[synapse] outsource oidc_providers

2024-02-23 18:24:35 +09:00 · 2024-02-23 18:24:35 +09:00 · f6b596ebe4
commit f6b596ebe4
parent 4b48d1854f
2 changed files with 32 additions and 16 deletions
--- a/ansible/inventory/runa.yml
+++ b/ansible/inventory/runa.yml
@ -62,6 +62,20 @@ runa:
          postgres_password: "31913hkVN_L9b3i_0v1RX_ZJXx_AD564_MM_nz"
          postgres_db: matrix-synapse-db
          postgres_host: postgresql-mtx.lat.internal.ru.com
+          oidc_providers: |
+            - idp_id: keycloak
+              idp_name: "Corp Login"
+              issuer: "https://idp.corp-serv.net/realms/MAT/"
+              client_id: "synapse"
+              client_secret: "vulBbPIatTqthf3wVgWbXjrLa00Ejk913gQEqgFhZm6FTJj4rc5CWgGGIBjH6CBDaAmeyZ4Tgs0iK7w9tannkaY8u3ziW4vhU0Ji"
+              scopes: ["openid", "profile"]
+              user_mapping_provider:
+                config:
+                  localpart_template: "{{ '{{' }} user.preferred_username {{ '}}' }}"
+                  display_name_template: "{{ '{{' }} user.name {{ '}}' }}"
+                  subject_template: "{{ '{{' }} user.preferred_username {{ '}}' }}"
+                  backchannel_logout_enabled: true
+
      hosts:
        mtx-elem-1.lat.internal.ru.com:
          matrix_service: "elementweb"
@ -96,10 +110,23 @@ runa:
            - turns:mtx-turn-1.lta.internal.ru.com?transport=tcp
            - turns:mtx-turn-1.lta.internal.ru.com?transport=udp
          turn_shared_secret: "ushaHimahxi6eisaeV4Chu0quaeyeish"
-          postgres_user: matrix-synapseTBD
-          postgres_password: "TBD"
-          postgres_db: matrix-synapse-dbTBD
-          postgres_host: TBDpostgresql-mtx.lta.internal.ru.com
+          postgres_user: matrix-synapse
+          postgres_password: "0Dt9G739GRUpb9dgSgWG"
+          postgres_db: matrix-synapse-db
+          postgres_host: postgresql-mtx.ltrudev.internal
+          oidc_providers: |
+            - idp_id: keycloak
+              idp_name: "FIXME Login"
+              issuer: "https://idp.FIXMEcorp-serv.net/realms/MAT/"
+              client_id: "synapseFIXME"
+              client_secret: "FIXME"
+              scopes: ["openid", "profile"]
+              user_mapping_provider:
+                config:
+                  localpart_template: "{{ '{{' }} user.preferred_username {{ '}}' }}"
+                  display_name_template: "{{ '{{' }} user.name {{ '}}' }}"
+                  subject_template: "{{ '{{' }} user.preferred_username {{ '}}' }}"
+                  backchannel_logout_enabled: true
      hosts:
        mtx-mngm-1.lta.internal.ru.com:
          matrix_service: "synapse-admin"
--- a/ansible/roles/synapse/templates/synapse/homeserver.yaml
+++ b/ansible/roles/synapse/templates/synapse/homeserver.yaml
@ -2319,18 +2319,7 @@ sso:
    #    - "provided-by-your-issuer"

 oidc_providers:
-  - idp_id: keycloak
-    idp_name: "Corp Login"
-    issuer: "https://idp.corp-serv.net/realms/MAT/"
-    client_id: "synapse"
-    client_secret: "vulBbPIatTqthf3wVgWbXjrLa00Ejk913gQEqgFhZm6FTJj4rc5CWgGGIBjH6CBDaAmeyZ4Tgs0iK7w9tannkaY8u3ziW4vhU0Ji"
-    scopes: ["openid", "profile"]
-    user_mapping_provider:
-      config:
-        localpart_template: "{{ '{{' }} user.preferred_username {{ '}}' }}"
-        display_name_template: "{{ '{{' }} user.name {{ '}}' }}"
-        subject_template: "{{ '{{' }} user.preferred_username {{ '}}' }}"
-    backchannel_logout_enabled: true
+{{ matrix.oidc_providers | indent(width=2, first=True) }}

 password_config:
   # Uncomment to disable password login