From ea43d46b702142f5c0e5cedeba6698bef5eb7dc2 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Fri, 17 Aug 2018 09:02:12 +0300
Subject: [PATCH] Add matrix-synapse-rest-auth support
---
 CHANGELOG.md | 7 ++
 README.md | 2 +
 docs/configuring-playbook-rest-auth.md | 15 +++
 docs/configuring-playbook.md | 4 +-
 roles/matrix-server/defaults/main.yml | 26 ++++-
 roles/matrix-server/tasks/setup_synapse.yml | 98 +------------------
 .../matrix-server/tasks/setup_synapse_ext.yml | 3 +
 .../tasks/setup_synapse_ext_rest_auth.yml | 45 +++++++++
 .../tasks/setup_synapse_main.yml | 84 ++++++++++++++++
 .../matrix-server/tasks/setup_synapse_pre.yml | 17 ++++
 .../templates/synapse/homeserver.yaml.j2 | 18 +++-
 .../templates/synapse/synapse.log.config.j2 | 5 +
 .../systemd/matrix-synapse.service.j2 | 3 +
 13 files changed, 229 insertions(+), 98 deletions(-)
 create mode 100644 docs/configuring-playbook-rest-auth.md
 create mode 100644 roles/matrix-server/tasks/setup_synapse_ext.yml
 create mode 100644 roles/matrix-server/tasks/setup_synapse_ext_rest_auth.yml
 create mode 100644 roles/matrix-server/tasks/setup_synapse_main.yml
 create mode 100644 roles/matrix-server/tasks/setup_synapse_pre.yml
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f9401b9d..9fddab89 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,12 @@
 # 2018-08-17
 
+## REST auth support via matrix-synapse-rest-auth
+
+The playbook can now install and configure [matrix-synapse-rest-auth](https://github.com/kamax-io/matrix-synapse-rest-auth) for you.
+
+Additional details are available in [Setting up the REST authentication password provider module](docs/configuring-playbook-rest-auth.md).
+
+
 ## Compression improvements
 
 Shifted Matrix Synapse compression from happening in the Matrix Synapse,
diff --git a/README.md b/README.md
index 91fbcb6f..59c64832 100644
--- a/README.md
+++ b/README.md
@@ -26,6 +26,8 @@ Using this playbook, you can get the following services configured on your serve
 - (optional default) an [nginx](http://nginx.org/) web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver [is possible](#using-your-own-webserver-instead-of-this-playbooks-nginx-proxy-optional)
+- (optional) the [matrix-synapse-rest-auth](https://github.com/kamax-io/matrix-synapse-rest-auth) REST authentication password provider module
+
 Basically, this playbook aims to get you up-and-running with all the basic necessities around Matrix, without you having to do anything else.
diff --git a/docs/configuring-playbook-rest-auth.md b/docs/configuring-playbook-rest-auth.md
new file mode 100644
index 00000000..dc595b05
--- /dev/null
+++ b/docs/configuring-playbook-rest-auth.md
@@ -0,0 +1,15 @@
+# Setting up the REST authentication password provider module
+
+The playbook can now install and configure [matrix-synapse-rest-auth](https://github.com/kamax-io/matrix-synapse-rest-auth) for you.
+
+See that project's documentation to learn what it does and why it might be useful to you.
+
+If you decide that you'd like to let this playbook install it for you, you need soem configuration like this:
+
+```yaml
+matrix_synapse_ext_password_provider_rest_auth_enabled: true
+matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://change.me.example.com:12345"
+matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false
+matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true
+matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false
+```
\ No newline at end of file
diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md
index 58f2133b..2daf5767 100644
--- a/docs/configuring-playbook.md
+++ b/docs/configuring-playbook.md
@@ -31,4 +31,6 @@ When you're done with all the configuration you'd like to do, continue with [Ins
 
 - [Adjusting mxisd Identity Server configuration](configuring-playbook-mxisd.md) (optional)
 
-- [Using your own webserver, instead of this playbook's nginx proxy](configuring-playbook-own-webserver.md) (optional)
\ No newline at end of file
+- [Using your own webserver, instead of this playbook's nginx proxy](configuring-playbook-own-webserver.md) (optional)
+
+- [Setting up the REST authentication password provider module](configuring-playbook-rest-auth.md) (optional)
\ No newline at end of file
diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml
index 429c57fc..25070d6f 100644
--- a/roles/matrix-server/defaults/main.yml
+++ b/roles/matrix-server/defaults/main.yml
@@ -33,6 +33,7 @@ matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config"
 matrix_synapse_run_path: "{{ matrix_synapse_base_path }}/run"
 matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage"
 matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store"
+matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext"
 
 # Specifies which template files to use when configuring Synapse.
 # If you'd like to have your own different configuration, feel free to copy and paste
@@ -60,6 +61,29 @@ matrix_synapse_max_upload_size_mb: 10
 matrix_synapse_max_log_file_size_mb: 100
 matrix_synapse_max_log_files_count: 10
 
+# A list of additional "volumes" to mount in the container.
+# This list gets populated dynamically based on Synapse extensions that have been enabled.
+# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
+matrix_synapse_container_additional_volumes: []
+
+# A list of additional loggers to register in synapse.log.config.
+# This list gets populated dynamically based on Synapse extensions that have been enabled.
+# Contains definition objects like this: `{"name": "..", "level": "DEBUG"}
+matrix_synapse_additional_loggers: []
+
+# This is set dynamically during execution depending on whether
+# any password providers have been enabled or not.
+matrix_synapse_password_providers_enabled: false
+
+# Enable this to activate the REST auth password provider module
+# See: https://github.com/kamax-io/matrix-synapse-rest-auth
+matrix_synapse_ext_password_provider_rest_auth_enabled: false
+matrix_synapse_ext_password_provider_rest_auth_download_url: "https://raw.githubusercontent.com/kamax-io/matrix-synapse-rest-auth/v0.1.1/rest_auth_provider.py"
+matrix_synapse_ext_password_provider_rest_auth_endpoint: ""
+matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false
+matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true
+matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false
+
 matrix_postgres_data_path: "{{ matrix_base_data_path }}/postgres"
 matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy"
 matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d"
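Review bot: The two "Contains definition objects like this:" comments open an inline code span with a backtick that is never closed, and the REST auth block explains only the `_enabled` flag: `matrix_synapse_ext_password_provider_rest_auth_endpoint` defaults to `""` with nothing saying it is required once the module is enabled, nor that the value is handed to the Synapse process inside the container (so, presumably, it has to be reachable from there rather than only from the host). Closing the backticks and adding `# URL of the REST backend Synapse authenticates against. Required when the module is enabled.` above the endpoint line would make the defaults self-explanatory. A comment on `_download_url` noting that the pinned release lives only in the URL path (`v0.1.1`) would also help whoever bumps it later.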
@@ -159,4 +183,4 @@ matrix_ssl_renew_cron_time_definition: "15 4 */5 * *"
 
 # Specifies when to reload the matrix-nginx-proxy service so that
 # a new SSL certificate could go into effect.
-matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"
+matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"
\ No newline at end of file
diff --git a/roles/matrix-server/tasks/setup_synapse.yml b/roles/matrix-server/tasks/setup_synapse.yml
index eb254e75..5c9348c3 100644
--- a/roles/matrix-server/tasks/setup_synapse.yml
+++ b/roles/matrix-server/tasks/setup_synapse.yml
@@ -1,99 +1,7 @@
 ---
 
-- name: Fail if Macaroon key is missing
- fail:
- msg: "You need to set a secret in the matrix_synapse_macaroon_secret_key variable"
- when: "matrix_synapse_macaroon_secret_key == ''"
+- include: tasks/setup_synapse_pre.yml
 
-- name: Ensure Matrix Synapse paths exist
- file:
- path: "{{ item }}"
- state: directory
- mode: 0750
- owner: "{{ matrix_user_username }}"
- group: "{{ matrix_user_username }}"
- with_items:
- - "{{ matrix_synapse_config_dir_path }}"
- - "{{ matrix_synapse_run_path }}"
- - "{{ matrix_synapse_storage_path }}"
- # We handle matrix_synapse_media_store_path below, not here,
- # because if it's using S3fs and it's already mounted (from before),
- # trying to chown/chmod it here will cause trouble.
+- include: tasks/setup_synapse_ext.yml
 
-# This will throw a Permission Denied error if already mounted using fuse
-- name: Check Matrix Synapse media store path
- stat: path="{{ matrix_synapse_media_store_path }}"
- register: local_path_media_store_stat
- ignore_errors: yes
-
-# This is separate and conditional, to ensure we don't execute it
-# if the path already exists or we failed to check, because it's mounted using fuse.
-- name: Ensure Matrix media store path exists
- file:
- path: "{{ matrix_synapse_media_store_path }}"
- state: directory
- mode: 0750
- owner: "{{ matrix_user_username }}"
- group: "{{ matrix_user_username }}"
- when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists"
-
-- name: Ensure Matrix Docker image is pulled
- docker_image:
- name: "{{ matrix_docker_image_synapse }}"
-
-- name: Check if a Matrix Synapse configuration exists
- stat:
- path: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml"
- register: matrix_synapse_config_stat
-
-# We do this mostly so that the keys would get generated.
-# We'll replace the rest of the configuration with our own templates below.
-- name: Generate initial Matrix config
- docker_container:
- name: matrix-config
- image: "{{ matrix_docker_image_synapse }}"
- detach: no
- cleanup: yes
- command: generate
- env:
- SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml"
- SYNAPSE_SERVER_NAME: "{{ hostname_matrix }}"
- SYNAPSE_REPORT_STATS: "no"
- user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}"
- volumes:
- - "{{ matrix_synapse_config_dir_path }}:/data"
- when: "not matrix_synapse_config_stat.stat.exists"
-
-- name: Ensure Matrix homeserver config installed
- template:
- src: "{{ matrix_synapse_template_synapse_homeserver }}"
- dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml"
- mode: 0644
-
-- name: Ensure Matrix log config installed
- template:
- src: "{{ matrix_synapse_template_synapse_log }}"
- dest: "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config"
- mode: 0644
-
-- name: Ensure matrix-synapse.service installed
- template:
- src: "{{ role_path }}/templates/systemd/matrix-synapse.service.j2"
- dest: "/etc/systemd/system/matrix-synapse.service"
- mode: 0644
-
-- name: Ensure matrix-synapse-register-user script created
- template:
- src: "{{ role_path }}/templates/usr-local-bin/matrix-synapse-register-user.j2"
- dest: "/usr/local/bin/matrix-synapse-register-user"
- mode: 0750
-
-- name: Allow access to Matrix ports in firewalld
- firewalld:
- port: "{{ item }}"
- state: enabled
- immediate: yes
- permanent: yes
- with_items:
- - '8448/tcp' # Matrix federation
- when: ansible_os_family == 'RedHat'
+- include: tasks/setup_synapse_main.yml
diff --git a/roles/matrix-server/tasks/setup_synapse_ext.yml b/roles/matrix-server/tasks/setup_synapse_ext.yml
new file mode 100644
index 00000000..dd36b09c
--- /dev/null
+++ b/roles/matrix-server/tasks/setup_synapse_ext.yml
@@ -0,0 +1,3 @@
+---
+
+- include: tasks/setup_synapse_ext_rest_auth.yml
\ No newline at end of file
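Review bot: The three new `- include:` lines use the bare `include` keyword, which Ansible deprecated in 2.4 in favour of `import_tasks` / `include_tasks`; as all three files are loaded unconditionally, `- import_tasks: tasks/setup_synapse_pre.yml` (and likewise for the ext and main files) keeps the behaviour and avoids the deprecation warning. The order is also load-bearing but undocumented: setup_synapse_ext.yml registers facts via set_fact that the systemd unit and log-config templates rendered from setup_synapse_main.yml consume, so ext must stay ahead of main. A comment such as `# ext must run before main: main renders templates from the facts ext registers` would protect that ordering from a later reshuffle.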
diff --git a/roles/matrix-server/tasks/setup_synapse_ext_rest_auth.yml b/roles/matrix-server/tasks/setup_synapse_ext_rest_auth.yml
new file mode 100644
index 00000000..85098c0a
--- /dev/null
+++ b/roles/matrix-server/tasks/setup_synapse_ext_rest_auth.yml
@@ -0,0 +1,45 @@
+---
+
+#
+# Tasks related to setting up matrix-synapse-rest-auth
+#
+
+- name: Download matrix-synapse-rest-auth
+ get_url:
+ url: "{{ matrix_synapse_ext_password_provider_rest_auth_download_url }}"
+ dest: "{{ matrix_synapse_ext_path }}/rest_auth_provider.py"
+ mode: 0440
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_username }}"
+
+- set_fact:
+ matrix_synapse_password_providers_enabled: true
+ when: "matrix_synapse_ext_password_provider_rest_auth_enabled"
+
+- set_fact:
+ matrix_synapse_container_additional_volumes: >
+ {{ matrix_synapse_container_additional_volumes }}
+ +
+ {{ [{'src': '{{ matrix_synapse_ext_path }}/rest_auth_provider.py', 'dst': '/usr/local/lib/python2.7/site-packages/rest_auth_provider.py', 'options': 'ro'}] }}
+ when: "matrix_synapse_ext_password_provider_rest_auth_enabled"
+
+- set_fact:
+ matrix_synapse_additional_loggers: >
+ {{ matrix_synapse_additional_loggers }}
+ +
+ {{ [{'name': 'rest_auth_provider', 'level': 'DEBUG'}] }}
+ when: "matrix_synapse_ext_password_provider_rest_auth_enabled"
+
+- debug: var="matrix_synapse_container_additional_volumes"
+
+- debug: var="matrix_synapse_additional_loggers"
+
+#
+# Tasks related to getting rid of matrix-synapse-rest-auth (if it was previously enabled)
+#
+
+- name: Ensure matrix-synapse-rest-auth doesn't exist
+ file:
+ path: "{{ matrix_synapse_ext_path }}/rest_auth_provider.py"
+ state: absent
+ when: "not matrix_synapse_ext_password_provider_rest_auth_enabled"
\ No newline at end of file
diff --git a/roles/matrix-server/tasks/setup_synapse_main.yml b/roles/matrix-server/tasks/setup_synapse_main.yml
new file mode 100644
index 00000000..9a5169d2
--- /dev/null
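Review bot: The `get_url` task has no `when:`, so even with `matrix_synapse_ext_password_provider_rest_auth_enabled: false` every run downloads rest_auth_provider.py from GitHub and the final `state: absent` task deletes it again; the download should carry the same `when: "matrix_synapse_ext_password_provider_rest_auth_enabled"` as the set_fact tasks that follow it. The file is also fetched without any integrity check and is then bind-mounted into the Synapse container's site-packages and loaded as the password provider, so a changed or tampered download runs inside the Synapse process; adding `checksum: "sha256:<digest-of-the-pinned-v0.1.1-file>"` (placeholder, fill in the real digest) next to `url:` makes such a mismatch fail the play instead. The two `- debug: var=...` tasks read like leftover diagnostics and print on every run. The list concatenation via a folded scalar holding two separate `{{ }}` expressions and a literal `+` between them appears to rely on Ansible re-evaluating the rendered string; a single expression, `{{ matrix_synapse_container_additional_volumes + [{...}] }}`, says the same thing without that dependency.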
+++ b/roles/matrix-server/tasks/setup_synapse_main.yml 
@@ -0,0 +1,84 @@
+---
+
+- name: Fail if Macaroon key is missing
+ fail:
+ msg: "You need to set a secret in the matrix_synapse_macaroon_secret_key variable"
+ when: "matrix_synapse_macaroon_secret_key == ''"
+
+# This will throw a Permission Denied error if already mounted using fuse
+- name: Check Matrix Synapse media store path
+ stat: path="{{ matrix_synapse_media_store_path }}"
+ register: local_path_media_store_stat
+ ignore_errors: yes
+
+# This is separate and conditional, to ensure we don't execute it
+# if the path already exists or we failed to check, because it's mounted using fuse.
+- name: Ensure Matrix media store path exists
+ file:
+ path: "{{ matrix_synapse_media_store_path }}"
+ state: directory
+ mode: 0750
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_username }}"
+ when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists"
+
+- name: Ensure Matrix Docker image is pulled
+ docker_image:
+ name: "{{ matrix_docker_image_synapse }}"
+
+- name: Check if a Matrix Synapse configuration exists
+ stat:
+ path: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml"
+ register: matrix_synapse_config_stat
+
+# We do this mostly so that the keys would get generated.
+# We'll replace the rest of the configuration with our own templates below.
+- name: Generate initial Matrix config
+ docker_container:
+ name: matrix-config
+ image: "{{ matrix_docker_image_synapse }}"
+ detach: no
+ cleanup: yes
+ command: generate
+ env:
+ SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml"
+ SYNAPSE_SERVER_NAME: "{{ hostname_matrix }}"
+ SYNAPSE_REPORT_STATS: "no"
+ user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}"
+ volumes:
+ - "{{ matrix_synapse_config_dir_path }}:/data"
+ when: "not matrix_synapse_config_stat.stat.exists"
+
+- name: Ensure Matrix homeserver config installed
+ template:
+ src: "{{ matrix_synapse_template_synapse_homeserver }}"
+ dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml"
+ mode: 0644
+
+- name: Ensure Matrix log config installed
+ template:
+ src: "{{ matrix_synapse_template_synapse_log }}"
+ dest: "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config"
+ mode: 0644
+
+- name: Ensure matrix-synapse.service installed
+ template:
+ src: "{{ role_path }}/templates/systemd/matrix-synapse.service.j2"
+ dest: "/etc/systemd/system/matrix-synapse.service"
+ mode: 0644
+
+- name: Ensure matrix-synapse-register-user script created
+ template:
+ src: "{{ role_path }}/templates/usr-local-bin/matrix-synapse-register-user.j2"
+ dest: "/usr/local/bin/matrix-synapse-register-user"
+ mode: 0750
+
+- name: Allow access to Matrix ports in firewalld
+ firewalld:
+ port: "{{ item }}"
+ state: enabled
+ immediate: yes
+ permanent: yes
+ with_items:
+ - '8448/tcp' # Matrix federation
+ when: ansible_os_family == 'RedHat'
diff --git a/roles/matrix-server/tasks/setup_synapse_pre.yml b/roles/matrix-server/tasks/setup_synapse_pre.yml
new file mode 100644
index 00000000..77fa51a1
--- /dev/null
+++ b/roles/matrix-server/tasks/setup_synapse_pre.yml
@@ -0,0 +1,17 @@
+---
+
+- name: Ensure Matrix Synapse paths exist
+ file:
+ path: "{{ item }}"
+ state: directory
+ mode: 0750
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_username }}"
+ with_items:
+ - "{{ matrix_synapse_config_dir_path }}"
+ - "{{ matrix_synapse_run_path }}"
+ - "{{ matrix_synapse_storage_path }}"
+ - "{{ matrix_synapse_ext_path }}"
+ # We handle matrix_synapse_media_store_path elsewhere (in setup_synapse.yml),
+ # because if it's using S3fs and it's already mounted (from before),
+ # trying to chown/chmod it here will cause trouble.
diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2
index 6c77af18..22cdef0b 100644
--- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2
@@ -580,7 +580,23 @@ email:
 # #bind_dn:
 # #bind_password:
 # #filter: "(objectClass=posixAccount)"
-
+{% if matrix_synapse_password_providers_enabled %}
+password_providers:
+{% if matrix_synapse_ext_password_provider_rest_auth_enabled %}
+ - module: "rest_auth_provider.RestAuthProvider"
+ config:
+ endpoint: "{{ matrix_synapse_ext_password_provider_rest_auth_endpoint }}"
+ policy:
+ registration:
+ username:
+ enforceLowercase: {{ matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase }}
+ profile:
+ name: {{ matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill }}
+ login:
+ profile:
+ name: {{ matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill }}
+{% endif %}
+{% endif %}
 
 
 # Clients requesting push notifications can either have the body of
diff --git a/roles/matrix-server/templates/synapse/synapse.log.config.j2 b/roles/matrix-server/templates/synapse/synapse.log.config.j2
index 2b779653..2cd6ea57 100644
--- a/roles/matrix-server/templates/synapse/synapse.log.config.j2
+++ b/roles/matrix-server/templates/synapse/synapse.log.config.j2
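Review bot: The trailing comment says matrix_synapse_media_store_path is handled "elsewhere (in setup_synapse.yml)", but after this commit setup_synapse.yml holds only three includes and the media-store stat/create tasks live in setup_synapse_main.yml, so the pointer is stale from the start; change it to `# We handle matrix_synapse_media_store_path elsewhere (in setup_synapse_main.yml),`. The new `{{ matrix_synapse_ext_path }}` entry would also benefit from a one-line comment, e.g. `# extension modules (see setup_synapse_ext*.yml) are downloaded into this directory`, since nothing in this file says what it is for.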
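Review bot: `endpoint:` is rendered verbatim from `matrix_synapse_ext_password_provider_rest_auth_endpoint`, whose default is `""`, so enabling the module without configuring it yields a homeserver.yaml whose password provider points at an empty endpoint rather than failing early the way the macaroon check in setup_synapse_main.yml does. A guard in setup_synapse_ext_rest_auth.yml, ahead of the set_fact tasks, would catch this: `- fail: msg="You need to set matrix_synapse_ext_password_provider_rest_auth_endpoint when REST auth is enabled"` with `when: "matrix_synapse_ext_password_provider_rest_auth_enabled and matrix_synapse_ext_password_provider_rest_auth_endpoint == ''"`. Since a password provider is what Synapse consults with the credentials a user submits at login, the transport to this endpoint presumably carries those credentials; a comment here (or in configuring-playbook-rest-auth.md, whose example uses plain `http://`) recommending an https or host-local address would be a cheap caveat.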
@@ -32,6 +32,11 @@ loggers:
 # information such as access tokens.
 level: INFO
 
+{% for logger in matrix_synapse_additional_loggers %}
+ {{ logger.name }}:
+ level: {{ logger.level }}
+{% endfor %}
+
 root:
 level: INFO
 handlers: [file, console]
diff --git a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2 b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2
index 9918a21a..34ee8084 100644
--- a/roles/matrix-server/templates/systemd/matrix-synapse.service.j2
+++ b/roles/matrix-server/templates/systemd/matrix-synapse.service.j2
@@ -34,6 +34,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
 -v {{ matrix_synapse_config_dir_path }}:/data \
 -v {{ matrix_synapse_run_path }}:/matrix-run \
 -v {{ matrix_synapse_storage_path }}:/matrix-storage:slave \
+ {% for volume in matrix_synapse_container_additional_volumes %}
+ -v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \
+ {% endfor %}
 -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml \
 {{ matrix_docker_image_synapse }}
 ExecStop=-/usr/bin/docker kill matrix-synapse
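Review bot: The loop renders whatever level an extension registers, and the only registration this commit adds (setup_synapse_ext_rest_auth.yml) is `rest_auth_provider` at `DEBUG`, which lands directly under the context line `# information such as access tokens.` that appears to belong to a warning about what verbose levels expose. I can't tell from here whether this provider logs request or response bodies at DEBUG, but a password-provider module is the wrong place to default to verbose logging on every deployment. Making the level a variable (a constructed name: `matrix_synapse_ext_password_provider_rest_auth_log_level`, default `INFO`) and using it in the set_fact keeps DEBUG available for troubleshooting without being the default.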