services/synapse: SAML2 integration, element-web

2026-02-09 12:29:19 -08:00 · 2021-09-25 03:49:15 +01:00 · 2021-09-25 03:49:15 +01:00 · 9563a957ec
commit 9563a957ec
parent a81432f8ab
1 changed files with 133 additions and 0 deletions
--- a/config/services/synapse.nix
+++ b/config/services/synapse.nix
@ -42,6 +42,106 @@ with lib;
    group = "matrix-synapse";
  };

+  secrets.files.saml2-cert = {
+    source = config.kw.secrets.repo.synapse-cert.source;
+    owner = "matrix-synapse";
+    group = "matrix-synapse";
+  };
+
+  secrets.files.saml2-privkey = {
+    source = config.kw.secrets.repo.synapse-key.source;
+    owner = "matrix-synapse";
+    group = "matrix-synapse";
+  };
+
+  secrets.files.saml2-map = {
+    fileName = "map.py";
+    text = ''
+MAP = {
+    "identifier": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
+    "fro": {
+        'uid': 'uid',
+        'displayName': 'displayName',
+    },
+    "to": {
+        'uid': 'uid',
+        'displayName': 'displayName',
+    }
+}
+    '';
+    owner = "matrix-synapse";
+    group = "matrix-synapse";
+  };
+
+  secrets.files.saml2-config = {
+    fileName = "saml2-config.py";
+    text = ''
+import saml2
+from saml2.saml import NAME_FORMAT_URI
+
+BASE = "https://kittywit.ch/"
+
+CONFIG = {
+    "entityid": "matrix-kittywit.ch",
+    "description": "Matrix Server",
+    "service": {
+        "sp": {
+            "name": "matrix-login",
+            "endpoints": {
+                "single_sign_on_service": [
+                    (BASE + "_matrix/saml2/authn_response", saml2.BINDING_HTTP_POST),
+                ],
+                "assertion_consumer_service": [
+                    (BASE + "_matrix/saml2/authn_response", saml2.BINDING_HTTP_POST),
+                ],
+                #"single_logout_service": [
+                #    (BASE + "_matrix/saml2/logout", saml2.BINDING_HTTP_POST),
+                #],
+            },
+            "required_attributes": ["uid",],
+            "optional_attributes": ["displayName"],
+            "sign_assertion": True,
+            "sign_response": True,
+        }
+    },
+    "debug": 0,
+    "key_file": "${config.secrets.files.saml2-privkey.path}",
+    "cert_file": "${config.secrets.files.saml2-cert.path}",
+    "encryption_keypairs": [
+        {
+            "key_file": "${config.secrets.files.saml2-privkey.path}",
+            "cert_file": "${config.secrets.files.saml2-cert.path}",
+        }
+    ],
+    "attribute_map_dir": "${builtins.dirOf config.secrets.files.saml2-map.path}",
+    "metadata": {
+        "remote": [
+          {
+          "url": "https://auth.kittywit.ch/auth/realms/kittywitch/protocol/saml/descriptor",
+          },
+        ],
+    },
+    # If you want to have organization and contact_person for the pysaml2 config
+    #"organization": {
+    #    "name": "Example AB",
+    #    "display_name": [("Example AB", "se"), ("Example Co.", "en")],
+    #    "url": "http://example.com/roland",
+    #},
+    #"contact_person": [{
+    #    "given_name": "Example",
+    #    "sur_name": "Example",
+    #    "email_address": ["example@example.com"],
+    #    "contact_type": "technical",
+    #    },
+    #],
+    # Make sure to have xmlsec1 installed on your host(s)!
+    "xmlsec_binary": "${pkgs.xmlsec}/bin/xmlsec1",
+}
+    '';
+    owner = "matrix-synapse";
+    group = "matrix-synapse";
+  };
+
  services.matrix-synapse.extraConfigFiles = [
    config.secrets.files.matrix-registration-secret.path
  ];
@ -84,6 +184,7 @@ with lib;
    ];
    rc_messages_per_second = mkDefault "0.1";
    rc_message_burst_count = mkDefault "25.0";
+    public_baseurl = "https://${config.network.dns.domain}";
    url_preview_enabled = mkDefault true;
    enable_registration = mkDefault false;
    enable_metrics = mkDefault false;
@ -92,6 +193,16 @@ with lib;
    allow_guest_access = mkDefault true;
    extraConfig = ''
      suppress_key_server_warning: true
+      saml2_config:
+        sp_config:
+          metadata:
+            remote:
+              - url: https://auth.kittywit.ch/auth/realms/kittywitch/protocol/saml/descriptor
+        config_path: "${config.secrets.files.saml2-config.path}"
+        user_mapping_provider:
+          config:
+        password_config:
+          enabled: false
    '';
    listeners = [{
      port = 8008;
@ -176,6 +287,28 @@ with lib;
    after = [ "network.target" ];
  };

+  deploy.tf.dns.records.services_element = {
+    inherit (config.network.dns) zone;
+    domain = "element";
+    cname = { inherit (config.network.addresses.public) target; };
+  };
+
+  services.nginx.virtualHosts."element.${config.network.dns.domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    extraConfig = ''
+      keepalive_requests 100000;
+    '';
+    root = pkgs.element-web.override {
+      conf = {
+        default_server_config."m.homeserver" = {
+          "base_url" = "https://${config.network.dns.domain}:443";
+          "server_name" = "kittywit.ch";
+        };
+      };
+    };
+  };
+
  services.nginx.virtualHosts."${config.network.dns.domain}" = {
    # allegedly fixes https://github.com/poljar/weechat-matrix/issues/240
    extraConfig = ''