Verified Commit 8e4eac7d authored by Jan Alexander Steffens (heftig)'s avatar Jan Alexander Steffens (heftig)

matrix: Integrate with Keycloak

parent 33089135
......@@ -207,6 +207,12 @@ The following steps should be used to update our managed servers:
#### Services
- quassel core
### matrix.archlinux.org
#### Services
- Matrix homeserver (Synapse)
- Matrix ↔ IRC bridge
### homedir.archlinux.org
#### Services
......@@ -52,7 +52,7 @@
- name: install synapse
pip:
name:
- 'matrix-synapse[postgres,systemd,url_preview,redis]'
- 'matrix-synapse[postgres,systemd,url_preview,redis,oidc]'
- pip
state: latest
extra_args: '-U --upgrade-strategy=eager'
......@@ -1625,7 +1625,7 @@ oidc_config:
# Uncomment the following to enable authorization against an OpenID Connect
# server. Defaults to false.
#
#enabled: true
enabled: true
# Uncomment the following to disable use of the OIDC discovery mechanism to
# discover endpoints. Defaults to true.
......@@ -1637,19 +1637,19 @@ oidc_config:
#
# Required if 'enabled' is true.
#
#issuer: "https://accounts.example.com/"
issuer: "https://accounts.archlinux.org/auth/realms/archlinux"
# oauth2 client id to use.
#
# Required if 'enabled' is true.
#
#client_id: "provided-by-your-issuer"
client_id: "openid_matrix"
# oauth2 client secret to use.
#
# Required if 'enabled' is true.
#
#client_secret: "provided-by-your-issuer"
client_secret: "{{ vault_matrix_openid_client_secret }}"
# auth method to use when exchanging the token.
# Valid values are 'client_secret_basic' (default), 'client_secret_post' and
......@@ -1660,7 +1660,7 @@ oidc_config:
# list of scopes to request. This should normally include the "openid" scope.
# Defaults to ["openid"].
#
#scopes: ["openid", "profile"]
scopes: ["openid", "profile"]
# the oauth2 authorization endpoint. Required if provider discovery is disabled.
#
......@@ -1727,7 +1727,7 @@ oidc_config:
#
# If unset, no displayname will be set.
#
#display_name_template: "{{ '{{ user.given_name }} {{ user.last_name }}' }}"
display_name_template: "{{ '{{ user.given_name }} {{ user.last_name }}' }}"
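Review bot: `display_name_template` in the last hunk interpolates `user.last_name`, but the standard OIDC claim delivered by the `profile` scope requested in the earlier hunk is `family_name`; unless the archlinux realm has a protocol mapper that emits a `last_name` claim, the rendered display name will have an empty surname. Either verify that claim name against the realm's mappers or use `display_name_template: "{{ '{{ user.given_name }} {{ user.family_name }}' }}"`. The `client_secret` line renders the vault value into homeserver.yaml in clear text, so the template's owner and file mode (outside these hunks) should restrict it to the synapse service user. Since the rest of `oidc_config` is not shown here, it is worth checking whether `allow_existing_users` (default false) is wanted for any pre-existing local Matrix accounts that should be linked to OIDC logins.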
......@@ -27,6 +27,12 @@ data "external" "vault_github" {
"--format", "json"]
}
data "external" "vault_matrix" {
program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_matrix.yml",
"vault_matrix_openid_client_secret",
"--format", "json"]
}
provider "keycloak" {
client_id = "admin-cli"
username = data.external.vault_keycloak.result.vault_keycloak_admin_user
......@@ -170,6 +176,21 @@ resource "keycloak_openid_client" "openid_gitlab" {
]
}
resource "keycloak_openid_client" "openid_matrix" {
realm_id = "archlinux"
client_id = "openid_matrix"
client_secret = data.external.vault_matrix.result.vault_matrix_openid_client_secret
name = "Arch Linux Accounts"
enabled = true
access_type = "CONFIDENTIAL"
standard_flow_enabled = true
valid_redirect_uris = [
"https://matrix.archlinux.org/_synapse/oidc/callback"
]
}
resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_email" {
realm_id = "archlinux"
client_id = keycloak_saml_client.saml_gitlab.id
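Review bot: The `client_secret` on the new `openid_matrix` resource, like the result of the `vault_matrix` external data source in the previous hunk, ends up in clear text in Terraform state; this mirrors the existing `vault_github` pattern, so the point is only to confirm the state backend is access-controlled and the state file is never committed. `name = "Arch Linux Accounts"` describes the identity provider rather than this client; if Keycloak shows this string on consent or account pages, a client-specific value such as `name = "Matrix (matrix.archlinux.org)"` would be clearer, though I cannot see what `openid_gitlab` above uses. The single exact `valid_redirect_uris` entry with no wildcard is the right shape for an authorization-code client.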