Add support for Matrix Authentication Service

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3108

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3562

roles/custom/matrix-authentication-service/templates/bin/mas-cli.j2

@@ -0,0 +1,16 @@
+#jinja2: lstrip_blocks: "True"
+#!/bin/bash
+
+args=$@
+
+if [ $# -eq 0 ]; then
+    args="help"
+fi
+
+if [ -t 0 ]; then
+    tty_option="-it"
+else
+    tty_option=""
+fi
+
+{{ devture_systemd_docker_base_host_command_docker }} exec $tty_option matrix-authentication-service mas-cli $args

roles/custom/matrix-authentication-service/templates/bin/register-user.j2

@@ -0,0 +1,17 @@
+#jinja2: lstrip_blocks: "True"
+#!/bin/bash
+
+if [ $# -ne 3 ]; then
+	echo "Usage: "$0" <username> <password> <admin access: 0 or 1>"
+	exit 1
+fi
+
+user=$1
+password=$2
+admin=$3
+
+if [ "$admin" -eq "1" ]; then
+	{{ devture_systemd_docker_base_host_command_docker }} exec matrix-authentication-service mas-cli manage register-user --yes -p "$password" --admin "$user"
+else
+	{{ devture_systemd_docker_base_host_command_docker }} exec matrix-authentication-service mas-cli manage register-user --yes -p "$password" --no-admin "$user"
+fi

roles/custom/matrix-authentication-service/templates/config.yaml.j2

@@ -0,0 +1,82 @@
+#jinja2: lstrip_blocks: "True"
+http:
+  listeners:
+  - name: web
+    resources:
+    - name: discovery
+    - name: human
+    - name: oauth
+    - name: compat
+    - name: graphql
+    - name: assets
+    binds:
+    - address: '[::]:8080'
+    proxy_protocol: false
+    prefix: {{ matrix_authentication_service_path_prefix }}
+  - name: internal
+    resources:
+    - name: health
+    binds:
+    - host: localhost
+      port: 8081
+    proxy_protocol: false
+    prefix: {{ matrix_authentication_service_path_prefix }}
+  trusted_proxies: {{ matrix_authentication_service_config_http_trusted_proxies | to_json }}
+  public_base: {{ matrix_authentication_service_config_http_public_base | to_json }}
+  issuer: {{ matrix_authentication_service_config_http_issuer | to_json }}
+
+database:
+  host: {{ matrix_authentication_service_config_database_host | to_json }}
+  port: {{ matrix_authentication_service_config_database_port | to_json }}
+  username: {{ matrix_authentication_service_config_database_username | to_json }}
+  password: {{ matrix_authentication_service_config_database_password | to_json }}
+  database: {{ matrix_authentication_service_config_database_database | to_json }}
+  ssl_mode: {{ matrix_authentication_service_config_database_ssl_mode | to_json }}
+  max_connections: {{ matrix_authentication_service_config_database_max_connections | to_json }}
+  min_connections: {{ matrix_authentication_service_config_database_min_connections | to_json }}
+  connect_timeout: {{ matrix_authentication_service_config_database_connect_timeout | to_json }}
+  idle_timeout: {{ matrix_authentication_service_config_database_idle_timeout | to_json }}
+  max_lifetime: {{ matrix_authentication_service_config_database_max_lifetime | to_json }}
+
+email:
+  from: {{ matrix_authentication_service_config_email_from | to_json }}
+  reply_to: {{ matrix_authentication_service_config_email_reply_to | to_json }}
+  transport: {{ matrix_authentication_service_config_email_transport | to_json }}
+  {% if matrix_authentication_service_config_email_transport == 'smtp' %}
+  mode: {{ matrix_authentication_service_config_email_mode | to_json }}
+  hostname: {{ matrix_authentication_service_config_email_hostname | to_json }}
+  port: {{ matrix_authentication_service_config_email_port | int | to_json }}
+  {% if matrix_authentication_service_config_email_username %}
+  username: {{ matrix_authentication_service_config_email_username | to_json }}
+  {% endif %}
+  {% if matrix_authentication_service_config_email_password %}
+  password: {{ matrix_authentication_service_config_email_password | to_json }}
+  {% endif %}
+  {% endif %}
+secrets:
+  encryption: {{ matrix_authentication_service_config_secrets_encryption | to_json }}
+  keys: {{ matrix_authentication_service_config_secrets_keys | to_json }}
+
+passwords:
+  enabled: {{ matrix_authentication_service_config_passwords_enabled | to_json }}
+  schemes: {{ matrix_authentication_service_config_passwords_schemes | to_json }}
+  minimum_complexity: {{ matrix_authentication_service_config_passwords_minimum_complexity | to_json }}
+
+matrix:
+  homeserver: {{ matrix_authentication_service_config_matrix_homeserver | to_json }}
+  secret: {{ matrix_authentication_service_config_matrix_secret | to_json }}
+  endpoint: {{ matrix_authentication_service_config_matrix_endpoint | to_json }}
+
+account:
+  email_change_allowed: {{ matrix_authentication_service_config_account_email_change_allowed | to_json }}
+  displayname_change_allowed: {{ matrix_authentication_service_config_account_displayname_change_allowed | to_json }}
+  password_registration_enabled: {{ matrix_authentication_service_config_account_password_registration_enabled | to_json }}
+  password_change_allowed: {{ matrix_authentication_service_config_account_password_change_allowed | to_json }}
+  password_recovery_enabled: {{ matrix_authentication_service_config_account_password_recovery_enabled | to_json }}
+
+clients: {{ matrix_authentication_service_config_clients | to_json }}
+
+{% if matrix_authentication_service_config_upstream_oauth2_providers | length > 0 %}
+upstream_oauth2:
+  providers: {{ matrix_authentication_service_config_upstream_oauth2_providers | to_json }}
+{% endif %}

roles/custom/matrix-authentication-service/templates/env.j2

@@ -0,0 +1 @@
+{{ matrix_authentication_service_environment_variables_extension }}

roles/custom/matrix-authentication-service/templates/labels.j2

@@ -0,0 +1,134 @@
+{% if matrix_authentication_service_container_labels_traefik_enabled %}
+traefik.enable=true
+
+{% if matrix_authentication_service_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_authentication_service_container_labels_traefik_docker_network }}
+{% endif %}
+
+traefik.http.services.matrix-authentication-service.loadbalancer.server.port=8080
+
+########################################################################################
+#                                                                                      #
+# Public Main                                                                          #
+#                                                                                      #
+########################################################################################
+
+{% set main_middlewares = [] %}
+
+{% if matrix_authentication_service_container_labels_public_main_path_prefix != '/' %}
+traefik.http.middlewares.matrix-authentication-service-slashless-redirect.redirectregex.regex=({{ matrix_authentication_service_container_labels_public_main_path_prefix | quote }})$
+traefik.http.middlewares.matrix-authentication-service-slashless-redirect.redirectregex.replacement=${1}/
+{% set main_middlewares = main_middlewares + ['matrix-authentication-service-slashless-redirect'] %}
+{% endif %}
+
+{% if matrix_authentication_service_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
+{% for name, value in matrix_authentication_service_container_labels_traefik_additional_response_headers.items() %}
+traefik.http.middlewares.matrix-authentication-service-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
+{% endfor %}
+{% set main_middlewares = main_middlewares + ['matrix-authentication-service-add-headers'] %}
+{% endif %}
+
+traefik.http.routers.matrix-authentication-service.rule={{ matrix_authentication_service_container_labels_public_main_rule }}
+
+{% if matrix_authentication_service_container_labels_public_main_priority | int > 0 %}
+traefik.http.routers.matrix-authentication-service.priority={{ matrix_authentication_service_container_labels_public_main_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-authentication-service.service=matrix-authentication-service
+
+{% if main_middlewares | length > 0 %}
+traefik.http.routers.matrix-authentication-service.middlewares={{ main_middlewares | join(',') }}
+{% endif %}
+
+traefik.http.routers.matrix-authentication-service.entrypoints={{ matrix_authentication_service_container_labels_public_main_entrypoints }}
+traefik.http.routers.matrix-authentication-service.tls={{ matrix_authentication_service_container_labels_public_main_tls | to_json }}
+{% if matrix_authentication_service_container_labels_public_main_tls %}
+traefik.http.routers.matrix-authentication-service.tls.certResolver={{ matrix_authentication_service_container_labels_public_main_tls_certResolver }}
+{% endif %}
+
+########################################################################################
+#                                                                                      #
+# /Public Main                                                                         #
+#                                                                                      #
+########################################################################################
+
+{% if matrix_authentication_service_container_labels_public_compatibility_layer_enabled %}
+########################################################################################
+#                                                                                      #
+# Public Compatibility Layer                                                           #
+#                                                                                      #
+########################################################################################
+
+{% set compatibility_layer_middlewares = [] %}
+
+{% if matrix_authentication_service_container_labels_public_main_path_prefix != '/' %}
+traefik.http.middlewares.matrix-authentication-service-add-prefix.addprefix.prefix={{ matrix_authentication_service_container_labels_public_main_path_prefix }}
+{% set compatibility_layer_middlewares = compatibility_layer_middlewares + ['matrix-authentication-service-add-prefix'] %}
+{% endif %}
+
+traefik.http.routers._internalmatrix-authentication-service-public-compatibility-layer.rule={{ matrix_authentication_service_container_labels_public_compatibility_layer_rule }}
+
+{% if matrix_authentication_service_container_labels_public_compatibility_layer_priority | int > 0 %}
+traefik.http.routers._internalmatrix-authentication-service-public-compatibility-layer.priority={{ matrix_authentication_service_container_labels_public_compatibility_layer_priority }}
+{% endif %}
+
+traefik.http.routers._internalmatrix-authentication-service-public-compatibility-layer.service=matrix-authentication-service
+
+{% if compatibility_layer_middlewares | length > 0 %}
+traefik.http.routers._internalmatrix-authentication-service-public-compatibility-layer.middlewares={{ compatibility_layer_middlewares | join(',') }}
+{% endif %}
+
+traefik.http.routers._internalmatrix-authentication-service-public-compatibility-layer.entrypoints={{ matrix_authentication_service_container_labels_public_compatibility_layer_entrypoints }}
+
+traefik.http.routers._internalmatrix-authentication-service-public-compatibility-layer.tls={{ matrix_authentication_service_container_labels_public_compatibility_layer_tls | to_json }}
+{% if matrix_authentication_service_container_labels_public_compatibility_layer_tls %}
+traefik.http.routers._internalmatrix-authentication-service-public-compatibility-layer.tls.certResolver={{ matrix_authentication_service_container_labels_public_compatibility_layer_tls_certResolver }}
+{% endif %}
+
+########################################################################################
+#                                                                                      #
+# /Public Compatibility Layer                                                          #
+#                                                                                      #
+########################################################################################
+{% endif %}
+
+
+{% if matrix_authentication_service_container_labels_internal_compatibility_layer_enabled %}
+########################################################################################
+#                                                                                      #
+# Internal Compatibility Layer                                                         #
+#                                                                                      #
+########################################################################################
+
+{% set compatibility_layer_middlewares = [] %}
+
+{% if matrix_authentication_service_container_labels_public_main_path_prefix != '/' %}
+traefik.http.middlewares.matrix-authentication-service-add-prefix.addprefix.prefix={{ matrix_authentication_service_container_labels_public_main_path_prefix }}
+{% set compatibility_layer_middlewares = compatibility_layer_middlewares + ['matrix-authentication-service-add-prefix'] %}
+{% endif %}
+
+traefik.http.routers._internalmatrix-authentication-service-internal-compatibility-layer.rule={{ matrix_authentication_service_container_labels_internal_compatibility_layer_rule }}
+
+{% if matrix_authentication_service_container_labels_internal_compatibility_layer_priority | int > 0 %}
+traefik.http.routers._internalmatrix-authentication-service-internal-compatibility-layer.priority={{ matrix_authentication_service_container_labels_internal_compatibility_layer_priority }}
+{% endif %}
+
+traefik.http.routers._internalmatrix-authentication-service-internal-compatibility-layer.service=matrix-authentication-service
+
+{% if compatibility_layer_middlewares | length > 0 %}
+traefik.http.routers._internalmatrix-authentication-service-internal-compatibility-layer.middlewares={{ compatibility_layer_middlewares | join(',') }}
+{% endif %}
+
+traefik.http.routers._internalmatrix-authentication-service-internal-compatibility-layer.entrypoints={{ matrix_authentication_service_container_labels_internal_compatibility_layer_entrypoints }}
+
+########################################################################################
+#                                                                                      #
+# /Internal Compatibility Layer                                                        #
+#                                                                                      #
+########################################################################################
+{% endif %}
+
+
+{% endif %}
+
+{{ matrix_authentication_service_container_labels_additional_labels }}

roles/custom/matrix-authentication-service/templates/provider/anthropic-config.yml.j2

@@ -0,0 +1,13 @@
+#jinja2: lstrip_blocks: "True"
+base_url: {{ matrix_authentication_service_config_agents_static_definitions_anthropic_config_base_url | to_json }}
+
+api_key: {{ matrix_authentication_service_config_agents_static_definitions_anthropic_config_api_key | to_json }}
+
+{% if matrix_authentication_service_config_agents_static_definitions_anthropic_config_text_generation_enabled %}
+text_generation:
+  model_id: {{ matrix_authentication_service_config_agents_static_definitions_anthropic_config_text_generation_model_id | to_json }}
+  prompt: {{ matrix_authentication_service_config_agents_static_definitions_anthropic_config_text_generation_prompt | to_json }}
+  temperature: {{ matrix_authentication_service_config_agents_static_definitions_anthropic_config_text_generation_temperature | to_json }}
+  max_response_tokens: {{ matrix_authentication_service_config_agents_static_definitions_anthropic_config_text_generation_max_response_tokens | int | to_json }}
+  max_context_tokens: {{ matrix_authentication_service_config_agents_static_definitions_anthropic_config_text_generation_max_context_tokens | int | to_json }}
+{% endif %}

roles/custom/matrix-authentication-service/templates/provider/groq-config.yml.j2

@@ -0,0 +1,18 @@
+#jinja2: lstrip_blocks: "True"
+base_url: {{ matrix_authentication_service_config_agents_static_definitions_groq_config_base_url | to_json }}
+
+api_key: {{ matrix_authentication_service_config_agents_static_definitions_groq_config_api_key | to_json }}
+
+{% if matrix_authentication_service_config_agents_static_definitions_groq_config_text_generation_enabled %}
+text_generation:
+  model_id: {{ matrix_authentication_service_config_agents_static_definitions_groq_config_text_generation_model_id | to_json }}
+  prompt: {{ matrix_authentication_service_config_agents_static_definitions_groq_config_text_generation_prompt | to_json }}
+  temperature: {{ matrix_authentication_service_config_agents_static_definitions_groq_config_text_generation_temperature | to_json }}
+  max_response_tokens: {{ matrix_authentication_service_config_agents_static_definitions_groq_config_text_generation_max_response_tokens | int | to_json }}
+  max_context_tokens: {{ matrix_authentication_service_config_agents_static_definitions_groq_config_text_generation_max_context_tokens | int | to_json }}
+{% endif %}
+
+{% if matrix_authentication_service_config_agents_static_definitions_groq_config_speech_to_text_enabled %}
+speech_to_text:
+  model_id: {{ matrix_authentication_service_config_agents_static_definitions_groq_config_speech_to_text_model_id | to_json }}
+{% endif %}

roles/custom/matrix-authentication-service/templates/provider/mistral-config.yml.j2

@@ -0,0 +1,13 @@
+#jinja2: lstrip_blocks: "True"
+base_url: {{ matrix_authentication_service_config_agents_static_definitions_mistral_config_base_url | to_json }}
+
+api_key: {{ matrix_authentication_service_config_agents_static_definitions_mistral_config_api_key | to_json }}
+
+{% if matrix_authentication_service_config_agents_static_definitions_mistral_config_text_generation_enabled %}
+text_generation:
+  model_id: {{ matrix_authentication_service_config_agents_static_definitions_mistral_config_text_generation_model_id | to_json }}
+  prompt: {{ matrix_authentication_service_config_agents_static_definitions_mistral_config_text_generation_prompt | to_json }}
+  temperature: {{ matrix_authentication_service_config_agents_static_definitions_mistral_config_text_generation_temperature | to_json }}
+  max_response_tokens: {{ matrix_authentication_service_config_agents_static_definitions_mistral_config_text_generation_max_response_tokens | int | to_json }}
+  max_context_tokens: {{ matrix_authentication_service_config_agents_static_definitions_mistral_config_text_generation_max_context_tokens | int | to_json }}
+{% endif %}

roles/custom/matrix-authentication-service/templates/provider/openai-config.yml.j2

@@ -0,0 +1,33 @@
+#jinja2: lstrip_blocks: "True"
+base_url: {{ matrix_authentication_service_config_agents_static_definitions_openai_config_base_url | to_json }}
+
+api_key: {{ matrix_authentication_service_config_agents_static_definitions_openai_config_api_key | to_json }}
+
+{% if matrix_authentication_service_config_agents_static_definitions_openai_config_text_generation_enabled %}
+text_generation:
+  model_id: {{ matrix_authentication_service_config_agents_static_definitions_openai_config_text_generation_model_id | to_json }}
+  prompt: {{ matrix_authentication_service_config_agents_static_definitions_openai_config_text_generation_prompt | to_json }}
+  temperature: {{ matrix_authentication_service_config_agents_static_definitions_openai_config_text_generation_temperature | to_json }}
+  max_response_tokens: {{ matrix_authentication_service_config_agents_static_definitions_openai_config_text_generation_max_response_tokens | int | to_json }}
+  max_context_tokens: {{ matrix_authentication_service_config_agents_static_definitions_openai_config_text_generation_max_context_tokens | int | to_json }}
+{% endif %}
+
+{% if matrix_authentication_service_config_agents_static_definitions_openai_config_speech_to_text_enabled %}
+speech_to_text:
+  model_id: {{ matrix_authentication_service_config_agents_static_definitions_openai_config_speech_to_text_model_id | to_json }}
+{% endif %}
+
+{% if matrix_authentication_service_config_agents_static_definitions_openai_config_text_to_speech_enabled %}
+text_to_speech:
+  model_id: {{ matrix_authentication_service_config_agents_static_definitions_openai_config_text_to_speech_model_id | to_json }}
+  voice: {{ matrix_authentication_service_config_agents_static_definitions_openai_config_text_to_speech_voice | to_json }}
+  speed: {{ matrix_authentication_service_config_agents_static_definitions_openai_config_text_to_speech_speed | float }}
+  response_format: {{ matrix_authentication_service_config_agents_static_definitions_openai_config_text_to_speech_response_format | to_json }}
+{% endif %}
+
+{% if matrix_authentication_service_config_agents_static_definitions_openai_config_image_generation_enabled %}
+image_generation:
+  model_id: {{ matrix_authentication_service_config_agents_static_definitions_openai_config_image_generation_model_id | to_json }}
+  style: {{ matrix_authentication_service_config_agents_static_definitions_openai_config_image_generation_style | to_json }}
+  size: {{ matrix_authentication_service_config_agents_static_definitions_openai_config_image_generation_size | to_json }}
+{% endif %}

roles/custom/matrix-authentication-service/templates/systemd/matrix-authentication-service.service.j2

@@ -0,0 +1,49 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix Authentication Service
+{% for service in matrix_authentication_service_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_authentication_service_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+DefaultDependencies=no
+
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-authentication-service 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-authentication-service 2>/dev/null || true'
+
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
+			--rm \
+			--name=matrix-authentication-service \
+			--log-driver=none \
+			--user={{ matrix_authentication_service_uid }}:{{ matrix_authentication_service_gid }} \
+			--cap-drop=ALL \
+			--read-only \
+			--network={{ matrix_authentication_service_container_network }} \
+			--env-file={{ matrix_authentication_service_config_path }}/env \
+			--label-file={{ matrix_authentication_service_config_path }}/labels \
+			--mount type=bind,src={{ matrix_authentication_service_config_path }}/config.yaml,dst=/config.yaml,ro \
+			--mount type=bind,src={{ matrix_authentication_service_data_keys_path }},dst=/keys,ro \
+			{% for arg in matrix_authentication_service_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
+			{{ matrix_authentication_service_container_image }}
+
+{% for network in matrix_authentication_service_container_additional_networks %}
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-authentication-service
+{% endfor %}
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-authentication-service
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-authentication-service 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-authentication-service 2>/dev/null || true'
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-authentication-service
+
+[Install]
+WantedBy=multi-user.target