diff --git a/README.md b/README.md index 50baa5b..62e7b9b 100644 --- a/README.md +++ b/README.md @@ -18,13 +18,20 @@ docker run --rm -it docker.io/pierre42100/matrix_gateway --help ## Setup dev environment ``` -mkdir -p storage/postgres storage/synapse storage/minio +mkdir -p storage/maspostgres storage/synapse storage/minio docker compose up ``` +To create default account, in another terminal, run the following command: + +```bash +docker compose --profile create-accounts up -d +``` + URLs: * Element: http://localhost:8080/ * Synapse: http://localhost:8448/ +* Matrix Authentication Service: http://localhost:8778/ * OpenID configuration: http://127.0.0.1:9001/dex/.well-known/openid-configuration * Minio console: http://localhost:9002/ diff --git a/docker-compose.yml b/docker-compose.yml index 5a93575..d37a458 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -1,15 +1,48 @@ services:
+ mas:
+ image: ghcr.io/element-hq/matrix-authentication-service:main
+ user: "1000"
+ restart: unless-stopped
+ depends_on:
+ - masdb
+ volumes:
+ - ./docker/mas:/config:ro
+ command: server -c /config/config.yaml
+ ports:
+ - "8778:8778/tcp"
+
+ mas_create_admin1:
+ image: ghcr.io/element-hq/matrix-authentication-service:main
+ user: "1000"
+ restart: no
+ profiles: ["create-accounts"]
+ depends_on:
+ - mas
+ volumes:
+ - ./docker/mas:/config:ro
+ command: |
+ manage register-user -c /config/config.yaml -y --ignore-password-complexity
+ -p admin1 -e admin1@admin1.local --admin -d "Admin One" admin1
+
+ mas_create_user1:
+ image: ghcr.io/element-hq/matrix-authentication-service:main
+ user: "1000"
+ restart: no
+ profiles: ["create-accounts"]
+ depends_on:
+ - mas
+ volumes:
+ - ./docker/mas:/config:ro
+ command: |
+ manage register-user -c /config/config.yaml -y --ignore-password-complexity
+ -p user1 -e user1@user1.local -d "User One" user1
+
 synapse:
 image: docker.io/matrixdotorg/synapse:latest
 user: "1000"
 # Since synapse does not retry to connect to the database, restart upon
 # failure
 restart: unless-stopped
- entrypoint: /bin/bash
- command: >
- -c "nohup bash -c 'sleep 10; /config/delayed_accounts_creation.sh' \&
- ./start.py"
-
 # See the readme for a full documentation of the environment settings
 # NOTE: You must edit homeserver.yaml to use postgres, it defaults to sqlite
 environment:
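Review bot: `restart: no` on mas_create_admin1 and mas_create_user1 is an unquoted YAML 1.1 boolean, so the loader hands Compose `false` where its schema requires a string; write `restart: "no"` on both services. The `command: |` literal blocks also embed a newline inside the command string, which only works because Compose shell-splits it; the folded form `command: >-` expresses the one-logical-line intent directly. Both one-shot services only `depends_on: - mas`, which waits for the container to start rather than for its database migrations to finish, so a first `docker compose --profile create-accounts up` on an empty storage directory may race the schema setup; whether a `condition: service_healthy` gate is feasible depends on the image shipping a usable healthcheck, which is not visible here. The `:main` tag on all three MAS images is mutable, so the dev environment is not reproducible between checkouts.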
@@ -22,25 +55,25 @@ services: # - ./files:/data # - /path/to/ssd:/data/uploads # - /path/to/large_hdd:/data/media - depends_on: - - db # In order to expose Synapse, remove one of the following, you might for # instance expose the TLS port directly: ports: - - 8448:8448/tcp + - "8448:8448/tcp" - db: + masdb: image: docker.io/postgres:18-alpine user: "1000" environment: - - POSTGRES_USER=synapse + - POSTGRES_DB=masdb + - POSTGRES_USER=masdb - POSTGRES_PASSWORD=changeme # ensure the database gets created correctly # https://element-hq.github.io/synapse/latest/postgres.html#set-up-database - POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C + - PGDATA=/data volumes: # You may store the database tables in a local folder.. - - ./storage/postgres:/var/lib/postgresql/data + - ./storage/maspostgres:/data # .. or store them on some high performance storage for better results # - /path/to/ssd/storage:/var/lib/postgresql/data diff --git a/docker/mas/config.yaml b/docker/mas/config.yaml new file mode 100644 index 0000000..dc2206e --- /dev/null +++ b/docker/mas/config.yaml 
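Review bot: The comment above `POSTGRES_INITDB_ARGS` still links the Synapse postgres setup guide although the service is now `masdb` and, with `depends_on: - db` removed from synapse, serves Matrix Authentication Service only; reword it, e.g. `# encoding/collation settings for the MAS database (kept from the former synapse db)`, so a reader does not expect Synapse to use this database. The commented alternative volume `# - /path/to/ssd/storage:/var/lib/postgresql/data` is likewise stale now that `PGDATA=/data` is set — it would have to mount at `/data` to take effect. `POSTGRES_PASSWORD=changeme` is repeated verbatim inside `database.uri` in docker/mas/config.yaml with nothing tying the two together; a comment such as `# must match database.uri in docker/mas/config.yaml` prevents a silent mismatch when one side is changed. The `NOTE: You must edit homeserver.yaml to use postgres` context line suggests Synapse now runs on sqlite; if that is intended, a one-line comment on the synapse service saying so would stop the next reader from re-adding the dependency.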
@@ -0,0 +1,113 @@ +http: + listeners: + - name: web + resources: + - name: discovery + - name: human + - name: oauth + - name: compat + - name: graphql + - name: assets + binds: + - address: '[::]:8778' + proxy_protocol: false + - name: internal + resources: + - name: health + binds: + - host: localhost + port: 8081 + proxy_protocol: false + trusted_proxies: + - 192.168.0.0/16 + - 172.16.0.0/12 + - 10.0.0.0/10 + - 127.0.0.1/8 + - fd00::/8 + - ::1/128 + public_base: http://localhost:8778/ + issuer: http://localhost:8778/ +database: + uri: postgresql://masdb:changeme@masdb/masdb + max_connections: 10 + min_connections: 0 + connect_timeout: 30 + idle_timeout: 600 + max_lifetime: 1800 +email: + from: '"Authentication Service" ' + reply_to: '"Authentication Service" ' + transport: blackhole +secrets: + encryption: 12de9ad7bc2bacfa2ab9b1e3f7f1b3feb802195c8ebe66a8293cdb27f00be471 + keys: + - kid: Bj2PICQ7mf + key: | + -----BEGIN RSA PRIVATE KEY----- + MIIEogIBAAKCAQEAsCYCrrCJA7IuGbTYzP5yZN74QszbzudBUCX6MyN/+36HO2r6 + xL8x1PRJ+Klx9Y90J9pWuo+cIuEmFLqO+Yfblo9fSQgZVvkWAFpO6Xh8J4z9qg49 + M8xm0Ct8EnRDZDCEOBnwoDaAB9RTbpJGa1RPVCiamfi+xU+j47Zl4Er5jvLm81O7 + DSlH9eK8Eih8AxuKTkAbKE1zyXquImE26Mj2dmMRfjDrWV/I8oqE3WFViAKR12Av + zw6TUyduiz8nK9pONCF3NIcQvBdHntBz1HlDXv6i0fRvlGIhjNL5LBgo6XQ3rNM1 + bW2KYOw/iFP0YbfD4/xRjkBPvK2coQ8aRzK2VwIDAQABAoH/G4XU5Xav8ePlUB7x + wRYAycINCGL59Vos2lkUvujNFn6uopoUlKlLH/sLk87l/3hqrc9vvbayrsB/Mr3z + mQmhReUg/khFrVE+Hs/9hH1O6N8ew3N2HKHTbrNcr4V7AiySfDGRZ3ccihyi7KPu + XNbPjlbJ0UUMicfn06ysPl94nt0So0UAmXg+c7sDDqyzh3cY8emedYZ5FCljo/jA + F8k40rs7CywLJYMJB9O1vtomgt1xkDRO4F8UrZrriMIcYn0iFKe7i4AH8D6nkgNu + /v9Z43Leu8yRKrUvbpH3NaX8DlUSFWAXKpwUWr4sAQgWcLkVgjAXG1v9jCE97qW2 + f0nBAoGBAOaKrnY5rWeZ74dERnPhSCsYiqRMneQAh7eJR+Er+xu1yF/bxwkhq2tK + /txheTK448DqhQRtr095t/v7TMZcPl3bSmybT1CQg/wiMJsgDMZqlC9tofvcq6uz + xP8vxMFHd0YSMSP693dkny4MzNY6LuoVWDLT+HxKPJyzGs1alruzAoGBAMOZp5J2 + 3ODcHQlcsGBtj1yVpQ4UXMvrSZF2ygiGK9bagL/f1iAtwACVOh5rgmbiOLSVgmR2 + 
n4nupTgSAXMYkjmAmDyEh0PDaRl4WWvYEKp8GMvTPVPvjc6N0dT+y8Mf9bu+LcEt + +uZqPOZNbO5Vi+UgGeM9zZpxq/K7dpJmM/jNAoGBALsYHRGxKTsEwFEkZZCxaWIg + HpPL4e8hRwL6FC13BeitFBpHQDX27yi5yi+Lo1I4ngz3xk+bvERhYaDLhrkML0j4 + KGQPfsTBI3vBO3UJA5Ua9XuwG19M7L0BvYPjfmfk2bUyGlM63w4zyMMUfD/3JA+w + ls1ZHTWxAZOh/sRdGirlAoGAX16B1+XgmDp6ZeAtlzaUGd5U1eKTxFF6U1SJ+VIB + +gYblHI84v+riB06cy6ULDnM0C+9neJAs24KXKZa0pV+Zk8O6yLrGN0kV2jYoL5+ + kcFkDa13T3+TssxvLNz22LKyi9GUWYZjuQi/nMLPg/1t8k+Oj7/Iia822WkRzRvL + 51kCgYEAwrN5Us8LR+fThm3C0vhvwv2wap6ccw0qq5+FTN+igAZAmmvKKvhow2Vi + LnPKBkc7QvxvQSNoXkdUo4qs3zOQ7DGvJLqSG9pwxFW5X1+78pNEm5OWe8AlT1uZ + Jz8Z1/Ae7fr/fFaucW9LkWjcuoPwPLiZ3b7ZQ6phs8qzoL+FpBI= + -----END RSA PRIVATE KEY----- + - kid: HcRvLHat12 + key: | + -----BEGIN EC PRIVATE KEY----- + MHcCAQEEIOCCFSnkfz1ksln6kus8enQstBTu0q62IGJVzuX0WiXPoAoGCCqGSM49 + AwEHoUQDQgAEVWPLbvSdxquLAjU3zJLcCWdaxr6QK1tPVbV1IS+87QUMv/zKiCMa + fNpwgBXwU7dF0gY507R2yY9pcdTmRtnRug== + -----END EC PRIVATE KEY----- + - kid: YjMITk5VSn + key: | + -----BEGIN EC PRIVATE KEY----- + MIGkAgEBBDCoPSjaN7qqnPz+vdzHeIy8RZCCtFOqLTkvylM1gz6xOGaVsS63VJw9 + Td9BtpolZ0egBwYFK4EEACKhZANiAAT8tH88HYBHNiQTSqZzlxElSuSDC0+Xn0O9 + ukj0xTTVBp8rUM9lCJQAlB8PjS2XK/n0YvYdzysQb3AYqszJa45/rOGvSar30YNE + gwpJvu36xNIKZT+nHalNwg069FdjNBc= + -----END EC PRIVATE KEY----- + - kid: NvFzzeMRU3 + key: | + -----BEGIN EC PRIVATE KEY----- + MHQCAQEEILJEmFPDGFZoBVBQf1P6h4YfasYsFiu8a6FrFxiJvKXPoAcGBSuBBAAK + oUQDQgAE4NY5H3+D8r9GNOhrpbUn2dvLZIzi4A+SiwfqvtvPEmZkW+KDbd2tzKmx + maydZBn52QWedVY65snGAEoh9mV1TQ== + -----END EC PRIVATE KEY----- +passwords: + enabled: true + schemes: + - version: 1 + algorithm: argon2id + minimum_complexity: 0 +account: + password_registration_enabled: true + password_registration_email_required: false +matrix: + kind: synapse + homeserver: localhost + secret: IhKoLn6jWf1qRRZWvqgaKuIdwD6H0Mvx + endpoint: http://synapse:8448/ + +policy: + data: + client_registration: + allow_insecure_uris: true \ No newline at end of file 
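Review bot: The file commits live key material — `secrets.encryption`, four private keys under `secrets.keys` and `matrix.secret` — with nothing marking it as disposable, so every clone of this repository shares the same token-signing and encryption keys; add a header comment along the lines of `# Dev-only configuration: the secrets below are intentionally committed. Regenerate with mas-cli config generate before any use outside this docker compose setup.` `matrix.secret` is also repeated byte-for-byte in docker/synapse/homeserver.yaml, and a comment beside it, `# must match matrix_authentication_service.secret in docker/synapse/homeserver.yaml`, documents that coupling. `email.from` and `email.reply_to` as shown hold only a display name with no mailbox — if an angle-bracketed address was lost in rendering this is fine, otherwise the value is incomplete even for the blackhole transport. `passwords.minimum_complexity: 0`, `account.password_registration_enabled: true` and `policy.data.client_registration.allow_insecure_uris: true` are open-registration dev settings and belong under the same dev-only marker so they are not carried into a real deployment.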
diff --git a/docker/synapse/delayed_accounts_creation.sh b/docker/synapse/delayed_accounts_creation.sh deleted file mode 100755 index 0b72cb9..0000000 --- a/docker/synapse/delayed_accounts_creation.sh +++ /dev/null @@ -1,2 +0,0 @@ -register_new_matrix_user -a --user admin1 --password admin1 --config /config/homeserver.yaml; -register_new_matrix_user --no-admin --user user1 --password user1 --config /config/homeserver.yaml; \ No newline at end of file diff --git a/docker/synapse/homeserver.yaml b/docker/synapse/homeserver.yaml index fbe5822..95e6f4f 100644 --- a/docker/synapse/homeserver.yaml +++ b/docker/synapse/homeserver.yaml @@ -33,3 +33,9 @@ signing_key_path: "/config/localhost.signing.key" trusted_key_servers: - server_name: "matrix.org" # vim:ft=yaml +matrix_authentication_service: + enabled: true + endpoint: http://mas:8778/ + secret: "IhKoLn6jWf1qRRZWvqgaKuIdwD6H0Mvx" + # Alternatively, using a file: + #secret_file: /path/to/secret.txt
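Review bot: The `secret` in the new `matrix_authentication_service` block duplicates `matrix.secret` from docker/mas/config.yaml byte-for-byte and nothing says the two must agree, so regenerating one side silently breaks Synapse's connection to MAS; add `# must match matrix.secret in docker/mas/config.yaml` above it. `endpoint: http://mas:8778/` targets the MAS public listener, which is the correct one as far as the hunk shows since the internal listener only exposes the health resource. Enabling this block makes Synapse refuse to start if `enable_registration` or password login are still on elsewhere in homeserver.yaml; that part of the file is outside the hunk, so this is a point to verify rather than a defect I can point to.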