---
version: "3.8"

# Matrix Authentication Service (MAS) — optional overlay for Element X / OIDC-native auth.

services:
  mas:
    image: ghcr.io/element-hq/matrix-authentication-service:1.14.0
    command: ["server", "--config=/etc/mas/config.yaml"]
    environment:
      - DOMAIN
      - SERVER_NAME
      - STACK_NAME
    networks:
      - internal
    configs:
      - source: mas_config
        target: /etc/mas/config.yaml
    secrets:
      - db_password
      - mas_encryption
      - mas_synapse_shared
      - mas_signing_rsa
    deploy:
      restart_policy:
        condition: on-failure

  app:
    secrets:
      - mas_synapse_shared

configs:
  mas_config:
    name: ${STACK_NAME}_mas_config_${MAS_CONFIG_VERSION}
    file: mas.config.yaml.tmpl
    template_driver: golang

secrets:
  mas_encryption:
    external: true
    name: ${STACK_NAME}_mas_encryption_${SECRET_MAS_ENCRYPTION_VERSION}
  mas_synapse_shared:
    external: true
    name: ${STACK_NAME}_mas_synapse_shared_${SECRET_MAS_SYNAPSE_SHARED_VERSION}
  mas_signing_rsa:
    external: true
    name: ${STACK_NAME}_mas_signing_rsa_${SECRET_MAS_SIGNING_RSA_VERSION}