Update docs: element-admin port, bridge guide, production ports
SETUP.md:
- element-admin access URL: port 8081 → 8091
- Replace incorrect "no authentication by default" note with correct description of MAS/OIDC auth and required env vars
- netstat grep: port 8081 → 8091

PRODUCTION_DEPLOYMENT.md:
- Backend port list: 8090 → 8083 (element-call) + add 8091 (element-admin)

BRIDGE_SETUP_GUIDE.md:
- doublepuppet url: "" → url: null (empty string causes Synapse transaction retry loops; null tells Synapse the appservice has no HTTP endpoint)
- WhatsApp/Signal encryption examples: remove non-existent fields allow_key_sharing and self_sign; fix section nesting (top-level in megabridge format, not nested under bridge:)
- Script description: rewrite to match what setup-bridges.sh actually does (hostname 0.0.0.0, file permissions, conditional Telegram)
- Telegram: document TELEGRAM_API_ID/HASH requirement before running script
- Future encryption section: remove outdated self_sign field, update note to reflect current status (MAS appservice login not yet implemented)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -43,14 +43,21 @@ Use the provided `setup-bridges.sh` script which handles the correct sequence:

### What the Script Does

1. **Removes** docker-compose dependency on Synapse health
2. **Starts each bridge** independently to generate configs and registrations
3. **Configures** all bridge settings (homeserver address, database, permissions)
4. **Waits** for registration.yaml files to be created
5. **Adds** registration paths to Synapse homeserver.yaml
6. **Mounts** bridge directory in Synapse container
7. **Restarts** Synapse to load appservice registrations
8. **Starts** all bridges with proper Synapse integration
1. Generates a double puppet appservice token pair
2. Starts all bridges simultaneously to generate default configs, then stops them
3. Configures each bridge (homeserver address, domain, database, permissions, double puppet, encryption off)
4. Sets `hostname: 0.0.0.0` so Synapse can reach bridges across Docker containers
5. Restarts bridges to generate `registration.yaml` files, then stops them
6. Sets file permissions so Synapse can read the registration files
7. Creates bridge databases in PostgreSQL
8. Registers all appservices in `synapse/data/homeserver.yaml`
9. Restarts Synapse, then starts bridges

**Telegram** requires API credentials from [my.telegram.org](https://my.telegram.org). Add to `.env` before running the script, otherwise Telegram is skipped:
```
TELEGRAM_API_ID=your_api_id
TELEGRAM_API_HASH=your_api_hash
```

## Manual Bridge Setup (If Script Fails)

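Review bot: step 6 ("Sets file permissions so Synapse can read the registration files") should state the exact mode the script applies, because every `registration.yaml` carries that bridge's `as_token` and `hs_token`; a world-readable chmod would hand appservice credentials to any local user, so the guide should name the narrower permission the script actually sets (readable by the Synapse container's user only). The old step "Removes docker-compose dependency on Synapse health" was also dropped from the list with no indication of whether the script still edits docker-compose; if it no longer does, say so in the prose so readers know the health dependency is left intact.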
@@ -400,7 +407,7 @@ Create `appservices/doublepuppet.yaml`:

```yaml
id: doublepuppet
url: ""
url: null
as_token: "YOUR_AS_TOKEN_HERE"
hs_token: "YOUR_HS_TOKEN_HERE"
sender_localpart: doublepuppet
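Review bot: the reason for `url: null` lives only in the commit message; put it next to the field as a YAML comment, e.g. `url: null  # no HTTP endpoint; "" makes Synapse retry transactions indefinitely`, so a later reader does not "fix" it back to an empty string. The `YOUR_AS_TOKEN_HERE` / `YOUR_HS_TOKEN_HERE` placeholders should also be accompanied by a sentence on how to generate them (long random values, never reused across bridges), since these tokens grant appservice-level access to the homeserver.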
@@ -448,34 +455,27 @@ synapse:

**WhatsApp** (`bridges/whatsapp/config/config.yaml`):
```yaml
bridge:
double_puppet:
secrets:
your-domain.com: as_token:YOUR_AS_TOKEN_HERE
# mautrix-whatsapp uses top-level sections (megabridge format)
double_puppet:
secrets:
your-domain.com: as_token:YOUR_AS_TOKEN_HERE

# Disable encryption (not compatible with MAS)
encryption:
allow: false
default: false
msc4190: false
self_sign: false
allow_key_sharing: true
encryption:
allow: false
default: false
msc4190: false
```

**Signal** (`bridges/signal/config/config.yaml`):
```yaml
bridge:
double_puppet:
secrets:
your-domain.com: as_token:YOUR_AS_TOKEN_HERE
double_puppet:
secrets:
your-domain.com: as_token:YOUR_AS_TOKEN_HERE

# Disable encryption (not compatible with MAS)
encryption:
allow: false
default: false
msc4190: false
self_sign: false
allow_key_sharing: true
encryption:
allow: false
default: false
msc4190: false
```

**Telegram** (`bridges/telegram/config/config.yaml`):
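Review bot: the WhatsApp block gained the comment "# mautrix-whatsapp uses top-level sections (megabridge format)" but the Signal block, which received the identical un-nesting, has no equivalent comment; add one so readers do not conclude Signal still expects `bridge:` nesting. Since both examples set `allow: false`, one sentence on the consequence would help too: bridged rooms must stay unencrypted, and inviting a bridge bot into an encrypted room produces the Synapse NotImplementedError documented later in this guide.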
@@ -548,25 +548,11 @@ docker restart matrix-bridge-telegram
❌ **Not Working** (Known Issue):
- Encrypted Matrix rooms → Synapse NotImplementedError with MAS + MSC4190

### Future: When Synapse Fixes MSC4190 + MAS
### Future: When MAS Appservice Login Is Supported

When Synapse fixes the MSC4190 + MAS compatibility issue:
Bridge encryption via MSC4190 requires appservice login support in MAS, which is not yet implemented. Track progress at https://github.com/element-hq/matrix-authentication-service/issues/3206.

1. Update bridge configs:
```yaml
encryption:
allow: true
default: false # Or true if you want encryption by default
msc4190: true
self_sign: true
```

2. Restart bridges:
```bash
docker restart matrix-bridge-whatsapp matrix-bridge-signal matrix-bridge-telegram
```

3. Encrypted rooms will work automatically
When it lands, update bridge configs to re-enable encryption (fields vary by bridge type — check the bridge's generated `config.yaml` for the correct structure) and restart the bridge containers.

### Troubleshooting Double Puppet


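Review bot: the replacement sentence "fields vary by bridge type" is vaguer than the block it replaces; `allow`, `default` and `msc4190` are exactly the keys shown in the WhatsApp and Signal snippets earlier in this file, and only `self_sign` was the non-existent field, so the guide can keep naming those three as the values to flip (with `default` left to the operator) rather than sending readers to the generated config. Keeping the one-line `docker restart` for the three bridge containers would also preserve a concrete restart step.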
@@ -160,7 +160,7 @@ PostgreSQL

1. Run deployment script, choose production mode
2. Use `docker-compose.production.yml` but remove Caddy service
3. Expose ports 8008, 8080, 8090 to Caddy server only (firewall)
3. Expose ports 8008, 8080, 8083, 8091 to Caddy server only (firewall)
4. Start services

## Data Persistence and Backups

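Review bot: the exposed-port list (8008, 8080, 8083, 8091) and the SETUP.md port-conflict grep changed in this same commit (`8008|8080|8082|8091`) disagree: 8082 is checked but not exposed here, and 8083 is exposed here but not checked. If 8082 is intentionally internal-only, say so; otherwise one of the two lists is missing a port. Naming the service behind each port (the commit message gives 8083 = element-call, 8091 = element-admin) would also make the firewall rule auditable instead of a bare number list.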
@@ -709,16 +709,21 @@ Navigate to: `https://element.example.com`

### 13a. Open admin interface

Navigate to: `http://YOUR_SERVER_IP:8081`
Navigate to: `http://YOUR_SERVER_IP:8091`

**⚠️ Security Note:** This interface has no authentication by default. Restrict access by IP in production!
Element Admin authenticates via MAS (OIDC). The `docker-compose.yml` service definition must include:
```yaml
environment:
SERVER_NAME: "matrix.example.com"
OIDC_CLIENT_ID: "01ADMN00000000000000000000"
OIDC_ISSUER: "https://auth.example.com/"
```
These are included in the provided `docker-compose.yml`. In production, restrict port 8091 to the Caddy server's IP via firewall.

### 13b. Connect to homeserver

1. Enter homeserver URL: `https://matrix.example.com`
2. Enter username: `admin`
3. Enter password: (from Step 11a)
4. Click **"Sign In"**
1. The interface will redirect to MAS for login automatically
2. Log in with your admin account credentials

**✓ You should see:**
- Admin dashboard loaded
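Review bot: `http://YOUR_SERVER_IP:8091` is the bare backend port, while the new closing sentence says production traffic must reach 8091 only from the Caddy server; state which URL applies in production (the proxied hostname) so the instruction and the firewall rule do not contradict each other. Two details worth a sentence each: `OIDC_ISSUER` has to match the issuer MAS advertises character-for-character, trailing slash included, or OIDC discovery fails; and the text should say where the client with `OIDC_CLIENT_ID: "01ADMN00000000000000000000"` is registered in the MAS configuration, since MAS refuses the redirect for an unknown client id and the reader will otherwise have no idea why login loops.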
@@ -937,7 +942,7 @@ curl https://matrix.example.com/_matrix/client/versions

1. Find what's using the ports:
```bash
sudo netstat -tlnp | grep -E '8008|8080|8082|8081|5432'
sudo netstat -tlnp | grep -E '8008|8080|8082|8091|5432'
```

2. Either:

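Review bot: the grep pattern (`8008|8080|8082|8091|5432`) omits 8083, which PRODUCTION_DEPLOYMENT.md in this same commit now exposes for element-call; add it so the conflict check covers every port the stack listens on. `netstat` also comes from the deprecated net-tools package that many current distributions no longer install by default; `sudo ss -tlnp | grep -E '...'` is the drop-in replacement and would spare readers a "command not found" detour.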