---
- name: Assert complexity error is set if complexity limit is
  ansible.builtin.assert:
    that: synapse_room_complexity_limit == 0 or synapse_room_complexity_error | length > 0
    fail_msg: "synapse_room_complexity_error must be set when synapse_room_complexity_limit is"
    quiet: true
- name: Assert turn shared secret is set if turn uris is
  ansible.builtin.assert:
    that: synapse_turn_uris | length == 0 or synapse_turn_shared_secret | length > 0
    fail_msg: "synapse_turn_shared_secret must be set when synapse_turn_uris is"
    quiet: true

- name: Synapse container
  ansible.builtin.import_role:
    name: service
  vars:
    service_name: synapse
    service_container_image: "{{ _synapse_image_name }}"
    service_database_type: postgres
    service_postgres_tag: "{{ synapse_postgres_tag }}"
    service_container_mounts:
      - type: template
        source: homeserver.yaml.j2
        destination: /data/homeserver.yaml
      - type: template
        source: log.yaml.j2
        destination: /data/log.yaml
      - type: volume
        source: media
        destination: /data/media
        user: "991"
        group: "991"
    service_container_secrets:
      - name: signing-key
        value: "{{ synapse_signing_key }}"
      - name: mas-client-secret
      - name: mas-homeserver-secret
    service_container_env:
      SYNAPSE_SERVER_NAME: "{{ synapse_server_name }}"
      SYNAPSE_REPORT_STATS: "no"
      UID: 991
      GID: 991
    service_container_http_port: 8008
    service_domains: "{{ [synapse_external_domain] }}"
    service_vhost_locations:
      - path: ^/_matrix/client/.*/(login|logout|refresh).*$
        proxy_target_socket: /run/matrix-authentication-service-socat.sock
    service_wants:
      - matrix-authentication-service.service

- name: Matrix authentication service for synapse
  ansible.builtin.import_role:
    name: matrix_authentication_service
  vars:
    matrix_authentication_service_additional_networks:
      - synapse
    matrix_authentication_service_secrets: "{{ synapse_mas_secrets }}"
    matrix_authentication_service_domain: "{{ synapse_mas_domain }}"
    matrix_authentication_service_homeserver_name: "{{ synapse_server_name }}"
    matrix_authentication_service_homeserver_address: http://synapse:8009
    matrix_authentication_service_client_secret: "{{ service_podman_secrets['synapse-mas-client-secret'] }}"
    matrix_authentication_service_homeserver_secret: "{{ service_podman_secrets['synapse-mas-homeserver-secret'] }}"

    matrix_authentication_service_email_smtp_server: "{{ synapse_email_smtp_server }}"
    matrix_authentication_service_email_smtp_user: "{{ synapse_email_smtp_user }}"
    matrix_authentication_service_email_smtp_password: "{{ synapse_email_smtp_password }}"
    matrix_authentication_service_email_from: "{{ synapse_email_from | replace('%(app)s', synapse_email_app_name) }}"

    matrix_authentication_service_upstream_oauth2_client_id: "{{ synapse_oidc_provider_client_id }}"
    matrix_authentication_service_upstream_oauth2_client_secret: "{{ synapse_oidc_provider_client_secret }}"
    matrix_authentication_service_upstream_oauth2_issuer: "{{ synapse_oidc_provider_issuer }}"
    matrix_authentication_service_upstream_oauth2_scope: "{{ synapse_oidc_provider_scopes | join(' ') }}"
    matrix_authentication_service_upstream_oauth2_claims_imports: "{{ synapse_oidc_provider_mas_claims_imports }}"
    matrix_authentication_service_upstream_oauth2_human_name: "{{ synapse_oidc_provider_name }}"