synapse: Use matrix authentication service

roles/synapse/defaults/main.yaml

@@ -1,6 +1,8 @@
 ---
 synapse_postgres_tag: 16-alpine
 
+synapse_mas_domain: "auth.{{ synapse_external_domain }}"
+
 synapse_trusted_key_servers:
   - matrix.org
 

roles/synapse/meta/argument_specs.yaml

@@ -17,6 +17,14 @@ argument_specs:
           - This is used to set the public_baseurl option for synapse (with https:// and trailing / added)
         type: str
         required: true
+      synapse_mas_secrets:
+        description: Passed to the matrix_authentication_service role
+        type: dict
+        required: true
+      synapse_mas_domain:
+        description: The public-facing domain that clients use to access matrix authentication service. Defaults to auth.`synapse_external_domain`
+        type: str
+        required: false
       synapse_signing_key:
         description: The homeserver signing key
         type: str

roles/synapse/tasks/main.yaml

@@ -33,6 +33,8 @@
     service_container_secrets:
       - name: signing-key
         value: "{{ synapse_signing_key }}"
+      - name: mas-client-secret
+      - name: mas-homeserver-secret
     service_container_env:
       SYNAPSE_SERVER_NAME: "{{ synapse_server_name }}"
       SYNAPSE_REPORT_STATS: "no"
@@ -40,3 +42,36 @@
       GID: 991
     service_container_http_port: 8008
     service_domains: "{{ [synapse_external_domain] }}"
+    service_vhost_locations:
+      - path: /_matrix/client/*/login
+        proxy_target_socket: /run/matrix-authentication-service-socat.sock
+      - path: /_matrix/client/*/logout
+        proxy_target_socket: /run/matrix-authentication-service-socat.sock
+      - path: /_matrix/client/*/refresh
+        proxy_target_socket: /run/matrix-authentication-service-socat.sock
+      - path: /_matrix/client/*/login/*
+        proxy_target_socket: /run/matrix-authentication-service-socat.sock
+      - path: /_matrix/client/*/logout/*
+        proxy_target_socket: /run/matrix-authentication-service-socat.sock
+      - path: /_matrix/client/*/refresh/*
+        proxy_target_socket: /run/matrix-authentication-service-socat.sock
+    service_wants:
+      - matrix-authentication-service.service
+
+- name: Matrix authentication service for synapse
+  ansible.builtin.include_role:
+    name: matrix_authentication_service
+  vars:
+    matrix_authentication_service_additional_networks:
+      - synapse
+    matrix_authentication_service_secrets: "{{ synapse_mas_secrets }}"
+    matrix_authentication_service_domain: "{{ synapse_mas_domain }}"
+    matrix_authentication_service_homeserver_name: "{{ synapse_server_name }}"
+    matrix_authentication_service_homeserver_address: http://synapse:8009
+    matrix_authentication_service_client_secret: "{{ _service_podman_secrets['synapse-mas-client-secret'] }}"
+    matrix_authentication_service_homeserver_secret: "{{ _service_podman_secrets['synapse-mas-homeserver-secret'] }}"
+
+    matrix_authentication_service_email_smtp_server: "{{ synapse_email_smtp_server }}"
+    matrix_authentication_service_email_smtp_user: "{{ synapse_email_smtp_user }}"
+    matrix_authentication_service_email_smtp_password: "{{ synapse_email_smtp_password }}"
+    matrix_authentication_service_email_from: "{{ synapse_email_from | replace('%(app)s', synapse_email_app_name) }}"

roles/synapse/templates/homeserver.yaml.j2

@@ -17,6 +17,12 @@ listeners:
     x_forwarded: true
     resources:
       - names: [client, federation]
+  - port: 8009
+    tls: false
+    type: http
+    x_forwarded: false
+    resources:
+      - names: [client]
 
 database:
   name: psycopg2
@@ -33,6 +39,8 @@ enable_registration: false
 enable_3pid_changes: false
 ui_auth:
   session_timeout: 5m
+password_config:
+  enabled: false
 
 trusted_key_servers:
 {% for server in synapse_trusted_key_servers %}
@@ -85,7 +93,7 @@ email:
   smtp_user: {{ synapse_smtp_user }}
   smtp_pass: {{ synapse_smtp_password }}
   require_transport_security: true
-  
+
   notif_from: "{{ synapse_email_from }}"
   app_name: "{{ synapse_email_app_name }}"
   enable_notifs: true
@@ -97,3 +105,13 @@ allow_public_rooms_over_federation: {{ synapse_allow_public_rooms_over_federatio
 auto_accept_invites: {{ synapse_auto_accept_invites }}
 auto_join_rooms: {{ synapse_auto_join_rooms }}
 autocreate_auto_join_rooms: false
+
+experimental_features:
+  msc3861:
+    enabled: true
+    issuer: http://matrix-authentication-service:8080/
+    client_id: 0000000000000000000SYNAPSE
+    client_auth_method: client_secret_basic
+    client_secret: "{{ _service_podman_secrets['synapse-mas-client-secret'] }}"
+    admin_token: "{{ _service_podman_secrets['synapse-mas-homeserver-secret'] }}"
+    account_management_url: "https://{{ synapse_mas_domain }}/account"