From b710f45e5c72d0397382a4da2ba6538101b39c4a Mon Sep 17 00:00:00 2001 From: Brad Stein Date: Tue, 13 Jan 2026 20:59:35 -0300 Subject: [PATCH] comms: fix synapse runtime config injection --- services/comms/helmrelease.yaml | 52 ++++++++++++++++----------------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/services/comms/helmrelease.yaml b/services/comms/helmrelease.yaml index 71fc5df..a7e180d 100644 --- a/services/comms/helmrelease.yaml +++ b/services/comms/helmrelease.yaml @@ -93,32 +93,32 @@ spec: name: synapse-macaroon key: macaroon_secret_key extraCommands: - - | - yaml_quote() { printf "%s" "$1" | sed "s/'/''/g"; } - cat > /synapse/config/conf.d/runtime-secrets.yaml <- + esc() { printf "%s" "$1" | sed "s/'/''/g"; }; + printf '%s\n' + "oidc_providers:" + " - idp_id: keycloak" + " idp_name: Keycloak" + " issuer: https://sso.bstein.dev/realms/atlas" + " client_id: synapse" + " client_secret: '$(esc "${OIDC_CLIENT_SECRET:-}")'" + " client_auth_method: client_secret_post" + " scopes: [\"openid\", \"profile\", \"email\"]" + " authorization_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/auth" + " token_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/token" + " userinfo_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/userinfo" + " user_mapping_provider:" + " config:" + " localpart_template: \"{{ user.preferred_username }}\"" + " display_name_template: \"{{ user.name }}\"" + " allow_existing_users: true" + "matrix_authentication_service:" + " enabled: true" + " endpoint: http://matrix-authentication-service:8080/" + " secret: '$(esc "${MAS_SHARED_SECRET:-}")'" + "turn_shared_secret: '$(esc "${TURN_SECRET:-}")'" + "macaroon_secret_key: '$(esc "${MACAROON_SECRET_KEY:-}")'" + > /synapse/config/conf.d/runtime-secrets.yaml nodeSelector: hardware: rpi5 affinity:
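Review bot: The four `${...:-}` expansions in the new `printf` arguments (`OIDC_CLIENT_SECRET`, `MAS_SHARED_SECRET`, `TURN_SECRET`, `MACAROON_SECRET_KEY`) fall back to an empty string, so a missing or misnamed Secret key would be written out as `client_secret: ''` or `macaroon_secret_key: ''` instead of stopping start-up. A guard in the main shell ahead of the `printf`, e.g. `: "${OIDC_CLIENT_SECRET:?}" "${MAS_SHARED_SECRET:?}" "${TURN_SECRET:?}" "${MACAROON_SECRET_KEY:?}";`, would fail closed; placing `:?` inside `$(esc ...)` would only abort the command substitution's subshell and still emit an empty value. The redirect also creates `runtime-secrets.yaml` under whatever umask the container happens to have, so a `umask 077;` before the `printf` is worth adding unless the chart already restricts that directory. How the chart executes `extraCommands` is not visible in this hunk, so the abort behaviour should be confirmed against its entrypoint.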