diff --git a/CHANGELOG.md b/CHANGELOG.md index f8898755..d4c4e74f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,15 @@ +# 2020-04-03 + +## (Potential Backward Compatibility Break) ma1sd replaces mxisd + +Thanks to [Marcel Partap](https://github.com/eMPee584)'s efforts, the [mxisd](https://github.com/kamax-io/mxisd) identity server, which has been deprecated for a long time, has finally been replaced by [ma1sd](https://github.com/kamax-io/mxisd), a compatible fork. + +**If you're using the default playbook configuration**, you don't need to do anything -- your mxisd installation will be replaced with ma1sd and all existing data will be migrated automatically the next time you run the playbook. + +**If you're doing something more special** (defining custom `matrix_mxisd_*` variables), the playbook will ask you to rename them to `matrix_ma1sd_*`. +You're also encouraged to test that ma1sd works well for such a more custom setup. + + # 2020-03-29 ## Archlinux support diff --git a/README.md b/README.md index 7e64d893..b16a8dfe 100644 --- a/README.md +++ b/README.md @@ -20,13 +20,13 @@ Using this playbook, you can get the following services configured on your serve - (optional, default) a [Riot](https://riot.im/) web UI, which is configured to connect to your own Synapse server by default -- (optional, default) an [mxisd](https://github.com/kamax-io/mxisd) Matrix Identity server +- (optional, default) an [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server - (optional, default) an [Exim](https://www.exim.org/) mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) - (optional, default) an [nginx](http://nginx.org/) web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver [is possible](docs/configuring-playbook-own-webserver.md) -- (optional, advanced) the [matrix-synapse-rest-auth](https://github.com/kamax-io/matrix-synapse-rest-auth) REST authentication password provider module +- (optional, advanced) the [matrix-synapse-rest-auth](https://github.com/ma1uta/matrix-synapse-rest-password-provider) REST authentication password provider module - (optional, advanced) the [matrix-synapse-shared-secret-auth](https://github.com/devture/matrix-synapse-shared-secret-auth) password provider module @@ -112,7 +112,7 @@ This playbook sets up your server using the following Docker images: - [vectorim/riot-web](https://hub.docker.com/r/vectorim/riot-web/) - the [Riot.im](https://about.riot.im/) web client (optional) -- [kamax/mxisd](https://hub.docker.com/r/kamax/mxisd/) - the [mxisd](https://github.com/kamax-io/mxisd) Matrix Identity server (optional) +- [ma1uta/ma1sd](https://hub.docker.com/r/ma1uta/ma1sd/) - the [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server (optional) - [postgres](https://hub.docker.com/_/postgres/) - the [Postgres](https://www.postgresql.org/) database server (optional) diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index 735b348f..29ddc61e 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -44,7 +44,7 @@ The `jitsi.` subdomain may be necessary, because this playbook coul ## `_matrix-identity._tcp` SRV record setup -To make the [mxisd](https://github.com/kamax-io/mxisd) Identity Server (which this playbook installs for you) be authoritative for your domain name, set up one more SRV record that looks like this: +To make the [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server (which this playbook installs for you) be authoritative for your domain name, set up one more SRV record that looks like this: - Name: `_matrix-identity._tcp` (use this text as-is) - Content: `10 0 443 matrix.` (replace `` with your own) diff --git a/docs/configuring-playbook-ldap-auth.md b/docs/configuring-playbook-ldap-auth.md index c9f15c31..5144323a 100644 --- a/docs/configuring-playbook-ldap-auth.md +++ b/docs/configuring-playbook-ldap-auth.md @@ -28,5 +28,5 @@ If you wish for users to **authenticate only against configured password provide matrix_synapse_password_config_localdb_enabled: false ``` -## Using mxisd Identity Server for authentication -If you wish to use the mxisd Identity Server for LDAP authentication instead of [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) consult [Adjusting mxisd Identity Server configuration](configuring-playbook-mxisd.md#authentication). \ No newline at end of file +## Using ma1sd Identity Server for authentication +If you wish to use the ma1sd Identity Server for LDAP authentication instead of [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) consult [Adjusting ma1sd Identity Server configuration](configuring-playbook-ma1sd.md#authentication). diff --git a/docs/configuring-playbook-ma1sd.md b/docs/configuring-playbook-ma1sd.md new file mode 100644 index 00000000..da9ff21e --- /dev/null +++ b/docs/configuring-playbook-ma1sd.md @@ -0,0 +1,86 @@ +# Adjusting ma1sd Identity Server configuration (optional) + +By default, this playbook configures an [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server for you. + +This server is private by default, potentially at the expense of user discoverability. + +ma1sd is a fork of [mxisd](https://github.com/kamax-io/mxisd) which was pronounced end of life 2019-06-21. + +## Matrix.org lookup forwarding + +To ensure maximum discovery, you can make your identity server also forward lookups to the central matrix.org Identity server (at the cost of potentially leaking all your contacts information). + +Enabling this is discouraged and you'd better [learn more](https://github.com/ma1uta/ma1sd/blob/master/docs/features/identity.md#lookups) before proceeding. + +Enabling matrix.org forwarding can happen with the following configuration: + +```yaml +matrix_ma1sd_matrixorg_forwarding_enabled: true +``` + + +## Customizing email templates + +If you'd like to change the default email templates used by ma1sd, take a look at the `matrix_ma1sd_threepid_medium_email_custom_` variables +(in the `roles/matrix-ma1sd/defaults/main.yml` file. + + +## ma1sd-controlled Registration + +To use the [Registration](https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md) feature of ma1sd, you can make use of the following variables: + +- `matrix_synapse_enable_registration` - to enable user-initiated registration in Synapse + +- `matrix_synapse_registrations_require_3pid` - to control the types of 3pid (`'email'`, `'msisdn'`) required by the Synapse server for registering + +- variables prefixed with `matrix_nginx_proxy_proxy_matrix_3pid_registration_` (e.g. `matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled`) - to configure the integrated nginx webserver to send registration requests to ma1sd (instead of Synapse), so it can apply its additional functionality + +- `matrix_ma1sd_configuration_extension_yaml` - to configure ma1sd as required. See the [Registration feature's docs](https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md) for inspiration. Also see the [Additional features](#additional-features) section below to learn more about how to use `matrix_ma1sd_configuration_extension_yaml`. + +## Authentication + +[Authentication](https://github.com/ma1uta/ma1sd/blob/master/docs/features/authentication.md) provides the possibility to use your own [Identity Stores](https://github.com/ma1uta/ma1sd/blob/master/docs/stores/README.md) (for example LDAP) to authenticate users on your Homeserver. The following configuration can be used to authenticate against an LDAP server: + +```yaml +matrix_synapse_ext_password_provider_rest_auth_enabled: true + +# matrix-ma1sd is the hostname of the ma1sd Docker container +matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-ma1sd:8090" + +matrix_ma1sd_configuration_extension_yaml: | + ldap: + enabled: true + connection: + host: ldapHostnameOrIp + tls: false + port: 389 + baseDNs: ['OU=Users,DC=example,DC=org'] + bindDn: CN=My ma1sd User,OU=Users,DC=example,DC=org + bindPassword: TheUserPassword +``` + +## Additional features + +What this playbook configures for your is some bare minimum Identity Server functionality, so that you won't need to rely on external 3rd party services. + +A few variables can be toggled in this playbook to alter the ma1sd configuration that gets generated. + +Still, ma1sd can do much more. +You can refer to the [ma1sd website](https://github.com/ma1uta/ma1sd) for more details and configuration options. + +To use a more custom configuration, you can define a `matrix_ma1sd_configuration_extension_yaml` string variable +and put your configuration in it. +To learn more about how to do this, refer to the information about `matrix_ma1sd_configuration_extension_yaml` in the [default variables file](../roles/matrix-ma1sd/defaults/main.yml) of the ma1sd component. + + +## Troubleshooting + +If email address validation emails sent by ma1sd are not reaching you, you should look into [Adjusting email-sending settings](configuring-playbook-email.md). + +If you'd like additional logging information, temporarily enable verbose logging for ma1sd. + +Example configuration (`inventory/host_vars/matrix.DOMAIN/vars.yml`): + +```yaml +matrix_ma1sd_verbose_logging: true +``` diff --git a/docs/configuring-playbook-mxisd.md b/docs/configuring-playbook-mxisd.md deleted file mode 100644 index 29cec488..00000000 --- a/docs/configuring-playbook-mxisd.md +++ /dev/null @@ -1,85 +0,0 @@ -# Adjusting mxisd Identity Server configuration (optional) - -By default, this playbook configures an [mxisd](https://github.com/kamax-io/mxisd) Identity Server for you. - -This server is private by default, potentially at the expense of user discoverability. - - -## Matrix.org lookup forwarding - -To ensure maximum discovery, you can make your identity server also forward lookups to the central matrix.org Identity server (at the cost of potentially leaking all your contacts information). - -Enabling this is discouraged and you'd better [learn more](https://github.com/kamax-io/mxisd/blob/master/docs/features/identity.md#lookups) before proceeding. - -Enabling matrix.org forwarding can happen with the following configuration: - -```yaml -matrix_mxisd_matrixorg_forwarding_enabled: true -``` - - -## Customizing email templates - -If you'd like to change the default email templates used by mxisd, take a look at the `matrix_mxisd_threepid_medium_email_custom_` variables -(in the `roles/matrix-mxisd/defaults/main.yml` file. - - -## mxisd-controlled Registration - -To use the [Registration](https://github.com/kamax-matrix/mxisd/blob/master/docs/features/registration.md) feature of mxisd, you can make use of the following variables: - -- `matrix_synapse_enable_registration` - to enable user-initiated registration in Synapse - -- `matrix_synapse_registrations_require_3pid` - to control the types of 3pid (`'email'`, `'msisdn'`) required by the Synapse server for registering - -- variables prefixed with `matrix_nginx_proxy_proxy_matrix_3pid_registration_` (e.g. `matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled`) - to configure the integrated nginx webserver to send registration requests to mxisd (instead of Synapse), so it can apply its additional functionality - -- `matrix_mxisd_configuration_extension_yaml` - to configure mxisd as required. See the [Registration feature's docs](https://github.com/kamax-matrix/mxisd/blob/master/docs/features/registration.md) for inspiration. Also see the [Additional features](#additional-features) section below to learn more about how to use `matrix_mxisd_configuration_extension_yaml`. - -## Authentication - -[Authentication](https://github.com/kamax-matrix/mxisd/blob/master/docs/features/authentication.md) provides the possibility to use your own [Identity Stores](https://github.com/kamax-matrix/mxisd/blob/master/docs/stores/README.md) (for example LDAP) to authenticate users on your Homeserver. The following configuration can be used to authenticate against an LDAP server: - -```yaml -matrix_synapse_ext_password_provider_rest_auth_enabled: true - -# matrix-mxisd is the hostname of the mxisd Docker container -matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-mxisd:8090" - -matrix_mxisd_configuration_extension_yaml: | - ldap: - enabled: true - connection: - host: ldapHostnameOrIp - tls: false - port: 389 - baseDNs: ['OU=Users,DC=example,DC=org'] - bindDn: CN=My Mxisd User,OU=Users,DC=example,DC=org - bindPassword: TheUserPassword -``` - -## Additional features - -What this playbook configures for your is some bare minimum Identity Server functionality, so that you won't need to rely on external 3rd party services. - -A few variables can be toggled in this playbook to alter the mxisd configuration that gets generated. - -Still, mxisd can do much more. -You can refer to the [mxisd website](https://github.com/kamax-io/mxisd) for more details and configuration options. - -To use a more custom configuration, you can define a `matrix_mxisd_configuration_extension_yaml` string variable -and put your configuration in it. -To learn more about how to do this, refer to the information about `matrix_mxisd_configuration_extension_yaml` in the [default variables file](../roles/matrix-mxisd/defaults/main.yml) of the mxisd component. - - -## Troubleshooting - -If email address validation emails sent by mxisd are not reaching you, you should look into [Adjusting email-sending settings](configuring-playbook-email.md). - -If you'd like additional logging information, temporarily enable verbose logging for mxisd. - -Example configuration (`inventory/host_vars/matrix.DOMAIN/vars.yml`): - -```yaml -matrix_mxisd_verbose_logging: true -``` \ No newline at end of file diff --git a/docs/configuring-playbook-rest-auth.md b/docs/configuring-playbook-rest-auth.md index f35c0f49..23644c9e 100644 --- a/docs/configuring-playbook-rest-auth.md +++ b/docs/configuring-playbook-rest-auth.md @@ -1,6 +1,6 @@ # Setting up the REST authentication password provider module (optional, advanced) -The playbook can install and configure [matrix-synapse-rest-auth](https://github.com/kamax-io/matrix-synapse-rest-auth) for you. +The playbook can install and configure [matrix-synapse-rest-auth](https://github.com/ma1uta/matrix-synapse-rest-password-provider) for you. See that project's documentation to learn what it does and why it might be useful to you. @@ -8,7 +8,7 @@ If you decide that you'd like to let this playbook install it for you, you need ```yaml matrix_synapse_ext_password_provider_rest_auth_enabled: true -matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-mxisd:8090" +matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-ma1sd:8090" matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 051abf16..4d0d2093 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -44,7 +44,7 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Using an external PostgreSQL server](configuring-playbook-external-postgres.md) (optional) -- [Adjusting mxisd Identity Server configuration](configuring-playbook-mxisd.md) (optional) +- [Adjusting ma1sd Identity Server configuration](configuring-playbook-ma1sd.md) (optional) - [Adjusting SSL certificate retrieval](configuring-playbook-ssl-certificates.md) (optional, advanced) diff --git a/docs/maintenance-and-troubleshooting.md b/docs/maintenance-and-troubleshooting.md index 5dd1ee3f..bccf3e2e 100644 --- a/docs/maintenance-and-troubleshooting.md +++ b/docs/maintenance-and-troubleshooting.md @@ -38,6 +38,6 @@ Re-run the playbook after making these configuration changes. See the dedicated [PostgreSQL Maintenance](maintenance-postgres.md) documentation page. -## Mxisd +## Ma1sd -See the dedicated [Adjusting mxisd Identity Server configuration](configuring-playbook-mxisd.md) documentation page. \ No newline at end of file +See the dedicated [Adjusting ma1sd Identity Server configuration](configuring-playbook-ma1sd.md) documentation page. diff --git a/docs/self-building.md b/docs/self-building.md index a4d6fad9..6b9a46d4 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -1,6 +1,6 @@ # Self-building -The playbook supports the self-building of some of its components. This may be useful for architectures besides x86_64, which have no Docker images right now (e g. the armv7 for the Raspberry Pi). Some playbook roles have been updated, so they build the necessary image on the host. It needs more space, as some build tools need to be present (like Java, for mxisd). +The playbook supports the self-building of some of its components. This may be useful for architectures besides x86_64, which have no Docker images right now (e g. the armv7 for the Raspberry Pi). Some playbook roles have been updated, so they build the necessary image on the host. It needs more space, as some build tools need to be present (like Java, for ma1sd). To use these modification there is a variable that needs to be switched to enable this functionality. Add this to your `vars.yaml` file: ```yaml @@ -12,7 +12,7 @@ List of roles where self-building the docker image is currently possible: - synapse - riot-web - coturn -- mxisd +- ma1sd - matrix-bridge-mautrix-facebook - matrix-bridge-mautrix-hangouts diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index c2dd5786..e9dbffb5 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -435,7 +435,7 @@ matrix_jitsi_web_stun_servers: | # By default, this playbook sets up a postfix mailer server (running in a container). # This is so that Synapse can send email reminders for unread messages. -# Other services (like mxisd), also use the mailer. +# Other services (like ma1sd), also use the mailer. matrix_mailer_enabled: true ###################################################################### @@ -448,41 +448,41 @@ matrix_mailer_enabled: true ###################################################################### # -# matrix-mxisd +# matrix-ma1sd # ###################################################################### -# By default, this playbook installs the mxisd identity server on the same domain as Synapse (`matrix_server_fqn_matrix`). +# By default, this playbook installs the ma1sd identity server on the same domain as Synapse (`matrix_server_fqn_matrix`). # If you wish to use the public identity servers (matrix.org, vector.im) instead of your own you may wish to disable this. -matrix_mxisd_enabled: true +matrix_ma1sd_enabled: true -matrix_mxisd_container_image_self_build: "{{ matrix_container_images_self_build }}" +matrix_ma1sd_container_image_self_build: "{{ matrix_container_images_self_build }}" -# Normally, matrix-nginx-proxy is enabled and nginx can reach mxisd over the container network. +# Normally, matrix-nginx-proxy is enabled and nginx can reach ma1sd over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# mxisd's web-server port. -matrix_mxisd_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8090' }}" +# ma1sd's web-server port. +matrix_ma1sd_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8090' }}" # We enable Synapse integration via its Postgres database by default. # When using another Identity store, you might wish to disable this and define -# your own configuration in `matrix_mxisd_configuration_extension_yaml`. -matrix_mxisd_synapsesql_enabled: true -matrix_mxisd_synapsesql_type: postgresql -matrix_mxisd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user | urlencode() }}&password={{ matrix_synapse_database_password | urlencode() }} +# your own configuration in `matrix_ma1sd_configuration_extension_yaml`. +matrix_ma1sd_synapsesql_enabled: true +matrix_ma1sd_synapsesql_type: postgresql +matrix_ma1sd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user | urlencode() }}&password={{ matrix_synapse_database_password | urlencode() }} -matrix_mxisd_dns_overwrite_enabled: true -matrix_mxisd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" -matrix_mxisd_dns_overwrite_homeserver_client_value: "http://{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-synapse:8008' }}" +matrix_ma1sd_dns_overwrite_enabled: true +matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" +matrix_ma1sd_dns_overwrite_homeserver_client_value: "http://{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-synapse:8008' }}" # By default, we send mail through the `matrix-mailer` service. -matrix_mxisd_threepid_medium_email_identity_from: "{{ matrix_mailer_sender_address }}" -matrix_mxisd_threepid_medium_email_connectors_smtp_host: "matrix-mailer" -matrix_mxisd_threepid_medium_email_connectors_smtp_port: 8025 -matrix_mxisd_threepid_medium_email_connectors_smtp_tls: 0 +matrix_ma1sd_threepid_medium_email_identity_from: "{{ matrix_mailer_sender_address }}" +matrix_ma1sd_threepid_medium_email_connectors_smtp_host: "matrix-mailer" +matrix_ma1sd_threepid_medium_email_connectors_smtp_port: 8025 +matrix_ma1sd_threepid_medium_email_connectors_smtp_tls: 0 -matrix_mxisd_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}" +matrix_ma1sd_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}" -matrix_mxisd_systemd_wanted_services_list: | +matrix_ma1sd_systemd_wanted_services_list: | {{ (['matrix-corporal.service'] if matrix_corporal_enabled else ['matrix-synapse.service']) + @@ -493,7 +493,7 @@ matrix_mxisd_systemd_wanted_services_list: | ###################################################################### # -# /matrix-mxisd +# /matrix-ma1sd # ###################################################################### @@ -523,8 +523,8 @@ matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enable matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081" -matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_mxisd_enabled }}" -matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-mxisd:8090" +matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_ma1sd_enabled }}" +matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:8090" matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090" # By default, we do TLS termination for the Matrix Federation API (port 8448) at matrix-nginx-proxy. @@ -536,7 +536,7 @@ matrix_nginx_proxy_proxy_synapse_metrics: "{{ matrix_synapse_metrics_enabled }}" matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container: "matrix-synapse:{{ matrix_synapse_metrics_port }}" matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "127.0.0.1:{{ matrix_synapse_metrics_port }}" -matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_mxisd_enabled }}" +matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}" @@ -548,7 +548,7 @@ matrix_nginx_proxy_systemd_wanted_services_list: | + (['matrix-corporal.service'] if matrix_corporal_enabled else []) + - (['matrix-mxisd.service'] if matrix_mxisd_enabled else []) + (['matrix-ma1sd.service'] if matrix_ma1sd_enabled else []) + (['matrix-riot-web.service'] if matrix_riot_web_enabled else []) }} @@ -652,8 +652,13 @@ matrix_riot_web_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matrix_jit matrix_synapse_container_image_self_build: "{{ matrix_container_images_self_build }}" -# When mxisd is enabled, we can use it instead of the default public Identity servers. -matrix_synapse_trusted_third_party_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}" +# When ma1sd is enabled, we can use it instead of the default public Identity servers. +matrix_synapse_trusted_third_party_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_ma1sd_enabled else matrix_synapse_id_servers_public }}" + +# When ma1sd is enabled, we can use it to validate email addresses and phone numbers. +# Synapse can validate email addresses by itself as well, but it's probably not what we want by default when we have an identity server. +matrix_synapse_account_threepid_delegates_email: "{{ 'http://matrix-ma1sd:8090' if matrix_ma1sd_enabled else '' }}" +matrix_synapse_account_threepid_delegates_msisdn: "{{ 'http://matrix-ma1sd:8090' if matrix_ma1sd_enabled else '' }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, diff --git a/roles/matrix-base/tasks/main.yml b/roles/matrix-base/tasks/main.yml index 909cad20..827a4101 100644 --- a/roles/matrix-base/tasks/main.yml +++ b/roles/matrix-base/tasks/main.yml @@ -21,7 +21,7 @@ when: run_setup|bool tags: - setup-all - - setup-mxisd + - setup-ma1sd - setup-synapse - setup-nginx-proxy diff --git a/roles/matrix-base/tasks/self_check_dns.yml b/roles/matrix-base/tasks/self_check_dns.yml index d17b2149..57c07b2b 100644 --- a/roles/matrix-base/tasks/self_check_dns.yml +++ b/roles/matrix-base/tasks/self_check_dns.yml @@ -5,16 +5,16 @@ - block: - set_fact: - dns_srv_record_check_mxisd: + dns_srv_record_check_ma1sd: service_and_protocol: "_matrix-identity._tcp" domain: "{{ (matrix_domain + '.') }}" expected_target: "{{ (matrix_server_fqn_matrix + '.') }}" expected_port: 443 - - name: Determine domains that we require certificates for (mxisd) + - name: Determine domains that we require certificates for (ma1sd) set_fact: - dns_srv_record_checks: "{{ dns_srv_record_checks + [dns_srv_record_check_mxisd] }}" - when: matrix_mxisd_enabled|bool + dns_srv_record_checks: "{{ dns_srv_record_checks + [dns_srv_record_check_ma1sd] }}" + when: matrix_ma1sd_enabled|bool - name: Perform DNS SRV checks include_tasks: "{{ role_path }}/tasks/self_check_dns_srv.yml" diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml new file mode 100644 index 00000000..144f4932 --- /dev/null +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -0,0 +1,178 @@ +# ma1sd is a Federated Matrix Identity Server +# See: https://github.com/ma1uta/ma1sd + +matrix_ma1sd_enabled: true + +matrix_ma1sd_container_image_self_build: false + +matrix_ma1sd_docker_image: "ma1uta/ma1sd:2.3.0" +matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}" + +matrix_ma1sd_base_path: "{{ matrix_base_data_path }}/ma1sd" +matrix_ma1sd_docker_src_files_path: "{{ matrix_ma1sd_base_path }}/docker-src" +matrix_ma1sd_config_path: "{{ matrix_ma1sd_base_path }}/config" +matrix_ma1sd_data_path: "{{ matrix_ma1sd_base_path }}/data" + +# Controls whether the matrix-ma1sd container exposes its HTTP port (tcp/8090 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8090"), or empty string to not expose. +matrix_ma1sd_container_http_host_bind_port: '' + +# A list of extra arguments to pass to the container +matrix_ma1sd_container_extra_arguments: [] + +# List of systemd services that matrix-ma1sd.service depends on +matrix_ma1sd_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-ma1sd.service wants +matrix_ma1sd_systemd_wanted_services_list: [] + +# Your identity server is private by default. +# To ensure maximum discovery, you can make your identity server +# also forward lookups to the central matrix.org Identity server +# (at the cost of potentially leaking all your contacts information). +# Enabling this is discouraged. Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/features/identity.md#lookups +matrix_ma1sd_matrixorg_forwarding_enabled: false + +# ma1sd has serveral supported identity stores. +# One of them is storing identities directly in Synapse's database. +# Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/stores/synapse.md +matrix_ma1sd_synapsesql_enabled: false +matrix_ma1sd_synapsesql_type: "" +matrix_ma1sd_synapsesql_connection: "" + +# Setting up email-sending settings is required for using ma1sd. +matrix_ma1sd_threepid_medium_email_identity_from: "matrix@{{ matrix_domain }}" +matrix_ma1sd_threepid_medium_email_connectors_smtp_host: "" +matrix_ma1sd_threepid_medium_email_connectors_smtp_port: 587 +matrix_ma1sd_threepid_medium_email_connectors_smtp_tls: 1 +matrix_ma1sd_threepid_medium_email_connectors_smtp_login: "" +matrix_ma1sd_threepid_medium_email_connectors_smtp_password: "" + +# DNS overwrites are useful for telling ma1sd how it can reach the homeserver directly. +# Useful when reverse-proxying certain URLs (e.g. `/_matrix/client/r0/user_directory/search`) to ma1sd, +# so that ma1sd can rewrite the original URL to one that would reach the homeserver. +matrix_ma1sd_dns_overwrite_enabled: false +matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" +matrix_ma1sd_dns_overwrite_homeserver_client_value: "http://matrix-synapse:8008" + +# Override the default email templates +# To use this, fill in the template variables with the full desired template as a multi-line YAML variable +# +# More info: +# https://github.com/ma1uta/ma1sd/blob/master/docs/threepids/notification/template-generator.md +# https://github.com/ma1uta/ma1sd/tree/master/src/main/resources/threepids/email +matrix_ma1sd_threepid_medium_email_custom_templates_enabled: false +matrix_ma1sd_threepid_medium_email_custom_invite_template: "" +matrix_ma1sd_threepid_medium_email_custom_session_validation_template: "" +matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template: "" +matrix_ma1sd_threepid_medium_email_custom_matrixid_template: "" + +# Controls whether the self-check feature should validate SSL certificates. +matrix_ma1sd_self_check_validate_certificates: true + +# Controls ma1sd logging verbosity for troubleshooting. +# +# According to: https://github.com/ma1uta/ma1sd/blob/master/docs/troubleshooting.md#increase-verbosity +matrix_ma1sd_verbose_logging: false + +# Default ma1sd configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_ma1sd_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_ma1sd_configuration_yaml: | + #jinja2: lstrip_blocks: True + matrix: + domain: {{ matrix_domain }} + + server: + name: {{ matrix_server_fqn_matrix }} + + key: + path: /var/ma1sd/sign.key + + storage: + provider: + sqlite: + database: /var/ma1sd/ma1sd.db + + {% if matrix_ma1sd_dns_overwrite_enabled %} + dns: + overwrite: + homeserver: + client: + - name: {{ matrix_ma1sd_dns_overwrite_homeserver_client_name }} + value: {{ matrix_ma1sd_dns_overwrite_homeserver_client_value }} + {% endif %} + + {% if matrix_ma1sd_matrixorg_forwarding_enabled %} + forward: + servers: ['matrix-org'] + {% endif %} + + threepid: + medium: + email: + identity: + from: {{ matrix_ma1sd_threepid_medium_email_identity_from }} + connectors: + smtp: + host: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_host }} + port: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_port }} + tls: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_tls }} + login: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_login }} + password: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_password }} + {% if matrix_ma1sd_threepid_medium_email_custom_templates_enabled %} + generators: + template: + {% if matrix_ma1sd_threepid_medium_email_custom_invite_template %} + invite: '/var/ma1sd/invite-template.eml' + {% endif %} + {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template or matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template %} + session: + {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template %} + validation: '/var/ma1sd/validate-template.eml' + {% endif %} + {% if matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template %} + unbind: + frandulent: '/var/ma1sd/unbind-fraudulent.eml' + {% endif %} + {% endif %} + {% if matrix_ma1sd_threepid_medium_email_custom_matrixid_template %} + generic: + matrixId: '/var/ma1sd/mxid-template.eml' + {% endif %} + {% endif %} + + synapseSql: + enabled: {{ matrix_ma1sd_synapsesql_enabled }} + type: {{ matrix_ma1sd_synapsesql_type }} + connection: {{ matrix_ma1sd_synapsesql_connection }} + +matrix_ma1sd_configuration_extension_yaml: | + # Your custom YAML configuration for ma1sd goes here. + # This configuration extends the default starting configuration (`matrix_ma1sd_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_ma1sd_configuration_yaml`. + # + # Example configuration extension follows: + # + # ldap: + # enabled: true + # connection: + # host: ldapHostnameOrIp + # tls: false + # port: 389 + # baseDNs: ['OU=Users,DC=example,DC=org'] + # bindDn: CN=My Ma1sd User,OU=Users,DC=example,DC=org + # bindPassword: TheUserPassword + +matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml|from_yaml if matrix_ma1sd_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final ma1sd configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_ma1sd_configuration_yaml`. +matrix_ma1sd_configuration: "{{ matrix_ma1sd_configuration_yaml|from_yaml|combine(matrix_ma1sd_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-mxisd/tasks/init.yml b/roles/matrix-ma1sd/tasks/init.yml similarity index 70% rename from roles/matrix-mxisd/tasks/init.yml rename to roles/matrix-ma1sd/tasks/init.yml index dcf1d053..31a2e28f 100644 --- a/roles/matrix-mxisd/tasks/init.yml +++ b/roles/matrix-ma1sd/tasks/init.yml @@ -1,10 +1,10 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mxisd'] }}" - when: matrix_mxisd_enabled|bool + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ma1sd'] }}" + when: matrix_ma1sd_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters # for self buildig it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: - msg: "To self build Mxisd image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mxisd_container_image_self_build" + msg: "To self build ma1sd image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ma1sd_container_image_self_build" diff --git a/roles/matrix-ma1sd/tasks/main.yml b/roles/matrix-ma1sd/tasks/main.yml new file mode 100644 index 00000000..f5ac34d6 --- /dev/null +++ b/roles/matrix-ma1sd/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_ma1sd_enabled|bool" + tags: + - setup-all + - setup-ma1sd + +- import_tasks: "{{ role_path }}/tasks/setup_ma1sd.yml" + tags: + - setup-all + - setup-ma1sd + +- import_tasks: "{{ role_path }}/tasks/self_check_ma1sd.yml" + delegate_to: 127.0.0.1 + become: false + when: "run_self_check|bool and matrix_ma1sd_enabled|bool" + tags: + - self-check diff --git a/roles/matrix-ma1sd/tasks/migrate_mxisd.yml b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml new file mode 100644 index 00000000..424880e2 --- /dev/null +++ b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml @@ -0,0 +1,80 @@ +--- + +# This task is for migrating existing mxisd data when transitioning to the ma1sd fork. + +- name: Check for existent mxisd data + stat: + path: "{{ matrix_base_data_path }}/mxisd" + register: ma1sd_migrate_mxisd_data_dir_stat + +- name: Warn if mxisd data detected + debug: + msg: > + You seem to have an existing mxisd data folder in `{{ matrix_base_data_path }}`. + We are going to migrate it to ma1sd and rename the folder to mxisd.migrated. + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + +- name: Check existence of old matrix-mxisd service + stat: + path: "{{ matrix_systemd_path }}/matrix-mxisd.service" + register: matrix_mxisd_service_stat + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + +- name: Ensure matrix-mxisd is stopped + service: + name: matrix-mxisd + state: stopped + daemon_reload: yes + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists and matrix_mxisd_service_stat.stat.exists" + +- name: Check existence of matrix-ma1sd service + stat: + path: "{{ matrix_systemd_path }}/matrix-ma1sd.service" + register: matrix_ma1sd_service_stat + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + +- name: Ensure matrix-ma1sd is stopped + service: + name: matrix-ma1sd + state: stopped + daemon_reload: yes + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists and matrix_ma1sd_service_stat.stat.exists" + +- name: Ensure ma1sd data path exist + file: + path: "{{ matrix_ma1sd_data_path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + +- name: Copy mxisd data files to ma1sd folder + copy: + src: "{{ item.src }}" + remote_src: true + dest: "{{ matrix_ma1sd_data_path }}/{{ item.dst_name }}" + mode: "preserve" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - {"src": "{{ matrix_base_data_path }}/mxisd/data/mxisd.db", "dst_name": "ma1sd.db"} + - {"src": "{{ matrix_base_data_path }}/mxisd/data/sign.key", "dst_name": "sign.key"} + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + +- name: Rename mxisd folder + command: "mv {{ matrix_base_data_path }}/mxisd {{ matrix_base_data_path }}/mxisd.migrated" + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + +- name: Ensure outdated matrix-mxisd.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-mxisd.service" + state: absent + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + +- name: Ensure systemd reloaded after removing outdated matrix-mxisd.service + service: + daemon_reload: yes + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + + diff --git a/roles/matrix-ma1sd/tasks/self_check_ma1sd.yml b/roles/matrix-ma1sd/tasks/self_check_ma1sd.yml new file mode 100644 index 00000000..2e081263 --- /dev/null +++ b/roles/matrix-ma1sd/tasks/self_check_ma1sd.yml @@ -0,0 +1,21 @@ +--- + +- set_fact: + ma1sd_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/identity/api/v1" + +- name: Check ma1sd Identity Service + uri: + url: "{{ ma1sd_url_endpoint_public }}" + follow_redirects: none + validate_certs: "{{ matrix_ma1sd_self_check_validate_certificates }}" + register: result_ma1sd + ignore_errors: true + +- name: Fail if ma1sd Identity Service not working + fail: + msg: "Failed checking ma1sd is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ ma1sd_url_endpoint_public }}`). Is ma1sd running? Is port 443 open in your firewall? Full error: {{ result_ma1sd }}" + when: "result_ma1sd.failed or 'json' not in result_ma1sd" + +- name: Report working ma1sd Identity Service + debug: + msg: "ma1sd at `{{ matrix_server_fqn_matrix }}` is working (checked endpoint: `{{ ma1sd_url_endpoint_public }}`)" diff --git a/roles/matrix-ma1sd/tasks/setup_ma1sd.yml b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml new file mode 100644 index 00000000..c197b64f --- /dev/null +++ b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml @@ -0,0 +1,140 @@ +--- + +# +# Tasks related to setting up ma1sd +# + +- import_tasks: "{{ role_path }}/tasks/migrate_mxisd.yml" + when: matrix_ma1sd_enabled|bool + +- name: Ensure ma1sd paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - { path: "{{ matrix_ma1sd_config_path }}", when: true } + - { path: "{{ matrix_ma1sd_data_path }}", when: true } + - { path: "{{ matrix_ma1sd_docker_src_files_path }}", when: "{{ matrix_ma1sd_container_image_self_build }}"} + when: matrix_ma1sd_enabled|bool and item.when + +- name: Ensure ma1sd image is pulled + docker_image: + name: "{{ matrix_ma1sd_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_ma1sd_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ma1sd_docker_image_force_pull }}" + when: matrix_ma1sd_enabled|bool and not matrix_ma1sd_container_image_self_build + +- block: + - name: Ensure gradle is installed for self-building (Debian) + apt: + name: + - gradle + state: present + update_cache: yes + when: (ansible_os_family == 'Debian') + + - name: Ensure gradle is installed for self-building (CentOS) + fail: + msg: "Installing gradle on CentOS is currently not supported, so self-building ma1sd cannot happen at this time" + when: ansible_distribution == 'CentOS' + + - name: Ensure gradle is installed for self-building (Archlinux) + pacman: + name: + - gradle + state: latest + update_cache: yes + when: ansible_distribution == 'Archlinux' + + - name: Ensure ma1sd repository is present on self-build + git: + repo: https://github.com/ma1uta/ma1sd.git + dest: "{{ matrix_ma1sd_docker_src_files_path }}" + version: "v{{ matrix_ma1sd_docker_image.split(':')[1] }}" + force: "yes" + + - name: Ensure ma1sd Docker image is built + shell: "./gradlew dockerBuild" + args: + chdir: "{{ matrix_ma1sd_docker_src_files_path }}" + when: "matrix_ma1sd_enabled|bool and matrix_ma1sd_container_image_self_build" + +- name: Ensure ma1sd config installed + copy: + content: "{{ matrix_ma1sd_configuration|to_nice_yaml }}" + dest: "{{ matrix_ma1sd_config_path }}/ma1sd.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + when: matrix_ma1sd_enabled|bool + +- name: Ensure custom templates are installed if any + copy: + content: "{{ item.value }}" + dest: "{{ matrix_ma1sd_data_path }}/{{ item.location }}" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'} + - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'} + - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template }}", location: 'unbind-fraudulent.eml'} + - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'} + when: "matrix_ma1sd_enabled|bool and matrix_ma1sd_threepid_medium_email_custom_templates_enabled|bool and item.value" + +- name: Ensure matrix-ma1sd.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-ma1sd.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-ma1sd.service" + mode: 0644 + register: matrix_ma1sd_systemd_service_result + when: matrix_ma1sd_enabled|bool + +- name: Ensure systemd reloaded after matrix-ma1sd.service installation + service: + daemon_reload: yes + when: "matrix_ma1sd_enabled|bool and matrix_ma1sd_systemd_service_result.changed" + +# +# Tasks related to getting rid of ma1sd (if it was previously enabled) +# + +- name: Check existence of matrix-ma1sd service + stat: + path: "{{ matrix_systemd_path }}/matrix-ma1sd.service" + register: matrix_ma1sd_service_stat + +- name: Ensure matrix-ma1sd is stopped + service: + name: matrix-ma1sd + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_ma1sd_enabled|bool and matrix_ma1sd_service_stat.stat.exists" + +- name: Ensure matrix-ma1sd.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-ma1sd.service" + state: absent + when: "not matrix_ma1sd_enabled|bool and matrix_ma1sd_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-ma1sd.service removal + service: + daemon_reload: yes + when: "not matrix_ma1sd_enabled|bool and matrix_ma1sd_service_stat.stat.exists" + +- name: Ensure Matrix ma1sd paths don't exist + file: + path: "{{ matrix_ma1sd_base_path }}" + state: absent + when: "not matrix_ma1sd_enabled|bool" + +- name: Ensure ma1sd Docker image doesn't exist + docker_image: + name: "{{ matrix_ma1sd_docker_image }}" + state: absent + when: "not matrix_ma1sd_enabled|bool" diff --git a/roles/matrix-ma1sd/tasks/validate_config.yml b/roles/matrix-ma1sd/tasks/validate_config.yml new file mode 100644 index 00000000..691fe0ac --- /dev/null +++ b/roles/matrix-ma1sd/tasks/validate_config.yml @@ -0,0 +1,66 @@ +--- + +- name: (Deprecation) Warn about ma1sd variables that are not used anymore + fail: + msg: > + The `{{ item }}` variable defined in your configuration is not used by this playbook anymore! + You'll need to adapt to the new way of extending ma1sd configuration. + See the CHANGELOG and the `matrix_ma1sd_configuration_extension_yaml` variable for more information and examples. + when: "item in vars" + with_items: + - 'matrix_ma1sd_ldap_enabled' + - 'matrix_ma1sd_ldap_connection_host' + - 'matrix_ma1sd_ldap_connection_tls' + - 'matrix_ma1sd_ldap_connection_port' + - 'matrix_ma1sd_ldap_connection_baseDn' + - 'matrix_ma1sd_ldap_connection_baseDns' + - 'matrix_ma1sd_ldap_connection_bindDn' + - 'matrix_ma1sd_ldap_connection_bindPassword' + - 'matrix_ma1sd_ldap_filter' + - 'matrix_ma1sd_ldap_attribute_uid_type' + - 'matrix_ma1sd_ldap_attribute_uid_value' + - 'matrix_ma1sd_ldap_connection_bindPassword' + - 'matrix_ma1sd_ldap_attribute_name' + - 'matrix_ma1sd_ldap_attribute_threepid_email' + - 'matrix_ma1sd_ldap_attribute_threepid_msisdn' + - 'matrix_ma1sd_ldap_identity_filter' + - 'matrix_ma1sd_ldap_identity_medium' + - 'matrix_ma1sd_ldap_auth_filter' + - 'matrix_ma1sd_ldap_directory_filter' + - 'matrix_ma1sd_template_config' + +- name: Ensure ma1sd configuration does not contain any dot-notation keys + fail: + msg: > + Since version 1.3.0, ma1sd will not accept property-style configuration keys. + You have defined a key (`{{ item.key }}`) which contains a dot. + Instead, use nesting. See: https://github.com/ma1uta/ma1sd/wiki/Upgrade-Notes#v130 + when: "'.' in item.key" + with_dict: "{{ matrix_ma1sd_configuration }}" + +- name: Fail if required ma1sd settings not defined + fail: + msg: > + You need to define a required configuration setting (`{{ item }}`) for using ma1sd. + when: "vars[item] == ''" + with_items: + - "matrix_ma1sd_threepid_medium_email_connectors_smtp_host" + +- name: (Deprecation) Catch and report renamed ma1sd variables + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "vars | dict2items | selectattr('key', 'match', item.old) | list | items2dict" + with_items: + - {'old': 'matrix_ma1sd_container_expose_port', 'new': ''} + +- name: (Deprecation) Catch and report mxisd variables + fail: + msg: >- + mxisd is deprecated and has been replaced with ma1sd (https://github.com/ma1uta/ma1sd), a compatible fork. + The playbook will migrate your existing mxisd configuration and data automatically, but you need to adjust variable names. + Please change your configuration (vars.yml) to rename all mxisd variables (`{{ item.old }}` -> `{{ item.new }}`). + when: "vars | dict2items | selectattr('key', 'match', item.old) | list | items2dict" + with_items: + - {'old': 'matrix_mxisd_.*', 'new': 'matrix_ma1sd_.*'} diff --git a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 new file mode 100644 index 00000000..b316fc2b --- /dev/null +++ b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 @@ -0,0 +1,46 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix ma1sd Identity server +{% for service in matrix_ma1sd_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_ma1sd_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill matrix-ma1sd +ExecStartPre=-/usr/bin/docker rm matrix-ma1sd + +# ma1sd writes an SQLite shared library (libsqlitejdbc.so) to /tmp and executes it from there, +# so /tmp needs to be mounted with an exec option. +ExecStart=/usr/bin/docker run --rm --name matrix-ma1sd \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --tmpfs=/tmp:rw,exec,nosuid,size=10m \ + --network={{ matrix_docker_network }} \ + {% if matrix_ma1sd_container_http_host_bind_port %} + -p {{ matrix_ma1sd_container_http_host_bind_port }}:8090 \ + {% endif %} + {% if matrix_ma1sd_verbose_logging %} + -e MA1SD_LOG_LEVEL=debug \ + {% endif %} + -v {{ matrix_ma1sd_config_path }}:/etc/ma1sd:ro \ + -v {{ matrix_ma1sd_data_path }}:/var/ma1sd:rw \ + {% for arg in matrix_ma1sd_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_ma1sd_docker_image }} + +ExecStop=-/usr/bin/docker kill matrix-ma1sd +ExecStop=-/usr/bin/docker rm matrix-ma1sd +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-ma1sd + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-ma1sd/vars/main.yml b/roles/matrix-ma1sd/vars/main.yml new file mode 100644 index 00000000..b6c97a59 --- /dev/null +++ b/roles/matrix-ma1sd/vars/main.yml @@ -0,0 +1,5 @@ +--- + +# Doing `|from_yaml` when the extension contains nothing yields an empty string (""). +# We need to ensure it's a dictionary or `|combine` (when building `matrix_ma1sd_configuration`) will fail later. +matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml|from_yaml if matrix_ma1sd_configuration_extension_yaml|from_yaml else {} }}" diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml deleted file mode 100644 index 605f4028..00000000 --- a/roles/matrix-mxisd/defaults/main.yml +++ /dev/null @@ -1,178 +0,0 @@ -# mxisd is a Federated Matrix Identity Server -# See: https://github.com/kamax-matrix/mxisd - -matrix_mxisd_enabled: true - -matrix_mxisd_container_image_self_build: false - -matrix_mxisd_docker_image: "kamax/mxisd:1.4.6" -matrix_mxisd_docker_image_force_pull: "{{ matrix_mxisd_docker_image.endswith(':latest') }}" - -matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd" -matrix_mxisd_docker_src_files_path: "{{ matrix_mxisd_base_path }}/docker-src" -matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config" -matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data" - -# Controls whether the matrix-mxisd container exposes its HTTP port (tcp/8090 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:8090"), or empty string to not expose. -matrix_mxisd_container_http_host_bind_port: '' - -# A list of extra arguments to pass to the container -matrix_mxisd_container_extra_arguments: [] - -# List of systemd services that matrix-mxisd.service depends on -matrix_mxisd_systemd_required_services_list: ['docker.service'] - -# List of systemd services that matrix-mxisd.service wants -matrix_mxisd_systemd_wanted_services_list: [] - -# Your identity server is private by default. -# To ensure maximum discovery, you can make your identity server -# also forward lookups to the central matrix.org Identity server -# (at the cost of potentially leaking all your contacts information). -# Enabling this is discouraged. Learn more here: https://github.com/kamax-io/mxisd/blob/master/docs/features/identity.md#lookups -matrix_mxisd_matrixorg_forwarding_enabled: false - -# mxisd has serveral supported identity stores. -# One of them is storing identities directly in Synapse's database. -# Learn more here: https://github.com/kamax-matrix/mxisd/blob/master/docs/stores/synapse.md -matrix_mxisd_synapsesql_enabled: false -matrix_mxisd_synapsesql_type: "" -matrix_mxisd_synapsesql_connection: "" - -# Setting up email-sending settings is required for using mxisd. -matrix_mxisd_threepid_medium_email_identity_from: "matrix@{{ matrix_domain }}" -matrix_mxisd_threepid_medium_email_connectors_smtp_host: "" -matrix_mxisd_threepid_medium_email_connectors_smtp_port: 587 -matrix_mxisd_threepid_medium_email_connectors_smtp_tls: 1 -matrix_mxisd_threepid_medium_email_connectors_smtp_login: "" -matrix_mxisd_threepid_medium_email_connectors_smtp_password: "" - -# DNS overwrites are useful for telling mxisd how it can reach the homeserver directly. -# Useful when reverse-proxying certain URLs (e.g. `/_matrix/client/r0/user_directory/search`) to mxisd, -# so that mxisd can rewrite the original URL to one that would reach the homeserver. -matrix_mxisd_dns_overwrite_enabled: false -matrix_mxisd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" -matrix_mxisd_dns_overwrite_homeserver_client_value: "http://matrix-synapse:8008" - -# Override the default email templates -# To use this, fill in the template variables with the full desired template as a multi-line YAML variable -# -# More info: -# https://github.com/kamax-matrix/mxisd/blob/master/docs/threepids/notification/template-generator.md -# https://github.com/kamax-matrix/mxisd/tree/master/src/main/resources/threepids/email -matrix_mxisd_threepid_medium_email_custom_templates_enabled: false -matrix_mxisd_threepid_medium_email_custom_invite_template: "" -matrix_mxisd_threepid_medium_email_custom_session_validation_template: "" -matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template: "" -matrix_mxisd_threepid_medium_email_custom_matrixid_template: "" - -# Controls whether the self-check feature should validate SSL certificates. -matrix_mxisd_self_check_validate_certificates: true - -# Controls mxisd logging verbosity for troubleshooting. -# -# According to: https://github.com/kamax-matrix/mxisd/blob/master/docs/troubleshooting.md#increase-verbosity -matrix_mxisd_verbose_logging: false - -# Default mxisd configuration template which covers the generic use case. -# You can customize it by controlling the various variables inside it. -# -# For a more advanced customization, you can extend the default (see `matrix_mxisd_configuration_extension_yaml`) -# or completely replace this variable with your own template. -matrix_mxisd_configuration_yaml: | - #jinja2: lstrip_blocks: True - matrix: - domain: {{ matrix_domain }} - - server: - name: {{ matrix_server_fqn_matrix }} - - key: - path: /var/mxisd/sign.key - - storage: - provider: - sqlite: - database: /var/mxisd/mxisd.db - - {% if matrix_mxisd_dns_overwrite_enabled %} - dns: - overwrite: - homeserver: - client: - - name: {{ matrix_mxisd_dns_overwrite_homeserver_client_name }} - value: {{ matrix_mxisd_dns_overwrite_homeserver_client_value }} - {% endif %} - - {% if matrix_mxisd_matrixorg_forwarding_enabled %} - forward: - servers: ['matrix-org'] - {% endif %} - - threepid: - medium: - email: - identity: - from: {{ matrix_mxisd_threepid_medium_email_identity_from }} - connectors: - smtp: - host: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_host }} - port: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_port }} - tls: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_tls }} - login: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_login }} - password: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_password }} - {% if matrix_mxisd_threepid_medium_email_custom_templates_enabled %} - generators: - template: - {% if matrix_mxisd_threepid_medium_email_custom_invite_template %} - invite: '/var/mxisd/invite-template.eml' - {% endif %} - {% if matrix_mxisd_threepid_medium_email_custom_session_validation_template or matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template %} - session: - {% if matrix_mxisd_threepid_medium_email_custom_session_validation_template %} - validation: '/var/mxisd/validate-template.eml' - {% endif %} - {% if matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template %} - unbind: - frandulent: '/var/mxisd/unbind-fraudulent.eml' - {% endif %} - {% endif %} - {% if matrix_mxisd_threepid_medium_email_custom_matrixid_template %} - generic: - matrixId: '/var/mxisd/mxid-template.eml' - {% endif %} - {% endif %} - - synapseSql: - enabled: {{ matrix_mxisd_synapsesql_enabled }} - type: {{ matrix_mxisd_synapsesql_type }} - connection: {{ matrix_mxisd_synapsesql_connection }} - -matrix_mxisd_configuration_extension_yaml: | - # Your custom YAML configuration for mxisd goes here. - # This configuration extends the default starting configuration (`matrix_mxisd_configuration_yaml`). - # - # You can override individual variables from the default configuration, or introduce new ones. - # - # If you need something more special, you can take full control by - # completely redefining `matrix_mxisd_configuration_yaml`. - # - # Example configuration extension follows: - # - # ldap: - # enabled: true - # connection: - # host: ldapHostnameOrIp - # tls: false - # port: 389 - # baseDNs: ['OU=Users,DC=example,DC=org'] - # bindDn: CN=My Mxisd User,OU=Users,DC=example,DC=org - # bindPassword: TheUserPassword - -matrix_mxisd_configuration_extension: "{{ matrix_mxisd_configuration_extension_yaml|from_yaml if matrix_mxisd_configuration_extension_yaml|from_yaml is mapping else {} }}" - -# Holds the final mxisd configuration (a combination of the default and its extension). -# You most likely don't need to touch this variable. Instead, see `matrix_mxisd_configuration_yaml`. -matrix_mxisd_configuration: "{{ matrix_mxisd_configuration_yaml|from_yaml|combine(matrix_mxisd_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-mxisd/tasks/main.yml b/roles/matrix-mxisd/tasks/main.yml deleted file mode 100644 index 31970db4..00000000 --- a/roles/matrix-mxisd/tasks/main.yml +++ /dev/null @@ -1,21 +0,0 @@ -- import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup|bool and matrix_mxisd_enabled|bool" - tags: - - setup-all - - setup-mxisd - -- import_tasks: "{{ role_path }}/tasks/setup_mxisd.yml" - tags: - - setup-all - - setup-mxisd - -- import_tasks: "{{ role_path }}/tasks/self_check_mxisd.yml" - delegate_to: 127.0.0.1 - become: false - when: "run_self_check|bool and matrix_mxisd_enabled|bool" - tags: - - self-check diff --git a/roles/matrix-mxisd/tasks/self_check_mxisd.yml b/roles/matrix-mxisd/tasks/self_check_mxisd.yml deleted file mode 100644 index 137907bb..00000000 --- a/roles/matrix-mxisd/tasks/self_check_mxisd.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- - -- set_fact: - mxisd_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/identity/api/v1" - -- name: Check mxisd Identity Service - uri: - url: "{{ mxisd_url_endpoint_public }}" - follow_redirects: none - validate_certs: "{{ matrix_mxisd_self_check_validate_certificates }}" - register: result_mxisd - ignore_errors: true - -- name: Fail if mxisd Identity Service not working - fail: - msg: "Failed checking mxisd is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ mxisd_url_endpoint_public }}`). Is mxisd running? Is port 443 open in your firewall? Full error: {{ result_mxisd }}" - when: "result_mxisd.failed or 'json' not in result_mxisd" - -- name: Report working mxisd Identity Service - debug: - msg: "mxisd at `{{ matrix_server_fqn_matrix }}` is working (checked endpoint: `{{ mxisd_url_endpoint_public }}`)" diff --git a/roles/matrix-mxisd/tasks/setup_mxisd.yml b/roles/matrix-mxisd/tasks/setup_mxisd.yml deleted file mode 100644 index 0ad36301..00000000 --- a/roles/matrix-mxisd/tasks/setup_mxisd.yml +++ /dev/null @@ -1,137 +0,0 @@ ---- - -# -# Tasks related to setting up mxisd -# - -- name: Ensure mxisd paths exist - file: - path: "{{ item.path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" - with_items: - - { path: "{{ matrix_mxisd_config_path }}", when: true } - - { path: "{{ matrix_mxisd_data_path }}", when: true } - - { path: "{{ matrix_mxisd_docker_src_files_path }}", when: "{{ matrix_mxisd_container_image_self_build }}"} - when: matrix_mxisd_enabled|bool and item.when - -- name: Ensure mxisd image is pulled - docker_image: - name: "{{ matrix_mxisd_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_mxisd_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mxisd_docker_image_force_pull }}" - when: matrix_mxisd_enabled|bool and not matrix_mxisd_container_image_self_build - -- block: - - name: Ensure gradle is installed for self-building (Debian) - apt: - name: - - gradle - state: present - update_cache: yes - when: (ansible_os_family == 'Debian') - - - name: Ensure gradle is installed for self-building (CentOS) - fail: - msg: "Installing gradle on CentOS is currently not supported, so self-building mxisd cannot happen at this time" - when: ansible_distribution == 'CentOS' - - - name: Ensure gradle is installed for self-building (Archlinux) - pacman: - name: - - gradle - state: latest - update_cache: yes - when: ansible_distribution == 'Archlinux' - - - name: Ensure mxisd repository is present on self-build - git: - repo: https://github.com/kamax-matrix/mxisd.git - dest: "{{ matrix_mxisd_docker_src_files_path }}" - version: "v{{ matrix_mxisd_docker_image.split(':')[1] }}" - force: "yes" - - - name: Ensure mxisd Docker image is built - shell: "./gradlew dockerBuild" - args: - chdir: "{{ matrix_mxisd_docker_src_files_path }}" - when: "matrix_mxisd_enabled|bool and matrix_mxisd_container_image_self_build" - -- name: Ensure mxisd config installed - copy: - content: "{{ matrix_mxisd_configuration|to_nice_yaml }}" - dest: "{{ matrix_mxisd_config_path }}/mxisd.yaml" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" - when: matrix_mxisd_enabled|bool - -- name: Ensure custom templates are installed if any - copy: - content: "{{ item.value }}" - dest: "{{ matrix_mxisd_data_path }}/{{ item.location }}" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" - with_items: - - {value: "{{ matrix_mxisd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'} - - {value: "{{ matrix_mxisd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'} - - {value: "{{ matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template }}", location: 'unbind-fraudulent.eml'} - - {value: "{{ matrix_mxisd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'} - when: "matrix_mxisd_enabled|bool and matrix_mxisd_threepid_medium_email_custom_templates_enabled|bool and item.value" - -- name: Ensure matrix-mxisd.service installed - template: - src: "{{ role_path }}/templates/systemd/matrix-mxisd.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-mxisd.service" - mode: 0644 - register: matrix_mxisd_systemd_service_result - when: matrix_mxisd_enabled|bool - -- name: Ensure systemd reloaded after matrix-mxisd.service installation - service: - daemon_reload: yes - when: "matrix_mxisd_enabled|bool and matrix_mxisd_systemd_service_result.changed" - -# -# Tasks related to getting rid of mxisd (if it was previously enabled) -# - -- name: Check existence of matrix-mxisd service - stat: - path: "{{ matrix_systemd_path }}/matrix-mxisd.service" - register: matrix_mxisd_service_stat - -- name: Ensure matrix-mxisd is stopped - service: - name: matrix-mxisd - state: stopped - daemon_reload: yes - register: stopping_result - when: "not matrix_mxisd_enabled|bool and matrix_mxisd_service_stat.stat.exists" - -- name: Ensure matrix-mxisd.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-mxisd.service" - state: absent - when: "not matrix_mxisd_enabled|bool and matrix_mxisd_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mxisd.service removal - service: - daemon_reload: yes - when: "not matrix_mxisd_enabled|bool and matrix_mxisd_service_stat.stat.exists" - -- name: Ensure Matrix mxisd paths don't exist - file: - path: "{{ matrix_mxisd_base_path }}" - state: absent - when: "not matrix_mxisd_enabled|bool" - -- name: Ensure mxisd Docker image doesn't exist - docker_image: - name: "{{ matrix_mxisd_docker_image }}" - state: absent - when: "not matrix_mxisd_enabled|bool" diff --git a/roles/matrix-mxisd/tasks/validate_config.yml b/roles/matrix-mxisd/tasks/validate_config.yml deleted file mode 100644 index 200a43a3..00000000 --- a/roles/matrix-mxisd/tasks/validate_config.yml +++ /dev/null @@ -1,57 +0,0 @@ ---- - -- name: (Deprecation) Warn about mxisd variables that are not used anymore - fail: - msg: > - The `{{ item }}` variable defined in your configuration is not used by this playbook anymore! - You'll need to adapt to the new way of extending mxisd configuration. - See the CHANGELOG and the `matrix_mxisd_configuration_extension_yaml` variable for more information and examples. - when: "item in vars" - with_items: - - 'matrix_mxisd_ldap_enabled' - - 'matrix_mxisd_ldap_connection_host' - - 'matrix_mxisd_ldap_connection_tls' - - 'matrix_mxisd_ldap_connection_port' - - 'matrix_mxisd_ldap_connection_baseDn' - - 'matrix_mxisd_ldap_connection_baseDns' - - 'matrix_mxisd_ldap_connection_bindDn' - - 'matrix_mxisd_ldap_connection_bindPassword' - - 'matrix_mxisd_ldap_filter' - - 'matrix_mxisd_ldap_attribute_uid_type' - - 'matrix_mxisd_ldap_attribute_uid_value' - - 'matrix_mxisd_ldap_connection_bindPassword' - - 'matrix_mxisd_ldap_attribute_name' - - 'matrix_mxisd_ldap_attribute_threepid_email' - - 'matrix_mxisd_ldap_attribute_threepid_msisdn' - - 'matrix_mxisd_ldap_identity_filter' - - 'matrix_mxisd_ldap_identity_medium' - - 'matrix_mxisd_ldap_auth_filter' - - 'matrix_mxisd_ldap_directory_filter' - - 'matrix_mxisd_template_config' - -- name: Ensure mxisd configuration does not contain any dot-notation keys - fail: - msg: > - Since version 1.3.0, mxisd will not accept property-style configuration keys. - You have defined a key (`{{ item.key }}`) which contains a dot. - Instead, use nesting. See: https://github.com/kamax-matrix/mxisd/wiki/Upgrade#v130 - when: "'.' in item.key" - with_dict: "{{ matrix_mxisd_configuration }}" - -- name: Fail if required mxisd settings not defined - fail: - msg: > - You need to define a required configuration setting (`{{ item }}`) for using mxisd. - when: "vars[item] == ''" - with_items: - - "matrix_mxisd_threepid_medium_email_connectors_smtp_host" - - -- name: (Deprecation) Catch and report renamed mxisd variables - fail: - msg: >- - Your configuration contains a variable, which now has a different name. - Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). - when: "item.old in vars" - with_items: - - {'old': 'matrix_mxisd_container_expose_port', 'new': ''} diff --git a/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 b/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 deleted file mode 100644 index d60740f5..00000000 --- a/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 +++ /dev/null @@ -1,46 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix mxisd Identity server -{% for service in matrix_mxisd_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -{% for service in matrix_mxisd_systemd_wanted_services_list %} -Wants={{ service }} -{% endfor %} - -[Service] -Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-mxisd -ExecStartPre=-/usr/bin/docker rm matrix-mxisd - -# mxisd writes an SQLite shared library (libsqlitejdbc.so) to /tmp and executes it from there, -# so /tmp needs to be mounted with an exec option. -ExecStart=/usr/bin/docker run --rm --name matrix-mxisd \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --read-only \ - --tmpfs=/tmp:rw,exec,nosuid,size=10m \ - --network={{ matrix_docker_network }} \ - {% if matrix_mxisd_container_http_host_bind_port %} - -p {{ matrix_mxisd_container_http_host_bind_port }}:8090 \ - {% endif %} - {% if matrix_mxisd_verbose_logging %} - -e MXISD_LOG_LEVEL=debug \ - {% endif %} - -v {{ matrix_mxisd_config_path }}:/etc/mxisd:ro \ - -v {{ matrix_mxisd_data_path }}:/var/mxisd:rw \ - {% for arg in matrix_mxisd_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_mxisd_docker_image }} - -ExecStop=-/usr/bin/docker kill matrix-mxisd -ExecStop=-/usr/bin/docker rm matrix-mxisd -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-mxisd - -[Install] -WantedBy=multi-user.target diff --git a/roles/matrix-mxisd/vars/main.yml b/roles/matrix-mxisd/vars/main.yml deleted file mode 100644 index f5fbf9ad..00000000 --- a/roles/matrix-mxisd/vars/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -# Doing `|from_yaml` when the extension contains nothing yields an empty string (""). -# We need to ensure it's a dictionary or `|combine` (when building `matrix_mxisd_configuration`) will fail later. -matrix_mxisd_configuration_extension: "{{ matrix_mxisd_configuration_extension_yaml|from_yaml if matrix_mxisd_configuration_extension_yaml|from_yaml else {} }}" \ No newline at end of file diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 8f3f0481..12d314f5 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -116,21 +116,21 @@ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:410 # Controls whether proxying for the User Directory Search API (`/_matrix/client/r0/user_directory/search`) should be done (on the matrix domain). # This can be used to forward the API endpoint to another service, augmenting the functionality of Synapse's own User Directory Search. -# To learn more, see: https://github.com/kamax-matrix/mxisd/blob/master/docs/features/directory.md +# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/directory.md matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false -matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-mxisd:8090" +matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-ma1sd:8090" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:8090" # Controls whether proxying for 3PID-based registration (`/_matrix/client/r0/register/(email|msisdn)/requestToken`) should be done (on the matrix domain). # This allows another service to control registrations involving 3PIDs. -# To learn more, see: https://github.com/kamax-matrix/mxisd/blob/master/docs/features/registration.md +# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled: false -matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-mxisd:8090" +matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-ma1sd:8090" matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container: "127.0.0.1:8090" # Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false -matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-mxisd:8090" +matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:8090" matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090" # Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain) diff --git a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml index 6aaf9cb3..be1b6555 100644 --- a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml +++ b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml @@ -18,7 +18,7 @@ follow_redirects: safe validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}" - - name: Determine domains that we require certificates for (mxisd) + - name: Determine domains that we require certificates for (ma1sd) set_fact: well_known_file_checks: "{{ well_known_file_checks + [well_known_file_check_matrix_server] }}" when: matrix_well_known_matrix_server_enabled|bool diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index f896f232..38cd2321 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -164,6 +164,14 @@ matrix_synapse_enable_group_creation: false # A list of 3PID types which users must supply when registering (possible values: email, msisdn). matrix_synapse_registrations_require_3pid: [] +# The server to use for email threepid validation. When empty, Synapse does it by itself. +# Otherwise, this should be pointed to an identity server. +matrix_synapse_account_threepid_delegates_email: '' + +# The server to use for phone number threepid validation. When empty, validation cannot happen, as Synapse doesn't support it. +# To make it work, this should be pointed to an identity server. +matrix_synapse_account_threepid_delegates_msisdn: '' + # Users who register on this homeserver will automatically be joined to these rooms. # Rooms are to be specified using addresses (e.g. `#address:example.com`) matrix_synapse_auto_join_rooms: [] diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index b3adcac9..310421e9 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -1060,8 +1060,8 @@ trusted_third_party_id_servers: # If a delegate is specified, the config option public_baseurl must also be filled out. # account_threepid_delegates: - #email: https://example.com # Delegate email sending to example.com - #msisdn: http://localhost:8090 # Delegate SMS sending to this local process + email: {{ matrix_synapse_account_threepid_delegates_email|to_json }} + msisdn: {{ matrix_synapse_account_threepid_delegates_msisdn|to_json }} # Users who register on this homeserver will automatically be joined # to these rooms diff --git a/setup.yml b/setup.yml index 61d448f3..5baee8f3 100755 --- a/setup.yml +++ b/setup.yml @@ -19,7 +19,7 @@ - matrix-synapse - matrix-riot-web - matrix-jitsi - - matrix-mxisd + - matrix-ma1sd - matrix-dimension - matrix-email2matrix - matrix-nginx-proxy