Sovran_Systems/Sovran_SystemsOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #311 from naturallaw777/copilot/migrate-federation-to-well-known

Browse Source 
Migrate Matrix federation from port 8448 to .well-known/matrix/server delegation on 443
This commit is contained in:
Sovran Systems
2026-06-13 10:04:42 -05:00
committed by GitHub
parent 417456485a d3beee602d
commit 6ec1faf3e6
5 changed files with 12 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/sovran_systemsos_web/server.py
+4 -19
View File
@@ -281,9 +281,6 @@ FEATURE_SERVICE_MAP = {
} }
# Port requirements for service tiles (keyed by unit name or icon) # Port requirements for service tiles (keyed by unit name or icon)
_PORTS_MATRIX_FEDERATION = [
{"port": "8448", "protocol": "TCP", "description": "Matrix server-to-server federation"},
]
_PORTS_ELEMENT_CALLING = [ _PORTS_ELEMENT_CALLING = [
{"port": "7881", "protocol": "TCP", "description": "LiveKit WebRTC signalling"}, {"port": "7881", "protocol": "TCP", "description": "LiveKit WebRTC signalling"},
{"port": "7882", "protocol": "UDP", "description": "LiveKit media (UDP mux)"}, {"port": "7882", "protocol": "UDP", "description": "LiveKit media (UDP mux)"},
@@ -296,7 +293,7 @@ SERVICE_PORT_REQUIREMENTS: dict[str, list[dict]] = {
# Infrastructure # Infrastructure
"caddy.service": [], "caddy.service": [],
# Communication # Communication
"matrix-synapse.service": _PORTS_MATRIX_FEDERATION, "matrix-synapse.service": [],
"livekit.service": _PORTS_ELEMENT_CALLING, "livekit.service": _PORTS_ELEMENT_CALLING,
# Domain-based apps (80/443 handled by end-to-end domain reachability checks) # Domain-based apps (80/443 handled by end-to-end domain reachability checks)
"btcpayserver.service": [], "btcpayserver.service": [],
@@ -2983,28 +2980,16 @@ async def api_service_detail(unit: str, icon: str | None = None):
"status": ps, "status": ps,
"description": p.get("description", ""), "description": p.get("description", ""),
}) })
extra_ports = port_statuses if unit in ("matrix-synapse.service", "livekit.service") else [] extra_ports = port_statuses if unit == "livekit.service" else []
if needs_domain and unit in ("matrix-synapse.service", "livekit.service"): if needs_domain and unit == "livekit.service":
if has_domain_issues: if has_domain_issues:
domain_check_steps.append({ domain_check_steps.append({
"step": 4, "step": 4,
"label": "Federation Port" if unit == "matrix-synapse.service" else "Additional Ports Required", "label": "Additional Ports Required",
"status": "skipped", "status": "skipped",
"detail": "Skipped until Steps 1-3 are complete", "detail": "Skipped until Steps 1-3 are complete",
}) })
elif unit == "matrix-synapse.service":
if extra_ports:
matrix_open = extra_ports[0]["status"] != "closed"
domain_check_steps.append({
"step": 4,
"label": "Federation Port",
"status": "ok" if matrix_open else "error",
"detail": (
f"Matrix federation port 8448 (TCP) is {'open' if matrix_open else 'closed'}.\n"
f"Matrix federation requires port 8448 (TCP) forwarded to {internal_ip}"
),
})
else: else:
extra_open = all(p["status"] != "closed" for p in extra_ports) extra_open = all(p["status"] != "closed" for p in extra_ports)
domain_check_steps.append({ domain_check_steps.append({
app/sovran_systemsos_web/static/onboarding.js
+3 -4
View File
@@ -545,14 +545,13 @@ async function loadStep4() {
html += '<tr><td class="port-req-port">80</td><td class="port-req-proto">TCP</td><td class="port-req-internal-ip">' + ip + '</td><td class="port-req-desc">HTTP</td></tr>'; html += '<tr><td class="port-req-port">80</td><td class="port-req-proto">TCP</td><td class="port-req-internal-ip">' + ip + '</td><td class="port-req-desc">HTTP</td></tr>';
html += '<tr><td class="port-req-port">443</td><td class="port-req-proto">TCP</td><td class="port-req-internal-ip">' + ip + '</td><td class="port-req-desc">HTTPS</td></tr>'; html += '<tr><td class="port-req-port">443</td><td class="port-req-proto">TCP</td><td class="port-req-internal-ip">' + ip + '</td><td class="port-req-desc">HTTPS</td></tr>';
html += '<tr><td class="port-req-port">22</td><td class="port-req-proto">TCP</td><td class="port-req-internal-ip">' + ip + '</td><td class="port-req-desc">SSH Remote Access</td></tr>'; html += '<tr><td class="port-req-port">22</td><td class="port-req-proto">TCP</td><td class="port-req-internal-ip">' + ip + '</td><td class="port-req-desc">SSH Remote Access</td></tr>';
html += '<tr><td class="port-req-port">8448</td><td class="port-req-proto">TCP</td><td class="port-req-internal-ip">' + ip + '</td><td class="port-req-desc">Matrix Federation</td></tr>';
html += '</tbody></table>'; html += '</tbody></table>';
html += '</div>'; html += '</div>';
// Optional ports table // Optional ports table
html += '<div class="onboarding-port-section" style="margin-bottom:20px;">'; html += '<div class="onboarding-port-section" style="margin-bottom:20px;">';
html += '<div class="onboarding-port-section-title" style="font-weight:700;margin-bottom:4px;">Optional — Only needed if you enable Element Calling:</div>'; html += '<div class="onboarding-port-section-title" style="font-weight:700;margin-bottom:4px;">Optional — Only needed if you enable Element Calling:</div>';
html += '<div style="font-size:0.88em;margin-bottom:8px;color:var(--color-text-muted,#888);">These 5 additional port openings are required on top of the 4 required ports above.</div>'; html += '<div style="font-size:0.88em;margin-bottom:8px;color:var(--color-text-muted,#888);">These 5 additional port openings are required on top of the 3 required ports above.</div>';
html += '<table class="onboarding-port-table">'; html += '<table class="onboarding-port-table">';
html += '<thead><tr><th>Port</th><th>Protocol</th><th>Forward&nbsp;to</th><th>Purpose</th></tr></thead>'; html += '<thead><tr><th>Port</th><th>Protocol</th><th>Forward&nbsp;to</th><th>Purpose</th></tr></thead>';
html += '<tbody>'; html += '<tbody>';
@@ -566,8 +565,8 @@ async function loadStep4() {
// Totals // Totals
html += '<div class="onboarding-port-totals">'; html += '<div class="onboarding-port-totals">';
html += '<strong>Total port openings: 4</strong> (without Element Calling)<br>'; html += '<strong>Total port openings: 3</strong> (without Element Calling)<br>';
html += '<strong>Total port openings: 9</strong> (with Element Calling — 4 required + 5 optional)'; html += '<strong>Total port openings: 8</strong> (with Element Calling — 3 required + 5 optional)';
html += '</div>'; html += '</div>';
html += '<div class="onboarding-port-warn" style="margin-bottom:16px;">' html += '<div class="onboarding-port-warn" style="margin-bottom:16px;">'
modules/core/caddy.nix
+3 -3
View File
@@ -94,10 +94,10 @@ EOF
$MATRIX { $MATRIX {
reverse_proxy /_matrix/* http://localhost:8008 reverse_proxy /_matrix/* http://localhost:8008
reverse_proxy /_synapse/client/* http://localhost:8008 reverse_proxy /_synapse/client/* http://localhost:8008
handle /.well-known/matrix/server {
header Content-Type application/json
respond \`{"m.server":"$MATRIX:443"}\` 200
} }
$MATRIX:8448 {
reverse_proxy http://localhost:8008
} }
EOF EOF
fi fi
modules/element-calling.nix
+1 -4
View File
@@ -68,10 +68,7 @@ $MATRIX {
header /.well-known/matrix/* Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" header /.well-known/matrix/* Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
header /.well-known/matrix/* Access-Control-Allow-Headers "X-Requested-With, Content-Type, Authorization" header /.well-known/matrix/* Access-Control-Allow-Headers "X-Requested-With, Content-Type, Authorization"
respond /.well-known/matrix/client \`{ "m.homeserver": {"base_url": "https://$MATRIX" }, "org.matrix.msc4143.rtc_foci": [{ "type":"livekit", "livekit_service_url":"https://$ELEMENT_CALLING/livekit/jwt" }] }\` respond /.well-known/matrix/client \`{ "m.homeserver": {"base_url": "https://$MATRIX" }, "org.matrix.msc4143.rtc_foci": [{ "type":"livekit", "livekit_service_url":"https://$ELEMENT_CALLING/livekit/jwt" }] }\`
} respond /.well-known/matrix/server \`{"m.server":"$MATRIX:443"}\`
$MATRIX:8448 {
reverse_proxy http://localhost:8008
} }
$ELEMENT_CALLING { $ELEMENT_CALLING {
modules/synapse.nix
-3
View File
@@ -250,9 +250,6 @@ CREDS
''; '';
}; };
networking.firewall.allowedTCPPorts = [ 8448 ];
networking.firewall.allowedUDPPorts = [ 8448 ];
sovran_systemsOS.domainRequirements = [ sovran_systemsOS.domainRequirements = [
{ name = "matrix"; label = "Matrix Synapse"; example = "matrix.yourdomain.com"; } { name = "matrix"; label = "Matrix Synapse"; example = "matrix.yourdomain.com"; }
]; ];