ansible-role-eom/tasks/matrix-auth-service.yaml

---
# tasks file for matrix-auth-service
# Register the small-hack chart repository that hosts the Matrix
# Authentication Service chart. The result is stored in `repo` so later tasks
# can tell whether the repository definition changed.
- name: Add Small Hack repo
  register: repo
  kubernetes.core.helm_repository:
    repo_url: 'https://small-hack.github.io/matrix-authentication-service-chart'
    name: small-hack-matrix-auth-service
# Refresh the local Helm repository index, but only when the repository
# definition registered in `repo` was just added or modified.
- name: Update Helm repos
  when: repo.changed
  ansible.builtin.command:
    cmd: helm repo update
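# Install the Matrix Authentication Service (MAS) chart and pass its
# configuration as inline Helm values: ingress/TLS, bundled PostgreSQL, the
# Synapse OAuth client, outbound SMTP and the upstream Google OIDC provider.
- name: Deploy Matrix Auth Service
  # The module arguments carry database, SMTP and OAuth credentials. no_log
  # keeps them out of task output and callback logs; lift it temporarily if a
  # failure has to be debugged.
  no_log: true
  kubernetes.core.helm:
    name: matrix-auth-service
    chart_ref: small-hack-matrix-auth-service/matrix-authentication-service
    release_namespace: matrix-auth-service
    create_namespace: true
    values:
      fullnameOverride: mas
      image:
        pullPolicy: IfNotPresent
        # NOTE(review): `latest` is a mutable tag and, combined with
        # IfNotPresent, a node keeps whatever image it pulled first. Pin a
        # release tag or digest so the deployed auth service is reproducible
        # and reviewable.
        tag: latest
      # NOTE(review): placement of this `http` key directly under `values` is
      # inferred; confirm against the chart's values.yaml (the same setting is
      # repeated under `mas.http`).
      http:
        public_base: https://matrix-auth-service.eom.dev/
      ingress:
        className: nginx
        annotations:
          cert-manager.io/cluster-issuer: ca-issuer
        hosts:
          - host: matrix-auth-service.eom.dev
            paths:
              - path: /
                pathType: Prefix
        tls:
          - secretName: mas-tls
            hosts:
              - matrix-auth-service.eom.dev
      postgresql:
        enabled: true
        # NOTE(review): `global` is assumed to nest under `postgresql`;
        # confirm against the chart's values.yaml.
        global:
          auth:
            # NOTE(review): the same variable is also used as the SMTP
            # password below, so one leak exposes both the database and the
            # mail account. Prefer a dedicated credential per service.
            password: "{{ matrix_auth_service_admin_password }}"
      mas:
        http:
          public_base: https://matrix-auth-service.eom.dev/
        policy:
          # Dynamic client registration stays strict: redirect hosts must
          # match and plain-http URIs are refused.
          client_registration:
            allow_host_mismatch: false
            allow_insecure_uris: false
        clients:
          - client_id: '0000000000000000000SYNAPSE'
            client_auth_method: client_secret_basic
            # NOTE(review): hard-coded credential committed to version
            # control. Treat it as exposed: rotate it and supply the new value
            # from a vaulted variable, as the other secrets in this task do.
            client_secret: '5ZrwKXmKdiQfus2J'
        matrix:
          homeserver: synapse.eom.dev
          endpoint: https://synapse.eom.dev
          # NOTE(review): hard-coded shared secret between MAS and the
          # homeserver; rotate and move to a vaulted variable as above.
          secret: 'SacP5rWpci6GMqb2'
        email:
          from: 'Matrix Auth Service <matrix-auth-service@eom.dev>'
          reply_to: 'Matrix Auth Service <matrix-auth-service@eom.dev>'
          transport: smtp
          # NOTE(review): port 587 is conventionally the STARTTLS submission
          # port; confirm the relay accepts implicit TLS there, otherwise the
          # connection fails or the mode needs adjusting.
          mode: tls
          hostname: postfix.eom.dev
          port: 587
          username: matrix-auth-service
          password: "{{ matrix_auth_service_admin_password }}"
        upstream_oauth2:
          providers:
            - id: 01JG22H4F0G8PYCZ5HVTQVHBC4
              # NOTE(review): Google publishes its OpenID Connect issuer as
              # https://accounts.google.com. With discovery_mode `oidc` the
              # configured issuer has to match the discovery document, so
              # verify this value.
              issuer: https://google.com/
              human_name: Google
              brand_name: google
              pkce_method: auto
              client_id: "{{ matrix_google_oidc_client_id }}"
              client_secret: "{{ matrix_google_oidc_client_secret }}"
              token_endpoint_auth_method: client_secret_basic
              scope: "openid email profile"
              discovery_mode: oidc
              # The templates below are meant for MAS, not Ansible: the outer
              # Jinja expression makes Ansible emit the inner `{{ ... }}` text
              # literally instead of evaluating it.
              # NOTE(review): `quote` is a shell-quoting filter, so the
              # rendered value is presumably wrapped in single quotes; check
              # the rendered MAS config to confirm that is what the chart
              # expects.
              claims_imports:
                subject:
                  template: "{{ '{{ user.sub }}' | quote }}"
                # -- The localpart is the local part of the user's Matrix ID.
                # For example, on the `example.com` server, if the localpart is `alice`,
                # the user's Matrix ID will be `@alice:example.com`.
                # NOTE(review): the Matrix ID is derived from a claim asserted
                # by the upstream provider. Confirm Google actually supplies
                # `preferred_username`; with `action: require` a missing claim
                # would block sign-up.
                localpart:
                  action: require
                  template: "{{ '{{ user.preferred_username }}' | quote }}"
                # -- The display name is the user's display name.
                displayname:
                  action: suggest
                  template: "{{ '{{ user.name }}' | quote }}"
                # -- An email address to import.
                email:
                  action: suggest
                  template: "{{ '{{ user.email }}' | quote }}"
                  # -- Whether the email address must be marked as verified.
                  # Possible values are:
                  # - `import`: mark the email address as verified if the upstream provider
                  #   has marked it as verified, using the `email_verified` claim.
                  #   This is the default.
                  # - `always`: mark the email address as verified
                  # - `never`: mark the email address as not verified
                  set_email_verification: import
            # Disabled GitHub provider, kept for reference.
            # - id: 01JG2B7DBS6RQRH1TFVZ4BP7H8
            #   issuer: https://github.com/
            #   client_id: "{{ matrix_github_oidc_client_id }}"
            #   client_secret: "{{ matrix_github_oidc_client_secret }}"
            #   token_endpoint_auth_method: client_secret_basic
            #   discovery_mode: oidc
            #   claims_imports:
            #     subject:
            #       template: "{{ '{{ user.sub }}' | quote }}"
            #
            #     # -- The localpart is the local part of the user's Matrix ID.
            #     # For example, on the `example.com` server, if the localpart is `alice`,
            #     # the user's Matrix ID will be `@alice:example.com`.
            #     localpart:
            #       action: require
            #       template: "{{ '{{ user.preferred_username }}' | quote }}"
            #
            #     # -- The display name is the user's display name.
            #     displayname:
            #       action: suggest
            #       template: "{{ '{{ user.name }}' | quote }}"
            #
            #     # -- An email address to import.
            #     email:
            #       action: suggest
            #       template: "{{ '{{ user.email }}' | quote }}"
            #       # -- Whether the email address must be marked as verified.
            #       # Possible values are:
            #       # - `import`: mark the email address as verified if the upstream provider
            #       #   has marked it as verified, using the `email_verified` claim.
            #       #   This is the default.
            #       # - `always`: mark the email address as verified
            #       # - `never`: mark the email address as not verified
            #       set_email_verification: import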