[fix] role:synapse:apt stuff

roles/authelia-for-mas/defaults/main.json

@@ -1,6 +1,6 @@
 {
 	"var_authelia_for_mas_mas_url_base": "https://mas.example.org",
-	"var_authelia_for_mas_id": "mas",
+	"var_authelia_for_mas_id": "01JADRQ54Y0KCQS0AEJQ4YTY36",
 	"var_authelia_for_mas_client_id": "mas",
 	"var_authelia_for_mas_client_secret": "REPLACE_ME"
 }

roles/authelia-for-mas/vardef.json

@@ -0,0 +1,19 @@
+{
+	"mas_url_base": {
+		"type": "string",
+		"mandatory": false
+	},
+	"id": {
+		"type": "string",
+		"mandatory": false,
+		"description": "needs to be a ULID"
+	},
+	"client_id": {
+		"type": "string",
+		"mandatory": false
+	},
+	"client_secret": {
+		"type": "string",
+		"mandatory": false
+	}
+}

roles/mas-for-synapse/defaults/main.json

@@ -1,5 +1,5 @@
 {
 	"var_mas_for_synapse_synapse_url_base": "https://synapse.example.org",
-	"var_mas_for_synapse_client_id": "synapse",
+	"var_mas_for_synapse_client_id": "01JAE3YFB91XFWEDQY0WFDW5VN",
 	"var_mas_for_synapse_client_secret": "REPLACE_ME"
 }

roles/mas/defaults/main.json

@@ -1,22 +1,23 @@
 {
 	"var_mas_user": "mas",
 	"var_mas_directory": "/opt/mas",
-	"var_mas_server_address": "[::]",
+	"var_mas_server_server_address": "[::]",
-	"var_mas_server_port": 2839,
+	"var_mas_server_server_port": 2839,
+	"var_mas_server_server_domain": "mas.example.org",
 	"var_mas_database_host": "postgresql.example.org",
 	"var_mas_database_port": 5432,
 	"var_mas_database_username": "mas_user",
 	"var_mas_database_password": "REPLACE_ME",
 	"var_mas_database_schema": "mas",
-	"var_mas_matrix_server": "localhost:8008",
+	"var_mas_matrix_server": "synapse.example.org",
 	"var_mas_matrix_secret": "REPLACE_ME",
-	"var_mas_matrix_endpoint": "http://localhost:8008/",
+	"var_mas_matrix_endpoint": "https://synapse.example.org/",
 	"var_mas_encryption_key": "REPLACE_ME",
 	"var_mas_authentication_upstream_kind": "none",
 	"var_mas_authentication_upstream_data_authelia_url_base": "https://authelia.example.org",
-	"var_mas_authentication_upstream_data_authelia_auth_method": "client_secret_post",
+	"var_mas_authentication_upstream_data_authelia_auth_method": "client_secret_basic",
 	"var_mas_authentication_upstream_data_authelia_scope": "openid profile email",
-	"var_mas_authentication_upstream_data_authelia_name": "authelia",
+	"var_mas_authentication_upstream_data_authelia_id": "01JADRQ54Y0KCQS0AEJQ4YTY36",
 	"var_mas_authentication_upstream_data_authelia_client_id": "mas",
 	"var_mas_authentication_upstream_data_authelia_client_secret": "REPLACE_ME"
 }

roles/mas/files/conf-compose.py

@@ -65,20 +65,12 @@ def main():
 	## args
 	argument_parser = _argparse.ArgumentParser()
 	argument_parser.add_argument(
-		"-b",
+		"-s",
-		"--base-file-path",
+		"--source-directory",
 		type = str,
-		dest = "base_file_path",
+		dest = "source_directory",
-		default = "/opt/mas/conf.d/base.json",
+		default = "/opt/mas/conf.d",
-		metavar = "<base-file-path>",
+		metavar = "<source-directory>",
-	)
-	argument_parser.add_argument(
-		"-c",
-		"--clients-directory-path",
-		type = str,
-		dest = "clients_directory_path",
-		default = "/opt/mas/conf.d/clients",
-		metavar = "<clients-directory-path>",
 	)
 	argument_parser.add_argument(
 		"-f",
@@ -103,16 +95,57 @@ def main():
 	data = {}
 	### base
 	if True:
-		data_ = _json.loads(file_read(args.base_file_path))
+		data_raw = _yaml.safe_load(file_read(_os.path.join(args.source_directory, "base.yaml")))
-		data = dict_merge(data, data_)
+		data = dict_merge(
+			data,
+			{
+				"secrets": data_raw["secrets"],
+				"passwords": data_raw["passwords"],
+			}
+		)
+	### database
+	if True:
+		data = dict_merge(
+			data,
+			_json.loads(file_read(_os.path.join(args.source_directory, "database.json")))
+		)
+	### http
+	if True:
+		data = dict_merge(
+			data,
+			_json.loads(file_read(_os.path.join(args.source_directory, "http.json")))
+		)
+	### matrix
+	if True:
+		data = dict_merge(
+			data,
+			_json.loads(file_read(_os.path.join(args.source_directory, "matrix.json")))
+		)
+	### upstream
+	if True:
+		data = dict_merge(
+			data,
+			_json.loads(file_read(_os.path.join(args.source_directory, "upstream.json")))
+		)
+	### email
+	if True:
+		data = dict_merge(
+			data,
+			_json.loads(file_read(_os.path.join(args.source_directory, "email.json")))
+		)
 	### clients
 	if True:
-		for name in _os.listdir(args.clients_directory_path):
+		data = dict_merge(
-			data__ = _json.loads(file_read(_os.path.join(args.clients_directory_path, name)))
+			data,
-			data_ = {
+			{
-				"clients": data__
+				"clients": list(
+					map(
+						lambda name: _json.loads(file_read(_os.path.join(args.source_directory, "clients", name))),
+						_os.listdir(_os.path.join(args.source_directory, "clients"))
+					)
+				),
 			}
-			data = dict_merge(data, data_)
+		)
 	## output
 	if True:
 		if (args.output_format == "json"):

roles/mas/tasks/main.json

@@ -13,7 +13,6 @@
 		"become": true,
 		"loop": [
 			"{{var_mas_directory}}/conf.d",
-			"{{var_mas_directory}}/conf.d/providers",
 			"{{var_mas_directory}}/conf.d/clients",
 			"{{var_mas_directory}}/scripts"
 		],
@@ -56,9 +55,45 @@
 		"name": "configuration | base",
 		"become": true,
 		"become_user": "{{var_mas_user}}",
+		"ansible.builtin.shell": {
+			"cmd": "./mas-cli config generate > {{var_mas_directory}}/conf.d/base.yaml",
+			"chdir": "{{var_mas_directory}}"
+		}
+	},
+	{
+		"name": "configuration | database",
+		"become": true,
+		"become_user": "{{var_mas_user}}",
 		"ansible.builtin.template": {
-			"src": "config-base.json.j2",
+			"src": "config-database.json.j2",
-			"dest": "{{var_mas_directory}}/conf.d/base.json"
+			"dest": "{{var_mas_directory}}/conf.d/database.json"
+		}
+	},
+	{
+		"name": "configuration | http",
+		"become": true,
+		"become_user": "{{var_mas_user}}",
+		"ansible.builtin.template": {
+			"src": "config-http.json.j2",
+			"dest": "{{var_mas_directory}}/conf.d/http.json"
+		}
+	},
+	{
+		"name": "configuration | matrix",
+		"become": true,
+		"become_user": "{{var_mas_user}}",
+		"ansible.builtin.template": {
+			"src": "config-matrix.json.j2",
+			"dest": "{{var_mas_directory}}/conf.d/matrix.json"
+		}
+	},
+	{
+		"name": "configuration | upstream",
+		"become": true,
+		"become_user": "{{var_mas_user}}",
+		"ansible.builtin.template": {
+			"src": "config-upstream.json.j2",
+			"dest": "{{var_mas_directory}}/conf.d/upstream.json"
 		}
 	},
 	{

roles/mas/templates/config-base.json.j2

@@ -1,111 +0,0 @@
-{
-	"database": {
-		"host": "{{var_mas_database_host}}",
-		"port": "{{var_mas_database_port | string}}",
-		"username": "{{var_mas_database_username}}",
-		"password": "{{var_mas_database_password}}",
-		"database": "{{var_mas_database_schema}}"
-	},
-	"http": {
-		"listeners": [
-			{
-				"name": "web",
-				"resources": [
-					{
-						"name": "discovery"
-					},
-					{
-						"name": "human"
-					},
-					{
-						"name": "oauth"
-					},
-					{
-						"name": "compat"
-					},
-					{
-						"name": "graphql"
-					},
-					{
-						"name": "assets"
-					}
-				],
-				"binds": [
-					{
-						"address": "[{{var_mas_server_address}}]:{{var_mas_server_port | string}}"
-					}
-				],
-				"proxy_protocol": false
-			},
-			{
-				"name": "internal",
-				"resources": [
-					{
-						"name": "health"
-					}
-				],
-				"binds": [
-					{
-						"host": "localhost",
-						"port": 8081
-					}
-				],
-				"proxy_protocol": false
-			}
-		],
-		"trusted_proxies": [
-			"192.168.0.0/16",
-			"172.16.0.0/12",
-			"10.0.0.0/10",
-			"127.0.0.1/8",
-			"fd00::/8",
-			"::1/128"
-		],
-		"public_base": "http://{{var_mas_server_address}}]:{{var_mas_server_port | string}}/",
-		"issuer": "http://{{var_mas_server_address}}]:{{var_mas_server_port | string}}/"
-	},
-	"matrix": {
-		"homeserver": "{{var_mas_matrix_server}}",
-		"secret": "{{var_mas_matrix_secret}}",
-		"endpoint": "{{var_mas_matrix_endpoint}}"
-	},
-	"secrets": {
-		"encryption": "{{var_mas_encryption_key}}",
-		"keys": [
-			"__TODO__"
-		]
-	},
-	"passwords": {
-		"enabled": true,
-		"schemas": [
-			{
-				"version": 1,
-				"algorithm": "argon2id"
-			}
-		],
-		"minimum_complexity": 3
-	},
-{% if var_mas_authentication_upstream_kind == 'none' %}
-{% endif %}
-{% if var_mas_authentication_upstream_kind == 'authelia' %}
-	"upstream_oauth2": {
-		"providers": [
-			{
-				"id": "{{var_mas_authentication_upstream_data_authelia_name}}",
-				"issuer": "{{var_mas_authentication_upstream_data_authelia_url_base}}",
-				"authorization_endpoint": "{{var_mas_authentication_upstream_data_authelia_url_base}}/api/oidc/authorization",
-				"token_endpoint": "{{var_mas_authentication_upstream_data_authelia_url_base}}/api/oidc/token",
-				"token_endpoint_auth_method": "{{var_mas_authentication_upstream_data_authelia_auth_method}}",
-				"scope": "{{var_mas_authentication_upstream_data_authelia_scope}}",
-				"client_id": "{{var_mas_authentication_upstream_data_authelia_client_id}}",
-				"client_secret": "{{var_mas_authentication_upstream_data_authelia_client_secret}}"
-			}
-		]
-	},
-{% endif %}	
-	"email": {
-		"from": "'\"Authentication Service\" <root@localhost>'",
-		"reply_to": "'\"Authentication Service\" <root@localhost>'",
-		"transport": "blackhole"
-	}
-}

roles/mas/templates/config-database.json.j2

@@ -0,0 +1,9 @@
+{
+	"database": {
+		"host": "{{var_mas_database_host}}",
+		"port": {{var_mas_database_port | string}},
+		"username": "{{var_mas_database_username}}",
+		"password": "{{var_mas_database_password}}",
+		"database": "{{var_mas_database_schema}}"
+	}
+}

roles/mas/templates/config-email.json.j2

@@ -0,0 +1,7 @@
+{
+	"email": {
+		"from": "Authentication Service <root@localhost>",
+		"reply_to": "Authentication Service <root@localhost>",
+		"transport": "blackhole"
+	}
+}

roles/mas/templates/config-http.json.j2

@@ -0,0 +1,60 @@
+{
+	"http": {
+		"listeners": [
+			{
+				"name": "web",
+				"resources": [
+					{
+						"name": "discovery"
+					},
+					{
+						"name": "human"
+					},
+					{
+						"name": "oauth"
+					},
+					{
+						"name": "compat"
+					},
+					{
+						"name": "graphql"
+					},
+					{
+						"name": "assets"
+					}
+				],
+				"binds": [
+					{
+						"address": "{{var_mas_server_server_address}}:{{var_mas_server_server_port | string}}"
+					}
+				],
+				"proxy_protocol": false
+			},
+			{
+				"name": "internal",
+				"resources": [
+					{
+						"name": "health"
+					}
+				],
+				"binds": [
+					{
+						"host": "localhost",
+						"port": 8081
+					}
+				],
+				"proxy_protocol": false
+			}
+		],
+		"trusted_proxies": [
+			"192.168.0.0/16",
+			"172.16.0.0/12",
+			"10.0.0.0/10",
+			"127.0.0.1/8",
+			"fd00::/8",
+			"::1/128"
+		],
+		"public_base": "https://{{var_mas_server_server_domain}}/",
+		"issuer": "https://{{var_mas_server_server_domain}}/"
+	}
+}

roles/mas/templates/config-matrix.json.j2

@@ -0,0 +1,7 @@
+{
+	"matrix": {
+		"homeserver": "{{var_mas_matrix_server}}",
+		"secret": "{{var_mas_matrix_secret}}",
+		"endpoint": "{{var_mas_matrix_endpoint}}"
+	}
+}

roles/mas/templates/config-upstream.json.j2

@@ -0,0 +1,35 @@
+{
+{% if var_mas_authentication_upstream_kind == 'none' %}
+{% endif %}
+{% if var_mas_authentication_upstream_kind == 'authelia' %}
+	"upstream_oauth2": {
+		"providers": [
+			{
+				"id": "{{var_mas_authentication_upstream_data_authelia_id}}",
+				"issuer": "{{var_mas_authentication_upstream_data_authelia_url_base}}",
+				"authorization_endpoint": "{{var_mas_authentication_upstream_data_authelia_url_base}}/api/oidc/authorization",
+				"token_endpoint": "{{var_mas_authentication_upstream_data_authelia_url_base}}/api/oidc/token",
+				"token_endpoint_auth_method": "{{var_mas_authentication_upstream_data_authelia_auth_method}}",
+				"scope": "{{var_mas_authentication_upstream_data_authelia_scope}}",
+				"discovery_mode": "insecure",
+				"client_id": "{{var_mas_authentication_upstream_data_authelia_client_id}}",
+				"client_secret": "{{var_mas_authentication_upstream_data_authelia_client_secret}}",
+				"claims_imports": {
+					"localpart": {
+						"action": "require",
+						"template": "{{"{{"}} user.preferred_username {{"}}"}}"
+					},
+					"displayname": {
+						"action": "suggest",
+						"template": "{{"{{"}} user.name {{"}}"}}"
+					},
+					"email": {
+						"action": "suggest",
+						"template": "{{"{{"}} user.email {{"}}"}}",
+						"set_email_verification": "always"
+					}
+				}
+		]
+	}
+{% endif %}	
+}

roles/mas/vardef.json

@@ -7,6 +7,18 @@
 		"type": "string",
 		"mandatory": false
 	},
+	"server_address": {
+		"type": "string",
+		"mandatory": false
+	},
+	"server_port": {
+		"type": "string",
+		"mandatory": false
+	},
+	"domain": {
+		"type": "string",
+		"mandatory": false
+	},
 	"database_host": {
 		"type": "string",
 		"mandatory": false
@@ -21,7 +33,7 @@
 	},
 	"database_password": {
 		"type": "string",
-		"mandatory": false
+		"mandatory": true
 	},
 	"database_schema": {
 		"type": "string",
@@ -33,7 +45,7 @@
 	},
 	"matrix_secret": {
 		"type": "string",
-		"mandatory": false
+		"mandatory": true
 	},
 	"matrix_endpoint": {
 		"type": "string",
@@ -41,7 +53,7 @@
 	},
 	"encryption_key": {
 		"type": "string",
-		"mandatory": false
+		"mandatory": true
 	},
 	"authentication_upstream_kind": {
 		"nullable": false,
@@ -63,9 +75,10 @@
 		"type": "string",
 		"mandatory": false
 	},
-	"authentication_upstream_data_authelia_name": {
+	"authentication_upstream_data_authelia_id": {
 		"type": "string",
-		"mandatory": false
+		"mandatory": false,
+		"description": "needs to be a ULID"
 	},
 	"authentication_upstream_data_authelia_client_id": {
 		"type": "string",

roles/synapse-and-nginx/info.md

@@ -6,3 +6,9 @@
 ## Verweise
 
 - [Synapse-Dokumentation über die Nutzung von Reverse-Proxies](https://matrix-org.github.io/synapse/latest/reverse_proxy.html)
+
+
+## ToDo
+
+- MAS-Einbindung (siehe https://element-hq.github.io/matrix-authentication-service/setup/reverse-proxy.html)
+

roles/synapse-and-nginx/templates/conf.j2

@@ -1,5 +1,5 @@
 {% macro synapse_common() %}
-	location ~ ^(/_matrix|/_synapse/client) {
+	location ~ ^(/_matrix|/_synapse/client|/.well-known) {
 		proxy_pass http://localhost:8008;
 		proxy_set_header X-Forwarded-For $remote_addr;
 		proxy_set_header X-Forwarded-Proto $scheme;

roles/synapse/defaults/main.json

@@ -21,7 +21,7 @@
 	"var_synapse_authentication_data_authelia_client_secret": "REPLACE_ME",
 	"var_synapse_authentication_data_authelia_url_base": "https://authelia.example.org",
 	"var_synapse_authentication_data_mas_url_base": "http://localhost:2839",
-	"var_synapse_authentication_data_mas_client_id": "synapse",
+	"var_synapse_authentication_data_mas_client_id": "01JAE3YFB91XFWEDQY0WFDW5VN",
 	"var_synapse_authentication_data_mas_client_secret": "REPLACE_ME",
 	"var_synapse_authentication_data_mas_admin_token": "REPLACE_ME",
 	"var_synapse_authentication_data_mas_provider_id": "mas",

roles/synapse/tasks/main.json

@@ -7,6 +7,13 @@
 			"dest": "/etc/apt/sources.list.d/bullseye-backports-for-synapse.list"
 		}
 	},
+	{
+		"name": "update sources",
+		"become": true,
+		"ansible.builtin.apt": {
+			"update_cache": true
+		}
+	},
 	{
 		"name": "prepare package installation | server-name",
 		"become": true,