synapse: Use matrix authentication service

2025-03-22 02:05:28 +02:00
parent 974621ee16
commit cefa207eed
4 changed files with 64 additions and 1 deletions
--- a/roles/synapse/defaults/main.yaml
+++ b/roles/synapse/defaults/main.yaml
@@ -1,6 +1,8 @@
 ---
 synapse_postgres_tag: 16-alpine

+synapse_mas_domain: "auth.{{ synapse_external_domain }}"
+
 synapse_trusted_key_servers:
  - matrix.org

--- a/roles/synapse/meta/argument_specs.yaml
+++ b/roles/synapse/meta/argument_specs.yaml
@@ -17,6 +17,14 @@ argument_specs:
          - This is used to set the public_baseurl option for synapse (with https:// and trailing / added)
        type: str
        required: true
+      synapse_mas_secrets:
+        description: Passed to the matrix_authentication_service role
+        type: dict
+        required: true
+      synapse_mas_domain:
+        description: The public-facing domain that clients use to access matrix authentication service. Defaults to auth.`synapse_external_domain`
+        type: str
+        required: false
      synapse_signing_key:
        description: The homeserver signing key
        type: str
--- a/roles/synapse/tasks/main.yaml
+++ b/roles/synapse/tasks/main.yaml
@@ -33,6 +33,8 @@
    service_container_secrets:
      - name: signing-key
        value: "{{ synapse_signing_key }}"
+      - name: mas-client-secret
+      - name: mas-homeserver-secret
    service_container_env:
      SYNAPSE_SERVER_NAME: "{{ synapse_server_name }}"
      SYNAPSE_REPORT_STATS: "no"
@@ -40,3 +42,36 @@
      GID: 991
    service_container_http_port: 8008
    service_domains: "{{ [synapse_external_domain] }}"
+    service_vhost_locations:
+      - path: /_matrix/client/*/login
+        proxy_target_socket: /run/matrix-authentication-service-socat.sock
+      - path: /_matrix/client/*/logout
+        proxy_target_socket: /run/matrix-authentication-service-socat.sock
+      - path: /_matrix/client/*/refresh
+        proxy_target_socket: /run/matrix-authentication-service-socat.sock
+      - path: /_matrix/client/*/login/*
+        proxy_target_socket: /run/matrix-authentication-service-socat.sock
+      - path: /_matrix/client/*/logout/*
+        proxy_target_socket: /run/matrix-authentication-service-socat.sock
+      - path: /_matrix/client/*/refresh/*
+        proxy_target_socket: /run/matrix-authentication-service-socat.sock
+    service_wants:
+      - matrix-authentication-service.service
+
+- name: Matrix authentication service for synapse
+  ansible.builtin.include_role:
+    name: matrix_authentication_service
+  vars:
+    matrix_authentication_service_additional_networks:
+      - synapse
+    matrix_authentication_service_secrets: "{{ synapse_mas_secrets }}"
+    matrix_authentication_service_domain: "{{ synapse_mas_domain }}"
+    matrix_authentication_service_homeserver_name: "{{ synapse_server_name }}"
+    matrix_authentication_service_homeserver_address: http://synapse:8009
+    matrix_authentication_service_client_secret: "{{ _service_podman_secrets['synapse-mas-client-secret'] }}"
+    matrix_authentication_service_homeserver_secret: "{{ _service_podman_secrets['synapse-mas-homeserver-secret'] }}"
+
+    matrix_authentication_service_email_smtp_server: "{{ synapse_email_smtp_server }}"
+    matrix_authentication_service_email_smtp_user: "{{ synapse_email_smtp_user }}"
+    matrix_authentication_service_email_smtp_password: "{{ synapse_email_smtp_password }}"
+    matrix_authentication_service_email_from: "{{ synapse_email_from | replace('%(app)s', synapse_email_app_name) }}"
--- a/roles/synapse/templates/homeserver.yaml.j2
+++ b/roles/synapse/templates/homeserver.yaml.j2
@@ -17,6 +17,12 @@ listeners:
    x_forwarded: true
    resources:
      - names: [client, federation]
+  - port: 8009
+    tls: false
+    type: http
+    x_forwarded: false
+    resources:
+      - names: [client]

 database:
  name: psycopg2
@@ -33,6 +39,8 @@ enable_registration: false
 enable_3pid_changes: false
 ui_auth:
  session_timeout: 5m
+password_config:
+  enabled: false

 trusted_key_servers:
 {% for server in synapse_trusted_key_servers %}
@@ -97,3 +105,13 @@ allow_public_rooms_over_federation: {{ synapse_allow_public_rooms_over_federatio
 auto_accept_invites: {{ synapse_auto_accept_invites }}
 auto_join_rooms: {{ synapse_auto_join_rooms }}
 autocreate_auto_join_rooms: false
+
+experimental_features:
+  msc3861:
+    enabled: true
+    issuer: http://matrix-authentication-service:8080/
+    client_id: 0000000000000000000SYNAPSE
+    client_auth_method: client_secret_basic
+    client_secret: "{{ _service_podman_secrets['synapse-mas-client-secret'] }}"
+    admin_token: "{{ _service_podman_secrets['synapse-mas-homeserver-secret'] }}"
+    account_management_url: "https://{{ synapse_mas_domain }}/account"