From 34523476487c96ad4b2a51c4ed1e62b2b2489977 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Wed, 24 Jun 2020 09:42:41 +0300
Subject: [PATCH 1/7] Suggest base domain serving in configuring-well-known.md

Fixes #545 (Github Issue).
---
 docs/configuring-well-known.md | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/docs/configuring-well-known.md b/docs/configuring-well-known.md
index 21a4343e..959d3506 100644
--- a/docs/configuring-well-known.md
+++ b/docs/configuring-well-known.md
@@ -48,12 +48,12 @@ If you're managing the base domain by yourself somehow, you'll need to set up se
 To make things easy for you to set up, this playbook generates and hosts 2 well-known files on the Matrix domain's server (e.g. `https://matrix.example.com/.well-known/matrix/server` and `https://matrix.example.com/.well-known/matrix/client`), even though this is the wrong place to host them.
-You have 2 options when it comes to installing the files on the base domain's server:
+You have 3 options when it comes to installing the files on the base domain's server:
 ### (Option 1): **Copying the files manually** to your base domain's server
-**Hint**: Option 2 (below) is generally a better way to do this. Make sure to go with that one, if possible.
+**Hint**: Option 2 and 3 (below) are generally a better way to do this. Make sure to go with them, if possible.
 All you need to do is:
@@ -65,7 +65,16 @@ This is relatively easy to do and possibly your only choice if you can only host
 It is, however, **a little fragile**, as future updates performed by this playbook may regenerate the well-known files and you may need to notice that and copy them over again.
-### (Option 2): **Setting up reverse-proxying** of the well-known files from the base domain's server to the Matrix server
+### (Option 2): **Serving the base domain** from the Matrix server via the playbook
+
+If you don't need the base domain (e.g. `example.com`) for anything else (hosting a website, etc.), you can point it to the Matrix server's IP address and tell the playbook to configure it.
+
+This is the easiest way to set up well-known serving -- letting the playbook handle the whole base domain for you (including SSL certificates, etc.). However, if you need to use the base domain for other things (such as hosting some website, etc.), going with Option 1 or Option 2 might be more suitable.
+
+See [Serving the base domain](configuring-playbook-base-domain-serving.md) to learn how the playbook can help you set it up.
+
+
+### (Option 3): **Setting up reverse-proxying** of the well-known files from the base domain's server to the Matrix server
 This option is less fragile and generally better.

From d44541ff6e97b5a61f8cc316b8e385fa184277cc Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Wed, 24 Jun 2020 10:22:19 +0300
Subject: [PATCH 2/7] Mention matrix_synapse_allow_public_rooms_over_federation in the docs

Fixes #502 (Github Issue)
---
 docs/configuring-playbook-federation.md | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/docs/configuring-playbook-federation.md b/docs/configuring-playbook-federation.md
index ad818ab2..1e4ad61e 100644
--- a/docs/configuring-playbook-federation.md
+++ b/docs/configuring-playbook-federation.md
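Review bot: The new Option 2 paragraph tells readers who need the base domain for something else that "going with Option 1 or Option 2 might be more suitable", but after this renumbering the reverse-proxying alternative is Option 3, so the sentence points back at the option it is describing; change it to `going with Option 1 or Option 3 might be more suitable.` The same renumbering leaves the hint in the previous hunk reading "Option 2 and 3 (below) are generally a better way", which would read more naturally as `Options 2 and 3 (below) are generally better ways to do this.` Both sections continue outside their hunks, so any other "Option 2" cross-references in the rest of the file should be checked as well.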
@@ -17,6 +17,17 @@ matrix_synapse_federation_domain_whitelist:
 If you wish to disable federation, you can do that with an empty list (`[]`), or better yet by completely disabling federation (see below).
+## Exposing the room directory over federation
+
+By default, your server's public rooms directory is not exposed to other servers via federation.
+
+If you wish to expose it, add this to your configuration file (`inventory/host_vars/matrix./vars.yml`):
+
+```yaml
+matrix_synapse_allow_public_rooms_over_federation: true
+```
+
+
 ## Disabling federation
 To completely disable federation, isolating your server from the rest of the Matrix network, add this to your configuration file (`inventory/host_vars/matrix./vars.yml`):

From 5c5f1c6ab96c4af559a272e69c561b34f25f9b15 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Wed, 24 Jun 2020 11:38:51 +0300
Subject: [PATCH 3/7] Add support for telling Riot to not default to E2EE

Related to https://github.com/vector-im/riot-web/pull/13914
---
 roles/matrix-base/defaults/main.yml | 5 +++++
 .../templates/static-files/well-known/matrix-client.j2 | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml
index 8a860b1e..3a147124 100644
--- a/roles/matrix-base/defaults/main.yml
+++ b/roles/matrix-base/defaults/main.yml
@@ -56,6 +56,11 @@ matrix_integration_manager_ui_url: ~
 # See: https://github.com/vector-im/riot-web/blob/develop/docs/jitsi.md#configuring-riot-to-use-your-self-hosted-jitsi-server
 matrix_riot_jitsi_preferredDomain: ''
+# Controls whether Riot should use End-to-End Encryption by default.
+# Setting this to false will update `/.well-known/matrix/client` and tell Riot clients to avoid E2EE.
+# See: https://github.com/vector-im/riot-web/blob/develop/docs/e2ee.md
+matrix_riot_e2ee_default: true
+
 # The Docker network that all services would be put into
 matrix_docker_network: "matrix"
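Review bot: The comment on `matrix_riot_e2ee_default` explains what the knob does for Riot but not its blast radius: the value is published in `/.well-known/matrix/client`, which every client of this homeserver fetches, so setting it to false lowers the encryption default for all users at once rather than per user or per room. Consider adding `# Homeserver-wide hint for all clients that read the well-known file (published under the vendor-prefixed "im.vector.riot.e2ee" key); clients other than Riot may ignore it.` so an operator sees the scope before flipping it. Naming the key in the comment also makes it possible to grep from the rendered well-known file back to this variable.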
diff --git a/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 b/roles/matrix-base/templates/static-files/well-known/matrix-client.j2
index edbaa62e..a4c1c439 100644
--- a/roles/matrix-base/templates/static-files/well-known/matrix-client.j2
+++ b/roles/matrix-base/templates/static-files/well-known/matrix-client.j2
@@ -23,4 +23,9 @@
 "preferredDomain": {{ matrix_riot_jitsi_preferredDomain|to_json }}
 }
 {% endif %}
+ {% if not matrix_riot_e2ee_default %},
+ "im.vector.riot.e2ee": {
+ "default": false
+ }
+ {% endif %}
 }

From 3527200ac4feaa0986d0ffec80f41afc38a60cee Mon Sep 17 00:00:00 2001
From: Justin Croonenberghs
Date: Wed, 24 Jun 2020 16:34:28 -0500
Subject: [PATCH 4/7] Added config hint for SMS verification

---
 docs/configuring-playbook-ma1sd.md | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/docs/configuring-playbook-ma1sd.md b/docs/configuring-playbook-ma1sd.md
index da9ff21e..8b392965 100644
--- a/docs/configuring-playbook-ma1sd.md
+++ b/docs/configuring-playbook-ma1sd.md
@@ -72,6 +72,20 @@ To use a more custom configuration, you can define a `matrix_ma1sd_configuration
 and put your configuration in it.
 To learn more about how to do this, refer to the information about `matrix_ma1sd_configuration_extension_yaml` in the [default variables file](../roles/matrix-ma1sd/defaults/main.yml) of the ma1sd component.
+## Example: SMS verification
+
+If your use case requires mobile verification, it is quite simple to integrate ma1sd with Twilio, an online telephony services gateway. Their prices are reasonable for low-volume projects and integration can be done with the following configuration:
+
+```matrix_ma1sd_configuration_extension_yaml: |
+ threepid:
+ medium:
+ msisdn:
+ connectors:
+ twilio:
+ account_sid: ''
+ auth_token: ''
+ number: '+'
+```
 ## Troubleshooting

From 25290f780cecc693554ff4cbb96023b4862dc041 Mon Sep 17 00:00:00 2001
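Review bot: `{% if not matrix_riot_e2ee_default %}` relies on Jinja truthiness, so a value that arrives as the string "false" (for example via `-e` on the ansible-playbook command line, or a quoted value in an inventory) is truthy and the block is silently skipped while the operator believes E2EE was turned off by default; use `{% if not matrix_riot_e2ee_default|bool %},` so both real booleans and string forms are handled. The leading comma inside the conditional assumes an earlier JSON member is always emitted before it; that looks like the same pattern as the jitsi block just above, but the members preceding it are outside the hunk and should be confirmed. Since this is a security-relevant default, it is also worth a test that renders the template once with the variable false and parses the result as JSON, to catch a stray comma.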
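Review bot: The example places the Twilio `auth_token` (an API credential) straight into `matrix_ma1sd_configuration_extension_yaml` in the host's vars file, and nothing in the new section tells the reader to protect it; add a sentence after the block such as `Keep \`auth_token\` out of plain-text inventory: store it with Ansible Vault (or another secrets mechanism) and reference it from this variable.` The empty `''` values and `number: '+'` read like placeholders whose `<...>` markers were lost, so spelling out what each field expects (account SID, auth token, sending number) would avoid copy-paste of literal empty strings. The code fence opening on the same line as the variable name is already repaired by a later commit in this series.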
From: Slavi Pantaleev
Date: Thu, 25 Jun 2020 08:22:12 +0300
Subject: [PATCH 5/7] Link to Twilio

---
 docs/configuring-playbook-ma1sd.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/configuring-playbook-ma1sd.md b/docs/configuring-playbook-ma1sd.md
index 8b392965..cd61fec1 100644
--- a/docs/configuring-playbook-ma1sd.md
+++ b/docs/configuring-playbook-ma1sd.md
@@ -74,7 +74,7 @@ To learn more about how to do this, refer to the information about `matrix_ma1sd
 ## Example: SMS verification
-If your use case requires mobile verification, it is quite simple to integrate ma1sd with Twilio, an online telephony services gateway. Their prices are reasonable for low-volume projects and integration can be done with the following configuration:
+If your use case requires mobile verification, it is quite simple to integrate ma1sd with [Twilio](https://www.twilio.com/), an online telephony services gateway. Their prices are reasonable for low-volume projects and integration can be done with the following configuration:
 ```matrix_ma1sd_configuration_extension_yaml: |
 threepid:

From 224c21878efdb24b0a9f6ff09d594673b2c044b9 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Thu, 25 Jun 2020 08:26:09 +0300
Subject: [PATCH 6/7] Fix code block a bit

Related to #549 (Github Pull Request)
---
 docs/configuring-playbook-ma1sd.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/docs/configuring-playbook-ma1sd.md b/docs/configuring-playbook-ma1sd.md
index cd61fec1..03d1ecde 100644
--- a/docs/configuring-playbook-ma1sd.md
+++ b/docs/configuring-playbook-ma1sd.md
@@ -76,7 +76,8 @@ To learn more about how to do this, refer to the information about `matrix_ma1sd
 If your use case requires mobile verification, it is quite simple to integrate ma1sd with [Twilio](https://www.twilio.com/), an online telephony services gateway. Their prices are reasonable for low-volume projects and integration can be done with the following configuration:
-```matrix_ma1sd_configuration_extension_yaml: |
+```yaml
+matrix_ma1sd_configuration_extension_yaml: |
 threepid:
 medium:
 msisdn:

From 671cd517973e9cb25590a195997ec39ef657d0de Mon Sep 17 00:00:00 2001
From: Julian Foad
Date: Fri, 26 Jun 2020 15:13:58 +0100
Subject: [PATCH 7/7] Improve the example Traefik config.

Use playbook variables instead of textual place-holders for the domain names.
---
 docs/configuring-playbook-own-webserver.md | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md
index 4adcd934..f97f622f 100644
--- a/docs/configuring-playbook-own-webserver.md
+++ b/docs/configuring-playbook-own-webserver.md
@@ -144,8 +144,7 @@ matrix_nginx_proxy_container_extra_arguments:
 - '--label "traefik.enable=true"'
 # The Nginx proxy container will receive traffic from these subdomains
- # (Replace DOMAIN with your domain, e.g. example.com)
- - '--label "traefik.http.routers.matrix-nginx-proxy.rule=Host(`matrix.DOMAIN`,`riot.DOMAIN`,`dimension.DOMAIN`)"'
+ - '--label "traefik.http.routers.matrix-nginx-proxy.rule=Host(`{{ matrix_server_fqn_matrix }}`,`{{ matrix_server_fqn_riot }}`,`{{ matrix_server_fqn_dimension }}`)"'
 # (The 'web-secure' entrypoint must bind to port 443 in Traefik config)
 - '--label "traefik.http.routers.matrix-nginx-proxy.entrypoints=web-secure"'
@@ -161,8 +160,7 @@ matrix_synapse_container_extra_arguments:
 - '--label "traefik.enable=true"'
 # The Synapse container will receive traffic from this subdomain
- # (Replace DOMAIN with your domain, e.g. example.com)
- - '--label "traefik.http.routers.matrix-synapse.rule=Host(`matrix.DOMAIN`)"'
+ - '--label "traefik.http.routers.matrix-synapse.rule=Host(`{{ matrix_server_fqn_matrix }}`)"'
 # (The 'synapse' entrypoint must bind to port 8448 in Traefik config)
 - '--label "traefik.http.routers.matrix-synapse.entrypoints=synapse"'