From 7fa0a5d5958bdfd0125c7ce5095f1a1c2a91d8f8 Mon Sep 17 00:00:00 2001 From: Benjam <53127823+benjamsf@users.noreply.github.com> Date: Sun, 29 Mar 2026 00:32:48 +0200 Subject: [PATCH 1/4] fix: relax rate limits, as previous led to problems --- templates/homeserver.yaml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/templates/homeserver.yaml b/templates/homeserver.yaml index 7d45dde..9af84a6 100644 --- a/templates/homeserver.yaml +++ b/templates/homeserver.yaml @@ -33,6 +33,31 @@ room_list_publication_rules: - user_id: "*" action: allow allow_guest_access: false + +rc_joins: + local: + per_second: 10 + burst_count: 50 + remote: + per_second: 0.01 + burst_count: 3 + per_room: + per_second: 50 + burst_count: 100 + +rc_invites: + per_user: + per_second: 10 + burst_count: 50 + per_room: + per_second: 10 + burst_count: 50 + +rc_presence: + per_user: + per_second: 10 + burst_count: 50 + enable_registration: false enable_registration_without_verification: false federation_domain_whitelist: [] From b48d24335b8e9bb44bbabc005f0b350e8782909c Mon Sep 17 00:00:00 2001 From: Benjam <53127823+benjamsf@users.noreply.github.com> Date: Mon, 30 Mar 2026 23:35:40 +0300 Subject: [PATCH 2/4] feat: minimal implementation of admin bot user to auto-create and manage things --- scripts/synapse-entrypoint.sh | 2 ++ templates/homeserver.yaml | 11 +++++++++++ 2 files changed, 13 insertions(+) diff --git a/scripts/synapse-entrypoint.sh b/scripts/synapse-entrypoint.sh index 8079fca..7e6cf88 100644 --- a/scripts/synapse-entrypoint.sh +++ b/scripts/synapse-entrypoint.sh @@ -53,6 +53,8 @@ else export SYNAPSE_PUBLIC_BASEURL="https://synapse.${SERVER_DOMAIN}:${NGINX_HTTPS_PORT}" fi +export DEPLOYMENT_NAME="${SERVER_DOMAIN%%.*}" + if [[ ! -f "$CONFIG_FILE" ]]; then echo "Creating homeserver.yaml..." mkdir -p "$DATA_DIR" diff --git a/templates/homeserver.yaml b/templates/homeserver.yaml index 9af84a6..7a421d5 100644 --- a/templates/homeserver.yaml 
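Review bot: `per_room` under `rc_joins` is not a key Synapse reads — per Synapse's config reference the per-room join limiter is the top-level key `rc_joins_per_room` (same `per_second`/`burst_count` shape) — so that block is silently ignored and the per-room join limit stays at its default; move it to `rc_joins_per_room:` at top level, and confirm against the deployed version. The remaining values are far above the defaults (local joins 10/s vs 0.1/s, per-user invites 10/s vs 0.003/s, presence 10/s vs 0.1/s), which largely removes the server-side brake on join floods and invite spam from a single compromised or scripted account. The commit message only says the old limits "led to problems"; record which operation tripped them in a comment above `rc_joins:`, e.g. `# Raised from defaults: the admin bot's bulk space/room setup hit the join and invite limits.`, so a maintainer can judge whether they can be tightened again. If the bot is the only trigger, a per-user override for that account (Synapse's admin ratelimit-override API, if it covers these limiters in the deployed version) is narrower than a global relaxation. `rc_invites.per_issuer` is also left at its default, so the inviter-side limit still applies to the bot while the invitee/room limits are relaxed — worth confirming that is intended.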
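Review bot: `export DEPLOYMENT_NAME="${SERVER_DOMAIN%%.*}"` derives the room-alias prefix without checking that `SERVER_DOMAIN` is non-empty; if it is empty the templated aliases render as `#-space:` and the failure only surfaces later inside Synapse (an earlier guard may exist above this hunk, which is not visible here). Unless one already does, add `: "${SERVER_DOMAIN:?SERVER_DOMAIN must be set}"` immediately before the export, plus a why-comment such as `# First DNS label of SERVER_DOMAIN; used as the prefix of the auto-join room aliases in homeserver.yaml.`. Since the value is spliced into YAML by `envsubst` and into Matrix room aliases, restricting it to a safe character set with `[[ "$DEPLOYMENT_NAME" =~ ^[A-Za-z0-9-]+$ ]] || { echo "Unsupported SERVER_DOMAIN label" >&2; exit 1; }` turns a surprising domain into a clear startup failure.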
+++ b/templates/homeserver.yaml @@ -34,6 +34,17 @@ room_list_publication_rules: action: allow allow_guest_access: false +registration_shared_secret: "${SYNAPSE_REGISTRATION_SECRET}" + +auto_join_rooms: + - "#${DEPLOYMENT_NAME}-space:${SERVER_DOMAIN}" + - "#${DEPLOYMENT_NAME}-general:${SERVER_DOMAIN}" + - "#${DEPLOYMENT_NAME}-helpdesk:${SERVER_DOMAIN}" + - "#${DEPLOYMENT_NAME}-offtopic:${SERVER_DOMAIN}" +autocreate_auto_join_rooms: false +auto_join_rooms_for_guests: false +auto_join_mxid_localpart: "${SYNAPSE_BOT_USERNAME}" + rc_joins: local: per_second: 10 From d570c354b49159f4119d0fbcc50f6e92cc447c13 Mon Sep 17 00:00:00 2001 From: Benjam <53127823+benjamsf@users.noreply.github.com> Date: Wed, 1 Apr 2026 01:52:05 +0300 Subject: [PATCH 3/4] feat: support autocreating space&rooms, defining federation capability by env var --- scripts/synapse-entrypoint.sh | 25 +++++++++++++++++++++++++ templates/homeserver.yaml | 12 +++++++++--- 2 files changed, 34 insertions(+), 3 deletions(-) diff --git a/scripts/synapse-entrypoint.sh b/scripts/synapse-entrypoint.sh index 7e6cf88..86e52ca 100644 --- a/scripts/synapse-entrypoint.sh +++ b/scripts/synapse-entrypoint.sh 
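Review bot: `registration_shared_secret: "${SYNAPSE_REGISTRATION_SECRET}"` and `auto_join_mxid_localpart: "${SYNAPSE_BOT_USERNAME}"` are expanded by `envsubst`, which substitutes an empty string for an unset variable instead of failing, so a missing secret renders as `registration_shared_secret: ""` and shared-secret registration is disabled with no error at render time. The `matrixrmapi-bot` default the README documents for the bot username is not applied in this template, so unless the entrypoint exports it (outside this hunk) the localpart renders empty as well. Assert both in the entrypoint before `envsubst` runs (`: "${SYNAPSE_REGISTRATION_SECRET:?must be set}"` and a default for `SYNAPSE_BOT_USERNAME`), and add a comment above the key, e.g. `# Shared secret for the admin /register API; it grants account creation, so protect it like the macaroon key.`. With `autocreate_auto_join_rooms: false` the listed aliases must exist before the first user registers, otherwise Synapse logs a failed auto-join per room — the bot that creates them is outside this change, so that ordering is worth a comment above `auto_join_rooms:`.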
@@ -57,6 +57,31 @@ export DEPLOYMENT_NAME="${SERVER_DOMAIN%%.*}" if [[ ! -f "$CONFIG_FILE" ]]; then echo "Creating homeserver.yaml..." + + # Compute the federation config block injected as ${SYNAPSE_FEDERATION_CONFIG}. + # SYNAPSE_FEDERATION controls the mode: + # * (default) — open federation with any server + # off / false / no — fully disabled + # domain1.tld,domain2.tld — allowlist specific servers only + case "${SYNAPSE_FEDERATION:-*}" in + off|false|no) + echo "Federation: disabled" + export SYNAPSE_FEDERATION_CONFIG="# Federation disabled — no server-to-server traffic allowed. +federation_domain_whitelist: []" + ;; + "*"|"") + echo "Federation: open (all servers)" + export SYNAPSE_FEDERATION_CONFIG="# Federation open — this server can communicate with any Matrix server." + ;; + *) + echo "Federation: allowlist — ${SYNAPSE_FEDERATION}" + DOMAIN_LINES=$(echo "${SYNAPSE_FEDERATION}" | tr ',' '\n' | sed 's/^[[:space:]]*/ - /' | sed 's/[[:space:]]*$//') + export SYNAPSE_FEDERATION_CONFIG="# Federation restricted to listed servers only. +federation_domain_whitelist: +${DOMAIN_LINES}" + ;; + esac + mkdir -p "$DATA_DIR" envsubst < "$CONFIG_TEMPLATE" > "$CONFIG_FILE" chown -R 991:991 "$DATA_DIR" diff --git a/templates/homeserver.yaml b/templates/homeserver.yaml index 7a421d5..4c5e0fd 100644 --- a/templates/homeserver.yaml +++ b/templates/homeserver.yaml @@ -9,18 +9,20 @@ listeners: type: http x_forwarded: true resources: - - names: [client] + - names: [client, federation] compress: false - port: 8008 tls: false type: http x_forwarded: true resources: - - names: [client] + - names: [client, federation] compress: false report_stats: no media_store_path: /data/media_store +max_upload_size: 50M +max_image_pixels: 32M allow_profile_lookup_over_federation: false allow_public_rooms_over_federation: false 
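Review bot: In the allowlist arm, `DOMAIN_LINES` is built from `SYNAPSE_FEDERATION` with no filtering of empty items, so a trailing comma or `a, ,b` yields a bare ` - ` line (a null entry in `federation_domain_whitelist`), and nothing checks that each item looks like a server name before it is spliced unquoted into YAML. Drop empty items and quote the values, e.g. `DOMAIN_LINES=$(printf '%s\n' "${SYNAPSE_FEDERATION}" | tr ',' '\n' | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' -e 's/.*/  - "&"/')`, and reject any item not matching `^[A-Za-z0-9.-]+(:[0-9]+)?$` with a non-zero exit so a typo fails container start instead of silently breaking or widening federation. `printf` also avoids `echo` misreading a value that begins with `-`. The `""` alternative in the `"*"|""` arm is unreachable because `${SYNAPSE_FEDERATION:-*}` already maps the empty value to `*`, so it can be dropped. The default here is open federation; that matches the README, but a comment at the top of the `case`, e.g. `# Default is open federation; set SYNAPSE_FEDERATION=off for an isolated deployment.`, makes the choice visible to whoever edits this script.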
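Review bot: Adding `federation` to `names` on both listeners means `/_matrix/federation/*` is served unconditionally, including when `SYNAPSE_FEDERATION=off`; in that mode the only thing rejecting inbound peers is the substituted `federation_domain_whitelist: []`, and whether the deployed Synapse treats an empty list as "deny all" rather than "not set" should be confirmed before relying on it. If `off` is meant to be hard-off, the safer shape is to also leave `federation` out of `names` (for example by having the entrypoint substitute the resource list) so the endpoints are not bound at all. A comment next to the change, e.g. `# federation resource is always bound; SYNAPSE_FEDERATION=off relies on federation_domain_whitelist to reject peers`, makes that dependency explicit. The enclosing `listeners:` block starts above this hunk, so the first listener's port is not visible here.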
@@ -71,7 +73,11 @@ rc_presence: enable_registration: false enable_registration_without_verification: false -federation_domain_whitelist: [] + +${SYNAPSE_FEDERATION_CONFIG} +# Never use matrix.org as a key server — avoids leaking room/user metadata to a third party. +trusted_key_servers: [] +suppress_key_server_warning: true database: name: psycopg2 From 2501b5d4cefd5a68f44d486a108abe520b9f1c81 Mon Sep 17 00:00:00 2001 From: Benjam <53127823+benjamsf@users.noreply.github.com> Date: Wed, 1 Apr 2026 01:56:01 +0300 Subject: [PATCH 4/4] feat: docs for the docker and fix precommit check --- .pre-commit-config.yaml | 1 + README.md | 60 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 61 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 270e8d5..ada6e9c 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -24,6 +24,7 @@ repos: - id: end-of-file-fixer exclude: ".*.sql" - id: check-yaml + exclude: "templates/.*\\.yaml" - id: check-added-large-files - id: check-case-conflict - id: check-json diff --git a/README.md b/README.md index 922cd6c..463364b 100644 --- a/README.md +++ b/README.md 
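Review bot: The comment above `trusted_key_servers: []` overstates the exposure — a notary lookup to matrix.org reveals which server names this homeserver is fetching keys for (i.e. who it federates with), not room or user metadata; suggest `# No notary: key lookups via matrix.org would reveal which servers we federate with, so signing keys are fetched directly from each origin.`. An empty list is valid — as far as I recall Synapse then fetches each peer's signing keys directly — but it adds a runtime dependency on each peer being reachable when its key is first needed, which deserves a second line in the same comment. Separately, if `SYNAPSE_FEDERATION_CONFIG` is ever unset when `envsubst` renders this template, the placeholder becomes an empty line and federation silently falls back to open; the entrypoint exports it in every `case` arm today, so this only matters if the template is rendered by some other path outside this change, but a comment above the placeholder stating that it is owned by the entrypoint would prevent that drift.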
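Review bot: Excluding `templates/.*\\.yaml` from `check-yaml` removes the only syntax check on `homeserver.yaml`, which fails to parse as raw YAML solely because of the bare `${SYNAPSE_FEDERATION_CONFIG}` placeholder; everything else in the template would still benefit from the check. A cheaper alternative to a blanket exclusion is a local hook that renders the template with placeholder values (`envsubst` with e.g. `SYNAPSE_FEDERATION_CONFIG='federation_domain_whitelist: []'`) and runs `check-yaml` on the output, so template breakage is caught before deployment. Either way, a comment on the exclude line such as `# templates are envsubst input; the federation placeholder is not valid YAML until rendered` records why the check is skipped.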
@@ -1 +1,61 @@ # docker-synapse-server + +Matrix homeserver (Synapse) for the Deploy App integration stack. + +## DNS records required + +Two public DNS records must point to your WAN address: + +- `synapse.domain` — Matrix homeserver; Element clients connect here and federation traffic arrives here +- `matrix.domain` — Deploy App Matrix integration UI/API (matrixrmapi) +- `mtls.matrix.domain` — mTLS access to the matrix integration API + +## Environment variables + +### Required + +| Variable | Description | +|---|---| +| `SYNAPSE_DATABASE_PASSWORD` | PostgreSQL password for the `synapse` database | +| `SYNAPSE_MACAROON_SECRET_KEY` | Secret used to sign Synapse macaroon tokens. Generate with `openssl rand -hex 32` | +| `SYNAPSE_REGISTRATION_SECRET` | Shared secret used by matrixrmapi to register the admin bot. Generate with `openssl rand -hex 32` | + +### Optional + +| Variable | Default | Description | +|---|---|---| +| `SYNAPSE_BOT_USERNAME` | `matrixrmapi-bot` | Local part of the Synapse admin bot user | +| `SYNAPSE_FEDERATION` | `*` | Federation mode (see below) | + +### Federation modes + +`SYNAPSE_FEDERATION` controls server-to-server federation: + +``` +SYNAPSE_FEDERATION="*" # open — federate with any Matrix server (default) +SYNAPSE_FEDERATION="off" # disabled — no server-to-server traffic at all +SYNAPSE_FEDERATION="pvarki.fi,ally.org" # allowlist — only the listed domains +``` + +### Database variables (set automatically from the compose stack) + +| Variable | Description | +|---|---| +| `POSTGRES_HOST` | PostgreSQL hostname | +| `POSTGRES_USER` | PostgreSQL user | +| `POSTGRES_DB` | PostgreSQL database name | + +## Rooms and spaces created automatically + +On first startup, matrixrmapi creates a Space and four rooms scoped to the deployment: + +| Key | Alias pattern | Purpose | +|---|---|---| +| space | `#-space:` | Top-level Space; all users auto-join | +| general | `#-general:` | General work discussion | +| helpdesk | `#-helpdesk:` | Issue reporting 
and help | +| offtopic | `#-offtopic:` | Off-topic conversation | +| admin | `#-admin:` | Admin-only channel | + +All rooms use end-to-end encryption and restricted join rules (Space membership required). +Admins promoted in Deploy App receive power level 100 and are joined to the admin channel automatically.