comms: fix synapse runtime config injection

2026-01-13 20:59:35 -03:00 · 2026-01-13 20:59:35 -03:00 · b710f45e5c
commit b710f45e5c
parent e6a3ae5f7b
1 changed files with 26 additions and 26 deletions
--- a/services/comms/helmrelease.yaml
+++ b/services/comms/helmrelease.yaml
@ -93,32 +93,32 @@ spec:
              name: synapse-macaroon
              key: macaroon_secret_key
      extraCommands:
-        - |
+        - >-
-          yaml_quote() { printf "%s" "$1" | sed "s/'/''/g"; }
+          esc() { printf "%s" "$1" | sed "s/'/''/g"; };
-          cat > /synapse/config/conf.d/runtime-secrets.yaml <<EOF
+          printf '%s\n'
-          oidc_providers:
+          "oidc_providers:"
-            - idp_id: keycloak
+          "  - idp_id: keycloak"
-              idp_name: Keycloak
+          "    idp_name: Keycloak"
-              issuer: https://sso.bstein.dev/realms/atlas
+          "    issuer: https://sso.bstein.dev/realms/atlas"
-              client_id: synapse
+          "    client_id: synapse"
-              client_secret: '$(yaml_quote "${OIDC_CLIENT_SECRET:-}")'
+          "    client_secret: '$(esc "${OIDC_CLIENT_SECRET:-}")'"
-              client_auth_method: client_secret_post
+          "    client_auth_method: client_secret_post"
-              scopes: ["openid", "profile", "email"]
+          "    scopes: [\"openid\", \"profile\", \"email\"]"
-              authorization_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/auth
+          "    authorization_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/auth"
-              token_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/token
+          "    token_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/token"
-              userinfo_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/userinfo
+          "    userinfo_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/userinfo"
-              user_mapping_provider:
+          "    user_mapping_provider:"
-                config:
+          "      config:"
-                  localpart_template: "{{ user.preferred_username }}"
+          "        localpart_template: \"{{ user.preferred_username }}\""
-                  display_name_template: "{{ user.name }}"
+          "        display_name_template: \"{{ user.name }}\""
-              allow_existing_users: true
+          "    allow_existing_users: true"
-          matrix_authentication_service:
+          "matrix_authentication_service:"
-            enabled: true
+          "  enabled: true"
-            endpoint: http://matrix-authentication-service:8080/
+          "  endpoint: http://matrix-authentication-service:8080/"
-            secret: '$(yaml_quote "${MAS_SHARED_SECRET:-}")'
+          "  secret: '$(esc "${MAS_SHARED_SECRET:-}")'"
-          turn_shared_secret: '$(yaml_quote "${TURN_SECRET:-}")'
+          "turn_shared_secret: '$(esc "${TURN_SECRET:-}")'"
-          macaroon_secret_key: '$(yaml_quote "${MACAROON_SECRET_KEY:-}")'
+          "macaroon_secret_key: '$(esc "${MACAROON_SECRET_KEY:-}")'"
-          EOF
+          > /synapse/config/conf.d/runtime-secrets.yaml
      nodeSelector:
        hardware: rpi5
      affinity: