Keycloak: Add synapse client

2023-09-15 17:51:31 +02:00 · 2023-09-15 17:51:31 +02:00 · 8024ba0dad
commit 8024ba0dad
parent 3ec96eb1b3
7 changed files with 49 additions and 3 deletions
--- a/tf-stage-1/modules/kc-client/client.tf
+++ b/tf-stage-1/modules/kc-client/client.tf
@ -28,7 +28,8 @@ resource "keycloak_openid_client" "client" {
  implicit_flow_enabled        = false
  direct_access_grants_enabled = true
  service_accounts_enabled     = false
-  frontchannel_logout_enabled  = false
+  frontchannel_logout_enabled  = var.frontchannel_logout_enabled
+  oauth2_device_authorization_grant_enabled = var.device_authorization_grant_enabled

 }

--- a/tf-stage-1/modules/kc-client/variables.tf
+++ b/tf-stage-1/modules/kc-client/variables.tf
@ -68,6 +68,14 @@ variable "enabled" {


 # Default settings for all clients:
+variable "device_authorization_grant_enabled" {
+  type    = bool
+  default = false
+}
+variable "frontchannel_logout_enabled" {
+  type    = bool
+  default = false
+}

 variable "login_theme" {
  type    = string
--- a/tf-stage-1/secrets.yml
+++ b/tf-stage-1/secrets.yml
@ -2,6 +2,7 @@
 TF_VAR_grafana_secret: !var keycloak/grafana/secret
 TF_VAR_hedgedoc_secret: !var keycloak/hedgedoc/secret
 TF_VAR_miniflux_secret: !var keycloak/miniflux/secret
+TF_VAR_synapse_secret: !var keycloak/synapse/secret
 TF_VAR_keycloak_client_secret: !var keycloak/terraform/secret
 TF_VAR_cloudflare_api_token: !var extern/cloudflare/api_token
 TF_VAR_cloudflare_account_id: !var extern/cloudflare/account_id
--- a/tf-stage-1/service_synapse.tf
+++ b/tf-stage-1/service_synapse.tf
@ -0,0 +1,30 @@
+module "synapseclient" {
+  source = "./modules/kc-client"
+
+  realm                              = var.realm
+  client_id                          = "synapse"
+  client_name                        = "Matrix - Synapse"
+  client_secret                      = var.synapse_secret
+  description                        = "Synapse Homeserver for unruhig.eu"
+  root_url                           = "https://snapse.unruhig.eu"
+  admin_url                          = ""
+  base_url                           = ""
+  valid_redirect_uris                = ["https://synapse.unruhig.eu/_synapse/client/oidc/callback", "https://unruhig.eu/_synapse/client/oidc/callback"]
+  web_origins                        = []
+  device_authorization_grant_enabled = true
+  frontchannel_logout_enabled        = true
+}
+
+
+resource "keycloak_openid_user_attribute_protocol_mapper" "mx-localpart-mapper" {
+  realm_id  = module.synapseclient.realm.id
+  client_id = module.synapseclient.client.id
+  name      = "mx local part"
+
+  user_attribute      = "mx_localpart"
+  claim_name          = "mx_localpart"
+  add_to_id_token     = true
+  add_to_access_token = true
+  add_to_userinfo     = true
+}
+
--- a/tf-stage-1/user_ialistannen.tf
+++ b/tf-stage-1/user_ialistannen.tf
@ -6,8 +6,9 @@ data "keycloak_user" "ialistannen" {
 resource "keycloak_user_groups" "ialistannen_groups" {
  realm_id   = data.keycloak_realm.realm.id
  user_id    = data.keycloak_user.ialistannen.id
-  exhaustive = false
+  exhaustive = true
  group_ids = [
    module.hedgedocclient.access_group.id,
+    module.synapseclient.access_group.id,
  ]
 }
--- a/tf-stage-1/user_rad4day.tf
+++ b/tf-stage-1/user_rad4day.tf
@ -9,10 +9,11 @@ resource "keycloak_user_groups" "rad4day_groups" {
  exhaustive = false
  group_ids = [
    module.giteaclient.access_group.id,
-    module.grafanaclient.access_group.id,
    module.giteaclient.admin_group.id,
+    module.grafanaclient.access_group.id,
    module.grafanaclient.admin_group.id,
    module.hedgedocclient.access_group.id,
    module.minifluxclient.access_group.id,
+    module.synapseclient.access_group.id,
  ]
 }
--- a/tf-stage-1/variables.tf
+++ b/tf-stage-1/variables.tf
@ -16,6 +16,10 @@ variable "miniflux_secret" {
  type      = string
  sensitive = true
 }
+variable "synapse_secret" {
+  type      = string
+  sensitive = true
+}
 variable "cloudflare_api_token" {
  type      = string
  sensitive = true