communication: fix Synapse delegated auth

2025-12-31 16:05:32 -03:00 · 2025-12-31 16:05:32 -03:00 · 07ae28e1b1
commit 07ae28e1b1
parent 20df5cfb6e
1 changed files with 14 additions and 1 deletions
--- a/services/communication/synapse-rendered.yaml
+++ b/services/communication/synapse-rendered.yaml
@ -321,6 +321,7 @@ data:
    ## Signing Keys ##

    signing_key_path: "/synapse/keys/signing.key"
+    macaroon_secret_key: "@@MACAROON_SECRET_KEY@@"

    # The trusted servers to download signing keys from.
    trusted_key_servers:
@ -342,7 +343,7 @@ data:
      msc4222_enabled: true
    max_event_delay_duration: 24h
    password_config:
-      enabled: true
+      enabled: false
    turn_uris:
      - "turn:turn.live.bstein.dev:3478?transport=udp"
      - "turn:turn.live.bstein.dev:3478?transport=tcp"
@ -371,6 +372,9 @@ data:
    well_known_client:
      "m.homeserver":
        "base_url": "https://matrix.live.bstein.dev"
+      "org.matrix.msc2965.authentication":
+        "issuer": "https://matrix.live.bstein.dev/"
+        "account": "https://matrix.live.bstein.dev/account/"
      "org.matrix.msc4143.rtc_foci":
        - type: "livekit"
          livekit_service_url: "https://kit.live.bstein.dev/livekit/jwt"
@ -717,6 +721,7 @@ spec:
              export OIDC_CLIENT_SECRET_ESCAPED=$(echo "${OIDC_CLIENT_SECRET:-}" | sed 's/[\\/&]/\\&/g') && \
              export TURN_SECRET_ESCAPED=$(echo "${TURN_SECRET:-}" | sed 's/[\\/&]/\\&/g') && \
              export MAS_SHARED_SECRET_ESCAPED=$(echo "${MAS_SHARED_SECRET:-}" | sed 's/[\\/&]/\\&/g') && \
+              export MACAROON_SECRET_KEY_ESCAPED=$(echo "${MACAROON_SECRET_KEY:-}" | sed 's/[\\/&]/\\&/g') && \
              cat /synapse/secrets/*.yaml | \
                sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \
                    -e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \
@ -731,6 +736,9 @@ spec:
              fi; \
              if [ -n "${MAS_SHARED_SECRET_ESCAPED}" ]; then \
                sed -i "s/@@MAS_SHARED_SECRET@@/${MAS_SHARED_SECRET_ESCAPED}/g" /synapse/runtime-config/homeserver.yaml; \
+              fi; \
+              if [ -n "${MACAROON_SECRET_KEY_ESCAPED}" ]; then \
+                sed -i "s/@@MACAROON_SECRET_KEY@@/${MACAROON_SECRET_KEY_ESCAPED}/g" /synapse/runtime-config/homeserver.yaml; \
              fi
              exec python -B -m synapse.app.homeserver \
                          -c /synapse/runtime-config/homeserver.yaml \
@ -761,6 +769,11 @@ spec:
                secretKeyRef:
                  name: mas-secrets-runtime
                  key: matrix_shared_secret
+            - name: MACAROON_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: synapse-macaroon
+                  key: macaroon_secret_key
          image: "ghcr.io/element-hq/synapse:v1.144.0"
          imagePullPolicy: IfNotPresent
          securityContext: