titan-iac/services/comms/mas-configmap.yaml

# services/comms/mas-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: matrix-authentication-service-config
data:
  config.yaml: |
    http:
      public_base: "https://matrix.live.bstein.dev/"
      listeners:
        - name: web
          resources:
            - name: discovery
            - name: human
            - name: oauth
            - name: compat
            - name: graphql
            - name: assets
          binds:
            - address: "0.0.0.0:8080"
        - name: internal
          resources:
            - name: health
            - name: adminapi
          binds:
            - address: "0.0.0.0:8081"

    database:
      uri: "postgresql://mas:@@MAS_DB_PASSWORD@@@postgres-service.postgres.svc.cluster.local:5432/mas?sslmode=prefer"

    clients:
      - client_id: 01KDXMVQBQ5JNY6SEJPZW6Z8BM
        client_auth_method: client_secret_basic
        client_secret_file: /vault/secrets/mas-admin-secret

    secrets:
      encryption_file: /vault/secrets/mas-encryption
      keys:
        - kid: "othrys-rsa-1"
          key_file: /vault/secrets/mas-rsa-key

    passwords:
      enabled: true
      schemes:
        - version: 1
          algorithm: bcrypt

    matrix:
      kind: synapse
      homeserver: live.bstein.dev
      endpoint: "http://othrys-synapse-matrix-synapse:8008/"
      secret: "@@MATRIX_SHARED_SECRET@@"

    upstream_oauth2:
      providers:
        - id: 01KDTTKYCYTAAAQKMAKZZ5CPW3
          synapse_idp_id: oidc-keycloak
          issuer: "https://sso.bstein.dev/realms/atlas"
          human_name: "Keycloak"
          brand_name: "keycloak"
          client_id: "othrys-mas"
          client_secret: "@@KEYCLOAK_CLIENT_SECRET@@"
          token_endpoint_auth_method: client_secret_post
          scope: "openid profile email"
          claims_imports:
            localpart:
              action: require
              template: "{{ user.preferred_username }}"
              on_conflict: add
            displayname:
              action: force
              template: "{{ user.name }}"
            email:
              action: force
              template: "{{ user.email }}"

    policy:
      data:
        admin_clients:
          - 01KDXMVQBQ5JNY6SEJPZW6Z8BM
        client_registration:
          allow_insecure_uris: true
          allow_host_mismatch: true
          allow_missing_client_uri: true
comms: consolidate stack manifests 2026-01-08 01:55:58 -03:00			`# services/comms/mas-configmap.yaml`
communication: add matrix-authentication-service 2025-12-31 15:37:54 -03:00			`apiVersion: v1`
			`kind: ConfigMap`
			`metadata:`
			`name: matrix-authentication-service-config`
			`data:`
			`config.yaml: \|`
			`http:`
			`public_base: "https://matrix.live.bstein.dev/"`
communication: make MAS listen on IPv4 2025-12-31 15:57:33 -03:00			`listeners:`
			`- name: web`
			`resources:`
			`- name: discovery`
			`- name: human`
			`- name: oauth`
			`- name: compat`
			`- name: graphql`
			`- name: assets`
			`binds:`
			`- address: "0.0.0.0:8080"`
			`- name: internal`
			`resources:`
			`- name: health`
comms(mas): enable internal admin API 2026-01-01 18:22:32 -03:00			`- name: adminapi`
communication: make MAS listen on IPv4 2025-12-31 15:57:33 -03:00			`binds:`
comms(mas): enable internal admin API 2026-01-01 18:22:32 -03:00			`- address: "0.0.0.0:8081"`
communication: add matrix-authentication-service 2025-12-31 15:37:54 -03:00
			`database:`
			`uri: "postgresql://mas:@@MAS_DB_PASSWORD@@@postgres-service.postgres.svc.cluster.local:5432/mas?sslmode=prefer"`

comms(mas): enable internal admin API 2026-01-01 18:22:32 -03:00			`clients:`
			`- client_id: 01KDXMVQBQ5JNY6SEJPZW6Z8BM`
			`client_auth_method: client_secret_basic`
comms: fix mas vault file paths 2026-01-15 23:56:32 -03:00			`client_secret_file: /vault/secrets/mas-admin-secret`
comms(mas): enable internal admin API 2026-01-01 18:22:32 -03:00
communication: add matrix-authentication-service 2025-12-31 15:37:54 -03:00			`secrets:`
comms: fix mas vault file paths 2026-01-15 23:56:32 -03:00			`encryption_file: /vault/secrets/mas-encryption`
communication: wire MAS secrets via init render 2025-12-31 15:49:21 -03:00			`keys:`
			`- kid: "othrys-rsa-1"`
comms: fix mas vault file paths 2026-01-15 23:56:32 -03:00			`key_file: /vault/secrets/mas-rsa-key`
communication: add matrix-authentication-service 2025-12-31 15:37:54 -03:00
			`passwords:`
			`enabled: true`
communication: prep syn2mas migrate (bcrypt, disable guests) 2025-12-31 18:27:04 -03:00			`schemes:`
			`- version: 1`
			`algorithm: bcrypt`
communication: add matrix-authentication-service 2025-12-31 15:37:54 -03:00
			`matrix:`
			`kind: synapse`
			`homeserver: live.bstein.dev`
			`endpoint: "http://othrys-synapse-matrix-synapse:8008/"`
communication: wire MAS secrets via init render 2025-12-31 15:49:21 -03:00			`secret: "@@MATRIX_SHARED_SECRET@@"`
communication: add matrix-authentication-service 2025-12-31 15:37:54 -03:00
			`upstream_oauth2:`
			`providers:`
			`- id: 01KDTTKYCYTAAAQKMAKZZ5CPW3`
			`synapse_idp_id: oidc-keycloak`
			`issuer: "https://sso.bstein.dev/realms/atlas"`
			`human_name: "Keycloak"`
			`brand_name: "keycloak"`
			`client_id: "othrys-mas"`
communication: wire MAS secrets via init render 2025-12-31 15:49:21 -03:00			`client_secret: "@@KEYCLOAK_CLIENT_SECRET@@"`
communication: add matrix-authentication-service 2025-12-31 15:37:54 -03:00			`token_endpoint_auth_method: client_secret_post`
			`scope: "openid profile email"`
			`claims_imports:`
			`localpart:`
			`action: require`
			`template: "{{ user.preferred_username }}"`
			`on_conflict: add`
			`displayname:`
			`action: force`
			`template: "{{ user.name }}"`
			`email:`
			`action: force`
			`template: "{{ user.email }}"`

			`policy:`
			`data:`
comms(mas): enable internal admin API 2026-01-01 18:22:32 -03:00			`admin_clients:`
			`- 01KDXMVQBQ5JNY6SEJPZW6Z8BM`
communication: add matrix-authentication-service 2025-12-31 15:37:54 -03:00			`client_registration:`
			`allow_insecure_uris: true`
			`allow_host_mismatch: true`
			`allow_missing_client_uri: true`