From 07ae28e1b15ba805bb79ca60714b52ec7df71e26 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Wed, 31 Dec 2025 16:05:32 -0300
Subject: [PATCH] communication: fix Synapse delegated auth
---
 services/communication/synapse-rendered.yaml | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/services/communication/synapse-rendered.yaml b/services/communication/synapse-rendered.yaml
index c824b5d..14d0024 100644
--- a/services/communication/synapse-rendered.yaml
+++ b/services/communication/synapse-rendered.yaml
@@ -321,6 +321,7 @@ data:
 ## Signing Keys ##
 signing_key_path: "/synapse/keys/signing.key"
+ macaroon_secret_key: "@@MACAROON_SECRET_KEY@@"
 # The trusted servers to download signing keys from.
 trusted_key_servers:
@@ -342,7 +343,7 @@ data:
 msc4222_enabled: true
 max_event_delay_duration: 24h
 password_config:
- enabled: true
+ enabled: false
 turn_uris:
 - "turn:turn.live.bstein.dev:3478?transport=udp"
 - "turn:turn.live.bstein.dev:3478?transport=tcp"
@@ -371,6 +372,9 @@ data:
 well_known_client:
 "m.homeserver":
 "base_url": "https://matrix.live.bstein.dev"
+ "org.matrix.msc2965.authentication":
+ "issuer": "https://matrix.live.bstein.dev/"
+ "account": "https://matrix.live.bstein.dev/account/"
 "org.matrix.msc4143.rtc_foci":
 - type: "livekit"
 livekit_service_url: "https://kit.live.bstein.dev/livekit/jwt"
@@ -717,6 +721,7 @@ spec:
 export OIDC_CLIENT_SECRET_ESCAPED=$(echo "${OIDC_CLIENT_SECRET:-}" | sed 's/[\\/&]/\\&/g') && \
 export TURN_SECRET_ESCAPED=$(echo "${TURN_SECRET:-}" | sed 's/[\\/&]/\\&/g') && \
 export MAS_SHARED_SECRET_ESCAPED=$(echo "${MAS_SHARED_SECRET:-}" | sed 's/[\\/&]/\\&/g') && \
+ export MACAROON_SECRET_KEY_ESCAPED=$(echo "${MACAROON_SECRET_KEY:-}" | sed 's/[\\/&]/\\&/g') && \
 cat /synapse/secrets/*.yaml | \
 sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \
 -e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \ 
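Review bot: The `issuer` added under `org.matrix.msc2965.authentication` in the hunk at -371 carries a trailing slash, and clients following that MSC compare the string against the issuer in the auth service's discovery document, so it presumably has to match what the delegated auth service advertises byte-for-byte; that service's configuration is not in this diff, so please confirm both the slash and the `account` path. A comment above the new block, `# issuer/account must match the auth service's OIDC discovery document exactly (including the trailing slash)`, would stop a later edit from normalising the slash away. The `well_known_client` mapping continues outside the hunk.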
@@ -731,6 +736,9 @@ spec:
 fi; \
 if [ -n "${MAS_SHARED_SECRET_ESCAPED}" ]; then \
 sed -i "s/@@MAS_SHARED_SECRET@@/${MAS_SHARED_SECRET_ESCAPED}/g" /synapse/runtime-config/homeserver.yaml; \
+ fi; \
+ if [ -n "${MACAROON_SECRET_KEY_ESCAPED}" ]; then \
+ sed -i "s/@@MACAROON_SECRET_KEY@@/${MACAROON_SECRET_KEY_ESCAPED}/g" /synapse/runtime-config/homeserver.yaml; \
 fi
 exec python -B -m synapse.app.homeserver \
 -c /synapse/runtime-config/homeserver.yaml \
@@ -761,6 +769,11 @@ spec:
 secretKeyRef:
 name: mas-secrets-runtime
 key: matrix_shared_secret
+ - name: MACAROON_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: synapse-macaroon
+ key: macaroon_secret_key
 image: "ghcr.io/element-hq/synapse:v1.144.0"
 imagePullPolicy: IfNotPresent
 securityContext:
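Review bot: The new `if [ -n "${MACAROON_SECRET_KEY_ESCAPED}" ]` guard in the hunk at -731 is fail-open: when the variable is empty the substitution is skipped and Synapse starts with the literal `@@MACAROON_SECRET_KEY@@` placed at -321 as its macaroon secret, a value that is committed to the repository and therefore public. That mirrors the existing MAS_SHARED_SECRET handling, but a signing secret deserves a hard failure rather than a silent fallback. Dropping the guard in favour of an unconditional substitution, preceded by `: "${MACAROON_SECRET_KEY:?MACAROON_SECRET_KEY is required}"` next to the new export in the hunk at -717, makes the container exit before the rendered config is written. The enclosing shell script starts and ends outside this hunk.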
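Review bot: The new env entry in the hunk at -761 references a Secret named `synapse-macaroon`, which nothing in this commit creates, and its name departs from the `mas-secrets-runtime` style of the neighbouring entries; a comment such as `# synapse-macaroon is provisioned out of band — see <provisioning-doc placeholder>` would tell the next reader where it comes from and how it is rotated. Because `secretKeyRef` defaults to `optional: false`, a missing Secret fails the container at start, which is the right direction, but an empty value still passes through to the runtime script's `-n` check. The `env:` list this entry belongs to starts outside the hunk.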