SipsOfCode/infrastructure
2
2
Fork 0
Code Issues 8 Pull requests 6 Releases Activity

Add matrix-authentication-service & necessary Synapse adjustments #402

Merged
saibotk merged 3 commits from matrix-authentication-service into main 2025-10-04 20:36:21 +02:00
Conversation 2 Commits 3 Files changed 12 +440 -7
saibotk commented 2025-10-04 00:50:56 +02:00
Owner
Copy link

This adds a role for the Matrix Authentication Service (MAS).

Additionally, some changes to Synapse's reverse proxying were necessary.

Please see the respective commits for details.

This adds a role for the Matrix Authentication Service (MAS). Additionally, some changes to Synapse's reverse proxying were necessary. Please see the respective commits for details.
saibotk self-assigned this 2025-10-04 00:50:56 +02:00 
This adds the [Matrix Authentication Service](https://element-hq.github.io/matrix-authentication-service/index.html) role and playbook.

It configures a slightly opinionated setup bound to running Synapse and without any mailing configuration.
The role installs MAS via podman quadlet with minimal perimssions along with a Postgres 18 instance.

Note:
- Secret configs need to be manually set up, before this role can be used
- Not all MAS configs can be configured via variables, only instance-specific settings are exposed (e.g. hostnames or secrets)
- Migrations from Synapse need to be done manually
- Config changes to Synapse also need to be done manually
This adds the necessary proxy setup for legacy authentication support according to the docs [0].

Note: This requires the Synapse instance and MAS to be running on the same host.

0: https://element-hq.github.io/matrix-authentication-service/setup/reverse-proxy.html#compatibility-layer
feat(synapse): Use dynamic well-known from Synapse
All checks were successful
ci/woodpecker/pr/ansible-lint Pipeline was successful
Details
ad57f33a2d
 
Some well-known information is rather dynamic, e.g. the supported/enabled MSCs.
Synapse can handle the client well-known endpoint and might add more in the future.

This also allows Synapse to communicate the MAS configuration to clients.
fixup! feat(mas): add matrix authentication service role
Some checks failed
ci/woodpecker/pr/ansible-lint Pipeline failed
Details
08b6250b7b
saibotk force-pushed matrix-authentication-service from 08b6250b7b
Some checks failed
ci/woodpecker/pr/ansible-lint Pipeline failed
Details
to 2e60c72fdc
All checks were successful
ci/woodpecker/pr/ansible-lint Pipeline was successful
Details
2025-10-04 01:09:33 +02:00 Compare
saibotk force-pushed matrix-authentication-service from 2e60c72fdc
All checks were successful
ci/woodpecker/pr/ansible-lint Pipeline was successful
Details
to dc62953537
All checks were successful
ci/woodpecker/pr/ansible-lint Pipeline was successful
Details
2025-10-04 01:10:13 +02:00 Compare
histalek approved these changes 2025-10-04 11:12:41 +02:00
Dismissed
histalek left a comment
Owner
Copy link

a few nits otherwise LGTM

a few nits otherwise LGTM
roles/matrix_authentication_service/handlers/main.yml Outdated
@ -0,0 +4,4 @@
listen: "matrix authentication service selinux context changed"
- name: Restart matrix authentication service-postgres service.
ansible.builtin.systemd:
histalek commented 2025-10-04 09:22:59 +02:00
Owner
Copy link

FYI ansible.builtin.systemd was renamed to ansible.builtin.systemd_service some time in 2023 (i think)

ansible.builtin.systemd is kept as an alias for backwards compatibility

it's probably fine as is and i might replace all occurrences of this in a PR soon enough, just to give a heads up here

FYI `ansible.builtin.systemd` was renamed to `ansible.builtin.systemd_service` some time in 2023 (i think) `ansible.builtin.systemd` is kept as an alias for backwards compatibility it's probably fine as is and i might replace all occurrences of this in a PR soon enough, just to give a heads up here
👍 1
histalek marked this conversation as resolved
roles/matrix_authentication_service/tasks/main.yml Outdated
@ -0,0 +79,4 @@
ansible.builtin.stat:
path: "{{ caddy_install_dir }}/config"
become: true
register: caddy_stat_config_dir
histalek commented 2025-10-04 09:33:41 +02:00
Owner
Copy link

tbh just name this matrix_authentication_service_caddy_stat_config_dir

i'm not sure if this could ever meaningfully clash with the caddy role, but we should just not risk it.

this change would also get rid of the ansible-lint violation

tbh just name this `matrix_authentication_service_caddy_stat_config_dir` i'm not sure if this could ever meaningfully clash with the caddy role, but we should just not risk it. this change would also get rid of the ansible-lint violation
histalek marked this conversation as resolved
roles/matrix_authentication_service/templates/matrix-authentication-service-postgres.container.j2 Outdated
@ -0,0 +13,4 @@
HealthCmd = CMD pg_isready -U mas -d matrix_authentication_service
# AutoUpdate = registry
histalek commented 2025-10-04 11:02:32 +02:00
Owner
Copy link

this should either be removed or uncommented

this should either be removed or uncommented
histalek marked this conversation as resolved
roles/matrix_authentication_service/templates/matrix-authentication-service-postgres.container.j2 Outdated
@ -0,0 +20,4 @@
User = 70
Group = 70
# NoNewPrivileges = true
histalek commented 2025-10-04 11:03:27 +02:00
Owner
Copy link

is this a problem in this setup? or why is it commented?

is this a problem in this setup? or why is it commented?
histalek marked this conversation as resolved
roles/matrix_authentication_service/templates/matrix-authentication-service.container.j2 Outdated
@ -0,0 +13,4 @@
Image = {{ matrix_authentication_service_containerimage }}:{{ matrix_authentication_service_image_tag }}
ContainerName = matrix-authentication-service
# AutoUpdate = registry
histalek commented 2025-10-04 11:05:09 +02:00
Owner
Copy link

should be removed or uncommented

should be removed or uncommented
histalek marked this conversation as resolved
saibotk force-pushed matrix-authentication-service from dc62953537
All checks were successful
ci/woodpecker/pr/ansible-lint Pipeline was successful
Details
to 56a9ae17d2
All checks were successful
ci/woodpecker/pr/ansible-lint Pipeline was successful
Details
2025-10-04 20:10:25 +02:00 Compare
saibotk force-pushed matrix-authentication-service from 56a9ae17d2
All checks were successful
ci/woodpecker/pr/ansible-lint Pipeline was successful
Details
to 13c7544301
All checks were successful
ci/woodpecker/pr/ansible-lint Pipeline was successful
Details
2025-10-04 20:16:04 +02:00 Compare
histalek approved these changes 2025-10-04 20:33:13 +02:00
saibotk force-pushed matrix-authentication-service from 13c7544301
All checks were successful
ci/woodpecker/pr/ansible-lint Pipeline was successful
Details
to 113613bdaa
All checks were successful
ci/woodpecker/pr/ansible-lint Pipeline was successful
Details
ci/woodpecker/push/ansible-lint Pipeline was successful
Details
2025-10-04 20:36:13 +02:00 Compare
saibotk deleted branch matrix-authentication-service 2025-10-04 20:36:21 +02:00
Sign in to join this conversation.
Reviewers
No reviewers
histalek
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
saibotk
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
SipsOfCode/infrastructure!402
No description provided.