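---
# tasks file for synapse
#
# Adds the small-hack Helm repository, refreshes the local repo index when the
# repository entry changed, and installs/upgrades the `matrix` release with the
# values below (Synapse, PostgreSQL, Element, coturn, mail relay, MAS).
#
# NOTE(review): this file was re-indented from a whitespace-collapsed copy. The
# nesting of the `values:` stanzas follows the chart's layout as far as it can be
# read from the key names — verify it against the chart's values.yaml before
# relying on it.

- name: Add Small Hack repo
  kubernetes.core.helm_repository:
    name: small-hack-matrix
    repo_url: https://small-hack.github.io/matrix-chart
  register: repo

- name: Update Helm repos
  # Only refresh the index when the repository entry above was added or changed.
  ansible.builtin.command: helm repo update
  when: repo.changed

- name: Deploy Matrix
  kubernetes.core.helm:
    name: matrix
    chart_ref: small-hack-matrix/matrix
    release_namespace: matrix
    create_namespace: true
    values:
      matrix:
        serverName: eom.dev
        hostname: synapse.eom.dev
        adminEmail: synapse@eom.dev
        encryptByDefault: all
        federation:
          enabled: true
          ingress:
            enabled: true
            host: eom.dev
            className: nginx
            annotations:
              nginx.ingress.kubernetes.io/configuration-snippet: |
                proxy_intercept_errors off;
              cert-manager.io/cluster-issuer: ca-issuer
            tls:
              enabled: true
              host: eom.dev
        oidc:
          enabled: false
          providers:
            - idp_id: github
              idp_name: Github
              idp_brand: "github"  # optional: styling hint for clients
              # GitHub publishes no OIDC discovery document, so endpoints are given explicitly.
              discover: false
              issuer: "https://github.com/"
              client_id: "{{ matrix_github_oidc_client_id }}"  # TO BE FILLED
              client_secret: "{{ matrix_github_oidc_client_secret }}"  # TO BE FILLED
              authorization_endpoint: "https://github.com/login/oauth/authorize"
              token_endpoint: "https://github.com/login/oauth/access_token"
              userinfo_endpoint: "https://api.github.com/user"
              scopes: ["read:user"]
              allow_existing_users: true
              enable_registration: false
              user_mapping_provider:
                config:
                  subject_claim: "id"
                  # The outer {{ }} is rendered by Ansible; the inner '{{ user.login }}'
                  # is a literal handed on for the homeserver's own templating.
                  localpart_template: "{{ '{{ user.login }}' | quote }}"
                  display_name_template: "{{ '{{ user.name }}' | quote }}"
            - idp_id: google
              idp_name: Google
              idp_brand: "google"
              issuer: "https://accounts.google.com/"
              client_id: "{{ matrix_google_oidc_client_id }}"  # TO BE FILLED
              client_secret: "{{ matrix_google_oidc_client_secret }}"  # TO BE FILLED
              scopes: ["openid", "profile", "email"]  # email is optional, read below
              allow_existing_users: true
              enable_registration: false
              user_mapping_provider:
                config:
                  localpart_template: "{{ '{{ user.given_name|lower }}' | quote }}"
                  display_name_template: "{{ '{{ user.name }}' | quote }}"
                  email_template: "{{ '{{ user.email }}' | quote }}"  # needs "email" in scopes above
        # NOTE(review): the next four keys are raw Synapse homeserver options; whether
        # the chart honours them at this level (rather than under homeserverExtra)
        # should be checked against the chart templates.
        allow_public_rooms_over_federation: true
        allow_public_rooms_without_auth: true
        # NOTE(review): setting ip_range_blacklist replaces Synapse's default list,
        # which also covers private (RFC 1918) and link-local ranges; with only
        # loopback listed, outbound requests (URL previews, federation) are no longer
        # blocked from reaching in-cluster/private addresses. Confirm this is intended.
        ip_range_blacklist:
          - 127.0.0.0/8
        registration:
          enabled: false
          allowGuests: false
          # Room aliases start with '#', which YAML reads as a comment when unquoted
          # (the list would silently become four nulls) — keep them quoted.
          autoJoinRooms:
            - '#main:eom.dev'
            - '#announcements:eom.dev'
            - '#general:eom.dev'
            - '#help:eom.dev'
        serve_server_wellknown: true
        homeserverExtra:
          modules:
            - module: "ldap_auth_provider.LdapAuthProviderModule"
              config:
                enabled: true
                # NOTE(review): plain ldap:// with start_tls: false sends the bind
                # password in cleartext inside the cluster; prefer ldaps:// or
                # start_tls: true if the directory supports it.
                uri: "ldap://openldap.openldap.svc.cluster.local:389"
                mode: search
                start_tls: false
                base: "dc=eom,dc=dev"
                attributes:
                  uid: "uid"
                  mail: "mail"
                  name: "givenName"
                bind_dn: cn=readonly,dc=eom,dc=dev
                bind_password: "{{ openldap_readonly_password }}"
                filter: "(&(objectClass=posixAccount)(memberOf=cn=Synapse Users,ou=Synapse,ou=Services,dc=eom,dc=dev))"
          # experimental_features:
          #   msc3861:
          #     enabled: true
          #     # Synapse will call `{issuer}/.well-known/openid-configuration` to get the OIDC configuration
          #     issuer: http://localhost:8080/
          #     client_id: 0000000000000000000SYNAPSE
          #     client_auth_method: client_secret_basic
          #     client_secret: 5ZrwKXmKdiQfus2J
          #     admin_token: SacP5rWpci6GMqb2
          #     account_management_url: "https://matrix-auth-service.eom.dev/"
      volumes:
        media:
          capacity: 2Ti
      postgresql:
        enabled: true
        persistence:
          enabled: true
        global:
          postgresql:
            auth:
              username: synapse
              password: "{{ synapse_admin_password }}"
        primary:
          persistence:
            size: 2Ti
      synapse:
        ingress:
          className: nginx
          annotations:
            cert-manager.io/cluster-issuer: ca-issuer
            nginx.ingress.kubernetes.io/configuration-snippet: proxy_intercept_errors off;
          hosts:
            - host: synapse.eom.dev
              paths:
                # - path: "/_matrix/client/(r0|v3)/(refresh|login|logout).*"
                #   pathType: ImplementationSpecific
                #   backend:
                #     service:
                #       name: mas
                #       port:
                #         name: http
                - path: /
                  pathType: Prefix
          tls:
            - secretName: synapse-tls
              hosts:
                - synapse.eom.dev
      element:
        enabled: true
        permalinkPrefix: "https://element.eom.dev"
        ingress:
          host: element.eom.dev
          annotations:
            cert-manager.io/cluster-issuer: ca-issuer
      coturn:
        enabled: false
        certificate:
          enabled: true
          host: coturn.eom.dev
          issuer: ca-issuer
        uris:
          - turn:coturn.eom.dev?transport=udp
        allowGuests: true
        service:
          type: NodePort
        image:
          tag: latest  # NOTE(review): mutable tag — pin a version for reproducible deploys
          pullPolicy: IfNotPresent
        externalDatabase:
          enabled: true
          hostname: matrix-postgresql
          username: matrix
          password: "{{ matrix_admin_password }}"
          database: coturn
        postgresql:
          enabled: false
          nameOverride: matrix-coturn-postgresql
          global:
            postgresql:
              auth:
                password: "{{ coturn_admin_password }}"
          primary:
            persistence:
              size: 256Gi
        coturn:
          realm: coturn.eom.dev
          auth:
            username: coturn
            password: "{{ coturn_admin_password }}"
      mail:
        enabled: true
        from: Synapse
        elementUrl: https://element.eom.dev
        relay:
          enabled: false
          external:
            hostname: postfix.eom.dev
            port: "587"
            username: synapse
            password: "{{ synapse_admin_password }}"
      mas:
        enabled: false
        fullnameOverride: mas
        image:
          pullPolicy: IfNotPresent
          tag: latest  # NOTE(review): mutable tag — pin a version for reproducible deploys
        http:
          public_base: https://matrix-auth-service.eom.dev/
        ingress:
          className: nginx
          annotations:
            cert-manager.io/cluster-issuer: ca-issuer
          hosts:
            - host: matrix-auth-service.eom.dev
              paths:
                - path: /
                  pathType: ImplementationSpecific
          tls:
            - secretName: mas-tls
              hosts:
                - matrix-auth-service.eom.dev
        postgresql:
          enabled: false
          global:
            auth:
              password: "{{ matrix_auth_service_admin_password }}"
        mas:
          enabled: false
          http:
            public_base: https://matrix-auth-service.eom.dev/
          policy:
            client_registration:
              allow_host_mismatch: true
              allow_insecure_uris: false
          # NOTE(review): client_secret and matrix.secret below are literal credentials
          # committed with the tasks file (the same values also sit in the commented
          # experimental_features stanza above). Every other secret here is templated
          # from a vault variable; these should be moved to one too, then rotated.
          clients:
            - client_id: 0000000000000000000SYNAPSE
              client_auth_method: client_secret_basic
              client_secret: 5ZrwKXmKdiQfus2J
          matrix:
            homeserver: synapse.eom.dev
            endpoint: https://synapse.eom.dev
            secret: SacP5rWpci6GMqb2
          email:
            from: Matrix Auth Service
            reply_to: No reply
            transport: smtp
            mode: tls
            hostname: postfix.eom.dev
            port: 587
            username: matrix-auth-service
            password: "{{ matrix_auth_service_admin_password }}"
          upstream_oauth2:
            providers:
              - id: 01JG22H4F0G8PYCZ5HVTQVHBC4
                # Google's OIDC issuer (matches the Synapse oidc provider above);
                # discovery is fetched from {issuer}/.well-known/openid-configuration.
                issuer: https://accounts.google.com/
                client_id: "{{ matrix_google_oidc_client_id }}"
                client_secret: "{{ matrix_google_oidc_client_secret }}"
                token_endpoint_auth_method: client_secret_basic
                discovery_mode: oidc
                claims_imports:
                  subject:
                    template: "{{ '{{ user.sub }}' | quote }}"
                  # -- The localpart is the local part of the user's Matrix ID.
                  # For example, on the `example.com` server, if the localpart is `alice`,
                  # the user's Matrix ID will be `@alice:example.com`.
                  localpart:
                    action: require
                    template: "{{ '{{ user.preferred_username }}' | quote }}"
                  # -- The display name is the user's display name.
                  displayname:
                    action: suggest
                    template: "{{ '{{ user.name }}' | quote }}"
                  # -- An email address to import.
                  email:
                    action: suggest
                    template: "{{ '{{ user.email }}' | quote }}"
                    # -- Whether the email address must be marked as verified.
                    # Possible values are:
                    #  - `import`: mark the email address as verified if the upstream provider
                    #    has marked it as verified, using the `email_verified` claim.
                    #    This is the default.
                    #  - `always`: mark the email address as verified
                    #  - `never`: mark the email address as not verified
                    set_email_verification: import
              - id: 01JG2B7DBS6RQRH1TFVZ4BP7H8
                # NOTE(review): GitHub does not serve an OIDC discovery document, so
                # discovery_mode: oidc against this issuer is unlikely to work; the
                # Synapse provider above uses explicit endpoints instead — confirm the
                # equivalent MAS settings before enabling this provider.
                issuer: https://github.com/
                client_id: "{{ matrix_github_oidc_client_id }}"
                client_secret: "{{ matrix_github_oidc_client_secret }}"
                token_endpoint_auth_method: client_secret_basic
                discovery_mode: oidc
                claims_imports:
                  subject:
                    template: "{{ '{{ user.sub }}' | quote }}"
                  # -- The localpart is the local part of the user's Matrix ID.
                  # For example, on the `example.com` server, if the localpart is `alice`,
                  # the user's Matrix ID will be `@alice:example.com`.
                  localpart:
                    action: require
                    template: "{{ '{{ user.preferred_username }}' | quote }}"
                  # -- The display name is the user's display name.
                  displayname:
                    action: suggest
                    template: "{{ '{{ user.name }}' | quote }}"
                  # -- An email address to import.
                  email:
                    action: suggest
                    template: "{{ '{{ user.email }}' | quote }}"
                    # -- Whether the email address must be marked as verified.
                    # Possible values are:
                    #  - `import`: mark the email address as verified if the upstream provider
                    #    has marked it as verified, using the `email_verified` claim.
                    #    This is the default.
                    #  - `always`: mark the email address as verified
                    #  - `never`: mark the email address as not verified
                    set_email_verification: import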