Verified Commit 8e4eac7d authored by Jan Alexander Steffens (heftig)'s avatar Jan Alexander Steffens (heftig)

matrix: Integrate with Keycloak

parent 33089135
...@@ -207,6 +207,12 @@ The following steps should be used to update our managed servers: ...@@ -207,6 +207,12 @@ The following steps should be used to update our managed servers:
#### Services #### Services
- quassel core - quassel core
### matrix.archlinux.org
#### Services
- Matrix homeserver (Synapse)
- Matrix ↔ IRC bridge
### homedir.archlinux.org ### homedir.archlinux.org
#### Services #### Services
...@@ -52,7 +52,7 @@ ...@@ -52,7 +52,7 @@
- name: install synapse - name: install synapse
pip: pip:
name: name:
- 'matrix-synapse[postgres,systemd,url_preview,redis]' - 'matrix-synapse[postgres,systemd,url_preview,redis,oidc]'
- pip - pip
state: latest state: latest
extra_args: '-U --upgrade-strategy=eager' extra_args: '-U --upgrade-strategy=eager'
...@@ -1625,7 +1625,7 @@ oidc_config: ...@@ -1625,7 +1625,7 @@ oidc_config:
# Uncomment the following to enable authorization against an OpenID Connect # Uncomment the following to enable authorization against an OpenID Connect
# server. Defaults to false. # server. Defaults to false.
# #
#enabled: true enabled: true
# Uncomment the following to disable use of the OIDC discovery mechanism to # Uncomment the following to disable use of the OIDC discovery mechanism to
# discover endpoints. Defaults to true. # discover endpoints. Defaults to true.
...@@ -1637,19 +1637,19 @@ oidc_config: ...@@ -1637,19 +1637,19 @@ oidc_config:
# #
# Required if 'enabled' is true. # Required if 'enabled' is true.
# #
#issuer: "https://accounts.example.com/" issuer: "https://accounts.archlinux.org/auth/realms/archlinux"
# oauth2 client id to use. # oauth2 client id to use.
# #
# Required if 'enabled' is true. # Required if 'enabled' is true.
# #
#client_id: "provided-by-your-issuer" client_id: "openid_matrix"
# oauth2 client secret to use. # oauth2 client secret to use.
# #
# Required if 'enabled' is true. # Required if 'enabled' is true.
# #
#client_secret: "provided-by-your-issuer" client_secret: "{{ vault_matrix_openid_client_secret }}"
# auth method to use when exchanging the token. # auth method to use when exchanging the token.
# Valid values are 'client_secret_basic' (default), 'client_secret_post' and # Valid values are 'client_secret_basic' (default), 'client_secret_post' and
...@@ -1660,7 +1660,7 @@ oidc_config: ...@@ -1660,7 +1660,7 @@ oidc_config:
# list of scopes to request. This should normally include the "openid" scope. # list of scopes to request. This should normally include the "openid" scope.
# Defaults to ["openid"]. # Defaults to ["openid"].
# #
#scopes: ["openid", "profile"] scopes: ["openid", "profile"]
# the oauth2 authorization endpoint. Required if provider discovery is disabled. # the oauth2 authorization endpoint. Required if provider discovery is disabled.
# #
...@@ -1727,7 +1727,7 @@ oidc_config: ...@@ -1727,7 +1727,7 @@ oidc_config:
# #
# If unset, no displayname will be set. # If unset, no displayname will be set.
# #
#display_name_template: "{{ '{{ user.given_name }} {{ user.last_name }}' }}" display_name_template: "{{ '{{ user.given_name }} {{ user.last_name }}' }}"
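Review bot: `display_name_template` in the last hunk references `user.last_name`, which is not a standard OIDC profile claim; Keycloak's built-in `profile` scope maps the surname to `family_name`, so with the scopes requested in the earlier hunk (`scopes: ["openid", "profile"]`) the rendered display name is likely to contain only the given name. Unless the realm adds a custom `last_name` mapper, the line should read `display_name_template: "{{ '{{ user.given_name }} {{ user.family_name }}' }}"`. Separately, `client_secret: "{{ vault_matrix_openid_client_secret }}"` now renders the vault value into homeserver.yaml in plaintext, so the mode and ownership of the deployed file matter; those are set outside this diff and worth confirming.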
...@@ -27,6 +27,12 @@ data "external" "vault_github" { ...@@ -27,6 +27,12 @@ data "external" "vault_github" {
"--format", "json"] "--format", "json"]
} }
data "external" "vault_matrix" {
program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_matrix.yml",
"vault_matrix_openid_client_secret",
"--format", "json"]
}
provider "keycloak" { provider "keycloak" {
client_id = "admin-cli" client_id = "admin-cli"
username = data.external.vault_keycloak.result.vault_keycloak_admin_user username = data.external.vault_keycloak.result.vault_keycloak_admin_user
...@@ -170,6 +176,21 @@ resource "keycloak_openid_client" "openid_gitlab" { ...@@ -170,6 +176,21 @@ resource "keycloak_openid_client" "openid_gitlab" {
] ]
} }
resource "keycloak_openid_client" "openid_matrix" {
realm_id = "archlinux"
client_id = "openid_matrix"
client_secret = data.external.vault_matrix.result.vault_matrix_openid_client_secret
name = "Arch Linux Accounts"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
valid_redirect_uris = [
"https://matrix.archlinux.org/_synapse/oidc/callback"
]
}
resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_email" { resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_email" {
realm_id = "archlinux" realm_id = "archlinux"
client_id = keycloak_saml_client.saml_gitlab.id client_id = keycloak_saml_client.saml_gitlab.id
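Review bot: The new `keycloak_openid_client.openid_matrix` resource sets `name = "Arch Linux Accounts"`, which reads like a label copied from another client rather than one for Matrix; this string is what Keycloak shows users for the client, so something like `name = "Matrix"` would be clearer. The exact `valid_redirect_uris` entry and `access_type = "CONFIDENTIAL"` fit Synapse's server-side authorization-code flow. Note that `data.external.vault_matrix` places the client secret in Terraform state in plaintext, as the existing `vault_github` and `vault_keycloak` sources already do; whether that state backend is access-controlled is not visible here.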