From 0c854987feb03a2b2652c803b9667ff4d35d42b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Sun, 17 Dec 2023 00:22:51 +0100
Subject: [PATCH] [mod] role:synapse:sqlite and oidc support
---
 ansible/roles/synapse/defaults/main.json | 11 +++-
 ansible/roles/synapse/tasks/main.json | 13 +++++
 .../synapse/templates/homeserver.yaml.j2 | 51 +++++++++++++++----
 3 files changed, 62 insertions(+), 13 deletions(-)
diff --git a/ansible/roles/synapse/defaults/main.json b/ansible/roles/synapse/defaults/main.json
index 32550cb..fe0f604 100644
--- a/ansible/roles/synapse/defaults/main.json
+++ b/ansible/roles/synapse/defaults/main.json
@@ -1,17 +1,24 @@
 {
  "var_synapse_scheme": "https",
  "var_synapse_domain": "matrix.example.org",
- "var_synaspe_database_kind": "postgresql",
+ "var_synaspe_database_kind": "sqlite",
+ "var_synaspe_database_sqlite_path": "/var/synapse/data.sqlite",
  "var_synaspe_database_postgresql_host": "localhost",
  "var_synaspe_database_postgresql_port": "5432",
  "var_synaspe_database_postgresql_username": "synapse_user",
- "var_synaspe_database_postgresql_password": "synapse_password",
+ "var_synaspe_database_postgresql_password": "REPLACE_ME",
  "var_synaspe_database_postgresql_schema": "synapse",
  "var_synapse_element_url": "https://element.example.org",
  "var_synapse_title": "Example | Matrix",
  "var_synapse_federation_whitelist": "[]",
  "var_synapse_password_strict_policy": "true",
  "var_synapse_registration_shared_secret": "REPLACE_ME",
+ "var_synapse_oidc_enable": false,
+ "var_synapse_oidc_provider_id": "external_auth",
+ "var_synapse_oidc_provider_name": "external auth",
+ "var_synapse_oidc_client_id": "synapse",
+ "var_synapse_oidc_client_secret": "REPLACE_ME",
+ "var_synapse_oidc_issuer_url": "https://auth.example.org",
  "var_synapse_smtp_host": "smtp.example.org",
  "var_synapse_smtp_port": "587",
  "var_synapse_smtp_username": "matrix@smtp.example.org",
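Review bot: The role default for `var_synaspe_database_kind` flips from `postgresql` to `sqlite`, and upstream Synapse documents SQLite as suitable for testing only, so every deployment that does not override this variable now gets a database backend the project itself advises against for production; keeping `postgresql` as the default and making `sqlite` opt-in, or at least noting the trade-off in the role README, would avoid that silent downgrade. The new `var_synaspe_database_sqlite_path` also carries forward the `synaspe` misspelling of the neighbouring keys, which is worth a cleanup while the variable is still new. Separately, `var_synapse_oidc_enable` is a JSON boolean while the adjacent flags such as `var_synapse_password_strict_policy` are strings (`"true"`); because the template tests it with a bare `{% if var_synapse_oidc_enable %}`, an operator who follows the string convention and writes `"false"` would switch OIDC on. Since strict JSON cannot hold a comment, an assert task such as `"that": "var_synapse_oidc_enable | type_debug == 'bool'"` is the practical way to make that requirement enforceable.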
diff --git a/ansible/roles/synapse/tasks/main.json b/ansible/roles/synapse/tasks/main.json
index bbd8a94..fd44ce1 100644
--- a/ansible/roles/synapse/tasks/main.json
+++ b/ansible/roles/synapse/tasks/main.json
@@ -33,10 +33,23 @@
  "ansible.builtin.apt": {
  "update_cache": true,
  "pkg": [
+ "python3-authlib",
  "matrix-synapse"
  ]
  }
  },
+ {
+ "name": "directories",
+ "become": true,
+ "loop": [
+ "/var/synapse"
+ ],
+ "ansible.builtin.file": {
+ "state": "directory",
+ "path": "{{item}}",
+ "owner": "matrix-synapse"
+ }
+ },
  {
  "name": "emplace configuration",
  "become": true,
diff --git a/ansible/roles/synapse/templates/homeserver.yaml.j2 b/ansible/roles/synapse/templates/homeserver.yaml.j2
index e923528..c58e3e7 100644
--- a/ansible/roles/synapse/templates/homeserver.yaml.j2
+++ b/ansible/roles/synapse/templates/homeserver.yaml.j2
@@ -1,3 +1,10 @@
+{% if var_synaspe_database_kind == 'sqlite' %}
+database:
+ name: sqlite3
+ args:
+ database: {{var_synaspe_database_sqlite_path}}
+{% endif %}
+
 {% if var_synaspe_database_kind == 'postgresql' %}
 database:
  name: psycopg2
@@ -31,7 +38,7 @@ listeners:
  - '127.0.0.1'
  type: http
  tls: false
- x_forwarded: false
+ x_forwarded: true
  resources:
  - names: [client]
  compress: true
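Review bot: The new `directories` task creates `/var/synapse` with only `owner` set, so group and mode are left to the filesystem default, and with the role's sqlite default this directory will hold the homeserver's entire database — which in Synapse includes credentials and access tokens — in a location other local accounts can typically list and read. Add `"group": "matrix-synapse"` and `"mode": "0750"` next to `owner` so the database directory is private to the service user. The directory is also hard-coded while the database location is the variable `var_synaspe_database_sqlite_path`; looping over `"{{ var_synaspe_database_sqlite_path | dirname }}"` instead keeps the two from drifting when an operator overrides the path, otherwise Synapse fails to start in a directory the role never created.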
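Review bot: `database: {{var_synaspe_database_sqlite_path}}` in the new sqlite block is rendered unquoted, so a path containing a YAML-significant sequence (`: `, ` #`, a leading `~` or `*`) would parse as something other than the intended string; write it as `database: "{{ var_synaspe_database_sqlite_path }}"`, matching the quoted templated values elsewhere in this file. The sqlite and postgresql `{% if %}` blocks are also mutually exclusive with no fallback, so a typo in `var_synaspe_database_kind` yields a homeserver.yaml with no `database:` key at all and leaves Synapse to whatever its own default is rather than failing the play; an `{% else %}` that aborts, or an assert task on `var_synaspe_database_kind in ['sqlite', 'postgresql']`, would surface that at deploy time. The postgresql block continues outside the hunk.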
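Review bot: Switching `x_forwarded` to `true` makes Synapse take the client address for rate limiting, login records and admin-API IP data from the `X-Forwarded-For` header, which is only safe when everything reaching this listener passes through a reverse proxy that overwrites that header rather than forwarding a client-supplied one. The listener binds `127.0.0.1`, so a local proxy is presumably the only peer, but the role does not configure that proxy, and a proxy that merely appends to the header lets any remote client spoof its source IP. Worth a comment above the line, e.g. `# the reverse proxy in front of this listener must set X-Forwarded-For itself, not pass through a client-supplied value`, and ideally a variable so an unproxied deployment can keep it `false`. The `listeners:` entry begins outside the hunk.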
@@ -78,12 +85,42 @@ url_preview_enabled: false max_spider_size: "10M" enable_registration_captcha: false - recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" -enable_registration_without_verification: true +registration_shared_secret: "{{var_synapse_registration_shared_secret}}" +{% if var_synapse_oidc_enable %} +enable_registration: false +enable_registration_without_verification: false +{% else %} enable_registration: true +enable_registration_without_verification: true +{% endif %} + +oidc_config: + user_mapping_provider: + config: + # NOT an Ansible variable + localpart_template: "{{"{{"}} user.preferred_username {{"}}"}}" + +{% if var_synapse_oidc_enable %} +oidc_providers: + - idp_id: "{{var_synapse_oidc_provider_id}}" + idp_name: "{{var_synapse_oidc_provider_name}}" + # idp_icon: "mxc://authelia.com/cKlrTPsGvlpKxAYeHWJsdVHI" + discover: true + issuer: "{{var_synapse_oidc_issuer_url}}" + client_id: "{{var_synapse_oidc_client_id}}" + client_secret: "{{var_synapse_oidc_client_secret}}" + scopes: ["openid", "profile", "email"] + allow_existing_users: true + user_mapping_provider: + config: + subject_claim: "sub" + localpart_template: "{{"{{"}} user.preferred_username {{"}}"}}" + display_name_template: "{{"{{"}} user.name {{"}}"}}" + email_template: "{{"{{"}} user.email {{"}}"}}" +{% endif %} account_validity: @@ -118,12 +155,6 @@ saml2_config: user_mapping_provider: config: -oidc_config: - user_mapping_provider: - config: - # NOT an Ansible variable - localpart_template: "{{"{{"}} user.preferred_username {{"}}"}}" - password_config: enabled: true policy: @@ -148,5 +179,3 @@ enable_group_creation: true templates: custom_templates_directory: "/etc/matrix-synapse/templates" - -registration_shared_secret: "{{var_synapse_registration_shared_secret}}"
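Review bot: `allow_existing_users: true` combined with `localpart_template: {{ user.preferred_username }}` means any OIDC login whose `preferred_username` equals an existing Matrix localpart is logged into that account, so unless the IdP guarantees usernames are unique, immutable and not user-chosen, a user who can pick their own `preferred_username` at the provider can take over a pre-existing local account, including an admin's; upstream Synapse presents this option as a migration aid for moving password users to SSO rather than a steady-state setting. Suggest gating it on a variable that defaults off, `allow_existing_users: {{ var_synapse_oidc_allow_existing_users | default(false) | to_json }}`, with a comment stating the IdP assumption, and mapping the localpart from a claim the IdP controls where that is available. Separately, the `{% else %}` branch hard-codes `enable_registration: true` together with `enable_registration_without_verification: true` while captcha stays `false`, i.e. fully open self-registration whenever OIDC is disabled; that matches the file's prior behaviour, but a variable would let operators keep registration closed without editing the template. The unconditional `oidc_config:` stub above the providers list now duplicates the per-provider `localpart_template` and reads as a leftover rather than intended configuration.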