feat(element): Enable Matrix federation via https.

2025-12-07 16:01:37 +01:00 · 2024-06-02 16:06:09 +02:00
parent 75cd077351
commit ecb566f61e
6 changed files with 63 additions and 20 deletions
--- a/docs/enhanced-configuration/matrix-federation.md
+++ b/docs/enhanced-configuration/matrix-federation.md
@@ -5,28 +5,58 @@ SPDX-License-Identifier: Apache-2.0

 <h1>Matrix federation</h1>

+<!-- TOC -->
 * [Use case](#use-case)
 * [Example configuration](#example-configuration)
-  * [DNS setup](#dns-setup)
+  * [Disable federation](#disable-federation)
+  * [Separate Matrix domain](#separate-matrix-domain)
+<!-- TOC -->

 # Use case

-By default you only can chat with users that also have an account within your openDesk installation. The Element chat application and its server component Synapse are based on the Matrix protocol that supports federation with other Matrix servers to communicate with the users with accounts on these servers.
+The Element chat application and its server component Synapse are based on the Matrix protocol,
+that supports federation with other Matrix servers to communicate with the users with accounts on these servers.
+
+By default, you can chat with users that have an account within your openDesk installation and federate with other
+matrix-based servers.
+Federation support can be disabled.

 # Example configuration

-The following values are used in this example documentation. Please ensure when you come across such a value even if it is part of a URL hostname or path that you adapt it where needed to your setup:
+The following values are used in this example documentation.
+Please ensure when you come across such a value,
+even if it is part of a URL hostname or path, that you adapt it where needed to your setup:

- `opendesk.domain.tld`: the mandatory `DOMAIN` setting for your deployment resulting in `https://chat.opendesk.domain.tld` to access the Element chat.
- `my_organization.tld`: an optional alternative domain used for mail and/or Matrix. If not used it is also set to `opendesk.domain.tld`.
+- `opendesk.domain.tld`: the mandatory `DOMAIN` setting for your deployment resulting in
+`https://chat.opendesk.domain.tld` to access the Element chat.
+- `my_organization.tld`: an optional alternative domain used for mail and/or Matrix.
+If not used it is also set to `opendesk.domain.tld`.

-## DNS setup
+## Disable federation

-If you want to federate with other Matrix instances, you need to have both SRV records:
+The following setting can disable federation:

-| Record name                         | Type | Value                                  | Additional Information                                                             |
-| ----------------------------------- | ---- | -------------------------------------- | ---------------------------------------------------------------------------------- |
-| _matrix._tcp.my_organization.tld    | SRV  | `1 10 PORT matrix.opendesk.domain.tld` | `PORT` is your NodePort/LoadBalancer port of `opendesk-synapse-federation` service |
-| matrix-fed._tcp.my_organization.tld | SRV  | `1 10 PORT matrix.opendesk.domain.tld` | `PORT` is your NodePort/LoadBalancer port of `opendesk-synapse-federation` service |
+```yaml
+externalServices:
+  matrix:
+    federation:
+      enabled: false
+```

-*Note:* `matrix.opendesk.domain.tld` in the "Value" column can also be the IP address where synapse TLS port is listening to.
+## Separate Matrix domain
+
+If you want to federate with other Matrix instances and use a separate Matrix domain, you need to provide a JSON file on
+the Matrix domain to use delegation.
+This is not included inside openDesk.
+
+Domain path: `https://my_organization.tld/.well-known/matrix/server`
+
+Content:
+```JSON
+{
+    "m.server": "matrix-federation.opendesk.domain.tld:443"
+}
+```
+
+More detailed information can be found in Matrix/Synapse documentation:
+[Matrix Delegation](https://matrix-org.github.io/synapse/v1.98/delegate.html)
--- a/helmfile/apps/element/values-synapse.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse.yaml.gotmpl
@@ -83,6 +83,16 @@ containerSecurityContext:
  seLinuxOptions:
    {{ .Values.seLinuxOptions.synapse | toYaml | nindent 4 }}

+federation:
+  enabled: {{ .Values.externalServices.matrix.federation.enabled }}
+  ingress:
+    host: "{{ .Values.global.hosts.synapseFederation }}.{{ .Values.global.domain }}"
+    enabled: {{ .Values.ingress.enabled }}
+    ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+    tls:
+      enabled: {{ .Values.ingress.tls.enabled }}
+      secretName: {{ .Values.ingress.tls.secretName | quote }}
+
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
--- a/helmfile/apps/services/values-certificates.yaml.gotmpl
+++ b/helmfile/apps/services/values-certificates.yaml.gotmpl
@@ -5,7 +5,6 @@ SPDX-License-Identifier: Apache-2.0
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
-  synapseDomain: {{ .Values.global.matrixDomain | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}

--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -14,7 +14,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-certificates"
    name: "opendesk-certificates"
-    version: "2.2.0"
+    version: "2.1.3"
    verify: true
  clamav:
    # providerCategory: "Platform"
@@ -78,7 +78,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-element"
-    version: "2.7.1"
+    version: "3.0.0"
    verify: true
  elementWellKnown:
    # providerCategory: "Platform"
@@ -88,7 +88,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-well-known"
-    version: "2.7.1"
+    version: "3.0.0"
    verify: true
  home:
    # providerCategory: "Platform"
@@ -180,7 +180,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-matrix-user-verification-service"
-    version: "2.7.1"
+    version: "3.0.0"
    verify: true
  memcached:
    # providerCategory: "Community"
@@ -346,7 +346,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse"
-    version: "2.7.1"
+    version: "3.0.0"
    verify: true
  synapseCreateAccount:
    # providerCategory: "Platform"
@@ -356,7 +356,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse-create-account"
-    version: "2.7.1"
+    version: "3.0.0"
    verify: true
  synapseWeb:
    # providerCategory: "Platform"
@@ -366,7 +366,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse-web"
-    version: "2.7.1"
+    version: "3.0.0"
    verify: true
  ums:
    # providerCategory: "Supplier"
--- a/helmfile/environments/default/functional.yaml
+++ b/helmfile/environments/default/functional.yaml
@@ -13,4 +13,7 @@ externalServices:
    udmRestApi:
      # Set to 'true' if you don't want to make the UDM REST API from the Nubus stack externally available
      enabled: false
+  matrix:
+    federation:
+      enabled: true
 ...
--- a/helmfile/environments/default/global.yaml
+++ b/helmfile/environments/default/global.yaml
@@ -25,6 +25,7 @@ global:
    openxchange: "webmail"
    openxchangeProvisioning: "ox-provisioning"
    synapse: "matrix"
+    synapseFederation: "matrix-federation"
    univentionManagementStack: "portal"
    whiteboard: "whiteboard"
    xwiki: "wiki"