KI-AGENT: Ergänze Matrix im Selfhost-Stack

.env.example

@@ -64,13 +64,15 @@ FEDEO_BOOTSTRAP_TENANT_SHORT=MEIN
 
 # FEDEO Matrix-Kommunikation
 #
-# Diese Werte werden von docker-compose.yml gelesen, wenn das Profil "matrix"
+# Diese Werte werden von docker-compose.yml und docker-compose.selfhost.yml
-# genutzt wird. Für produktive Systeme müssen alle Geheimnisse ersetzt werden.
+# gelesen, wenn das Profil "matrix" genutzt wird. Für produktive Systeme
+# müssen alle Geheimnisse ersetzt werden.
 
 MATRIX_SERVER_NAME=fedeo.de
 MATRIX_HOMESERVER_HOST=matrix.fedeo.de
 MATRIX_RTC_HOST=call.fedeo.de
 MATRIX_TURN_HOST=turn.fedeo.de
+MATRIX_ELEMENT_HOST=element.fedeo.de
 
 MATRIX_POSTGRES_DB=synapse
 MATRIX_POSTGRES_USER=synapse
@@ -81,6 +83,14 @@ MATRIX_TURN_SHARED_SECRET=change-this-turn-secret
 LIVEKIT_KEY=fedeo-livekit
 LIVEKIT_SECRET=change-this-livekit-secret-please-replace
 
+# Backend-Integration im Selfhost-Stack
+MATRIX_HOMESERVER_URL=http://matrix-synapse:8008
+MATRIX_RTC_JWT_URL=https://call.fedeo.de/livekit/jwt
+MATRIX_LIVEKIT_URL=wss://call.fedeo.de/livekit/sfu
+MATRIX_REGISTRATION_SHARED_SECRET=copy-from-matrix-synapse-homeserver-yaml
+MATRIX_SERVICE_USER_LOCALPART=fedeo_service
+NUXT_PUBLIC_MATRIX_ELEMENT_URL=https://element.fedeo.de
+
 # Lokale Matrix-Entwicklung
 MATRIX_DEV_SYNAPSE_PORT=8008
 MATRIX_DEV_ELEMENT_PORT=8080
@@ -94,10 +104,9 @@ MATRIX_DEV_TURN_PORT=3478
 MATRIX_DEV_TURN_MIN_PORT=49160
 MATRIX_DEV_TURN_MAX_PORT=49200
 
-# Backend-Integration gegen den lokalen Matrix-Stack
+# Lokale Backend-Integration gegen den Matrix-Entwicklungsstack
-MATRIX_HOMESERVER_URL=http://localhost:8008
+# MATRIX_HOMESERVER_URL=http://localhost:8008
-MATRIX_RTC_JWT_URL=http://localhost:8081
+# MATRIX_RTC_JWT_URL=http://localhost:8081
-MATRIX_LIVEKIT_URL=ws://localhost:7880
+# MATRIX_LIVEKIT_URL=ws://localhost:7880
-MATRIX_REGISTRATION_SHARED_SECRET=copy-from-matrix-dev-synapse-homeserver-yaml
+# MATRIX_REGISTRATION_SHARED_SECRET=copy-from-matrix-dev-synapse-homeserver-yaml
-MATRIX_SERVICE_USER_LOCALPART=fedeo_service
+# NUXT_PUBLIC_MATRIX_ELEMENT_URL=http://localhost:8080
-NUXT_PUBLIC_MATRIX_ELEMENT_URL=http://localhost:8080

README.md

@@ -191,14 +191,34 @@ FEDEO_BOOTSTRAP_ADMIN_FIRST_NAME=Admin
 FEDEO_BOOTSTRAP_ADMIN_LAST_NAME=Benutzer
 FEDEO_BOOTSTRAP_TENANT_NAME=Mein Unternehmen
 FEDEO_BOOTSTRAP_TENANT_SHORT=MEIN
+
+MATRIX_SERVER_NAME=example.com
+MATRIX_HOMESERVER_HOST=matrix.example.com
+MATRIX_RTC_HOST=call.example.com
+MATRIX_TURN_HOST=turn.example.com
+MATRIX_ELEMENT_HOST=element.example.com
+MATRIX_POSTGRES_DB=synapse
+MATRIX_POSTGRES_USER=synapse
+MATRIX_POSTGRES_PASSWORD=change-this-matrix-db-password
+MATRIX_TURN_SHARED_SECRET=change-this-turn-secret
+MATRIX_HOMESERVER_URL=http://matrix-synapse:8008
+MATRIX_RTC_JWT_URL=https://call.example.com/livekit/jwt
+MATRIX_LIVEKIT_URL=wss://call.example.com/livekit/sfu
+MATRIX_REGISTRATION_SHARED_SECRET=copy-from-matrix-synapse-homeserver-yaml
+MATRIX_SERVICE_USER_LOCALPART=fedeo_service
+LIVEKIT_KEY=fedeo-livekit
+LIVEKIT_SECRET=change-this-livekit-secret-please-replace
+NUXT_PUBLIC_MATRIX_ELEMENT_URL=https://element.example.com
 ```
 
 Die `FEDEO_BOOTSTRAP_*`-Werte sind für den ersten Start gedacht. Wenn `FEDEO_BOOTSTRAP_ADMIN_EMAIL` und `FEDEO_BOOTSTRAP_ADMIN_PASSWORD` gesetzt sind, legt das Backend idempotent einen Admin-Benutzer, einen ersten Mandanten, eine Administrator-Rolle und grundlegende Stammdaten an. Nach erfolgreichem Erstzugriff solltest du das Bootstrap-Passwort aus der `.env` entfernen oder ändern.
 
-## Docker Compose mit optionaler S3-MinIO-Option
+## Docker Compose mit optionalem S3 und Matrix
 
 Die Selfhost-Konfiguration liegt in `docker-compose.selfhost.yml`. Sie startet MinIO standardmäßig mit. Wenn du stattdessen AWS S3, Hetzner Object Storage, Backblaze B2 S3 oder einen anderen externen S3-Dienst nutzen willst, kannst du die Services `minio` und `createbuckets` entfernen und nur die entsprechenden S3-Umgebungsvariablen auf den externen Anbieter zeigen lassen.
 
+Der Matrix-Stack ist im Selfhost-Compose als optionales Profil `matrix` enthalten. Er umfasst Synapse, eine eigene PostgreSQL-Datenbank für Synapse, Redis, `.well-known/matrix`, coturn, LiveKit, den LiveKit-JWT-Service und Element Web. Vor dem ersten Start musst du `matrix/synapse/homeserver.yaml` erzeugen und `matrix/selfhost/element-config.json` sowie `matrix/well-known/*` auf deine Domains anpassen.
+
 Das Backend führt beim Containerstart standardmäßig `npm run migrate` aus. Setze `FEDEO_RUN_MIGRATIONS=false`, wenn du Migrationen bewusst manuell ausführen möchtest.
 
 ```yaml
@@ -399,6 +419,23 @@ docker compose -f docker-compose.selfhost.yml build
 docker compose -f docker-compose.selfhost.yml up -d
 ```
 
+Mit Matrix-Profil:
+
+```bash
+docker compose -f docker-compose.selfhost.yml --profile matrix up -d
+```
+
+Synapse-Konfiguration vor dem ersten Matrix-Start erzeugen:
+
+```bash
+docker compose -f docker-compose.selfhost.yml --profile matrix run --rm \
+  -e SYNAPSE_SERVER_NAME="${MATRIX_SERVER_NAME}" \
+  -e SYNAPSE_REPORT_STATS=no \
+  matrix-synapse generate
+```
+
+Danach in `matrix/synapse/homeserver.yaml` mindestens Datenbank, Redis, `public_baseurl`, TURN und `registration_shared_secret` setzen. Der Wert von `registration_shared_secret` muss zusätzlich als `MATRIX_REGISTRATION_SHARED_SECRET` in die `.env`, damit FEDEO Matrix-Nutzer provisionieren kann.
+
 Danach Status prufen:
 
 ```bash
@@ -449,6 +486,8 @@ Regelmassig sichern:
 
 - `./postgres`
 - `./minio` falls MinIO lokal genutzt wird
+- `./matrix/postgres` falls Matrix lokal betrieben wird
+- `./matrix/synapse` falls Matrix lokal betrieben wird
 - `./traefik/letsencrypt/acme.json`
 - deine `.env`
 - deine dokumentierten Secret-Werte aus der `.env` oder deinem Secret-Management

docker-compose.selfhost.yml

@@ -130,6 +130,15 @@ services:
       FEDEO_BOOTSTRAP_ADMIN_LAST_NAME: ${FEDEO_BOOTSTRAP_ADMIN_LAST_NAME:-Benutzer}
       FEDEO_BOOTSTRAP_TENANT_NAME: ${FEDEO_BOOTSTRAP_TENANT_NAME:-FEDEO}
       FEDEO_BOOTSTRAP_TENANT_SHORT: ${FEDEO_BOOTSTRAP_TENANT_SHORT:-FEDEO}
+      MATRIX_HOMESERVER_URL: ${MATRIX_HOMESERVER_URL:-http://matrix-synapse:8008}
+      MATRIX_SERVER_NAME: ${MATRIX_SERVER_NAME:-fedeo.de}
+      MATRIX_RTC_HOST: ${MATRIX_RTC_HOST:-call.fedeo.de}
+      MATRIX_RTC_JWT_URL: ${MATRIX_RTC_JWT_URL:-}
+      MATRIX_LIVEKIT_URL: ${MATRIX_LIVEKIT_URL:-}
+      MATRIX_REGISTRATION_SHARED_SECRET: ${MATRIX_REGISTRATION_SHARED_SECRET:-}
+      MATRIX_SERVICE_USER_LOCALPART: ${MATRIX_SERVICE_USER_LOCALPART:-fedeo_service}
+      LIVEKIT_KEY: ${LIVEKIT_KEY:-fedeo-livekit}
+      LIVEKIT_SECRET: ${LIVEKIT_SECRET:-}
     labels:
       - traefik.enable=true
       - traefik.http.routers.fedeo-backend.rule=Host(`${DOMAIN}`) && PathPrefix(`/backend`)
@@ -165,6 +174,199 @@ services:
     networks:
       - web
 
+  matrix-db:
+    image: postgres:16-alpine
+    container_name: fedeo-matrix-db
+    restart: unless-stopped
+    profiles:
+      - matrix
+    environment:
+      POSTGRES_DB: ${MATRIX_POSTGRES_DB:-synapse}
+      POSTGRES_USER: ${MATRIX_POSTGRES_USER:-synapse}
+      POSTGRES_PASSWORD: ${MATRIX_POSTGRES_PASSWORD:-change-this-matrix-db-password}
+      POSTGRES_INITDB_ARGS: --encoding=UTF8 --lc-collate=C --lc-ctype=C
+    volumes:
+      - ./matrix/postgres:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U ${MATRIX_POSTGRES_USER:-synapse} -d ${MATRIX_POSTGRES_DB:-synapse}"]
+      interval: 10s
+      timeout: 5s
+      retries: 10
+    networks:
+      - internal
+
+  matrix-redis:
+    image: redis:7-alpine
+    container_name: fedeo-matrix-redis
+    restart: unless-stopped
+    profiles:
+      - matrix
+    networks:
+      - internal
+
+  matrix-synapse:
+    image: ghcr.io/element-hq/synapse:latest
+    container_name: fedeo-matrix-synapse
+    restart: unless-stopped
+    profiles:
+      - matrix
+    depends_on:
+      matrix-db:
+        condition: service_healthy
+      matrix-redis:
+        condition: service_started
+    environment:
+      SYNAPSE_CONFIG_PATH: /data/homeserver.yaml
+    volumes:
+      - ./matrix/synapse:/data
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.fedeo-matrix.rule=Host(`${MATRIX_HOMESERVER_HOST:-matrix.fedeo.de}`) && PathPrefix(`/_matrix`)
+      - traefik.http.routers.fedeo-matrix.entrypoints=websecure
+      - traefik.http.routers.fedeo-matrix.tls.certresolver=letsencrypt
+      - traefik.http.services.fedeo-matrix.loadbalancer.server.port=8008
+      - traefik.docker.network=fedeo_web
+    networks:
+      - web
+      - internal
+
+  matrix-well-known:
+    image: nginx:1.27-alpine
+    container_name: fedeo-matrix-well-known
+    restart: unless-stopped
+    profiles:
+      - matrix
+    volumes:
+      - ./matrix/well-known:/usr/share/nginx/html/.well-known/matrix:ro
+    labels:
+      - traefik.enable=true
+      - traefik.http.middlewares.fedeo-matrix-well-known-cors.headers.accesscontrolalloworiginlist=*
+      - traefik.http.middlewares.fedeo-matrix-well-known-cors.headers.accesscontrolallowmethods=GET,OPTIONS
+      - traefik.http.middlewares.fedeo-matrix-well-known-cors.headers.accesscontrolallowheaders=Content-Type,Authorization
+      - traefik.http.routers.fedeo-matrix-well-known.rule=Host(`${MATRIX_SERVER_NAME:-fedeo.de}`) && PathPrefix(`/.well-known/matrix`)
+      - traefik.http.routers.fedeo-matrix-well-known.entrypoints=websecure
+      - traefik.http.routers.fedeo-matrix-well-known.tls.certresolver=letsencrypt
+      - traefik.http.routers.fedeo-matrix-well-known.middlewares=fedeo-matrix-well-known-cors
+      - traefik.http.services.fedeo-matrix-well-known.loadbalancer.server.port=80
+      - traefik.docker.network=fedeo_web
+    networks:
+      - web
+
+  matrix-turn:
+    image: instrumentisto/coturn:4
+    container_name: fedeo-matrix-turn
+    restart: unless-stopped
+    profiles:
+      - matrix
+    command:
+      - --fingerprint
+      - --use-auth-secret
+      - --static-auth-secret=${MATRIX_TURN_SHARED_SECRET:-change-this-turn-secret}
+      - --realm=${MATRIX_SERVER_NAME:-fedeo.de}
+      - --listening-port=3478
+      - --tls-listening-port=5349
+      - --min-port=49160
+      - --max-port=49200
+      - --no-cli
+      - --no-tlsv1
+      - --no-tlsv1_1
+    ports:
+      - "3478:3478/tcp"
+      - "3478:3478/udp"
+      - "5349:5349/tcp"
+      - "49160-49200:49160-49200/udp"
+    networks:
+      - internal
+
+  matrix-livekit:
+    image: livekit/livekit-server:v1.9
+    container_name: fedeo-matrix-livekit
+    restart: unless-stopped
+    profiles:
+      - matrix
+    depends_on:
+      - matrix-redis
+    entrypoint: /bin/sh
+    command:
+      - -ec
+      - |
+        cat >/tmp/livekit.yaml <<EOF
+        port: 7880
+        redis:
+          address: matrix-redis:6379
+        rtc:
+          tcp_port: 7881
+          port_range_start: 50000
+          port_range_end: 50100
+          use_external_ip: true
+        keys:
+          ${LIVEKIT_KEY:-fedeo-livekit}: ${LIVEKIT_SECRET:-change-this-livekit-secret-please-replace}
+        room:
+          auto_create: true
+        EOF
+        exec /livekit-server --config /tmp/livekit.yaml
+    ports:
+      - "7881:7881/tcp"
+      - "50000-50100:50000-50100/udp"
+    labels:
+      - traefik.enable=true
+      - traefik.http.middlewares.fedeo-matrix-livekit-strip.stripprefix.prefixes=/livekit/sfu
+      - traefik.http.routers.fedeo-matrix-livekit.rule=Host(`${MATRIX_RTC_HOST:-call.fedeo.de}`) && PathPrefix(`/livekit/sfu`)
+      - traefik.http.routers.fedeo-matrix-livekit.entrypoints=websecure
+      - traefik.http.routers.fedeo-matrix-livekit.tls.certresolver=letsencrypt
+      - traefik.http.routers.fedeo-matrix-livekit.middlewares=fedeo-matrix-livekit-strip
+      - traefik.http.services.fedeo-matrix-livekit.loadbalancer.server.port=7880
+      - traefik.docker.network=fedeo_web
+    networks:
+      - web
+      - internal
+
+  matrix-rtc-jwt:
+    image: ghcr.io/element-hq/lk-jwt-service:latest
+    container_name: fedeo-matrix-rtc-jwt
+    restart: unless-stopped
+    profiles:
+      - matrix
+    depends_on:
+      - matrix-livekit
+      - matrix-synapse
+    environment:
+      LIVEKIT_URL: wss://${MATRIX_RTC_HOST:-call.fedeo.de}/livekit/sfu
+      LIVEKIT_KEY: ${LIVEKIT_KEY:-fedeo-livekit}
+      LIVEKIT_SECRET: ${LIVEKIT_SECRET:-change-this-livekit-secret-please-replace}
+      LIVEKIT_FULL_ACCESS_HOMESERVERS: ${MATRIX_SERVER_NAME:-fedeo.de}
+      LIVEKIT_JWT_BIND: :8080
+    labels:
+      - traefik.enable=true
+      - traefik.http.middlewares.fedeo-matrix-rtc-jwt-strip.stripprefix.prefixes=/livekit/jwt
+      - traefik.http.routers.fedeo-matrix-rtc-jwt.rule=Host(`${MATRIX_RTC_HOST:-call.fedeo.de}`) && PathPrefix(`/livekit/jwt`)
+      - traefik.http.routers.fedeo-matrix-rtc-jwt.entrypoints=websecure
+      - traefik.http.routers.fedeo-matrix-rtc-jwt.tls.certresolver=letsencrypt
+      - traefik.http.routers.fedeo-matrix-rtc-jwt.middlewares=fedeo-matrix-rtc-jwt-strip
+      - traefik.http.services.fedeo-matrix-rtc-jwt.loadbalancer.server.port=8080
+      - traefik.docker.network=fedeo_web
+    networks:
+      - web
+      - internal
+
+  matrix-element:
+    image: vectorim/element-web:latest
+    container_name: fedeo-matrix-element
+    restart: unless-stopped
+    profiles:
+      - matrix
+    volumes:
+      - ./matrix/selfhost/element-config.json:/app/config.json:ro
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.fedeo-matrix-element.rule=Host(`${MATRIX_ELEMENT_HOST:-element.fedeo.de}`)
+      - traefik.http.routers.fedeo-matrix-element.entrypoints=websecure
+      - traefik.http.routers.fedeo-matrix-element.tls.certresolver=letsencrypt
+      - traefik.http.services.fedeo-matrix-element.loadbalancer.server.port=80
+      - traefik.docker.network=fedeo_web
+    networks:
+      - web
+
 networks:
   web:
     name: fedeo_web

matrix/selfhost/element-config.json

@@ -0,0 +1,21 @@
+{
+  "default_server_config": {
+    "m.homeserver": {
+      "base_url": "https://matrix.fedeo.de",
+      "server_name": "fedeo.de"
+    }
+  },
+  "org.matrix.msc4143.rtc_foci": [
+    {
+      "type": "livekit",
+      "livekit_service_url": "https://call.fedeo.de/livekit/jwt"
+    }
+  ],
+  "disable_custom_urls": false,
+  "disable_guests": true,
+  "brand": "FEDEO Matrix",
+  "default_theme": "light",
+  "features": {
+    "feature_video_rooms": true
+  }
+}