---
# tasks file for synapse

- name: Add Small Hack repo
  # Registers the chart repository under a local name so the matrix chart can be
  # referenced as small-hack-matrix/matrix; the task result is kept in `repo`
  # so a later task can react to the repository having been (re)added.
  kubernetes.core.helm_repository:
    name: 'small-hack-matrix'
    repo_url: 'https://small-hack.github.io/matrix-chart'
  register: repo
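- name: Update Helm repos
  # Refresh the local chart index only when the repository entry registered by
  # the previous task actually changed. Uses the fully qualified collection
  # name, matching the kubernetes.core.* FQCNs used by the other tasks.
  ansible.builtin.command: helm repo update
  when: repo.changed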
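- name: Deploy Matrix
  # Installs or upgrades the small-hack matrix chart into the `matrix`
  # namespace. Every "{{ ... }}" below is expanded by Ansible when this task
  # runs, so all referenced variables must be defined (from vault) even for
  # components that are disabled here.
  kubernetes.core.helm:
    name: matrix
    chart_ref: small-hack-matrix/matrix
    release_namespace: matrix
    create_namespace: true
    # NOTE(review): the source listing had lost its indentation; the nesting
    # below is reconstructed from key order — confirm against the chart's
    # values.yaml.
    values:
      matrix:
        serverName: eom.dev
        hostname: synapse.eom.dev
        adminEmail: synapse@eom.dev
        encryptByDefault: all
        federation:
          enabled: true
          ingress:
            enabled: true
            host: eom.dev
            className: nginx
            annotations:
              # NOTE(review): recent ingress-nginx releases ignore snippet
              # annotations unless allow-snippet-annotations is enabled on the
              # controller — confirm, otherwise this line has no effect.
              nginx.ingress.kubernetes.io/configuration-snippet: |
                proxy_intercept_errors off;
              cert-manager.io/cluster-issuer: ca-issuer
          tls:
            enabled: true
            host: eom.dev
        oidc:
          enabled: false
          providers:
            - idp_id: github
              idp_name: Github
              idp_brand: "github"  # optional: styling hint for clients
              # Discovery is off and the endpoints are listed explicitly;
              # GitHub's OAuth service does not serve OIDC discovery metadata.
              discover: false
              issuer: "https://github.com/"
              client_id: "{{ matrix_github_oidc_client_id }}"  # TO BE FILLED
              client_secret: "{{ matrix_github_oidc_client_secret }}"  # TO BE FILLED
              authorization_endpoint: "https://github.com/login/oauth/authorize"
              token_endpoint: "https://github.com/login/oauth/access_token"
              userinfo_endpoint: "https://api.github.com/user"
              scopes: ["read:user"]
              allow_existing_users: true
              enable_registration: false
              user_mapping_provider:
                config:
                  subject_claim: "id"
                  # The inner "{{ }}" is quoted so Ansible leaves it for
                  # Synapse's own templating instead of expanding it.
                  localpart_template: "{{ '{{ user.login }}' | quote }}"
                  display_name_template: "{{ '{{ user.name }}' | quote }}"
            - idp_id: google
              idp_name: Google
              idp_brand: "google"
              issuer: "https://accounts.google.com/"
              client_id: "{{ matrix_google_oidc_client_id }}"  # TO BE FILLED
              client_secret: "{{ matrix_google_oidc_client_secret }}"  # TO BE FILLED
              scopes: ["openid", "profile", "email"]  # email is optional, read below
              allow_existing_users: true
              enable_registration: false
              user_mapping_provider:
                config:
                  localpart_template: "{{ '{{ user.given_name|lower }}' | quote }}"
                  display_name_template: "{{ '{{ user.name }}' | quote }}"
                  email_template: "{{ '{{ user.email }}' | quote }}"  # needs "email" in scopes above
        allow_public_rooms_over_federation: true
        # Exposes the public room directory to unauthenticated clients.
        allow_public_rooms_without_auth: true
        # NOTE(review): this replaces Synapse's default ip_range_blacklist,
        # which also covers RFC 1918, link-local and other non-routable
        # ranges. With only loopback listed, outbound fetches (URL previews,
        # media, federation) may reach in-cluster and private addresses —
        # restore the default ranges unless the narrowing is intentional.
        ip_range_blacklist:
          - 127.0.0.0/8
        registration:
          enabled: false
          allowGuests: false
          # Room aliases start with "#", which YAML reads as a comment when
          # unquoted (the original entries parsed as four nulls); keep the
          # quotes.
          autoJoinRooms:
            - "#main:eom.dev"
            - "#announcements:eom.dev"
            - "#general:eom.dev"
            - "#help:eom.dev"
        serve_server_wellknown: true
        homeserverExtra:
          modules:
            - module: "ldap_auth_provider.LdapAuthProviderModule"
              config:
                enabled: true
                # NOTE(review): plain ldap:// with start_tls disabled sends the
                # bind password and user credentials unencrypted across the
                # cluster network; prefer ldaps:// or start_tls: true if the
                # directory supports it.
                uri: "ldap://openldap.openldap.svc.cluster.local:389"
                mode: search
                start_tls: false
                base: "dc=eom,dc=dev"
                attributes:
                  uid: "uid"
                  mail: "mail"
                  name: "givenName"
                bind_dn: cn=readonly,dc=eom,dc=dev
                bind_password: "{{ openldap_readonly_password }}"
                filter: "(&(objectClass=posixAccount)(memberOf=cn=Synapse Users,ou=Synapse,ou=Services,dc=eom,dc=dev))"
          # Pending MAS (MSC3861) delegation. client_secret and admin_token
          # must equal the client_secret / matrix.secret given to the mas
          # subchart below, so they reference the same variables.
          # experimental_features:
          #   msc3861:
          #     enabled: true
          #     # Synapse will call `{issuer}/.well-known/openid-configuration` to get the OIDC configuration
          #     issuer: http://localhost:8080/
          #     client_id: 0000000000000000000SYNAPSE
          #     client_auth_method: client_secret_basic
          #     client_secret: "{{ matrix_auth_service_synapse_client_secret }}"
          #     admin_token: "{{ matrix_auth_service_synapse_admin_token }}"
          #     account_management_url: "https://matrix-auth-service.eom.dev/"
      volumes:
        media:
          capacity: 2Ti
      postgresql:
        enabled: true
        persistence:
          enabled: true
        global:
          postgresql:
            auth:
              username: synapse
              password: "{{ synapse_admin_password }}"
        primary:
          persistence:
            size: 2Ti
      synapse:
        ingress:
          className: nginx
          annotations:
            cert-manager.io/cluster-issuer: ca-issuer
            nginx.ingress.kubernetes.io/configuration-snippet: proxy_intercept_errors off;
          hosts:
            - host: synapse.eom.dev
              paths:
                # Route kept for when MAS takes over login/refresh/logout:
                # - path: "/_matrix/client/(r0|v3)/(refresh|login|logout).*"
                #   pathType: ImplementationSpecific
                #   backend:
                #     service:
                #       name: mas
                #       port:
                #         name: http
                - path: /
                  pathType: Prefix
          tls:
            - secretName: synapse-tls
              hosts:
                - synapse.eom.dev
      element:
        enabled: true
        permalinkPrefix: "https://element.eom.dev"
        ingress:
          host: element.eom.dev
          annotations:
            cert-manager.io/cluster-issuer: ca-issuer
      coturn:
        enabled: false
        certificate:
          enabled: true
          host: coturn.eom.dev
          issuer: ca-issuer
        uris:
          - turn:coturn.eom.dev?transport=udp
        allowGuests: true
        service:
          type: NodePort
        image:
          # NOTE(review): "latest" with IfNotPresent means each node keeps
          # whatever image it first pulled, so rollouts are not reproducible;
          # pin a tag.
          tag: latest
          pullPolicy: IfNotPresent
        externalDatabase:
          enabled: true
          hostname: matrix-postgresql
          username: matrix
          password: "{{ matrix_admin_password }}"
          database: coturn
        postgresql:
          enabled: false
          nameOverride: matrix-coturn-postgresql
          global:
            postgresql:
              auth:
                password: "{{ coturn_admin_password }}"
          primary:
            persistence:
              size: 256Gi
        coturn:
          realm: coturn.eom.dev
          auth:
            username: coturn
            password: "{{ coturn_admin_password }}"
      mail:
        enabled: true
        from: Synapse <synapse@eom.dev>
        elementUrl: https://element.eom.dev
        relay:
          enabled: false
        external:
          hostname: postfix.eom.dev
          port: "587"
          username: synapse
          password: "{{ synapse_admin_password }}"
      mas:
        enabled: false
        fullnameOverride: mas
        image:
          pullPolicy: IfNotPresent
          tag: latest  # NOTE(review): pin a tag, see the coturn image note
        http:
          public_base: https://matrix-auth-service.eom.dev/
        ingress:
          className: nginx
          annotations:
            cert-manager.io/cluster-issuer: ca-issuer
          hosts:
            - host: matrix-auth-service.eom.dev
              paths:
                - path: /
                  pathType: ImplementationSpecific
          tls:
            - secretName: mas-tls
              hosts:
                - matrix-auth-service.eom.dev
        postgresql:
          enabled: false
          global:
            # NOTE(review): the other postgresql sections in this file use
            # global.postgresql.auth; confirm this shorter key path is what the
            # mas subchart reads.
            auth:
              password: "{{ matrix_auth_service_admin_password }}"
        mas:
          enabled: false
          http:
            public_base: https://matrix-auth-service.eom.dev/
          policy:
            client_registration:
              # Relaxes the check that redirect URIs share the client's host;
              # insecure (non-https) URIs stay rejected.
              allow_host_mismatch: true
              allow_insecure_uris: false
          clients:
            - client_id: "0000000000000000000SYNAPSE"
              client_auth_method: client_secret_basic
              # Previously a literal secret committed in this file; it now comes
              # from vault. Treat the committed value as exposed and rotate it.
              client_secret: "{{ matrix_auth_service_synapse_client_secret }}"
          matrix:
            # NOTE(review): MAS documents matrix.homeserver as the server_name
            # (serverName is eom.dev above), not the client-facing hostname —
            # confirm before enabling mas.
            homeserver: synapse.eom.dev
            endpoint: https://synapse.eom.dev
            # Shared secret Synapse presents as admin_token; previously a
            # committed literal, now from vault (rotate the old value).
            secret: "{{ matrix_auth_service_synapse_admin_token }}"
          email:
            from: Matrix Auth Service <matrix-auth-service@eom.dev>
            reply_to: No reply <no-reply@eom.dev>
            transport: smtp
            # NOTE(review): port 587 is the submission port normally paired
            # with STARTTLS; if MAS follows the usual plain/starttls/tls
            # convention, "tls" here means implicit TLS (typically 465).
            # Confirm against the postfix listener.
            mode: tls
            hostname: postfix.eom.dev
            port: 587
            username: matrix-auth-service
            password: "{{ matrix_auth_service_admin_password }}"
          upstream_oauth2:
            providers:
              - id: "01JG22H4F0G8PYCZ5HVTQVHBC4"
                # Changed from https://google.com/ to the issuer the Synapse
                # provider above uses; with discovery_mode: oidc the issuer
                # must serve /.well-known/openid-configuration. Trailing slash
                # kept for consistency with the Synapse block — confirm MAS's
                # issuer comparison accepts it.
                issuer: https://accounts.google.com/
                client_id: "{{ matrix_google_oidc_client_id }}"
                client_secret: "{{ matrix_google_oidc_client_secret }}"
                token_endpoint_auth_method: client_secret_basic
                discovery_mode: oidc
                claims_imports:
                  subject:
                    template: "{{ '{{ user.sub }}' | quote }}"

                  # -- The localpart is the local part of the user's Matrix ID.
                  # For example, on the `example.com` server, if the localpart is `alice`,
                  # the user's Matrix ID will be `@alice:example.com`.
                  # NOTE(review): the Synapse provider above derives the
                  # localpart from given_name; Google does not normally supply
                  # preferred_username, and action: require would then reject
                  # the login — confirm.
                  localpart:
                    action: require
                    template: "{{ '{{ user.preferred_username }}' | quote }}"

                  # -- The display name is the user's display name.
                  displayname:
                    action: suggest
                    template: "{{ '{{ user.name }}' | quote }}"

                  # -- An email address to import.
                  email:
                    action: suggest
                    template: "{{ '{{ user.email }}' | quote }}"
                    # -- Whether the email address must be marked as verified.
                    # Possible values are:
                    #  - `import`: mark the email address as verified if the upstream provider
                    #    has marked it as verified, using the `email_verified` claim.
                    #    This is the default.
                    #  - `always`: mark the email address as verified
                    #  - `never`: mark the email address as not verified
                    set_email_verification: import
              - id: "01JG2B7DBS6RQRH1TFVZ4BP7H8"
                # NOTE(review): the Synapse provider above disables discovery
                # for GitHub, lists its endpoints explicitly and maps
                # `id`/`login` rather than `sub`/`preferred_username`. With
                # discovery_mode: oidc and these templates this provider is
                # unlikely to work as written — confirm against the MAS
                # upstream_oauth2 documentation before enabling mas.
                issuer: https://github.com/
                client_id: "{{ matrix_github_oidc_client_id }}"
                client_secret: "{{ matrix_github_oidc_client_secret }}"
                token_endpoint_auth_method: client_secret_basic
                discovery_mode: oidc
                claims_imports:
                  subject:
                    template: "{{ '{{ user.sub }}' | quote }}"

                  # -- The localpart is the local part of the user's Matrix ID.
                  # For example, on the `example.com` server, if the localpart is `alice`,
                  # the user's Matrix ID will be `@alice:example.com`.
                  localpart:
                    action: require
                    template: "{{ '{{ user.preferred_username }}' | quote }}"

                  # -- The display name is the user's display name.
                  displayname:
                    action: suggest
                    template: "{{ '{{ user.name }}' | quote }}"

                  # -- An email address to import.
                  email:
                    action: suggest
                    template: "{{ '{{ user.email }}' | quote }}"
                    # -- Whether the email address must be marked as verified.
                    # Possible values are:
                    #  - `import`: mark the email address as verified if the upstream provider
                    #    has marked it as verified, using the `email_verified` claim.
                    #    This is the default.
                    #  - `always`: mark the email address as verified
                    #  - `never`: mark the email address as not verified
                    set_email_verification: import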