matrix: federation works and setup seems to do the right thing

2 years ago · 7a37d33ff2
parent 1d1b19dced
commit 7a37d33ff2
15 changed files with 272 additions and 192 deletions
--- a/5
+++ b/5
@ -4,6 +4,7 @@ MODULES += hedgedoc
 MODULES += grafana
 MODULES += prometheus
 MODULES += mastodon
 MODULES += matrix
 #MODULES += pixelfed
 include env.production
@ -36,6 +37,10 @@ mastodon-shell:
 	$(DOCKER) exec mastodon bash
 mastodon-streaming-shell:
 	$(DOCKER) exec mastodon-streaming bash
 matrix-shell:
 	$(DOCKER) exec matrix-synapse bash
 matrix-logs:
 	$(DOCKER) logs -f matrix-synapse
 nginx-build: data/nginx/secrets
 	$(DOCKER) build nginx
--- a/matrix.yaml
+++ b/matrix.yaml
@ -0,0 +1,56 @@
 version: '3'
 services:
 # the default synpase uses a sqlite database; this should be fixed at somepoint
 #  matrix-db:
 #    image: postgres:13.4-alpine
 #    restart: unless-stopped
 #    volumes:
 #     - ./data/matrix/db:/var/lib/postgresql/data
 #    environment:
 #     - POSTGRES_DB=synapse
 #     - POSTGRES_USER=synapse
 #     - POSTGRES_PASSWORD=STRONGPASSWORD
  matrix-element:
    image: vectorim/element-web:latest
    restart: unless-stopped
    container_name: matrix-element
    env_file:
     - env.production
    volumes:
      - ./matrix/10-envsubst-config.sh:/docker-entrypoint.d/10-envsubst-config.sh:ro
      - ./matrix/config.sample.json:/app/config.sample.json:ro
    depends_on:
      - matrix-synapse
 #    ports:
 #      - "5000:80"
  matrix-synapse:
    image: matrixdotorg/synapse:latest
    restart: unless-stopped
    container_name: matrix-synapse
    volumes:
      - ./data/matrix/synapse:/data
      - ./matrix/entrypoint-synapse.sh:/entrypoint.sh:ro
    entrypoint: ["/entrypoint.sh"]
    env_file:
      - env.production
    environment:
      - MATRIX_CLIENT_SECRET=${MATRIX_CLIENT_SECRET}
    depends_on:
      - keycloak
      - nginx
 #    ports:
 #      - "5008:8008"
  # add the nginx configuration into the nginx volume
  nginx:
    volumes:
      - ./matrix/nginx.conf:/etc/nginx/templates/matrix.conf.template:ro
  # add the client secrets to the keycloak-setup volume
  keycloak-setup:
    env_file:
      - data/matrix/secrets
    volumes:
      - ./matrix/keycloak.sh:/keycloak-setup/matrix.sh:ro
--- a/matrix/10-envsubst-config.sh
+++ b/matrix/10-envsubst-config.sh
@ -0,0 +1,5 @@
 #!/bin/sh
 echo >&2 "**** Configuring for $DOMAIN_NAME"
 envsubst < /app/config.sample.json > /app/config.json
 head /app/config.json
--- a/matrix/README.md
+++ b/matrix/README.md
@ -0,0 +1,3 @@
 # Matrix/Element chat
 The sample config for the JSON comes from 8891698745897388db037ea8692937edc199630c on vector-im/element-web
--- a/matrix/config.sample.json
+++ b/matrix/config.sample.json
@ -0,0 +1,53 @@
 {
    "default_server_config": {
        "m.homeserver": {
            "base_url": "https://${MATRIX_HOSTNAME}.${DOMAIN_NAME}",
            "server_name": "${DOMAIN_NAME}"
        },
        "m.identity_server": {
            "base_url": "https://vector.im"
        }
    },
    "disable_custom_urls": false,
    "disable_guests": false,
    "disable_login_language_selector": false,
    "disable_3pid_login": false,
    "brand": "Element",
    "integrations_ui_url": "https://scalar.vector.im/",
    "integrations_rest_url": "https://scalar.vector.im/api",
    "integrations_widgets_urls": [
        "https://scalar.vector.im/_matrix/integrations/v1",
        "https://scalar.vector.im/api",
        "https://scalar-staging.vector.im/_matrix/integrations/v1",
        "https://scalar-staging.vector.im/api",
        "https://scalar-staging.riot.im/scalar/api"
    ],
    "bug_report_endpoint_url": "https://element.io/bugreports/submit",
    "uisi_autorageshake_app": "element-auto-uisi",
    "default_country_code": "GB",
    "show_labs_settings": false,
    "features": { },
    "default_federate": true,
    "default_theme": "light",
    "room_directory": {
        "servers": [
            "matrix.org"
        ]
    },
    "enable_presence_by_hs_url": {
        "https://matrix.org": false,
        "https://matrix-client.matrix.org": false
    },
    "setting_defaults": {
        "breadcrumbs": true
    },
    "jitsi": {
        "preferred_domain": "meet.element.io"
    },
    "element_call": {
        "url": "https://call.element.io",
        "participant_limit": 8,
        "brand": "Element Call"
    },
    "map_style_url": "https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx"
 }
--- a/matrix/docker-compose.yaml
+++ b/matrix/docker-compose.yaml
@ -1,27 +0,0 @@
 version: '3'
 services:
  postgres:
    image: postgres:13.4-alpine
    restart: unless-stopped
    volumes:
     - ../data/matrix/postgresdata:/var/lib/postgresql/data
    environment:
     - POSTGRES_DB=synapse
     - POSTGRES_USER=synapse
     - POSTGRES_PASSWORD=STRONGPASSWORD
  element:
    image: vectorim/element-web:latest
    restart: unless-stopped
    volumes:
      - ../data/matrix/element-config.json:/app/config.json
    ports:
      - "5000:80"
  synapse:
    image: matrixdotorg/synapse:latest
    restart: unless-stopped
    volumes:
     - ../data/matrix/synapse:/data
    ports:
      - "5008:8008"
--- a/matrix/element-config.json.template
+++ b/matrix/element-config.json.template
@ -1,73 +0,0 @@
 {
     "default_server_config": {
        "m.homeserver": {
            "base_url": "https://${MATRIX_HOSTNAME}",
            "server_name": "${DOMAIN_NAME}"
        },
        "m.identity_server": {
            "base_url": "https://vector.im"
        }
    },
    "brand": "Element",
    "integrations_ui_url": "https://scalar.vector.im/",
    "integrations_rest_url": "https://scalar.vector.im/api",
    "integrations_widgets_urls": [
        "https://scalar.vector.im/_matrix/integrations/v1",
        "https://scalar.vector.im/api",
        "https://scalar-staging.vector.im/_matrix/integrations/v1",
        "https://scalar-staging.vector.im/api",
        "https://scalar-staging.riot.im/scalar/api"
    ],
    "hosting_signup_link": "https://element.io/matrix-services?utm_source=element-web&utm_medium=web",
    "bug_report_endpoint_url": "https://element.io/bugreports/submit",
    "uisi_autorageshake_app": "element-auto-uisi",
    "showLabsSettings": true,
    "piwik": {
        "url": "https://piwik.riot.im/",
        "siteId": 1,
        "policyUrl": "https://element.io/cookie-policy"
    },
    "roomDirectory": {
        "servers": [
            "matrix.org",
            "gitter.im",
            "libera.chat"
        ]
    },
    "enable_presence_by_hs_url": {
        "https://matrix.org": false,
        "https://matrix-client.matrix.org": false
    },
    "terms_and_conditions_links": [
        {
            "url": "https://element.io/privacy",
            "text": "Privacy Policy"
        },
        {
            "url": "https://element.io/cookie-policy",
            "text": "Cookie Policy"
        }
    ],
    "hostSignup": {
      "brand": "Element Home",
      "cookiePolicyUrl": "https://element.io/cookie-policy",
      "domains": [
          "matrix.org"
      ],
      "privacyPolicyUrl": "https://element.io/privacy",
      "termsOfServiceUrl": "https://element.io/terms-of-service",
      "url": "https://ems.element.io/element-home/in-app-loader"
    },
    "sentry": {
        "dsn": "https://029a0eb289f942508ae0fb17935bd8c5@sentry.matrix.org/6",
        "environment": "develop"
    },
    "posthog": {
        "projectApiKey": "phc_Jzsm6DTm6V2705zeU5dcNvQDlonOR68XvX2sh1sEOHO",
        "apiHost": "https://posthog.element.io"
    },
    "features": {
        "feature_spotlight": true
    },
    "map_style_url": "https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx"
 }
--- a/matrix/entrypoint-synapse.sh
+++ b/matrix/entrypoint-synapse.sh
@ -0,0 +1,62 @@
 #!/bin/bash
 # This is the custom startup script for the synpase server
 # fix up the Element client config to have the correct hostname
 # based on the environment variables
 #export DOMAIN_NAME MATRIX_HOSTNAME
 #envsubst < "element-config.json.template" > "$DATA/element-config.json"
 HOMESERVER_YAML="/data/homeserver.yaml"
 if [ ! -r "$HOMESERVER_YAML" ]; then
 	echo >&2 "***** Configuring the home server for $DOMAIN_NAME *****"
 	export SYNAPSE_SERVER_NAME="$DOMAIN_NAME"
 	export SYNAPSE_REPORT_STATS="no"
 	/start.py generate \
 	|| exit 1
 	echo >&2 "***** Adding OIDC provider *****"
 	cat <<EOF >> "$HOMESERVER_YAML"
 #
 # added by hackerspace-zone setup scripts
 #
 suppress_key_server_warning: true
 web_client_location: https://${MATRIX_HOSTNAME}.${DOMAIN_NAME}
 public_baseurl: https://${MATRIX_HOSTNAME}.${DOMAIN_NAME}
 oidc_providers:
  - idp_id: keycloak
    idp_name: "Keycloak"
    issuer: "https://${KEYCLOAK_HOSTNAME}.${DOMAIN_NAME}/realms/${REALM}"
    client_id: "matrix"
    client_secret: "${MATRIX_CLIENT_SECRET}"
    scopes: ["openid", "profile"]
    user_mapping_provider:
      config:
        localpart_template: "{{ user.preferred_username }}"
        display_name_template: "{{ user.name }}"
 EOF
 fi
 if ! grep -q '^  smtp_host:' && [ -n "$SMTP_SERVER" ]; then
 	echo >&2 "***** Adding SMTP setup to yaml"
 	cat <<EOF >> "$HOMESERVER_YAML"
 #
 # added by hackerspace-zone setup scripts
 #
 email:
  smtp_host: ${SMTP_SERVER}
  smtp_port: ${SMTP_PORT}
  smtp_user: "${SMTP_USER}"
  smtp_pass: "${SMTP_PASSWORD}"
  require_transport_security: true
  notif_from: "%(app)s matrix homeserver <noreply@${DOMAIN_NAME}>"
  app_name: ${DOMAIN_NAME}
 EOF
 fi
 # hack to let keycloak startup
 sleep 5
 exec /start.py
--- a/matrix/env.production
+++ b/matrix/env.production
@ -1 +0,0 @@
 # variables
--- a/matrix/keycloak.sh
+++ b/matrix/keycloak.sh
@ -0,0 +1,4 @@
 #!/bin/bash -x
 # Setup the OAuth client connection
 client-create matrix "$MATRIX_HOSTNAME.$DOMAIN_NAME" "$MATRIX_CLIENT_SECRET" </dev/null
--- a/matrix/nginx.conf
+++ b/matrix/nginx.conf
@ -0,0 +1,71 @@
 map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
 }
 server {
 	server_name ${MATRIX_HOSTNAME} ${MATRIX_HOSTNAME}.${DOMAIN_NAME};
 	client_max_body_size 128m;
 	sendfile on;
 	tcp_nopush on;
 	tcp_nodelay on;
 	keepalive_timeout 65;
 	types_hash_max_size 2048;
 	#include /etc/nginx/mime.types;
 	#default_type application/octet-stream;
 	gzip on;
 	gzip_disable "msie6";
 	proxy_read_timeout 1800s;
 	# required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
 	chunked_transfer_encoding on;
 	location / {
 		proxy_pass http://matrix-element:80;
 		proxy_set_header Host $host;
 		proxy_set_header X-Real-IP $remote_addr;
 		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 		proxy_set_header X-Forwarded-Proto $scheme;
 	}
 	location ~ ^(/_matrix|/_synapse/client) {
 		# note: do not add a path (even a single /) after the port in `proxy_pass`,
 		# otherwise nginx will canonicalise the URI and cause signature verification
 		# errors.
 		proxy_pass http://matrix-synapse:8008;
 		proxy_set_header X-Forwarded-For $remote_addr;
 		proxy_set_header X-Forwarded-Proto $scheme;
 		proxy_set_header Host $host;
 		# Nginx by default only allows file uploads up to 1M in size
 		# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
 		client_max_body_size 50M;
 	}
 	# serve the static content for the well known files
 	location /.well-known/matrix/server {
 		default_type application/json;
 		return 200 '{"m.server": "${MATRIX_HOSTNAME}.${DOMAIN_NAME}:443"}';
 	}
 	location /.well-known/matrix/client {
 		default_type application/json;
 		return 200 '{"m.homeserver":{"base_url": "https://${MATRIX_HOSTNAME}.${DOMAIN_NAME}"}}';  
 	}
 	# The federation port is also enabled, although it can also go through 443
 	listen 8448 ssl http2 default_server;
 	#listen [::]:8448 ssl http2 default_server;
 	# For the user connection
 	listen 443 ssl http2;
 	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
 	include /etc/nginx/includes/options-ssl-nginx.conf;
 	include /etc/nginx/includes/challenge.conf;
 	ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
 }
--- a/matrix/setup
+++ b/matrix/setup
@ -1,88 +0,0 @@
 #!/bin/bash
 die() { echo >&2 "matrix: ERROR $@" ; exit 1 ; }
 info() { echo >&2 "matrix: $@" ; }
 DIRNAME="$(dirname $0)"
 cd "$DIRNAME"
 source ../env.production || die "no top levle env?"
 source ../env.smtp 2>/dev/null 
 source env.production || die "no local env?"
 DATA="../data/matrix"
 SYNAPSE_DIR="$DATA/synapse"
 HOMESERVER_YAML="$SYNAPSE_DIR/homeserver.yaml"
 if [  -r "$HOMESERVER_YAML" ]; then
 	docker-compose up -d || die "matrix: unable to restart"
 	exit 0
 fi
 docker-compose down 2>/dev/null
 mkdir -p "$DATA"
 # fix up the Element client config to have the correct hostname
 # based on the environment variables
 export DOMAIN_NAME MATRIX_HOSTNAME
 envsubst < "element-config.json.template" > "$DATA/element-config.json"
 # This will create a *delegated* matrix server,
 # where the "servername" is just the top level domain,
 # but it is hosted on "matrix.DOMAIN_NAME".
 # the syntax here is confusing and it is not clear in
 # the docs *which* have to be updated.
 docker-compose run \
 	--rm \
 	-e SYNAPSE_SERVER_NAME="$DOMAIN_NAME" \
 	-e SYNAPSE_REPORT_STATS="no" \
 	synapse generate \
 || die "unable to generate synapse config"
 MATRIX_CLIENT_SECRET="$(openssl rand -hex 20)"
 cat <<EOF >> "$HOMESERVER_YAML"
 web_client_location: https://${MATRIX_HOSTNAME}/
 public_baseurl: https://${MATRIX_HOSTNAME}/
 oidc_providers:
  - idp_id: keycloak
    idp_name: "KeyCloak"
    issuer: "https://${KEYCLOAK_HOSTNAME}/realms/${REALM}"
    client_id: "synapse"
    client_secret: "${MATRIX_CLIENT_SECRET}"
    scopes: ["openid", "profile"]
    user_mapping_provider:
      config:
        localpart_template: "{{ user.preferred_username }}"
        display_name_template: "{{ user.name }}"
 EOF
 if [ -n "$SMTP_SERVER" ]; then
 	info "configuring email"
 	cat <<EOF >> "$HOMESERVER_YAML"
 email:
  smtp_host: ${SMTP_SERVER}
  smtp_port: ${SMTP_PORT}
  smtp_user: "${SMTP_USER}"
  smtp_pass: "${SMTP_PASSWORD}"
  require_transport_security: true
  notif_from: "%(app)s matrix homeserver <noreply@${DOMAIN_NAME}>"
  app_name: ${DOMAIN_NAME}
 EOF
 fi
 ../keycloak/client-delete 'synapse' 2>/dev/null
 ../keycloak/client-create << EOF || die "unable to create client id"
 {
 	"clientId": "synapse",
 	"rootUrl": "https://$MATRIX_HOSTNAME/",
 	"adminUrl": "https://$MATRIX_HOSTNAME/",
 	"redirectUris": [ "https://$MATRIX_HOSTNAME/*" ],
 	"webOrigins": [ "https://$MATRIX_HOSTNAME" ],
 	"clientAuthenticatorType": "client-secret",
 	"secret": "$MATRIX_CLIENT_SECRET"
 }
 EOF
 docker-compose up -d || die "matrix: unable to start container"
--- a/nginx.yaml
+++ b/nginx.yaml
@ -11,6 +11,7 @@ services:
    ports:
      - "80:80"
      - "443:443"
      - "8448:8448"
    volumes:
      - ./nginx/etc/includes:/etc/nginx/includes:ro
      - ./nginx/etc/nginx.conf:/etc/nginx/nginx.conf:ro
--- a/nginx/default.conf
+++ b/nginx/default.conf
@ -51,9 +51,10 @@ server {
 	chunked_transfer_encoding on;
 	# delegated Matrix server
-#	location /.well-known/matrix {
+	location /.well-known/matrix {
-#		proxy_pass https://${MATRIX_HOSTNAME}.${DOMAIN_NAME};
+		#return 302 https://${MATRIX_HOSTNAME}.${DOMAIN_NAME}$request_uri;
-#	}
+		proxy_pass https://${MATRIX_HOSTNAME}.${DOMAIN_NAME}$request_uri;
 	}
 	# separate Mastodon WEB_DOMAIN and LOCAL_DOMAIN
 	location = /.well-known/host-meta {
@ -63,6 +64,11 @@ server {
 		return 302 https://${MASTODON_HOSTNAME}.${DOMAIN_NAME}$request_uri;
 	}
 	# OpenID services
 	location = /.well-known/openid-configuration {
 		return 302 https://${KEYCLOAK_HOSTNAME}.${DOMAIN_NAME}$request_uri;
 	}
 	# tilde club home directories
 	location ~ ^/~(.+?)(/.*)?$ {
 		alias /home/$1/public_html$2;
--- a/nginx/etc/nginx.conf
+++ b/nginx/etc/nginx.conf
@ -16,6 +16,9 @@ http {
 	# Basic Settings
 	##
 	# docker container resolver
 	resolver 127.0.0.11 ipv6=off;
 	sendfile on;
 	tcp_nopush on;
 	tcp_nodelay on;
		`@ -0,0 +1,3 @@`
							`# Matrix/Element chat`

							`The sample config for the JSON comes from 8891698745897388db037ea8692937edc199630c on vector-im/element-web`