From 697abc99fae3b60451e4a4943971f443c0a00b1f Mon Sep 17 00:00:00 2001
From: florianfederspiel <florian@fedeo.de>
Date: Tue, 19 May 2026 19:00:35 +0200
Subject: [PATCH] KI-AGENT: Starte Matrix im Selfhost ohne Profil

---
 .env.example                        |   8 +-
 README.md                           |  21 +---
 docker-compose.selfhost.yml         | 142 +++++++++++++++++++++++-----
 matrix/selfhost/element-config.json |  21 ----
 4 files changed, 127 insertions(+), 65 deletions(-)
 delete mode 100644 matrix/selfhost/element-config.json

diff --git a/.env.example b/.env.example
index 13d3d52..23f4526 100644
--- a/.env.example
+++ b/.env.example
@@ -64,9 +64,9 @@ FEDEO_BOOTSTRAP_TENANT_SHORT=MEIN
 
 # FEDEO Matrix-Kommunikation
 #
-# Diese Werte werden von docker-compose.yml und docker-compose.selfhost.yml
-# gelesen, wenn das Profil "matrix" genutzt wird. Für produktive Systeme
-# müssen alle Geheimnisse ersetzt werden.
+# Diese Werte werden von docker-compose.selfhost.yml für den integrierten
+# Matrix-Stack gelesen. Für produktive Systeme müssen alle Geheimnisse ersetzt
+# werden.
 
 MATRIX_SERVER_NAME=app.example.com
 
@@ -84,7 +84,7 @@ MATRIX_HOMESERVER_URL=http://matrix-synapse:8008
 MATRIX_RTC_HOST=app.example.com
 MATRIX_RTC_JWT_URL=https://app.example.com/livekit/jwt
 MATRIX_LIVEKIT_URL=wss://app.example.com/livekit/sfu
-MATRIX_REGISTRATION_SHARED_SECRET=copy-from-matrix-synapse-homeserver-yaml
+MATRIX_REGISTRATION_SHARED_SECRET=change-this-matrix-registration-secret
 MATRIX_SERVICE_USER_LOCALPART=fedeo_service
 NUXT_PUBLIC_MATRIX_ELEMENT_URL=https://app.example.com/element
 
diff --git a/README.md b/README.md
index 67b6793..133701e 100644
--- a/README.md
+++ b/README.md
@@ -201,7 +201,7 @@ MATRIX_HOMESERVER_URL=http://matrix-synapse:8008
 MATRIX_RTC_HOST=app.example.com
 MATRIX_RTC_JWT_URL=https://app.example.com/livekit/jwt
 MATRIX_LIVEKIT_URL=wss://app.example.com/livekit/sfu
-MATRIX_REGISTRATION_SHARED_SECRET=copy-from-matrix-synapse-homeserver-yaml
+MATRIX_REGISTRATION_SHARED_SECRET=change-this-matrix-registration-secret
 MATRIX_SERVICE_USER_LOCALPART=fedeo_service
 LIVEKIT_KEY=fedeo-livekit
 LIVEKIT_SECRET=change-this-livekit-secret-please-replace
@@ -214,7 +214,7 @@ Die `FEDEO_BOOTSTRAP_*`-Werte sind für den ersten Start gedacht. Wenn `FEDEO_BO
 
 Die Selfhost-Konfiguration liegt in `docker-compose.selfhost.yml`. Sie startet MinIO standardmäßig mit. Wenn du stattdessen AWS S3, Hetzner Object Storage, Backblaze B2 S3 oder einen anderen externen S3-Dienst nutzen willst, kannst du die Services `minio` und `createbuckets` entfernen und nur die entsprechenden S3-Umgebungsvariablen auf den externen Anbieter zeigen lassen.
 
-Der Matrix-Stack ist im Selfhost-Compose als optionales Profil `matrix` enthalten. Er umfasst Synapse, eine eigene PostgreSQL-Datenbank für Synapse, Redis, `.well-known/matrix`, coturn, LiveKit, den LiveKit-JWT-Service und Element Web. Das einfache Selfhost-Setup nutzt nur `DOMAIN`: Synapse läuft unter `https://DOMAIN/_matrix`, Matrix-Well-Known unter `https://DOMAIN/.well-known/matrix`, LiveKit unter `https://DOMAIN/livekit/sfu`, der JWT-Service unter `https://DOMAIN/livekit/jwt` und Element Web unter `https://DOMAIN/element`. Vor dem ersten Start musst du `matrix/synapse/homeserver.yaml` erzeugen und `matrix/selfhost/element-config.json` auf deine Domain anpassen.
+Der Matrix-Stack ist im Selfhost-Compose direkt enthalten. Er umfasst Synapse, eine eigene PostgreSQL-Datenbank für Synapse, Redis, `.well-known/matrix`, coturn, LiveKit, den LiveKit-JWT-Service und Element Web. Das einfache Selfhost-Setup nutzt nur `DOMAIN`: Synapse läuft unter `https://DOMAIN/_matrix`, Matrix-Well-Known unter `https://DOMAIN/.well-known/matrix`, LiveKit unter `https://DOMAIN/livekit/sfu`, der JWT-Service unter `https://DOMAIN/livekit/jwt` und Element Web unter `https://DOMAIN/element`.
 
 Das Backend führt beim Containerstart standardmäßig `npm run migrate` aus. Setze `FEDEO_RUN_MIGRATIONS=false`, wenn du Migrationen bewusst manuell ausführen möchtest.
 
@@ -416,22 +416,7 @@ docker compose -f docker-compose.selfhost.yml build
 docker compose -f docker-compose.selfhost.yml up -d
 ```
 
-Mit Matrix-Profil:
-
-```bash
-docker compose -f docker-compose.selfhost.yml --profile matrix up -d
-```
-
-Synapse-Konfiguration vor dem ersten Matrix-Start erzeugen:
-
-```bash
-docker compose -f docker-compose.selfhost.yml --profile matrix run --rm \
-  -e SYNAPSE_SERVER_NAME="${MATRIX_SERVER_NAME}" \
-  -e SYNAPSE_REPORT_STATS=no \
-  matrix-synapse generate
-```
-
-Danach in `matrix/synapse/homeserver.yaml` mindestens Datenbank, Redis, `public_baseurl`, TURN und `registration_shared_secret` setzen. Der Wert von `registration_shared_secret` muss zusätzlich als `MATRIX_REGISTRATION_SHARED_SECRET` in die `.env`, damit FEDEO Matrix-Nutzer provisionieren kann.
+Synapse erzeugt `matrix/synapse/homeserver.yaml` beim ersten Start automatisch und aktualisiert die für FEDEO relevanten Werte aus der `.env`. `MATRIX_REGISTRATION_SHARED_SECRET` muss in der `.env` gesetzt und geheim bleiben, weil FEDEO damit Matrix-Nutzer provisioniert.
 
 Danach Status prufen:
 
diff --git a/docker-compose.selfhost.yml b/docker-compose.selfhost.yml
index 559be29..8b54e9d 100644
--- a/docker-compose.selfhost.yml
+++ b/docker-compose.selfhost.yml
@@ -135,10 +135,10 @@ services:
       MATRIX_RTC_HOST: ${MATRIX_RTC_HOST:-${DOMAIN}}
       MATRIX_RTC_JWT_URL: ${MATRIX_RTC_JWT_URL:-}
       MATRIX_LIVEKIT_URL: ${MATRIX_LIVEKIT_URL:-}
-      MATRIX_REGISTRATION_SHARED_SECRET: ${MATRIX_REGISTRATION_SHARED_SECRET:-}
+      MATRIX_REGISTRATION_SHARED_SECRET: ${MATRIX_REGISTRATION_SHARED_SECRET:-change-this-matrix-registration-secret}
       MATRIX_SERVICE_USER_LOCALPART: ${MATRIX_SERVICE_USER_LOCALPART:-fedeo_service}
       LIVEKIT_KEY: ${LIVEKIT_KEY:-fedeo-livekit}
-      LIVEKIT_SECRET: ${LIVEKIT_SECRET:-}
+      LIVEKIT_SECRET: ${LIVEKIT_SECRET:-change-this-livekit-secret-please-replace}
     labels:
       - traefik.enable=true
       - traefik.http.routers.fedeo-backend.rule=Host(`${DOMAIN}`) && PathPrefix(`/backend`)
@@ -178,8 +178,6 @@ services:
     image: postgres:16-alpine
     container_name: fedeo-matrix-db
     restart: unless-stopped
-    profiles:
-      - matrix
     environment:
       POSTGRES_DB: ${MATRIX_POSTGRES_DB:-synapse}
       POSTGRES_USER: ${MATRIX_POSTGRES_USER:-synapse}
@@ -199,8 +197,6 @@ services:
     image: redis:7-alpine
     container_name: fedeo-matrix-redis
     restart: unless-stopped
-    profiles:
-      - matrix
     networks:
       - internal
 
@@ -208,15 +204,79 @@ services:
     image: ghcr.io/element-hq/synapse:latest
     container_name: fedeo-matrix-synapse
     restart: unless-stopped
-    profiles:
-      - matrix
     depends_on:
       matrix-db:
         condition: service_healthy
       matrix-redis:
         condition: service_started
     environment:
+      DOMAIN: ${DOMAIN}
+      MATRIX_POSTGRES_DB: ${MATRIX_POSTGRES_DB:-synapse}
+      MATRIX_POSTGRES_USER: ${MATRIX_POSTGRES_USER:-synapse}
+      MATRIX_POSTGRES_PASSWORD: ${MATRIX_POSTGRES_PASSWORD:-change-this-matrix-db-password}
+      MATRIX_REGISTRATION_SHARED_SECRET: ${MATRIX_REGISTRATION_SHARED_SECRET:-change-this-matrix-registration-secret}
+      MATRIX_SERVER_NAME: ${MATRIX_SERVER_NAME:-${DOMAIN}}
+      MATRIX_TURN_SHARED_SECRET: ${MATRIX_TURN_SHARED_SECRET:-change-this-turn-secret}
       SYNAPSE_CONFIG_PATH: /data/homeserver.yaml
+      SYNAPSE_REPORT_STATS: "no"
+      SYNAPSE_SERVER_NAME: ${MATRIX_SERVER_NAME:-${DOMAIN}}
+    entrypoint: /bin/sh
+    command:
+      - -ec
+      - |
+        if [ ! -f /data/homeserver.yaml ]; then
+          /start.py generate
+        fi
+        python - <<'PY'
+        import os
+        import yaml
+
+        path = "/data/homeserver.yaml"
+        with open(path, "r", encoding="utf-8") as handle:
+            config = yaml.safe_load(handle) or {}
+
+        domain = os.environ["DOMAIN"]
+        server_name = os.environ.get("MATRIX_SERVER_NAME") or domain
+        config["server_name"] = server_name
+        config["public_baseurl"] = f"https://{domain}/"
+        config["database"] = {
+            "name": "psycopg2",
+            "args": {
+                "user": os.environ.get("MATRIX_POSTGRES_USER", "synapse"),
+                "password": os.environ["MATRIX_POSTGRES_PASSWORD"],
+                "database": os.environ.get("MATRIX_POSTGRES_DB", "synapse"),
+                "host": "matrix-db",
+                "cp_min": 5,
+                "cp_max": 10,
+            },
+        }
+        config["redis"] = {"enabled": True, "host": "matrix-redis"}
+        config["registration_shared_secret"] = os.environ["MATRIX_REGISTRATION_SHARED_SECRET"]
+        config["turn_uris"] = [
+            f"turn:{domain}:3478?transport=udp",
+            f"turn:{domain}:3478?transport=tcp",
+        ]
+        config["turn_shared_secret"] = os.environ["MATRIX_TURN_SHARED_SECRET"]
+        config["turn_user_lifetime"] = "1h"
+        config["enable_registration"] = False
+        config["experimental_features"] = {
+            **(config.get("experimental_features") or {}),
+            "msc3266_enabled": True,
+            "msc4222_enabled": True,
+        }
+        config["login_via_existing_session"] = {
+            "enabled": True,
+            "require_ui_auth": False,
+            "token_timeout": "5m",
+        }
+        config["max_event_delay_duration"] = "24h"
+        config["rc_message"] = {"per_second": 0.5, "burst_count": 30}
+        config["rc_delayed_event_mgmt"] = {"per_second": 1, "burst_count": 20}
+
+        with open(path, "w", encoding="utf-8") as handle:
+            yaml.safe_dump(config, handle, sort_keys=False)
+        PY
+        exec /start.py
     volumes:
       - ./matrix/synapse:/data
     labels:
@@ -234,10 +294,30 @@ services:
     image: nginx:1.27-alpine
     container_name: fedeo-matrix-well-known
     restart: unless-stopped
-    profiles:
-      - matrix
-    volumes:
-      - ./matrix/well-known:/usr/share/nginx/html/.well-known/matrix:ro
+    command:
+      - /bin/sh
+      - -ec
+      - |
+        mkdir -p /usr/share/nginx/html/.well-known/matrix
+        cat >/usr/share/nginx/html/.well-known/matrix/client <<EOF
+        {
+          "m.homeserver": {
+            "base_url": "https://${DOMAIN}"
+          },
+          "org.matrix.msc4143.rtc_foci": [
+            {
+              "type": "livekit",
+              "livekit_service_url": "https://${DOMAIN}/livekit/jwt"
+            }
+          ]
+        }
+        EOF
+        cat >/usr/share/nginx/html/.well-known/matrix/server <<EOF
+        {
+          "m.server": "${MATRIX_SERVER_NAME:-${DOMAIN}}:443"
+        }
+        EOF
+        exec nginx -g 'daemon off;'
     labels:
       - traefik.enable=true
       - traefik.http.middlewares.fedeo-matrix-well-known-cors.headers.accesscontrolalloworiginlist=*
@@ -256,8 +336,6 @@ services:
     image: instrumentisto/coturn:4
     container_name: fedeo-matrix-turn
     restart: unless-stopped
-    profiles:
-      - matrix
     command:
       - --fingerprint
       - --use-auth-secret
@@ -282,8 +360,6 @@ services:
     image: livekit/livekit-server:v1.9
     container_name: fedeo-matrix-livekit
     restart: unless-stopped
-    profiles:
-      - matrix
     depends_on:
       - matrix-redis
     entrypoint: /bin/sh
@@ -325,8 +401,6 @@ services:
     image: ghcr.io/element-hq/lk-jwt-service:latest
     container_name: fedeo-matrix-rtc-jwt
     restart: unless-stopped
-    profiles:
-      - matrix
     depends_on:
       - matrix-livekit
       - matrix-synapse
@@ -353,10 +427,34 @@ services:
     image: vectorim/element-web:latest
     container_name: fedeo-matrix-element
     restart: unless-stopped
-    profiles:
-      - matrix
-    volumes:
-      - ./matrix/selfhost/element-config.json:/app/config.json:ro
+    entrypoint: /bin/sh
+    command:
+      - -ec
+      - |
+        cat >/app/config.json <<EOF
+        {
+          "default_server_config": {
+            "m.homeserver": {
+              "base_url": "https://${DOMAIN}",
+              "server_name": "${MATRIX_SERVER_NAME:-${DOMAIN}}"
+            }
+          },
+          "org.matrix.msc4143.rtc_foci": [
+            {
+              "type": "livekit",
+              "livekit_service_url": "https://${DOMAIN}/livekit/jwt"
+            }
+          ],
+          "disable_custom_urls": false,
+          "disable_guests": true,
+          "brand": "FEDEO Matrix",
+          "default_theme": "light",
+          "features": {
+            "feature_video_rooms": true
+          }
+        }
+        EOF
+        exec nginx -g 'daemon off;'
     labels:
       - traefik.enable=true
       - traefik.http.routers.fedeo-matrix-element.rule=Host(`${DOMAIN}`) && PathPrefix(`/element`)
diff --git a/matrix/selfhost/element-config.json b/matrix/selfhost/element-config.json
deleted file mode 100644
index d3ac100..0000000
--- a/matrix/selfhost/element-config.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
-  "default_server_config": {
-    "m.homeserver": {
-      "base_url": "https://app.example.com",
-      "server_name": "app.example.com"
-    }
-  },
-  "org.matrix.msc4143.rtc_foci": [
-    {
-      "type": "livekit",
-      "livekit_service_url": "https://app.example.com/livekit/jwt"
-    }
-  ],
-  "disable_custom_urls": false,
-  "disable_guests": true,
-  "brand": "FEDEO Matrix",
-  "default_theme": "light",
-  "features": {
-    "feature_video_rooms": true
-  }
-}