David Runge / infrastructure / Commits
Commit 8e4eac7d (Verified)
authored Aug 19, 2020 by Jan Alexander Steffens (heftig)
matrix: Integrate with Keycloak
parent 33089135
Changes: 5
README.md
...
...
@@ -207,6 +207,12 @@ The following steps should be used to update our managed servers:
#### Services
-
quassel core
### matrix.archlinux.org
#### Services
-
Matrix homeserver (Synapse)
-
Matrix ↔ IRC bridge
### homedir.archlinux.org
#### Services
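Review bot: the new matrix.archlinux.org section lists only the homeserver and the IRC bridge, but the rest of this commit delegates Synapse login to Keycloak; add a line under "Services" noting that user authentication goes through OIDC against the `archlinux` realm (client `openid_matrix`), so an operator debugging a login failure knows the identity provider is involved and where the client secret lives (`group_vars/all/vault_matrix.yml`).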
...
...
group_vars/all/vault_matrix.yml
roles/matrix/tasks/main.yml
...
...
@@ -52,7 +52,7 @@
-
name
:
install synapse
pip
:
name
:
-
'
matrix-synapse[postgres,systemd,url_preview,redis]'
-
'
matrix-synapse[postgres,systemd,url_preview,redis
,oidc
]'
-
pip
state
:
latest
extra_args
:
'
-U
--upgrade-strategy=eager'
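Review bot: `state: latest` combined with `-U --upgrade-strategy=eager` makes every playbook run pull the newest `matrix-synapse` and the newest version of every dependency, and the newly added `oidc` extra (which pulls in the OpenID client library) joins that unpinned upgrade. Since this now sits on the authentication path, consider pinning the Synapse release with the pip module's `version:` parameter (bumped deliberately), or at least dropping `--upgrade-strategy=eager`, so a routine run cannot silently change the auth stack.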
...
...
roles/matrix/templates/homeserver.yaml.j2
...
...
@@ -1625,7 +1625,7 @@ oidc_config:
# Uncomment the following to enable authorization against an OpenID Connect
# server. Defaults to false.
#
#
enabled: true
enabled
:
true
# Uncomment the following to disable use of the OIDC discovery mechanism to
# discover endpoints. Defaults to true.
...
...
@@ -1637,19 +1637,19 @@ oidc_config:
#
# Required if 'enabled' is true.
#
#
issuer: "https://accounts.
example.com/
"
issuer
:
"
https://accounts.
archlinux.org/auth/realms/archlinux
"
# oauth2 client id to use.
#
# Required if 'enabled' is true.
#
#
client_id: "
provided-by-your-issuer
"
client_id
:
"
openid_matrix
"
# oauth2 client secret to use.
#
# Required if 'enabled' is true.
#
#
client_secret: "
provided-by-your-issuer
"
client_secret
:
"
{{
vault_matrix_openid_client_secret
}}
"
# auth method to use when exchanging the token.
# Valid values are 'client_secret_basic' (default), 'client_secret_post' and
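Review bot: `client_secret` is now rendered into `homeserver.yaml` from `vault_matrix_openid_client_secret`, so the rendered file must be readable only by the synapse user; please confirm the task that writes this template sets a restrictive mode (not visible in this diff). Also note that `issuer` must match the `iss` claim Keycloak emits byte for byte, including the absence of a trailing slash: `https://accounts.archlinux.org/auth/realms/archlinux` is the form Keycloak uses for a realm, so keep it exactly as written and do not "normalise" it later.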
...
...
@@ -1660,7 +1660,7 @@ oidc_config:
# list of scopes to request. This should normally include the "openid" scope.
# Defaults to ["openid"].
#
#
scopes: ["openid", "profile"]
scopes
:
[
"
openid"
,
"
profile"
]
# the oauth2 authorization endpoint. Required if provider discovery is disabled.
#
...
...
@@ -1727,7 +1727,7 @@ oidc_config:
#
# If unset, no displayname will be set.
#
#
display_name_template: "{{ '{{ user.given_name }} {{ user.last_name }}' }}"
display_name_template
:
"
{{
'{{
user.given_name
}}
{{
user.last_name
}}'
}}"
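Review bot: `user.last_name` is not a standard OIDC claim. The `profile` scope requested in this file delivers the surname as `family_name` (Keycloak's built-in "family name" mapper emits that claim name), so this template will most likely render only the given name followed by a space unless the `archlinux` realm has a custom mapper that emits `last_name`. Suggest `"{{ '{{ user.given_name }} {{ user.family_name }}' }}"`, keeping the outer quoting that stops Ansible from expanding the inner braces, or verify the realm's protocol mappers before merging.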
...
...
tf-stage2/keycloak.tf
...
...
@@ -27,6 +27,12 @@ data "external" "vault_github" {
"--format"
,
"json"
]
}
data
"external"
"vault_matrix"
{
program
=
[
"
${
path
.
module}
/../misc/get_key.py"
,
"group_vars/all/vault_matrix.yml"
,
"vault_matrix_openid_client_secret"
,
"--format"
,
"json"
]
}
provider
"keycloak"
{
client_id
=
"admin-cli"
username
=
data
.
external
.
vault_keycloak
.
result
.
vault_keycloak_admin_user
...
...
@@ -170,6 +176,21 @@ resource "keycloak_openid_client" "openid_gitlab" {
]
}
resource
"keycloak_openid_client"
"openid_matrix"
{
realm_id
=
"archlinux"
client_id
=
"openid_matrix"
client_secret
=
data
.
external
.
vault_matrix
.
result
.
vault_matrix_openid_client_secret
name
=
"Arch Linux Accounts"
enabled
=
true
access_type
=
"CONFIDENTIAL"
standard_flow_enabled
=
true
valid_redirect_uris
=
[
"https://matrix.archlinux.org/_synapse/oidc/callback"
]
}
resource
"keycloak_saml_user_property_protocol_mapper"
"gitlab_saml_email"
{
realm_id
=
"archlinux"
client_id
=
keycloak_saml_client
.
saml_gitlab
.
id
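Review bot: enabling only the standard (authorization code) flow with a single exact redirect URI is the right shape for Synapse's `/_synapse/oidc/callback`. Make the remaining grant settings explicit rather than relying on provider defaults, so a future provider upgrade cannot widen the client: add `implicit_flow_enabled = false`, `direct_access_grants_enabled = false` and `service_accounts_enabled = false` to the `openid_matrix` resource. Keep `valid_redirect_uris` free of wildcards as it is now.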
...
...