From 74093dfb155f2c41108cbea427d7a7ff05f08869 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 15 Aug 2018 10:23:22 +0300 Subject: [PATCH] Add mxisd Identity Server support --- CHANGELOG.md | 8 ++ README.md | 4 + docs/configuring-dns.md | 8 +- docs/configuring-playbook-mxisd.md | 33 +++++++++ docs/configuring-playbook.md | 2 + roles/matrix-server/defaults/main.yml | 43 ++++++++++- roles/matrix-server/tasks/main.yml | 5 ++ roles/matrix-server/tasks/setup_mxisd.yml | 74 +++++++++++++++++++ roles/matrix-server/tasks/start.yml | 4 + .../templates/mxisd/mxisd.yaml.j2 | 19 +++++ .../nginx-conf.d/matrix-synapse.conf.j2 | 14 ++++ .../templates/riot-web/config.json.j2 | 2 +- .../templates/synapse/homeserver.yaml.j2 | 6 +- .../templates/systemd/matrix-mxisd.service.j2 | 29 ++++++++ .../systemd/matrix-nginx-proxy.service.j2 | 3 + 15 files changed, 247 insertions(+), 7 deletions(-) create mode 100644 docs/configuring-playbook-mxisd.md create mode 100644 roles/matrix-server/tasks/setup_mxisd.yml create mode 100644 roles/matrix-server/templates/mxisd/mxisd.yaml.j2 create mode 100644 roles/matrix-server/templates/systemd/matrix-mxisd.service.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 1956ac8e..f079951d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,11 @@ +# 2018-08-15 + +## mxisd Identity Server support + +The playbook now sets up an [mxisd](https://github.com/kamax-io/mxisd) Identity Server for you by default. +Additional details are available in [Adjusting mxisd Identity Server configuration](docs/configuring-playbook-mxisd.md). + + # 2018-08-14 ## Email-sending support diff --git a/README.md b/README.md index ee5d8e03..843d8008 100644 --- a/README.md +++ b/README.md 
@@ -20,6 +20,8 @@ Using this playbook, you can get the following services configured on your serve - (optional default) a [Riot](https://riot.im/) web UI, which is configured to connect to your own Matrix Synapse server by default +- (optional default) an [mxisd](https://github.com/kamax-io/mxisd) Matrix Identity server + - (optional default) a [Postfix](http://www.postfix.org/) mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) - (optional default) an [nginx](http://nginx.org/) web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver [is possible](#using-your-own-webserver-instead-of-this-playbooks-nginx-proxy-optional) @@ -72,6 +74,8 @@ This playbook sets up your server using the following Docker images: - [avhost/docker-matrix-riot](https://hub.docker.com/r/avhost/docker-matrix-riot/) - the [Riot.im](https://about.riot.im/) web client (optional) +- [kamax/mxisd](https://hub.docker.com/r/kamax/mxisd/) - the [mxisd](https://github.com/kamax-io/mxisd) Matrix Identity server (optional) + - [postgres](https://hub.docker.com/_/postgres/) - the [Postgres](https://www.postgresql.org/) database server (optional) - [cloudproto/goofys](https://hub.docker.com/r/cloudproto/goofys/) - the [Goofys](https://github.com/kahing/goofys) Amazon [S3](https://aws.amazon.com/s3/) file-system-mounting program (optional) diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index 8d9d60a1..434416ad 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md 
@@ -12,8 +12,12 @@ The SRV record should look like this: - Name: `_matrix._tcp` (use this text as-is) - Content: `10 0 8448 matrix.` (replace `` with your own) -Once you've set up this DNS SRV record, you should create 2 other domain names (`matrix.` and `riot.`) and point both of them to your new server's IP address (DNS `A` record or `CNAME` is fine). +To make the [mxisd](https://github.com/kamax-io/mxisd) Identity Server (which this playbook installs for you) be authoritative for your domain name, set up one more SRV record that looks like this: +- Name: `_matrix-identity._tcp` (use this text as-is) +- Content: `10 0 443 matrix.` (replace `` with your own) -This playbook can then install all the services on that new server and you'll be able to join the Matrix network as `@:`, even though everything is installed elsewhere (not on ``). +Once you've set up these DNS SRV records, you should create 2 other domain names (`matrix.` and `riot.`) and point both of them to your new server's IP address (DNS `A` record or `CNAME` is fine). + +This playbook can then install all the services on that new server and you'll be able to join the Matrix network as `@:`. When ready to proceed, continue with [Configuring this Ansible playbook](configuring-playbook.md). \ No newline at end of file diff --git a/docs/configuring-playbook-mxisd.md b/docs/configuring-playbook-mxisd.md new file mode 100644 index 00000000..ae6be2c2 --- /dev/null +++ b/docs/configuring-playbook-mxisd.md 
@@ -0,0 +1,33 @@ +# Adjusting mxisd Identity Server configuration (optional) + +By default, this playbook configures an [mxisd](https://github.com/kamax-io/mxisd) Identity Server for you. + +This server is private by default, potentially at the expense of user discoverability. + + +## Matrix.org lookup forwarding + +To ensure maximum discovery, you can make your identity server also forward lookups to the central matrix.org Identity server (at the cost of potentially leaking all your contacts information). + +Enabling this is discouraged and you'd better [learn more](https://github.com/kamax-io/mxisd/blob/master/docs/features/identity.md#lookups) before proceeding. + +Enabling matrix.org forwarding can happen with the following configuration: + +```yaml +matrix_mxisd_matrixorg_forwarding_enabled: true +``` + + +## Additional features + +What this playbook configures for your is some bare minimum Identity Server functionality, so that you won't need to rely on external 3rd party services. + +Still, mxisd can do much more. +You can refer to the [mxisd website](https://github.com/kamax-io/mxisd) for more details. + +You can override the `matrix_mxisd_template_config` variable and use your own custom configuration template. + + +## Troubleshooting + +If email address validation emails sent by mxisd are not reaching you, you should look into [Adjusting email-sending settings](configuring-playbook-email.md). \ No newline at end of file diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index a83d2742..58f2133b 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md 
@@ -29,4 +29,6 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Using an external PostgreSQL server](configuring-playbook-external-postgres.md) (optional) +- [Adjusting mxisd Identity Server configuration](configuring-playbook-mxisd.md) (optional) + - [Using your own webserver, instead of this playbook's nginx proxy](configuring-playbook-own-webserver.md) (optional) \ No newline at end of file diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index 56674332..429c57fc 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -46,6 +46,16 @@ matrix_synapse_macaroon_secret_key: "" matrix_synapse_registration_shared_secret: "{{ matrix_synapse_macaroon_secret_key }}" matrix_synapse_form_secret: "{{ matrix_synapse_macaroon_secret_key }}" +# These are the identity servers that would be trusted by Synapse if mxisd is NOT enabled +matrix_synapse_id_servers_public: ['vector.im', 'riot.im', 'matrix.org'] + +# These are the identity servers that would be trusted by Synapse if mxisd IS enabled +matrix_synapse_id_servers_own: "['{{ hostname_matrix }}']" + +# The final list of identity servers to use for Synapse. +# The first one would also be used as riot-web's default identity server. +matrix_synapse_trusted_third_party_id_servers: "{{ matrix_synapse_id_servers_own if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}" + matrix_synapse_max_upload_size_mb: 10 matrix_synapse_max_log_file_size_mb: 100 matrix_synapse_max_log_files_count: 10 @@ -58,7 +68,6 @@ matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn" matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf" matrix_scratchpad_dir: "{{ matrix_base_data_path }}/scratchpad" - matrix_docker_image_postgres_v9: "postgres:9.6.10-alpine" matrix_docker_image_postgres_v10: "postgres:10.5-alpine" matrix_docker_image_postgres_latest: "{{ matrix_docker_image_postgres_v10 }}" 
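Review bot: `matrix_synapse_id_servers_own` is declared as the quoted string `"['{{ hostname_matrix }}']"` while its sibling `matrix_synapse_id_servers_public` is a real YAML list, so whether the ternary in `matrix_synapse_trusted_third_party_id_servers` yields a list depends on Ansible implicitly re-evaluating the rendered string as a Python literal, which is version-dependent behaviour rather than something the playbook controls. If the value stays a string, the `{% for server in matrix_synapse_trusted_third_party_id_servers %}` loop added in homeserver.yaml.j2 iterates characters and the `[0]` in `matrix_riot_web_default_identity_server_url` (later hunk of this file) yields `[`. Declaring it as a list removes the dependency: `matrix_synapse_id_servers_own: ["{{ hostname_matrix }}"]`.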
@@ -70,6 +79,7 @@ matrix_docker_image_s3fs: "xueshanf/s3fs:latest" matrix_docker_image_goofys: "cloudproto/goofys:latest" matrix_docker_image_coturn: "instrumentisto/coturn:4.5.0.7" matrix_docker_image_mailer: "panubo/postfix:latest" +matrix_docker_image_mxisd: "kamax/mxisd:1.1.1" # The Docker network that all services would be put into matrix_docker_network: "matrix" @@ -84,14 +94,17 @@ matrix_coturn_turn_udp_max_port: 49172 matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" + matrix_s3_media_store_enabled: false matrix_s3_media_store_bucket_name: "your-bucket-name" matrix_s3_media_store_aws_access_key: "your-aws-access-key" matrix_s3_media_store_aws_secret_key: "your-aws-secret-key" matrix_s3_media_store_region: "eu-central-1" + # By default, this playbook sets up a postfix mailer server (running in a container). # This is so that Matrix Synapse can send email reminders for unread messages. +# Other services (like mxisd), however, also use that mailer to send emails through it. matrix_mailer_enabled: true matrix_mailer_sender_address: "matrix@{{ hostname_identity }}" 
@@ -102,11 +115,39 @@ matrix_mailer_relay_auth: false matrix_mailer_relay_auth_username: "" matrix_mailer_relay_auth_password: "" + +# By default, this playbook installs the mxisd identity server on the same domain as Synapse (`hostname_matrix`). +# If you wish to use the public identity servers (matrix.org, vector.im, riot.im) instead of your own, +# you may wish to disable this. +matrix_mxisd_enabled: true + +matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd" +matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config" +matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data" + +# Your identity server is private by default. +# To ensure maximum discovery, you can make your identity server +# also forward lookups to the central matrix.org Identity server +# (at the cost of potentially leaking all your contacts information). +# Enabling this is discouraged. Learn more here: https://github.com/kamax-io/mxisd/blob/master/docs/features/identity.md#lookups +matrix_mxisd_matrixorg_forwarding_enabled: false + +# Specifies which template files to use when configuring mxisd. +# If you'd like to have your own different configuration, feel free to copy and paste +# the original files into your inventory (e.g. in `inventory/host_vars//`) +# and then change the specific host's `vars.yaml` file like this: +# matrix_mxisd_template_config: "{{ playbook_dir }}/inventory/host_vars//mxisd.yaml.j2" +matrix_mxisd_template_config: "{{ role_path }}/templates/mxisd/mxisd.yaml.j2" + + # By default, this playbook installs the Riot.IM web UI on the `hostname_riot` domain. # If you wish to connect to your Matrix server by other means, # you may wish to disable this. matrix_riot_web_enabled: true +matrix_riot_web_default_identity_server_url: "https://{{ matrix_synapse_trusted_third_party_id_servers[0] }}" + + # By default, this playbook sets up its own nginx proxy server on port 80/443. # This is fine if you're dedicating the whole server to Matrix. 
# But in case that's not the case, you may wish to prevent that diff --git a/roles/matrix-server/tasks/main.yml b/roles/matrix-server/tasks/main.yml index 2808d003..c1447b23 100644 --- a/roles/matrix-server/tasks/main.yml +++ b/roles/matrix-server/tasks/main.yml @@ -42,6 +42,11 @@ - setup-all - setup-mailer +- include: tasks/setup_mxisd.yml + tags: + - setup-all + - setup-mxisd + - include: tasks/setup_synapse.yml tags: - setup-all diff --git a/roles/matrix-server/tasks/setup_mxisd.yml b/roles/matrix-server/tasks/setup_mxisd.yml new file mode 100644 index 00000000..5c10c9ad --- /dev/null +++ b/roles/matrix-server/tasks/setup_mxisd.yml 
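Review bot: The comment above `matrix_mxisd_enabled: true` does not say that mxisd is on by default yet refuses to install when `matrix_mailer_enabled` is false (setup_mxisd.yml fails with "You need to enable the mailer service"), so an existing deployment that had switched the mailer off starts failing at this version with no hint in the defaults file. Suggested line for that comment block: `# mxisd relies on the mailer (matrix_mailer_enabled) for email-based 3PID validation; if you run without the mailer, disable mxisd as well.` The same comment could note that enabling mxisd replaces matrix.org/vector.im/riot.im in Synapse's trusted identity servers, which the `matrix_synapse_trusted_third_party_id_servers` default earlier in this file implements.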
@@ -0,0 +1,74 @@
+---
+
+#
+# Tasks related to setting up mxisd
+#
+
+- name: Fail if mailer is not enabled
+  fail:
+    msg: "You need to enable the mailer service (matrix_mailer_enabled) to install mxisd"
+  when: "matrix_mxisd_enabled and not matrix_mailer_enabled"
+
+- name: Ensure mxisd paths exist
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  with_items:
+    - "{{ matrix_mxisd_config_path }}"
+    - "{{ matrix_mxisd_data_path }}"
+  when: matrix_mxisd_enabled
+
+- name: Ensure mxisd image is pulled
+  docker_image:
+    name: "{{ matrix_docker_image_mxisd }}"
+  when: matrix_mxisd_enabled
+
+- name: Ensure mxisd config installed
+  template:
+    src: "{{ matrix_mxisd_template_config }}"
+    dest: "{{ matrix_mxisd_config_path }}/mxisd.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  when: matrix_mxisd_enabled
+
+- name: Ensure matrix-mxisd.service installed
+  template:
+    src: "{{ role_path }}/templates/systemd/matrix-mxisd.service.j2"
+    dest: "/etc/systemd/system/matrix-mxisd.service"
+    mode: 0644
+  when: matrix_mxisd_enabled
+
+#
+# Tasks related to getting rid of mxisd (if it was previously enabled)
+#
+
+- name: Check existence of matrix-mxisd service
+  stat: path="/etc/systemd/system/matrix-mxisd.service"
+  register: matrix_mxisd_service_stat
+
+- name: Ensure matrix-mxisd is stopped
+  service: name=matrix-mxisd state=stopped daemon_reload=yes
+  register: stopping_result
+  when: "not matrix_mxisd_enabled and matrix_mxisd_service_stat.stat.exists"
+
+- name: Ensure matrix-mxisd.service doesn't exist
+  file:
+    path: "/etc/systemd/system/matrix-mxisd.service"
+    state: absent
+  when: "not matrix_mxisd_enabled and matrix_mxisd_service_stat.stat.exists"
+
+- name: Ensure Matrix mxisd paths don't exist
+  file:
+    path: "{{ matrix_mxisd_base_path }}"
+    state: absent
+  when: "not matrix_mxisd_enabled"
+
+- name: Ensure mxisd Docker image doesn't 
exist + docker_image: + name: "{{ matrix_docker_image_mxisd }}" + state: absent + when: "not matrix_mxisd_enabled" \ No newline at end of file diff --git a/roles/matrix-server/tasks/start.yml b/roles/matrix-server/tasks/start.yml index 80469456..c2cedca4 100644 --- a/roles/matrix-server/tasks/start.yml +++ b/roles/matrix-server/tasks/start.yml @@ -15,6 +15,10 @@ service: name=matrix-mailer enabled=yes state=restarted daemon_reload=yes when: matrix_mailer_enabled +- name: Ensure matrix-mxisd autoruns and is restarted + service: name=matrix-mxisd enabled=yes state=restarted daemon_reload=yes + when: matrix_mxisd_enabled + - name: Ensure matrix-synapse autoruns and is restarted service: name=matrix-synapse enabled=yes state=restarted daemon_reload=yes diff --git a/roles/matrix-server/templates/mxisd/mxisd.yaml.j2 b/roles/matrix-server/templates/mxisd/mxisd.yaml.j2 new file mode 100644 index 00000000..99c2d3d6 --- /dev/null +++ b/roles/matrix-server/templates/mxisd/mxisd.yaml.j2 @@ -0,0 +1,19 @@ +matrix.domain: {{ hostname_identity }} +server.name: {{ hostname_matrix }} + +key.path: /var/mxisd/sign.key + +storage.provider.sqlite.database: /var/mxisd/mxisd.db + +threepid.medium.email.identity.from: {{ matrix_mailer_sender_address }} +threepid.medium.email.connectors.smtp.host: matrix-mailer +threepid.medium.email.connectors.smtp.port: 587 +threepid.medium.email.connectors.smtp.tls: 0 + +synapseSql.enabled: true +synapseSql.type: postgresql +synapseSql.connection: //{{ matrix_postgres_connection_hostname }}/{{ matrix_postgres_db_name }}?user={{ matrix_postgres_connection_username }}&password={{ matrix_postgres_connection_password }} + +{% if matrix_mxisd_matrixorg_forwarding_enabled %} +forward.servers: ['matrix-org'] +{% endif %} \ No newline at end of file diff --git a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2 index 300705a0..706a41a5 100644 
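Review bot: `Ensure mxisd config installed` writes mxisd.yaml with `mode: 0644`, but the template it renders puts `matrix_postgres_connection_password` into `synapseSql.connection`, so a credential-bearing file is created world-readable; the `0750` directory from `Ensure mxisd paths exist` limits who can reach it on the host, but the file itself should not be more open than its content warrants. The container runs as `matrix_user_uid` and the file is owned by `matrix_user_username`, so `mode: 0640` works without any other change. Separately, `Ensure Matrix mxisd paths don't exist` deletes `matrix_mxisd_base_path`, which includes the data directory holding the signing key and sqlite database; a comment such as `# Destructive: removes the mxisd signing key and database too` above that task would make the consequence of flipping `matrix_mxisd_enabled` visible.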
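Review bot: `synapseSql.connection` interpolates `matrix_postgres_connection_username` and `matrix_postgres_connection_password` raw into both a URL query string and an unquoted YAML scalar, so a password containing `&`, `?` or `%` splits or corrupts the query string, and one containing ` #` turns the rest of the line into a YAML comment. Quoting the scalar and URL-encoding the two values avoids both: `synapseSql.connection: "//{{ matrix_postgres_connection_hostname }}/{{ matrix_postgres_db_name }}?user={{ matrix_postgres_connection_username | urlencode }}&password={{ matrix_postgres_connection_password | urlencode }}"`. `threepid.medium.email.connectors.smtp.tls: 0` also deserves a one-line comment that it is plaintext SMTP to the `matrix-mailer` container over the private Docker network, so the next reader does not mistake it for an oversight.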
--- a/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2
+++ b/roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2
@@ -39,6 +39,20 @@ server {
     ssl_prefer_server_ciphers on;
     ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
 
+    {% if matrix_mxisd_enabled %}
+    location /_matrix/identity {
+        {% if matrix_nginx_proxy_enabled %}
+        {# Use the embedded DNS resolver in Docker containers to discover the service #}
+        resolver 127.0.0.11 valid=5s;
+        set $backend "matrix-mxisd:8090";
+        proxy_pass http://$backend;
+        {% else %}
+        {# Generic configuration for use outside of our container setup #}
+        proxy_pass http://localhost:8090;
+        {% endif %}
+    }
+    {% endif %}
+
     location /_matrix {
         {% if matrix_nginx_proxy_enabled %}
         {# Use the embedded DNS resolver in Docker containers to discover the service #}
diff --git a/roles/matrix-server/templates/riot-web/config.json.j2 b/roles/matrix-server/templates/riot-web/config.json.j2
index ea2fed53..abb7f0e1 100644
--- a/roles/matrix-server/templates/riot-web/config.json.j2
+++ b/roles/matrix-server/templates/riot-web/config.json.j2
@@ -1,6 +1,6 @@
 {
     "default_hs_url": "https://{{ hostname_matrix }}",
-    "default_is_url": "https://vector.im",
+    "default_is_url": "{{ matrix_riot_web_default_identity_server_url }}",
     "disable_custom_urls": true,
     "disable_guests": false,
     "brand": "Riot",
diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2
index fa0e396b..64020d33 100644
--- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2
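Review bot: The new `/_matrix/identity` location proxies to mxisd with no `proxy_set_header` directives, so unless the enclosing `server` block sets them at a higher level (not visible in this hunk), mxisd sees nginx's address as the client and receives nginx's default `Host: $proxy_host` instead of the public name the client used; any client-based logging or limiting in mxisd would then only ever see the proxy. Forwarding the originals inside the location fixes that: `proxy_set_header Host $host;`, `proxy_set_header X-Real-IP $remote_addr;`, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`. The existing `/_matrix` location starts at the bottom of the hunk and its body is outside it, so I cannot tell whether it already does this; if it does, the new block should mirror it.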
@@ -446,9 +446,9 @@ allow_guest_access: False # The list of identity servers trusted to verify third party # identifiers by this server. trusted_third_party_id_servers: - - matrix.org - - vector.im - - riot.im +{% for server in matrix_synapse_trusted_third_party_id_servers %} + - {{ server }} +{% endfor %} # Users who register on this homeserver will automatically be joined # to these rooms diff --git a/roles/matrix-server/templates/systemd/matrix-mxisd.service.j2 b/roles/matrix-server/templates/systemd/matrix-mxisd.service.j2 new file mode 100644 index 00000000..637965c0 --- /dev/null +++ b/roles/matrix-server/templates/systemd/matrix-mxisd.service.j2 @@ -0,0 +1,29 @@ +[Unit] +Description=Matrix mxisd identity server +After=docker.service +Requires=docker.service +{% if not matrix_postgres_use_external %} +Requires=matrix-postgres.service +After=matrix-postgres.service +{% endif %} + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill matrix-mxisd +ExecStartPre=-/usr/bin/docker rm matrix-mxisd +ExecStart=/usr/bin/docker run --rm --name matrix-mxisd \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --network={{ matrix_docker_network }} \ + {% if not matrix_nginx_proxy_enabled %} + -p 127.0.0.1:8090:8090 \ + {% endif %} + -v {{ matrix_mxisd_config_path }}:/etc/mxisd:ro \ + -v {{ matrix_mxisd_data_path }}:/var/mxisd \ + {{ matrix_docker_image_mxisd }} +ExecStop=-/usr/bin/docker kill matrix-mxisd +ExecStop=-/usr/bin/docker rm matrix-mxisd +Restart=always +RestartSec=30 + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 index c97478f1..dc096d51 100644 --- a/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 +++ b/roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2 
@@ -6,6 +6,9 @@ Wants=matrix-synapse.service {% if matrix_riot_web_enabled %} Wants=matrix-riot-web.service {% endif %} +{% if matrix_mxisd_enabled %} +Wants=matrix-mxisd.service +{% endif %} [Service] Type=simple