matrix: Integrate with Keycloak

8e4eac7d · Jan Alexander Steffens (heftig) · 33089135 · 8e4eac7d · 8e4eac7d · 8e4eac7d
Verified Commit 8e4eac7d authored Aug 19, 2020 by Jan Alexander Steffens (heftig)
--- a/README.md
+++ b/README.md
@@ -207,6 +207,12 @@ The following steps should be used to update our managed servers:
 #### Services
  - quassel core

+### matrix.archlinux.org
+
+#### Services
+  - Matrix homeserver (Synapse)
+  - Matrix ↔ IRC bridge
+
 ### homedir.archlinux.org

 #### Services

--- a/group_vars/all/vault_matrix.yml
+++ b/group_vars/all/vault_matrix.yml
--- a/roles/matrix/tasks/main.yml
+++ b/roles/matrix/tasks/main.yml
@@ -52,7 +52,7 @@
 - name: install synapse
  pip:
    name:
-      - 'matrix-synapse[postgres,systemd,url_preview,redis]'
+      - 'matrix-synapse[postgres,systemd,url_preview,redis,oidc]'
      - pip
    state: latest
    extra_args: '-U --upgrade-strategy=eager'

--- a/roles/matrix/templates/homeserver.yaml.j2
+++ b/roles/matrix/templates/homeserver.yaml.j2
@@ -1625,7 +1625,7 @@ oidc_config:
  # Uncomment the following to enable authorization against an OpenID Connect
  # server. Defaults to false.
  #
-  #enabled: true
+  enabled: true

  # Uncomment the following to disable use of the OIDC discovery mechanism to
  # discover endpoints. Defaults to true.
@@ -1637,19 +1637,19 @@ oidc_config:
  #
  # Required if 'enabled' is true.
  #
-  #issuer: "https://accounts.example.com/"
+  issuer: "https://accounts.archlinux.org/auth/realms/archlinux"

  # oauth2 client id to use.
  #
  # Required if 'enabled' is true.
  #
-  #client_id: "provided-by-your-issuer"
+  client_id: "openid_matrix"

  # oauth2 client secret to use.
  #
  # Required if 'enabled' is true.
  #
-  #client_secret: "provided-by-your-issuer"
+  client_secret: "{{ vault_matrix_openid_client_secret }}"

  # auth method to use when exchanging the token.
  # Valid values are 'client_secret_basic' (default), 'client_secret_post' and
@@ -1660,7 +1660,7 @@ oidc_config:
  # list of scopes to request. This should normally include the "openid" scope.
  # Defaults to ["openid"].
  #
-  #scopes: ["openid", "profile"]
+  scopes: ["openid", "profile"]

  # the oauth2 authorization endpoint. Required if provider discovery is disabled.
  #
@@ -1727,7 +1727,7 @@ oidc_config:
      #
      # If unset, no displayname will be set.
      #
-      #display_name_template: "{{ '{{ user.given_name }} {{ user.last_name }}' }}"
+      display_name_template: "{{ '{{ user.given_name }} {{ user.last_name }}' }}"




--- a/tf-stage2/keycloak.tf
+++ b/tf-stage2/keycloak.tf
@@ -27,6 +27,12 @@ data "external" "vault_github" {
    "--format", "json"]
 }

+data "external" "vault_matrix" {
+  program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_matrix.yml",
+    "vault_matrix_openid_client_secret",
+    "--format", "json"]
+}
+
 provider "keycloak" {
  client_id = "admin-cli"
  username = data.external.vault_keycloak.result.vault_keycloak_admin_user
@@ -170,6 +176,21 @@ resource "keycloak_openid_client" "openid_gitlab" {
  ]
 }

+resource "keycloak_openid_client" "openid_matrix" {
+  realm_id = "archlinux"
+  client_id = "openid_matrix"
+  client_secret = data.external.vault_matrix.result.vault_matrix_openid_client_secret
+
+  name = "Arch Linux Accounts"
+  enabled = true
+
+  access_type = "CONFIDENTIAL"
+  standard_flow_enabled = true
+  valid_redirect_uris = [
+    "https://matrix.archlinux.org/_synapse/oidc/callback"
+  ]
+}
+
 resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_email" {
  realm_id = "archlinux"
  client_id = keycloak_saml_client.saml_gitlab.id