617 lines
		
	
	
		
			37 KiB
		
	
	
	
		
			YAML
		
	
	
	
	
	
			
		
		
	
	
			617 lines
		
	
	
		
			37 KiB
		
	
	
	
		
			YAML
		
	
	
	
	
	
| # SPDX-FileCopyrightText: 2024 - 2025 Slavi Pantaleev
 | |
| # SPDX-FileCopyrightText: 2025 Suguru Hirahara
 | |
| #
 | |
| # SPDX-License-Identifier: AGPL-3.0-or-later
 | |
| 
 | |
| ---
 | |
| 
 | |
| # matrix-authentication-service (MAS) is an OAuth 2.0 and OpenID Provider server for Matrix.
 | |
| # Project source code URL: https://github.com/element-hq/matrix-authentication-service
 | |
| 
 | |
| matrix_authentication_service_enabled: true
 | |
| 
 | |
| matrix_authentication_service_hostname: ''
 | |
| 
 | |
| # Controls the path prefix for the authentication service.
 | |
| # This value must either be `/` or not end with a slash (e.g. `/auth`).
 | |
| matrix_authentication_service_path_prefix: /
 | |
| 
 | |
| matrix_authentication_service_container_image_self_build: false
 | |
| matrix_authentication_service_container_repo: "https://github.com/element-hq/matrix-authentication-service.git"
 | |
| matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authentication_service_version == 'latest' else ('v' + matrix_authentication_service_version) }}"
 | |
| matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src"
 | |
| 
 | |
| # renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service
 | |
| matrix_authentication_service_version: 1.1.0
 | |
| matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}"
 | |
| matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}"
 | |
| matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/"
 | |
| matrix_authentication_service_container_image: "{{ matrix_authentication_service_container_image_registry_prefix }}element-hq/matrix-authentication-service:{{ matrix_authentication_service_version }}"
 | |
| matrix_authentication_service_container_image_force_pull: "{{ matrix_authentication_service_container_image.endswith(':latest') }}"
 | |
| 
 | |
| matrix_authentication_service_base_path: "{{ matrix_base_data_path }}/matrix-authentication-service"
 | |
| matrix_authentication_service_bin_path: "{{ matrix_authentication_service_base_path }}/bin"
 | |
| matrix_authentication_service_config_path: "{{ matrix_authentication_service_base_path }}/config"
 | |
| matrix_authentication_service_data_path: "{{ matrix_authentication_service_base_path }}/data"
 | |
| matrix_authentication_service_data_keys_path: "{{ matrix_authentication_service_data_path }}/keys"
 | |
| 
 | |
| matrix_authentication_service_uid: "{{ matrix_user_uid }}"
 | |
| matrix_authentication_service_gid: "{{ matrix_user_gid }}"
 | |
| 
 | |
| matrix_authentication_service_container_network: ""
 | |
| 
 | |
| matrix_authentication_service_container_additional_networks: "{{ matrix_authentication_service_container_additional_networks_auto + matrix_authentication_service_container_additional_networks_custom }}"
 | |
| matrix_authentication_service_container_additional_networks_auto: []
 | |
| matrix_authentication_service_container_additional_networks_custom: []
 | |
| 
 | |
| # A list of extra arguments to pass to the container
 | |
| matrix_authentication_service_container_extra_arguments: []
 | |
| 
 | |
| # List of systemd services that matrix-authentication-service.service depends on
 | |
| matrix_authentication_service_systemd_required_services_list: "{{ matrix_authentication_service_systemd_required_services_list_default + matrix_authentication_service_systemd_required_services_list_auto + matrix_authentication_service_systemd_required_services_list_custom }}"
 | |
| matrix_authentication_service_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
 | |
| matrix_authentication_service_systemd_required_services_list_auto: []
 | |
| matrix_authentication_service_systemd_required_services_list_custom: []
 | |
| 
 | |
| # List of systemd services that matrix-authentication-service.service wants
 | |
| matrix_authentication_service_systemd_wanted_services_list: "{{ matrix_authentication_service_systemd_wanted_services_list_auto + matrix_authentication_service_systemd_wanted_services_list_custom }}"
 | |
| matrix_authentication_service_systemd_wanted_services_list_auto: []
 | |
| matrix_authentication_service_systemd_wanted_services_list_custom: []
 | |
| 
 | |
| ########################################################################################
 | |
| #                                                                                      #
 | |
| # Key management                                                                       #
 | |
| #                                                                                      #
 | |
| ########################################################################################
 | |
| 
 | |
| # Controls whether the playbook will manage the secrets keys for you.
 | |
| #
 | |
| # See:
 | |
| # - matrix_authentication_service_config_secrets_keys
 | |
| # - matrix_authentication_service_key_management_*
 | |
| matrix_authentication_service_key_management_enabled: true
 | |
| 
 | |
| matrix_authentication_service_key_management_list: "{{ matrix_authentication_service_key_management_list_default + matrix_authentication_service_key_management_list_custom }}"
 | |
| matrix_authentication_service_key_management_list_default: |-
 | |
|   {{
 | |
|     (
 | |
|       ([
 | |
|         {
 | |
|           "config": {
 | |
|             "kid": matrix_authentication_service_key_management_rsa_2048_key_id,
 | |
|             "key_file": ("/keys/" + matrix_authentication_service_key_management_rsa_2048_key_file),
 | |
|           },
 | |
|           "key_file": matrix_authentication_service_key_management_rsa_2048_key_file,
 | |
|           "generation_command": matrix_authentication_service_key_management_rsa_2048_generation_command,
 | |
|         }
 | |
|       ] if matrix_authentication_service_key_management_rsa_2048_enabled else [])
 | |
|       +
 | |
|       ([
 | |
|         {
 | |
|           "config": {
 | |
|             "kid": matrix_authentication_service_key_management_ecdsa_p256_key_id,
 | |
|             "key_file": ("/keys/" + matrix_authentication_service_key_management_ecdsa_p256_key_file),
 | |
|           },
 | |
|           "key_file": matrix_authentication_service_key_management_ecdsa_p256_key_file,
 | |
|           "generation_command": matrix_authentication_service_key_management_ecdsa_p256_generation_command,
 | |
|         }
 | |
|       ] if matrix_authentication_service_key_management_ecdsa_p256_enabled else [])
 | |
|       +
 | |
|       ([
 | |
|         {
 | |
|           "config": {
 | |
|             "kid": matrix_authentication_service_key_management_ecdsa_p384_key_id,
 | |
|             "key_file": ("/keys/" + matrix_authentication_service_key_management_ecdsa_p384_key_file),
 | |
|           },
 | |
|           "key_file": matrix_authentication_service_key_management_ecdsa_p384_key_file,
 | |
|           "generation_command": matrix_authentication_service_key_management_ecdsa_p384_generation_command,
 | |
|         }
 | |
|       ] if matrix_authentication_service_key_management_ecdsa_p384_enabled else [])
 | |
|       +
 | |
|       ([
 | |
|         {
 | |
|           "config": {
 | |
|             "kid": matrix_authentication_service_key_management_ecdsa_k256_key_id,
 | |
|             "key_file": ("/keys/" + matrix_authentication_service_key_management_ecdsa_k256_key_file),
 | |
|           },
 | |
|           "key_file": matrix_authentication_service_key_management_ecdsa_k256_key_file,
 | |
|           "generation_command": matrix_authentication_service_key_management_ecdsa_k256_generation_command,
 | |
|         }
 | |
|       ] if matrix_authentication_service_key_management_ecdsa_k256_enabled else [])
 | |
|     )
 | |
|     if matrix_authentication_service_key_management_enabled
 | |
|     else []
 | |
|   }}
 | |
| matrix_authentication_service_key_management_list_custom: []
 | |
| 
 | |
| matrix_authentication_service_key_management_rsa_2048_enabled: true
 | |
| matrix_authentication_service_key_management_rsa_2048_key_id: default-rsa
 | |
| matrix_authentication_service_key_management_rsa_2048_key_file: rsa-2048.priv.pem
 | |
| matrix_authentication_service_key_management_rsa_2048_generation_command: "openssl genpkey -algorithm RSA -out __KEY_FILE_PATH__ -pkeyopt rsa_keygen_bits:2048"
 | |
| 
 | |
| matrix_authentication_service_key_management_ecdsa_p256_enabled: true
 | |
| matrix_authentication_service_key_management_ecdsa_p256_key_id: default-ecdsa-p256
 | |
| matrix_authentication_service_key_management_ecdsa_p256_key_file: ecdsa-p256.priv.pem
 | |
| matrix_authentication_service_key_management_ecdsa_p256_generation_command: "openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out __KEY_FILE_PATH__ -outform PEM"
 | |
| matrix_authentication_service_key_management_ecdsa_p384_enabled: true
 | |
| matrix_authentication_service_key_management_ecdsa_p384_key_id: default-ecdsa-p384
 | |
| matrix_authentication_service_key_management_ecdsa_p384_key_file: ecdsa-p384.priv.pem
 | |
| matrix_authentication_service_key_management_ecdsa_p384_generation_command: "openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp384r1 -out __KEY_FILE_PATH__ -outform PEM"
 | |
| 
 | |
| matrix_authentication_service_key_management_ecdsa_k256_enabled: true
 | |
| matrix_authentication_service_key_management_ecdsa_k256_key_id: default-ecdsa-k256
 | |
| matrix_authentication_service_key_management_ecdsa_k256_key_file: ecdsa-k256.priv.pem
 | |
| matrix_authentication_service_key_management_ecdsa_k256_generation_command: "openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp256k1 -out __KEY_FILE_PATH__ -outform PEM"
 | |
| 
 | |
| ########################################################################################
 | |
| #                                                                                      #
 | |
| # /Key management                                                                      #
 | |
| #                                                                                      #
 | |
| ########################################################################################
 | |
| 
 | |
| 
 | |
| ########################################################################################
 | |
| #                                                                                      #
 | |
| # Email configuration                                                                  #
 | |
| #                                                                                      #
 | |
| ########################################################################################
 | |
| 
 | |
| # Controls the `email.from` configuration setting.
 | |
| matrix_authentication_service_config_email_from: '"{{ matrix_authentication_service_config_email_from_name }}" <{{ matrix_authentication_service_config_email_from_address }}>'
 | |
| matrix_authentication_service_config_email_from_name: 'Matrix Authentication Service'
 | |
| matrix_authentication_service_config_email_from_address: "matrix@{{ matrix_domain }}"
 | |
| 
 | |
| # Controls the `email.reply_to` configuration setting.
 | |
| matrix_authentication_service_config_email_reply_to: '"{{ matrix_authentication_service_config_email_reply_to_name }}" <{{ matrix_authentication_service_config_email_reply_to_address }}>'
 | |
| matrix_authentication_service_config_email_reply_to_name: "{{ matrix_authentication_service_config_email_from_name }}"
 | |
| matrix_authentication_service_config_email_reply_to_address: "{{ matrix_authentication_service_config_email_from_address }}"
 | |
| 
 | |
| # Controls the `email.transport` configuration setting.
 | |
| #
 | |
| # Valid values: blackhole, smtp, aws_ses
 | |
| # Upstream reports that `sendmail` is supported as well,
 | |
| # but this is not true when running it in a container image due to the `sendmail` binary not being included.
 | |
| matrix_authentication_service_config_email_transport: blackhole
 | |
| 
 | |
| # Controls the `email.mode` configuration setting for SMTP.
 | |
| # Valid values: plain, tls, starttls
 | |
| matrix_authentication_service_config_email_mode: plain
 | |
| 
 | |
| # Controls the `email.hostname` configuration setting for SMTP.
 | |
| matrix_authentication_service_config_email_hostname: ""
 | |
| 
 | |
| # Controls the `email.port` configuration setting for SMTP.
 | |
| matrix_authentication_service_config_email_port: 587
 | |
| 
 | |
| # Controls the `email.username` configuration setting for SMTP.
 | |
| matrix_authentication_service_config_email_username: ""
 | |
| 
 | |
| # Controls the `email.password` configuration setting for SMTP.
 | |
| matrix_authentication_service_config_email_password: ""
 | |
| 
 | |
| ########################################################################################
 | |
| #                                                                                      #
 | |
| # /Email configuration                                                                 #
 | |
| #                                                                                      #
 | |
| ########################################################################################
 | |
| 
 | |
| 
 | |
| ########################################################################################
 | |
| #                                                                                      #
 | |
| # Account configuration                                                                #
 | |
| #                                                                                      #
 | |
| ########################################################################################
 | |
| 
 | |
| # Controls the `account.email_change_allowed` configuration setting.
 | |
| #
 | |
| # Whether users are allowed to change their email addresses.
 | |
| matrix_authentication_service_config_account_email_change_allowed: true
 | |
| 
 | |
| # Controls the `account.displayname_change_allowed` configuration setting.
 | |
| #
 | |
| # Whether users are allowed to change their display names.
 | |
| # This should be in sync with the policy in the homeserver configuration.
 | |
| matrix_authentication_service_config_account_displayname_change_allowed: true
 | |
| 
 | |
| # Controls the `account.password_registration_enabled` configuration setting.
 | |
| #
 | |
| # Whether to enable self-service password registration.
 | |
| # This has no effect if password login is disabled.
 | |
| matrix_authentication_service_config_account_password_registration_enabled: false
 | |
| 
 | |
| # Controls the `account.password_change_allowed` configuration setting.
 | |
| #
 | |
| # Whether users are allowed to change their passwords.
 | |
| # This has no effect if password login is disabled.
 | |
| matrix_authentication_service_config_account_password_change_allowed: true
 | |
| 
 | |
| # Controls the `account.password_recovery_enabled` configuration setting.
 | |
| #
 | |
| # Whether email-based password recovery is enabled.
 | |
| # This has no effect if password login is disabled.
 | |
| matrix_authentication_service_config_account_password_recovery_enabled: false
 | |
| 
 | |
| ########################################################################################
 | |
| #                                                                                      #
 | |
| # /Account configuration                                                               #
 | |
| #                                                                                      #
 | |
| ########################################################################################
 | |
| 
 | |
| 
 | |
| ########################################################################################
 | |
| #                                                                                      #
 | |
| # Database configuration                                                               #
 | |
| #                                                                                      #
 | |
| ########################################################################################
 | |
| 
 | |
| # Controls the `database.username` configuration setting.
 | |
| matrix_authentication_service_config_database_username: 'matrix_authentication_service'
 | |
| 
 | |
| # Controls the `database.password` configuration setting.
 | |
| matrix_authentication_service_config_database_password: ''
 | |
| 
 | |
| # Controls the `database.host` configuration setting.
 | |
| matrix_authentication_service_config_database_host: ''
 | |
| 
 | |
| # Controls the `database.port` configuration setting.
 | |
| matrix_authentication_service_config_database_port: 5432
 | |
| 
 | |
| # Controls the `database.database` configuration setting.
 | |
| matrix_authentication_service_config_database_database: 'matrix_authentication_service'
 | |
| 
 | |
| # Controls the `database.ssl_mode` configuration setting.
 | |
| matrix_authentication_service_config_database_ssl_mode: disable
 | |
| 
 | |
| # Controls the `database.max_connections` configuration setting.
 | |
| matrix_authentication_service_config_database_max_connections: 10
 | |
| 
 | |
| # Controls the `database.min_connections` configuration setting.
 | |
| matrix_authentication_service_config_database_min_connections: 0
 | |
| 
 | |
| # Controls the `database.connect_timeout` configuration setting.
 | |
| matrix_authentication_service_config_database_connect_timeout: 30
 | |
| 
 | |
| # Controls the `database.idle_timeout` configuration setting.
 | |
| matrix_authentication_service_config_database_idle_timeout: 600
 | |
| 
 | |
| # Controls the `database.max_lifetime` configuration setting.
 | |
| matrix_authentication_service_config_database_max_lifetime: 1800
 | |
| 
 | |
| ########################################################################################
 | |
| #                                                                                      #
 | |
| # /Database configuration                                                              #
 | |
| #                                                                                      #
 | |
| ########################################################################################
 | |
| 
 | |
| 
 | |
| ########################################################################################
 | |
| #                                                                                      #
 | |
| # Secrets configuration                                                                #
 | |
| #                                                                                      #
 | |
| ########################################################################################
 | |
| 
 | |
| # Controls the `secrets.encryption` configuration setting.
 | |
| matrix_authentication_service_config_secrets_encryption: ''
 | |
| 
 | |
| # Controls the `secrets.keys` configuration setting.
 | |
| matrix_authentication_service_config_secrets_keys: |-
 | |
|   {{
 | |
|     matrix_authentication_service_key_management_list | map(attribute='config') | list
 | |
|     if matrix_authentication_service_key_management_enabled
 | |
|     else []
 | |
|   }}
 | |
| 
 | |
| ########################################################################################
 | |
| #                                                                                      #
 | |
| # /Secrets configuration                                                               #
 | |
| #                                                                                      #
 | |
| ########################################################################################
 | |
| 
 | |
| 
 | |
| ########################################################################################
 | |
| #                                                                                      #
 | |
| # HTTP configuration                                                                 #
 | |
| #                                                                                      #
 | |
| ########################################################################################
 | |
| 
 | |
| # Controls the `http.public_base` configuration setting.
 | |
| matrix_authentication_service_config_http_public_base: "https://{{ matrix_authentication_service_hostname }}{{ '/' if matrix_authentication_service_path_prefix == '/' else (matrix_authentication_service_path_prefix + '/') }}"
 | |
| 
 | |
| # Controls the `http.issuer` configuration setting.
 | |
| matrix_authentication_service_config_http_issuer: "{{ matrix_authentication_service_config_http_public_base }}"
 | |
| 
 | |
| # Controls the `http.trusted_proxies` configuration setting.
 | |
| matrix_authentication_service_config_http_trusted_proxies:
 | |
|   - 192.168.0.0/16
 | |
|   - 172.16.0.0/12
 | |
|   - 10.0.0.0/10
 | |
|   - 127.0.0.1/8
 | |
|   - fd00::/8
 | |
|   - ::1/128
 | |
| 
 | |
| ########################################################################################
 | |
| #                                                                                      #
 | |
| # /HTTP configuration                                                                  #
 | |
| #                                                                                      #
 | |
| ########################################################################################
 | |
| 
 | |
| 
 | |
| ########################################################################################
 | |
| #                                                                                      #
 | |
| # Matrix configuration                                                                 #
 | |
| #                                                                                      #
 | |
| ########################################################################################
 | |
| 
 | |
| # Controls the `matrix.homeserver` configuration setting.
 | |
| # The homeserver name, as per the `server_name` in the Synapse configuration file.
 | |
| matrix_authentication_service_config_matrix_homeserver: ""
 | |
| 
 | |
| # Controls the `matrix.endpoint` configuration setting.
 | |
| # URL to which the homeserver is accessible from the service.
 | |
| matrix_authentication_service_config_matrix_endpoint: ""
 | |
| 
 | |
| # Controls the `matrix.secret` configuration setting.
 | |
| matrix_authentication_service_config_matrix_secret: ""
 | |
| 
 | |
| ########################################################################################
 | |
| #                                                                                      #
 | |
| # /Matrix configuration                                                                #
 | |
| #                                                                                      #
 | |
| ########################################################################################
 | |
| 
 | |
| 
 | |
| ########################################################################################
 | |
| #                                                                                      #
 | |
| # Passwords configuration                                                              #
 | |
| #                                                                                      #
 | |
| ########################################################################################
 | |
| 
 | |
| # Controls the `passwords.enabled` configuration setting.
 | |
| # Whether to enable the password database.
 | |
| # If disabled, users will only be able to log in using upstream OIDC providers.
 | |
| matrix_authentication_service_config_passwords_enabled: true
 | |
| 
 | |
| # Controls the `passwords.schemes` configuration setting.
 | |
| # List of password hashing schemes being used.
 | |
| # Only change this if you know what you're doing.
 | |
| matrix_authentication_service_config_passwords_schemes:
 | |
|   - version: 1
 | |
|     algorithm: argon2id
 | |
| 
 | |
| # Controls the `passwords.minimum_complexity` configuration setting.
 | |
| # Minimum complexity required for passwords, estimated by the zxcvbn algorithm.
 | |
| # Must be between 0 and 4. Default is 3.
 | |
| # See https://github.com/dropbox/zxcvbn#usage for more information.
 | |
| matrix_authentication_service_config_passwords_minimum_complexity: 3
 | |
| 
 | |
| ########################################################################################
 | |
| #                                                                                      #
 | |
| # /Passwords configuration                                                             #
 | |
| #                                                                                      #
 | |
| ########################################################################################
 | |
| 
 | |
| 
 | |
| ########################################################################################
 | |
| #                                                                                      #
 | |
| # Clients configuration                                                                #
 | |
| #                                                                                      #
 | |
| ########################################################################################
 | |
| 
 | |
| # Controls the `clients` configuration setting.
 | |
| # List of clients to be used by the authentication service.
 | |
| #
 | |
| # See:
 | |
| # - https://element-hq.github.io/matrix-authentication-service/reference/configuration.html#clients
 | |
| # - https://element-hq.github.io/matrix-authentication-service/setup/homeserver.html#provision-a-client-for-the-homeserver-to-use
 | |
| #
 | |
| # To define your own, use `matrix_authentication_service_config_clients_custom`.
 | |
| matrix_authentication_service_config_clients: "{{ matrix_authentication_service_config_clients_auto + matrix_authentication_service_config_clients_custom }}"
 | |
| matrix_authentication_service_config_clients_auto: []
 | |
| matrix_authentication_service_config_clients_custom: []
 | |
| 
 | |
| ########################################################################################
 | |
| #                                                                                      #
 | |
| # /Clients configuration                                                               #
 | |
| #                                                                                      #
 | |
| ########################################################################################
 | |
| 
 | |
| 
 | |
| ########################################################################################
 | |
| #                                                                                      #
 | |
| # Upstream OAuth2 configuration                                                        #
 | |
| #                                                                                      #
 | |
| ########################################################################################
 | |
| 
 | |
| # Controls the `upstream_oauth2.providers` configuration setting.
 | |
| # See:
 | |
| # - https://element-hq.github.io/matrix-authentication-service/reference/configuration.html#upstream_oauth2providers
 | |
| matrix_authentication_service_config_upstream_oauth2_providers: []
 | |
| 
 | |
| ########################################################################################
 | |
| #                                                                                      #
 | |
| # /Upstream OAuth2 configuration                                                       #
 | |
| #                                                                                      #
 | |
| ########################################################################################
 | |
| 
 | |
| 
 | |
| # Holds the final Matrix Authentication Service configuration (a combination of the default and its extension).
 | |
| # You most likely don't need to touch this variable. Instead, see `matrix_authentication_service_configuration_yaml` or `matrix_authentication_service_configuration_extension_yaml`.
 | |
| matrix_authentication_service_configuration: "{{ matrix_authentication_service_configuration_yaml | from_yaml | combine(matrix_authentication_service_configuration_extension, recursive=True) }}"
 | |
| 
 | |
| # Default Matrix Authentication Service configuration template which covers the generic use case.
 | |
| # You can customize it by controlling the various variables inside it.
 | |
| #
 | |
| # For a more advanced customization, you can extend the default (see `matrix_authentication_service_configuration_extension_yaml`)
 | |
| # or completely replace this variable with your own template.
 | |
| matrix_authentication_service_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"
 | |
| 
 | |
| matrix_authentication_service_configuration_extension_yaml: |
 | |
|   # Your custom YAML configuration for Matrix Authentication Service goes here.
 | |
|   # This configuration extends the default starting configuration (`matrix_authentication_service_configuration_yaml`).
 | |
|   #
 | |
|   # You can override individual variables from the default configuration, or introduce new ones.
 | |
|   #
 | |
|   # If you need something more special, you can take full control by
 | |
|   # completely redefining `matrix_authentication_service_configuration_yaml`.
 | |
|   #
 | |
|   # Example configuration extension follows:
 | |
|   #
 | |
|   # user:
 | |
|   #   password: something
 | |
| 
 | |
| matrix_authentication_service_configuration_extension: "{{ matrix_authentication_service_configuration_extension_yaml | from_yaml if matrix_authentication_service_configuration_extension_yaml | from_yaml is mapping else {} }}"
 | |
| 
 | |
| # Additional environment variables to pass to the Matrix Authentication Service container.
 | |
| #
 | |
| # Environment variables take priority over settings in the configuration file.
 | |
| #
 | |
| # Example:
 | |
| # matrix_authentication_service_environment_variables_extension: |
 | |
| #   KEY=value
 | |
| matrix_authentication_service_environment_variables_extension: ''
 | |
| 
 | |
| 
 | |
| ########################################################################################
 | |
| #                                                                                      #
 | |
| # Labels                                                                               #
 | |
| #                                                                                      #
 | |
| ########################################################################################
 | |
| 
 | |
| # matrix_authentication_service_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
 | |
| # See `../templates/labels.j2` for details.
 | |
| #
 | |
| # To inject your own other container labels, see `matrix_authentication_service_container_labels_additional_labels`.
 | |
| matrix_authentication_service_container_labels_traefik_enabled: true
 | |
| matrix_authentication_service_container_labels_traefik_docker_network: "{{ matrix_authentication_service_container_network }}"
 | |
| matrix_authentication_service_container_labels_traefik_entrypoints: web-secure
 | |
| matrix_authentication_service_container_labels_traefik_tls_certResolver: default  # noqa var-naming
 | |
| 
 | |
| matrix_authentication_service_container_labels_public_main_hostname: "{{ matrix_authentication_service_hostname }}"
 | |
| # The path prefix must either be `/` or not end with a slash (e.g. `/auth`).
 | |
| matrix_authentication_service_container_labels_public_main_path_prefix: "{{ matrix_authentication_service_path_prefix }}"
 | |
| matrix_authentication_service_container_labels_public_main_rule: "Host(`{{ matrix_authentication_service_container_labels_public_main_hostname }}`){% if matrix_authentication_service_container_labels_public_main_path_prefix != '/' %} && PathPrefix(`{{ matrix_authentication_service_container_labels_public_main_path_prefix }}`){% endif %}"
 | |
| matrix_authentication_service_container_labels_public_main_priority: 0
 | |
| matrix_authentication_service_container_labels_public_main_entrypoints: "{{ matrix_authentication_service_container_labels_traefik_entrypoints }}"
 | |
| matrix_authentication_service_container_labels_public_main_tls: "{{ matrix_authentication_service_container_labels_public_main_entrypoints != 'web' }}"
 | |
| matrix_authentication_service_container_labels_public_main_tls_certResolver: "{{ matrix_authentication_service_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
 | |
| 
 | |
| # Controls whether labels will be added to expose the compatibility layer publicly.
 | |
| #
 | |
| # The service exposes a compatibility layer to allow legacy clients to authenticate using the service.
 | |
| # This works by exposing a few Matrix endpoints that should be proxied to the service.
 | |
| # The following Matrix Client-Server API endpoints need to be handled by the authentication service:
 | |
| # - /_matrix/client/*/login
 | |
| # - /_matrix/client/*/logout
 | |
| # - /_matrix/client/*/refresh
 | |
| #
 | |
| # See:
 | |
| # - https://element-hq.github.io/matrix-authentication-service/setup/homeserver.html#set-up-the-compatibility-layer
 | |
| # - https://element-hq.github.io/matrix-authentication-service/setup/reverse-proxy.html#compatibility-layer
 | |
| #
 | |
| # Regardless of whether this is enabled, it may or may not take effect due to the value of other variables.
 | |
| # See `matrix_authentication_service_container_labels_traefik_enabled`.
 | |
| matrix_authentication_service_container_labels_public_compatibility_layer_enabled: false
 | |
| matrix_authentication_service_container_labels_public_compatibility_layer_hostname: ""
 | |
| matrix_authentication_service_container_labels_public_compatibility_layer_path_regexp: "^/_matrix/client/(?P<version>([^/]+))/(?P<endpoint>(login|logout|refresh))"
 | |
| matrix_authentication_service_container_labels_public_compatibility_layer_rule: "Host(`{{ matrix_authentication_service_container_labels_public_compatibility_layer_hostname }}`) && PathRegexp(`{{ matrix_authentication_service_container_labels_public_compatibility_layer_path_regexp }}`)"
 | |
| matrix_authentication_service_container_labels_public_compatibility_layer_priority: 0
 | |
| matrix_authentication_service_container_labels_public_compatibility_layer_entrypoints: "{{ matrix_authentication_service_container_labels_traefik_entrypoints }}"
 | |
| matrix_authentication_service_container_labels_public_compatibility_layer_tls: "{{ matrix_authentication_service_container_labels_public_compatibility_layer_entrypoints != 'web' }}"
 | |
| matrix_authentication_service_container_labels_public_compatibility_layer_tls_certResolver: "{{ matrix_authentication_service_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
 | |
| 
 | |
| # Controls whether labels will be added to expose the compatibility layer on the internal Traefik entrypoint.
 | |
| # This is similar to `matrix_authentication_service_container_labels_public_compatibility_layer_enabled`, but the entrypoint and intent is different.
 | |
| # Regardless of whether this is enabled, it may or may not take effect due to the value of other variables.
 | |
| # See `matrix_authentication_service_container_labels_traefik_enabled`
 | |
| matrix_authentication_service_container_labels_internal_compatibility_layer_enabled: false
 | |
| matrix_authentication_service_container_labels_internal_compatibility_layer_path_regexp: "{{ matrix_authentication_service_container_labels_public_compatibility_layer_path_regexp }}"
 | |
| matrix_authentication_service_container_labels_internal_compatibility_layer_rule: "PathRegexp(`{{ matrix_authentication_service_container_labels_internal_compatibility_layer_path_regexp }}`)"
 | |
| matrix_authentication_service_container_labels_internal_compatibility_layer_priority: 0
 | |
| matrix_authentication_service_container_labels_internal_compatibility_layer_entrypoints: ""
 | |
| 
 | |
| # Controls which additional headers to attach to all HTTP responses.
 | |
| # To add your own headers, use `matrix_authentication_service_container_labels_traefik_additional_response_headers_custom`
 | |
| matrix_authentication_service_container_labels_traefik_additional_response_headers: "{{ matrix_authentication_service_container_labels_traefik_additional_response_headers_auto | combine(matrix_authentication_service_container_labels_traefik_additional_response_headers_custom) }}"
 | |
| matrix_authentication_service_container_labels_traefik_additional_response_headers_auto: {}
 | |
| matrix_authentication_service_container_labels_traefik_additional_response_headers_custom: {}
 | |
| 
 | |
| # matrix_authentication_service_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
 | |
| # See `../templates/labels.j2` for details.
 | |
| #
 | |
| # Example:
 | |
| # matrix_authentication_service_container_labels_additional_labels: |
 | |
| #   my.label=1
 | |
| #   another.label="here"
 | |
| matrix_authentication_service_container_labels_additional_labels: ''
 | |
| 
 | |
| ########################################################################################
 | |
| #                                                                                      #
 | |
| # /Labels                                                                              #
 | |
| #                                                                                      #
 | |
| ########################################################################################
 | |
| 
 | |
| 
 | |
| ########################################################################################
 | |
| #                                                                                      #
 | |
| # syn2mas configuration                                                                #
 | |
| #                                                                                      #
 | |
| ########################################################################################
 | |
| 
 | |
| matrix_authentication_service_syn2mas_start_wait_time_seconds: 5
 | |
| 
 | |
| # The syn2mas sub-command to run.
 | |
| # Valid values: migrate, check
 | |
| matrix_authentication_service_syn2mas_subcommand: migrate
 | |
| 
 | |
| # Whether to pass a `--dry-run` flag to the 'migrate' sub-command.
 | |
| # See `matrix_authentication_service_syn2mas_subcommand`
 | |
| matrix_authentication_service_syn2mas_migrate_dry_run: false
 | |
| 
 | |
| # Path to Synapse's homeserver.yaml configuration file.
 | |
| matrix_authentication_service_syn2mas_synapse_homeserver_config_path: ""
 | |
| 
 | |
| matrix_authentication_service_syn2mas_container_network: "{{ matrix_authentication_service_container_network }}"
 | |
| 
 | |
| # Additional options passed to the syn2mas sub-command (e.g. `mas-cli syn2mas [OPTIONS] migrate|check`).
 | |
| # Also see: `matrix_authentication_service_syn2mas_subcommand_extra_options`
 | |
| #
 | |
| # Example:
 | |
| # matrix_authentication_service_syn2mas_command_extra_options:
 | |
| #   - "--something"
 | |
| matrix_authentication_service_syn2mas_command_extra_options: []
 | |
| 
 | |
| # Additional options passed to the syn2mas sub-command (e.g. `mas-cli syn2mas migrate|check [OPTIONS]`).
 | |
| # Also see: `matrix_authentication_service_syn2mas_command_extra_options`
 | |
| #
 | |
| # Example:
 | |
| # matrix_authentication_service_syn2mas_subcommand_extra_options:
 | |
| #   - "--dry-run"
 | |
| matrix_authentication_service_syn2mas_subcommand_extra_options: []
 | |
| 
 | |
| ########################################################################################
 | |
| #                                                                                      #
 | |
| # /syn2mas configuration                                                               #
 | |
| #                                                                                      #
 | |
| ########################################################################################
 | |
| 
 | |
| 
 | |
| ########################################################################################
 | |
| #                                                                                      #
 | |
| # Misc                                                                                 #
 | |
| #                                                                                      #
 | |
| ########################################################################################
 | |
| 
 | |
| # Controls whether a migration from a homeserver user database to Matrix Authentication Service is in progress.
 | |
| #
 | |
| # When this is set to `true`, the playbook will:
 | |
| #
 | |
| # - disable the integration between the homeserver and Matrix Authentication Service
 | |
| # - avoid setting up the "compatibility layer" (that is, avoid installing container labels that capture login endpoints like `/_matrix/client/*/login`, etc.)
 | |
| matrix_authentication_service_migration_in_progress: false
 | |
| 
 | |
| ########################################################################################
 | |
| #                                                                                      #
 | |
| # /Misc                                                                                #
 | |
| #                                                                                      #
 | |
| ########################################################################################
 |