[mod] role:synapse:sqlite and oidc support

2023-12-17 00:22:51 +01:00 · 2023-12-17 00:22:51 +01:00 · 0c854987fe
commit 0c854987fe
parent 7199e7d069
3 changed files with 62 additions and 13 deletions
--- a/ansible/roles/synapse/defaults/main.json
+++ b/ansible/roles/synapse/defaults/main.json
@ -1,17 +1,24 @@
 {
 	"var_synapse_scheme": "https",
 	"var_synapse_domain": "matrix.example.org",
-	"var_synaspe_database_kind": "postgresql",
+	"var_synaspe_database_kind": "sqlite",
+	"var_synaspe_database_sqlite_path": "/var/synapse/data.sqlite",
 	"var_synaspe_database_postgresql_host": "localhost",
 	"var_synaspe_database_postgresql_port": "5432",
 	"var_synaspe_database_postgresql_username": "synapse_user",
-	"var_synaspe_database_postgresql_password": "synapse_password",
+	"var_synaspe_database_postgresql_password": "REPLACE_ME",
 	"var_synaspe_database_postgresql_schema": "synapse",
 	"var_synapse_element_url": "https://element.example.org",
 	"var_synapse_title": "Example | Matrix",
 	"var_synapse_federation_whitelist": "[]",
 	"var_synapse_password_strict_policy": "true",
 	"var_synapse_registration_shared_secret": "REPLACE_ME",
+	"var_synapse_oidc_enable": false,
+	"var_synapse_oidc_provider_id": "external_auth",
+	"var_synapse_oidc_provider_name": "external auth",
+	"var_synapse_oidc_client_id": "synapse",
+	"var_synapse_oidc_client_secret": "REPLACE_ME",
+	"var_synapse_oidc_issuer_url": "https://auth.example.org",
 	"var_synapse_smtp_host": "smtp.example.org",
 	"var_synapse_smtp_port": "587",
 	"var_synapse_smtp_username": "matrix@smtp.example.org",
--- a/ansible/roles/synapse/tasks/main.json
+++ b/ansible/roles/synapse/tasks/main.json
@ -33,10 +33,23 @@
 		"ansible.builtin.apt": {
 			"update_cache": true,
 			"pkg": [
+				"python3-authlib",
 				"matrix-synapse"
 			]
 		}
 	},
+	{
+		"name": "directories",
+		"become": true,
+		"loop": [
+			"/var/synapse"
+		],
+		"ansible.builtin.file": {
+			"state": "directory",
+			"path": "{{item}}",
+			"owner": "matrix-synapse"
+		}
+	},
 	{
 		"name": "emplace configuration",
 		"become": true,
--- a/ansible/roles/synapse/templates/homeserver.yaml.j2
+++ b/ansible/roles/synapse/templates/homeserver.yaml.j2
@ -1,3 +1,10 @@
+{% if var_synaspe_database_kind == 'sqlite' %}
+database:
+  name: sqlite3
+  args:
+    database: {{var_synaspe_database_sqlite_path}}
+{% endif %}
+
 {% if var_synaspe_database_kind == 'postgresql' %}
 database:
  name: psycopg2
@ -31,7 +38,7 @@ listeners:
      - '127.0.0.1'
    type: http
    tls: false
-    x_forwarded: false
+    x_forwarded: true
    resources:
      - names: [client]
        compress: true
@ -78,12 +85,42 @@ url_preview_enabled: false
 max_spider_size: "10M"

 enable_registration_captcha: false
-
 recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"

-enable_registration_without_verification: true
+registration_shared_secret: "{{var_synapse_registration_shared_secret}}"

+{% if var_synapse_oidc_enable %}
+enable_registration: false
+enable_registration_without_verification: false
+{% else %}
 enable_registration: true
+enable_registration_without_verification: true
+{% endif %}
+
+oidc_config:
+  user_mapping_provider:
+    config:
+      # NOT an Ansible variable
+      localpart_template: "{{"{{"}} user.preferred_username {{"}}"}}"
+
+{% if var_synapse_oidc_enable %}
+oidc_providers:
+  - idp_id: "{{var_synapse_oidc_provider_id}}"
+    idp_name: "{{var_synapse_oidc_provider_name}}"
+    # idp_icon: "mxc://authelia.com/cKlrTPsGvlpKxAYeHWJsdVHI"
+    discover: true
+    issuer: "{{var_synapse_oidc_issuer_url}}"
+    client_id: "{{var_synapse_oidc_client_id}}"
+    client_secret: "{{var_synapse_oidc_client_secret}}"
+    scopes: ["openid", "profile", "email"]
+    allow_existing_users: true
+    user_mapping_provider:
+      config:
+        subject_claim: "sub"
+        localpart_template: "{{"{{"}} user.preferred_username {{"}}"}}"
+        display_name_template: "{{"{{"}} user.name {{"}}"}}"
+        email_template: "{{"{{"}} user.email {{"}}"}}"
+{% endif %}

 account_validity:

@ -118,12 +155,6 @@ saml2_config:
  user_mapping_provider:
    config:

-oidc_config:
-  user_mapping_provider:
-    config:
-      # NOT an Ansible variable
-      localpart_template: "{{"{{"}} user.preferred_username {{"}}"}}"
-
 password_config:
   enabled: true
   policy:
@ -148,5 +179,3 @@ enable_group_creation: true

 templates:
  custom_templates_directory: "/etc/matrix-synapse/templates"
-
-registration_shared_secret: "{{var_synapse_registration_shared_secret}}"