From 29eed5b047c3b6031d7bbe77f34f1270ea30c1bc Mon Sep 17 00:00:00 2001
From: Nico Schottelius
Date: Fri, 29 Sep 2023 13:05:47 +0200
Subject: [PATCH] synapse: add new keycloak config
---
 .../files/synapse/config/homeserver.yaml | 14 +++++++++++++-
 .../files/synapse/docker-compose.yaml | 2 ++
 .../files/synapse/nginx/synapse.conf | 2 +-
 3 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/ansible/roles/docker-compose/files/synapse/config/homeserver.yaml b/ansible/roles/docker-compose/files/synapse/config/homeserver.yaml
index 95789b9..8d391e9 100755
--- a/ansible/roles/docker-compose/files/synapse/config/homeserver.yaml
+++ b/ansible/roles/docker-compose/files/synapse/config/homeserver.yaml
@@ -2273,11 +2273,23 @@ sso:
 #audiences:
 # - "provided-by-your-issuer"
+oidc_providers:
+ - idp_id: keycloak
+ idp_name: "Corp Login"
+ issuer: "https://idp.corp-serv.net/realms/MAT"
+ client_id: "synapse"
+ client_secret: "vulBbPIatTqthf3wVgWbXjrLa00Ejk913gQEqgFhZm6FTJj4rc5CWgGGIBjH6CBDaAmeyZ4Tgs0iK7w9tannkaY8u3ziW4vhU0Ji"
+ scopes: ["openid", "profile"]
+ user_mapping_provider:
+ config:
+ localpart_template: "{{ user.preferred_username }}"
+ display_name_template: "{{ user.name }}"
+ backchannel_logout_enabled: true
 password_config:
 # Uncomment to disable password login
 #
- #enabled: false
+ enabled: false
 # Uncomment to disable authentication against the local password
 # database. This is ignored if enabled is false, and is only useful
diff --git a/ansible/roles/docker-compose/files/synapse/docker-compose.yaml b/ansible/roles/docker-compose/files/synapse/docker-compose.yaml
index 82195d8..01418f2 100644
--- a/ansible/roles/docker-compose/files/synapse/docker-compose.yaml
+++ b/ansible/roles/docker-compose/files/synapse/docker-compose.yaml
@@ -7,6 +7,8 @@ services:
 volumes:
 - /mnt/synapse_data:/data
 - ./config:/config
+ ports:
+ - "8008:8008/tcp"
 command:
 - run
 - --config-path=/config/homeserver.yaml
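Review bot: The added `client_secret:` line in the `oidc_providers` entry of homeserver.yaml commits the Keycloak client secret in plaintext to a file shipped from the role's `files/` directory, so it is readable by anyone with access to the repository or its history. Treat the value as exposed: rotate it in Keycloak and keep the new one out of version control, for example by replacing the line with `client_secret_path: "/config/keycloak_client_secret"` (placeholder path; requires a Synapse release that supports this option) and delivering that file from Ansible Vault with restrictive permissions. Separately, `enabled: false` under `password_config` turns off password login entirely, so it is worth confirming that an administrative account can still sign in when the IdP is unavailable. The `password_config` block continues past the end of the hunk.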
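Review bot: The added `ports:` entry `"8008:8008/tcp"` in docker-compose.yaml publishes Synapse's plain-HTTP listener on every host interface, so the homeserver becomes reachable without passing through the nginx TLS front end, and Docker-published ports are typically not filtered by host firewall front ends such as ufw. The same commit points nginx at `http://synapse:8008`, so the proxy presumably reaches the container over the compose network and the host mapping may not be needed at all. If host access is required, bind it to loopback with `- "127.0.0.1:8008:8008/tcp"`; otherwise drop the two added lines. The service definition starts and ends outside the hunk, so whether nginx shares the network cannot be confirmed from here.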
diff --git a/ansible/roles/docker-compose/files/synapse/nginx/synapse.conf b/ansible/roles/docker-compose/files/synapse/nginx/synapse.conf
index a1c0e9b..8213020 100644
--- a/ansible/roles/docker-compose/files/synapse/nginx/synapse.conf
+++ b/ansible/roles/docker-compose/files/synapse/nginx/synapse.conf
@@ -34,6 +34,6 @@ server {
 proxy_read_timeout 600s;
 send_timeout 600s;
- proxy_pass http://localhost:8008;
+ proxy_pass http://synapse:8008;
 }
 }
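Review bot: `proxy_pass http://synapse:8008;` makes nginx resolve the name `synapse` once, when the configuration is loaded, so nginx refuses to start if the name is not resolvable at that moment and keeps proxying to the old address if the Synapse container is recreated with a new IP. The name only resolves if nginx runs in a container on the same Docker network as the `synapse` service, which the visible hunks do not show. If it does, consider resolving at request time with `resolver 127.0.0.11 valid=10s;`, `set $synapse_upstream http://synapse:8008;` and `proxy_pass $synapse_upstream;`. The enclosing block starts outside the hunk.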