infrastructure/playbooks/roles/synapse/vars/main.yml

---
synapse_svc:
  domain: "{{ all_services | service_get_domain(role_name) }}"
  docker_host: synapse-admin
  port: 80
  caddy_extra: |
    handle /_matrix/* {
        reverse_proxy synapse:8008
    }
    handle /_synapse/* {
        reverse_proxy synapse:8008
    }
  extra_svcs:
    - domain: matrix.serguzim.me:8448
      docker_host: synapse
      port: 8008
  db:
    host: "{{ postgres.host }}"
    user: "{{ opentofu.postgresql_data.synapse.user }}"
    pass: "{{ opentofu.postgresql_data.synapse.pass }}"
    database: "{{ opentofu.postgresql_data.synapse.database }}"
  config_path: config

synapse_env:
  SYNAPSE_CONFIG_PATH: "{{ ('/', svc.config_path) | path_join }}"
  REACT_APP_SERVER: https://matrix.serguzim.me

synapse_yml:
  server_name: msrg.cc
  pid_file: "{{ (svc.config_path, 'homeserver.pid') | path_join }}"
  public_baseurl: https://matrix.serguzim.me/
  allow_public_rooms_without_auth: true
  allow_public_rooms_over_federation: true

  listeners:
    - port: 8008
      tls: false
      type: http
      x_forwarded: true
      resources:
        - names:
            - client
            - federation
            - metrics
          compress: false

  admin_contact: mailto:{{ admin_email }}

  acme:
    enabled: false

  database:
    name: psycopg2
    args:
      user: "{{ svc.db.user }}"
      password: "{{ svc.db.pass }}"
      database: "{{ svc.db.database }}"
      host: "{{ svc.db.host }}"
      cp_min: 5
      cp_max: 10

  log_config: "{{ (svc.config_path, 'msrg.cc.log.config') | path_join }}"
  media_store_path: /media_store
  max_upload_size: 500M
  enable_registration: false
  enable_metrics: true
  report_stats: true

  macaroon_secret_key: "{{ vault_synapse.macaroon_secret_key }}"
  form_secret: "{{ vault_synapse.form_secret }}"
  signing_key_path: "{{ (svc.config_path, 'msrg.cc.signing.key') | path_join }}"

  trusted_key_servers:
    - server_name: matrix.org
  suppress_key_server_warning: true

  oidc_providers:
    - idp_id: auth_serguzim_me
      idp_name: auth.serguzim.me
      issuer: "{{ opentofu.authentik_data.synapse.base_url }}"
      client_id: "{{ opentofu.authentik_data.synapse.client_id }}"
      client_secret: "{{ opentofu.authentik_data.synapse.client_secret }}"
      scopes:
        - openid
        - profile
        - email
      user_mapping_provider:
        config:
          localpart_template: "{{ '{{ user.preferred_username }}' }}"
          display_name_template: "{{ '{{ user.name }}' }}"

  email:
    smtp_host: mail.serguzim.me
    smtp_port: 587
    smtp_user: "{{ opentofu.mailcow_data.synapse.address }}"
    smtp_pass: "{{ opentofu.mailcow_data.synapse.password }}"
    require_transport_security: true
    notif_from: "matrix <{{ opentofu.mailcow_data.synapse.address }}>"

synapse_compose:
  watchtower: update
  image: ghcr.io/element-hq/synapse:latest
  volumes:
    - ./config:/config
    - media_store:/media_store
  file:
    services:
      synapse-admin:
        image: awesometechnologies/synapse-admin
        restart: always
        labels:
          com.centurylinklabs.watchtower.enable: true
        env_file:
          - service.env
        networks:
          apps:
            aliases:
              - synapse-admin
    volumes:
      media_store: