fix: don't break when logging in with keycloak

2023-10-23 20:16:37 +02:00
22 changed files with 62 additions and 105 deletions
--- a/.env.sample
+++ b/.env.sample
@ -73,13 +73,6 @@ RETENTION_MAX_LIFETIME=4w
 #MEDIA_RETENTION_LOCAL_LIFETIME=30d
 #MEDIA_RETENTION_REMOTE_LIFETIME=14d

-## Ratelimit
-
-#LOGIN_LIMIT_IP_PER_SECOND=5
-#LOGIN_LIMIT_IP_BURST=15
-#LOGIN_LIMIT_ACCOUNT_PER_SECOND=1
-#LOGIN_LIMIT_ACCOUNT_BURST=10
-
 ## Keycloak SSO

 #COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak.yml"
@ -132,12 +125,12 @@ RETENTION_MAX_LIFETIME=4w
 #APP_SERVICE_BOT_USERNAME=telegrambot
 #APP_SERVICE_DISPLAY_NAME="Telegram bridge bot"
 #APP_SERVICE_ID=
-#HOMESERVER_DOMAIN=$DOMAIN
-#HOMESERVER_URL=https://$DOMAIN
+#HOMESERVER_DOMAIN=
+#HOMESERVER_URL=
 #VERIFY_SSL=false
 #ENABLE_ENCRYPTION=true
 #TELEGRAM_APP_ID=
-#TELEGRAM_BRIDGE_PERMISSIONS="{ \"*\": \"relaybot\", \"@foo:matrix.example.com\": \"admin\" }"
+#TELEGRAM_BRIDGE_PERMISSIONS="{ \"*\": \"relaybot\" }"
 #TELEGRAM_SYNC_CHANNEL_MEMBERS=true
 #SECRET_TELEGRAM_DB_PASSWORD_VERSION=v1
 #SECRET_TELEGRAM_API_HASH_VERSION=v1
@ -167,6 +160,3 @@ RETENTION_MAX_LIFETIME=4w
 #COMPOSE_FILE="$COMPOSE_FILE:compose.shared_secret_auth.yml"
 #SHARED_SECRET_AUTH_ENABLED=1
 #SECRET_SHARED_SECRET_AUTH_VERSION=v1 # length=128
-
-## Web Client (Redirect)
-#WEB_CLIENT_LOCATION=https://element-web.example.com
--- a/README.md
+++ b/README.md
@ -24,10 +24,6 @@

 ## Tips & Tricks

-### Create User
-
-`register_new_matrix_user -u <username> -k $(cat /var/run/secrets/registration) -p <password>`
-
 ### Set Admin User

 `abra app cmd YOURAPPDOMAIN db set_admin <adminuser>`
@ -51,7 +47,7 @@ You'll need to deploy something like [this](https://git.autonomic.zone/ruangrupa

 Setting it up is a bit of a chicken/egg & chasing cats moment.

-You need to get your bot setup on the telegram side first by creating a [telegram app](https://my.telegram.org/apps) and a [telegram bot](https://docs.mau.fi/bridges/python/telegram/relay-bot.html#setup) and have these values:
+You need to get your bot setup on the telegram side first and have these values:

 ```
 api_id: ...
@ -59,12 +55,7 @@ api_hash: ...
 telegram_bot_token: ...
 ```

-Also: 
- Make sure to uncomment `APP_SERVICES_ENABLED`
- include the registration in synapse: `APP_SERVICE_CONFIGS="[\"/telegram-data/registration.yaml\"]"`
- and set yourself as admin under `TELEGRAM_BRIDGE_PERMISSIONS`
-
-A rough guide for the following steps:
+Here is a rough guide:

 ```
 abra app secret insert <domain> telegram_api_hash v1 <secret>
--- a/abra.sh
+++ b/abra.sh
@ -1,11 +1,11 @@
 export DISCORD_BRIDGE_YAML_VERSION=v2
-export ENTRYPOINT_CONF_VERSION=v2
-export HOMESERVER_YAML_VERSION=v29
+export ENTRYPOINT_CONF_VERSION=v1
+export HOMESERVER_YAML_VERSION=v26
 export LOG_CONFIG_VERSION=v2
 export SHARED_SECRET_AUTH_VERSION=v1
 export SIGNAL_BRIDGE_YAML_VERSION=v4
 export TELEGRAM_BRIDGE_YAML_VERSION=v6
-export NGINX_CONFIG_VERSION=v7
+export NGINX_CONFIG_VERSION=v5
 export WK_SERVER_VERSION=v1
 export WK_CLIENT_VERSION=v1

--- a/alaconnect.yml
+++ b/alaconnect.yml
@ -1,15 +0,0 @@
-authentik:
-    env:
-        KEYCLOAK_ID: authentik
-        KEYCLOAK_NAME: sso
-        KEYCLOAK_URL: https://authentik.example.com/application/o/matrix/
-        KEYCLOAK_CLIENT_DOMAIN: https://element-web.example.com
-        KEYCLOAK_ALLOW_EXISTING_USERS: "true"
-        KEYCLOAK_CLIENT_ID: matrix
-    uncomment:
-        - compose.keycloak.yml
-        - KEYCLOAK_ENABLED
-        - KEYCLOAK_CLIENT_ID
-        - SECRET_KEYCLOAK_CLIENT_SECRET_VERSION
-    shared_secrets:
-        matrix_secret: keycloak_client_secret
--- a/compose.discord.yml
+++ b/compose.discord.yml
@ -2,7 +2,7 @@
 version: "3.8"

 services:
-  app:
+  synapse:
    environment:
      - APP_SERVICES_ENABLED
      - APP_SERVICE_CONFIGS
--- a/compose.keycloak.yml
+++ b/compose.keycloak.yml
@ -2,7 +2,7 @@
 version: "3.8"

 services:
-  app:
+  synapse:
    secrets:
      - db_password
      - form_secret
--- a/compose.keycloak2.yml
+++ b/compose.keycloak2.yml
@ -2,7 +2,7 @@
 version: "3.8"

 services:
-  app:
+  synapse:
    secrets:
      - keycloak2_client_secret
    environment:
--- a/compose.keycloak3.yml
+++ b/compose.keycloak3.yml
@ -2,7 +2,7 @@
 version: "3.8"

 services:
-  app:
+  synapse:
    secrets:
      - keycloak3_client_secret
    environment:
--- a/compose.shared_secret_auth.yml
+++ b/compose.shared_secret_auth.yml
@ -2,7 +2,7 @@
 version: "3.8"

 services:
-  app:
+  synapse:
    environment:
      - SHARED_SECRET_AUTH_ENABLED
    secrets:
--- a/compose.signal.yml
+++ b/compose.signal.yml
@ -2,7 +2,7 @@
 version: "3.8"

 services:
-  app:
+  synapse:
    environment:
      - APP_SERVICES_ENABLED
      - APP_SERVICE_CONFIGS
--- a/compose.smtp.yml
+++ b/compose.smtp.yml
@ -2,7 +2,7 @@
 version: "3.8"

 services:
-  app:
+  synapse:
    secrets:
      - db_password
      - form_secret
--- a/compose.telegram.yml
+++ b/compose.telegram.yml
@ -2,7 +2,7 @@
 version: "3.8"

 services:
-  app:
+  synapse:
    environment:
      - APP_SERVICES_ENABLED
      - APP_SERVICE_CONFIGS
@ -10,7 +10,7 @@ services:
      - telegram-data:/telegram-data

  telegrambridge:
-    image: dock.mau.dev/mautrix/telegram:v0.15.1
+    image: dock.mau.dev/mautrix/telegram:v0.14.2
    depends_on:
      - telegramdb
    configs:
--- a/compose.turn.yml
+++ b/compose.turn.yml
@ -2,7 +2,7 @@
 version: "3.8"

 services:
-  app:
+  synapse:
    secrets:
      - db_password
      - form_secret
--- a/compose.yml
+++ b/compose.yml
@ -2,13 +2,12 @@
 version: "3.8"

 services:
-  web:
-    image: nginx:1.27.1
+  app:
+    image: nginx:1.23.3
    networks:
      - proxy
      - internal
    environment:
-      - DOMAIN
      - STACK_NAME
      - NGINX_ACCESS_LOG_LOCATION
      - NGINX_ERROR_LOG_LOCATION
@ -28,14 +27,16 @@ services:
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
+        - "coop-cloud.${STACK_NAME}.version=5.0.0+v1.93.0"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
    healthcheck:
-      test: curl -f http://${STACK_NAME}_app:8008/health || exit 1
+      test: curl -f http://synapse:8008/health || exit 1
      interval: 5s
      timeout: 3s
      retries: 20

-  app:
-    image: "matrixdotorg/synapse:v1.111.1"
+  synapse:
+    image: "matrixdotorg/synapse:v1.93.0"
    volumes:
      - "data:/data"
    secrets:
@ -71,11 +72,6 @@ services:
      - USER_IPS_MAX_AGE
      - VIRTUAL_HOST=${DOMAIN}
      - VIRTUAL_PORT=8008
-      - LOGIN_LIMIT_IP_PER_SECOND=${LOGIN_LIMIT_IP_PER_SECOND:-0.003}
-      - LOGIN_LIMIT_IP_BURST=${LOGIN_LIMIT_IP_BURST:-5}
-      - LOGIN_LIMIT_ACCOUNT_PER_SECOND=${LOGIN_LIMIT_ACCOUNT_PER_SECOND:-0.003}
-      - LOGIN_LIMIT_ACCOUNT_BURST=${LOGIN_LIMIT_ACCOUNT_BURST:-5}
-      - WEB_CLIENT_LOCATION
    networks:
      - internal
    entrypoint: /docker-entrypoint.sh
@ -87,12 +83,6 @@ services:
      - source: entrypoint_conf
        target: /docker-entrypoint.sh
        mode: 0555
-    deploy:
-      restart_policy:
-        condition: on-failure
-      labels:
-        - "coop-cloud.${STACK_NAME}.version=6.1.3+v1.111.1"
-        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8008/health"]
      interval: 30s
@ -125,9 +115,9 @@ services:
    deploy:
      labels:
          backupbot.backup: "true"
-          backupbot.backup.pre-hook: "PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
-          backupbot.backup.post-hook: "rm -r /var/lib/postgresql/data/backup.sql"
-          backupbot.backup.path: "/var/lib/postgresql/data"
+          backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /tmp/backup/backup.sql"
+          backupbot.backup.post-hook: "rm -rf /tmp/backup"
+          backupbot.backup.path: "/tmp/backup/"

 volumes:
  data:
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@ -6,7 +6,6 @@ chown 991:991 /data

 if [[ ! -f /data/{{ env "DOMAIN" }}.signing.key ]]; then
    /start.py generate
-    chown -R 991:991 /data/*.config /data/*.key
 fi

 /start.py
--- a/homeserver.yaml.tmpl
+++ b/homeserver.yaml.tmpl
@ -23,7 +23,7 @@ serve_server_wellknown: {{ env "SERVE_SERVER_WELLKNOWN" }}
 allow_public_rooms_without_auth: false

 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#allow_public_rooms_over_federation
-allow_public_rooms_over_federation: {{ or (env "ALLOW_PUBLIC_ROOMS_FEDERATION") "true" }}
+allow_public_rooms_over_federation: {{ env "ALLOW_PUBLIC_ROOMS_FEDERATION" }}

 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#listeners
 listeners:
@ -267,15 +267,3 @@ forget_rooms_on_leave: true
 # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#opentracing-1
 opentracing:
  enabled: false
-
-# https://matrix-org.github.io/synapse/develop/usage/configuration/config_documentation.html#ratelimiting
-rc_login:
-  address:
-    per_second: {{ env "LOGIN_LIMIT_IP_PER_SECOND" }}
-    burst_count: {{ env "LOGIN_LIMIT_IP_BURST" }}
-  account:
-    per_second: {{ env "LOGIN_LIMIT_ACCOUNT_PER_SECOND" }}
-    burst_count: {{ env "LOGIN_LIMIT_ACCOUNT_BURST" }}
-
-# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#web_client_location
-web_client_location: {{ env "WEB_CLIENT_LOCATION" }}
--- a/nginx.conf.tmpl
+++ b/nginx.conf.tmpl
@ -8,22 +8,13 @@ http {
  server {
    listen 80;

-    access_log {{ or (env "NGINX_ACCESS_LOG_LOCATION") "/dev/null" }};
-    error_log {{ or (env "NGINX_ERROR_LOG_LOCATION") "/dev/null" }};
+    access_log {{ env "NGINX_ACCESS_LOG_LOCATION" }};
+    error_log {{ env "NGINX_ERROR_LOG_LOCATION" }};

    server_name {{ env "DOMAIN" }};

-    location = / {
-      proxy_pass http://{{ env "STACK_NAME"}}_app:8008;
-      proxy_set_header X-Forwarded-For $remote_addr;
-      proxy_set_header X-Forwarded-Proto https;
-      proxy_set_header Host $host;
-      client_max_body_size 50M;
-      proxy_http_version 1.1;
-    }
-    
    location ~* ^(\/_matrix|\/_synapse\/client) {
-      proxy_pass http://{{ env "STACK_NAME"}}_app:8008;
+      proxy_pass http://{{ env "STACK_NAME"}}_synapse:8008;
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_set_header X-Forwarded-Proto https;
      proxy_set_header Host $host;
--- a/release/4.0.0+v1.93.0
+++ b/release/4.0.0+v1.93.0
@ -5,6 +5,4 @@ Copy the secrets:
 * `registration_shared_secret` to `registration`
 * `macaroon_secret_key` to `macaroon`

-The easiest way to do this is to run `abra app run <matrix.example.com> app bash` BEFORE this upgrade, then `cat /run/secrets/registration_shared_secret`.  If you haven't saved the secrets yet, and would like to, please Ctrl+C out of this upgrade and do that first.
-
 Regeneration of these secrets should also work.
--- a/release/5.0.0+v1.93.0
+++ b/release/5.0.0+v1.93.0
@ -1 +1,17 @@
-It's recommended not to upgrade / downgrade directly to this version (or other 5.y.z versions), because of service renaming which was reverted in 6.0.0+v1.100.0.
+An Nginx proxy has been configured as the entrypoint for Synapse. This is not
+optional. This is done to counteract IP collection in Synapse itself. See more:
+
+!!! You MUST undeploy your Synapse install before upgrading to this version !!!
+
+This is because there have been a service rename in the recipe configuration:
+
+* `app` -> `synapse`
+
+This could break stuff in the recipe, so please report issues if you run into
+anything!
+
+    https://git.coopcloud.tech/coop-cloud/matrix-synapse/issues/38
+
+Thanks!
+
+-- d1
--- a/release/5.0.1+v1.93.0
+++ b/release/5.0.1+v1.93.0
@ -1,6 +1,8 @@
-Logging is now disabled by default. If you want to reënable it, set these options:
+take care when upgrading! You need to add two variables to your .env file:
+use the following if you don't want any access logs (including users' IP addresses):
+NGINX_ACCESS_LOG_LOCATION="/dev/null"
+NGINX_ERROR_LOG_LOCATION="/dev/null"

-```
+use the following if you want logs:
 NGINX_ACCESS_LOG_LOCATION="/dev/stdout"
 NGINX_ERROR_LOG_LOCATION="/dev/stderr"
-```
--- a/release/6.0.0+v1.100.0
+++ b/release/6.0.0+v1.100.0
@ -1 +0,0 @@
-If you are upgrading from verison 5.y.z of this recipe, you will need to `undeploy` then `deploy`, because of a service rename which was reverted.
--- a/release/next
+++ b/release/next
@ -0,0 +1,8 @@
+We had to rename some secrets: https://git.coopcloud.tech/coop-cloud/matrix-synapse/issues/35
+
+Copy the secrets:
+
+* `registration_shared_secret` to `registration`
+* `macaroon_secret_key` to `macaroon`
+
+Regeneration of these secrets should also work.
				`@ -1 +0,0 @@`
				If you are upgrading from verison 5.y.z of this recipe, you will need to `undeploy` then `deploy`, because of a service rename which was reverted.