This extends the collection with support for seamless authentication at the Jitsi server using Matrix OpenID.

1. New role for installing the [Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service)
2. Changes to Jitsi role: Installing Jitsi Prosody Mods and configuring Jitsi Auth
3. Changes to Jitsi and nginx-proxy roles: Serving .well-known/element/jitsi from jitsi.DOMAIN
4. We updated the Jitsi documentation on authentication and added documentation for the user verification service.

housekeeping^2
parent
f400093865
commit
42e4e50f5b
@ -0,0 +1,116 @@
|
|||||||
|
# Setting up Matrix User Verification Service (optional)
|
||||||
|
|
||||||
|
**[Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service) (hereafter: UVS) can only be installed after Matrix services are installed and running.**
|
||||||
|
If you're just installing Matrix services for the first time, please continue with the [Configuration](configuring-playbook.md) / [Installation](installing.md) flow and come back here later.
|
||||||
|
|
||||||
|
Currently, the main purpose of this role is to allow Jitsi to authenticate matrix users and check if they are authorized to join a conference. Please refer to the documentation of the [Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service) to understand how it works.
|
||||||
|
|
||||||
|
**Note**: enabling Matrix User Verification Service, means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled.
|
||||||
|
|
||||||
|
If the Jitsi server is also configured by this collection, all plugging of variables and secrets is handled in `group_vars/matrix_servers`.
|
||||||
|
|
||||||
|
__Some general concepts of UVS may be helpful to understand the rest, so here they are:__
|
||||||
|
|
||||||
|
UVS can be used to verify two claims:
|
||||||
|
|
||||||
|
* (A) Whether a given OpenID token is valid for a given server and
|
||||||
|
* (B) whether a user is member of a given room and the corresponding PowerLevel
|
||||||
|
|
||||||
|
Verifying an OpenID token id done by finding the corresponding Homeserver via '.well-known/matrix/server' for the given domain.
|
||||||
|
The configured `matrix_user_verification_service_uvs_homeserver_url` does **not** factor into this.
|
||||||
|
By default, this collection only checks against `matrix_server_fqn_matrix`.
|
||||||
|
Therefore, the request will be made against the public openid API for `matrix_server_fqn_matrix`.
|
||||||
|
|
||||||
|
Verifying RoomMembership and PowerLevel is done against `matrix_user_verification_service_uvs_homeserver_url` which is by default done via the docker network.
|
||||||
|
UVS will verify the validity of the token beforehand though.
|
||||||
|
|
||||||
|
## Prerequisites
|
||||||
|
|
||||||
|
In order to use UVS, an admin token for the configured homeserver must be supplied. For now this means configuring Synapse and creating the token before installing UVS.
|
||||||
|
|
||||||
|
## Enable
|
||||||
|
|
||||||
|
[Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service) installation is disabled by default unless required by Jitsi (see group_vars/matrix_servers).
|
||||||
|
You can enable it in your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
matrix_user_verification_service_enabled: true
|
||||||
|
```
|
||||||
|
|
||||||
|
## Configuration
|
||||||
|
|
||||||
|
The only required configuration variable is `matrix_user_verification_service_uvs_access_token` (see below).
|
||||||
|
|
||||||
|
For a list of all configuration options see the role defaults [`roles/matrix-user-verification-service/defaults/main.yml`](../roles/custom/matrix-user-verification-service/defaults/main.yml).
|
||||||
|
But be aware of all the plugging happening in `group_vars/matrix_servers`.
|
||||||
|
|
||||||
|
In the default configuration, the UVS Server is only reachable via the docker network, which is fine if e.g. Jitsi is also running in a container on the host.
|
||||||
|
However, it is possible to expose UVS via setting `matrix_user_verification_service_container_http_host_bind_port`. Be aware that the normally used port (3000) may collide with Grafana.
|
||||||
|
|
||||||
|
### Access token
|
||||||
|
|
||||||
|
The Synapse Access Token is used to verify RoomMembership and PowerLevel against the configured homeserver_url (which is plugged in group_vars).
|
||||||
|
|
||||||
|
We recommend that you create a dedicated Matrix user for uvs (`uvs` is a good username).
|
||||||
|
Follow our [Registering users](registering-users.md) guide to register a user with administration privileges.
|
||||||
|
|
||||||
|
You are required to specify an access token (belonging to this new user) for UVS to work.
|
||||||
|
To get an access token for the UVS user, you can follow the documentation on [how to do obtain an access token](obtaining-access-tokens.md).
|
||||||
|
|
||||||
|
**Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone.**
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
matrix_user_verification_service_uvs_access_token: "YOUR ACCESS TOKEN HERE"
|
||||||
|
```
|
||||||
|
|
||||||
|
### (Optional) Auth Token
|
||||||
|
|
||||||
|
It is possible to set an API Auth Token to restrict access to the UVS. If this is set, anyone making a request to UVS must provide it via the header "Authorization: Bearer TOKEN"
|
||||||
|
|
||||||
|
By default, the token will be derived from `matrix_homeserver_generic_secret_key` in `group_vars/matrix_servers`.
|
||||||
|
To set your own Token, simply put the following in your host_vars.
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
matrix_user_verification_service_uvs_auth_token: "TOKEN"
|
||||||
|
```
|
||||||
|
|
||||||
|
In case Jitsi is also managed by this collection and 'matrix' authentication in Jitsi is enabled, this collection will automatically configure Jitsi to use the configured auth token.
|
||||||
|
|
||||||
|
### (Optional) Federation
|
||||||
|
|
||||||
|
In theory (however currently untested), UVS can handle federation. Simply set:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
matrix_user_verification_service_uvs_openid_verify_server_name: ~
|
||||||
|
```
|
||||||
|
|
||||||
|
using host_vars to override the group_vars.
|
||||||
|
|
||||||
|
This will instruct UVS to verify the OpenID token against any domain given in a request.
|
||||||
|
Homeserver discovery is done via '.well-known/matrix/server' of the given domain.
|
||||||
|
|
||||||
|
## Installation
|
||||||
|
|
||||||
|
After these variables have been set, please run the following command to re-run setup and to restart UVS:
|
||||||
|
|
||||||
|
```
|
||||||
|
ansible-playbook -i inventory/hosts setup.yml --tags=setup-matrix-user-verification-service,start
|
||||||
|
```
|
||||||
|
|
||||||
|
## Logging
|
||||||
|
|
||||||
|
The configuration variable `UVS_LOG_LEVEL` can be set to:
|
||||||
|
- warning
|
||||||
|
- info
|
||||||
|
- debug
|
||||||
|
|
||||||
|
## TLS Certificate Checking
|
||||||
|
If the matrix Homeserver does not provide a valid TLS certificate, UVS will fail with the following error message:
|
||||||
|
|
||||||
|
> message: 'No response received: [object Object]',
|
||||||
|
|
||||||
|
This also applies to self-signed and let's encrypt staging certificates.
|
||||||
|
|
||||||
|
To disable certificate validation altogether (INSECURE! Not suitable for production use!) set: `NODE_TLS_REJECT_UNAUTHORIZED=0`
|
||||||
|
|
||||||
|
Alternatively, it is possible to inject your own CA certificates into the container by mounting a PEM file with additional trusted CAs into the container and pointing the `NODE_EXTRA_CA_CERTS` environment variable to it.
|
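Review bot: The Installation section tells users to run `--tags=setup-matrix-user-verification-service,start`, but the role's `tasks/main.yml` in this same commit tags its includes `setup-user-verification-service` and `install-user-verification-service`, so the documented command would not select this role's tasks. Please align the tag names in one place or the other. The "(Optional) Federation" section also tells users to set `matrix_user_verification_service_uvs_openid_verify_server_name: ~`, which the `.env.j2` template then pipes through `|length`; see the note on that template. Smaller points: "id done" should read "is done"; the Logging section names `UVS_LOG_LEVEL`, while the variable a user of this role sets is `matrix_user_verification_service_uvs_log_level`; and the TLS section names `NODE_TLS_REJECT_UNAUTHORIZED` and `NODE_EXTRA_CA_CERTS` without saying how to pass them to the container (the defaults offer `matrix_user_verification_service_container_extra_arguments`, which would be worth mentioning here).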
@ -0,0 +1,62 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- ansible.builtin.set_fact:
|
||||||
|
matrix_jitsi_prosody_self_check_uvs_health_url: "{{ matrix_jitsi_prosody_auth_matrix_uvs_location }}/health"
|
||||||
|
matrix_jitsi_element_jitsi_well_known_url: "{{ matrix_jitsi_web_public_url }}/.well-known/element/jitsi"
|
||||||
|
|
||||||
|
- name: Check if jitsi serves the .well-known/element/jitsi
|
||||||
|
ansible.builtin.uri:
|
||||||
|
url: "{{ matrix_jitsi_element_jitsi_well_known_url }}"
|
||||||
|
follow_redirects: none
|
||||||
|
return_content: true
|
||||||
|
validate_certs: "{{ matrix_jitsi_self_check_validate_certificates }}"
|
||||||
|
headers:
|
||||||
|
Origin: example.com
|
||||||
|
check_mode: false
|
||||||
|
register: result_well_known_jitsi_element_jitsi
|
||||||
|
ignore_errors: true
|
||||||
|
|
||||||
|
- name: Fail if .well-known not working
|
||||||
|
ansible.builtin.fail:
|
||||||
|
msg: |
|
||||||
|
Failed checking that the Jitsi well-known file for Element auth is configured at `{{ matrix_jitsi_element_jitsi_well_known_url }}`
|
||||||
|
Full error: {{ result_well_known_jitsi_element_jitsi }}
|
||||||
|
when: "result_well_known_jitsi_element_jitsi.failed"
|
||||||
|
|
||||||
|
- name: Parse JSON for well-known payload at the matrix hostname
|
||||||
|
ansible.builtin.set_fact:
|
||||||
|
well_known_matrix_payload: "{{ result_well_known_jitsi_element_jitsi.content | from_json }}"
|
||||||
|
|
||||||
|
- name: Fail if .well-known not CORS-aware
|
||||||
|
ansible.builtin.fail:
|
||||||
|
msg: "The well-known file on `{{ matrix_jitsi_element_jitsi_well_known_url }}` is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set."
|
||||||
|
when: "'access_control_allow_origin' not in result_well_known_jitsi_element_jitsi"
|
||||||
|
|
||||||
|
- name: Report working .well-known
|
||||||
|
ansible.builtin.debug:
|
||||||
|
msg: "well-known is configured correctly at `{{ matrix_jitsi_element_jitsi_well_known_url }}`"
|
||||||
|
|
||||||
|
- name: Check if we can reach the user verification service and if it's healthy
|
||||||
|
ansible.builtin.command:
|
||||||
|
argv:
|
||||||
|
- "docker"
|
||||||
|
- "exec"
|
||||||
|
- "matrix-jitsi-prosody"
|
||||||
|
- "wget"
|
||||||
|
- "-O"
|
||||||
|
- "-"
|
||||||
|
- "--quiet"
|
||||||
|
- "{{ matrix_jitsi_prosody_self_check_uvs_health_url | quote }}"
|
||||||
|
register: matrix_jitsi_prosody_self_check_uvs_result
|
||||||
|
ignore_errors: true
|
||||||
|
|
||||||
|
- name: Fail if user verification service is not (reachable and healthy)
|
||||||
|
ansible.builtin.fail:
|
||||||
|
msg: |
|
||||||
|
Failed checking user verification service is up (checked endpoint: `{{ matrix_jitsi_prosody_self_check_uvs_health_url }}`).
|
||||||
|
Full error: {{ matrix_jitsi_prosody_self_check_uvs_result }}
|
||||||
|
when: "matrix_jitsi_prosody_self_check_uvs_result.failed"
|
||||||
|
|
||||||
|
- name: Report healthy user verification service
|
||||||
|
ansible.builtin.debug:
|
||||||
|
msg: "User verification service is working (checked endpoint: `{{ matrix_jitsi_prosody_self_check_uvs_health_url }}`)"
|
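Review bot: In the health-check task the URL is passed as `"{{ matrix_jitsi_prosody_self_check_uvs_health_url | quote }}"` inside an `argv` list. `argv` elements are handed to the process without shell parsing, so `quote` is not needed and, for a URL containing characters such as `?` or `&`, it would hand wget a value wrapped in literal single quotes. Drop the filter here. Two smaller points: the "Parse JSON for well-known payload at the matrix hostname" task stores `well_known_matrix_payload`, which no later task in this file reads, and its name refers to the matrix hostname although the URL checked is the Jitsi one; and the first `set_fact` task has no `name`.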
@ -0,0 +1,17 @@
|
|||||||
|
---
|
||||||
|
#
|
||||||
|
# Tasks related to configuring Jitsi internal authentication on a running prosody instance.
|
||||||
|
#
|
||||||
|
|
||||||
|
- name: Ensure Jitsi internal authentication users are configured
|
||||||
|
ansible.builtin.shell: "{{ devture_systemd_docker_base_host_command_docker }} exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register {{ item.username | quote }} meet.jitsi {{ item.password | quote }}"
|
||||||
|
with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}"
|
||||||
|
when:
|
||||||
|
- matrix_jitsi_prosody_auth_internal_accounts|length > 0
|
||||||
|
register: matrix_jitsi_user_configuration_result
|
||||||
|
changed_when: matrix_jitsi_user_configuration_result.rc == 0
|
||||||
|
no_log: true
|
||||||
|
|
||||||
|
#
|
||||||
|
# Tasks related to clean up after configuring internal authentication.
|
||||||
|
#
|
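Review bot: The register task builds one string for `ansible.builtin.shell` and relies on `| quote` for `item.username` and `item.password`. Since no shell feature is used, `ansible.builtin.command` with an `argv` list (as the self-check file in this commit already does for wget) would remove shell parsing from the path of a user-supplied password altogether. `changed_when: matrix_jitsi_user_configuration_result.rc == 0` also means the task reports changed on every successful run, so it can never be idempotent; if that is intended, a short comment would help. The trailing "Tasks related to clean up after configuring internal authentication" comment block has no tasks under it and can be dropped until it is needed.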
@ -1,42 +0,0 @@
|
|||||||
---
|
|
||||||
#
|
|
||||||
# Start Necessary Services
|
|
||||||
#
|
|
||||||
|
|
||||||
- name: Ensure matrix-jitsi-prosody container is running
|
|
||||||
ansible.builtin.systemd:
|
|
||||||
state: started
|
|
||||||
name: matrix-jitsi-prosody
|
|
||||||
register: matrix_jitsi_prosody_start_result
|
|
||||||
|
|
||||||
|
|
||||||
#
|
|
||||||
# Tasks related to configuring Jitsi internal authentication
|
|
||||||
#
|
|
||||||
|
|
||||||
- name: Ensure Jitsi internal authentication users are configured
|
|
||||||
ansible.builtin.shell: "{{ devture_systemd_docker_base_host_command_docker }} exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register {{ item.username | quote }} meet.jitsi {{ item.password | quote }}"
|
|
||||||
with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}"
|
|
||||||
when:
|
|
||||||
- matrix_jitsi_auth_type == "internal"
|
|
||||||
- matrix_jitsi_prosody_auth_internal_accounts|length > 0
|
|
||||||
register: matrix_jitsi_user_configuration_result
|
|
||||||
changed_when: matrix_jitsi_user_configuration_result.rc == 0
|
|
||||||
no_log: true
|
|
||||||
|
|
||||||
#
|
|
||||||
# Tasks related to configuring other Jitsi authentication mechanisms
|
|
||||||
#
|
|
||||||
|
|
||||||
#
|
|
||||||
# Tasks related to cleaning after Jitsi authentication configuration
|
|
||||||
#
|
|
||||||
|
|
||||||
#
|
|
||||||
# Stop Necessary Services
|
|
||||||
#
|
|
||||||
- name: Ensure matrix-jitsi-prosody container is stopped if necessary
|
|
||||||
ansible.builtin.systemd:
|
|
||||||
state: stopped
|
|
||||||
name: matrix-jitsi-prosody
|
|
||||||
when: matrix_jitsi_prosody_start_result.changed | bool
|
|
@ -0,0 +1,13 @@
|
|||||||
|
- name: Checkout Prosody Auth Matrix User Verification Plugin Repo
|
||||||
|
ansible.builtin.git:
|
||||||
|
repo: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_location }}"
|
||||||
|
dest: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}"
|
||||||
|
version: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_version }}"
|
||||||
|
|
||||||
|
- name: Install Prosody Auth Matrix User Verification Plugin
|
||||||
|
ansible.builtin.copy:
|
||||||
|
remote_src: yes
|
||||||
|
src: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}/{{ item.path }}"
|
||||||
|
dest: "{{ matrix_jitsi_prosody_plugins_path }}/{{ item.path }}"
|
||||||
|
with_items: "{{ matrix_jitsi_prosody_auth_matrix_files }}"
|
||||||
|
when: item.when | bool
|
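Review bot: The copy task "Install Prosody Auth Matrix User Verification Plugin" sets no `owner`, `group` or `mode`, so the Lua files placed under `matrix_jitsi_prosody_plugins_path` inherit whatever the checkout and the umask produce; set them explicitly, as the other file tasks in this commit do. On the git task, the default for `matrix_jitsi_prosody_auth_matrix_user_verification_repo_version` is not part of the visible diff: since this code is loaded into Prosody's authentication path, please confirm it pins a tag or commit hash rather than a moving branch. Style: this file lacks the leading `---` the other new task files have, and `remote_src: yes` would read better as `true`.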
@ -0,0 +1,26 @@
|
|||||||
|
- name: Remove all files regarding prosody mod auth_matrix_user_verification and .well-known/element/jitsi
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "{{ item }}"
|
||||||
|
state: absent
|
||||||
|
with_flattened:
|
||||||
|
- "{{ matrix_static_files_base_path }}/.well-known/element/jitsi"
|
||||||
|
- "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}"
|
||||||
|
- "{{ matrix_jitsi_prosody_auth_matrix_files | map(attribute='path') | map('regex_replace', '^', matrix_jitsi_prosody_plugins_path+'/') | list }}"
|
||||||
|
register: matrix_jitsi_prosody_auth_matrix_user_verification_uninstalled
|
||||||
|
|
||||||
|
- name: Remove .well-known/element directory if empty
|
||||||
|
ansible.builtin.command:
|
||||||
|
argv:
|
||||||
|
- rmdir
|
||||||
|
- "{{ matrix_static_files_base_path }}/.well-known/element"
|
||||||
|
removes: "{{matrix_static_files_base_path}}/.well-known/element"
|
||||||
|
ignore_errors: yes
|
||||||
|
|
||||||
|
- when: matrix_jitsi_prosody_auth_matrix_user_verification_uninstalled.changed
|
||||||
|
block:
|
||||||
|
- name: Populate service facts
|
||||||
|
ansible.builtin.service_facts:
|
||||||
|
|
||||||
|
- name: Ensure prosody is restarted later on if currently running
|
||||||
|
set_fact:
|
||||||
|
matrix_jitsi_prosody_require_restart: "{{ true if ansible_facts.services['matrix-jitsi-prosody.service']['state'] == 'running' else false }}"
|
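Review bot: In the last task, `ansible_facts.services['matrix-jitsi-prosody.service']['state']` raises an undefined-key error when the unit is not present on the host, which is a plausible state during an uninstall. Guard the lookup, for example with `'matrix-jitsi-prosody.service' in ansible_facts.services and ...`, or use `ansible_facts.services.get(...)` with a default. The `rmdir` task uses `ignore_errors: yes` to tolerate a non-empty directory, which also hides every other failure and prints a red error on normal runs; a `failed_when` that only accepts the "directory not empty" case would be cleaner. `set_fact` here is also the short module name, where the rest of the file uses `ansible.builtin.`.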
@ -0,0 +1,49 @@
|
|||||||
|
---
|
||||||
|
#####
|
||||||
|
#
|
||||||
|
# This tasks file starts and stops (if state before was stopped) a prosody container during setup to run commands,
|
||||||
|
# that require a running prosody container.
|
||||||
|
# The task is called in ../setup_jitsi_prosody_install.yml.
|
||||||
|
#
|
||||||
|
# Important: The task is called conditionally, as to only start if really needed.
|
||||||
|
# So if you add or change anything - remember to also change the 'when' in: ../setup_jitsi_prosody_install.yml
|
||||||
|
#
|
||||||
|
#####
|
||||||
|
|
||||||
|
#
|
||||||
|
# Start Necessary Services
|
||||||
|
#
|
||||||
|
|
||||||
|
- name: Ensure matrix-jitsi-prosody container is running
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
state: "{{ 'restarted' if matrix_jitsi_prosody_require_restart | d(false) | bool else 'started' }}"
|
||||||
|
name: matrix-jitsi-prosody
|
||||||
|
register: matrix_jitsi_prosody_start_result
|
||||||
|
|
||||||
|
# If the flag was set, we can safely disable now.
|
||||||
|
- name: Disable require restart flag
|
||||||
|
set_fact:
|
||||||
|
matrix_jitsi_prosody_require_restart: false
|
||||||
|
|
||||||
|
#
|
||||||
|
# Tasks related to configuring Jitsi internal authentication
|
||||||
|
#
|
||||||
|
|
||||||
|
- name: Ensure internal authentication is properly configured
|
||||||
|
ansible.builtin.include_tasks:
|
||||||
|
file: "{{ role_path }}/tasks/util/prosody_post_setup_hooks/setup_jitsi_auth_internal.yml"
|
||||||
|
when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == "internal"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Tasks related to ...
|
||||||
|
#
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# Stop Necessary Services
|
||||||
|
#
|
||||||
|
- name: Ensure matrix-jitsi-prosody container is stopped if necessary
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
state: stopped
|
||||||
|
name: matrix-jitsi-prosody
|
||||||
|
when: matrix_jitsi_prosody_start_result.changed | bool
|
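Review bot: The final task stops prosody `when: matrix_jitsi_prosody_start_result.changed | bool`, but the first task now uses state `restarted` whenever `matrix_jitsi_prosody_require_restart` is set, and a restart always reports changed. That flag is set by the uninstall tasks precisely when prosody was already running, so in that case a running prosody is restarted and then stopped at the end of this file. Record whether the service was running before the start task (or only stop when the state used was `started` and it changed) instead of relying on `.changed`. The "Tasks related to ..." placeholder block can go, and `set_fact` should use the `ansible.builtin.` prefix like the neighbouring tasks.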
@ -0,0 +1,81 @@
|
|||||||
|
---
|
||||||
|
# Set this to the display name for ansible used in Output e.g. fail_msg
|
||||||
|
matrix_user_verification_service_ansible_name: "Matrix User Verification Service"
|
||||||
|
|
||||||
|
# Enable by default. This is overwritten in provided group vars.
|
||||||
|
matrix_user_verification_service_enabled: true
|
||||||
|
|
||||||
|
# Fix version tag
|
||||||
|
matrix_user_verification_service_version: "v2.0.0"
|
||||||
|
|
||||||
|
# Paths
|
||||||
|
matrix_user_verification_service_base_path: "{{ matrix_base_data_path }}/user-verification-service"
|
||||||
|
# We need the docker src directory to be named user_verification_service. See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/588
|
||||||
|
matrix_user_verification_service_docker_src_files_path: "{{ matrix_user_verification_service_base_path }}/docker-src/user-verification-service"
|
||||||
|
matrix_user_verification_service_config_path: "{{ matrix_user_verification_service_base_path }}/config"
|
||||||
|
matrix_user_verification_service_config_env_file: "{{ matrix_user_verification_service_config_path }}/.env"
|
||||||
|
|
||||||
|
# Set this to true in order to not use the docker image from docker hub, but rather build locally
|
||||||
|
matrix_user_verification_service_container_image_self_build: false
|
||||||
|
matrix_user_verification_service_container_image_self_build_repo: "https://github.com/matrix-org/matrix-user-verification-service.git"
|
||||||
|
matrix_user_verification_service_container_image_self_build_branch: "{{ matrix_user_verification_service_version }}"
|
||||||
|
|
||||||
|
# Docker
|
||||||
|
matrix_user_verification_service_docker_image_name_prefix: "{{ 'localhost/' if matrix_user_verification_service_container_image_self_build else matrix_container_global_registry_prefix }}"
|
||||||
|
matrix_user_verification_service_docker_image: "{{ matrix_user_verification_service_docker_image_name_prefix }}matrixdotorg/matrix-user-verification-service:{{ matrix_user_verification_service_version }}"
|
||||||
|
matrix_user_verification_service_docker_image_force_pull: "{{ matrix_user_verification_service_docker_image.endswith(':latest') }}"
|
||||||
|
|
||||||
|
matrix_user_verification_service_container_name: "matrix-user-verification-service"
|
||||||
|
# Normally this would run on port 3000 however that may conflict with grafana. It is thus advised to change this port.
|
||||||
|
#matrix_user_verification_service_container_http_host_bind_port:
|
||||||
|
matrix_user_verification_service_container_extra_arguments: []
|
||||||
|
# Systemd
|
||||||
|
matrix_user_verification_service_systemd_required_services_list: []
|
||||||
|
matrix_user_verification_service_systemd_wanted_services_list: []
|
||||||
|
matrix_user_verification_service_systemd_service_basename: "matrix-user-verification-service"
|
||||||
|
matrix_user_verification_service_systemd_service_name: "{{ matrix_user_verification_service_systemd_service_basename }}.service"
|
||||||
|
|
||||||
|
# Matrix User Verification Service Configuration
|
||||||
|
## REQUIRED
|
||||||
|
|
||||||
|
# Homeserver client API admin token (synapse only)- Required for the service to verify room membership
|
||||||
|
# matrix_user_verification_service_uvs_access_token:
|
||||||
|
|
||||||
|
# homeserver client api url
|
||||||
|
# matrix_user_verification_service_uvs_homeserver_url: ""
|
||||||
|
# disable check for non private ip range of homeserver. e.g. set to `true` if your homeserver domain resolves to a private ip.
|
||||||
|
matrix_user_verification_service_uvs_disable_ip_blacklist: false
|
||||||
|
|
||||||
|
## OPTIONAL
|
||||||
|
|
||||||
|
# Auth token to protect the API
|
||||||
|
# If this is set any calls to the provided API endpoints
|
||||||
|
# need have the header "Authorization: Bearer changeme".
|
||||||
|
# matrix_user_verification_service_uvs_auth_token: changeme
|
||||||
|
|
||||||
|
# Matrix server name to verify OpenID tokens against. See below section.
|
||||||
|
# Defaults to empty value which means verification is made against
|
||||||
|
# whatever Matrix server name passed in with the token
|
||||||
|
# matrix_user_verification_service_uvs_openid_verify_server_name: matrix.org
|
||||||
|
|
||||||
|
# Log level, defaults to 'info'
|
||||||
|
# See choices here: https://github.com/winstonjs/winston#logging-levels
|
||||||
|
# matrix_user_verification_service_uvs_log_level: info
|
||||||
|
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
##### #####
|
||||||
|
##### Variables used in this role which are not set by this role #####
|
||||||
|
##### #####
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
# matrix_user_username
|
||||||
|
# matrix_user_groupname
|
||||||
|
# matrix_user_uid
|
||||||
|
# matrix_user_gid
|
||||||
|
# matrix_container_global_registry_prefix
|
||||||
|
# matrix_docker_network
|
||||||
|
# devture_systemd_docker_base_systemd_path
|
||||||
|
# devture_systemd_docker_base_systemd_unit_home_path
|
||||||
|
# devture_systemd_docker_base_host_command_sh
|
||||||
|
# devture_systemd_docker_base_host_command_docker
|
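Review bot: `matrix_user_verification_service_enabled: true` contradicts the documentation added in this commit, which says installation is "disabled by default unless required by Jitsi"; the comment says group vars overwrite it, but anyone using the role without those group vars gets it enabled. Default it to `false` here or adjust the docs. Several variables the templates reference are only present as comments (`matrix_user_verification_service_container_http_host_bind_port`, `..._uvs_access_token`, `..._uvs_homeserver_url`), so they are undefined rather than empty; defining them as `''` would make the `assert` in `tasks/main.yml` and the template conditionals behave predictably. The comment "need have the header" is missing a "to".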
@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: Ensure systemd reloaded after matrix-user-verification-service.service installation
|
||||||
|
service:
|
||||||
|
daemon_reload: yes
|
||||||
|
listen: "reload matrix-user-verification-service"
|
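Review bot: The handler calls the generic `service:` module with only `daemon_reload: yes` and no `name`. `daemon_reload` is a systemd-specific option, so `ansible.builtin.systemd` with `daemon_reload: true` states the intent directly and matches the fully qualified module names used in the task files of this commit.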
@ -0,0 +1,24 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: verify all necessary variables are present
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- matrix_user_verification_service_uvs_access_token is defined and matrix_user_verification_service_uvs_access_token|length
|
||||||
|
- matrix_user_verification_service_uvs_homeserver_url is defined and matrix_user_verification_service_uvs_homeserver_url|length
|
||||||
|
fail_msg: "Missing variable in {{ matrix_user_verification_service_ansible_name }} role"
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- when: run_setup | bool and matrix_user_verification_service_enabled | bool
|
||||||
|
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
|
||||||
|
tags:
|
||||||
|
- setup-all
|
||||||
|
- setup-user-verification-service
|
||||||
|
- install-all
|
||||||
|
- install-user-verification-service
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- when: run_setup | bool and not matrix_user_verification_service_enabled | bool
|
||||||
|
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
|
||||||
|
tags:
|
||||||
|
- setup-all
|
||||||
|
- setup-user-verification-service
|
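Review bot: The `assert` on `matrix_user_verification_service_uvs_access_token` and `..._uvs_homeserver_url` runs unconditionally, before either `when:` is evaluated, so a host with `matrix_user_verification_service_enabled: false` still fails unless a token is set, including on the uninstall path. Move the assert under the same `run_setup | bool and matrix_user_verification_service_enabled | bool` condition as the install include. The module is also written as bare `assert` where the includes use `ansible.builtin.`, and each `block:` wraps a single task, so the `when` and `tags` could sit on the include directly.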
@ -0,0 +1,42 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: "Ensure Matrix User Verification Service paths exist"
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "{{ item.path }}"
|
||||||
|
state: directory
|
||||||
|
mode: 0750
|
||||||
|
owner: "{{ matrix_user_username }}"
|
||||||
|
group: "{{ matrix_user_groupname }}"
|
||||||
|
with_items:
|
||||||
|
- { path: "{{ matrix_user_verification_service_config_path }}", when: true }
|
||||||
|
- { path: "{{ matrix_user_verification_service_docker_src_files_path }}", when: "{{ matrix_user_verification_service_container_image_self_build }}" }
|
||||||
|
when: item.when | bool
|
||||||
|
|
||||||
|
- name: Ensure Matrix User Verification Service image is pulled
|
||||||
|
community.docker.docker_image:
|
||||||
|
name: "{{ matrix_user_verification_service_docker_image }}"
|
||||||
|
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
|
||||||
|
force_source: "{{ matrix_user_verification_service_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
|
||||||
|
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_user_verification_service_docker_image_force_pull }}"
|
||||||
|
when: "not matrix_user_verification_service_container_image_self_build | bool"
|
||||||
|
register: result
|
||||||
|
retries: "{{ devture_playbook_help_container_retries_count }}"
|
||||||
|
delay: "{{ devture_playbook_help_container_retries_delay }}"
|
||||||
|
until: result is not failed
|
||||||
|
|
||||||
|
#- block:
|
||||||
|
# TODO
|
||||||
|
# when: "matrix_user_verification_service_container_image_self_build|bool"
|
||||||
|
|
||||||
|
- name: write env file
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "{{ role_path }}/templates/.env.j2"
|
||||||
|
dest: "{{ matrix_user_verification_service_config_env_file }}"
|
||||||
|
mode: 0644
|
||||||
|
|
||||||
|
- name: Ensure matrix-user-verification-service.service installed
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "{{ role_path }}/templates/systemd/matrix-user-verification-service.service.j2"
|
||||||
|
dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}"
|
||||||
|
mode: 0644
|
||||||
|
notify: "reload matrix-user-verification-service"
|
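Review bot: The "write env file" task creates the `.env` with `mode: 0644` and no `owner` or `group`, yet that file holds `UVS_ACCESS_TOKEN` (a homeserver admin token per the docs) and optionally `UVS_AUTH_TOKEN`, so every local user on the host can read them. Set `owner: "{{ matrix_user_username }}"`, `group: "{{ matrix_user_groupname }}"` and a mode such as `0640` or `0400`; the container already runs as `matrix_user_uid:matrix_user_gid`, so it can still read the bind mount. Separately, the self-build branch is a commented-out TODO, so setting `matrix_user_verification_service_container_image_self_build: true` skips the pull and builds nothing; either fail early with a clear message or remove the variable until it is implemented.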
@ -0,0 +1,35 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: Check existence of matrix-user-verification-service service
|
||||||
|
stat:
|
||||||
|
path: "{{ matrix_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}"
|
||||||
|
register: matrix_user_verification_service_service_stat
|
||||||
|
|
||||||
|
- name: Ensure matrix-user-verification-service is stopped
|
||||||
|
service:
|
||||||
|
name: "{{ matrix_user_verification_service_systemd_service_basename }}"
|
||||||
|
state: stopped
|
||||||
|
daemon_reload: yes
|
||||||
|
register: stopping_result
|
||||||
|
when: "matrix_user_verification_service_service_stat.stat.exists|bool"
|
||||||
|
|
||||||
|
- name: Ensure matrix-user-verification-service.service doesn't exist
|
||||||
|
file:
|
||||||
|
path: "{{ matrix_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}"
|
||||||
|
state: absent
|
||||||
|
when: "matrix_user_verification_service_service_stat.stat.exists|bool"
|
||||||
|
|
||||||
|
- name: Ensure systemd reloaded after matrix-user-verification-service.service removal
|
||||||
|
service:
|
||||||
|
daemon_reload: yes
|
||||||
|
when: "matrix_user_verification_service_service_stat.stat.exists|bool"
|
||||||
|
|
||||||
|
- name: Ensure Matrix user-verification-service paths don't exist
|
||||||
|
file:
|
||||||
|
path: "{{ matrix_user_verification_service_base_path }}"
|
||||||
|
state: absent
|
||||||
|
|
||||||
|
- name: Ensure user-verification-service Docker image doesn't exist
|
||||||
|
docker_image:
|
||||||
|
name: "{{ matrix_user_verification_service_docker_image }}"
|
||||||
|
state: absent
|
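Review bot: The stat and removal tasks look for the unit under `{{ matrix_systemd_path }}`, while `setup_install.yml` installs it under `{{ devture_systemd_docker_base_systemd_path }}`, and `matrix_systemd_path` is not in the list of external variables documented in the role defaults. If the two differ or the former is undefined, the unit file is never found and the service is left installed. Use the same variable as the install path. The modules here (`stat`, `service`, `file`, `docker_image`) are also unqualified, unlike the install file, which uses `ansible.builtin.` and `community.docker.`.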
@ -0,0 +1,14 @@
|
|||||||
|
UVS_ACCESS_TOKEN={{ matrix_user_verification_service_uvs_access_token }}
|
||||||
|
UVS_HOMESERVER_URL={{ matrix_user_verification_service_uvs_homeserver_url }}
|
||||||
|
UVS_DISABLE_IP_BLACKLIST={{ matrix_user_verification_service_uvs_disable_ip_blacklist }}
|
||||||
|
|
||||||
|
{% if matrix_user_verification_service_uvs_auth_token is defined and matrix_user_verification_service_uvs_auth_token|length %}
|
||||||
|
UVS_AUTH_TOKEN={{ matrix_user_verification_service_uvs_auth_token }}
|
||||||
|
{% endif %}
|
||||||
|
{% if matrix_user_verification_service_uvs_openid_verify_server_name is defined and matrix_user_verification_service_uvs_openid_verify_server_name|length %}
|
||||||
|
UVS_OPENID_VERIFY_SERVER_NAME={{ matrix_user_verification_service_uvs_openid_verify_server_name }}
|
||||||
|
{% endif %}
|
||||||
|
{% if matrix_user_verification_service_uvs_log_level is defined and matrix_user_verification_service_uvs_log_level|length %}
|
||||||
|
UVS_LOG_LEVEL={{ matrix_user_verification_service_uvs_log_level }}
|
||||||
|
{% endif %}
|
||||||
|
|
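Review bot: The guard `matrix_user_verification_service_uvs_openid_verify_server_name is defined and ...|length` breaks for the value the new documentation tells users to set for federation, `~`: a null value passes `is defined` and then `|length` fails on it. Test truthiness instead (for example `... | default('', true) | length`), and apply the same form to the auth token and log level guards. `UVS_DISABLE_IP_BLACKLIST={{ ... }}` will also render the boolean as Python-style `False` or `True`; please confirm UVS accepts that spelling or add `| lower`.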
@ -0,0 +1,42 @@
|
|||||||
|
#jinja2: lstrip_blocks: "True"
|
||||||
|
[Unit]
|
||||||
|
Description={{ matrix_user_verification_service_ansible_name }}
|
||||||
|
{% for service in matrix_user_verification_service_systemd_required_services_list %}
|
||||||
|
Requires={{ service }}
|
||||||
|
After={{ service }}
|
||||||
|
{% endfor %}
|
||||||
|
{% for service in matrix_user_verification_service_systemd_wanted_services_list %}
|
||||||
|
Wants={{ service }}
|
||||||
|
{% endfor %}
|
||||||
|
DefaultDependencies=no
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=simple
|
||||||
|
Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
|
||||||
|
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_user_verification_service_container_name }} 2>/dev/null'
|
||||||
|
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_user_verification_service_container_name }} 2>/dev/null'
|
||||||
|
|
||||||
|
|
||||||
|
ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {{ matrix_user_verification_service_container_name }}\
|
||||||
|
--log-driver=none \
|
||||||
|
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
||||||
|
--cap-drop=ALL \
|
||||||
|
--read-only \
|
||||||
|
--network={{ matrix_docker_network }} \
|
||||||
|
{% if matrix_user_verification_service_container_http_host_bind_port %}
|
||||||
|
-p {{ matrix_user_verification_service_container_http_host_bind_port }}:3000 \
|
||||||
|
{% endif %}
|
||||||
|
--mount type=bind,src={{ matrix_user_verification_service_config_env_file }},dst=/app/.env,ro \
|
||||||
|
{% for arg in matrix_user_verification_service_container_extra_arguments %}
|
||||||
|
{{ arg }} \
|
||||||
|
{% endfor %}
|
||||||
|
{{ matrix_user_verification_service_docker_image }}
|
||||||
|
|
||||||
|
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_user_verification_service_container_name }} 2>/dev/null'
|
||||||
|
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_user_verification_service_container_name }} 2>/dev/null'
|
||||||
|
Restart=always
|
||||||
|
RestartSec=30
|
||||||
|
SyslogIdentifier={{ matrix_user_verification_service_systemd_service_basename }}
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
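Review bot: The `{% if matrix_user_verification_service_container_http_host_bind_port %}` test reads a variable that the role defaults leave commented out, so unless group vars define it the template evaluates an undefined variable and rendering fails. Define it as `''` in the defaults or guard with `| default('')`. Also note that `--log-driver=none` means `docker logs` returns nothing for this container, so the only log trail is journald via `SyslogIdentifier`; worth a line in the Logging section of the docs. The first `ExecStart` line ends in `}}\` without a space before the backslash, unlike the lines below it.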