Matrix Docker Ansible eploy
Du kannst nicht mehr als 25 Themen auswählen Themen müssen entweder mit einem Buchstaben oder einer Ziffer beginnen. Sie können Bindestriche („-“) enthalten und bis zu 35 Zeichen lang sein.
 
 

711 Zeilen
42 KiB

  1. # SPDX-FileCopyrightText: 2024 - 2025 Slavi Pantaleev
  2. # SPDX-FileCopyrightText: 2025 Suguru Hirahara
  3. #
  4. # SPDX-License-Identifier: AGPL-3.0-or-later
  5. ---
  6. # matrix-authentication-service (MAS) is an OAuth 2.0 and OpenID Provider server for Matrix.
  7. # Project source code URL: https://github.com/element-hq/matrix-authentication-service
  8. matrix_authentication_service_enabled: true
  9. matrix_authentication_service_hostname: ''
  10. # Controls the path prefix for the authentication service.
  11. # This value must either be `/` or not end with a slash (e.g. `/auth`).
  12. matrix_authentication_service_path_prefix: /
  13. matrix_authentication_service_container_image_self_build: false
  14. matrix_authentication_service_container_repo: "https://github.com/element-hq/matrix-authentication-service.git"
  15. matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authentication_service_version == 'latest' else ('v' + matrix_authentication_service_version) }}"
  16. matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src"
  17. # renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service
  18. matrix_authentication_service_version: 1.20.0
  19. matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}"
  20. matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}"
  21. matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/"
  22. matrix_authentication_service_container_image: "{{ matrix_authentication_service_container_image_registry_prefix }}element-hq/matrix-authentication-service:{{ matrix_authentication_service_version }}"
  23. matrix_authentication_service_base_path: "{{ matrix_base_data_path }}/matrix-authentication-service"
  24. matrix_authentication_service_bin_path: "{{ matrix_authentication_service_base_path }}/bin"
  25. matrix_authentication_service_config_path: "{{ matrix_authentication_service_base_path }}/config"
  26. matrix_authentication_service_data_path: "{{ matrix_authentication_service_base_path }}/data"
  27. matrix_authentication_service_data_keys_path: "{{ matrix_authentication_service_data_path }}/keys"
  28. matrix_authentication_service_uid: "{{ matrix_user_uid }}"
  29. matrix_authentication_service_gid: "{{ matrix_user_gid }}"
  30. matrix_authentication_service_container_network: ""
  31. matrix_authentication_service_container_additional_networks: "{{ matrix_authentication_service_container_additional_networks_auto + matrix_authentication_service_container_additional_networks_custom }}"
  32. matrix_authentication_service_container_additional_networks_auto: []
  33. matrix_authentication_service_container_additional_networks_custom: []
  34. # A list of extra arguments to pass to the container
  35. matrix_authentication_service_container_extra_arguments: []
  36. # List of systemd services that matrix-authentication-service.service depends on
  37. matrix_authentication_service_systemd_required_services_list: "{{ matrix_authentication_service_systemd_required_services_list_default + matrix_authentication_service_systemd_required_services_list_auto + matrix_authentication_service_systemd_required_services_list_custom }}"
  38. matrix_authentication_service_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
  39. matrix_authentication_service_systemd_required_services_list_auto: []
  40. matrix_authentication_service_systemd_required_services_list_custom: []
  41. # List of systemd services that matrix-authentication-service.service wants
  42. matrix_authentication_service_systemd_wanted_services_list: "{{ matrix_authentication_service_systemd_wanted_services_list_auto + matrix_authentication_service_systemd_wanted_services_list_custom }}"
  43. matrix_authentication_service_systemd_wanted_services_list_auto: []
  44. matrix_authentication_service_systemd_wanted_services_list_custom: []
  45. ########################################################################################
  46. # #
  47. # Key management #
  48. # #
  49. ########################################################################################
  50. # Controls whether the playbook will manage the secrets keys for you.
  51. #
  52. # See:
  53. # - matrix_authentication_service_config_secrets_keys
  54. # - matrix_authentication_service_key_management_*
  55. matrix_authentication_service_key_management_enabled: true
  56. matrix_authentication_service_key_management_list: "{{ matrix_authentication_service_key_management_list_default + matrix_authentication_service_key_management_list_custom }}"
  57. matrix_authentication_service_key_management_list_default: |-
  58. {{
  59. (
  60. ([
  61. {
  62. "config": {
  63. "kid": matrix_authentication_service_key_management_rsa_2048_key_id,
  64. "key_file": ("/keys/" + matrix_authentication_service_key_management_rsa_2048_key_file),
  65. },
  66. "key_file": matrix_authentication_service_key_management_rsa_2048_key_file,
  67. "generation_command": matrix_authentication_service_key_management_rsa_2048_generation_command,
  68. }
  69. ] if matrix_authentication_service_key_management_rsa_2048_enabled else [])
  70. +
  71. ([
  72. {
  73. "config": {
  74. "kid": matrix_authentication_service_key_management_ecdsa_p256_key_id,
  75. "key_file": ("/keys/" + matrix_authentication_service_key_management_ecdsa_p256_key_file),
  76. },
  77. "key_file": matrix_authentication_service_key_management_ecdsa_p256_key_file,
  78. "generation_command": matrix_authentication_service_key_management_ecdsa_p256_generation_command,
  79. }
  80. ] if matrix_authentication_service_key_management_ecdsa_p256_enabled else [])
  81. +
  82. ([
  83. {
  84. "config": {
  85. "kid": matrix_authentication_service_key_management_ecdsa_p384_key_id,
  86. "key_file": ("/keys/" + matrix_authentication_service_key_management_ecdsa_p384_key_file),
  87. },
  88. "key_file": matrix_authentication_service_key_management_ecdsa_p384_key_file,
  89. "generation_command": matrix_authentication_service_key_management_ecdsa_p384_generation_command,
  90. }
  91. ] if matrix_authentication_service_key_management_ecdsa_p384_enabled else [])
  92. +
  93. ([
  94. {
  95. "config": {
  96. "kid": matrix_authentication_service_key_management_ecdsa_k256_key_id,
  97. "key_file": ("/keys/" + matrix_authentication_service_key_management_ecdsa_k256_key_file),
  98. },
  99. "key_file": matrix_authentication_service_key_management_ecdsa_k256_key_file,
  100. "generation_command": matrix_authentication_service_key_management_ecdsa_k256_generation_command,
  101. }
  102. ] if matrix_authentication_service_key_management_ecdsa_k256_enabled else [])
  103. )
  104. if matrix_authentication_service_key_management_enabled
  105. else []
  106. }}
  107. matrix_authentication_service_key_management_list_custom: []
  108. matrix_authentication_service_key_management_rsa_2048_enabled: true
  109. matrix_authentication_service_key_management_rsa_2048_key_id: default-rsa
  110. matrix_authentication_service_key_management_rsa_2048_key_file: rsa-2048.priv.pem
  111. matrix_authentication_service_key_management_rsa_2048_generation_command: "openssl genpkey -algorithm RSA -out __KEY_FILE_PATH__ -pkeyopt rsa_keygen_bits:2048"
  112. matrix_authentication_service_key_management_ecdsa_p256_enabled: true
  113. matrix_authentication_service_key_management_ecdsa_p256_key_id: default-ecdsa-p256
  114. matrix_authentication_service_key_management_ecdsa_p256_key_file: ecdsa-p256.priv.pem
  115. matrix_authentication_service_key_management_ecdsa_p256_generation_command: "openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out __KEY_FILE_PATH__ -outform PEM"
  116. matrix_authentication_service_key_management_ecdsa_p384_enabled: true
  117. matrix_authentication_service_key_management_ecdsa_p384_key_id: default-ecdsa-p384
  118. matrix_authentication_service_key_management_ecdsa_p384_key_file: ecdsa-p384.priv.pem
  119. matrix_authentication_service_key_management_ecdsa_p384_generation_command: "openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp384r1 -out __KEY_FILE_PATH__ -outform PEM"
  120. matrix_authentication_service_key_management_ecdsa_k256_enabled: true
  121. matrix_authentication_service_key_management_ecdsa_k256_key_id: default-ecdsa-k256
  122. matrix_authentication_service_key_management_ecdsa_k256_key_file: ecdsa-k256.priv.pem
  123. matrix_authentication_service_key_management_ecdsa_k256_generation_command: "openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp256k1 -out __KEY_FILE_PATH__ -outform PEM"
  124. ########################################################################################
  125. # #
  126. # /Key management #
  127. # #
  128. ########################################################################################
  129. ########################################################################################
  130. # #
  131. # Email configuration #
  132. # #
  133. ########################################################################################
  134. # Controls the `email.from` configuration setting.
  135. matrix_authentication_service_config_email_from: '"{{ matrix_authentication_service_config_email_from_name }}" <{{ matrix_authentication_service_config_email_from_address }}>'
  136. matrix_authentication_service_config_email_from_name: 'Matrix Authentication Service'
  137. matrix_authentication_service_config_email_from_address: "matrix@{{ matrix_domain }}"
  138. # Controls the `email.reply_to` configuration setting.
  139. matrix_authentication_service_config_email_reply_to: '"{{ matrix_authentication_service_config_email_reply_to_name }}" <{{ matrix_authentication_service_config_email_reply_to_address }}>'
  140. matrix_authentication_service_config_email_reply_to_name: "{{ matrix_authentication_service_config_email_from_name }}"
  141. matrix_authentication_service_config_email_reply_to_address: "{{ matrix_authentication_service_config_email_from_address }}"
  142. # Controls the `email.transport` configuration setting.
  143. #
  144. # Valid values: blackhole, smtp, aws_ses
  145. # Upstream reports that `sendmail` is supported as well,
  146. # but this is not true when running it in a container image due to the `sendmail` binary not being included.
  147. matrix_authentication_service_config_email_transport: blackhole
  148. # Controls the `email.mode` configuration setting for SMTP.
  149. # Valid values: plain, tls, starttls
  150. matrix_authentication_service_config_email_mode: plain
  151. # Controls the `email.hostname` configuration setting for SMTP.
  152. matrix_authentication_service_config_email_hostname: ""
  153. # Controls the `email.port` configuration setting for SMTP.
  154. matrix_authentication_service_config_email_port: 587
  155. # Controls the `email.username` configuration setting for SMTP.
  156. matrix_authentication_service_config_email_username: ""
  157. # Controls the `email.password` configuration setting for SMTP.
  158. matrix_authentication_service_config_email_password: ""
  159. ########################################################################################
  160. # #
  161. # /Email configuration #
  162. # #
  163. ########################################################################################
  164. ########################################################################################
  165. # #
  166. # Account configuration #
  167. # #
  168. ########################################################################################
  169. # Controls the `account.email_change_allowed` configuration setting.
  170. #
  171. # Whether users are allowed to change their email addresses.
  172. matrix_authentication_service_config_account_email_change_allowed: true
  173. # Controls the `account.displayname_change_allowed` configuration setting.
  174. #
  175. # Whether users are allowed to change their display names.
  176. # This should be in sync with the policy in the homeserver configuration.
  177. matrix_authentication_service_config_account_displayname_change_allowed: true
  178. # Controls the `account.password_registration_enabled` configuration setting.
  179. #
  180. # Whether to enable self-service password registration.
  181. # This has no effect if password login is disabled.
  182. matrix_authentication_service_config_account_password_registration_enabled: false
  183. # Controls the `account.password_registration_email_required` configuration setting.
  184. #
  185. # Whether self-service password registrations require a valid email.
  186. matrix_authentication_service_config_account_password_registration_email_required: true
  187. # Controls the `account.password_change_allowed` configuration setting.
  188. #
  189. # Whether users are allowed to change their passwords.
  190. # This has no effect if password login is disabled.
  191. matrix_authentication_service_config_account_password_change_allowed: true
  192. # Controls the `account.password_recovery_enabled` configuration setting.
  193. #
  194. # Whether email-based password recovery is enabled.
  195. # This has no effect if password login is disabled.
  196. matrix_authentication_service_config_account_password_recovery_enabled: false
  197. # Controls the `account.account_deactivation_allowed` configuration setting.
  198. #
  199. # Whether users are allowed to delete their own account
  200. matrix_authentication_service_config_account_account_deactivation_allowed: true
  201. # Controls the `account.login_with_email_allowed` configuration setting.
  202. #
  203. # Whether users can log in with their email address.
  204. # This has no effect if password login is disabled.
  205. matrix_authentication_service_config_account_login_with_email_allowed: false
  206. # Controls the `account.registration_token_required` configuration setting.
  207. #
  208. # Whether registration tokens are required for password registrations.
  209. # When enabled, users must provide a valid registration token during password
  210. # registration. This has no effect if password registration is disabled.
  211. matrix_authentication_service_config_account_registration_token_required: false
  212. ########################################################################################
  213. # #
  214. # /Account configuration #
  215. # #
  216. ########################################################################################
  217. ########################################################################################
  218. # #
  219. # Captcha configuration #
  220. # #
  221. ########################################################################################
  222. # Controls the `captcha.service` configuration setting.
  223. #
  224. # Which service to use for CAPTCHA protection of certain operations (like self-service password registration).
  225. # Valid values: recaptcha_v2, cloudflare_turnstile, hcaptcha
  226. # When defined, `matrix_authentication_service_config_captcha_site_key` and `matrix_authentication_service_config_captcha_secret_key` must be defined as well.
  227. # Leave empty to disable CAPTCHA protection.
  228. matrix_authentication_service_config_captcha_service: ""
  229. # Controls the `captcha.site_key` configuration setting.
  230. matrix_authentication_service_config_captcha_site_key: ""
  231. # Controls the `captcha.secret_key` configuration setting.
  232. matrix_authentication_service_config_captcha_secret_key: ""
  233. ########################################################################################
  234. # #
  235. # /Captcha configuration #
  236. # #
  237. ########################################################################################
  238. ########################################################################################
  239. # #
  240. # Database configuration #
  241. # #
  242. ########################################################################################
  243. # Controls the `database.username` configuration setting.
  244. matrix_authentication_service_config_database_username: 'matrix_authentication_service'
  245. # Controls the `database.password` configuration setting.
  246. matrix_authentication_service_config_database_password: ''
  247. # Controls the `database.host` configuration setting.
  248. matrix_authentication_service_config_database_host: ''
  249. # Controls the `database.port` configuration setting.
  250. matrix_authentication_service_config_database_port: 5432
  251. # Controls the `database.database` configuration setting.
  252. matrix_authentication_service_config_database_database: 'matrix_authentication_service'
  253. # Controls the `database.ssl_mode` configuration setting.
  254. matrix_authentication_service_config_database_ssl_mode: disable
  255. # Controls the `database.max_connections` configuration setting.
  256. matrix_authentication_service_config_database_max_connections: 10
  257. # Controls the `database.min_connections` configuration setting.
  258. matrix_authentication_service_config_database_min_connections: 0
  259. # Controls the `database.connect_timeout` configuration setting.
  260. matrix_authentication_service_config_database_connect_timeout: 30
  261. # Controls the `database.idle_timeout` configuration setting.
  262. matrix_authentication_service_config_database_idle_timeout: 600
  263. # Controls the `database.max_lifetime` configuration setting.
  264. matrix_authentication_service_config_database_max_lifetime: 1800
  265. # Controls whether the database connection is made via a UNIX socket.
  266. matrix_authentication_service_config_database_socket_enabled: false
  267. # The path to the Postgres socket's parent directory inside the MAS container.
  268. matrix_authentication_service_config_database_socket_path: "/run-postgres"
  269. # The path to the Postgres socket directory on the host (bind-mount source).
  270. matrix_authentication_service_config_database_socket_path_host: ""
  271. ########################################################################################
  272. # #
  273. # /Database configuration #
  274. # #
  275. ########################################################################################
  276. ########################################################################################
  277. # #
  278. # Secrets configuration #
  279. # #
  280. ########################################################################################
  281. # Controls the `secrets.encryption` configuration setting.
  282. matrix_authentication_service_config_secrets_encryption: ''
  283. # Controls the `secrets.keys` configuration setting.
  284. matrix_authentication_service_config_secrets_keys: |-
  285. {{
  286. matrix_authentication_service_key_management_list | map(attribute='config') | list
  287. if matrix_authentication_service_key_management_enabled
  288. else []
  289. }}
  290. ########################################################################################
  291. # #
  292. # /Secrets configuration #
  293. # #
  294. ########################################################################################
  295. ########################################################################################
  296. # #
  297. # HTTP configuration #
  298. # #
  299. ########################################################################################
  300. # Controls the resources exposed by the `web` HTTP listener.
  301. matrix_authentication_service_config_http_listener_web_resources: "{{ matrix_authentication_service_config_http_listener_web_resources_default + matrix_authentication_service_config_http_listener_web_resources_auto + matrix_authentication_service_config_http_listener_web_resources_custom }}"
  302. matrix_authentication_service_config_http_listener_web_resources_default: |-
  303. {{
  304. [
  305. {'name': 'discovery'},
  306. {'name': 'human'},
  307. {'name': 'oauth'},
  308. {'name': 'compat'},
  309. {'name': 'graphql'},
  310. {'name': 'assets'},
  311. ]
  312. +
  313. ([{'name': 'adminapi'}] if matrix_authentication_service_admin_api_enabled else [])
  314. }}
  315. matrix_authentication_service_config_http_listener_web_resources_auto: []
  316. matrix_authentication_service_config_http_listener_web_resources_custom: []
  317. # Controls the `http.public_base` configuration setting.
  318. matrix_authentication_service_config_http_public_base: "https://{{ matrix_authentication_service_hostname }}{{ '/' if matrix_authentication_service_path_prefix == '/' else (matrix_authentication_service_path_prefix + '/') }}"
  319. # Controls the `http.issuer` configuration setting.
  320. matrix_authentication_service_config_http_issuer: "{{ matrix_authentication_service_config_http_public_base }}"
  321. # Controls the `http.trusted_proxies` configuration setting.
  322. matrix_authentication_service_config_http_trusted_proxies:
  323. - 192.168.0.0/16
  324. - 172.16.0.0/12
  325. - 10.0.0.0/10
  326. - 127.0.0.1/8
  327. - fd00::/8
  328. - ::1/128
  329. ########################################################################################
  330. # #
  331. # /HTTP configuration #
  332. # #
  333. ########################################################################################
  334. ########################################################################################
  335. # #
  336. # Matrix configuration #
  337. # #
  338. ########################################################################################
  339. # Controls the `matrix.homeserver` configuration setting.
  340. # The homeserver name, as per the `server_name` in the Synapse configuration file.
  341. matrix_authentication_service_config_matrix_homeserver: ""
  342. # Controls the `matrix.endpoint` configuration setting.
  343. # URL to which the homeserver is accessible from the service.
  344. matrix_authentication_service_config_matrix_endpoint: ""
  345. # Controls the `matrix.secret` configuration setting.
  346. matrix_authentication_service_config_matrix_secret: ""
  347. ########################################################################################
  348. # #
  349. # /Matrix configuration #
  350. # #
  351. ########################################################################################
  352. ########################################################################################
  353. # #
  354. # Passwords configuration #
  355. # #
  356. ########################################################################################
  357. # Controls the `passwords.enabled` configuration setting.
  358. # Whether to enable the password database.
  359. # If disabled, users will only be able to log in using upstream OIDC providers.
  360. matrix_authentication_service_config_passwords_enabled: true
  361. # Controls the `passwords.schemes` configuration setting.
  362. # List of password hashing schemes being used.
  363. # Only change this if you know what you're doing.
  364. matrix_authentication_service_config_passwords_schemes:
  365. - version: 1
  366. algorithm: argon2id
  367. # Controls the `passwords.minimum_complexity` configuration setting.
  368. # Minimum complexity required for passwords, estimated by the zxcvbn algorithm.
  369. # Must be between 0 and 4. Default is 3.
  370. # See https://github.com/dropbox/zxcvbn#usage for more information.
  371. matrix_authentication_service_config_passwords_minimum_complexity: 3
  372. ########################################################################################
  373. # #
  374. # /Passwords configuration #
  375. # #
  376. ########################################################################################
  377. ########################################################################################
  378. # #
  379. # Clients configuration #
  380. # #
  381. ########################################################################################
  382. # Controls the `clients` configuration setting.
  383. # List of clients to be used by the authentication service.
  384. #
  385. # See:
  386. # - https://element-hq.github.io/matrix-authentication-service/reference/configuration.html#clients
  387. # - https://element-hq.github.io/matrix-authentication-service/setup/homeserver.html#provision-a-client-for-the-homeserver-to-use
  388. #
  389. # To define your own, use `matrix_authentication_service_config_clients_custom`.
  390. matrix_authentication_service_config_clients: "{{ matrix_authentication_service_config_clients_auto + matrix_authentication_service_config_clients_custom }}"
  391. matrix_authentication_service_config_clients_auto: []
  392. matrix_authentication_service_config_clients_custom: []
  393. ########################################################################################
  394. # #
  395. # /Clients configuration #
  396. # #
  397. ########################################################################################
  398. ########################################################################################
  399. # #
  400. # Upstream OAuth2 configuration #
  401. # #
  402. ########################################################################################
  403. # Controls the `upstream_oauth2.providers` configuration setting.
  404. # See:
  405. # - https://element-hq.github.io/matrix-authentication-service/reference/configuration.html#upstream_oauth2providers
  406. matrix_authentication_service_config_upstream_oauth2_providers: []
  407. ########################################################################################
  408. # #
  409. # /Upstream OAuth2 configuration #
  410. # #
  411. ########################################################################################
  412. # Holds the final Matrix Authentication Service configuration (a combination of the default and its extension).
  413. # You most likely don't need to touch this variable. Instead, see `matrix_authentication_service_configuration_yaml` or `matrix_authentication_service_configuration_extension_yaml`.
  414. matrix_authentication_service_configuration: "{{ matrix_authentication_service_configuration_yaml | from_yaml | combine(matrix_authentication_service_configuration_extension, recursive=True) }}"
  415. # Default Matrix Authentication Service configuration template which covers the generic use case.
  416. # You can customize it by controlling the various variables inside it.
  417. #
  418. # For a more advanced customization, you can extend the default (see `matrix_authentication_service_configuration_extension_yaml`)
  419. # or completely replace this variable with your own template.
  420. matrix_authentication_service_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"
  421. matrix_authentication_service_configuration_extension_yaml: |
  422. # Your custom YAML configuration for Matrix Authentication Service goes here.
  423. # This configuration extends the default starting configuration (`matrix_authentication_service_configuration_yaml`).
  424. #
  425. # You can override individual variables from the default configuration, or introduce new ones.
  426. #
  427. # If you need something more special, you can take full control by
  428. # completely redefining `matrix_authentication_service_configuration_yaml`.
  429. #
  430. # Example configuration extension follows:
  431. #
  432. # user:
  433. # password: something
  434. matrix_authentication_service_configuration_extension: "{{ matrix_authentication_service_configuration_extension_yaml | from_yaml if matrix_authentication_service_configuration_extension_yaml | from_yaml is mapping else {} }}"
  435. # Additional environment variables to pass to the Matrix Authentication Service container.
  436. #
  437. # Environment variables take priority over settings in the configuration file.
  438. #
  439. # Example:
  440. # matrix_authentication_service_environment_variables_extension: |
  441. # KEY=value
  442. matrix_authentication_service_environment_variables_extension: ''
  443. ########################################################################################
  444. # #
  445. # Labels #
  446. # #
  447. ########################################################################################
  448. # matrix_authentication_service_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
  449. # See `../templates/labels.j2` for details.
  450. #
  451. # To inject your own other container labels, see `matrix_authentication_service_container_labels_additional_labels`.
  452. matrix_authentication_service_container_labels_traefik_enabled: true
  453. matrix_authentication_service_container_labels_traefik_docker_network: "{{ matrix_authentication_service_container_network }}"
  454. matrix_authentication_service_container_labels_traefik_entrypoints: web-secure
  455. matrix_authentication_service_container_labels_traefik_tls_certResolver: default # noqa var-naming
  456. matrix_authentication_service_container_labels_public_main_hostname: "{{ matrix_authentication_service_hostname }}"
  457. # The path prefix must either be `/` or not end with a slash (e.g. `/auth`).
  458. matrix_authentication_service_container_labels_public_main_path_prefix: "{{ matrix_authentication_service_path_prefix }}"
  459. matrix_authentication_service_container_labels_public_main_rule: "Host(`{{ matrix_authentication_service_container_labels_public_main_hostname }}`){% if matrix_authentication_service_container_labels_public_main_path_prefix != '/' %} && PathPrefix(`{{ matrix_authentication_service_container_labels_public_main_path_prefix }}`){% endif %}"
  460. matrix_authentication_service_container_labels_public_main_priority: 0
  461. matrix_authentication_service_container_labels_public_main_entrypoints: "{{ matrix_authentication_service_container_labels_traefik_entrypoints }}"
  462. matrix_authentication_service_container_labels_public_main_tls: "{{ matrix_authentication_service_container_labels_public_main_entrypoints != 'web' }}"
  463. matrix_authentication_service_container_labels_public_main_tls_certResolver: "{{ matrix_authentication_service_container_labels_traefik_tls_certResolver }}" # noqa var-naming
  464. # Controls whether labels will be added to expose the compatibility layer publicly.
  465. #
  466. # The service exposes a compatibility layer to allow legacy clients to authenticate using the service.
  467. # This works by exposing a few Matrix endpoints that should be proxied to the service.
  468. # The following Matrix Client-Server API endpoints need to be handled by the authentication service:
  469. # - /_matrix/client/*/login
  470. # - /_matrix/client/*/logout
  471. # - /_matrix/client/*/refresh
  472. #
  473. # See:
  474. # - https://element-hq.github.io/matrix-authentication-service/setup/homeserver.html#set-up-the-compatibility-layer
  475. # - https://element-hq.github.io/matrix-authentication-service/setup/reverse-proxy.html#compatibility-layer
  476. #
  477. # Regardless of whether this is enabled, it may or may not take effect due to the value of other variables.
  478. # See `matrix_authentication_service_container_labels_traefik_enabled`.
  479. matrix_authentication_service_container_labels_public_compatibility_layer_enabled: false
  480. matrix_authentication_service_container_labels_public_compatibility_layer_hostname: ""
  481. matrix_authentication_service_container_labels_public_compatibility_layer_path_regexp: "^/_matrix/client/(?P<version>([^/]+))/(?P<endpoint>(login|logout|refresh))"
  482. matrix_authentication_service_container_labels_public_compatibility_layer_rule: "Host(`{{ matrix_authentication_service_container_labels_public_compatibility_layer_hostname }}`) && PathRegexp(`{{ matrix_authentication_service_container_labels_public_compatibility_layer_path_regexp }}`)"
  483. matrix_authentication_service_container_labels_public_compatibility_layer_priority: 0
  484. matrix_authentication_service_container_labels_public_compatibility_layer_entrypoints: "{{ matrix_authentication_service_container_labels_traefik_entrypoints }}"
  485. matrix_authentication_service_container_labels_public_compatibility_layer_tls: "{{ matrix_authentication_service_container_labels_public_compatibility_layer_entrypoints != 'web' }}"
  486. matrix_authentication_service_container_labels_public_compatibility_layer_tls_certResolver: "{{ matrix_authentication_service_container_labels_traefik_tls_certResolver }}" # noqa var-naming
  487. # Controls whether labels will be added to expose the compatibility layer on the internal Traefik entrypoint.
  488. # This is similar to `matrix_authentication_service_container_labels_public_compatibility_layer_enabled`, but the entrypoint and intent is different.
  489. # Regardless of whether this is enabled, it may or may not take effect due to the value of other variables.
  490. # See `matrix_authentication_service_container_labels_traefik_enabled`
  491. matrix_authentication_service_container_labels_internal_compatibility_layer_enabled: false
  492. matrix_authentication_service_container_labels_internal_compatibility_layer_path_regexp: "{{ matrix_authentication_service_container_labels_public_compatibility_layer_path_regexp }}"
  493. matrix_authentication_service_container_labels_internal_compatibility_layer_rule: "PathRegexp(`{{ matrix_authentication_service_container_labels_internal_compatibility_layer_path_regexp }}`)"
  494. matrix_authentication_service_container_labels_internal_compatibility_layer_priority: 0
  495. matrix_authentication_service_container_labels_internal_compatibility_layer_entrypoints: ""
  496. # Controls which additional headers to attach to all HTTP responses.
  497. # To add your own headers, use `matrix_authentication_service_container_labels_traefik_additional_response_headers_custom`
  498. matrix_authentication_service_container_labels_traefik_additional_response_headers: "{{ matrix_authentication_service_container_labels_traefik_additional_response_headers_auto | combine(matrix_authentication_service_container_labels_traefik_additional_response_headers_custom) }}"
  499. matrix_authentication_service_container_labels_traefik_additional_response_headers_auto: {}
  500. matrix_authentication_service_container_labels_traefik_additional_response_headers_custom: {}
  501. # matrix_authentication_service_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
  502. # See `../templates/labels.j2` for details.
  503. #
  504. # Example:
  505. # matrix_authentication_service_container_labels_additional_labels: |
  506. # my.label=1
  507. # another.label="here"
  508. matrix_authentication_service_container_labels_additional_labels: ''
  509. ########################################################################################
  510. # #
  511. # /Labels #
  512. # #
  513. ########################################################################################
  514. ########################################################################################
  515. # #
  516. # syn2mas configuration #
  517. # #
  518. ########################################################################################
  519. matrix_authentication_service_syn2mas_start_wait_time_seconds: 5
  520. # The syn2mas sub-command to run.
  521. # Valid values: migrate, check
  522. matrix_authentication_service_syn2mas_subcommand: migrate
  523. # Whether to pass a `--dry-run` flag to the 'migrate' sub-command.
  524. # See `matrix_authentication_service_syn2mas_subcommand`
  525. matrix_authentication_service_syn2mas_migrate_dry_run: false
  526. # Path to Synapse's homeserver.yaml configuration file.
  527. matrix_authentication_service_syn2mas_synapse_homeserver_config_path: ""
  528. matrix_authentication_service_syn2mas_container_network: "{{ matrix_authentication_service_container_network }}"
  529. matrix_authentication_service_syn2mas_synapse_database_socket_enabled: false
  530. matrix_authentication_service_syn2mas_synapse_database_socket_path: ""
  531. matrix_authentication_service_syn2mas_synapse_database_socket_path_host: ""
  532. # Additional options passed to the syn2mas sub-command (e.g. `mas-cli syn2mas [OPTIONS] migrate|check`).
  533. # Also see: `matrix_authentication_service_syn2mas_subcommand_extra_options`
  534. #
  535. # Example:
  536. # matrix_authentication_service_syn2mas_command_extra_options:
  537. # - "--something"
  538. matrix_authentication_service_syn2mas_command_extra_options: []
  539. # Additional options passed to the syn2mas sub-command (e.g. `mas-cli syn2mas migrate|check [OPTIONS]`).
  540. # Also see: `matrix_authentication_service_syn2mas_command_extra_options`
  541. #
  542. # Example:
  543. # matrix_authentication_service_syn2mas_subcommand_extra_options:
  544. # - "--dry-run"
  545. matrix_authentication_service_syn2mas_subcommand_extra_options: []
  546. ########################################################################################
  547. # #
  548. # /syn2mas configuration #
  549. # #
  550. ########################################################################################
  551. ########################################################################################
  552. # #
  553. # Misc #
  554. # #
  555. ########################################################################################
  556. # Controls whether a migration from a homeserver user database to Matrix Authentication Service is in progress.
  557. #
  558. # When this is set to `true`, the playbook will:
  559. #
  560. # - disable the integration between the homeserver and Matrix Authentication Service
  561. # - avoid setting up the "compatibility layer" (that is, avoid installing container labels that capture login endpoints like `/_matrix/client/*/login`, etc.)
  562. matrix_authentication_service_migration_in_progress: false
  563. # Controls whether the admin API is enabled.
  564. # Ref: https://element-hq.github.io/matrix-authentication-service/topics/admin-api.html#enabling-the-api
  565. matrix_authentication_service_admin_api_enabled: false
  566. # matrix_authentication_service_restart_necessary controls whether the service
  567. # will be restarted (when true) or merely started (when false) by the
  568. # systemd service manager role (when conditional restart is enabled).
  569. #
  570. # This value is automatically computed during installation based on whether
  571. # any configuration files, the systemd service file, or the container image changed.
  572. # The default of `false` means "no restart needed" — appropriate when the role's
  573. # installation tasks haven't run (e.g., due to --tags skipping them).
  574. matrix_authentication_service_restart_necessary: false
  575. ########################################################################################
  576. # #
  577. # /Misc #
  578. # #
  579. ########################################################################################