Add matrix-authentication-service & necessary Synapse adjustments #402

Merged
saibotk merged 3 commits from matrix-authentication-service into main 2025-10-04 20:36:21 +02:00
Owner

This adds a role for the Matrix Authentication Service (MAS).

Additionally, some changes to Synapse's reverse proxying were necessary.

Please see the respective commits for details.

saibotk self-assigned this 2025-10-04 00:50:56 +02:00
This adds the [Matrix Authentication Service](https://element-hq.github.io/matrix-authentication-service/index.html) role and playbook.

It configures a slightly opinionated setup bound to running Synapse and without any mailing configuration.
The role installs MAS via podman quadlet with minimal permissions along with a Postgres 18 instance.

Note:
- Secret configs need to be manually set up, before this role can be used
- Not all MAS configs can be configured via variables, only instance-specific settings are exposed (e.g. hostnames or secrets)
- Migrations from Synapse need to be done manually
- Config changes to Synapse also need to be done manually
This adds the necessary proxy setup for legacy authentication support according to the docs [0].

Note: This requires the Synapse instance and MAS to be running on the same host.

0: https://element-hq.github.io/matrix-authentication-service/setup/reverse-proxy.html#compatibility-layer
feat(synapse): Use dynamic well-known from Synapse
All checks were successful
ci/woodpecker/pr/ansible-lint Pipeline was successful
ad57f33a2d
Some well-known information is rather dynamic, e.g. the supported/enabled MSCs.
Synapse can handle the client well-known endpoint and might add more in the future.

This also allows Synapse to communicate the MAS configuration to clients.
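As an added example, not code from this PR or the repository: a small Python check that the client well-known document Synapse serves advertises the MAS issuer, which is how Synapse communicates the MAS configuration to clients. The `org.matrix.msc2965.authentication` key name follows the MAS and Synapse documentation; the hostnames in the sample are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Key under which Synapse advertises the delegated auth server (per MAS/Synapse docs).
AUTH_KEY = "org.matrix.msc2965.authentication"

# Constructed sample of a /.well-known/matrix/client body; hostnames are placeholders.
SAMPLE_WELL_KNOWN = json.dumps({
    "m.homeserver": {"base_url": "https://matrix.example.invalid"},
    AUTH_KEY: {
        "issuer": "https://auth.example.invalid/",
        "account": "https://auth.example.invalid/account/",
    },
})


def check_client_well_known(body: str, expected_issuer: str) -> list[str]:
    """Return a list of problems found in the well-known body; empty means acceptable."""
    problems: list[str] = []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]

    # The homeserver base URL must exist and be served over TLS.
    base = doc.get("m.homeserver", {}).get("base_url")
    if not base or urlparse(base).scheme != "https":
        problems.append("m.homeserver.base_url missing or not https")

    # Without the MSC2965 block clients cannot discover MAS at all.
    auth = doc.get(AUTH_KEY)
    if not isinstance(auth, dict):
        problems.append(f"{AUTH_KEY} missing: clients cannot discover the MAS issuer")
        return problems

    # The issuer must be TLS and must be the MAS instance we actually operate.
    issuer = auth.get("issuer", "")
    if urlparse(issuer).scheme != "https":
        problems.append("issuer is not https")
    if issuer.rstrip("/") != expected_issuer.rstrip("/"):
        problems.append(f"issuer {issuer!r} does not match expected {expected_issuer!r}")

    # The account management URL should live on the same host as the issuer.
    account = auth.get("account")
    if account and urlparse(account).netloc != urlparse(issuer).netloc:
        problems.append("account URL host differs from issuer host")
    return problems
```

In practice the body would come from fetching `/.well-known/matrix/client` on the public hostname after the Synapse change, so the check catches a stale static file still being served by the proxy.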
requested review from histalek 2025-10-04 00:50:57 +02:00
fixup! feat(mas): add matrix authentication service role
Some checks failed
ci/woodpecker/pr/ansible-lint Pipeline failed
08b6250b7b
saibotk force-pushed matrix-authentication-service from 08b6250b7b to 2e60c72fdc 2025-10-04 01:09:33 +02:00 Compare
saibotk force-pushed matrix-authentication-service from 2e60c72fdc to dc62953537 2025-10-04 01:10:13 +02:00 Compare
histalek approved these changes 2025-10-04 11:12:41 +02:00
Dismissed
histalek left a comment
Owner

a few nits otherwise LGTM
@ -0,0 +4,4 @@
listen: "matrix authentication service selinux context changed"
- name: Restart matrix authentication service-postgres service.
ansible.builtin.systemd:
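Review bot: the handler name `Restart matrix authentication service-postgres service.` mixes spaced words with a hyphenated suffix, so `notify:` references are easy to mistype; consider `Restart matrix-authentication-service-postgres service` to match the `matrix-authentication-service` naming used for the container elsewhere in this PR.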
Owner

FYI `ansible.builtin.systemd` was renamed to `ansible.builtin.systemd_service` some time in 2023 (i think)

`ansible.builtin.systemd` is kept as an alias for backwards compatibility

it's probably fine as is and i might replace all occurrences of this in a PR soon enough, just to give a heads up here
histalek marked this conversation as resolved
@ -0,0 +79,4 @@
ansible.builtin.stat:
path: "{{ caddy_install_dir }}/config"
become: true
register: caddy_stat_config_dir
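Review bot: `path: "{{ caddy_install_dir }}/config"` makes this role depend on a variable owned by the Caddy role, so running the MAS role on a host without it fails with an undefined-variable error rather than a clear message. Suggest an `ansible.builtin.assert` that `caddy_install_dir is defined` at the top of the task file (or documenting the dependency in the role's meta), and prefixing the registered variable with the role name so it cannot collide with the Caddy role's own facts.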
Owner

tbh just name this `matrix_authentication_service_caddy_stat_config_dir`

i'm not sure if this could ever meaningfully clash with the caddy role, but we should just not risk it.

this change would also get rid of the ansible-lint violation
histalek marked this conversation as resolved
@ -0,0 +13,4 @@
HealthCmd = CMD pg_isready -U mas -d matrix_authentication_service
# AutoUpdate = registry
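Review bot: `# AutoUpdate = registry` should not stay commented out without a stated reason; for this Postgres container in particular (the PR pins a Postgres 18 instance), a registry auto-update that pulls a new major version would leave the data directory unusable until a manual upgrade, so either drop the line or add a comment that automatic updates are intentionally disabled for the database. Also note that `pg_isready -U mas -d matrix_authentication_service` only confirms the server accepts connections; it does not verify that the role or database exists.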
Owner

this should either be removed or uncommented
histalek marked this conversation as resolved
@ -0,0 +20,4 @@
User = 70
Group = 70
# NoNewPrivileges = true
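Review bot: `# NoNewPrivileges = true` is commented out while `User = 70` / `Group = 70` already drop root, so the container could still regain privileges through setuid binaries in the image; if it was disabled because the entrypoint needs it, record that reason in a comment next to the line, otherwise enable it.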
Owner

is this a problem in this setup? or why is it commented?
histalek marked this conversation as resolved
@ -0,0 +13,4 @@
Image = {{ matrix_authentication_service_containerimage }}:{{ matrix_authentication_service_image_tag }}
ContainerName = matrix-authentication-service
# AutoUpdate = registry
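Review bot: `# AutoUpdate = registry` conflicts with the explicit `{{ matrix_authentication_service_image_tag }}` pin if it is ever enabled, since an auto-update would move the running image away from the tag the inventory declares. Decide one way: drop the line if the tag pin is the intended update mechanism, or add a comment explaining why it is kept for later.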
Owner

should be removed or uncommented
histalek marked this conversation as resolved
saibotk force-pushed matrix-authentication-service from dc62953537 to 56a9ae17d2 2025-10-04 20:10:25 +02:00 Compare
saibotk force-pushed matrix-authentication-service from 56a9ae17d2 to 13c7544301 2025-10-04 20:16:04 +02:00 Compare
requested review from histalek 2025-10-04 20:16:11 +02:00
histalek approved these changes 2025-10-04 20:33:13 +02:00
saibotk force-pushed matrix-authentication-service from 13c7544301 to 113613bdaa 2025-10-04 20:36:13 +02:00 Compare
saibotk deleted branch matrix-authentication-service 2025-10-04 20:36:21 +02:00
Reference: SipsOfCode/infrastructure#402