add comrade backupbot

This config allows matrix-synapse to create a endpoint on
$DOMAIN/.well-known/matrix/server used for federation.
It's a straight forward way (no port opening required)
to enable federation if you are okay having a subdomain
(matrix.example.org) as your homeserver address.

.drone.yml

@@ -1,10 +0,0 @@
----
-kind: pipeline
-name: recipe release
-steps:
-  - name: release a new version
-    image: thecoopcloud/drone-abra:latest
-    settings:
-      command: recipe matrix-synapse release
-      deploy_key:
-        from_secret: abra_bot_deploy_key

.env.sample

@@ -15,6 +15,12 @@ COMPOSE_FILE="compose.yml"
 
 #DISABLE_FEDERATION=1
 
+# Set "true" to enable federation endpoint on $DOMAIN/.well-known/matrix/server
+SERVE_SERVER_WELLKNOWN=false 
+
+ENABLE_REGISTRATION=false
+PASSWORD_LOGIN_ENABLED=true
+
 #AUTO_JOIN_ROOM_ENABLED=1
 #AUTO_JOIN_ROOM="#example:example.com"
 
@@ -29,6 +35,8 @@ ENABLE_3PID_LOOKUP=true
 
 USER_IPS_MAX_AGE=1d
 
+ENCRYPTED_BY_DEFAULT=all
+
 #ENABLE_ALLOWLIST=1
 #FEDERATION_ALLOWLIST="[]"
 

.gitignore

@@ -1 +1,2 @@
-/.envrc
+.envrc
+synapse

README.md

@@ -1,7 +1,5 @@
 # Matrix (Synapse)
 
-[![Build Status](https://drone.autonomic.zone/api/badges/coop-cloud/matrix-synapse/status.svg?ref=refs/heads/main)](https://drone.autonomic.zone/coop-cloud/matrix-synapse)
-
 <!-- metadata -->
 
 * **Category**: Apps
@@ -9,30 +7,53 @@
 * **Image**: [`matrixdotorg/synapse`](https://hub.docker.com/r/matrixdotorg/synapse), 4, upstream
 * **Healthcheck**: Yes
 * **Backups**: No
-* **Email**: No
+* **Email**: Yes
 * **Tests**: No
-* **SSO**: No
+* **SSO**: Yes
+
 <!-- endmetadata -->
 
 ## Basic usage
 
-1. Set up Docker Swarm and [`abra`]
-2. Deploy [`coop-cloud/traefik`]
-3. `abra app new matrix-synapse --secrets` (optionally with `--pass` if you'd like
-   to save secrets in `pass`)
-4. `abra app YOURAPPDOMAIN config` - be sure to change `$DOMAIN` to something that resolves to
-   your Docker swarm box
+1. Set up Docker Swarm and [`abra`](https://docs.coopcloud.tech/abra/)
+2. Deploy [`coop-cloud/traefik`](https://git.coopcloud.tech/coop-cloud/traefik)
+3. `abra app new matrix-synapse --secrets` (optionally with `--pass` if you'd like to save secrets in `pass`)
+4. `abra app YOURAPPDOMAIN config` - be sure to change `$DOMAIN` to something that resolves to your Docker swarm box
 5. `abra app YOURAPPDOMAIN deploy`
-6. Create an initial user:
-   `abra app YOURAPPDOMAIN run app register_new_matrix_user -c /data/homeserver.yaml http://localhost:8008`
-
-[abra]: https://git.autonomic.zone/autonomic-cooperative/abra
-[cc-traefik]: https://git.autonomic.zone/coop-cloud/traefik
+6. Create an initial user: `abra app YOURAPPDOMAIN run app register_new_matrix_user -c /data/homeserver.yaml http://localhost:8008`
 
 ## Tips & Tricks
 
+### Disabling federation
+
+> We're not sure this does it exactly and there is still a discussion running
+> upstrem about whether this is the right way to do it & whether it could be
+> more convenient. We welcome issues / change sets to close up more federation
+> functionality.
+
+- use `DISABLE_FEDERATION=1` to turn off federation listeners
+- don't use [`compose.matrix.yml`](https://git.coopcloud.tech/coop-cloud/traefik/src/branch/master/compose.matrix.yml) in your traefik config to keep the federation ports closed
+
+### Enabling federation
+
+See [`#27`](https://git.coopcloud.tech/coop-cloud/matrix-synapse/pulls/27) for more.
+
+Depending on your setup, using `SERVE_SERVER_WELLKNOWN=true` might work to start federating.
+
+### Seeing what changed in `homeserver.yaml` between versions
+
+Change the version range to suit your needs.
+
+```
+git clone https://github.com/matrix-org/synapse
+cd synapse/docs
+git log --follow -p v1.48.0..v1.51.0 sample_config.yaml
+```
+
 ### Generating a new `homeserver.yaml`
 
+The default is also available to see [here](https://matrix-org.github.io/synapse/latest/usage/configuration/homeserver_sample_config.html).
+
 ```
 docker run -it \
   --entrypoint="" \
@@ -52,3 +73,9 @@ docker run -it \
   matrixdotorg/synapse:v1.48.0 \
   sh -c '/start.py generate; cat /data/foo.com.log.config' > log.config
 ```
+
+### Getting client discovery on a custom domain
+
+You'll need to deploy something like [this](https://git.autonomic.zone/ruangrupa/well-known-uris).
+
+This could be implemented in this recipe but we haven't merged it in yet. Chang sets are welcome.

abra.sh

@@ -1,3 +1,3 @@
 export ENTRYPOINT_CONF_VERSION=v1
-export HOMESERVER_YAML_VERSION=v3
+export HOMESERVER_YAML_VERSION=v8
 export LOG_CONFIG_VERSION=v2

compose.keycloak2.yml

@@ -0,0 +1,17 @@
+---
+version: "3.8"
+
+services:
+  app:
+    secrets:
+      - keycloak2_client_secret
+    environment:
+      - KEYCLOAK2_CLIENT_ID
+      - KEYCLOAK2_ENABLED
+      - KEYCLOAK2_NAME
+      - KEYCLOAK2_URL
+
+secrets:
+  keycloak2_client_secret:
+    external: true
+    name: ${STACK_NAME}_keycloak2_client_secret_${SECRET_KEYCLOAK2_CLIENT_SECRET_VERSION}

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: "matrixdotorg/synapse:v1.51.0"
+    image: "matrixdotorg/synapse:v1.55.2"
     volumes:
       - "data:/data"
     secrets:
@@ -12,16 +12,20 @@ services:
       - macaroon_secret_key
       - form_secret
     environment:
+      - ENCRYPTED_BY_DEFAULT
       - AUTO_JOIN_ROOM
       - AUTO_JOIN_ROOM_ENABLED
       - DISABLE_FEDERATION
       - DOMAIN
       - ENABLE_3PID_LOOKUP
       - ENABLE_ALLOWLIST
+      - ENABLE_REGISTRATION
       - FEDERATION_ALLOWLIST
       - LETSENCRYPT_HOST=${DOMAIN}
+      - PASSWORD_LOGIN_ENABLED
       - REDACTION_RETENTION_PERIOD
       - ROOT_LOG_LEVEL
+      - SERVE_SERVER_WELLKNOWN
       - SQL_LOG_LEVEL
       - STACK_NAME
       - SYNAPSE_ADMIN_EMAIL
@@ -51,15 +55,17 @@ services:
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=1.1.0+v1.51.0"
+        - "coop-cloud.${STACK_NAME}.version=1.3.0+v1.55.2"
 
   db:
     image: postgres:13-alpine
     secrets:
       - db_password
     environment:
+      - LC_COLLATE=C
+      - LC_CTYPE=C
       - POSTGRES_DB=synapse
-      - POSTGRES_INITDB_ARGS="--encoding=UTF-8 --lc-collate=C --lc-ctype=C"
+      - POSTGRES_INITDB_ARGS="-E \"UTF8\""
       - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
       - POSTGRES_USER=synapse
     networks:
@@ -68,6 +74,12 @@ services:
       test: ["CMD", "pg_isready", "-U", "synapse"]
     volumes:
       - postgres:/var/lib/postgresql/data
+    deploy:
+      labels:
+          backupbot.backup: "true"
+          backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /tmp/backup/backup.sql"
+          backupbot.backup.post-hook: "rm -rf /tmp/backup"
+          backupbot.backup.path: "/tmp/backup/"
 
 volumes:
   data:

homeserver.yaml.tmpl

@@ -85,7 +85,7 @@ public_baseurl: https://{{ env "DOMAIN" }}/
 #
 # Defaults to 'false'.
 #
-#serve_server_wellknown: true
+serve_server_wellknown: {{ env "SERVE_SERVER_WELLKNOWN" }}
 
 # Set the soft limit on the number of file descriptors synapse can use
 # Zero is used to indicate synapse should set the soft limit to the
@@ -1169,7 +1169,7 @@ turn_allow_guests: {{ env "TURN_ALLOW_GUESTS" }}
 
 # Enable registration for new users.
 #
-#enable_registration: false
+enable_registration: {{ env "ENABLE_REGISTRATION" }}
 
 # Time that a user's session remains valid for, after they log in.
 #
@@ -1897,6 +1897,19 @@ oidc_providers:
         display_name_template: "{{ "{{ user.name }}" }}"
   {{ end }}
 
+  {{ if eq (env "KEYCLOAK2_ENABLED") "1" }}
+  - idp_id: keycloak2
+    idp_name: {{ env "KEYCLOAK2_NAME" }}
+    issuer: "{{ env "KEYCLOAK2_URL" }}"
+    client_id: "{{ env "KEYCLOAK2_CLIENT_ID" }}"
+    client_secret: "{{ secret "keycloak2_client_secret" }}"
+    scopes: ["openid", "profile"]
+    user_mapping_provider:
+      config:
+        localpart_template: "{{ "{{ user.preferred_username }}" }}"
+        display_name_template: "{{ "{{ user.name }}" }}"
+  {{ end }}
+
 
 # Enable Central Authentication Service (CAS) for registration and login.
 #
@@ -2035,7 +2048,7 @@ sso:
 password_config:
    # Uncomment to disable password login
    #
-   #enabled: false
+   enabled: {{ env "PASSWORD_LOGIN_ENABLED" }}
 
    # Uncomment to disable authentication against the local password
    # database. This is ignored if `enabled` is false, and is only useful
@@ -2303,7 +2316,7 @@ push:
 # Note that this option will only affect rooms created after it is set. It
 # will also not affect rooms created by other servers.
 #
-#encryption_enabled_by_default_for_room_type: invite
+encryption_enabled_by_default_for_room_type: {{ env "ENCRYPTED_BY_DEFAULT" }}
 
 
 # Uncomment to allow non-server-admin users to create groups on this server

release/1.3.0+v1.55.2

@@ -0,0 +1,6 @@
+The deployment failed due to the app/db getting confused. I think this is just
+due to the recipe not having good healthcheck config. After the app container
+flapped a bit, everything came up nicely. d1 @ autonomic co-op.
+
+Same thing happened to me when deploying this for another instance. Also d1 @
+autonomic co-op.