flfeders/FEDEO
2
1
Fork 0
Code Issues 95 Pull Requests Actions Packages Projects 22 Releases Wiki Activity

KI-AGENT: Starte Matrix im Selfhost ohne Profil

Browse Source
This commit is contained in:
florianfederspiel
2026-05-19 19:00:35 +02:00
parent bace26c084
commit 697abc99fa
4 changed files with 127 additions and 65 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
.env.example
View File

@@ -64,9 +64,9 @@ FEDEO_BOOTSTRAP_TENANT_SHORT=MEIN
# FEDEO Matrix-Kommunikation # FEDEO Matrix-Kommunikation
# #
# Diese Werte werden von docker-compose.yml und docker-compose.selfhost.yml # Diese Werte werden von docker-compose.selfhost.yml für den integrierten
# gelesen, wenn das Profil "matrix" genutzt wird. Für produktive Systeme # Matrix-Stack gelesen. Für produktive Systeme müssen alle Geheimnisse ersetzt
# müssen alle Geheimnisse ersetzt werden. # werden.
MATRIX_SERVER_NAME=app.example.com MATRIX_SERVER_NAME=app.example.com
@@ -84,7 +84,7 @@ MATRIX_HOMESERVER_URL=http://matrix-synapse:8008
MATRIX_RTC_HOST=app.example.com MATRIX_RTC_HOST=app.example.com
MATRIX_RTC_JWT_URL=https://app.example.com/livekit/jwt MATRIX_RTC_JWT_URL=https://app.example.com/livekit/jwt
MATRIX_LIVEKIT_URL=wss://app.example.com/livekit/sfu MATRIX_LIVEKIT_URL=wss://app.example.com/livekit/sfu
MATRIX_REGISTRATION_SHARED_SECRET=copy-from-matrix-synapse-homeserver-yaml MATRIX_REGISTRATION_SHARED_SECRET=change-this-matrix-registration-secret
MATRIX_SERVICE_USER_LOCALPART=fedeo_service MATRIX_SERVICE_USER_LOCALPART=fedeo_service
NUXT_PUBLIC_MATRIX_ELEMENT_URL=https://app.example.com/element NUXT_PUBLIC_MATRIX_ELEMENT_URL=https://app.example.com/element

21
README.md
View File

@@ -201,7 +201,7 @@ MATRIX_HOMESERVER_URL=http://matrix-synapse:8008
MATRIX_RTC_HOST=app.example.com MATRIX_RTC_HOST=app.example.com
MATRIX_RTC_JWT_URL=https://app.example.com/livekit/jwt MATRIX_RTC_JWT_URL=https://app.example.com/livekit/jwt
MATRIX_LIVEKIT_URL=wss://app.example.com/livekit/sfu MATRIX_LIVEKIT_URL=wss://app.example.com/livekit/sfu
MATRIX_REGISTRATION_SHARED_SECRET=copy-from-matrix-synapse-homeserver-yaml MATRIX_REGISTRATION_SHARED_SECRET=change-this-matrix-registration-secret
MATRIX_SERVICE_USER_LOCALPART=fedeo_service MATRIX_SERVICE_USER_LOCALPART=fedeo_service
LIVEKIT_KEY=fedeo-livekit LIVEKIT_KEY=fedeo-livekit
LIVEKIT_SECRET=change-this-livekit-secret-please-replace LIVEKIT_SECRET=change-this-livekit-secret-please-replace
@@ -214,7 +214,7 @@ Die `FEDEO_BOOTSTRAP_*`-Werte sind für den ersten Start gedacht. Wenn `FEDEO_BO
Die Selfhost-Konfiguration liegt in `docker-compose.selfhost.yml`. Sie startet MinIO standardmäßig mit. Wenn du stattdessen AWS S3, Hetzner Object Storage, Backblaze B2 S3 oder einen anderen externen S3-Dienst nutzen willst, kannst du die Services `minio` und `createbuckets` entfernen und nur die entsprechenden S3-Umgebungsvariablen auf den externen Anbieter zeigen lassen. Die Selfhost-Konfiguration liegt in `docker-compose.selfhost.yml`. Sie startet MinIO standardmäßig mit. Wenn du stattdessen AWS S3, Hetzner Object Storage, Backblaze B2 S3 oder einen anderen externen S3-Dienst nutzen willst, kannst du die Services `minio` und `createbuckets` entfernen und nur die entsprechenden S3-Umgebungsvariablen auf den externen Anbieter zeigen lassen.
Der Matrix-Stack ist im Selfhost-Compose als optionales Profil `matrix` enthalten. Er umfasst Synapse, eine eigene PostgreSQL-Datenbank für Synapse, Redis, `.well-known/matrix`, coturn, LiveKit, den LiveKit-JWT-Service und Element Web. Das einfache Selfhost-Setup nutzt nur `DOMAIN`: Synapse läuft unter `https://DOMAIN/_matrix`, Matrix-Well-Known unter `https://DOMAIN/.well-known/matrix`, LiveKit unter `https://DOMAIN/livekit/sfu`, der JWT-Service unter `https://DOMAIN/livekit/jwt` und Element Web unter `https://DOMAIN/element`. Vor dem ersten Start musst du `matrix/synapse/homeserver.yaml` erzeugen und `matrix/selfhost/element-config.json` auf deine Domain anpassen. Der Matrix-Stack ist im Selfhost-Compose direkt enthalten. Er umfasst Synapse, eine eigene PostgreSQL-Datenbank für Synapse, Redis, `.well-known/matrix`, coturn, LiveKit, den LiveKit-JWT-Service und Element Web. Das einfache Selfhost-Setup nutzt nur `DOMAIN`: Synapse läuft unter `https://DOMAIN/_matrix`, Matrix-Well-Known unter `https://DOMAIN/.well-known/matrix`, LiveKit unter `https://DOMAIN/livekit/sfu`, der JWT-Service unter `https://DOMAIN/livekit/jwt` und Element Web unter `https://DOMAIN/element`.
Das Backend führt beim Containerstart standardmäßig `npm run migrate` aus. Setze `FEDEO_RUN_MIGRATIONS=false`, wenn du Migrationen bewusst manuell ausführen möchtest. Das Backend führt beim Containerstart standardmäßig `npm run migrate` aus. Setze `FEDEO_RUN_MIGRATIONS=false`, wenn du Migrationen bewusst manuell ausführen möchtest.
@@ -416,22 +416,7 @@ docker compose -f docker-compose.selfhost.yml build
docker compose -f docker-compose.selfhost.yml up -d docker compose -f docker-compose.selfhost.yml up -d
``` ```
Mit Matrix-Profil: Synapse erzeugt `matrix/synapse/homeserver.yaml` beim ersten Start automatisch und aktualisiert die für FEDEO relevanten Werte aus der `.env`. `MATRIX_REGISTRATION_SHARED_SECRET` muss in der `.env` gesetzt und geheim bleiben, weil FEDEO damit Matrix-Nutzer provisioniert.
```bash
docker compose -f docker-compose.selfhost.yml --profile matrix up -d
```
Synapse-Konfiguration vor dem ersten Matrix-Start erzeugen:
```bash
docker compose -f docker-compose.selfhost.yml --profile matrix run --rm \
-e SYNAPSE_SERVER_NAME="${MATRIX_SERVER_NAME}" \
-e SYNAPSE_REPORT_STATS=no \
matrix-synapse generate
```
Danach in `matrix/synapse/homeserver.yaml` mindestens Datenbank, Redis, `public_baseurl`, TURN und `registration_shared_secret` setzen. Der Wert von `registration_shared_secret` muss zusätzlich als `MATRIX_REGISTRATION_SHARED_SECRET` in die `.env`, damit FEDEO Matrix-Nutzer provisionieren kann.
Danach Status prufen: Danach Status prufen:

142
docker-compose.selfhost.yml
View File

@@ -135,10 +135,10 @@ services:
MATRIX_RTC_HOST: ${MATRIX_RTC_HOST:-${DOMAIN}} MATRIX_RTC_HOST: ${MATRIX_RTC_HOST:-${DOMAIN}}
MATRIX_RTC_JWT_URL: ${MATRIX_RTC_JWT_URL:-} MATRIX_RTC_JWT_URL: ${MATRIX_RTC_JWT_URL:-}
MATRIX_LIVEKIT_URL: ${MATRIX_LIVEKIT_URL:-} MATRIX_LIVEKIT_URL: ${MATRIX_LIVEKIT_URL:-}
MATRIX_REGISTRATION_SHARED_SECRET: ${MATRIX_REGISTRATION_SHARED_SECRET:-} MATRIX_REGISTRATION_SHARED_SECRET: ${MATRIX_REGISTRATION_SHARED_SECRET:-change-this-matrix-registration-secret}
MATRIX_SERVICE_USER_LOCALPART: ${MATRIX_SERVICE_USER_LOCALPART:-fedeo_service} MATRIX_SERVICE_USER_LOCALPART: ${MATRIX_SERVICE_USER_LOCALPART:-fedeo_service}
LIVEKIT_KEY: ${LIVEKIT_KEY:-fedeo-livekit} LIVEKIT_KEY: ${LIVEKIT_KEY:-fedeo-livekit}
LIVEKIT_SECRET: ${LIVEKIT_SECRET:-} LIVEKIT_SECRET: ${LIVEKIT_SECRET:-change-this-livekit-secret-please-replace}
labels: labels:
- traefik.enable=true - traefik.enable=true
- traefik.http.routers.fedeo-backend.rule=Host(`${DOMAIN}`) && PathPrefix(`/backend`) - traefik.http.routers.fedeo-backend.rule=Host(`${DOMAIN}`) && PathPrefix(`/backend`)
@@ -178,8 +178,6 @@ services:
image: postgres:16-alpine image: postgres:16-alpine
container_name: fedeo-matrix-db container_name: fedeo-matrix-db
restart: unless-stopped restart: unless-stopped
profiles:
- matrix
environment: environment:
POSTGRES_DB: ${MATRIX_POSTGRES_DB:-synapse} POSTGRES_DB: ${MATRIX_POSTGRES_DB:-synapse}
POSTGRES_USER: ${MATRIX_POSTGRES_USER:-synapse} POSTGRES_USER: ${MATRIX_POSTGRES_USER:-synapse}
@@ -199,8 +197,6 @@ services:
image: redis:7-alpine image: redis:7-alpine
container_name: fedeo-matrix-redis container_name: fedeo-matrix-redis
restart: unless-stopped restart: unless-stopped
profiles:
- matrix
networks: networks:
- internal - internal
@@ -208,15 +204,79 @@ services:
image: ghcr.io/element-hq/synapse:latest image: ghcr.io/element-hq/synapse:latest
container_name: fedeo-matrix-synapse container_name: fedeo-matrix-synapse
restart: unless-stopped restart: unless-stopped
profiles:
- matrix
depends_on: depends_on:
matrix-db: matrix-db:
condition: service_healthy condition: service_healthy
matrix-redis: matrix-redis:
condition: service_started condition: service_started
environment: environment:
DOMAIN: ${DOMAIN}
MATRIX_POSTGRES_DB: ${MATRIX_POSTGRES_DB:-synapse}
MATRIX_POSTGRES_USER: ${MATRIX_POSTGRES_USER:-synapse}
MATRIX_POSTGRES_PASSWORD: ${MATRIX_POSTGRES_PASSWORD:-change-this-matrix-db-password}
MATRIX_REGISTRATION_SHARED_SECRET: ${MATRIX_REGISTRATION_SHARED_SECRET:-change-this-matrix-registration-secret}
MATRIX_SERVER_NAME: ${MATRIX_SERVER_NAME:-${DOMAIN}}
MATRIX_TURN_SHARED_SECRET: ${MATRIX_TURN_SHARED_SECRET:-change-this-turn-secret}
SYNAPSE_CONFIG_PATH: /data/homeserver.yaml SYNAPSE_CONFIG_PATH: /data/homeserver.yaml
SYNAPSE_REPORT_STATS: "no"
SYNAPSE_SERVER_NAME: ${MATRIX_SERVER_NAME:-${DOMAIN}}
entrypoint: /bin/sh
command:
- -ec
- |
if [ ! -f /data/homeserver.yaml ]; then
/start.py generate
fi
python - <<'PY'
import os
import yaml
path = "/data/homeserver.yaml"
with open(path, "r", encoding="utf-8") as handle:
config = yaml.safe_load(handle) or {}
domain = os.environ["DOMAIN"]
server_name = os.environ.get("MATRIX_SERVER_NAME") or domain
config["server_name"] = server_name
config["public_baseurl"] = f"https://{domain}/"
config["database"] = {
"name": "psycopg2",
"args": {
"user": os.environ.get("MATRIX_POSTGRES_USER", "synapse"),
"password": os.environ["MATRIX_POSTGRES_PASSWORD"],
"database": os.environ.get("MATRIX_POSTGRES_DB", "synapse"),
"host": "matrix-db",
"cp_min": 5,
"cp_max": 10,
},
}
config["redis"] = {"enabled": True, "host": "matrix-redis"}
config["registration_shared_secret"] = os.environ["MATRIX_REGISTRATION_SHARED_SECRET"]
config["turn_uris"] = [
f"turn:{domain}:3478?transport=udp",
f"turn:{domain}:3478?transport=tcp",
]
config["turn_shared_secret"] = os.environ["MATRIX_TURN_SHARED_SECRET"]
config["turn_user_lifetime"] = "1h"
config["enable_registration"] = False
config["experimental_features"] = {
**(config.get("experimental_features") or {}),
"msc3266_enabled": True,
"msc4222_enabled": True,
}
config["login_via_existing_session"] = {
"enabled": True,
"require_ui_auth": False,
"token_timeout": "5m",
}
config["max_event_delay_duration"] = "24h"
config["rc_message"] = {"per_second": 0.5, "burst_count": 30}
config["rc_delayed_event_mgmt"] = {"per_second": 1, "burst_count": 20}
with open(path, "w", encoding="utf-8") as handle:
yaml.safe_dump(config, handle, sort_keys=False)
PY
exec /start.py
volumes: volumes:
- ./matrix/synapse:/data - ./matrix/synapse:/data
labels: labels:
@@ -234,10 +294,30 @@ services:
image: nginx:1.27-alpine image: nginx:1.27-alpine
container_name: fedeo-matrix-well-known container_name: fedeo-matrix-well-known
restart: unless-stopped restart: unless-stopped
profiles: command:
- matrix - /bin/sh
volumes: - -ec
- ./matrix/well-known:/usr/share/nginx/html/.well-known/matrix:ro - |
mkdir -p /usr/share/nginx/html/.well-known/matrix
cat >/usr/share/nginx/html/.well-known/matrix/client <<EOF
{
"m.homeserver": {
"base_url": "https://${DOMAIN}"
},
"org.matrix.msc4143.rtc_foci": [
{
"type": "livekit",
"livekit_service_url": "https://${DOMAIN}/livekit/jwt"
}
]
}
EOF
cat >/usr/share/nginx/html/.well-known/matrix/server <<EOF
{
"m.server": "${MATRIX_SERVER_NAME:-${DOMAIN}}:443"
}
EOF
exec nginx -g 'daemon off;'
labels: labels:
- traefik.enable=true - traefik.enable=true
- traefik.http.middlewares.fedeo-matrix-well-known-cors.headers.accesscontrolalloworiginlist=* - traefik.http.middlewares.fedeo-matrix-well-known-cors.headers.accesscontrolalloworiginlist=*
@@ -256,8 +336,6 @@ services:
image: instrumentisto/coturn:4 image: instrumentisto/coturn:4
container_name: fedeo-matrix-turn container_name: fedeo-matrix-turn
restart: unless-stopped restart: unless-stopped
profiles:
- matrix
command: command:
- --fingerprint - --fingerprint
- --use-auth-secret - --use-auth-secret
@@ -282,8 +360,6 @@ services:
image: livekit/livekit-server:v1.9 image: livekit/livekit-server:v1.9
container_name: fedeo-matrix-livekit container_name: fedeo-matrix-livekit
restart: unless-stopped restart: unless-stopped
profiles:
- matrix
depends_on: depends_on:
- matrix-redis - matrix-redis
entrypoint: /bin/sh entrypoint: /bin/sh
@@ -325,8 +401,6 @@ services:
image: ghcr.io/element-hq/lk-jwt-service:latest image: ghcr.io/element-hq/lk-jwt-service:latest
container_name: fedeo-matrix-rtc-jwt container_name: fedeo-matrix-rtc-jwt
restart: unless-stopped restart: unless-stopped
profiles:
- matrix
depends_on: depends_on:
- matrix-livekit - matrix-livekit
- matrix-synapse - matrix-synapse
@@ -353,10 +427,34 @@ services:
image: vectorim/element-web:latest image: vectorim/element-web:latest
container_name: fedeo-matrix-element container_name: fedeo-matrix-element
restart: unless-stopped restart: unless-stopped
profiles: entrypoint: /bin/sh
- matrix command:
volumes: - -ec
- ./matrix/selfhost/element-config.json:/app/config.json:ro - |
cat >/app/config.json <<EOF
{
"default_server_config": {
"m.homeserver": {
"base_url": "https://${DOMAIN}",
"server_name": "${MATRIX_SERVER_NAME:-${DOMAIN}}"
}
},
"org.matrix.msc4143.rtc_foci": [
{
"type": "livekit",
"livekit_service_url": "https://${DOMAIN}/livekit/jwt"
}
],
"disable_custom_urls": false,
"disable_guests": true,
"brand": "FEDEO Matrix",
"default_theme": "light",
"features": {
"feature_video_rooms": true
}
}
EOF
exec nginx -g 'daemon off;'
labels: labels:
- traefik.enable=true - traefik.enable=true
- traefik.http.routers.fedeo-matrix-element.rule=Host(`${DOMAIN}`) && PathPrefix(`/element`) - traefik.http.routers.fedeo-matrix-element.rule=Host(`${DOMAIN}`) && PathPrefix(`/element`)

21
matrix/selfhost/element-config.json
View File

@@ -1,21 +0,0 @@
{
"default_server_config": {
"m.homeserver": {
"base_url": "https://app.example.com",
"server_name": "app.example.com"
}
},
"org.matrix.msc4143.rtc_foci": [
{
"type": "livekit",
"livekit_service_url": "https://app.example.com/livekit/jwt"
}
],
"disable_custom_urls": false,
"disable_guests": true,
"brand": "FEDEO Matrix",
"default_theme": "light",
"features": {
"feature_video_rooms": true
}
}