From 3a9de7a7b453cc9ec389b1e452c89237989a1788 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Thu, 17 Oct 2024 23:15:10 +0200
Subject: [PATCH] [int]

---
 roles/authelia-for-mas/defaults/main.json | 2 +-
 roles/authelia-for-mas/vardef.json | 19 +++++++++++++++++
 roles/mas-for-synapse/defaults/main.json | 2 +-
 roles/mas/defaults/main.json | 11 +++++-----
 roles/mas/templates/config-http.json.j2 | 6 +++---
 roles/mas/templates/config-upstream.json.j2 | 19 +++++++++++++++--
 roles/mas/vardef.json | 23 ++++++++++++++++-----
 roles/synapse-and-nginx/info.md | 6 ++++++
 roles/synapse/defaults/main.json | 2 +-
 9 files changed, 72 insertions(+), 18 deletions(-)
 create mode 100644 roles/authelia-for-mas/vardef.json

diff --git a/roles/authelia-for-mas/defaults/main.json b/roles/authelia-for-mas/defaults/main.json
index 636a5cb..58848ef 100644
--- a/roles/authelia-for-mas/defaults/main.json
+++ b/roles/authelia-for-mas/defaults/main.json
@@ -1,6 +1,6 @@
 {
 "var_authelia_for_mas_mas_url_base": "https://mas.example.org",
- "var_authelia_for_mas_id": "mas",
+ "var_authelia_for_mas_id": "01JADRQ54Y0KCQS0AEJQ4YTY36",
 "var_authelia_for_mas_client_id": "mas",
 "var_authelia_for_mas_client_secret": "REPLACE_ME"
 }
diff --git a/roles/authelia-for-mas/vardef.json b/roles/authelia-for-mas/vardef.json
new file mode 100644
index 0000000..798ef2a
--- /dev/null
+++ b/roles/authelia-for-mas/vardef.json
@@ -0,0 +1,19 @@
+{
+ "mas_url_base": {
+ "type": "string",
+ "mandatory": false
+ },
+ "id": {
+ "type": "string",
+ "mandatory": false,
+ "description": "needs to be a ULID"
+ }
+ "client_id": {
+ "type": "string",
+ "mandatory": false
+ },
+ "client_secret": {
+ "type": "string",
+ "mandatory": false
+ }
+}
diff --git a/roles/mas-for-synapse/defaults/main.json b/roles/mas-for-synapse/defaults/main.json
index c90cf80..5802580 100644
--- a/roles/mas-for-synapse/defaults/main.json
+++ b/roles/mas-for-synapse/defaults/main.json
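Review bot: The new vardef is not valid JSON: the `}` that closes the `"id"` entry (right after `"description": "needs to be a ULID"`) is missing the comma before `"client_id"`, so a strict parser rejects the whole file; it should read `},` exactly like the `mas_url_base` entry above it. Separately, `client_secret` is declared `"mandatory": false` although its default in `roles/authelia-for-mas/defaults/main.json` is the placeholder `REPLACE_ME`; the `roles/mas/vardef.json` hunk of this same patch flips `database_password`, `matrix_secret` and `encryption_key` to mandatory for precisely that reason, and this secret deserves the same so a deployment cannot silently register the MAS client in Authelia with the placeholder as its credential. Proposed: `"mandatory": true` for `client_secret`, and a short `"description"` on it noting that the value must equal `var_mas_authentication_upstream_data_authelia_client_secret` on the MAS side, since the two are otherwise unconnected.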
@@ -1,5 +1,5 @@
 {
 "var_mas_for_synapse_synapse_url_base": "https://synapse.example.org",
- "var_mas_for_synapse_client_id": "synapse",
+ "var_mas_for_synapse_client_id": "01JAE3YFB91XFWEDQY0WFDW5VN",
 "var_mas_for_synapse_client_secret": "REPLACE_ME"
 }
diff --git a/roles/mas/defaults/main.json b/roles/mas/defaults/main.json
index 8536c1b..e50f260 100644
--- a/roles/mas/defaults/main.json
+++ b/roles/mas/defaults/main.json
@@ -1,20 +1,21 @@
 {
 "var_mas_user": "mas",
 "var_mas_directory": "/opt/mas",
- "var_mas_server_address": "[::]",
- "var_mas_server_port": 2839,
+ "var_mas_server_server_address": "[::]",
+ "var_mas_server_server_port": 2839,
+ "var_mas_server_server_domain": "mas.example.org",
 "var_mas_database_host": "postgresql.example.org",
 "var_mas_database_port": 5432,
 "var_mas_database_username": "mas_user",
 "var_mas_database_password": "REPLACE_ME",
 "var_mas_database_schema": "mas",
- "var_mas_matrix_server": "localhost:8008",
+ "var_mas_matrix_server": "synapse.example.org",
 "var_mas_matrix_secret": "REPLACE_ME",
- "var_mas_matrix_endpoint": "http://localhost:8008/",
+ "var_mas_matrix_endpoint": "https://synapse.example.org/",
 "var_mas_encryption_key": "REPLACE_ME",
 "var_mas_authentication_upstream_kind": "none",
 "var_mas_authentication_upstream_data_authelia_url_base": "https://authelia.example.org",
- "var_mas_authentication_upstream_data_authelia_auth_method": "client_secret_post",
+ "var_mas_authentication_upstream_data_authelia_auth_method": "client_secret_basic",
 "var_mas_authentication_upstream_data_authelia_scope": "openid profile email",
 "var_mas_authentication_upstream_data_authelia_id": "01JADRQ54Y0KCQS0AEJQ4YTY36",
 "var_mas_authentication_upstream_data_authelia_client_id": "mas",
diff --git a/roles/mas/templates/config-http.json.j2 b/roles/mas/templates/config-http.json.j2
index a05d45e..3ec21c0 100644
--- a/roles/mas/templates/config-http.json.j2
+++ b/roles/mas/templates/config-http.json.j2
@@ -25,7 +25,7 @@
 ],
 "binds": [
 {
- "address": "[{{var_mas_server_address}}]:{{var_mas_server_port | string}}"
+ "address": "{{var_mas_server_server_address}}:{{var_mas_server_server_port | string}}"
 }
 ],
 "proxy_protocol": false
@@ -54,7 +54,7 @@
 "fd00::/8",
 "::1/128"
 ],
- "public_base": "http://{{var_mas_server_address}}:{{var_mas_server_port | string}}/",
- "issuer": "http://{{var_mas_server_address}}:{{var_mas_server_port | string}}/"
+ "public_base": "https://{{var_mas_server_server_domain}}/",
+ "issuer": "https://{{var_mas_server_server_domain}}/"
 }
 }
diff --git a/roles/mas/templates/config-upstream.json.j2 b/roles/mas/templates/config-upstream.json.j2
index 5b246fd..220db66 100644
--- a/roles/mas/templates/config-upstream.json.j2
+++ b/roles/mas/templates/config-upstream.json.j2
@@ -11,9 +11,24 @@
 "token_endpoint": "{{var_mas_authentication_upstream_data_authelia_url_base}}/api/oidc/token",
 "token_endpoint_auth_method": "{{var_mas_authentication_upstream_data_authelia_auth_method}}",
 "scope": "{{var_mas_authentication_upstream_data_authelia_scope}}",
+ "discovery_mode": "insecure",
 "client_id": "{{var_mas_authentication_upstream_data_authelia_client_id}}",
- "client_secret": "{{var_mas_authentication_upstream_data_authelia_client_secret}}"
- }
+ "client_secret": "{{var_mas_authentication_upstream_data_authelia_client_secret}}",
+ "claims_imports": {
+ "localpart": {
+ "action": "require",
+ "template": "{{"{{"}} user.preferred_username {{"}}"}}"
+ },
+ "displayname": {
+ "action": "suggest",
+ "template": "{{"{{"}} user.name {{"}}"}}"
+ },
+ "email": {
+ "action": "suggest",
+ "template": "{{"{{"}} user.email {{"}}"}}",
+ "set_email_verification": "always"
+ }
+ }
 ]
 }
 {% endif %}
diff --git a/roles/mas/vardef.json b/roles/mas/vardef.json
index 04f210e..176dd0e 100644
--- a/roles/mas/vardef.json
+++ b/roles/mas/vardef.json
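Review bot: The `issuer` now renders as `https://{{var_mas_server_server_domain}}/`, but `roles/synapse/defaults/main.json` in this same patch still defaults `var_synapse_authentication_data_mas_url_base` to `http://localhost:2839`; if that value is what Synapse is handed as the MAS issuer, the two no longer agree, and an issuer mismatch is normally rejected outright, so the Synapse default should become `https://mas.example.org` or be derived from the same domain variable. The `https://` scheme for `public_base`/`issuer` also presumes a TLS-terminating reverse proxy in front of the plain-HTTP bind on port 2839, which the `info.md` ToDo added by this patch says is not wired up yet — worth stating in the vardef `"description"` for the domain entry so nobody deploys the issuer URL before the proxy exists. Finally, dropping the `[...]` around the bind address means `var_mas_server_server_address` must itself carry brackets for IPv6 literals; the default `[::]` does, but a `"description": "IPv6 literals must be bracketed, e.g. [::]"` on that vardef entry would keep a bare `::1` from producing an unparseable bind. The CIDR list that precedes `public_base` begins outside the hunk.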
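Review bot: The rendered JSON is now unbalanced: the removed `- }` closed the provider object, but the added lines only close `email` and `claims_imports` (the two `+ }` before the context ` ]`), so the provider entry is never closed and MAS will fail to parse the generated config; a third `}` is needed between the last `+ }` and ` ]` (the hunk counts, 9 old versus 24 new lines, confirm that only two closing braces were added). `"discovery_mode": "insecure"` is hard-coded and, as I read the MAS upstream-provider documentation, disables the strict validation of the provider's discovery document (issuer consistency checks); since the template already pins `token_endpoint` and the other endpoints explicitly, the strict default or `"disabled"` is the safer choice, and if Authelia genuinely requires `insecure` that belongs in a variable whose vardef `"description"` records why. `"set_email_verification": "always"` marks every upstream `user.email` as verified with no check of its own; that is only sound when Authelia is the sole, trusted source of identities, so that assumption should be written down next to the variable that enables this provider rather than left implicit. The provider object and the enclosing array start before the hunk.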
@@ -7,6 +7,18 @@
 "type": "string",
 "mandatory": false
 },
+ "server_address": {
+ "type": "string",
+ "mandatory": false
+ },
+ "server_port": {
+ "type": "string",
+ "mandatory": false
+ },
+ "domain": {
+ "type": "string",
+ "mandatory": false
+ },
 "database_host": {
 "type": "string",
 "mandatory": false
@@ -21,7 +33,7 @@
 },
 "database_password": {
 "type": "string",
- "mandatory": false
+ "mandatory": true
 },
 "database_schema": {
 "type": "string",
@@ -33,7 +45,7 @@
 },
 "matrix_secret": {
 "type": "string",
- "mandatory": false
+ "mandatory": true
 },
 "matrix_endpoint": {
 "type": "string",
@@ -41,7 +53,7 @@
 },
 "encryption_key": {
 "type": "string",
- "mandatory": false
+ "mandatory": true
 },
 "authentication_upstream_kind": {
 "nullable": false,
@@ -63,9 +75,10 @@
 "type": "string",
 "mandatory": false
 },
- "authentication_upstream_data_authelia_name": {
+ "authentication_upstream_data_authelia_id": {
 "type": "string",
- "mandatory": false
+ "mandatory": false,
+ "description": "needs to be a ULID"
 },
 "authentication_upstream_data_authelia_client_id": {
 "type": "string",
diff --git a/roles/synapse-and-nginx/info.md b/roles/synapse-and-nginx/info.md
index 7d09e48..686d632 100644
--- a/roles/synapse-and-nginx/info.md
+++ b/roles/synapse-and-nginx/info.md
@@ -6,3 +6,9 @@
 ## Verweise
 - [Synapse-Dokumentation über die Nutzung von Reverse-Proxies](https://matrix-org.github.io/synapse/latest/reverse_proxy.html)
+
+
+## ToDo
+
+- MAS-Einbindung (siehe https://element-hq.github.io/matrix-authentication-service/setup/reverse-proxy.html)
+
diff --git a/roles/synapse/defaults/main.json b/roles/synapse/defaults/main.json
index efda6b0..ba81aba 100644
--- a/roles/synapse/defaults/main.json
+++ b/roles/synapse/defaults/main.json
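Review bot: The three new entries do not line up with the variables this patch introduces elsewhere: going by the `var_<role>_<name>` mapping visible in `roles/authelia-for-mas` (`mas_url_base` ↔ `var_authelia_for_mas_mas_url_base`), `server_address`, `server_port` and `domain` would correspond to `var_mas_server_address`, `var_mas_server_port` and `var_mas_domain`, whereas `roles/mas/defaults/main.json` and `config-http.json.j2` now use `var_mas_server_server_address`, `var_mas_server_server_port` and `var_mas_server_server_domain`, so if the mapping works as I infer, the definitions and the variables will never meet and the new validation silently covers nothing. I would drop the doubled `server_` in the defaults and template (`var_mas_server_address`, `var_mas_server_port`, `var_mas_server_domain`) and name the vardef entries `server_address`, `server_port`, `server_domain` to match. `server_port` is also declared `"type": "string"` while its default is the number `2839` and the template pipes it through `| string`, which indicates a numeric type; it should use whatever type `database_port` (defined outside this hunk) declares. Making `database_password`, `matrix_secret` and `encryption_key` mandatory is the right call, and `authentication_upstream_data_authelia_client_secret`, whose definition also falls outside this hunk, presumably still reads `"mandatory": false` and deserves the same.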
@@ -21,7 +21,7 @@
 "var_synapse_authentication_data_authelia_client_secret": "REPLACE_ME",
 "var_synapse_authentication_data_authelia_url_base": "https://authelia.example.org",
 "var_synapse_authentication_data_mas_url_base": "http://localhost:2839",
- "var_synapse_authentication_data_mas_client_id": "synapse",
+ "var_synapse_authentication_data_mas_client_id": "01JAE3YFB91XFWEDQY0WFDW5VN",
 "var_synapse_authentication_data_mas_client_secret": "REPLACE_ME",
 "var_synapse_authentication_data_mas_admin_token": "REPLACE_ME",
 "var_synapse_authentication_data_mas_provider_id": "mas",