matrix: delegated home server setup with oicd login

env.production

@@ -6,3 +6,5 @@ HEDGEDOC_HOSTNAME=docs.hackerspace.zone
 MASTODON_HOSTNAME=social.hackerspace.zone
 NEXTCLOUD_HOSTNAME=cloud.hackerspace.zone
 GRAFANA_HOSTNAME=dashboard.hackerspace.zone
+GITLAB_HOSTNAME=git.hackerspace.zone
+MATRIX_HOSTNAME=matrix.hackerspace.zone

matrix/docker-compose.yaml

@@ -0,0 +1,27 @@
+version: '3'
+services:
+  postgres:
+    image: postgres:13.4-alpine
+    restart: unless-stopped
+    volumes:
+     - ./data/postgresdata:/var/lib/postgresql/data
+    environment:
+     - POSTGRES_DB=synapse
+     - POSTGRES_USER=synapse
+     - POSTGRES_PASSWORD=STRONGPASSWORD
+     
+  element:
+    image: vectorim/element-web:latest
+    restart: unless-stopped
+    volumes:
+      - ./element-config.json:/app/config.json
+    ports:
+      - "5000:80"
+
+  synapse:
+    image: matrixdotorg/synapse:latest
+    restart: unless-stopped
+    volumes:
+     - ./data/synapse:/data
+    ports:
+      - "5008:8008"

matrix/element-config.json

@@ -0,0 +1,73 @@
+{
+     "default_server_config": {
+        "m.homeserver": {
+            "base_url": "https://matrix.hackerspace.zone",
+            "server_name": "hackerspace.zone"
+        },
+        "m.identity_server": {
+            "base_url": "https://vector.im"
+        }
+    },
+    "brand": "Element",
+    "integrations_ui_url": "https://scalar.vector.im/",
+    "integrations_rest_url": "https://scalar.vector.im/api",
+    "integrations_widgets_urls": [
+        "https://scalar.vector.im/_matrix/integrations/v1",
+        "https://scalar.vector.im/api",
+        "https://scalar-staging.vector.im/_matrix/integrations/v1",
+        "https://scalar-staging.vector.im/api",
+        "https://scalar-staging.riot.im/scalar/api"
+    ],
+    "hosting_signup_link": "https://element.io/matrix-services?utm_source=element-web&utm_medium=web",
+    "bug_report_endpoint_url": "https://element.io/bugreports/submit",
+    "uisi_autorageshake_app": "element-auto-uisi",
+    "showLabsSettings": true,
+    "piwik": {
+        "url": "https://piwik.riot.im/",
+        "siteId": 1,
+        "policyUrl": "https://element.io/cookie-policy"
+    },
+    "roomDirectory": {
+        "servers": [
+            "matrix.org",
+            "gitter.im",
+            "libera.chat"
+        ]
+    },
+    "enable_presence_by_hs_url": {
+        "https://matrix.org": false,
+        "https://matrix-client.matrix.org": false
+    },
+    "terms_and_conditions_links": [
+        {
+            "url": "https://element.io/privacy",
+            "text": "Privacy Policy"
+        },
+        {
+            "url": "https://element.io/cookie-policy",
+            "text": "Cookie Policy"
+        }
+    ],
+    "hostSignup": {
+      "brand": "Element Home",
+      "cookiePolicyUrl": "https://element.io/cookie-policy",
+      "domains": [
+          "matrix.org"
+      ],
+      "privacyPolicyUrl": "https://element.io/privacy",
+      "termsOfServiceUrl": "https://element.io/terms-of-service",
+      "url": "https://ems.element.io/element-home/in-app-loader"
+    },
+    "sentry": {
+        "dsn": "https://029a0eb289f942508ae0fb17935bd8c5@sentry.matrix.org/6",
+        "environment": "develop"
+    },
+    "posthog": {
+        "projectApiKey": "phc_Jzsm6DTm6V2705zeU5dcNvQDlonOR68XvX2sh1sEOHO",
+        "apiHost": "https://posthog.element.io"
+    },
+    "features": {
+        "feature_spotlight": true
+    },
+    "map_style_url": "https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx"
+}

matrix/env.production

@@ -0,0 +1 @@
+# variables

matrix/setup

@@ -0,0 +1,60 @@
+#!/bin/bash
+die() { echo >&2 "$@" ; exit 1 ; }
+
+DIRNAME="$(dirname $0)"
+cd "$DIRNAME"
+source ../env.production || die "no top levle env?"
+source env.production || die "no local env?"
+
+docker-compose down
+
+HOMESERVER_YAML="data/synapse/homeserver.yaml"
+if [  -r "$HOMESERVER_YAML" ]; then
+	echo "home server already configured? delete data directory to force reconfig"
+	exit 0
+fi
+
+# This will create a *delegated* matrix server,
+# where the "servername" is just the top level domain,
+# but it is hosted on "matrix.DOMAIN_NAME".
+# the syntax here is confusing and it is not clear in
+# the docs *which* have to be updated.
+docker run -it --rm \
+	-v "`pwd`/data/synapse:/data" \
+	-e "SYNAPSE_SERVER_NAME=$DOMAIN_NAME" \
+	-e SYNAPSE_REPORT_STATS=yes \
+	matrixdotorg/synapse:latest generate \
+|| die "unable to generate synapse config"
+
+MATRIX_CLIENT_SECRET="$(openssl rand -hex 20)"
+#MATRIX_CLIENT_SECRET="abcdef1234"
+
+cat <<EOF >> "$HOMESERVER_YAML"
+web_client_location: https://${MATRIX_HOSTNAME}/
+public_baseurl: https://${MATRIX_HOSTNAME}/
+oidc_providers:
+  - idp_id: keycloak
+    idp_name: "KeyCloak"
+    issuer: "https://${KEYCLOAK_HOSTNAME}/realms/${REALM}"
+    client_id: "synapse"
+    client_secret: "${MATRIX_CLIENT_SECRET}"
+    scopes: ["openid", "profile"]
+    user_mapping_provider:
+      config:
+        localpart_template: "{{ user.preferred_username }}"
+        display_name_template: "{{ user.name }}"
+EOF
+
+../keycloak/client-delete 'synapse' || echo "client did not exist?"
+
+../keycloak/client-create << EOF || die "unable to create client id"
+{
+	"clientId": "synapse",
+	"rootUrl": "https://$MATRIX_HOSTNAME/",
+	"adminUrl": "https://$MATRIX_HOSTNAME/",
+	"redirectUris": [ "https://$MATRIX_HOSTNAME/*" ],
+	"webOrigins": [ "https://$MATRIX_HOSTNAME" ],
+	"clientAuthenticatorType": "client-secret",
+	"secret": "$MATRIX_CLIENT_SECRET"
+}
+EOF

nginx/certbot-renew

@@ -7,7 +7,7 @@ cd "$DIRNAME"
 source ../env.production
 source ./env.production
 
-domain_args="-d $DOMAIN_NAME,$KEYCLOAK_HOSTNAME,$HEDGEDOC_HOSTNAME,$MASTODON_HOSTNAME,$NEXTCLOUD_HOSTNAME,$GRAFANA_HOSTNAME"
+domain_args="-d $DOMAIN_NAME,$KEYCLOAK_HOSTNAME,$HEDGEDOC_HOSTNAME,$MASTODON_HOSTNAME,$NEXTCLOUD_HOSTNAME,$GRAFANA_HOSTNAME,$MATRIX_HOSTNAME"
 rsa_key_size=2048
 
 set -x