fix(docker): fix vmalert rules scope + disable synapse OIDC

vmalert: was copying prometheus.yml into /etc/alerts/ causing parse failure. Now only copies alerts.yml (the actual rules file). synapse: mana-auth (Better Auth) has no OIDC discovery endpoint, so disable OIDC and enable password auth until OIDC is implemented. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-15 01:41:08 +02:00 · 2026-03-30 18:33:56 +02:00 · 2026-03-30 18:33:56 +02:00 · e21e09be1e
commit e21e09be1e
parent d0c2302d39
2 changed files with 11 additions and 22 deletions
--- a/docker-compose.macmini.yml
+++ b/docker-compose.macmini.yml
@ -1736,7 +1736,7 @@ services:
        condition: service_healthy
      alertmanager:
        condition: service_healthy
-    entrypoint: ["sh", "-c", "mkdir -p /etc/alerts && cp /mnt/alerts-config/*.yml /etc/alerts/ 2>/dev/null; exec /vmalert-prod -datasource.url=http://victoriametrics:9090 -notifier.url=http://alertmanager:9093 -remoteWrite.url=http://victoriametrics:9090 -remoteRead.url=http://victoriametrics:9090 -rule='/etc/alerts/*.yml' -evaluationInterval=30s -httpListenAddr=:8880"]
+    entrypoint: ["sh", "-c", "mkdir -p /etc/alerts && cp /mnt/alerts-config/alerts.yml /etc/alerts/ 2>/dev/null; exec /vmalert-prod -datasource.url=http://victoriametrics:9090 -notifier.url=http://alertmanager:9093 -remoteWrite.url=http://victoriametrics:9090 -remoteRead.url=http://victoriametrics:9090 -rule='/etc/alerts/alerts.yml' -evaluationInterval=30s -httpListenAddr=:8880"]
    volumes:
      - ./docker/prometheus:/mnt/alerts-config:ro
    ports:
--- a/docker/matrix/config/homeserver.yaml
+++ b/docker/matrix/config/homeserver.yaml
@ -74,10 +74,10 @@ url_preview_ip_range_blacklist:
 enable_registration: false
 enable_registration_without_verification: false

-# Password config (disabled - all users authenticate via OIDC/SSO)
+# Password config (enabled - OIDC not yet available from mana-auth)
 password_config:
-  enabled: false
-  localdb_enabled: false
+  enabled: true
+  localdb_enabled: true
  pepper: "${SYNAPSE_PASSWORD_PEPPER:-change-me-pepper}"

 # Session lifetime (must be >= refresh_token_lifetime)
@ -196,24 +196,13 @@ run_background_tasks_on: synapse
 # OIDC / SSO Configuration (Mana Core Auth)
 # ============================================

-# Enable SSO via Mana Core Auth OIDC Provider
-oidc_providers:
-  - idp_id: manacore
-    idp_name: "Mana Core"
-    idp_brand: "org.matrix.custom"
-    discover: true
-    issuer: "https://auth.mana.how"
-    client_id: "matrix-synapse"
-    client_secret: "6dc67d2dbea5c19409d21cbaec5ba77265b0296796d4ebb015d70209c68f3fd5"
-    scopes: ["openid", "profile", "email"]
-    user_mapping_provider:
-      config:
-        subject_claim: "sub"
-        localpart_template: "{{ user.email.split('@')[0] }}"
-        display_name_template: "{{ user.name }}"
-        email_template: "{{ user.email }}"
-    allow_existing_users: true
-    enable_registration: true
+# OIDC disabled: mana-auth (Better Auth) does not expose OIDC discovery endpoints
+# TODO: add OIDC provider support to mana-auth, then re-enable this
+# oidc_providers:
+#   - idp_id: manacore
+#     issuer: "https://auth.mana.how"
+#     client_id: "matrix-synapse"
+#     ...

 # SSO UI Settings
 sso: