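---
# vim:ft=yaml
# {{ ansible_managed }}
#
# matrix-authentication-service configuration, rendered by Ansible.
#
# The rendered file holds plaintext secrets (database password, client and
# homeserver secrets, the secrets block, SMTP and upstream OAuth2
# credentials). Deploy it with a restrictive owner and mode, and keep the
# tasks that handle these variables out of logs (no_log).
#
# Free-form strings that were previously emitted unquoted now go through
# to_json, so values containing '#', ': ', quotes, backslashes or a leading
# YAML indicator stay valid YAML strings and are not truncated or retyped.
# Values still written inside plain double quotes must not contain a double
# quote or a backslash.

http:
  listeners:
    # Public listener: binds on all interfaces. It is presumably meant to be
    # reached only through the reverse proxy; confirm that nothing else can
    # connect to port 8080 directly.
    - name: web
      resources:
        - name: discovery
        - name: human
        - name: oauth
        - name: compat
        - name: graphql
        - name: assets
      binds:
        - address: '[::]:8080'
      proxy_protocol: false
    # Health endpoint only, bound to localhost.
    - name: internal
      resources:
        - name: health
      binds:
        - host: localhost
          port: 8081
      proxy_protocol: false
  # Peers in these ranges are trusted to supply the client address via
  # forwarding headers. Every private range is listed, so any host in them
  # that can reach the listener can claim an arbitrary client IP; narrow the
  # list to the reverse proxy's actual address where it is known.
  # NOTE(review): 10.0.0.0/10 covers 10.0.0.0-10.63.255.255 only, not the
  # whole of 10.0.0.0/8 - confirm this is intended.
  trusted_proxies:
    - '192.168.0.0/16'
    - '172.16.0.0/12'
    - '10.0.0.0/10'
    - '127.0.0.1/8'
    - 'fd00::/8'
    - '::1/128'
  public_base: "https://{{ matrix_authentication_service_domain }}/"

database:
  host: matrix-authentication-service-postgres
  username: matrix_authentication_service
  password: "{{ service_podman_secrets['matrix-authentication-service-postgres'] }}"
  database: matrix_authentication_service

# The variable is expected to be a mapping; it is dumped as block YAML and
# re-indented to sit under this key.
secrets:
  {{ matrix_authentication_service_secrets | to_nice_yaml(indent=2) | indent(2) }}

passwords:
  # Local password login is enabled only when no upstream OAuth2 client id is
  # configured. to_json renders the canonical lowercase true/false.
  enabled: {{ (matrix_authentication_service_upstream_oauth2_client_id | length == 0) | to_json }}
  schemes:
    - version: 1
      algorithm: argon2id
  minimum_complexity: 3

clients:
  - client_id: '0000000000000000000SYNAPSE'
    client_auth_method: client_secret_basic
    client_secret: "{{ matrix_authentication_service_client_secret }}"

matrix:
  homeserver: {{ matrix_authentication_service_homeserver_name | to_json }}
  secret: "{{ matrix_authentication_service_homeserver_secret }}"
  endpoint: {{ matrix_authentication_service_homeserver_address | to_json }}

account:
  email_change_allowed: true
  displayname_change_allowed: true
  password_registration_enabled: false

{% if matrix_authentication_service_email_smtp_server | length > 0 %}
email:
  from: '{{ matrix_authentication_service_email_from }}'
  transport: smtp
  mode: starttls
  hostname: {{ matrix_authentication_service_email_smtp_server | to_json }}
  port: 587
  # Credentials are the values most likely to contain YAML-special
  # characters, so they are always emitted as JSON-escaped strings.
  username: {{ matrix_authentication_service_email_smtp_user | to_json }}
  password: {{ matrix_authentication_service_email_smtp_password | to_json }}
{% endif %}

{% if matrix_authentication_service_upstream_oauth2_client_id | length > 0 %}
upstream_oauth2:
  providers:
    - id: '01JD3SBR0NMQB0M1WE3HF26E48'
      human_name: "{{ matrix_authentication_service_upstream_oauth2_human_name }}"
      issuer: "{{ matrix_authentication_service_upstream_oauth2_issuer }}"
      client_id: "{{ matrix_authentication_service_upstream_oauth2_client_id }}"
      client_secret: "{{ matrix_authentication_service_upstream_oauth2_client_secret }}"
      scope: "{{ matrix_authentication_service_upstream_oauth2_scope }}"
      # The claims decide how upstream identities map to local accounts;
      # review this variable with the same care as the credentials above.
      claims_imports:
        {{ matrix_authentication_service_upstream_oauth2_claims_imports | to_nice_yaml(indent=2) | indent(8) }}
      token_endpoint_auth_method: client_secret_basic
{% endif %}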