[int]

roles/authelia-for-mas/defaults/main.json

@@ -1,6 +1,6 @@
 {
 	"var_authelia_for_mas_mas_url_base": "https://mas.example.org",
-	"var_authelia_for_mas_id": "mas",
+	"var_authelia_for_mas_id": "01JADRQ54Y0KCQS0AEJQ4YTY36",
 	"var_authelia_for_mas_client_id": "mas",
 	"var_authelia_for_mas_client_secret": "REPLACE_ME"
 }

roles/authelia-for-mas/vardef.json

@@ -0,0 +1,19 @@
+{
+	"mas_url_base": {
+		"type": "string",
+		"mandatory": false
+	},
+	"id": {
+		"type": "string",
+		"mandatory": false,
+		"description": "needs to be a ULID"
+	}
+	"client_id": {
+		"type": "string",
+		"mandatory": false
+	},
+	"client_secret": {
+		"type": "string",
+		"mandatory": false
+	}
+}

roles/mas-for-synapse/defaults/main.json

@@ -1,5 +1,5 @@
 {
 	"var_mas_for_synapse_synapse_url_base": "https://synapse.example.org",
-	"var_mas_for_synapse_client_id": "synapse",
+	"var_mas_for_synapse_client_id": "01JAE3YFB91XFWEDQY0WFDW5VN",
 	"var_mas_for_synapse_client_secret": "REPLACE_ME"
 }

roles/mas/defaults/main.json

@@ -1,20 +1,21 @@
 {
 	"var_mas_user": "mas",
 	"var_mas_directory": "/opt/mas",
-	"var_mas_server_address": "[::]",
-	"var_mas_server_port": 2839,
+	"var_mas_server_server_address": "[::]",
+	"var_mas_server_server_port": 2839,
+	"var_mas_server_server_domain": "mas.example.org",
 	"var_mas_database_host": "postgresql.example.org",
 	"var_mas_database_port": 5432,
 	"var_mas_database_username": "mas_user",
 	"var_mas_database_password": "REPLACE_ME",
 	"var_mas_database_schema": "mas",
-	"var_mas_matrix_server": "localhost:8008",
+	"var_mas_matrix_server": "synapse.example.org",
 	"var_mas_matrix_secret": "REPLACE_ME",
-	"var_mas_matrix_endpoint": "http://localhost:8008/",
+	"var_mas_matrix_endpoint": "https://synapse.example.org/",
 	"var_mas_encryption_key": "REPLACE_ME",
 	"var_mas_authentication_upstream_kind": "none",
 	"var_mas_authentication_upstream_data_authelia_url_base": "https://authelia.example.org",
-	"var_mas_authentication_upstream_data_authelia_auth_method": "client_secret_post",
+	"var_mas_authentication_upstream_data_authelia_auth_method": "client_secret_basic",
 	"var_mas_authentication_upstream_data_authelia_scope": "openid profile email",
 	"var_mas_authentication_upstream_data_authelia_id": "01JADRQ54Y0KCQS0AEJQ4YTY36",
 	"var_mas_authentication_upstream_data_authelia_client_id": "mas",

roles/mas/templates/config-http.json.j2

@@ -25,7 +25,7 @@
 				],
 				"binds": [
 					{
-						"address": "[{{var_mas_server_address}}]:{{var_mas_server_port | string}}"
+						"address": "{{var_mas_server_server_address}}:{{var_mas_server_server_port | string}}"
 					}
 				],
 				"proxy_protocol": false
@@ -54,7 +54,7 @@
 			"fd00::/8",
 			"::1/128"
 		],
-		"public_base": "http://{{var_mas_server_address}}:{{var_mas_server_port | string}}/",
-		"issuer": "http://{{var_mas_server_address}}:{{var_mas_server_port | string}}/"
+		"public_base": "https://{{var_mas_server_server_domain}}/",
+		"issuer": "https://{{var_mas_server_server_domain}}/"
 	}
 }

roles/mas/templates/config-upstream.json.j2

@@ -11,9 +11,24 @@
 				"token_endpoint": "{{var_mas_authentication_upstream_data_authelia_url_base}}/api/oidc/token",
 				"token_endpoint_auth_method": "{{var_mas_authentication_upstream_data_authelia_auth_method}}",
 				"scope": "{{var_mas_authentication_upstream_data_authelia_scope}}",
+				"discovery_mode": "insecure",
 				"client_id": "{{var_mas_authentication_upstream_data_authelia_client_id}}",
-				"client_secret": "{{var_mas_authentication_upstream_data_authelia_client_secret}}"
-			}
+				"client_secret": "{{var_mas_authentication_upstream_data_authelia_client_secret}}",
+				"claims_imports": {
+					"localpart": {
+						"action": "require",
+						"template": "{{"{{"}} user.preferred_username {{"}}"}}"
+					},
+					"displayname": {
+						"action": "suggest",
+						"template": "{{"{{"}} user.name {{"}}"}}"
+					},
+					"email": {
+						"action": "suggest",
+						"template": "{{"{{"}} user.email {{"}}"}}",
+						"set_email_verification": "always"
+					}
+				}
 		]
 	}
 {% endif %}	

roles/mas/vardef.json

@@ -7,6 +7,18 @@
 		"type": "string",
 		"mandatory": false
 	},
+	"server_address": {
+		"type": "string",
+		"mandatory": false
+	},
+	"server_port": {
+		"type": "string",
+		"mandatory": false
+	},
+	"domain": {
+		"type": "string",
+		"mandatory": false
+	},
 	"database_host": {
 		"type": "string",
 		"mandatory": false
@@ -21,7 +33,7 @@
 	},
 	"database_password": {
 		"type": "string",
-		"mandatory": false
+		"mandatory": true
 	},
 	"database_schema": {
 		"type": "string",
@@ -33,7 +45,7 @@
 	},
 	"matrix_secret": {
 		"type": "string",
-		"mandatory": false
+		"mandatory": true
 	},
 	"matrix_endpoint": {
 		"type": "string",
@@ -41,7 +53,7 @@
 	},
 	"encryption_key": {
 		"type": "string",
-		"mandatory": false
+		"mandatory": true
 	},
 	"authentication_upstream_kind": {
 		"nullable": false,
@@ -63,9 +75,10 @@
 		"type": "string",
 		"mandatory": false
 	},
-	"authentication_upstream_data_authelia_name": {
+	"authentication_upstream_data_authelia_id": {
 		"type": "string",
-		"mandatory": false
+		"mandatory": false,
+		"description": "needs to be a ULID"
 	},
 	"authentication_upstream_data_authelia_client_id": {
 		"type": "string",

roles/synapse-and-nginx/info.md

@@ -6,3 +6,9 @@
 ## Verweise
 
 - [Synapse-Dokumentation über die Nutzung von Reverse-Proxies](https://matrix-org.github.io/synapse/latest/reverse_proxy.html)
+
+
+## ToDo
+
+- MAS-Einbindung (siehe https://element-hq.github.io/matrix-authentication-service/setup/reverse-proxy.html)
+

roles/synapse/defaults/main.json

@@ -21,7 +21,7 @@
 	"var_synapse_authentication_data_authelia_client_secret": "REPLACE_ME",
 	"var_synapse_authentication_data_authelia_url_base": "https://authelia.example.org",
 	"var_synapse_authentication_data_mas_url_base": "http://localhost:2839",
-	"var_synapse_authentication_data_mas_client_id": "synapse",
+	"var_synapse_authentication_data_mas_client_id": "01JAE3YFB91XFWEDQY0WFDW5VN",
 	"var_synapse_authentication_data_mas_client_secret": "REPLACE_ME",
 	"var_synapse_authentication_data_mas_admin_token": "REPLACE_ME",
 	"var_synapse_authentication_data_mas_provider_id": "mas",