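---
# tasks file for synapse
#
# Installs matrix-authentication-service (MAS) from the small-hack Helm
# chart, backed by the chart's bundled PostgreSQL, fronted by an nginx
# ingress with a cert-manager certificate, and wired to Synapse and to a
# Google OIDC upstream.
#
# Variables this file expects (the credential ones belong in Ansible Vault,
# never as literals in this file):
#   matrix_auth_service_admin_password        - PostgreSQL password
#   matrix_auth_service_smtp_password         - SMTP password for postfix.eom.dev
#   matrix_auth_service_synapse_client_secret - OAuth2 client secret Synapse
#                                               presents to MAS
#   matrix_auth_service_matrix_secret         - shared secret MAS presents to
#                                               Synapse's MAS endpoint
#   matrix_google_oidc_client_id
#   matrix_google_oidc_client_secret
#
# NOTE(review): an earlier revision of this file carried the Synapse client
# secret and the MAS<->Synapse shared secret as plain literals. Anything that
# was ever committed is in git history; rotate those two values on both the
# MAS and Synapse side rather than just moving them into vault.

- name: Add Small Hack repo
  kubernetes.core.helm_repository:
    name: small-hack-matrix-auth-service
    repo_url: https://small-hack.github.io/matrix-authentication-service-chart
  register: repo

# Only refresh the index when the repo was just added; `helm repo update`
# is otherwise a no-op that reports "changed" on every run.
- name: Update Helm repos
  command: helm repo update
  when: repo.changed

- name: Deploy Matrix Auth Service
  # The rendered values contain the database, SMTP, OAuth2 client and
  # Synapse shared secrets; keep them out of task output, logs and --diff.
  # Drop this temporarily if a Helm failure needs the full error text.
  no_log: true
  kubernetes.core.helm:
    name: matrix-auth-service
    chart_ref: small-hack-matrix-auth-service/matrix-authentication-service
    release_namespace: matrix-auth-service
    create_namespace: true
    values:
      fullnameOverride: mas
      image:
        pullPolicy: IfNotPresent
        # TODO(review): `latest` + IfNotPresent means each node runs whatever
        # it happened to cache, and a redeploy cannot be tied to a known MAS
        # release. Pin this to a specific chart/app version once chosen.
        tag: latest
      http:
        public_base: https://matrix-auth-service.eom.dev/
      ingress:
        className: nginx
        annotations:
          cert-manager.io/cluster-issuer: ca-issuer
        hosts:
          - host: matrix-auth-service.eom.dev
            paths:
              - path: /
                pathType: Prefix
        tls:
          - secretName: mas-tls
            hosts:
              - matrix-auth-service.eom.dev
      postgresql:
        enabled: true
        global:
          auth:
            password: "{{ matrix_auth_service_admin_password }}"
      mas:
        http:
          public_base: https://matrix-auth-service.eom.dev/
        policy:
          client_registration:
            # Registered clients must use redirect URIs on their own host and
            # must not use http:// / loopback-style URIs.
            allow_host_mismatch: false
            allow_insecure_uris: false
        clients:
          # Synapse's client registration against MAS. The secret must match
          # the one Synapse is configured with; it is vault-managed, not
          # written here.
          - client_id: 0000000000000000000SYNAPSE
            client_auth_method: client_secret_basic
            client_secret: "{{ matrix_auth_service_synapse_client_secret }}"
        matrix:
          homeserver: synapse.eom.dev
          endpoint: https://synapse.eom.dev
          # Shared secret MAS uses to call Synapse; must equal the value in
          # Synapse's `matrix_authentication_service` / MAS integration config.
          secret: "{{ matrix_auth_service_matrix_secret }}"
        email:
          # NOTE(review): MAS expects a mailbox here (e.g.
          # `"Matrix Auth Service <noreply@eom.dev>"`); a bare display name
          # with no address may be rejected at config load — confirm.
          from: Matrix Auth Service
          reply_to: Matrix Auth Service
          transport: smtp
          # NOTE(review): `tls` is implicit TLS, conventionally port 465;
          # port 587 is usually STARTTLS (`mode: starttls`). Check which
          # listener postfix.eom.dev actually exposes on 587.
          mode: tls
          hostname: postfix.eom.dev
          port: 587
          username: matrix-auth-service
          # Dedicated SMTP credential — previously this reused the PostgreSQL
          # admin password, so a leak of one would have exposed both.
          password: "{{ matrix_auth_service_smtp_password }}"
        upstream_oauth2:
          providers:
            - id: 01JG22H4F0G8PYCZ5HVTQVHBC4
              # With `discovery_mode: oidc`, MAS fetches
              # <issuer>/.well-known/openid-configuration and requires the
              # `iss` claim in Google's ID tokens to match this string.
              # Google's OIDC issuer is https://accounts.google.com, not
              # https://google.com/ (which serves no discovery document).
              issuer: https://accounts.google.com
              human_name: Google
              brand_name: google
              pkce_method: auto
              client_id: "{{ matrix_google_oidc_client_id }}"
              client_secret: "{{ matrix_google_oidc_client_secret }}"
              token_endpoint_auth_method: client_secret_basic
              scope: "openid email profile"
              discovery_mode: oidc
              # The `| quote` wrapping turns each entry into a literal
              # `'{{ user.x }}'` string so Ansible does not try to expand the
              # MAS (minijinja) template itself.
              claims_imports:
                subject:
                  template: "{{ '{{ user.sub }}' | quote }}"

                # -- The localpart is the local part of the user's Matrix ID.
                # For example, on the `example.com` server, if the localpart is `alice`,
                # the user's Matrix ID will be `@alice:example.com`.
                # NOTE(review): Google's ID tokens do not carry a
                # `preferred_username` claim, so `action: require` on it is
                # likely to reject every Google login. MAS's own Google example
                # uses `action: ignore` here (the user picks a localpart) —
                # confirm against a real login before relying on this.
                localpart:
                  action: require
                  template: "{{ '{{ user.preferred_username }}' | quote }}"

                # -- The display name is the user's display name.
                displayname:
                  action: suggest
                  template: "{{ '{{ user.name }}' | quote }}"

                # -- An email address to import.
                email:
                  action: suggest
                  template: "{{ '{{ user.email }}' | quote }}"
                  # -- Whether the email address must be marked as verified.
                  # Possible values are:
                  #  - `import`: mark the email address as verified if the upstream provider
                  #    has marked it as verified, using the `email_verified` claim.
                  #    This is the default.
                  #  - `always`: mark the email address as verified
                  #  - `never`: mark the email address as not verified
                  set_email_verification: import

            # GitHub upstream, currently disabled. NOTE(review): if this is
            # re-enabled, GitHub does not publish an OIDC discovery document,
            # so `discovery_mode: oidc` against https://github.com/ will not
            # work as-is; MAS's GitHub example uses `discovery_mode: disabled`
            # with explicit authorization/token/userinfo endpoints — confirm.
            # - id: 01JG2B7DBS6RQRH1TFVZ4BP7H8
            #   issuer: https://github.com/
            #   client_id: "{{ matrix_github_oidc_client_id }}"
            #   client_secret: "{{ matrix_github_oidc_client_secret }}"
            #   token_endpoint_auth_method: client_secret_basic
            #   discovery_mode: oidc
            #   claims_imports:
            #     subject:
            #       template: "{{ '{{ user.sub }}' | quote }}"
            #
            #     # -- The localpart is the local part of the user's Matrix ID.
            #     # For example, on the `example.com` server, if the localpart is `alice`,
            #     # the user's Matrix ID will be `@alice:example.com`.
            #     localpart:
            #       action: require
            #       template: "{{ '{{ user.preferred_username }}' | quote }}"
            #
            #     # -- The display name is the user's display name.
            #     displayname:
            #       action: suggest
            #       template: "{{ '{{ user.name }}' | quote }}"
            #
            #     # -- An email address to import.
            #     email:
            #       action: suggest
            #       template: "{{ '{{ user.email }}' | quote }}"
            #       # -- Whether the email address must be marked as verified.
            #       # Possible values are:
            #       #  - `import`: mark the email address as verified if the upstream provider
            #       #    has marked it as verified, using the `email_verified` claim.
            #       #    This is the default.
            #       #  - `always`: mark the email address as verified
            #       #  - `never`: mark the email address as not verified
            #       set_email_verification: import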