uumas/ansible-podman
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

Add matrix authentication service role

Browse Source
This commit is contained in:
uumas
2025-03-22 02:02:32 +02:00
parent ffe3279886
commit 974621ee16
5 changed files with 240 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
roles/matrix_authentication_service/README.md Normal file
View File

@@ -0,0 +1 @@
Sets up a matrix authentication service podman container.

5
roles/matrix_authentication_service/defaults/main.yaml Normal file
View File

@@ -0,0 +1,5 @@
---
matrix_authentication_service_postgres_tag: 16-alpine
matrix_authentication_service_email_smtp_server: ""
matrix_authentication_service_additional_networks: []

132
roles/matrix_authentication_service/meta/argument_specs.yaml Normal file
View File

@@ -0,0 +1,132 @@
---
argument_specs:
main:
description: "Sets up a matrix authentication service podman container."
options:
matrix_authentication_service_additional_networks:
description: A list of additional podman networks for the matrix authentication service container.
type: list
required: false
default: []
elements: str
matrix_authentication_service_domain:
description: Domain for matrix authentication service
type: str
required: true
matrix_authentication_service_homeserver_name:
description: Homserver server name
type: str
required: true
matrix_authentication_service_homeserver_address:
description: Address where homeserver is accessible to matrix authentication service
type: str
required: true
matrix_authentication_service_client_secret:
description: >
See [upstream docs](https://element-hq.github.io/matrix-authentication-service/setup/homeserver.html#provision-a-client-for-the-homeserver-to-use)
type: str
required: true
matrix_authentication_service_homeserver_secret:
description: See [upstream docs](https://element-hq.github.io/matrix-authentication-service/reference/configuration.html#matrix)
type: str
required: true
matrix_authentication_service_secrets:
description:
- Matrix authentication service secrets.
- See [upstream docs](https://element-hq.github.io/matrix-authentication-service/reference/configuration.html#secrets) for more info
type: dict
required: true
options:
encryption:
type: str
required: true
keys:
type: list
required: true
elements: dict
options:
kid:
type: str
required: true
key:
type: str
required: true
matrix_authentication_service_email_smtp_server:
description: email.smtp_host, set this to enable sending emails
type: str
required: false
default: ""
matrix_authentication_service_email_smtp_user:
description: Required if matrix_authentication_service_email_smtp_server is set
type: str
matrix_authentication_service_email_smtp_password:
description: Required if matrix_authentication_service_email_smtp_server is set
type: str
matrix_authentication_service_email_from:
description: Required if matrix_authentication_service_email_smtp_server is set
type: str
matrix_authentication_service_upstream_oauth2_client_id:
description: See https://element-hq.github.io/matrix-authentication-service/reference/configuration.html#upstream_oauth2providers
type: str
required: false
default: ""
matrix_authentication_service_upstream_oauth2_human_name:
description: Required if matrix_authentication_service_upstream_oauth2_client_id is set
type: str
matrix_authentication_service_upstream_oauth2_client_secret:
description: Required if matrix_authentication_service_upstream_oauth2_client_id is set
type: str
matrix_authentication_service_upstream_oauth2_issuer:
description: Required if matrix_authentication_service_upstream_oauth2_client_id is set
type: str
matrix_authentication_service_upstream_oauth2_scope:
description: Required if matrix_authentication_service_upstream_oauth2_client_id is set
type: str
matrix_authentication_service_upstream_oauth2_claims_imports:
description: Required if matrix_authentication_service_upstream_oauth2_client_id is set
type: dict
options:
subject:
type: dict
required: false
options:
template:
type: str
required: true
localpart:
type: dict
required: true
options:
action:
type: str
required: true
template:
description: Required if action is not ignore
type: str
displayname:
type: dict
required: true
options:
action:
type: str
required: true
template:
description: Required if action is not ignore
type: str
email:
type: dict
required: true
options:
action:
type: str
required: true
template:
description: Required if action is not ignore
type: str
matrix_authentication_service_postgres_tag:
description: Postgres tag to use for matrix authentication service postgres container
type: str
required: false
default: 16-alpine

16
roles/matrix_authentication_service/tasks/main.yaml Normal file
View File

@@ -0,0 +1,16 @@
---
- name: Matrix authentication service container
ansible.builtin.import_role:
name: service
vars:
service_name: matrix-authentication-service
service_container_image: "ghcr.io/element-hq/matrix-authentication-service:latest"
service_container_additional_networks: "{{ matrix_authentication_service_additional_networks }}"
service_database_type: postgres
service_postgres_tag: "{{ matrix_authentication_service_postgres_tag }}"
service_container_mounts:
- type: template
source: config.yaml.j2
destination: /config.yaml
service_container_http_port: 8080
service_domains: "{{ [matrix_authentication_service_domain] }}"

86
roles/matrix_authentication_service/templates/config.yaml.j2 Normal file
View File

@@ -0,0 +1,86 @@
---
# vim:ft=yaml
# {{ ansible_managed }}
http:
listeners:
- name: web
resources:
- name: discovery
- name: human
- name: oauth
- name: compat
- name: graphql
- name: assets
binds:
- address: '[::]:8080'
proxy_protocol: false
- name: internal
resources:
- name: health
binds:
- host: localhost
port: 8081
proxy_protocol: false
trusted_proxies:
- 192.168.0.0/16
- 172.16.0.0/12
- 10.0.0.0/10
- 127.0.0.1/8
- fd00::/8
- ::1/128
public_base: https://{{ matrix_authentication_service_domain }}/
database:
host: matrix-authentication-service-postgres
username: matrix_authentication_service
password: "{{ _service_database_password }}"
database: matrix_authentication_service
secrets:
{{ matrix_authentication_service_secrets | to_nice_yaml(indent=2) | indent(2) }}
passwords:
enabled: {{ matrix_authentication_service_upstream_oauth2_client_id | length == 0 }}
schemes:
- version: 1
algorithm: argon2id
minimum_complexity: 3
clients:
- client_id: 0000000000000000000SYNAPSE
client_auth_method: client_secret_basic
client_secret: "{{ matrix_authentication_service_client_secret }}"
matrix:
homeserver: {{ matrix_authentication_service_homeserver_name }}
secret: "{{ matrix_authentication_service_homeserver_secret }}"
endpoint: {{ matrix_authentication_service_homeserver_address }}
account:
email_change_allowed: true
displayname_change_allowed: true
password_registration_enabled: false
{% if matrix_authentication_service_email_smtp_server | length > 0 %}
email:
from: '{{ matrix_authentication_service_email_from }}'
transport: smtp
mode: starttls
hostname: {{ matrix_authentication_service_email_smtp_server }}
port: 587
username: {{ matrix_authentication_service_email_smtp_user }}
password: {{ matrix_authentication_service_email_smtp_password }}
{% endif %}
{% if matrix_authentication_service_upstream_oauth2_client_id | length > 0 %}
upstream_oauth2:
providers:
- id: 01JD3SBR0NMQB0M1WE3HF26E48
human_name: "{{ matrix_authentication_service_upstream_oauth2_human_name }}"
issuer: "{{ matrix_authentication_service_upstream_oauth2_issuer }}"
client_id: "{{ matrix_authentication_service_upstream_oauth2_client_id }}"
client_secret: "{{ matrix_authentication_service_upstream_oauth2_client_secret }}"
scope: "{{ matrix_authentication_service_upstream_oauth2_scope }}"
claims_imports:
{{ matrix_authentication_service_upstream_oauth2_claims_imports | to_nice_yaml(indent=2) | indent(8) }}
token_endpoint_auth_method: client_secret_basic
{% endif %}