diff --git a/docs/configuring-playbook-mxisd.md b/docs/configuring-playbook-ma1sd.md
similarity index 100%
rename from docs/configuring-playbook-mxisd.md
rename to docs/configuring-playbook-ma1sd.md
diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml
new file mode 100644
index 00000000..f3f604d3
--- /dev/null
+++ b/roles/matrix-ma1sd/defaults/main.yml
@@ -0,0 +1,175 @@
+# ma1sd is a Federated Matrix Identity Server
+# See: https://github.com/ma1uta/ma1sd
+
+matrix_ma1sd_enabled: true
+
+matrix_ma1sd_docker_image: "ma1uta/ma1sd:1.4.6"
+matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}"
+
+matrix_ma1sd_base_path: "{{ matrix_base_data_path }}/ma1sd"
+matrix_ma1sd_config_path: "{{ matrix_ma1sd_base_path }}/config"
+matrix_ma1sd_data_path: "{{ matrix_ma1sd_base_path }}/data"
+
+# Controls whether the matrix-ma1sd container exposes its HTTP port (tcp/8090 in the container).
+#
+# Takes an ":" or "" value (e.g. "127.0.0.1:8090"), or empty string to not expose.
+matrix_ma1sd_container_http_host_bind_port: ''
+
+# A list of extra arguments to pass to the container
+matrix_ma1sd_container_extra_arguments: []
+
+# List of systemd services that matrix-ma1sd.service depends on
+matrix_ma1sd_systemd_required_services_list: ['docker.service']
+
+# List of systemd services that matrix-ma1sd.service wants
+matrix_ma1sd_systemd_wanted_services_list: []
+
+# Your identity server is private by default.
+# To ensure maximum discovery, you can make your identity server
+# also forward lookups to the central matrix.org Identity server
+# (at the cost of potentially leaking all your contacts information).
+# Enabling this is discouraged. Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/features/identity.md#lookups
+matrix_ma1sd_matrixorg_forwarding_enabled: false
+
+# ma1sd has serveral supported identity stores.
+# One of them is storing identities directly in Synapse's database.
+# Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/stores/synapse.md
+matrix_ma1sd_synapsesql_enabled: false
+matrix_ma1sd_synapsesql_type: ""
+matrix_ma1sd_synapsesql_connection: ""
+
+# Setting up email-sending settings is required for using ma1sd.
+matrix_ma1sd_threepid_medium_email_identity_from: "matrix@{{ matrix_domain }}"
+matrix_ma1sd_threepid_medium_email_connectors_smtp_host: ""
+matrix_ma1sd_threepid_medium_email_connectors_smtp_port: 587
+matrix_ma1sd_threepid_medium_email_connectors_smtp_tls: 1
+matrix_ma1sd_threepid_medium_email_connectors_smtp_login: ""
+matrix_ma1sd_threepid_medium_email_connectors_smtp_password: ""
+
+# DNS overwrites are useful for telling ma1sd how it can reach the homeserver directly.
+# Useful when reverse-proxying certain URLs (e.g. `/_matrix/client/r0/user_directory/search`) to ma1sd,
+# so that ma1sd can rewrite the original URL to one that would reach the homeserver.
+matrix_ma1sd_dns_overwrite_enabled: false
+matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}"
+matrix_ma1sd_dns_overwrite_homeserver_client_value: "http://matrix-synapse:8008"
+
+# Override the default email templates
+# To use this, fill in the template variables with the full desired template as a multi-line YAML variable
+#
+# More info:
+# https://github.com/ma1uta/ma1sd/blob/master/docs/threepids/notification/template-generator.md
+# https://github.com/ma1uta/ma1sd/tree/master/src/main/resources/threepids/email
+matrix_ma1sd_threepid_medium_email_custom_templates_enabled: false
+matrix_ma1sd_threepid_medium_email_custom_invite_template: ""
+matrix_ma1sd_threepid_medium_email_custom_session_validation_template: ""
+matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template: ""
+matrix_ma1sd_threepid_medium_email_custom_matrixid_template: ""
+
+# Controls whether the self-check feature should validate SSL certificates.
+matrix_ma1sd_self_check_validate_certificates: true
+
+# Controls ma1sd logging verbosity for troubleshooting.
+#
+# According to: https://github.com/ma1uta/ma1sd/blob/master/docs/troubleshooting.md#increase-verbosity
+matrix_ma1sd_verbose_logging: false
+
+# Default ma1sd configuration template which covers the generic use case.
+# You can customize it by controlling the various variables inside it.
+#
+# For a more advanced customization, you can extend the default (see `matrix_ma1sd_configuration_extension_yaml`)
+# or completely replace this variable with your own template.
+matrix_ma1sd_configuration_yaml: |
+ #jinja2: lstrip_blocks: True
+ matrix:
+ domain: {{ matrix_domain }}
+
+ server:
+ name: {{ matrix_server_fqn_matrix }}
+
+ key:
+ path: /var/ma1sd/sign.key
+
+ storage:
+ provider:
+ sqlite:
+ database: /var/ma1sd/ma1sd.db
+
+ {% if matrix_ma1sd_dns_overwrite_enabled %}
+ dns:
+ overwrite:
+ homeserver:
+ client:
+ - name: {{ matrix_ma1sd_dns_overwrite_homeserver_client_name }}
+ value: {{ matrix_ma1sd_dns_overwrite_homeserver_client_value }}
+ {% endif %}
+
+ {% if matrix_ma1sd_matrixorg_forwarding_enabled %}
+ forward:
+ servers: ['matrix-org']
+ {% endif %}
+
+ threepid:
+ medium:
+ email:
+ identity:
+ from: {{ matrix_ma1sd_threepid_medium_email_identity_from }}
+ connectors:
+ smtp:
+ host: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_host }}
+ port: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_port }}
+ tls: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_tls }}
+ login: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_login }}
+ password: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_password }}
+ {% if matrix_ma1sd_threepid_medium_email_custom_templates_enabled %}
+ generators:
+ template:
+ {% if matrix_ma1sd_threepid_medium_email_custom_invite_template %}
+ invite: '/var/ma1sd/invite-template.eml'
+ {% endif %}
+ {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template or matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template %}
+ session:
+ {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template %}
+ validation: '/var/ma1sd/validate-template.eml'
+ {% endif %}
+ {% if matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template %}
+ unbind:
+ frandulent: 
'/var/ma1sd/unbind-fraudulent.eml'
+ {% endif %}
+ {% endif %}
+ {% if matrix_ma1sd_threepid_medium_email_custom_matrixid_template %}
+ generic:
+ matrixId: '/var/ma1sd/mxid-template.eml'
+ {% endif %}
+ {% endif %}
+
+ synapseSql:
+ enabled: {{ matrix_ma1sd_synapsesql_enabled }}
+ type: {{ matrix_ma1sd_synapsesql_type }}
+ connection: {{ matrix_ma1sd_synapsesql_connection }}
+
+matrix_ma1sd_configuration_extension_yaml: |
+ # Your custom YAML configuration for ma1sd goes here.
+ # This configuration extends the default starting configuration (`matrix_ma1sd_configuration_yaml`).
+ #
+ # You can override individual variables from the default configuration, or introduce new ones.
+ #
+ # If you need something more special, you can take full control by
+ # completely redefining `matrix_ma1sd_configuration_yaml`.
+ #
+ # Example configuration extension follows:
+ #
+ # ldap:
+ # enabled: true
+ # connection:
+ # host: ldapHostnameOrIp
+ # tls: false
+ # port: 389
+ # baseDNs: ['OU=Users,DC=example,DC=org']
+ # bindDn: CN=My Ma1sd User,OU=Users,DC=example,DC=org
+ # bindPassword: TheUserPassword
+
+matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml|from_yaml if matrix_ma1sd_configuration_extension_yaml|from_yaml is mapping else {} }}"
+
+# Holds the final ma1sd configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `matrix_ma1sd_configuration_yaml`.
+matrix_ma1sd_configuration: "{{ matrix_ma1sd_configuration_yaml|from_yaml|combine(matrix_ma1sd_configuration_extension, recursive=True) }}"
diff --git a/roles/matrix-mxisd/tasks/init.yml b/roles/matrix-ma1sd/tasks/init.yml
similarity index 70%
rename from roles/matrix-mxisd/tasks/init.yml
rename to roles/matrix-ma1sd/tasks/init.yml
index dcf1d053..31a2e28f 100644
--- a/roles/matrix-mxisd/tasks/init.yml
+++ b/roles/matrix-ma1sd/tasks/init.yml
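Review bot: The new defaults file never defines `matrix_ma1sd_container_image_self_build` or `matrix_ma1sd_docker_src_files_path`, although the deleted mxisd defaults carried both and the renamed init.yml (the `when:` of the Ansible-version check) and the new setup_ma1sd.yml (paths loop, image-pull `when:`, self-build block) reference the ma1sd names. As far as I can tell the setup tasks would then stop with an undefined-variable error on the first run unless the operator defines the variable themselves; restoring the two lines next to `matrix_ma1sd_docker_image` fixes it: `matrix_ma1sd_container_image_self_build: false` and `matrix_ma1sd_docker_src_files_path: "{{ matrix_ma1sd_base_path }}/docker-src"`. Separately, the `frandulent:` key under `unbind:` in `matrix_ma1sd_configuration_yaml` is spelled differently from the variable and file it feeds (`..._unbind_fraudulent_template`, `unbind-fraudulent.eml`); it was carried over from the mxisd template, so confirm against the ma1sd generator docs whether the key is really `fraudulent` before correcting it.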
@@ -1,10 +1,10 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mxisd'] }}" - when: matrix_mxisd_enabled|bool + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ma1sd'] }}" + when: matrix_ma1sd_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters # for self buildig it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: - msg: "To self build Mxisd image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mxisd_container_image_self_build" + msg: "To self build ma1sd image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ma1sd_container_image_self_build"
diff --git a/roles/matrix-ma1sd/tasks/main.yml b/roles/matrix-ma1sd/tasks/main.yml
new file mode 100644
index 00000000..f5ac34d6
--- /dev/null
+++ b/roles/matrix-ma1sd/tasks/main.yml
@@ -0,0 +1,21 @@
+- import_tasks: "{{ role_path }}/tasks/init.yml"
+ tags:
+ - always
+
+- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
+ when: "run_setup|bool and matrix_ma1sd_enabled|bool"
+ tags:
+ - setup-all
+ - setup-ma1sd
+
+- import_tasks: "{{ role_path }}/tasks/setup_ma1sd.yml"
+ tags:
+ - setup-all
+ - setup-ma1sd
+
+- import_tasks: "{{ role_path }}/tasks/self_check_ma1sd.yml"
+ delegate_to: 127.0.0.1
+ become: false
+ when: "run_self_check|bool and matrix_ma1sd_enabled|bool"
+ tags:
+ - self-check
diff --git a/roles/matrix-ma1sd/tasks/self_check_ma1sd.yml b/roles/matrix-ma1sd/tasks/self_check_ma1sd.yml
new file mode 100644
index 00000000..2e081263
--- /dev/null
+++ b/roles/matrix-ma1sd/tasks/self_check_ma1sd.yml
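Review bot: The rewritten `msg:` line in init.yml carries the typo `usa` over from the mxisd version. Since that line is being changed anyway, it can read `msg: "To self build ma1sd image, you should use ansible 2.8 or higher. E.g. pip contains such packages."`.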
@@ -0,0 +1,21 @@
+---
+
+- set_fact:
+ ma1sd_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/identity/api/v1"
+
+- name: Check ma1sd Identity Service
+ uri:
+ url: "{{ ma1sd_url_endpoint_public }}"
+ follow_redirects: none
+ validate_certs: "{{ matrix_ma1sd_self_check_validate_certificates }}"
+ register: result_ma1sd
+ ignore_errors: true
+
+- name: Fail if ma1sd Identity Service not working
+ fail:
+ msg: "Failed checking ma1sd is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ ma1sd_url_endpoint_public }}`). Is ma1sd running? Is port 443 open in your firewall? Full error: {{ result_ma1sd }}"
+ when: "result_ma1sd.failed or 'json' not in result_ma1sd"
+
+- name: Report working ma1sd Identity Service
+ debug:
+ msg: "ma1sd at `{{ matrix_server_fqn_matrix }}` is working (checked endpoint: `{{ ma1sd_url_endpoint_public }}`)"
diff --git a/roles/matrix-ma1sd/tasks/setup_ma1sd.yml b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml
new file mode 100644
index 00000000..483d7f9c
--- /dev/null
+++ b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml
@@ -0,0 +1,137 @@
+---
+
+#
+# Tasks related to setting up ma1sd
+#
+
+- name: Ensure ma1sd paths exist
+ file:
+ path: "{{ item.path }}"
+ state: directory
+ mode: 0750
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_username }}"
+ with_items:
+ - { path: "{{ matrix_ma1sd_config_path }}", when: true }
+ - { path: "{{ matrix_ma1sd_data_path }}", when: true }
+ - { path: "{{ matrix_ma1sd_docker_src_files_path }}", when: "{{ matrix_ma1sd_container_image_self_build }}"}
+ when: matrix_ma1sd_enabled|bool and item.when
+
+- name: Ensure ma1sd image is pulled
+ docker_image:
+ name: "{{ matrix_ma1sd_docker_image }}"
+ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+ force_source: "{{ matrix_ma1sd_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+ force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ma1sd_docker_image_force_pull }}"
+ when: matrix_ma1sd_enabled|bool and not matrix_ma1sd_container_image_self_build
+
+- block:
+ - name: Ensure gradle is installed for self-building (Debian)
+ apt:
+ name:
+ - gradle
+ state: present
+ update_cache: yes
+ when: (ansible_os_family == 'Debian')
+
+ - name: Ensure gradle is installed for self-building (CentOS)
+ fail:
+ msg: "Installing gradle on CentOS is currently not supported, so self-building ma1sd cannot happen at this time"
+ when: ansible_distribution == 'CentOS'
+
+ - name: Ensure gradle is installed for self-building (Archlinux)
+ pacman:
+ name:
+ - gradle
+ state: latest
+ update_cache: yes
+ when: ansible_distribution == 'Archlinux'
+
+ - name: Ensure ma1sd repository is present on self-build
+ git:
+ repo: https://github.com/ma1uta/ma1sd.git
+ dest: "{{ matrix_ma1sd_docker_src_files_path }}"
+ version: "v{{ matrix_ma1sd_docker_image.split(':')[1] }}"
+ force: "yes"
+
+ - name: Ensure ma1sd Docker image is built
+ shell: "./gradlew dockerBuild"
+ args:
+ chdir: "{{ 
matrix_ma1sd_docker_src_files_path }}"
+ when: "matrix_ma1sd_enabled|bool and matrix_ma1sd_container_image_self_build"
+
+- name: Ensure ma1sd config installed
+ copy:
+ content: "{{ matrix_ma1sd_configuration|to_nice_yaml }}"
+ dest: "{{ matrix_ma1sd_config_path }}/ma1sd.yaml"
+ mode: 0644
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_username }}"
+ when: matrix_ma1sd_enabled|bool
+
+- name: Ensure custom templates are installed if any
+ copy:
+ content: "{{ item.value }}"
+ dest: "{{ matrix_ma1sd_data_path }}/{{ item.location }}"
+ mode: 0644
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_username }}"
+ with_items:
+ - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'}
+ - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'}
+ - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template }}", location: 'unbind-fraudulent.eml'}
+ - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'}
+ when: "matrix_ma1sd_enabled|bool and matrix_ma1sd_threepid_medium_email_custom_templates_enabled|bool and item.value"
+
+- name: Ensure matrix-ma1sd.service installed
+ template:
+ src: "{{ role_path }}/templates/systemd/matrix-ma1sd.service.j2"
+ dest: "{{ matrix_systemd_path }}/matrix-ma1sd.service"
+ mode: 0644
+ register: matrix_ma1sd_systemd_service_result
+ when: matrix_ma1sd_enabled|bool
+
+- name: Ensure systemd reloaded after matrix-ma1sd.service installation
+ service:
+ daemon_reload: yes
+ when: "matrix_ma1sd_enabled|bool and matrix_ma1sd_systemd_service_result.changed"
+
+#
+# Tasks related to getting rid of ma1sd (if it was previously enabled)
+#
+
+- name: Check existence of matrix-ma1sd service
+ stat:
+ path: "{{ matrix_systemd_path }}/matrix-ma1sd.service"
+ register: matrix_ma1sd_service_stat
+
+- name: Ensure matrix-ma1sd is stopped
+ service:
+ name: matrix-ma1sd
+ state: stopped
+ daemon_reload: yes
+ register: stopping_result
+ when: "not matrix_ma1sd_enabled|bool and matrix_ma1sd_service_stat.stat.exists"
+
+- name: Ensure matrix-ma1sd.service doesn't exist
+ file:
+ path: "{{ matrix_systemd_path }}/matrix-ma1sd.service"
+ state: absent
+ when: "not matrix_ma1sd_enabled|bool and matrix_ma1sd_service_stat.stat.exists"
+
+- name: Ensure systemd reloaded after matrix-ma1sd.service removal
+ service:
+ daemon_reload: yes
+ when: "not matrix_ma1sd_enabled|bool and matrix_ma1sd_service_stat.stat.exists"
+
+- name: Ensure Matrix ma1sd paths don't exist
+ file:
+ path: "{{ matrix_ma1sd_base_path }}"
+ state: absent
+ when: "not matrix_ma1sd_enabled|bool"
+
+- name: Ensure ma1sd Docker image doesn't exist
+ docker_image:
+ name: "{{ matrix_ma1sd_docker_image }}"
+ state: absent
+ when: "not matrix_ma1sd_enabled|bool"
diff --git a/roles/matrix-ma1sd/tasks/validate_config.yml b/roles/matrix-ma1sd/tasks/validate_config.yml
new file mode 100644
index 00000000..07a17006
--- /dev/null
+++ b/roles/matrix-ma1sd/tasks/validate_config.yml
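Review bot: `ma1sd.yaml` is installed with `mode: 0644` although the rendered `matrix_ma1sd_configuration` carries the SMTP password, and the extension example in the new defaults shows an LDAP `bindPassword` landing in the same file; the parent directory's `0750` keeps other local accounts out today, but the file does not need to be world-readable, and `mode: "0640"` (owner and group are already the matrix user, which the container also runs as) removes the reliance on the directory bits. The quoted form also avoids depending on the YAML 1.1 octal reading that the bare `0644`/`0750` values use now. In the self-build block, the git checkout pins only a tag (`version: "v{{ matrix_ma1sd_docker_image.split(':')[1] }}"`), which upstream can move; if self-building is meant as a trust boundary, a commit hash kept in a variable next to the image tag would be the firmer pin. The custom-template copies just below use the same `0644`, though those files hold no secrets.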
@@ -0,0 +1,57 @@
+---
+
+- name: (Deprecation) Warn about ma1sd variables that are not used anymore
+ fail:
+ msg: >
+ The `{{ item }}` variable defined in your configuration is not used by this playbook anymore!
+ You'll need to adapt to the new way of extending ma1sd configuration.
+ See the CHANGELOG and the `matrix_ma1sd_configuration_extension_yaml` variable for more information and examples.
+ when: "item in vars"
+ with_items:
+ - 'matrix_ma1sd_ldap_enabled'
+ - 'matrix_ma1sd_ldap_connection_host'
+ - 'matrix_ma1sd_ldap_connection_tls'
+ - 'matrix_ma1sd_ldap_connection_port'
+ - 'matrix_ma1sd_ldap_connection_baseDn'
+ - 'matrix_ma1sd_ldap_connection_baseDns'
+ - 'matrix_ma1sd_ldap_connection_bindDn'
+ - 'matrix_ma1sd_ldap_connection_bindPassword'
+ - 'matrix_ma1sd_ldap_filter'
+ - 'matrix_ma1sd_ldap_attribute_uid_type'
+ - 'matrix_ma1sd_ldap_attribute_uid_value'
+ - 'matrix_ma1sd_ldap_connection_bindPassword'
+ - 'matrix_ma1sd_ldap_attribute_name'
+ - 'matrix_ma1sd_ldap_attribute_threepid_email'
+ - 'matrix_ma1sd_ldap_attribute_threepid_msisdn'
+ - 'matrix_ma1sd_ldap_identity_filter'
+ - 'matrix_ma1sd_ldap_identity_medium'
+ - 'matrix_ma1sd_ldap_auth_filter'
+ - 'matrix_ma1sd_ldap_directory_filter'
+ - 'matrix_ma1sd_template_config'
+
+- name: Ensure ma1sd configuration does not contain any dot-notation keys
+ fail:
+ msg: >
+ Since version 1.3.0, ma1sd will not accept property-style configuration keys.
+ You have defined a key (`{{ item.key }}`) which contains a dot.
+ Instead, use nesting. See: https://github.com/kamax-matrix/mxisd/wiki/Upgrade-Notes#v130
+ when: "'.' in item.key"
+ with_dict: "{{ matrix_ma1sd_configuration }}"
+
+- name: Fail if required ma1sd settings not defined
+ fail:
+ msg: >
+ You need to define a required configuration setting (`{{ item }}`) for using ma1sd.
+ when: "vars[item] == ''"
+ with_items:
+ - "matrix_ma1sd_threepid_medium_email_connectors_smtp_host"
+
+
+- name: (Deprecation) Catch and report renamed ma1sd variables
+ fail:
+ msg: >-
+ Your configuration contains a variable, which now has a different name.
+ Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
+ when: "item.old in vars"
+ with_items:
+ - {'old': 'matrix_ma1sd_container_expose_port', 'new': ''}
diff --git a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2
new file mode 100644
index 00000000..b316fc2b
--- /dev/null
+++ b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2
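Review bot: The renamed-variables check at the end of this file only knows `matrix_ma1sd_container_expose_port`, so an inventory that still carries the old `matrix_mxisd_*` names from the deleted role is not caught; those values are silently ignored and the new defaults (`matrix_ma1sd_enabled: true` among them) take effect instead, unless a check elsewhere in the playbook covers the rename. Nearly every variable in the deleted `roles/matrix-mxisd/defaults/main.yml` has a one-to-one `matrix_ma1sd_` counterpart, so one entry per variable in that last `with_items` would report it, e.g. `- {'old': 'matrix_mxisd_enabled', 'new': 'matrix_ma1sd_enabled'}`. Two smaller issues in the same file: `'matrix_ma1sd_ldap_connection_bindPassword'` appears twice in the first task's list, and the one existing rename entry has `'new': ''`, so its message tells the user to rename the variable to an empty name; `matrix_ma1sd_container_http_host_bind_port` looks like the intended target, or the entry belongs in the not-used-anymore list of the first task.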
@@ -0,0 +1,46 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix ma1sd Identity server
+{% for service in matrix_ma1sd_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_ma1sd_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+
+[Service]
+Type=simple
+ExecStartPre=-/usr/bin/docker kill matrix-ma1sd
+ExecStartPre=-/usr/bin/docker rm matrix-ma1sd
+
+# ma1sd writes an SQLite shared library (libsqlitejdbc.so) to /tmp and executes it from there,
+# so /tmp needs to be mounted with an exec option.
+ExecStart=/usr/bin/docker run --rm --name matrix-ma1sd \
+ --log-driver=none \
+ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+ --cap-drop=ALL \
+ --read-only \
+ --tmpfs=/tmp:rw,exec,nosuid,size=10m \
+ --network={{ matrix_docker_network }} \
+ {% if matrix_ma1sd_container_http_host_bind_port %}
+ -p {{ matrix_ma1sd_container_http_host_bind_port }}:8090 \
+ {% endif %}
+ {% if matrix_ma1sd_verbose_logging %}
+ -e MA1SD_LOG_LEVEL=debug \
+ {% endif %}
+ -v {{ matrix_ma1sd_config_path }}:/etc/ma1sd:ro \
+ -v {{ matrix_ma1sd_data_path }}:/var/ma1sd:rw \
+ {% for arg in matrix_ma1sd_container_extra_arguments %}
+ {{ arg }} \
+ {% endfor %}
+ {{ matrix_ma1sd_docker_image }}
+
+ExecStop=-/usr/bin/docker kill matrix-ma1sd
+ExecStop=-/usr/bin/docker rm matrix-ma1sd
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-ma1sd
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/matrix-ma1sd/vars/main.yml b/roles/matrix-ma1sd/vars/main.yml
new file mode 100644
index 00000000..dfaf58bd
--- /dev/null
+++ b/roles/matrix-ma1sd/vars/main.yml
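Review bot: The `docker run` hardening in `ExecStart` drops all capabilities and mounts `/tmp` with `nosuid`, but it does not set `--security-opt=no-new-privileges`, so, as far as the flags shown here go, a setuid binary inside the image could still change uid when executed by the service. Adding `--security-opt=no-new-privileges \` right after `--cap-drop=ALL \` closes that path, and the `exec` option on the tmpfs that the comment explains is unaffected by it. Adding `nodev` to the `--tmpfs` option string is a similarly free tightening for a scratch mount.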
@@ -0,0 +1,5 @@
+---
+
+# Doing `|from_yaml` when the extension contains nothing yields an empty string ("").
+# We need to ensure it's a dictionary or `|combine` (when building `matrix_ma1sd_configuration`) will fail later.
+matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml|from_yaml if matrix_ma1sd_configuration_extension_yaml|from_yaml else {} }}"
\ No newline at end of file
diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml
deleted file mode 100644
index 605f4028..00000000
--- a/roles/matrix-mxisd/defaults/main.yml
+++ /dev/null
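Review bot: `matrix_ma1sd_configuration_extension` is defined a second time here, and because role `vars/` take precedence over `defaults/`, this is the definition that applies, shadowing the `is mapping` version in the new `defaults/main.yml`. Its guard only tests truthiness, so an extension that parses to a non-empty scalar or list is handed straight to `combine` in `matrix_ma1sd_configuration`, which is exactly what the comment says must not happen and what the defaults' version prevents; either drop this file or change the condition to `if matrix_ma1sd_configuration_extension_yaml|from_yaml is mapping else {}` so the two agree. The file is also missing its trailing newline (`\ No newline at end of file`).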
@@ -1,178 +0,0 @@ -# mxisd is a Federated Matrix Identity Server -# See: https://github.com/kamax-matrix/mxisd - -matrix_mxisd_enabled: true - -matrix_mxisd_container_image_self_build: false - -matrix_mxisd_docker_image: "kamax/mxisd:1.4.6" -matrix_mxisd_docker_image_force_pull: "{{ matrix_mxisd_docker_image.endswith(':latest') }}" - -matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd" -matrix_mxisd_docker_src_files_path: "{{ matrix_mxisd_base_path }}/docker-src" -matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config" -matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data" - -# Controls whether the matrix-mxisd container exposes its HTTP port (tcp/8090 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:8090"), or empty string to not expose. -matrix_mxisd_container_http_host_bind_port: '' - -# A list of extra arguments to pass to the container -matrix_mxisd_container_extra_arguments: [] - -# List of systemd services that matrix-mxisd.service depends on -matrix_mxisd_systemd_required_services_list: ['docker.service'] - -# List of systemd services that matrix-mxisd.service wants -matrix_mxisd_systemd_wanted_services_list: [] - -# Your identity server is private by default. -# To ensure maximum discovery, you can make your identity server -# also forward lookups to the central matrix.org Identity server -# (at the cost of potentially leaking all your contacts information). -# Enabling this is discouraged. Learn more here: https://github.com/kamax-io/mxisd/blob/master/docs/features/identity.md#lookups -matrix_mxisd_matrixorg_forwarding_enabled: false - -# mxisd has serveral supported identity stores. -# One of them is storing identities directly in Synapse's database. 
-# Learn more here: https://github.com/kamax-matrix/mxisd/blob/master/docs/stores/synapse.md -matrix_mxisd_synapsesql_enabled: false -matrix_mxisd_synapsesql_type: "" -matrix_mxisd_synapsesql_connection: "" - -# Setting up email-sending settings is required for using mxisd. -matrix_mxisd_threepid_medium_email_identity_from: "matrix@{{ matrix_domain }}" -matrix_mxisd_threepid_medium_email_connectors_smtp_host: "" -matrix_mxisd_threepid_medium_email_connectors_smtp_port: 587 -matrix_mxisd_threepid_medium_email_connectors_smtp_tls: 1 -matrix_mxisd_threepid_medium_email_connectors_smtp_login: "" -matrix_mxisd_threepid_medium_email_connectors_smtp_password: "" - -# DNS overwrites are useful for telling mxisd how it can reach the homeserver directly. -# Useful when reverse-proxying certain URLs (e.g. `/_matrix/client/r0/user_directory/search`) to mxisd, -# so that mxisd can rewrite the original URL to one that would reach the homeserver. -matrix_mxisd_dns_overwrite_enabled: false -matrix_mxisd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" -matrix_mxisd_dns_overwrite_homeserver_client_value: "http://matrix-synapse:8008" - -# Override the default email templates -# To use this, fill in the template variables with the full desired template as a multi-line YAML variable -# -# More info: -# https://github.com/kamax-matrix/mxisd/blob/master/docs/threepids/notification/template-generator.md -# https://github.com/kamax-matrix/mxisd/tree/master/src/main/resources/threepids/email -matrix_mxisd_threepid_medium_email_custom_templates_enabled: false -matrix_mxisd_threepid_medium_email_custom_invite_template: "" -matrix_mxisd_threepid_medium_email_custom_session_validation_template: "" -matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template: "" -matrix_mxisd_threepid_medium_email_custom_matrixid_template: "" - -# Controls whether the self-check feature should validate SSL certificates. 
-matrix_mxisd_self_check_validate_certificates: true - -# Controls mxisd logging verbosity for troubleshooting. -# -# According to: https://github.com/kamax-matrix/mxisd/blob/master/docs/troubleshooting.md#increase-verbosity -matrix_mxisd_verbose_logging: false - -# Default mxisd configuration template which covers the generic use case. -# You can customize it by controlling the various variables inside it. -# -# For a more advanced customization, you can extend the default (see `matrix_mxisd_configuration_extension_yaml`) -# or completely replace this variable with your own template. -matrix_mxisd_configuration_yaml: | - #jinja2: lstrip_blocks: True - matrix: - domain: {{ matrix_domain }} - - server: - name: {{ matrix_server_fqn_matrix }} - - key: - path: /var/mxisd/sign.key - - storage: - provider: - sqlite: - database: /var/mxisd/mxisd.db - - {% if matrix_mxisd_dns_overwrite_enabled %} - dns: - overwrite: - homeserver: - client: - - name: {{ matrix_mxisd_dns_overwrite_homeserver_client_name }} - value: {{ matrix_mxisd_dns_overwrite_homeserver_client_value }} - {% endif %} - - {% if matrix_mxisd_matrixorg_forwarding_enabled %} - forward: - servers: ['matrix-org'] - {% endif %} - - threepid: - medium: - email: - identity: - from: {{ matrix_mxisd_threepid_medium_email_identity_from }} - connectors: - smtp: - host: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_host }} - port: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_port }} - tls: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_tls }} - login: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_login }} - password: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_password }} - {% if matrix_mxisd_threepid_medium_email_custom_templates_enabled %} - generators: - template: - {% if matrix_mxisd_threepid_medium_email_custom_invite_template %} - invite: '/var/mxisd/invite-template.eml' - {% endif %} - {% if matrix_mxisd_threepid_medium_email_custom_session_validation_template or 
matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template %} - session: - {% if matrix_mxisd_threepid_medium_email_custom_session_validation_template %} - validation: '/var/mxisd/validate-template.eml' - {% endif %} - {% if matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template %} - unbind: - frandulent: '/var/mxisd/unbind-fraudulent.eml' - {% endif %} - {% endif %} - {% if matrix_mxisd_threepid_medium_email_custom_matrixid_template %} - generic: - matrixId: '/var/mxisd/mxid-template.eml' - {% endif %} - {% endif %} - - synapseSql: - enabled: {{ matrix_mxisd_synapsesql_enabled }} - type: {{ matrix_mxisd_synapsesql_type }} - connection: {{ matrix_mxisd_synapsesql_connection }} - -matrix_mxisd_configuration_extension_yaml: | - # Your custom YAML configuration for mxisd goes here. - # This configuration extends the default starting configuration (`matrix_mxisd_configuration_yaml`). - # - # You can override individual variables from the default configuration, or introduce new ones. - # - # If you need something more special, you can take full control by - # completely redefining `matrix_mxisd_configuration_yaml`. - # - # Example configuration extension follows: - # - # ldap: - # enabled: true - # connection: - # host: ldapHostnameOrIp - # tls: false - # port: 389 - # baseDNs: ['OU=Users,DC=example,DC=org'] - # bindDn: CN=My Mxisd User,OU=Users,DC=example,DC=org - # bindPassword: TheUserPassword - -matrix_mxisd_configuration_extension: "{{ matrix_mxisd_configuration_extension_yaml|from_yaml if matrix_mxisd_configuration_extension_yaml|from_yaml is mapping else {} }}" - -# Holds the final mxisd configuration (a combination of the default and its extension). -# You most likely don't need to touch this variable. Instead, see `matrix_mxisd_configuration_yaml`. -matrix_mxisd_configuration: "{{ matrix_mxisd_configuration_yaml|from_yaml|combine(matrix_mxisd_configuration_extension, recursive=True) }}" 
diff --git a/roles/matrix-mxisd/tasks/main.yml b/roles/matrix-mxisd/tasks/main.yml deleted file mode 100644 index 31970db4..00000000 --- a/roles/matrix-mxisd/tasks/main.yml +++ /dev/null @@ -1,21 +0,0 @@ -- import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup|bool and matrix_mxisd_enabled|bool" - tags: - - setup-all - - setup-mxisd - -- import_tasks: "{{ role_path }}/tasks/setup_mxisd.yml" - tags: - - setup-all - - setup-mxisd - -- import_tasks: "{{ role_path }}/tasks/self_check_mxisd.yml" - delegate_to: 127.0.0.1 - become: false - when: "run_self_check|bool and matrix_mxisd_enabled|bool" - tags: - - self-check diff --git a/roles/matrix-mxisd/tasks/self_check_mxisd.yml b/roles/matrix-mxisd/tasks/self_check_mxisd.yml deleted file mode 100644 index 137907bb..00000000 --- a/roles/matrix-mxisd/tasks/self_check_mxisd.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- - -- set_fact: - mxisd_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/identity/api/v1" - -- name: Check mxisd Identity Service - uri: - url: "{{ mxisd_url_endpoint_public }}" - follow_redirects: none - validate_certs: "{{ matrix_mxisd_self_check_validate_certificates }}" - register: result_mxisd - ignore_errors: true - -- name: Fail if mxisd Identity Service not working - fail: - msg: "Failed checking mxisd is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ mxisd_url_endpoint_public }}`). Is mxisd running? Is port 443 open in your firewall? Full error: {{ result_mxisd }}" - when: "result_mxisd.failed or 'json' not in result_mxisd" - -- name: Report working mxisd Identity Service - debug: - msg: "mxisd at `{{ matrix_server_fqn_matrix }}` is working (checked endpoint: `{{ mxisd_url_endpoint_public }}`)" diff --git a/roles/matrix-mxisd/tasks/setup_mxisd.yml b/roles/matrix-mxisd/tasks/setup_mxisd.yml deleted file mode 100644 index 0ad36301..00000000 
--- a/roles/matrix-mxisd/tasks/setup_mxisd.yml +++ /dev/null 
@@ -1,137 +0,0 @@
----
-
-#
-# Tasks related to setting up mxisd
-#
-
-- name: Ensure mxisd paths exist
- file:
- path: "{{ item.path }}"
- state: directory
- mode: 0750
- owner: "{{ matrix_user_username }}"
- group: "{{ matrix_user_username }}"
- with_items:
- - { path: "{{ matrix_mxisd_config_path }}", when: true }
- - { path: "{{ matrix_mxisd_data_path }}", when: true }
- - { path: "{{ matrix_mxisd_docker_src_files_path }}", when: "{{ matrix_mxisd_container_image_self_build }}"}
- when: matrix_mxisd_enabled|bool and item.when
-
-- name: Ensure mxisd image is pulled
- docker_image:
- name: "{{ matrix_mxisd_docker_image }}"
- source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
- force_source: "{{ matrix_mxisd_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
- force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mxisd_docker_image_force_pull }}"
- when: matrix_mxisd_enabled|bool and not matrix_mxisd_container_image_self_build
-
-- block:
- - name: Ensure gradle is installed for self-building (Debian)
- apt:
- name:
- - gradle
- state: present
- update_cache: yes
- when: (ansible_os_family == 'Debian')
-
- - name: Ensure gradle is installed for self-building (CentOS)
- fail:
- msg: "Installing gradle on CentOS is currently not supported, so self-building mxisd cannot happen at this time"
- when: ansible_distribution == 'CentOS'
-
- - name: Ensure gradle is installed for self-building (Archlinux)
- pacman:
- name:
- - gradle
- state: latest
- update_cache: yes
- when: ansible_distribution == 'Archlinux'
-
- - name: Ensure mxisd repository is present on self-build
- git:
- repo: https://github.com/kamax-matrix/mxisd.git
- dest: "{{ matrix_mxisd_docker_src_files_path }}"
- version: "v{{ matrix_mxisd_docker_image.split(':')[1] }}"
- force: "yes"
-
- - name: Ensure mxisd Docker image is built
- shell: "./gradlew dockerBuild"
- args:
- chdir: "{{ matrix_mxisd_docker_src_files_path }}"
- when: "matrix_mxisd_enabled|bool and matrix_mxisd_container_image_self_build"
-
-- name: Ensure mxisd config installed
- copy:
- content: "{{ matrix_mxisd_configuration|to_nice_yaml }}"
- dest: "{{ matrix_mxisd_config_path }}/mxisd.yaml"
- mode: 0644
- owner: "{{ matrix_user_username }}"
- group: "{{ matrix_user_username }}"
- when: matrix_mxisd_enabled|bool
-
-- name: Ensure custom templates are installed if any
- copy:
- content: "{{ item.value }}"
- dest: "{{ matrix_mxisd_data_path }}/{{ item.location }}"
- mode: 0644
- owner: "{{ matrix_user_username }}"
- group: "{{ matrix_user_username }}"
- with_items:
- - {value: "{{ matrix_mxisd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'}
- - {value: "{{ matrix_mxisd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'}
- - {value: "{{ matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template }}", location: 'unbind-fraudulent.eml'}
- - {value: "{{ matrix_mxisd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'}
- when: "matrix_mxisd_enabled|bool and matrix_mxisd_threepid_medium_email_custom_templates_enabled|bool and item.value"
-
-- name: Ensure matrix-mxisd.service installed
- template:
- src: "{{ role_path }}/templates/systemd/matrix-mxisd.service.j2"
- dest: "{{ matrix_systemd_path }}/matrix-mxisd.service"
- mode: 0644
- register: matrix_mxisd_systemd_service_result
- when: matrix_mxisd_enabled|bool
-
-- name: Ensure systemd reloaded after matrix-mxisd.service installation
- service:
- daemon_reload: yes
- when: "matrix_mxisd_enabled|bool and matrix_mxisd_systemd_service_result.changed"
-
-#
-# Tasks related to getting rid of mxisd (if it was previously enabled)
-#
-
-- name: Check existence of matrix-mxisd service
- stat:
- path: "{{ matrix_systemd_path }}/matrix-mxisd.service"
- register: matrix_mxisd_service_stat
-
-- name: Ensure matrix-mxisd is stopped
- service:
- name: matrix-mxisd
- state: stopped
- daemon_reload: yes
- register: stopping_result
- when: "not matrix_mxisd_enabled|bool and matrix_mxisd_service_stat.stat.exists"
-
-- name: Ensure matrix-mxisd.service doesn't exist
- file:
- path: "{{ matrix_systemd_path }}/matrix-mxisd.service"
- state: absent
- when: "not matrix_mxisd_enabled|bool and matrix_mxisd_service_stat.stat.exists"
-
-- name: Ensure systemd reloaded after matrix-mxisd.service removal
- service:
- daemon_reload: yes
- when: "not matrix_mxisd_enabled|bool and matrix_mxisd_service_stat.stat.exists"
-
-- name: Ensure Matrix mxisd paths don't exist
- file:
- path: "{{ matrix_mxisd_base_path }}"
- state: absent
- when: "not matrix_mxisd_enabled|bool"
-
-- name: Ensure mxisd Docker image doesn't exist
- docker_image:
- name: "{{ matrix_mxisd_docker_image }}"
- state: absent
- when: "not matrix_mxisd_enabled|bool"
diff --git a/roles/matrix-mxisd/tasks/validate_config.yml b/roles/matrix-mxisd/tasks/validate_config.yml
deleted file mode 100644
index 200a43a3..00000000
--- a/roles/matrix-mxisd/tasks/validate_config.yml
+++ /dev/null
@@ -1,57 +0,0 @@
----
-
-- name: (Deprecation) Warn about mxisd variables that are not used anymore
- fail:
- msg: >
- The `{{ item }}` variable defined in your configuration is not used by this playbook anymore!
- You'll need to adapt to the new way of extending mxisd configuration.
- See the CHANGELOG and the `matrix_mxisd_configuration_extension_yaml` variable for more information and examples.
- when: "item in vars"
- with_items:
- - 'matrix_mxisd_ldap_enabled'
- - 'matrix_mxisd_ldap_connection_host'
- - 'matrix_mxisd_ldap_connection_tls'
- - 'matrix_mxisd_ldap_connection_port'
- - 'matrix_mxisd_ldap_connection_baseDn'
- - 'matrix_mxisd_ldap_connection_baseDns'
- - 'matrix_mxisd_ldap_connection_bindDn'
- - 'matrix_mxisd_ldap_connection_bindPassword'
- - 'matrix_mxisd_ldap_filter'
- - 'matrix_mxisd_ldap_attribute_uid_type'
- - 'matrix_mxisd_ldap_attribute_uid_value'
- - 'matrix_mxisd_ldap_connection_bindPassword'
- - 'matrix_mxisd_ldap_attribute_name'
- - 'matrix_mxisd_ldap_attribute_threepid_email'
- - 'matrix_mxisd_ldap_attribute_threepid_msisdn'
- - 'matrix_mxisd_ldap_identity_filter'
- - 'matrix_mxisd_ldap_identity_medium'
- - 'matrix_mxisd_ldap_auth_filter'
- - 'matrix_mxisd_ldap_directory_filter'
- - 'matrix_mxisd_template_config'
-
-- name: Ensure mxisd configuration does not contain any dot-notation keys
- fail:
- msg: >
- Since version 1.3.0, mxisd will not accept property-style configuration keys.
- You have defined a key (`{{ item.key }}`) which contains a dot.
- Instead, use nesting. See: https://github.com/kamax-matrix/mxisd/wiki/Upgrade#v130
- when: "'.' in item.key"
- with_dict: "{{ matrix_mxisd_configuration }}"
-
-- name: Fail if required mxisd settings not defined
- fail:
- msg: >
- You need to define a required configuration setting (`{{ item }}`) for using mxisd.
- when: "vars[item] == ''"
- with_items:
- - "matrix_mxisd_threepid_medium_email_connectors_smtp_host"
-
-
-- name: (Deprecation) Catch and report renamed mxisd variables
- fail:
- msg: >-
- Your configuration contains a variable, which now has a different name.
- Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
- when: "item.old in vars"
- with_items:
- - {'old': 'matrix_mxisd_container_expose_port', 'new': ''}
diff --git a/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 b/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2
deleted file mode 100644
index d60740f5..00000000
--- a/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2
+++ /dev/null
@@ -1,46 +0,0 @@
-#jinja2: lstrip_blocks: "True"
-[Unit]
-Description=Matrix mxisd Identity server
-{% for service in matrix_mxisd_systemd_required_services_list %}
-Requires={{ service }}
-After={{ service }}
-{% endfor %}
-{% for service in matrix_mxisd_systemd_wanted_services_list %}
-Wants={{ service }}
-{% endfor %}
-
-[Service]
-Type=simple
-ExecStartPre=-/usr/bin/docker kill matrix-mxisd
-ExecStartPre=-/usr/bin/docker rm matrix-mxisd
-
-# mxisd writes an SQLite shared library (libsqlitejdbc.so) to /tmp and executes it from there,
-# so /tmp needs to be mounted with an exec option.
-ExecStart=/usr/bin/docker run --rm --name matrix-mxisd \
- --log-driver=none \
- --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
- --cap-drop=ALL \
- --read-only \
- --tmpfs=/tmp:rw,exec,nosuid,size=10m \
- --network={{ matrix_docker_network }} \
- {% if matrix_mxisd_container_http_host_bind_port %}
- -p {{ matrix_mxisd_container_http_host_bind_port }}:8090 \
- {% endif %}
- {% if matrix_mxisd_verbose_logging %}
- -e MXISD_LOG_LEVEL=debug \
- {% endif %}
- -v {{ matrix_mxisd_config_path }}:/etc/mxisd:ro \
- -v {{ matrix_mxisd_data_path }}:/var/mxisd:rw \
- {% for arg in matrix_mxisd_container_extra_arguments %}
- {{ arg }} \
- {% endfor %}
- {{ matrix_mxisd_docker_image }}
-
-ExecStop=-/usr/bin/docker kill matrix-mxisd
-ExecStop=-/usr/bin/docker rm matrix-mxisd
-Restart=always
-RestartSec=30
-SyslogIdentifier=matrix-mxisd
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/matrix-mxisd/vars/main.yml b/roles/matrix-mxisd/vars/main.yml
deleted file mode 100644
index f5fbf9ad..00000000
--- a/roles/matrix-mxisd/vars/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-
-# Doing `|from_yaml` when the extension contains nothing yields an empty string ("").
-# We need to ensure it's a dictionary or `|combine` (when building `matrix_mxisd_configuration`) will fail later.
-matrix_mxisd_configuration_extension: "{{ matrix_mxisd_configuration_extension_yaml|from_yaml if matrix_mxisd_configuration_extension_yaml|from_yaml else {} }}"
\ No newline at end of file