Add matrix authentication service role

roles/matrix_authentication_service/README.md

@@ -0,0 +1 @@
+Sets up a matrix authentication service podman container.

roles/matrix_authentication_service/defaults/main.yaml

@@ -0,0 +1,5 @@
+---
+matrix_authentication_service_postgres_tag: 16-alpine
+
+matrix_authentication_service_email_smtp_server: ""
+matrix_authentication_service_additional_networks: []

roles/matrix_authentication_service/meta/argument_specs.yaml

@@ -0,0 +1,132 @@
+---
+argument_specs:
+  main:
+    description: "Sets up a matrix authentication service podman container."
+    options:
+      matrix_authentication_service_additional_networks:
+        description: A list of additional podman networks for the matrix authentication service container.
+        type: list
+        required: false
+        default: []
+        elements: str
+      matrix_authentication_service_domain:
+        description: Domain for matrix authentication service
+        type: str
+        required: true
+      matrix_authentication_service_homeserver_name:
+        description: Homserver server name
+        type: str
+        required: true
+      matrix_authentication_service_homeserver_address:
+        description: Address where homeserver is accessible to matrix authentication service
+        type: str
+        required: true
+      matrix_authentication_service_client_secret:
+        description: >
+          See [upstream docs](https://element-hq.github.io/matrix-authentication-service/setup/homeserver.html#provision-a-client-for-the-homeserver-to-use)
+        type: str
+        required: true
+      matrix_authentication_service_homeserver_secret:
+        description: See [upstream docs](https://element-hq.github.io/matrix-authentication-service/reference/configuration.html#matrix)
+        type: str
+        required: true
+      matrix_authentication_service_secrets:
+        description:
+          - Matrix authentication service secrets.
+          - See [upstream docs](https://element-hq.github.io/matrix-authentication-service/reference/configuration.html#secrets) for more info
+        type: dict
+        required: true
+        options:
+          encryption:
+            type: str
+            required: true
+          keys:
+            type: list
+            required: true
+            elements: dict
+            options:
+              kid:
+                type: str
+                required: true
+              key:
+                type: str
+                required: true
+      matrix_authentication_service_email_smtp_server:
+        description: email.smtp_host, set this to enable sending emails
+        type: str
+        required: false
+        default: ""
+      matrix_authentication_service_email_smtp_user:
+        description: Required if matrix_authentication_service_email_smtp_server is set
+        type: str
+      matrix_authentication_service_email_smtp_password:
+        description: Required if matrix_authentication_service_email_smtp_server is set
+        type: str
+      matrix_authentication_service_email_from:
+        description: Required if matrix_authentication_service_email_smtp_server is set
+        type: str
+
+      matrix_authentication_service_upstream_oauth2_client_id:
+        description: See https://element-hq.github.io/matrix-authentication-service/reference/configuration.html#upstream_oauth2providers
+        type: str
+        required: false
+        default: ""
+      matrix_authentication_service_upstream_oauth2_human_name:
+        description: Required if matrix_authentication_service_upstream_oauth2_client_id is set
+        type: str
+      matrix_authentication_service_upstream_oauth2_client_secret:
+        description: Required if matrix_authentication_service_upstream_oauth2_client_id is set
+        type: str
+      matrix_authentication_service_upstream_oauth2_issuer:
+        description: Required if matrix_authentication_service_upstream_oauth2_client_id is set
+        type: str
+      matrix_authentication_service_upstream_oauth2_scope:
+        description: Required if matrix_authentication_service_upstream_oauth2_client_id is set
+        type: str
+      matrix_authentication_service_upstream_oauth2_claims_imports:
+        description: Required if matrix_authentication_service_upstream_oauth2_client_id is set
+        type: dict
+        options:
+          subject:
+            type: dict
+            required: false
+            options:
+              template:
+                type: str
+                required: true
+          localpart:
+            type: dict
+            required: true
+            options:
+              action:
+                type: str
+                required: true
+              template:
+                description: Required if action is not ignore
+                type: str
+          displayname:
+            type: dict
+            required: true
+            options:
+              action:
+                type: str
+                required: true
+              template:
+                description: Required if action is not ignore
+                type: str
+          email:
+            type: dict
+            required: true
+            options:
+              action:
+                type: str
+                required: true
+              template:
+                description: Required if action is not ignore
+                type: str
+
+      matrix_authentication_service_postgres_tag:
+        description: Postgres tag to use for matrix authentication service postgres container
+        type: str
+        required: false
+        default: 16-alpine

roles/matrix_authentication_service/tasks/main.yaml

@@ -0,0 +1,16 @@
+---
+- name: Matrix authentication service container
+  ansible.builtin.import_role:
+    name: service
+  vars:
+    service_name: matrix-authentication-service
+    service_container_image: "ghcr.io/element-hq/matrix-authentication-service:latest"
+    service_container_additional_networks: "{{ matrix_authentication_service_additional_networks }}"
+    service_database_type: postgres
+    service_postgres_tag: "{{ matrix_authentication_service_postgres_tag }}"
+    service_container_mounts:
+      - type: template
+        source: config.yaml.j2
+        destination: /config.yaml
+    service_container_http_port: 8080
+    service_domains: "{{ [matrix_authentication_service_domain] }}"

roles/matrix_authentication_service/templates/config.yaml.j2

@@ -0,0 +1,86 @@
+---
+# vim:ft=yaml
+# {{ ansible_managed }}
+
+http:
+  listeners:
+    - name: web
+      resources:
+        - name: discovery
+        - name: human
+        - name: oauth
+        - name: compat
+        - name: graphql
+        - name: assets
+      binds:
+        - address: '[::]:8080'
+      proxy_protocol: false
+    - name: internal
+      resources:
+        - name: health
+      binds:
+        - host: localhost
+          port: 8081
+      proxy_protocol: false
+  trusted_proxies:
+    - 192.168.0.0/16
+    - 172.16.0.0/12
+    - 10.0.0.0/10
+    - 127.0.0.1/8
+    - fd00::/8
+    - ::1/128
+  public_base: https://{{ matrix_authentication_service_domain }}/
+database:
+  host: matrix-authentication-service-postgres
+  username: matrix_authentication_service
+  password: "{{ _service_database_password }}"
+  database: matrix_authentication_service
+
+secrets: 
+  {{ matrix_authentication_service_secrets | to_nice_yaml(indent=2) | indent(2) }}
+
+passwords:
+  enabled: {{ matrix_authentication_service_upstream_oauth2_client_id | length == 0 }}
+  schemes:
+    - version: 1
+      algorithm: argon2id
+  minimum_complexity: 3
+
+clients:
+  - client_id: 0000000000000000000SYNAPSE
+    client_auth_method: client_secret_basic
+    client_secret: "{{ matrix_authentication_service_client_secret }}"
+
+matrix:
+  homeserver: {{ matrix_authentication_service_homeserver_name }}
+  secret: "{{ matrix_authentication_service_homeserver_secret }}"
+  endpoint: {{ matrix_authentication_service_homeserver_address }}
+
+account:
+  email_change_allowed: true
+  displayname_change_allowed: true
+  password_registration_enabled: false
+
+{% if matrix_authentication_service_email_smtp_server | length > 0 %}
+email:
+  from: '{{ matrix_authentication_service_email_from }}'
+  transport: smtp
+  mode: starttls
+  hostname: {{ matrix_authentication_service_email_smtp_server }}
+  port: 587
+  username: {{ matrix_authentication_service_email_smtp_user }}
+  password: {{ matrix_authentication_service_email_smtp_password }}
+{% endif %}
+{% if matrix_authentication_service_upstream_oauth2_client_id | length > 0 %}
+upstream_oauth2:
+  providers:
+    - id: 01JD3SBR0NMQB0M1WE3HF26E48
+      human_name: "{{ matrix_authentication_service_upstream_oauth2_human_name }}"
+      issuer: "{{ matrix_authentication_service_upstream_oauth2_issuer }}"
+      client_id: "{{ matrix_authentication_service_upstream_oauth2_client_id }}"
+      client_secret: "{{ matrix_authentication_service_upstream_oauth2_client_secret }}"
+      scope: "{{ matrix_authentication_service_upstream_oauth2_scope }}"
+      claims_imports:
+        {{ matrix_authentication_service_upstream_oauth2_claims_imports | to_nice_yaml(indent=2) | indent(8) }}
+      token_endpoint_auth_method: client_secret_basic
+{% endif %}