make syn+mas+EW work

2026-01-25 14:31:09 +03:00 · 2024-11-05 00:13:02 +00:00
parent ce7b94a1ac
commit 2be8d772b4
5 changed files with 111 additions and 12 deletions
--- a/data-template/mas/config.yaml
+++ b/data-template/mas/config.yaml
@@ -28,7 +28,7 @@ http:
  - fd00::/8
  - ::1/128
  public_base: https://${MAS_FQDN}/
-  issuer: https://${MAS_FQDN}/
+  issuer: https://${DOMAIN}/
 database:
  host: postgres
  database: mas
@@ -54,9 +54,9 @@ passwords:
    algorithm: argon2id
  minimum_complexity: 3
 matrix:
-  homeserver: localhost:8008
+  homeserver: ${DOMAIN}
  secret: '${SECRETS_MAS_MATRIX_SECRET}'
-  endpoint: http://localhost:8008/
+  endpoint: http://synapse:8008/

 # please keep config above this point as close as possible to the original generated config
 # so that upstream generated config changes can be detected
--- a/data-template/nginx/conf.d/app.conf
+++ b/data-template/nginx/conf.d/app.conf
@@ -13,11 +13,40 @@ server {
    #    root /var/www/certbot;
    # }

+    location /.well-known/matrix/ {
+        root /var/www;
+    }
+
+    # XXX: is this right? or should auth.$DOMAIN be the issuer?
+    location /.well-known/openid-configuration {
+        proxy_pass http://mas:8080;
+        proxy_http_version 1.1;
+        proxy_set_header X-Forwarded-For ${DOLLAR}remote_addr;
+    }
+
    location / {
        return 301 https://${DOLLAR}host${DOLLAR}request_uri;
    }
 }

+server {
+    server_name ${DOMAIN};
+    server_tokens off;
+
+    include /etc/nginx/conf.d/include/ssl.conf;
+
+    location /.well-known/matrix/ {
+        root /var/www;
+    }
+
+    # XXX: is this right? or should auth.$DOMAIN be the issuer?
+    location /.well-known/openid-configuration {
+        proxy_pass http://mas:8080;
+        proxy_http_version 1.1;
+        proxy_set_header X-Forwarded-For ${DOLLAR}remote_addr;
+    }
+}
+
 server {
    server_name ${ELEMENT_WEB_FQDN};
    server_tokens off;
@@ -26,6 +55,7 @@ server {

    location / {
        proxy_pass http://element-web;
+        proxy_set_header X-Forwarded-For ${DOLLAR}remote_addr;
    }
 }

@@ -37,6 +67,7 @@ server {

    location / {
        proxy_pass http://element-call;
+        proxy_set_header X-Forwarded-For ${DOLLAR}remote_addr;
    }
 }

@@ -48,6 +79,8 @@ server {

    location / {
        proxy_pass http://mas:8080;
+        proxy_http_version 1.1;
+        proxy_set_header X-Forwarded-For ${DOLLAR}remote_addr;
    }
 }

@@ -62,14 +95,33 @@ server {
    listen [::]:8448 ssl default_server;

    # pass auth to MAS
-    location ~ ^/_matrix/client/(.*)/(login|logout|refresh)             { proxy_pass http://mas:8080; }
+    location ~ ^/_matrix/client/(.*)/(login|logout|refresh) {
+        proxy_pass http://mas:8080;
+        proxy_set_header X-Forwarded-For ${DOLLAR}remote_addr;
+    }

    # use the generic worker as a synchrotron:
    # taken from https://element-hq.github.io/synapse/latest/workers.html#synapseappgeneric_worker
-    location ~ ^/_matrix/client/(r0|v3)/sync${DOLLAR}                           { proxy_pass http://synapse-generic-worker-1:8081; }
-    location ~ ^/_matrix/client/(api/v1|r0|v3)/events${DOLLAR}                  { proxy_pass http://synapse-generic-worker-1:8081; }
-    location ~ ^/_matrix/client/(api/v1|r0|v3)/initialSync${DOLLAR}             { proxy_pass http://synapse-generic-worker-1:8081; }
-    location ~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync${DOLLAR} { proxy_pass http://synapse-generic-worker-1:8081; }
+
+    location ~ ^/_matrix/client/(r0|v3)/sync${DOLLAR} {
+        proxy_pass http://synapse-generic-worker-1:8081;
+        proxy_set_header X-Forwarded-For ${DOLLAR}remote_addr;
+    }
+
+    location ~ ^/_matrix/client/(api/v1|r0|v3)/events${DOLLAR} {
+        proxy_pass http://synapse-generic-worker-1:8081;
+        proxy_set_header X-Forwarded-For ${DOLLAR}remote_addr;
+    }
+
+    location ~ ^/_matrix/client/(api/v1|r0|v3)/initialSync${DOLLAR} {
+        proxy_pass http://synapse-generic-worker-1:8081;
+        proxy_set_header X-Forwarded-For ${DOLLAR}remote_addr;
+    }
+
+    location ~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync${DOLLAR} {
+        proxy_pass http://synapse-generic-worker-1:8081;
+        proxy_set_header X-Forwarded-For ${DOLLAR}remote_addr;
+    }

    location / {
        proxy_pass http://synapse:8008;
--- a/data-template/nginx/www/.well-known/matrix/client
+++ b/data-template/nginx/www/.well-known/matrix/client
@@ -5,6 +5,10 @@
    "m.identity_server": {
        "base_url": "${IDENTITY_SERVER_URL}"
    },
+    "org.matrix.msc2965.authentication": {
+        "issuer": "https://${DOMAIN}/",
+        "account": "https://${MAS_FQDN}/account"
+    },
    "org.matrix.msc4143.rtc_foci": [
        {
            "type": "livekit",