roles/authelia-for-mas/defaults/main.json

@@ -1,6 +1,6 @@
 {
 	"var_authelia_for_mas_mas_url_base": "https://mas.example.org",
-	"var_authelia_for_mas_id": "01JADRQ54Y0KCQS0AEJQ4YTY36",
+	"var_authelia_for_mas_id": "mas",
 	"var_authelia_for_mas_client_id": "mas",
 	"var_authelia_for_mas_client_secret": "REPLACE_ME"
 }

roles/authelia-for-mas/vardef.json

@@ -1,19 +0,0 @@
-{
-	"mas_url_base": {
-		"type": "string",
-		"mandatory": false
-	},
-	"id": {
-		"type": "string",
-		"mandatory": false,
-		"description": "needs to be a ULID"
-	},
-	"client_id": {
-		"type": "string",
-		"mandatory": false
-	},
-	"client_secret": {
-		"type": "string",
-		"mandatory": false
-	}
-}

roles/mas-for-synapse/defaults/main.json

@@ -1,5 +1,5 @@
 {
 	"var_mas_for_synapse_synapse_url_base": "https://synapse.example.org",
-	"var_mas_for_synapse_client_id": "01JAE3YFB91XFWEDQY0WFDW5VN",
+	"var_mas_for_synapse_client_id": "synapse",
 	"var_mas_for_synapse_client_secret": "REPLACE_ME"
 }

roles/mas/defaults/main.json

@@ -1,23 +1,22 @@
 {
 	"var_mas_user": "mas",
 	"var_mas_directory": "/opt/mas",
-	"var_mas_server_server_address": "[::]",
-	"var_mas_server_server_port": 2839,
-	"var_mas_server_server_domain": "mas.example.org",
+	"var_mas_server_address": "[::]",
+	"var_mas_server_port": 2839,
 	"var_mas_database_host": "postgresql.example.org",
 	"var_mas_database_port": 5432,
 	"var_mas_database_username": "mas_user",
 	"var_mas_database_password": "REPLACE_ME",
 	"var_mas_database_schema": "mas",
-	"var_mas_matrix_server": "synapse.example.org",
+	"var_mas_matrix_server": "localhost:8008",
 	"var_mas_matrix_secret": "REPLACE_ME",
-	"var_mas_matrix_endpoint": "https://synapse.example.org/",
+	"var_mas_matrix_endpoint": "http://localhost:8008/",
 	"var_mas_encryption_key": "REPLACE_ME",
 	"var_mas_authentication_upstream_kind": "none",
 	"var_mas_authentication_upstream_data_authelia_url_base": "https://authelia.example.org",
-	"var_mas_authentication_upstream_data_authelia_auth_method": "client_secret_basic",
+	"var_mas_authentication_upstream_data_authelia_auth_method": "client_secret_post",
 	"var_mas_authentication_upstream_data_authelia_scope": "openid profile email",
-	"var_mas_authentication_upstream_data_authelia_id": "01JADRQ54Y0KCQS0AEJQ4YTY36",
+	"var_mas_authentication_upstream_data_authelia_name": "authelia",
 	"var_mas_authentication_upstream_data_authelia_client_id": "mas",
 	"var_mas_authentication_upstream_data_authelia_client_secret": "REPLACE_ME"
 }

roles/mas/files/conf-compose.py

@@ -65,12 +65,20 @@ def main():
 	## args
 	argument_parser = _argparse.ArgumentParser()
 	argument_parser.add_argument(
-		"-s",
-		"--source-directory",
+		"-b",
+		"--base-file-path",
 		type = str,
-		dest = "source_directory",
-		default = "/opt/mas/conf.d",
-		metavar = "<source-directory>",
+		dest = "base_file_path",
+		default = "/opt/mas/conf.d/base.json",
+		metavar = "<base-file-path>",
+	)
+	argument_parser.add_argument(
+		"-c",
+		"--clients-directory-path",
+		type = str,
+		dest = "clients_directory_path",
+		default = "/opt/mas/conf.d/clients",
+		metavar = "<clients-directory-path>",
 	)
 	argument_parser.add_argument(
 		"-f",
@@ -95,57 +103,16 @@ def main():
 	data = {}
 	### base
 	if True:
-		data_raw = _yaml.safe_load(file_read(_os.path.join(args.source_directory, "base.yaml")))
-		data = dict_merge(
-			data,
-			{
-				"secrets": data_raw["secrets"],
-				"passwords": data_raw["passwords"],
-			}
-		)
-	### database
-	if True:
-		data = dict_merge(
-			data,
-			_json.loads(file_read(_os.path.join(args.source_directory, "database.json")))
-		)
-	### http
-	if True:
-		data = dict_merge(
-			data,
-			_json.loads(file_read(_os.path.join(args.source_directory, "http.json")))
-		)
-	### matrix
-	if True:
-		data = dict_merge(
-			data,
-			_json.loads(file_read(_os.path.join(args.source_directory, "matrix.json")))
-		)
-	### upstream
-	if True:
-		data = dict_merge(
-			data,
-			_json.loads(file_read(_os.path.join(args.source_directory, "upstream.json")))
-		)
-	### email
-	if True:
-		data = dict_merge(
-			data,
-			_json.loads(file_read(_os.path.join(args.source_directory, "email.json")))
-		)
+		data_ = _json.loads(file_read(args.base_file_path))
+		data = dict_merge(data, data_)
 	### clients
 	if True:
-		data = dict_merge(
-			data,
-			{
-				"clients": list(
-					map(
-						lambda name: _json.loads(file_read(_os.path.join(args.source_directory, "clients", name))),
-						_os.listdir(_os.path.join(args.source_directory, "clients"))
-					)
-				),
+		for name in _os.listdir(args.clients_directory_path):
+			data__ = _json.loads(file_read(_os.path.join(args.clients_directory_path, name)))
+			data_ = {
+				"clients": data__
 			}
-		)
+			data = dict_merge(data, data_)
 	## output
 	if True:
 		if (args.output_format == "json"):

roles/mas/tasks/main.json

@@ -13,6 +13,7 @@
 		"become": true,
 		"loop": [
 			"{{var_mas_directory}}/conf.d",
+			"{{var_mas_directory}}/conf.d/providers",
 			"{{var_mas_directory}}/conf.d/clients",
 			"{{var_mas_directory}}/scripts"
 		],
@@ -55,45 +56,9 @@
 		"name": "configuration | base",
 		"become": true,
 		"become_user": "{{var_mas_user}}",
-		"ansible.builtin.shell": {
-			"cmd": "./mas-cli config generate > {{var_mas_directory}}/conf.d/base.yaml",
-			"chdir": "{{var_mas_directory}}"
-		}
-	},
-	{
-		"name": "configuration | database",
-		"become": true,
-		"become_user": "{{var_mas_user}}",
 		"ansible.builtin.template": {
-			"src": "config-database.json.j2",
-			"dest": "{{var_mas_directory}}/conf.d/database.json"
-		}
-	},
-	{
-		"name": "configuration | http",
-		"become": true,
-		"become_user": "{{var_mas_user}}",
-		"ansible.builtin.template": {
-			"src": "config-http.json.j2",
-			"dest": "{{var_mas_directory}}/conf.d/http.json"
-		}
-	},
-	{
-		"name": "configuration | matrix",
-		"become": true,
-		"become_user": "{{var_mas_user}}",
-		"ansible.builtin.template": {
-			"src": "config-matrix.json.j2",
-			"dest": "{{var_mas_directory}}/conf.d/matrix.json"
-		}
-	},
-	{
-		"name": "configuration | upstream",
-		"become": true,
-		"become_user": "{{var_mas_user}}",
-		"ansible.builtin.template": {
-			"src": "config-upstream.json.j2",
-			"dest": "{{var_mas_directory}}/conf.d/upstream.json"
+			"src": "config-base.json.j2",
+			"dest": "{{var_mas_directory}}/conf.d/base.json"
 		}
 	},
 	{

roles/mas/templates/config-base.json.j2

@@ -0,0 +1,111 @@
+{
+	"database": {
+		"host": "{{var_mas_database_host}}",
+		"port": "{{var_mas_database_port | string}}",
+		"username": "{{var_mas_database_username}}",
+		"password": "{{var_mas_database_password}}",
+		"database": "{{var_mas_database_schema}}"
+	},
+	"http": {
+		"listeners": [
+			{
+				"name": "web",
+				"resources": [
+					{
+						"name": "discovery"
+					},
+					{
+						"name": "human"
+					},
+					{
+						"name": "oauth"
+					},
+					{
+						"name": "compat"
+					},
+					{
+						"name": "graphql"
+					},
+					{
+						"name": "assets"
+					}
+				],
+				"binds": [
+					{
+						"address": "[{{var_mas_server_address}}]:{{var_mas_server_port | string}}"
+					}
+				],
+				"proxy_protocol": false
+			},
+			{
+				"name": "internal",
+				"resources": [
+					{
+						"name": "health"
+					}
+				],
+				"binds": [
+					{
+						"host": "localhost",
+						"port": 8081
+					}
+				],
+				"proxy_protocol": false
+			}
+		],
+		"trusted_proxies": [
+			"192.168.0.0/16",
+			"172.16.0.0/12",
+			"10.0.0.0/10",
+			"127.0.0.1/8",
+			"fd00::/8",
+			"::1/128"
+		],
+		"public_base": "http://{{var_mas_server_address}}]:{{var_mas_server_port | string}}/",
+		"issuer": "http://{{var_mas_server_address}}]:{{var_mas_server_port | string}}/"
+	},
+	"matrix": {
+		"homeserver": "{{var_mas_matrix_server}}",
+		"secret": "{{var_mas_matrix_secret}}",
+		"endpoint": "{{var_mas_matrix_endpoint}}"
+	},
+	"secrets": {
+		"encryption": "{{var_mas_encryption_key}}",
+		"keys": [
+			"__TODO__"
+		]
+	},
+	"passwords": {
+		"enabled": true,
+		"schemas": [
+			{
+				"version": 1,
+				"algorithm": "argon2id"
+			}
+		],
+		"minimum_complexity": 3
+	},
+{% if var_mas_authentication_upstream_kind == 'none' %}
+{% endif %}
+{% if var_mas_authentication_upstream_kind == 'authelia' %}
+	"upstream_oauth2": {
+		"providers": [
+			{
+				"id": "{{var_mas_authentication_upstream_data_authelia_name}}",
+				"issuer": "{{var_mas_authentication_upstream_data_authelia_url_base}}",
+				"authorization_endpoint": "{{var_mas_authentication_upstream_data_authelia_url_base}}/api/oidc/authorization",
+				"token_endpoint": "{{var_mas_authentication_upstream_data_authelia_url_base}}/api/oidc/token",
+				"token_endpoint_auth_method": "{{var_mas_authentication_upstream_data_authelia_auth_method}}",
+				"scope": "{{var_mas_authentication_upstream_data_authelia_scope}}",
+				"client_id": "{{var_mas_authentication_upstream_data_authelia_client_id}}",
+				"client_secret": "{{var_mas_authentication_upstream_data_authelia_client_secret}}"
+			}
+		]
+	},
+{% endif %}	
+	"email": {
+		"from": "'\"Authentication Service\" <root@localhost>'",
+		"reply_to": "'\"Authentication Service\" <root@localhost>'",
+		"transport": "blackhole"
+	}
+}

roles/mas/templates/config-database.json.j2

@@ -1,9 +0,0 @@
-{
-	"database": {
-		"host": "{{var_mas_database_host}}",
-		"port": {{var_mas_database_port | string}},
-		"username": "{{var_mas_database_username}}",
-		"password": "{{var_mas_database_password}}",
-		"database": "{{var_mas_database_schema}}"
-	}
-}

roles/mas/templates/config-email.json.j2

@@ -1,7 +0,0 @@
-{
-	"email": {
-		"from": "Authentication Service <root@localhost>",
-		"reply_to": "Authentication Service <root@localhost>",
-		"transport": "blackhole"
-	}
-}

roles/mas/templates/config-http.json.j2

@@ -1,60 +0,0 @@
-{
-	"http": {
-		"listeners": [
-			{
-				"name": "web",
-				"resources": [
-					{
-						"name": "discovery"
-					},
-					{
-						"name": "human"
-					},
-					{
-						"name": "oauth"
-					},
-					{
-						"name": "compat"
-					},
-					{
-						"name": "graphql"
-					},
-					{
-						"name": "assets"
-					}
-				],
-				"binds": [
-					{
-						"address": "{{var_mas_server_server_address}}:{{var_mas_server_server_port | string}}"
-					}
-				],
-				"proxy_protocol": false
-			},
-			{
-				"name": "internal",
-				"resources": [
-					{
-						"name": "health"
-					}
-				],
-				"binds": [
-					{
-						"host": "localhost",
-						"port": 8081
-					}
-				],
-				"proxy_protocol": false
-			}
-		],
-		"trusted_proxies": [
-			"192.168.0.0/16",
-			"172.16.0.0/12",
-			"10.0.0.0/10",
-			"127.0.0.1/8",
-			"fd00::/8",
-			"::1/128"
-		],
-		"public_base": "https://{{var_mas_server_server_domain}}/",
-		"issuer": "https://{{var_mas_server_server_domain}}/"
-	}
-}

roles/mas/templates/config-matrix.json.j2

@@ -1,7 +0,0 @@
-{
-	"matrix": {
-		"homeserver": "{{var_mas_matrix_server}}",
-		"secret": "{{var_mas_matrix_secret}}",
-		"endpoint": "{{var_mas_matrix_endpoint}}"
-	}
-}

roles/mas/templates/config-upstream.json.j2

@@ -1,35 +0,0 @@
-{
-{% if var_mas_authentication_upstream_kind == 'none' %}
-{% endif %}
-{% if var_mas_authentication_upstream_kind == 'authelia' %}
-	"upstream_oauth2": {
-		"providers": [
-			{
-				"id": "{{var_mas_authentication_upstream_data_authelia_id}}",
-				"issuer": "{{var_mas_authentication_upstream_data_authelia_url_base}}",
-				"authorization_endpoint": "{{var_mas_authentication_upstream_data_authelia_url_base}}/api/oidc/authorization",
-				"token_endpoint": "{{var_mas_authentication_upstream_data_authelia_url_base}}/api/oidc/token",
-				"token_endpoint_auth_method": "{{var_mas_authentication_upstream_data_authelia_auth_method}}",
-				"scope": "{{var_mas_authentication_upstream_data_authelia_scope}}",
-				"discovery_mode": "insecure",
-				"client_id": "{{var_mas_authentication_upstream_data_authelia_client_id}}",
-				"client_secret": "{{var_mas_authentication_upstream_data_authelia_client_secret}}",
-				"claims_imports": {
-					"localpart": {
-						"action": "require",
-						"template": "{{"{{"}} user.preferred_username {{"}}"}}"
-					},
-					"displayname": {
-						"action": "suggest",
-						"template": "{{"{{"}} user.name {{"}}"}}"
-					},
-					"email": {
-						"action": "suggest",
-						"template": "{{"{{"}} user.email {{"}}"}}",
-						"set_email_verification": "always"
-					}
-				}
-		]
-	}
-{% endif %}	
-}

roles/mas/vardef.json

@@ -7,18 +7,6 @@
 		"type": "string",
 		"mandatory": false
 	},
-	"server_address": {
-		"type": "string",
-		"mandatory": false
-	},
-	"server_port": {
-		"type": "string",
-		"mandatory": false
-	},
-	"domain": {
-		"type": "string",
-		"mandatory": false
-	},
 	"database_host": {
 		"type": "string",
 		"mandatory": false
@@ -33,7 +21,7 @@
 	},
 	"database_password": {
 		"type": "string",
-		"mandatory": true
+		"mandatory": false
 	},
 	"database_schema": {
 		"type": "string",
@@ -45,7 +33,7 @@
 	},
 	"matrix_secret": {
 		"type": "string",
-		"mandatory": true
+		"mandatory": false
 	},
 	"matrix_endpoint": {
 		"type": "string",
@@ -53,7 +41,7 @@
 	},
 	"encryption_key": {
 		"type": "string",
-		"mandatory": true
+		"mandatory": false
 	},
 	"authentication_upstream_kind": {
 		"nullable": false,
@@ -75,10 +63,9 @@
 		"type": "string",
 		"mandatory": false
 	},
-	"authentication_upstream_data_authelia_id": {
+	"authentication_upstream_data_authelia_name": {
 		"type": "string",
-		"mandatory": false,
-		"description": "needs to be a ULID"
+		"mandatory": false
 	},
 	"authentication_upstream_data_authelia_client_id": {
 		"type": "string",

roles/synapse-and-nginx/info.md

@@ -6,9 +6,3 @@
 ## Verweise
 
 - [Synapse-Dokumentation über die Nutzung von Reverse-Proxies](https://matrix-org.github.io/synapse/latest/reverse_proxy.html)
-
-
-## ToDo
-
-- MAS-Einbindung (siehe https://element-hq.github.io/matrix-authentication-service/setup/reverse-proxy.html)
-

roles/synapse-and-nginx/templates/conf.j2

@@ -1,5 +1,5 @@
 {% macro synapse_common() %}
-	location ~ ^(/_matrix|/_synapse/client|/.well-known) {
+	location ~ ^(/_matrix|/_synapse/client) {
 		proxy_pass http://localhost:8008;
 		proxy_set_header X-Forwarded-For $remote_addr;
 		proxy_set_header X-Forwarded-Proto $scheme;

roles/synapse/defaults/main.json

@@ -21,7 +21,7 @@
 	"var_synapse_authentication_data_authelia_client_secret": "REPLACE_ME",
 	"var_synapse_authentication_data_authelia_url_base": "https://authelia.example.org",
 	"var_synapse_authentication_data_mas_url_base": "http://localhost:2839",
-	"var_synapse_authentication_data_mas_client_id": "01JAE3YFB91XFWEDQY0WFDW5VN",
+	"var_synapse_authentication_data_mas_client_id": "synapse",
 	"var_synapse_authentication_data_mas_client_secret": "REPLACE_ME",
 	"var_synapse_authentication_data_mas_admin_token": "REPLACE_ME",
 	"var_synapse_authentication_data_mas_provider_id": "mas",

roles/synapse/tasks/main.json

@@ -7,13 +7,6 @@
 			"dest": "/etc/apt/sources.list.d/bullseye-backports-for-synapse.list"
 		}
 	},
-	{
-		"name": "update sources",
-		"become": true,
-		"ansible.builtin.apt": {
-			"update_cache": true
-		}
-	},
 	{
 		"name": "prepare package installation | server-name",
 		"become": true,