+fi
+
+# hack to let keycloak startup
+sleep 5
+exec /start.py
diff --git a/matrix/env.production b/matrix/env.production
deleted file mode 100644
index 85b953c..0000000
--- a/matrix/env.production
+++ /dev/null
@@ -1 +0,0 @@
-# variables
diff --git a/matrix/keycloak.sh b/matrix/keycloak.sh
new file mode 100755
index 0000000..8b74049
--- /dev/null
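Review bot: `grep -q '^ smtp_host:'` in the second `if` has no file operand, so it searches the container's stdin instead of `$HOMESERVER_YAML`; with an empty stdin it never matches, and the `email:` block is appended again on every restart, leaving duplicate top-level keys in the YAML. It should read `if ! grep -q '^ *smtp_host:' "$HOMESERVER_YAML" && [ -n "$SMTP_SERVER" ]; then`. `client_secret: "${MATRIX_CLIENT_SECRET}"` is written exactly once (the whole block is skipped once homeserver.yaml exists), so an unset variable on first boot persists an empty secret for good; guard with `: "${MATRIX_CLIENT_SECRET:?}"` before `/start.py generate`. Both heredocs render here as `cat <> "$HOMESERVER_YAML"`, which in bash opens the file read-write rather than appending a heredoc; presumably `<<EOF >>` was lost in rendering, but worth confirming in the committed file. The `notif_from` value likewise appears to have lost an angle-bracketed address in rendering.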
+++ b/matrix/keycloak.sh 
@@ -0,0 +1,4 @@ +#!/bin/bash -x +# Setup the OAuth client connection + +client-create matrix "$MATRIX_HOSTNAME.$DOMAIN_NAME" "$MATRIX_CLIENT_SECRET" &2 "matrix: ERROR $@" ; exit 1 ; } -info() { echo >&2 "matrix: $@" ; } - -DIRNAME="$(dirname $0)" -cd "$DIRNAME" -source ../env.production || die "no top levle env?" -source ../env.smtp 2>/dev/null -source env.production || die "no local env?" - -DATA="../data/matrix" -SYNAPSE_DIR="$DATA/synapse" -HOMESERVER_YAML="$SYNAPSE_DIR/homeserver.yaml" -if [ -r "$HOMESERVER_YAML" ]; then - docker-compose up -d || die "matrix: unable to restart" - exit 0 -fi - -docker-compose down 2>/dev/null -mkdir -p "$DATA" - -# fix up the Element client config to have the correct hostname -# based on the environment variables -export DOMAIN_NAME MATRIX_HOSTNAME -envsubst < "element-config.json.template" > "$DATA/element-config.json" - - -# This will create a *delegated* matrix server, -# where the "servername" is just the top level domain, -# but it is hosted on "matrix.DOMAIN_NAME". -# the syntax here is confusing and it is not clear in -# the docs *which* have to be updated. 
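Review bot: `#!/bin/bash -x` traces every command with its expanded arguments, so the `client-create matrix ... "$MATRIX_CLIENT_SECRET"` line prints the OAuth client secret into the keycloak-setup container log, where it stays readable to anyone who can run `docker logs`. Drop the `-x` (or bracket the call with `set +x` / `set -x`) and pass `"${MATRIX_CLIENT_SECRET:?}"` so an unset secret aborts the setup instead of registering a client with an empty one. The invocation also appears truncated in this rendering right after the secret argument, so the exact command line should be re-checked in the committed file.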
-docker-compose run \ - --rm \ - -e SYNAPSE_SERVER_NAME="$DOMAIN_NAME" \ - -e SYNAPSE_REPORT_STATS="no" \ - synapse generate \ -|| die "unable to generate synapse config" - -MATRIX_CLIENT_SECRET="$(openssl rand -hex 20)" - -cat <> "$HOMESERVER_YAML" -web_client_location: https://${MATRIX_HOSTNAME}/ -public_baseurl: https://${MATRIX_HOSTNAME}/ -oidc_providers: - - idp_id: keycloak - idp_name: "KeyCloak" - issuer: "https://${KEYCLOAK_HOSTNAME}/realms/${REALM}" - client_id: "synapse" - client_secret: "${MATRIX_CLIENT_SECRET}" - scopes: ["openid", "profile"] - user_mapping_provider: - config: - localpart_template: "{{ user.preferred_username }}" - display_name_template: "{{ user.name }}" -EOF - -if [ -n "$SMTP_SERVER" ]; then - info "configuring email" - cat <> "$HOMESERVER_YAML" -email: - smtp_host: ${SMTP_SERVER} - smtp_port: ${SMTP_PORT} - smtp_user: "${SMTP_USER}" - smtp_pass: "${SMTP_PASSWORD}" - require_transport_security: true - notif_from: "%(app)s matrix homeserver " - app_name: ${DOMAIN_NAME} -EOF -fi - - -../keycloak/client-delete 'synapse' 2>/dev/null - -../keycloak/client-create << EOF || die "unable to create client id" -{ - "clientId": "synapse", - "rootUrl": "https://$MATRIX_HOSTNAME/", - "adminUrl": "https://$MATRIX_HOSTNAME/", - "redirectUris": [ "https://$MATRIX_HOSTNAME/*" ], - "webOrigins": [ "https://$MATRIX_HOSTNAME" ], - "clientAuthenticatorType": "client-secret", - "secret": "$MATRIX_CLIENT_SECRET" -} -EOF - - -docker-compose up -d || die "matrix: unable to start container" diff --git a/nginx.yaml b/nginx.yaml index 6fe1c76..4e42ad7 100644 --- a/nginx.yaml +++ b/nginx.yaml @@ -11,6 +11,7 @@ services: ports: - "80:80" - "443:443" + - "8448:8448" volumes: - ./nginx/etc/includes:/etc/nginx/includes:ro - ./nginx/etc/nginx.conf:/etc/nginx/nginx.conf:ro diff --git a/nginx/default.conf b/nginx/default.conf index da6c466..9953951 100644 --- a/nginx/default.conf +++ b/nginx/default.conf 
@@ -51,9 +51,10 @@ server {
 chunked_transfer_encoding on;
 # delegated Matrix server
-# location /.well-known/matrix {
-# proxy_pass https://${MATRIX_HOSTNAME}.${DOMAIN_NAME};
-# }
+ location /.well-known/matrix {
+ #return 302 https://${MATRIX_HOSTNAME}.${DOMAIN_NAME}$request_uri;
+ proxy_pass https://${MATRIX_HOSTNAME}.${DOMAIN_NAME}$request_uri;
+ }
 # separate Mastodon WEB_DOMAIN and LOCAL_DOMAIN
 location = /.well-known/host-meta {
@@ -63,6 +64,11 @@ server {
 return 302 https://${MASTODON_HOSTNAME}.${DOMAIN_NAME}$request_uri;
 }
+ # OpenID services
+ location = /.well-known/openid-configuration {
+ return 302 https://${KEYCLOAK_HOSTNAME}.${DOMAIN_NAME}$request_uri;
+ }
+
 # tilde club home directories
 location ~ ^/~(.+?)(/.*)?$ {
 alias /home/$1/public_html$2;
diff --git a/nginx/etc/nginx.conf b/nginx/etc/nginx.conf
index 2a339a7..7cbedce 100644
--- a/nginx/etc/nginx.conf
+++ b/nginx/etc/nginx.conf
@@ -16,6 +16,9 @@ http {
 # Basic Settings
 ##
+ # docker container resolver
+ resolver 127.0.0.11 ipv6=off;
+
 sendfile on;
 tcp_nopush on;
 tcp_nodelay on;
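Review bot: `proxy_pass https://${MATRIX_HOSTNAME}.${DOMAIN_NAME}$request_uri;` sends every `/.well-known/matrix` lookup out via the public hostname and back into this same nginx; nginx does not verify the upstream certificate unless `proxy_ssl_verify on;` is set, so the hairpin runs over unverified TLS and only works when the Docker resolver added in nginx/etc/nginx.conf can resolve the public name. Both well-known documents are static, so serving them with `return 200` removes the loop and the upstream TLS question entirely; the federation port in the server document must match whatever matrix/nginx.conf (not in this view) listens on, with 8448 being what nginx.yaml now publishes. The prefix `location /.well-known/matrix` also matches unrelated paths such as `/.well-known/matrix-foo`; exact `location =` blocks as below are tighter.
```nginx
    # delegated Matrix server: serve the two static well-known documents directly
    location = /.well-known/matrix/server {
        default_type application/json;
        return 200 '{"m.server": "${MATRIX_HOSTNAME}.${DOMAIN_NAME}:FEDERATION_PORT"}';  # FEDERATION_PORT: placeholder, use the port matrix/nginx.conf listens on
    }
    location = /.well-known/matrix/client {
        default_type application/json;
        add_header Access-Control-Allow-Origin *;
        return 200 '{"m.homeserver": {"base_url": "https://${MATRIX_HOSTNAME}.${DOMAIN_NAME}"}}';
    }
    # … unchanged: Mastodon host-meta and webfinger redirects …
```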
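Review bot: `return 302 https://${KEYCLOAK_HOSTNAME}.${DOMAIN_NAME}$request_uri;` forwards `/.well-known/openid-configuration` to the same root path on the Keycloak host, but Keycloak publishes its discovery document per realm under `/realms/<realm>/.well-known/openid-configuration`, so this redirect most likely ends in a 404. Point it at the realm document, `return 302 https://${KEYCLOAK_HOSTNAME}.${DOMAIN_NAME}/realms/${REALM}/.well-known/openid-configuration;`, provided `REALM` is exported to the nginx template like the hostnames are; the `issuer:` that matrix/entrypoint-synapse.sh writes already uses that realm path, so nothing in this change depends on the root redirect, and if nothing else consumes it the location can simply be dropped.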