overmind
/
matrix-docker-ansible-deploy
mirror da https://github.com/spantaleev/matrix-docker-ansible-deploy


			
							# SPDX-FileCopyrightText: 2024 - 2025 Slavi Pantaleev
# SPDX-FileCopyrightText: 2025 Suguru Hirahara
#
# SPDX-License-Identifier: AGPL-3.0-or-later

---

# matrix-authentication-service (MAS) is an OAuth 2.0 and OpenID Provider server for Matrix.
# Project source code URL: https://github.com/element-hq/matrix-authentication-service

matrix_authentication_service_enabled: true

matrix_authentication_service_hostname: ''

# Controls the path prefix for the authentication service.
# This value must either be `/` or not end with a slash (e.g. `/auth`).
matrix_authentication_service_path_prefix: /

matrix_authentication_service_container_image_self_build: false
matrix_authentication_service_container_repo: "https://github.com/element-hq/matrix-authentication-service.git"
matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authentication_service_version == 'latest' else ('v' + matrix_authentication_service_version) }}"
matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src"

# renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service
matrix_authentication_service_version: 1.12.0
matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}"
matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}"
matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/"
matrix_authentication_service_container_image: "{{ matrix_authentication_service_container_image_registry_prefix }}element-hq/matrix-authentication-service:{{ matrix_authentication_service_version }}"
matrix_authentication_service_container_image_force_pull: "{{ matrix_authentication_service_container_image.endswith(':latest') }}"

matrix_authentication_service_base_path: "{{ matrix_base_data_path }}/matrix-authentication-service"
matrix_authentication_service_bin_path: "{{ matrix_authentication_service_base_path }}/bin"
matrix_authentication_service_config_path: "{{ matrix_authentication_service_base_path }}/config"
matrix_authentication_service_data_path: "{{ matrix_authentication_service_base_path }}/data"
matrix_authentication_service_data_keys_path: "{{ matrix_authentication_service_data_path }}/keys"

matrix_authentication_service_uid: "{{ matrix_user_uid }}"
matrix_authentication_service_gid: "{{ matrix_user_gid }}"

matrix_authentication_service_container_network: ""

matrix_authentication_service_container_additional_networks: "{{ matrix_authentication_service_container_additional_networks_auto + matrix_authentication_service_container_additional_networks_custom }}"
matrix_authentication_service_container_additional_networks_auto: []
matrix_authentication_service_container_additional_networks_custom: []

# A list of extra arguments to pass to the container
matrix_authentication_service_container_extra_arguments: []

# List of systemd services that matrix-authentication-service.service depends on
matrix_authentication_service_systemd_required_services_list: "{{ matrix_authentication_service_systemd_required_services_list_default + matrix_authentication_service_systemd_required_services_list_auto + matrix_authentication_service_systemd_required_services_list_custom }}"
matrix_authentication_service_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
matrix_authentication_service_systemd_required_services_list_auto: []
matrix_authentication_service_systemd_required_services_list_custom: []

# List of systemd services that matrix-authentication-service.service wants
matrix_authentication_service_systemd_wanted_services_list: "{{ matrix_authentication_service_systemd_wanted_services_list_auto + matrix_authentication_service_systemd_wanted_services_list_custom }}"
matrix_authentication_service_systemd_wanted_services_list_auto: []
matrix_authentication_service_systemd_wanted_services_list_custom: []

########################################################################################
#                                                                                      #
# Key management                                                                       #
#                                                                                      #
########################################################################################

# Controls whether the playbook will manage the secrets keys for you.
#
# See:
# - matrix_authentication_service_config_secrets_keys
# - matrix_authentication_service_key_management_*
matrix_authentication_service_key_management_enabled: true

matrix_authentication_service_key_management_list: "{{ matrix_authentication_service_key_management_list_default + matrix_authentication_service_key_management_list_custom }}"
matrix_authentication_service_key_management_list_default: |-
  {{
    (
      ([
        {
          "config": {
            "kid": matrix_authentication_service_key_management_rsa_2048_key_id,
            "key_file": ("/keys/" + matrix_authentication_service_key_management_rsa_2048_key_file),
          },
          "key_file": matrix_authentication_service_key_management_rsa_2048_key_file,
          "generation_command": matrix_authentication_service_key_management_rsa_2048_generation_command,
        }
      ] if matrix_authentication_service_key_management_rsa_2048_enabled else [])
      +
      ([
        {
          "config": {
            "kid": matrix_authentication_service_key_management_ecdsa_p256_key_id,
            "key_file": ("/keys/" + matrix_authentication_service_key_management_ecdsa_p256_key_file),
          },
          "key_file": matrix_authentication_service_key_management_ecdsa_p256_key_file,
          "generation_command": matrix_authentication_service_key_management_ecdsa_p256_generation_command,
        }
      ] if matrix_authentication_service_key_management_ecdsa_p256_enabled else [])
      +
      ([
        {
          "config": {
            "kid": matrix_authentication_service_key_management_ecdsa_p384_key_id,
            "key_file": ("/keys/" + matrix_authentication_service_key_management_ecdsa_p384_key_file),
          },
          "key_file": matrix_authentication_service_key_management_ecdsa_p384_key_file,
          "generation_command": matrix_authentication_service_key_management_ecdsa_p384_generation_command,
        }
      ] if matrix_authentication_service_key_management_ecdsa_p384_enabled else [])
      +
      ([
        {
          "config": {
            "kid": matrix_authentication_service_key_management_ecdsa_k256_key_id,
            "key_file": ("/keys/" + matrix_authentication_service_key_management_ecdsa_k256_key_file),
          },
          "key_file": matrix_authentication_service_key_management_ecdsa_k256_key_file,
          "generation_command": matrix_authentication_service_key_management_ecdsa_k256_generation_command,
        }
      ] if matrix_authentication_service_key_management_ecdsa_k256_enabled else [])
    )
    if matrix_authentication_service_key_management_enabled
    else []
  }}
matrix_authentication_service_key_management_list_custom: []

matrix_authentication_service_key_management_rsa_2048_enabled: true
matrix_authentication_service_key_management_rsa_2048_key_id: default-rsa
matrix_authentication_service_key_management_rsa_2048_key_file: rsa-2048.priv.pem
matrix_authentication_service_key_management_rsa_2048_generation_command: "openssl genpkey -algorithm RSA -out __KEY_FILE_PATH__ -pkeyopt rsa_keygen_bits:2048"

matrix_authentication_service_key_management_ecdsa_p256_enabled: true
matrix_authentication_service_key_management_ecdsa_p256_key_id: default-ecdsa-p256
matrix_authentication_service_key_management_ecdsa_p256_key_file: ecdsa-p256.priv.pem
matrix_authentication_service_key_management_ecdsa_p256_generation_command: "openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out __KEY_FILE_PATH__ -outform PEM"
matrix_authentication_service_key_management_ecdsa_p384_enabled: true
matrix_authentication_service_key_management_ecdsa_p384_key_id: default-ecdsa-p384
matrix_authentication_service_key_management_ecdsa_p384_key_file: ecdsa-p384.priv.pem
matrix_authentication_service_key_management_ecdsa_p384_generation_command: "openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp384r1 -out __KEY_FILE_PATH__ -outform PEM"

matrix_authentication_service_key_management_ecdsa_k256_enabled: true
matrix_authentication_service_key_management_ecdsa_k256_key_id: default-ecdsa-k256
matrix_authentication_service_key_management_ecdsa_k256_key_file: ecdsa-k256.priv.pem
matrix_authentication_service_key_management_ecdsa_k256_generation_command: "openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp256k1 -out __KEY_FILE_PATH__ -outform PEM"

########################################################################################
#                                                                                      #
# /Key management                                                                      #
#                                                                                      #
########################################################################################


########################################################################################
#                                                                                      #
# Email configuration                                                                  #
#                                                                                      #
########################################################################################

# Controls the `email.from` configuration setting.
matrix_authentication_service_config_email_from: '"{{ matrix_authentication_service_config_email_from_name }}" <{{ matrix_authentication_service_config_email_from_address }}>'
matrix_authentication_service_config_email_from_name: 'Matrix Authentication Service'
matrix_authentication_service_config_email_from_address: "matrix@{{ matrix_domain }}"

# Controls the `email.reply_to` configuration setting.
matrix_authentication_service_config_email_reply_to: '"{{ matrix_authentication_service_config_email_reply_to_name }}" <{{ matrix_authentication_service_config_email_reply_to_address }}>'
matrix_authentication_service_config_email_reply_to_name: "{{ matrix_authentication_service_config_email_from_name }}"
matrix_authentication_service_config_email_reply_to_address: "{{ matrix_authentication_service_config_email_from_address }}"

# Controls the `email.transport` configuration setting.
#
# Valid values: blackhole, smtp, aws_ses
# Upstream reports that `sendmail` is supported as well,
# but this is not true when running it in a container image due to the `sendmail` binary not being included.
matrix_authentication_service_config_email_transport: blackhole

# Controls the `email.mode` configuration setting for SMTP.
# Valid values: plain, tls, starttls
matrix_authentication_service_config_email_mode: plain

# Controls the `email.hostname` configuration setting for SMTP.
matrix_authentication_service_config_email_hostname: ""

# Controls the `email.port` configuration setting for SMTP.
matrix_authentication_service_config_email_port: 587

# Controls the `email.username` configuration setting for SMTP.
matrix_authentication_service_config_email_username: ""

# Controls the `email.password` configuration setting for SMTP.
matrix_authentication_service_config_email_password: ""

########################################################################################
#                                                                                      #
# /Email configuration                                                                 #
#                                                                                      #
########################################################################################


########################################################################################
#                                                                                      #
# Account configuration                                                                #
#                                                                                      #
########################################################################################

# Controls the `account.email_change_allowed` configuration setting.
#
# Whether users are allowed to change their email addresses.
matrix_authentication_service_config_account_email_change_allowed: true

# Controls the `account.displayname_change_allowed` configuration setting.
#
# Whether users are allowed to change their display names.
# This should be in sync with the policy in the homeserver configuration.
matrix_authentication_service_config_account_displayname_change_allowed: true

# Controls the `account.password_registration_enabled` configuration setting.
#
# Whether to enable self-service password registration.
# This has no effect if password login is disabled.
matrix_authentication_service_config_account_password_registration_enabled: false

# Controls the `account.password_registration_email_required` configuration setting.
#
# Whether self-service password registrations require a valid email.
matrix_authentication_service_config_account_password_registration_email_required: true

# Controls the `account.password_change_allowed` configuration setting.
#
# Whether users are allowed to change their passwords.
# This has no effect if password login is disabled.
matrix_authentication_service_config_account_password_change_allowed: true

# Controls the `account.password_recovery_enabled` configuration setting.
#
# Whether email-based password recovery is enabled.
# This has no effect if password login is disabled.
matrix_authentication_service_config_account_password_recovery_enabled: false

# Controls the `account.account_deactivation_allowed` configuration setting.
#
# Whether users are allowed to delete their own account
matrix_authentication_service_config_account_account_deactivation_allowed: true

# Controls the `account.login_with_email_allowed` configuration setting.
#
# Whether users can log in with their email address.
# This has no effect if password login is disabled.
matrix_authentication_service_config_account_login_with_email_allowed: false

# Controls the `account.registration_token_required` configuration setting.
#
# Whether registration tokens are required for password registrations.
# When enabled, users must provide a valid registration token during password
# registration. This has no effect if password registration is disabled.
matrix_authentication_service_config_account_registration_token_required: false

########################################################################################
#                                                                                      #
# /Account configuration                                                               #
#                                                                                      #
########################################################################################


########################################################################################
#                                                                                      #
# Database configuration                                                               #
#                                                                                      #
########################################################################################

# Controls the `database.username` configuration setting.
matrix_authentication_service_config_database_username: 'matrix_authentication_service'

# Controls the `database.password` configuration setting.
matrix_authentication_service_config_database_password: ''

# Controls the `database.host` configuration setting.
matrix_authentication_service_config_database_host: ''

# Controls the `database.port` configuration setting.
matrix_authentication_service_config_database_port: 5432

# Controls the `database.database` configuration setting.
matrix_authentication_service_config_database_database: 'matrix_authentication_service'

# Controls the `database.ssl_mode` configuration setting.
matrix_authentication_service_config_database_ssl_mode: disable

# Controls the `database.max_connections` configuration setting.
matrix_authentication_service_config_database_max_connections: 10

# Controls the `database.min_connections` configuration setting.
matrix_authentication_service_config_database_min_connections: 0

# Controls the `database.connect_timeout` configuration setting.
matrix_authentication_service_config_database_connect_timeout: 30

# Controls the `database.idle_timeout` configuration setting.
matrix_authentication_service_config_database_idle_timeout: 600

# Controls the `database.max_lifetime` configuration setting.
matrix_authentication_service_config_database_max_lifetime: 1800

########################################################################################
#                                                                                      #
# /Database configuration                                                              #
#                                                                                      #
########################################################################################


########################################################################################
#                                                                                      #
# Secrets configuration                                                                #
#                                                                                      #
########################################################################################

# Controls the `secrets.encryption` configuration setting.
matrix_authentication_service_config_secrets_encryption: ''

# Controls the `secrets.keys` configuration setting.
matrix_authentication_service_config_secrets_keys: |-
  {{
    matrix_authentication_service_key_management_list | map(attribute='config') | list
    if matrix_authentication_service_key_management_enabled
    else []
  }}

########################################################################################
#                                                                                      #
# /Secrets configuration                                                               #
#                                                                                      #
########################################################################################


########################################################################################
#                                                                                      #
# HTTP configuration                                                                 #
#                                                                                      #
########################################################################################

# Controls the resources exposed by the `web` HTTP listener.
matrix_authentication_service_config_http_listener_web_resources: "{{ matrix_authentication_service_config_http_listener_web_resources_default + matrix_authentication_service_config_http_listener_web_resources_auto + matrix_authentication_service_config_http_listener_web_resources_custom }}"
matrix_authentication_service_config_http_listener_web_resources_default: |-
  {{
    [
      {'name': 'discovery'},
      {'name': 'human'},
      {'name': 'oauth'},
      {'name': 'compat'},
      {'name': 'graphql'},
      {'name': 'assets'},
    ]
    +
    ([{'name': 'adminapi'}] if matrix_authentication_service_admin_api_enabled else [])
  }}
matrix_authentication_service_config_http_listener_web_resources_auto: []
matrix_authentication_service_config_http_listener_web_resources_custom: []

# Controls the `http.public_base` configuration setting.
matrix_authentication_service_config_http_public_base: "https://{{ matrix_authentication_service_hostname }}{{ '/' if matrix_authentication_service_path_prefix == '/' else (matrix_authentication_service_path_prefix + '/') }}"

# Controls the `http.issuer` configuration setting.
matrix_authentication_service_config_http_issuer: "{{ matrix_authentication_service_config_http_public_base }}"

# Controls the `http.trusted_proxies` configuration setting.
matrix_authentication_service_config_http_trusted_proxies:
  - 192.168.0.0/16
  - 172.16.0.0/12
  - 10.0.0.0/10
  - 127.0.0.1/8
  - fd00::/8
  - ::1/128

########################################################################################
#                                                                                      #
# /HTTP configuration                                                                  #
#                                                                                      #
########################################################################################


########################################################################################
#                                                                                      #
# Matrix configuration                                                                 #
#                                                                                      #
########################################################################################

# Controls the `matrix.homeserver` configuration setting.
# The homeserver name, as per the `server_name` in the Synapse configuration file.
matrix_authentication_service_config_matrix_homeserver: ""

# Controls the `matrix.endpoint` configuration setting.
# URL to which the homeserver is accessible from the service.
matrix_authentication_service_config_matrix_endpoint: ""

# Controls the `matrix.secret` configuration setting.
matrix_authentication_service_config_matrix_secret: ""

########################################################################################
#                                                                                      #
# /Matrix configuration                                                                #
#                                                                                      #
########################################################################################


########################################################################################
#                                                                                      #
# Passwords configuration                                                              #
#                                                                                      #
########################################################################################

# Controls the `passwords.enabled` configuration setting.
# Whether to enable the password database.
# If disabled, users will only be able to log in using upstream OIDC providers.
matrix_authentication_service_config_passwords_enabled: true

# Controls the `passwords.schemes` configuration setting.
# List of password hashing schemes being used.
# Only change this if you know what you're doing.
matrix_authentication_service_config_passwords_schemes:
  - version: 1
    algorithm: argon2id

# Controls the `passwords.minimum_complexity` configuration setting.
# Minimum complexity required for passwords, estimated by the zxcvbn algorithm.
# Must be between 0 and 4. Default is 3.
# See https://github.com/dropbox/zxcvbn#usage for more information.
matrix_authentication_service_config_passwords_minimum_complexity: 3

########################################################################################
#                                                                                      #
# /Passwords configuration                                                             #
#                                                                                      #
########################################################################################


########################################################################################
#                                                                                      #
# Clients configuration                                                                #
#                                                                                      #
########################################################################################

# Controls the `clients` configuration setting.
# List of clients to be used by the authentication service.
#
# See:
# - https://element-hq.github.io/matrix-authentication-service/reference/configuration.html#clients
# - https://element-hq.github.io/matrix-authentication-service/setup/homeserver.html#provision-a-client-for-the-homeserver-to-use
#
# To define your own, use `matrix_authentication_service_config_clients_custom`.
matrix_authentication_service_config_clients: "{{ matrix_authentication_service_config_clients_auto + matrix_authentication_service_config_clients_custom }}"
matrix_authentication_service_config_clients_auto: []
matrix_authentication_service_config_clients_custom: []

########################################################################################
#                                                                                      #
# /Clients configuration                                                               #
#                                                                                      #
########################################################################################


########################################################################################
#                                                                                      #
# Upstream OAuth2 configuration                                                        #
#                                                                                      #
########################################################################################

# Controls the `upstream_oauth2.providers` configuration setting.
# See:
# - https://element-hq.github.io/matrix-authentication-service/reference/configuration.html#upstream_oauth2providers
matrix_authentication_service_config_upstream_oauth2_providers: []

########################################################################################
#                                                                                      #
# /Upstream OAuth2 configuration                                                       #
#                                                                                      #
########################################################################################


# Holds the final Matrix Authentication Service configuration (a combination of the default and its extension).
# You most likely don't need to touch this variable. Instead, see `matrix_authentication_service_configuration_yaml` or `matrix_authentication_service_configuration_extension_yaml`.
matrix_authentication_service_configuration: "{{ matrix_authentication_service_configuration_yaml | from_yaml | combine(matrix_authentication_service_configuration_extension, recursive=True) }}"

# Default Matrix Authentication Service configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#
# For a more advanced customization, you can extend the default (see `matrix_authentication_service_configuration_extension_yaml`)
# or completely replace this variable with your own template.
matrix_authentication_service_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"

matrix_authentication_service_configuration_extension_yaml: |
  # Your custom YAML configuration for Matrix Authentication Service goes here.
  # This configuration extends the default starting configuration (`matrix_authentication_service_configuration_yaml`).
  #
  # You can override individual variables from the default configuration, or introduce new ones.
  #
  # If you need something more special, you can take full control by
  # completely redefining `matrix_authentication_service_configuration_yaml`.
  #
  # Example configuration extension follows:
  #
  # user:
  #   password: something

matrix_authentication_service_configuration_extension: "{{ matrix_authentication_service_configuration_extension_yaml | from_yaml if matrix_authentication_service_configuration_extension_yaml | from_yaml is mapping else {} }}"

# Additional environment variables to pass to the Matrix Authentication Service container.
#
# Environment variables take priority over settings in the configuration file.
#
# Example:
# matrix_authentication_service_environment_variables_extension: |
#   KEY=value
matrix_authentication_service_environment_variables_extension: ''


########################################################################################
#                                                                                      #
# Labels                                                                               #
#                                                                                      #
########################################################################################

# matrix_authentication_service_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
# See `../templates/labels.j2` for details.
#
# To inject your own other container labels, see `matrix_authentication_service_container_labels_additional_labels`.
matrix_authentication_service_container_labels_traefik_enabled: true
matrix_authentication_service_container_labels_traefik_docker_network: "{{ matrix_authentication_service_container_network }}"
matrix_authentication_service_container_labels_traefik_entrypoints: web-secure
matrix_authentication_service_container_labels_traefik_tls_certResolver: default  # noqa var-naming

matrix_authentication_service_container_labels_public_main_hostname: "{{ matrix_authentication_service_hostname }}"
# The path prefix must either be `/` or not end with a slash (e.g. `/auth`).
matrix_authentication_service_container_labels_public_main_path_prefix: "{{ matrix_authentication_service_path_prefix }}"
matrix_authentication_service_container_labels_public_main_rule: "Host(`{{ matrix_authentication_service_container_labels_public_main_hostname }}`){% if matrix_authentication_service_container_labels_public_main_path_prefix != '/' %} && PathPrefix(`{{ matrix_authentication_service_container_labels_public_main_path_prefix }}`){% endif %}"
matrix_authentication_service_container_labels_public_main_priority: 0
matrix_authentication_service_container_labels_public_main_entrypoints: "{{ matrix_authentication_service_container_labels_traefik_entrypoints }}"
matrix_authentication_service_container_labels_public_main_tls: "{{ matrix_authentication_service_container_labels_public_main_entrypoints != 'web' }}"
matrix_authentication_service_container_labels_public_main_tls_certResolver: "{{ matrix_authentication_service_container_labels_traefik_tls_certResolver }}"  # noqa var-naming

# Controls whether labels will be added to expose the compatibility layer publicly.
#
# The service exposes a compatibility layer to allow legacy clients to authenticate using the service.
# This works by exposing a few Matrix endpoints that should be proxied to the service.
# The following Matrix Client-Server API endpoints need to be handled by the authentication service:
# - /_matrix/client/*/login
# - /_matrix/client/*/logout
# - /_matrix/client/*/refresh
#
# See:
# - https://element-hq.github.io/matrix-authentication-service/setup/homeserver.html#set-up-the-compatibility-layer
# - https://element-hq.github.io/matrix-authentication-service/setup/reverse-proxy.html#compatibility-layer
#
# Regardless of whether this is enabled, it may or may not take effect due to the value of other variables.
# See `matrix_authentication_service_container_labels_traefik_enabled`.
matrix_authentication_service_container_labels_public_compatibility_layer_enabled: false
matrix_authentication_service_container_labels_public_compatibility_layer_hostname: ""
matrix_authentication_service_container_labels_public_compatibility_layer_path_regexp: "^/_matrix/client/(?P<version>([^/]+))/(?P<endpoint>(login|logout|refresh))"
matrix_authentication_service_container_labels_public_compatibility_layer_rule: "Host(`{{ matrix_authentication_service_container_labels_public_compatibility_layer_hostname }}`) && PathRegexp(`{{ matrix_authentication_service_container_labels_public_compatibility_layer_path_regexp }}`)"
matrix_authentication_service_container_labels_public_compatibility_layer_priority: 0
matrix_authentication_service_container_labels_public_compatibility_layer_entrypoints: "{{ matrix_authentication_service_container_labels_traefik_entrypoints }}"
matrix_authentication_service_container_labels_public_compatibility_layer_tls: "{{ matrix_authentication_service_container_labels_public_compatibility_layer_entrypoints != 'web' }}"
matrix_authentication_service_container_labels_public_compatibility_layer_tls_certResolver: "{{ matrix_authentication_service_container_labels_traefik_tls_certResolver }}"  # noqa var-naming

# Controls whether labels will be added to expose the compatibility layer on the internal Traefik entrypoint.
# This is similar to `matrix_authentication_service_container_labels_public_compatibility_layer_enabled`, but the entrypoint and intent is different.
# Regardless of whether this is enabled, it may or may not take effect due to the value of other variables.
# See `matrix_authentication_service_container_labels_traefik_enabled`
matrix_authentication_service_container_labels_internal_compatibility_layer_enabled: false
matrix_authentication_service_container_labels_internal_compatibility_layer_path_regexp: "{{ matrix_authentication_service_container_labels_public_compatibility_layer_path_regexp }}"
matrix_authentication_service_container_labels_internal_compatibility_layer_rule: "PathRegexp(`{{ matrix_authentication_service_container_labels_internal_compatibility_layer_path_regexp }}`)"
matrix_authentication_service_container_labels_internal_compatibility_layer_priority: 0
matrix_authentication_service_container_labels_internal_compatibility_layer_entrypoints: ""

# Controls which additional headers to attach to all HTTP responses.
# To add your own headers, use `matrix_authentication_service_container_labels_traefik_additional_response_headers_custom`
matrix_authentication_service_container_labels_traefik_additional_response_headers: "{{ matrix_authentication_service_container_labels_traefik_additional_response_headers_auto | combine(matrix_authentication_service_container_labels_traefik_additional_response_headers_custom) }}"
matrix_authentication_service_container_labels_traefik_additional_response_headers_auto: {}
matrix_authentication_service_container_labels_traefik_additional_response_headers_custom: {}

# matrix_authentication_service_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
# See `../templates/labels.j2` for details.
#
# Example:
# matrix_authentication_service_container_labels_additional_labels: |
#   my.label=1
#   another.label="here"
matrix_authentication_service_container_labels_additional_labels: ''

########################################################################################
#                                                                                      #
# /Labels                                                                              #
#                                                                                      #
########################################################################################


########################################################################################
#                                                                                      #
# syn2mas configuration                                                                #
#                                                                                      #
########################################################################################

matrix_authentication_service_syn2mas_start_wait_time_seconds: 5

# The syn2mas sub-command to run.
# Valid values: migrate, check
matrix_authentication_service_syn2mas_subcommand: migrate

# Whether to pass a `--dry-run` flag to the 'migrate' sub-command.
# See `matrix_authentication_service_syn2mas_subcommand`
matrix_authentication_service_syn2mas_migrate_dry_run: false

# Path to Synapse's homeserver.yaml configuration file.
matrix_authentication_service_syn2mas_synapse_homeserver_config_path: ""

matrix_authentication_service_syn2mas_container_network: "{{ matrix_authentication_service_container_network }}"

# Additional options passed to the syn2mas sub-command (e.g. `mas-cli syn2mas [OPTIONS] migrate|check`).
# Also see: `matrix_authentication_service_syn2mas_subcommand_extra_options`
#
# Example:
# matrix_authentication_service_syn2mas_command_extra_options:
#   - "--something"
matrix_authentication_service_syn2mas_command_extra_options: []

# Additional options passed to the syn2mas sub-command (e.g. `mas-cli syn2mas migrate|check [OPTIONS]`).
# Also see: `matrix_authentication_service_syn2mas_command_extra_options`
#
# Example:
# matrix_authentication_service_syn2mas_subcommand_extra_options:
#   - "--dry-run"
matrix_authentication_service_syn2mas_subcommand_extra_options: []

########################################################################################
#                                                                                      #
# /syn2mas configuration                                                               #
#                                                                                      #
########################################################################################


########################################################################################
#                                                                                      #
# Misc                                                                                 #
#                                                                                      #
########################################################################################

# Controls whether a migration from a homeserver user database to Matrix Authentication Service is in progress.
#
# When this is set to `true`, the playbook will:
#
# - disable the integration between the homeserver and Matrix Authentication Service
# - avoid setting up the "compatibility layer" (that is, avoid installing container labels that capture login endpoints like `/_matrix/client/*/login`, etc.)
matrix_authentication_service_migration_in_progress: false

# Controls whether the admin API is enabled.
# Ref: https://element-hq.github.io/matrix-authentication-service/topics/admin-api.html#enabling-the-api
matrix_authentication_service_admin_api_enabled: false

# matrix_authentication_service_restart_necessary controls whether the service
# will be restarted (when true) or merely started (when false) by the
# systemd service manager role (when conditional restart is enabled).
#
# This value is automatically computed during installation based on whether
# any configuration files, the systemd service file, or the container image changed.
# The default of `false` means "no restart needed" — appropriate when the role's
# installation tasks haven't run (e.g., due to --tags skipping them).
matrix_authentication_service_restart_necessary: false

########################################################################################
#                                                                                      #
# /Misc                                                                                #
#                                                                                      #
########################################################################################