diff --git a/tf-stage-1/modules/kc-client/client.tf b/tf-stage-1/modules/kc-client/client.tf
index 877f63e..97f5e24 100644
--- a/tf-stage-1/modules/kc-client/client.tf
+++ b/tf-stage-1/modules/kc-client/client.tf
@@ -28,7 +28,8 @@ resource "keycloak_openid_client" "client" {
 implicit_flow_enabled = false
 direct_access_grants_enabled = true
 service_accounts_enabled = false
- frontchannel_logout_enabled = false
+ frontchannel_logout_enabled = var.frontchannel_logout_enabled
+ oauth2_device_authorization_grant_enabled = var.device_authorization_grant_enabled
 }
diff --git a/tf-stage-1/modules/kc-client/variables.tf b/tf-stage-1/modules/kc-client/variables.tf
index 5a8fe81..4508788 100644
--- a/tf-stage-1/modules/kc-client/variables.tf
+++ b/tf-stage-1/modules/kc-client/variables.tf
@@ -68,6 +68,14 @@ variable "enabled" {
 # Default settings for all clients:
+variable "device_authorization_grant_enabled" {
+ type = bool
+ default = false
+}
+variable "frontchannel_logout_enabled" {
+ type = bool
+ default = false
+}
 variable "login_theme" {
 type = string
diff --git a/tf-stage-1/secrets.yml b/tf-stage-1/secrets.yml
index c2498af..61e84a7 100644
--- a/tf-stage-1/secrets.yml
+++ b/tf-stage-1/secrets.yml
@@ -2,6 +2,7 @@ TF_VAR_grafana_secret: !var keycloak/grafana/secret
 TF_VAR_hedgedoc_secret: !var keycloak/hedgedoc/secret
 TF_VAR_miniflux_secret: !var keycloak/miniflux/secret
+TF_VAR_synapse_secret: !var keycloak/synapse/secret
 TF_VAR_keycloak_client_secret: !var keycloak/terraform/secret
 TF_VAR_cloudflare_api_token: !var extern/cloudflare/api_token
 TF_VAR_cloudflare_account_id: !var extern/cloudflare/account_id
diff --git a/tf-stage-1/service_synapse.tf b/tf-stage-1/service_synapse.tf
new file mode 100644
index 0000000..b392a70
--- /dev/null
+++ b/tf-stage-1/service_synapse.tf
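Review bot: The new `oauth2_device_authorization_grant_enabled` argument is fed from `var.device_authorization_grant_enabled`, whose name drops the `oauth2_` prefix of the attribute it controls, while `var.frontchannel_logout_enabled` mirrors its attribute exactly; renaming the variable to `oauth2_device_authorization_grant_enabled` (in variables.tf and at the call site in service_synapse.tf) would keep the module's naming consistent. The two variables added in the variables.tf hunk also carry no `description`, and since both change the client's protocol behaviour a one-liner such as `description = "Enable the OAuth 2.0 device authorization grant for this client (default: off)."` on each would tell callers what they are opting into. The `keycloak_openid_client` resource body starts before this hunk.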
@@ -0,0 +1,30 @@
+module "synapseclient" {
+ source = "./modules/kc-client"
+
+ realm = var.realm
+ client_id = "synapse"
+ client_name = "Matrix - Synapse"
+ client_secret = var.synapse_secret
+ description = "Synapse Homeserver for unruhig.eu"
+ root_url = "https://snapse.unruhig.eu"
+ admin_url = ""
+ base_url = ""
+ valid_redirect_uris = ["https://synapse.unruhig.eu/_synapse/client/oidc/callback", "https://unruhig.eu/_synapse/client/oidc/callback"]
+ web_origins = []
+ device_authorization_grant_enabled = true
+ frontchannel_logout_enabled = true
+}
+
+
+resource "keycloak_openid_user_attribute_protocol_mapper" "mx-localpart-mapper" {
+ realm_id = module.synapseclient.realm.id
+ client_id = module.synapseclient.client.id
+ name = "mx local part"
+
+ user_attribute = "mx_localpart"
+ claim_name = "mx_localpart"
+ add_to_id_token = true
+ add_to_access_token = true
+ add_to_userinfo = true
+}
+
diff --git a/tf-stage-1/user_ialistannen.tf b/tf-stage-1/user_ialistannen.tf
index c39a0ab..5838636 100644
--- a/tf-stage-1/user_ialistannen.tf
+++ b/tf-stage-1/user_ialistannen.tf
@@ -6,8 +6,9 @@ data "keycloak_user" "ialistannen" {
 resource "keycloak_user_groups" "ialistannen_groups" {
 realm_id = data.keycloak_realm.realm.id
 user_id = data.keycloak_user.ialistannen.id
- exhaustive = false
+ exhaustive = true
 group_ids = [
 module.hedgedocclient.access_group.id,
+ module.synapseclient.access_group.id,
 ]
 }
diff --git a/tf-stage-1/user_rad4day.tf b/tf-stage-1/user_rad4day.tf
index 2269220..bac9d66 100644
--- a/tf-stage-1/user_rad4day.tf
+++ b/tf-stage-1/user_rad4day.tf
@@ -9,10 +9,11 @@ resource "keycloak_user_groups" "rad4day_groups" {
 exhaustive = false
 group_ids = [
 module.giteaclient.access_group.id,
- module.grafanaclient.access_group.id,
 module.giteaclient.admin_group.id,
+ module.grafanaclient.access_group.id,
 module.grafanaclient.admin_group.id,
 module.hedgedocclient.access_group.id,
 module.minifluxclient.access_group.id,
+ module.synapseclient.access_group.id,
 ]
 }
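Review bot: `root_url` is set to `https://snapse.unruhig.eu` while both entries in `valid_redirect_uris` use the host `synapse.unruhig.eu`; this looks like a typo and should read `root_url = "https://synapse.unruhig.eu"`. The `mx-localpart-mapper` copies the `mx_localpart` user attribute into the ID token, access token and userinfo, and since Synapse presumably derives the Matrix localpart from that claim, the attribute must stay admin-managed rather than editable by the user in the account console, otherwise one user could claim another user's Matrix account; a comment such as `# mx_localpart selects the Matrix account — keep it admin-managed, never user-editable` next to the mapper would record that requirement. `device_authorization_grant_enabled = true` is only needed if Synapse actually performs the device flow; if it does not, leaving the module default keeps the client's enabled grants to what is used.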
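Review bot: Switching `exhaustive` from `false` to `true` in `ialistannen_groups` makes Terraform remove ialistannen from every group not listed in `group_ids`, which is a behaviour change beyond adding the synapse access group and is not mentioned anywhere in the diff. The `rad4day_groups` hunk in user_rad4day.tf keeps `exhaustive = false`, so the two users' memberships are now managed differently; if the intent is fully declarative membership, the same setting belongs there too, and in either case a comment such as `# exhaustive: group memberships are fully managed here; assignments made outside Terraform are revoked on apply` would record the decision.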
diff --git a/tf-stage-1/variables.tf b/tf-stage-1/variables.tf
index 15bdb86..33b8b46 100644
--- a/tf-stage-1/variables.tf
+++ b/tf-stage-1/variables.tf
@@ -16,6 +16,10 @@ variable "miniflux_secret" {
 type = string
 sensitive = true
 }
+variable "synapse_secret" {
+ type = string
+ sensitive = true
+}
 variable "cloudflare_api_token" {
 type = string
 sensitive = true