diff --git a/site.yml b/site.yml
index 8f05a79dcef5b7b86d0cf42237bf7d8410e7d65e..b108a0dc61cdd3d89d699af7b75433e1b1d0e443 100644
--- a/site.yml
+++ b/site.yml
@@ -76,6 +76,12 @@
 basedir: "/srv/{{ servicename }}",
 domain: "md.test-warpzone.de"
 }
+ - {
+ role: testserver/docker_matrix, tags: [ test_matrix, docker_services ],
+ servicename: "matrix",
+ basedir: "/srv/{{ servicename }}",
+ domain: "matrix.test-warpzone.de"
+ }
 - {
 role: testserver/docker_nextcloud, tags: [ test_nextcloud, docker_services ],
 servicename: "nextcloud",
diff --git a/testserver/docker_matrix/tasks/main.yml b/testserver/docker_matrix/tasks/main.yml
index 27dc2fdaa156cef1d9699c849984ec3bff03650d..6a7bcd15c08928f6612eb9cbbd7b71dd5c684d3f 100644
--- a/testserver/docker_matrix/tasks/main.yml
+++ b/testserver/docker_matrix/tasks/main.yml
@@ -3,7 +3,10 @@
 - include_tasks: ../functions/get_secret.yml
 with_items:
 - { path: /srv/shared/noreply_email_pass, length: -1 }
- - { path: /srv/ldap/secret/ldap_readonly_pass, length: -1 }
+ - { path: /srv/matrix/matrix_macaroon_secret_key, length: 32 }
+ - { path: /srv/matrix/matrix_registration_shared_secret, length: 32 }
+ - { path: /srv/matrix/matrix_form_secret, length: 32 }
+ - { path: /srv/matrix/matrix_oidc_secret, length: 32 }
 - { path: /srv/matrix/postgres_user_pass, length: 24 }
 - { path: /srv/matrix/admin_access_token, length: -1 } # Get in Element fo an Admin User: Settings > Help > Advanced
@@ -16,8 +19,6 @@
 group: www-data
 with_items:
 - "/srv/matrix/"
- - "/srv/matrix/ma1sd-config/"
- - "/srv/matrix/ma1sd-data/"
 - "/srv/matrix/synapse-data/"
@@ -37,8 +38,6 @@
 dest: "/srv/matrix/{{ item }}"
 with_items:
 - docker-compose.yml
- - rest_auth_provider.py
- - ma1sd-config/ma1sd.yaml
 - synapse-data/homeserver.log.config
 - synapse-data/homeserver.yaml
 register: configs
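Review bot: The new `/srv/matrix/matrix_oidc_secret` entry is requested with `length: 32` like the three Synapse-internal secrets, but its consumer in homeserver.yaml is `client_secret`, a value the OIDC provider must hold as well and which that template still marks `# TO BE FILLED`; if get_secret.yml generates a random value when the file is absent (inferred from the `-1` vs `32` convention — the helper is not in this diff), the generated secret will never match the client registration at the IdP and OIDC login fails until both sides are reconciled by hand. Consider `- { path: /srv/matrix/matrix_oidc_secret, length: -1 }` so the value has to be provisioned from the IdP side, or add a comment such as `# client secret from the uffd OIDC client registration, not generated here` on this item. The macaroon, registration-shared and form secrets are genuinely local to Synapse, so generating those is fine.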
diff --git a/testserver/docker_matrix/templates/README b/testserver/docker_matrix/templates/README
index cbf322fa73a55334e3ec3f4c089fb82e5e50e400..bb58fc81e12115a6809676031a24294ee19ef5fb 100644
--- a/testserver/docker_matrix/templates/README
+++ b/testserver/docker_matrix/templates/README
@@ -1 +1,5 @@
-the rest-auth_provider is from https://githubcom/ma1uta/matrix-synapse-rest-password-provider/
+
+Funktionierende oidc-Konfiguration mit authentik
+ - https://www.youtube.com/watch?v=MwOh4NvPdtQ
+ - https://github.com/matrix-org/tutorial-oidc-playground
+
diff --git a/testserver/docker_matrix/templates/docker-compose.yml b/testserver/docker_matrix/templates/docker-compose.yml
index fb47a54e48dbd96f050c25dc540a6f6ef8db1f10..fa57f24902160d1054e901f304430cc9a21090e5 100644
--- a/testserver/docker_matrix/templates/docker-compose.yml
+++ b/testserver/docker_matrix/templates/docker-compose.yml
@@ -23,6 +23,7 @@ services:
 networks:
 - default
+
 synapse:
 image: matrixdotorg/synapse:latest
@@ -31,11 +32,8 @@ services:
 cpuset: "0"
 depends_on:
 - db
- - ma1sd
 volumes:
 - /srv/matrix/synapse-data/:/data
- # Python version can be found in the dockerfile: https://github.com/matrix-org/synapse/blob/develop/docker/Dockerfile check for tag to get the correct version
- - /srv/matrix/rest_auth_provider.py:/usr/local/lib/python3.11/site-packages/rest_auth_provider.py
 environment:
 SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml"
 TZ: "Europe/Berlin"
@@ -53,23 +51,6 @@ services:
 - default
 - web
- ma1sd:
-
- image: ma1uta/ma1sd:2.5.0
- restart: always
- volumes:
- - /srv/matrix/ma1sd-config/:/etc/ma1sd
- - /srv/matrix/ma1sd-data/:/var/ma1sd
- labels:
- - com.centurylinklabs.watchtower.enable=false
- - traefik.enable=true
- - traefik.http.routers.{{ servicename }}-ma1sd.rule=((Host(`{{ domain }}`) && PathPrefix(`/_matrix/client/r0/login`)) || (Host(`{{ domain }}`) && PathPrefix(`/_matrix/identity`)))
- - traefik.http.routers.{{ servicename }}-ma1sd.entrypoints=websecure
- - traefik.http.services.{{ servicename }}-ma1sd.loadbalancer.server.port=8090
- networks:
- - default
- - web
-
 purgemediacache:
diff --git a/testserver/docker_matrix/templates/ma1sd-config/ma1sd.yaml b/testserver/docker_matrix/templates/ma1sd-config/ma1sd.yaml
deleted file mode 100644
index dd8b2422e75ea3deb49a769f8b038b0f9c44539b..0000000000000000000000000000000000000000
--- a/testserver/docker_matrix/templates/ma1sd-config/ma1sd.yaml
+++ /dev/null
@@ -1,231 +0,0 @@ - -####################### -# Matrix config items # -####################### -# Matrix domain, same as the domain configure in your Homeserver configuration. -# NOTE: in Synapse Homeserver, the Matrix domain is defined as 'server_name' in configuration file. -# -# This is used to build the various identifiers in all the features. -# -# If the hostname of the public URL used to reach your Matrix services is different from your Matrix domain, -# per example matrix.domain.tld vs domain.tld, then use the server.name configuration option. -# See the "Configure" section of the Getting Started guide for more info. -# -matrix: - domain: 'matrix.warpzone.ms' - v1: true # deprecated - v2: true # MSC2140 API v2. Riot require enabled V2 API. - - -################ -# Signing keys # -################ -# Absolute path for the Identity Server signing keys database. -# /!\ THIS MUST **NOT** BE YOUR HOMESERVER KEYS FILE /!\ -# If this path does not exist, it will be auto-generated. -# -# During testing, /var/tmp/ma1sd/keys is a possible value -# For production, recommended location shall be one of the following: -# - /var/lib/ma1sd/keys -# - /var/opt/ma1sd/keys -# - /var/local/ma1sd/keys -# -key: - path: '/var/ma1sd/keys' - - -# Path to the SQLite DB file for ma1sd internal storage -# /!\ THIS MUST **NOT** BE YOUR HOMESERVER DATABASE /!\ -# -# Examples: -# - /var/opt/ma1sd/store.db -# - /var/local/ma1sd/store.db -# - /var/lib/ma1sd/store.db -# -storage: -# backend: sqlite # or postgresql - provider: - sqlite: - database: '/var/ma1sd/store.db' -# postgresql: -# # Wrap all string values with quotes to avoid yaml parsing mistakes -# database: '//localhost/ma1sd' # or full variant //192.168.1.100:5432/ma1sd_database -# username: 'ma1sd_user' -# password: 'ma1sd_password' -# -# # Pool configuration for postgresql backend. 
-# ####### -# # Enable or disable pooling -# pool: false -# -# ####### -# # Check database connection before get from pool -# testBeforeGetFromPool: false # or true -# -# ####### -# # There is an internal thread which checks each of the database connections as a keep-alive mechanism. This set the -# # number of milliseconds it sleeps between checks -- default is 30000. To disable the checking thread, set this to -# # 0 before you start using the connection source. -# checkConnectionsEveryMillis: 30000 -# -# ####### -# # Set the number of connections that can be unused in the available list. -# maxConnectionsFree: 5 -# -# ####### -# # Set the number of milliseconds that a connection can stay open before being closed. Set to 9223372036854775807 to have -# # the connections never expire. -# maxConnectionAgeMillis: 3600000 - -################### -# Identity Stores # -################### -# If you are using synapse standalone and do not have an Identity store, -# see https://github.com/ma1uta/ma1sd/blob/master/docs/stores/synapse.md#synapse-identity-store -# -# If you would like to integrate with your AD/Samba/LDAP server, -# see https://github.com/ma1uta/ma1sd/blob/master/docs/stores/ldap.md -# -# For any other Identity store, or to simply discover them, -# see https://github.com/ma1uta/ma1sd/blob/master/docs/stores/README.md - -ldap: - enabled: true - connection: - host: '{{ ldap_ip_ext }}' - port: 389 - bindDn: '{{ ldap_readonly_bind_dn }}' - bindPassword: '{{ ldap_readonly_pass }}' - baseDNs: - - '{{ ldap_base_dn }}' - filter: '(&(objectClass=inetOrgPerson)(memberof=CN=active,OU=groups,DC=warpzone,DC=ms))' - attribute: - uid: - type: 'uid' - value: 'uid' - name: 'uid' - threepid: - email: - - 'mail' - msisdn: - - 'phone' - -################################################# -# Notifications for invites/addition to profile # -################################################# -# This is mandatory to deal with anything e-mail related. 
-# -# For an introduction to sessions, invites and 3PIDs in general, -# see https://github.com/ma1uta/ma1sd/blob/master/docs/threepids/session/session.md#3pid-sessions -# -# If you would like to change the content of the notifications, -# see https://github.com/ma1uta/ma1sd/blob/master/docs/threepids/notification/template-generator.md -# -#### E-mail connector -threepid: - medium: - email: - identity: - # The e-mail to send as. - from: "matrix-identity@warpzone.ms" - - connectors: - smtp: - # SMTP host - host: "{{ smtp_host }}" - - # TLS mode for the connection - # Possible values: - # 0 Disable any kind of TLS entirely - # 1 Enable STARTLS if supported by server (default) - # 2 Force STARTLS and fail if not available - # 3 Use full TLS/SSL instead of STARTLS - # - tls: 1 - - # SMTP port - # Be sure to adapt depending on your TLS choice, if changed from default - port: "{{ smtp_port }}" - - # Login for SMTP - login: "{{ noreply_email_user }}" - - # Password for the account - password: "{{ noreply_email_pass }}" - - -#### MSC2134 (hash lookup) - -#hashing: -# enabled: false # enable or disable the hash lookup MSC2140 (default is false) -# pepperLength: 20 # length of the pepper value (default is 20) -# rotationPolicy: per_requests # or `per_seconds` how often the hashes will be updating -# hashStorageType: sql # or `in_memory` where the hashes will be stored -# algorithms: -# - none # the same as v1 bulk lookup -# - sha256 # hash the 3PID and pepper. -# delay: 2m # how often hashes will be updated if rotation policy = per_seconds (default is 10s) -# requests: 10 # how many lookup requests will be performed before updating hashes if rotation policy = per_requests (default is 10) - -### hash lookup for synapseSql provider. -# synapseSql: -# lookup: -# query: 'select user_id as mxid, medium, address from user_threepid_id_server' # query for retrive 3PIDs for hashes. -# legacyRoomNames: false # use the old query to get room names. 
- -### hash lookup for ldap provider (with example of the ldap configuration) -# ldap: -# enabled: true -# lookup: true # hash lookup -# activeDirectory: false -# defaultDomain: '' -# connection: -# host: 'ldap.domain.tld' -# port: 389 -# bindDn: 'cn=admin,dc=domain,dc=tld' -# bindPassword: 'Secret' -# baseDNs: -# - 'dc=domain,dc=tld' -# attribute: -# uid: -# type: 'uid' # or mxid -# value: 'cn' -# name: 'displayName' -# identity: -# filter: '(objectClass=inetOrgPerson)' - -#### MSC2140 (Terms) -#policy: -# policies: -# term_name: # term name -# version: 1.0 # version -# terms: -# en: # lang -# name: term name en # localized name -# url: https://ma1sd.host.tld/term_en.html # localized url -# fe: # lang -# name: term name fr # localized name -# url: https://ma1sd.host.tld/term_fr.html # localized url -# regexp: -# - '/_matrix/identity/v2/account.*' -# - '/_matrix/identity/v2/hash_details' -# - '/_matrix/identity/v2/lookup' -# - -# logging: -# root: error # default level for all loggers (apps and thirdparty libraries) -# app: info # log level only for the ma1sd -# requests: false # or true to dump full requests and responses - -dns: - overwrite: - homeserver: - client: - - name: 'matrix.warpzone.ms' - value: 'http://synapse:8008' - - -session: - policy: - validation: - enabled: false diff --git a/testserver/docker_matrix/templates/synapse-data/homeserver.yaml b/testserver/docker_matrix/templates/synapse-data/homeserver.yaml index 93813866e74f62ffc18298e85b73cf81e0581264..7415de8c4f12868621649784372a85f7077d222a 100644 --- a/testserver/docker_matrix/templates/synapse-data/homeserver.yaml +++ b/testserver/docker_matrix/templates/synapse-data/homeserver.yaml 
@@ -5,6 +5,9 @@ use_presence: false
 allow_public_rooms_without_auth: false
 allow_public_rooms_over_federation: true
 forget_rooms_on_leave: true
+macaroon_secret_key: "{{ matrix_macaroon_secret_key }}"
+registration_shared_secret: "{{ matrix_registration_shared_secret }}"
+form_secret: "{{ matrix_form_secret}}"
 listeners:
 - port: 8448
@@ -81,7 +84,30 @@ url_preview_ip_range_blacklist:
 max_spider_size: 10M
 enable_registration: false
-default_identity_server: "{{ matrix.identity_server }}"
+
+password_config:
+ enabled: false
+
+oidc_providers:
+ - idp_id: uffd
+ idp_name: uffd
+ discover: true
+ enable_registration: true
+ allow_existing_users: true
+ issuer: "{{ oidc_global.provider_url }}"
+ client_id: "matrix" # TO BE FILLED
+ client_secret: "{{ matrix_oidc_secret }}" # TO BE FILLED
+ scopes:
+ - "openid"
+ - "profile"
+ - "email"
+ user_mapping_provider:
+ config:
+ subject_claim: "preferred_username"
+ localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}"
+ display_name_template: "{% raw %}{{ user.name }}{% endraw %}"
+ email_template: "{% raw %}{{ user.email }}{% endraw %}"
+
 auto_join_rooms:
 - "#warpzone:{{ matrix.domain }}"
@@ -104,11 +130,6 @@ email:
 enable_notifs: true
 notif_for_new_users: False
-password_providers:
- - module: "rest_auth_provider.RestAuthProvider"
- config:
- endpoint: "http://ma1sd:8090"
-
 encryption_enabled_by_default_for_room_type: invite
 enable_group_creation: false
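Review bot: In the `oidc_providers` hunk, `subject_claim: "preferred_username"` combined with `allow_existing_users: true` ties each Matrix account to a mutable username instead of the IdP's stable subject, so if uffd ever lets a username be changed or reassigned, the new holder of that name is logged into the old Matrix account; unless uffd guarantees `preferred_username` is immutable, drop the `subject_claim` line (Synapse defaults to `sub`) and keep `localpart_template` as the only place the username is used. `allow_existing_users: true` is presumably needed once to re-attach accounts created through the LDAP password provider this commit removes; that reason belongs in a comment, e.g. `# re-links accounts created via the removed LDAP provider; turn off once migration is done`, because the flag otherwise lets any IdP user whose localpart collides claim that account. The `# TO BE FILLED` comments on `client_id` and `client_secret` are stale now that both carry values, and `"{{ matrix_form_secret}}"` in the first hunk is missing the space before `}}` that every other template expression in the file has.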