add matrix authentication service incl migration #57 #58

Open
simon wants to merge 8 commits from add-matrix-authentication-service into main
Owner

Hey, I finished the matrix authentication service integration.

I tested it on our dev instance, including the migration from providing users via authentik OIDC to the setup of authentik -> mas -> synapse.
Haven't yet tested it in combination with bridges, though!

Migration helper script and docs are provided :)

I ran into various issues:

  • abra app cp couldn't copy the rendered homeserver.yaml configmap from synapse to mas, so I had to use cat and pipe the output
  • secret generation: mas needs an RSA private key which abra can't generate: SECRET_MAS_SIGNING_RSA_VERSION
  • mas image is rootless, makes many things a lot harder again, plus you need to init the database manually
  • syn2mas-migrator is stricter on homeserver.yaml parsing than synapse, so I needed to wrap the boolean configs set via .env
  • Migration needs mas running and synapse stopped. Scaling down replicas via docker worked like a charm:
    • Downtime — stop Synapse: run on the host with Docker/Swarm access (not inside a container), e.g.: docker service scale <STACK_NAME>_app=0
    • maybe an abra app stop command to stop single apps utilizing this would be nice for those cases?
    • that way the actual migration step could be automated more, too

the diff for the homeserver.yaml looks very big here, in my IDE it showed only the affected lines where I wrapped the booleans

QR code login is a whole different topic. more on that in the issue.

I did work with Cursor IDE on this, but double-checked basically everything

simon added 8 commits 2026-04-09 09:56:44 +00:00