From 28ec0a6b08e3361773b2603d425bcf310f0e050a Mon Sep 17 00:00:00 2001
From: Philip Haupt <“der.mad.mob@gmail.com”>
Date: Tue, 9 Sep 2025 23:46:54 +0200
Subject: [PATCH] synapse change to oidc
---
 synapse/main.yaml | 13 ++++++++-----
 synapse/src/values.yaml | 17 ++++++++++++++---
 2 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/synapse/main.yaml b/synapse/main.yaml
index f67ce99..52bc446 100644
--- a/synapse/main.yaml
+++ b/synapse/main.yaml
@@ -12,11 +12,14 @@ data:
 [metrics]\n compress: false\n\n - port: 9093\n tls: false\n bind_addresses: [\"::\"]\n type: http\n\n resources:\n - names: [replication]\n compress: false\n\n## Files ##\n\nmedia_store_path: \"/synapse/data/media\"\nuploads_path:
- \"/synapse/data/uploads\"\n\n## Registration ##\n\nenable_registration: true\n\n##
+ \"/synapse/data/uploads\"\n\n## Registration ##\n\nenable_registration: false\n\n## Metrics ###\n\nenable_metrics: true\n\n## Signing Keys ##\n\nsigning_key_path: \"/synapse/keys/signing.key\"\n\n# The trusted servers to download signing keys from.\ntrusted_key_servers:\n - server_name: matrix.org\n\n## Workers ##\n\n##
- Extra config ##\n\nregistration_requires_token: true\n"
+ Extra config ##\n\noidc_providers:\n- client_id: synapse\n client_secret: DOXPkkV2TUvgBBoQL4gng9e1pUvZeIFo\n
+ \ idp_id: keycloak\n idp_name: Born In Pain\n issuer: https://iam.borninpain.de/auth/realms/home\n
+ \ scopes:\n - openid\n - profile\n user_mapping_provider:\n config:\n display_name_template:
+ '{{ user.name }}'\n localpart_template: '{{ user.preferred_username }}'\n"
 log.yaml: |
 version: 1
 formatters:
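Review bot: The Keycloak `client_secret` is written in plaintext into the ConfigMap's `config.yaml` under `data:`, and the same value is committed a second time in `extraConfig` in the synapse/src/values.yaml hunk at `@@ -181`. The Secret in this same manifest already keeps the database password out of the repo with the `"@@POSTGRES_PASSWORD@@"` placeholder, so the client secret can use the same substitution, or Synapse's `client_secret_path` can point at a file mounted from a Kubernetes Secret; either way the value is now in git history and should be regenerated in Keycloak. As far as I know `enable_registration: false` does not limit account creation through OIDC login, so with `registration_requires_token: true` gone, who can obtain a Matrix account is decided by the Keycloak realm's client and user policy; that is worth a comment such as `# Accounts are provisioned by Keycloak on first OIDC login; registration_requires_token no longer applies.`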
@@ -59,7 +62,7 @@ metadata:
 helm.sh/chart: matrix-synapse-3.12.7
 name: synapse-matrix-synapse
 stringData:
- config.yaml: "## Registration ##\n\nregistration_shared_secret: \"123654\"\n\n##
+ config.yaml: "## Registration ##\n\nregistration_shared_secret: \"0xxtKZ6gdJafYnju8HGf7hkW\"\n\n## API Configuration ##\n\n## Database configuration ##\n\ndatabase:\n name: \"psycopg2\"\n \ args:\n user: \"synapse\"\n password: \"@@POSTGRES_PASSWORD@@\"\n database: \"synapse\"\n host: \"synapse-postgresql\"\n port: 5432\n sslmode: \"prefer\"\n
@@ -204,8 +207,8 @@ spec:
 template:
 metadata:
 annotations:
- checksum/config: 77b1f5bbbbb36ca64dc91dedeba6fcef0d3bf40ba16b1c761e6d20a079252e2e
- checksum/secrets: c6c3922611b50b1ee21f8d734a08725a1dd0d861f83ad711e3aff0f06bc6aa2a
+ checksum/config: 857a63e706fd696b2e26fa9fbb0b7e72272ac46e878684456bf3c54260da3409
+ checksum/secrets: a299d7b016aa05209a701a799dad5cf7ec27b7a59f098652799bc2154f522733
 labels:
 app.kubernetes.io/component: synapse
 app.kubernetes.io/instance: synapse
diff --git a/synapse/src/values.yaml b/synapse/src/values.yaml
index b61d07b..89400a6 100644
--- a/synapse/src/values.yaml
+++ b/synapse/src/values.yaml
@@ -139,10 +139,10 @@ config:
 ## Registration configuration, note that registration with the
 ## container-internal register_new_matrix_user tool is always possible.
 ##
- enableRegistration: true
+ enableRegistration: false
 ## NB; this value will default to a random string if not specified.
- registrationSharedSecret: 123654
+ registrationSharedSecret: ''
 ## NB; Strongly recommended to set this to a secure value.
 # macaroonSecretKey: ''
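Review bot: `registration_shared_secret` goes from `"123654"` to `"0xxtKZ6gdJafYnju8HGf7hkW"` in the rendered Secret while the synapse/src/values.yaml hunk at `@@ -139` sets `registrationSharedSecret: ''`, whose own comment says the chart then falls back to a random string, so this value appears to be generated at render time and will change on every re-render, flipping `checksum/secrets` in the `@@ -204` hunk and restarting the pods on each deploy. Both values are now in git history, and the chart's comment notes that shared-secret registration via `register_new_matrix_user` stays possible regardless of `enable_registration: false`, so treat `123654` and the new value as disclosed and rotate. Pinning the secret the way `password: "@@POSTGRES_PASSWORD@@"` is handled a few lines below keeps a re-render idempotent and the value out of the repo.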
@@ -181,7 +181,18 @@ config:
 ## Ref: https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml
 ##
 extraConfig:
- registration_requires_token: true
+ oidc_providers:
+ - idp_id: keycloak
+ idp_name: "Born In Pain"
+ issuer: "https://iam.borninpain.de/auth/realms/home"
+ client_id: "synapse"
+ client_secret: "DOXPkkV2TUvgBBoQL4gng9e1pUvZeIFo"
+ scopes: ["openid", "profile"]
+ user_mapping_provider:
+ config:
+ localpart_template: "{{ user.preferred_username }}"
+ display_name_template: "{{ user.name }}"
+
 # old_signing_keys:
 # "ed25519:id": { key: "base64string", expired_ts: 123456789123 }
 # use_presence: false
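Review bot: `localpart_template: "{{ user.preferred_username }}"` derives the Matrix ID from a claim that Keycloak allows to be edited (by admins, and by users when the realm permits it), so renaming an account yields a different localpart on the next login, or a failed login when that localpart already belongs to someone else; the `sub` claim is the stable identifier, at the cost of readable user IDs, and if `preferred_username` is kept, a comment above `user_mapping_provider` should record that usernames must stay immutable in the realm. The `client_secret` here repeats the plaintext value raised on the synapse/main.yaml hunk. `scopes: ["openid", "profile"]` is the only flow-style list in this block; block style would match the surrounding keys.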