comms: restore MAS and OIDC secrets in synapse

services/comms/helmrelease.yaml

@@ -71,6 +71,54 @@ spec:
         limits:
           cpu: "2"
           memory: 3Gi
+      extraEnv:
+        - name: OIDC_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: synapse-oidc
+              key: client-secret
+        - name: TURN_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: turn-shared-secret
+              key: TURN_STATIC_AUTH_SECRET
+        - name: MAS_SHARED_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: mas-secrets-runtime
+              key: matrix_shared_secret
+        - name: MACAROON_SECRET_KEY
+          valueFrom:
+            secretKeyRef:
+              name: synapse-macaroon
+              key: macaroon_secret_key
+      extraCommands:
+        - |
+          yaml_quote() { printf "%s" "$1" | sed "s/'/''/g"; }
+          cat > /synapse/config/conf.d/runtime-secrets.yaml <<EOF
+          oidc_providers:
+            - idp_id: keycloak
+              idp_name: Keycloak
+              issuer: https://sso.bstein.dev/realms/atlas
+              client_id: synapse
+              client_secret: '$(yaml_quote "${OIDC_CLIENT_SECRET:-}")'
+              client_auth_method: client_secret_post
+              scopes: ["openid", "profile", "email"]
+              authorization_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/auth
+              token_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/token
+              userinfo_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/userinfo
+              user_mapping_provider:
+                config:
+                  localpart_template: "{{ user.preferred_username }}"
+                  display_name_template: "{{ user.name }}"
+              allow_existing_users: true
+          matrix_authentication_service:
+            enabled: true
+            endpoint: http://matrix-authentication-service:8080/
+            secret: '$(yaml_quote "${MAS_SHARED_SECRET:-}")'
+          turn_shared_secret: '$(yaml_quote "${TURN_SECRET:-}")'
+          macaroon_secret_key: '$(yaml_quote "${MACAROON_SECRET_KEY:-}")'
+          EOF
       nodeSelector:
         hardware: rpi5
       affinity:
@@ -117,22 +165,6 @@ spec:
       password_config:
         enabled: true
       oidc_enabled: true
-      oidc_providers:
-        - idp_id: keycloak
-          idp_name: Keycloak
-          issuer: https://sso.bstein.dev/realms/atlas
-          client_id: synapse
-          client_secret: "@@OIDC_CLIENT_SECRET@@"
-          client_auth_method: client_secret_post
-          scopes: ["openid", "profile", "email"]
-          authorization_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/auth
-          token_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/token
-          userinfo_endpoint: https://sso.bstein.dev/realms/atlas/protocol/openid-connect/userinfo
-          user_mapping_provider:
-            config:
-              localpart_template: "{{ user.preferred_username }}"
-              display_name_template: "{{ user.name }}"
-          allow_existing_users: true
       rc_message:
         per_second: 0.5
         burst_count: 30
@@ -151,9 +183,18 @@ spec:
           per_second: 5
       room_list_publication_rules:
         - action: allow
+      turn_uris:
+        - "turn:turn.live.bstein.dev:3478?transport=udp"
+        - "turn:turn.live.bstein.dev:3478?transport=tcp"
+        - "turns:turn.live.bstein.dev:5349?transport=tcp"
+      turn_allow_guests: true
+      turn_user_lifetime: 86400000
       well_known_client:
         "m.homeserver":
           "base_url": "https://matrix.live.bstein.dev"
+        "org.matrix.msc2965.authentication":
+          "issuer": "https://matrix.live.bstein.dev/"
+          "account": "https://matrix.live.bstein.dev/account/"
         "org.matrix.msc4143.rtc_foci":
           - type: "livekit"
             livekit_service_url: "https://kit.live.bstein.dev/livekit/jwt"