k8s/apps/matrix/external-secrets.yaml

---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: matrix-postgres-creds
spec:
  target:
    name: matrix-postgres-creds
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        synapse_db_password: |-
          {{ .synapse_db_password }}
        mas_db_password: |-
          {{ .mas_db_password }}
  data:
    - secretKey: synapse_db_password
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
        key: 2a9deb39-ef22-433e-a1be-df1555625e22
        property: fields[14].value
    - secretKey: mas_db_password
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
        key: 2a9deb39-ef22-433e-a1be-df1555625e22
        property: fields[15].value
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: matrix-oidc-config
spec:
  target:
    name: matrix-oidc-config
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        mas-oidc.yaml: |
          upstream_oauth2:
            providers:
              - id: authentik
                human_name: Authentik
                issuer: https://idm.hexor.cy/application/o/matrix/
                client_id: {{ .oauth_client_id }}
                client_secret: {{ .oauth_client_secret }}
                scope: "openid profile email"
                claims_imports:
                  localpart:
                    action: require
                    template: "{{ `{{ user.preferred_username }}` }}"
                  displayname:
                    action: suggest
                    template: "{{ `{{ user.name }}` }}"
                  email:
                    action: suggest
                    template: "{{ `{{ user.email }}` }}"
                    set_email_verification: always
  data:
    - secretKey: oauth_client_id
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
        key: ca76867f-49f3-4a30-9ef3-b05af35ee49a
        property: fields[0].value
    - secretKey: oauth_client_secret
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
        key: ca76867f-49f3-4a30-9ef3-b05af35ee49a
        property: fields[1].value
Added matrix 2026-03-16 10:04:13 +00:00			`---`
			`apiVersion: external-secrets.io/v1`
			`kind: ExternalSecret`
			`metadata:`
			`name: matrix-postgres-creds`
			`spec:`
			`target:`
			`name: matrix-postgres-creds`
			`deletionPolicy: Delete`
			`template:`
			`type: Opaque`
			`data:`
			`synapse_db_password: \|-`
			`{{ .synapse_db_password }}`
			`mas_db_password: \|-`
			`{{ .mas_db_password }}`
			`data:`
			`- secretKey: synapse_db_password`
			`sourceRef:`
			`storeRef:`
			`name: vaultwarden-login`
			`kind: ClusterSecretStore`
			`remoteRef:`
Added matrix 2026-03-16 10:28:17 +00:00			`conversionStrategy: Default`
			`decodingStrategy: None`
			`metadataPolicy: None`
			`key: 2a9deb39-ef22-433e-a1be-df1555625e22`
			`property: fields[14].value`
Added matrix 2026-03-16 10:04:13 +00:00			`- secretKey: mas_db_password`
			`sourceRef:`
			`storeRef:`
			`name: vaultwarden-login`
			`kind: ClusterSecretStore`
			`remoteRef:`
Added matrix 2026-03-16 10:28:17 +00:00			`conversionStrategy: Default`
			`decodingStrategy: None`
			`metadataPolicy: None`
			`key: 2a9deb39-ef22-433e-a1be-df1555625e22`
			`property: fields[15].value`
Added matrix 2026-03-16 10:04:13 +00:00			`---`
			`apiVersion: external-secrets.io/v1`
			`kind: ExternalSecret`
			`metadata:`
			`name: matrix-oidc-config`
			`spec:`
			`target:`
			`name: matrix-oidc-config`
			`deletionPolicy: Delete`
			`template:`
			`type: Opaque`
			`data:`
			`mas-oidc.yaml: \|`
			`upstream_oauth2:`
			`providers:`
			`- id: authentik`
			`human_name: Authentik`
			`issuer: https://idm.hexor.cy/application/o/matrix/`
			`client_id: {{ .oauth_client_id }}`
			`client_secret: {{ .oauth_client_secret }}`
			`scope: "openid profile email"`
			`claims_imports:`
			`localpart:`
			`action: require`
			template: "{{ `{{ user.preferred_username }}` }}"
			`displayname:`
			`action: suggest`
			template: "{{ `{{ user.name }}` }}"
			`email:`
			`action: suggest`
			template: "{{ `{{ user.email }}` }}"
			`set_email_verification: always`
			`data:`
			`- secretKey: oauth_client_id`
			`sourceRef:`
			`storeRef:`
			`name: vaultwarden-login`
			`kind: ClusterSecretStore`
			`remoteRef:`
Added matrix 2026-03-16 10:28:17 +00:00			`conversionStrategy: Default`
			`decodingStrategy: None`
			`metadataPolicy: None`
			`key: ca76867f-49f3-4a30-9ef3-b05af35ee49a`
			`property: fields[0].value`
Added matrix 2026-03-16 10:04:13 +00:00			`- secretKey: oauth_client_secret`
			`sourceRef:`
			`storeRef:`
			`name: vaultwarden-login`
			`kind: ClusterSecretStore`
			`remoteRef:`
Added matrix 2026-03-16 10:28:17 +00:00			`conversionStrategy: Default`
			`decodingStrategy: None`
			`metadataPolicy: None`
			`key: ca76867f-49f3-4a30-9ef3-b05af35ee49a`
			`property: fields[1].value`