matrix-docker-ansible-deploy/i18n/locales/jp/LC_MESSAGES/docs/configuring-playbook-matrix-authentication-service.po

# SOME DESCRIPTIVE TITLE.
# Copyright (C) 2018-2024, Slavi Pantaleev, Aine Etke, MDAD community
# members
# This file is distributed under the same license as the
# matrix-docker-ansible-deploy package.
# FIRST AUTHOR <EMAIL@ADDRESS>, 2024.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: matrix-docker-ansible-deploy \n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2024-12-16 12:05+0900\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language: jp\n"
"Language-Team: jp <LL@li.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=utf-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Generated-By: Babel 2.16.0\n"
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:1
msgid "Setting up Matrix Authentication Service (optional)"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:3
msgid ""
"This playbook can install and configure [Matrix Authentication "
"Service](https://github.com/element-hq/matrix-authentication-service/) "
"(MAS) - a service operating alongside your existing [Synapse"
"](./configuring-playbook-synapse.md) homeserver and providing [better "
"authentication, session management and permissions in "
"Matrix](https://matrix.org/blog/2023/09/better-auth/)."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:5
msgid ""
"Matrix Authentication Service is an implementation of [MSC3861: Next-"
"generation auth for Matrix, based on OAuth 2.0/OIDC](https://github.com"
"/matrix-org/matrix-spec-proposals/pull/3861) and still work in progress, "
"tracked at the [areweoidcyet.com](https://areweoidcyet.com/) website."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:7
msgid ""
"**Before going through with starting to use Matrix Authentication "
"Service**, make sure to read:"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:9
msgid ""
"the [Reasons to use Matrix Authentication Service](#reasons-to-use-"
"matrix-authentication-service) section below"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:10
msgid "the [Expectations](#expectations) section below"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:11
msgid "the [FAQ section on areweoidcyet.com](https://areweoidcyet.com/#faqs)"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:13
msgid ""
"**If you've already been using Synapse** and have user accounts in its "
"database, you can [migrate to Matrix Authentication Service](#migrating-"
"an-existing-synapse-homeserver-to-matrix-authentication-service)."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:15
msgid "Reasons to use Matrix Authentication Service"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:17
msgid ""
"You may be wondering whether you should make the switch to Matrix "
"Authentication Service (MAS) or keep using your existing authentication "
"flow via Synapse (password-based or [OIDC](./configuring-playbook-"
"synapse.md#synapse--openid-connect-for-single-sign-on)-enabled)."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:19
msgid ""
"Matrix Authentication Service is **still an experimental service** and "
"**not a default** for this Ansible playbook."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:21
msgid ""
"The [Expectations](#expectations) section contains a list of what works "
"and what doesn't (**some services don't work with MAS yet**), as well as "
"the **relative irreversability** of the migration process."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:23
msgid ""
"Below, we'll try to **highlight some potential reasons for switching** to"
" Matrix Authentication Service:"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:25
msgid ""
"To use SSO in [Element X](https://element.io/blog/element-x-ignition/). "
"The old [Synapse OIDC](./configuring-playbook-synapse.md#synapse--openid-"
"connect-for-single-sign-on) login flow is only supported in old Element "
"clients and will not be supported in Element X. Element X will only "
"support the new SSO-based login flow provided by MAS, so if you want to "
"use SSO with Element X, you will need to switch to MAS."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:27
msgid ""
"To help drive adoption of the \"Next-generation auth for Matrix\" by "
"switching to what's ultimately coming anyway"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:29
msgid ""
"To help discover (and potentially fix) MAS integration issues with this "
"Ansible playbook"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:31
msgid ""
"To help discover (and potentially fix) MAS integration issues with "
"various other Matrix components (bridges, bots, clients, etc.)"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:33
msgid ""
"To reap some of the security benefits that Matrix Authentication Service "
"offers, as outlined in the [Better authentication, session management and"
" permissions in Matrix](https://matrix.org/blog/2023/09/better-auth/) "
"article."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:35
msgid "Prerequisites"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:37
msgid ""
"⚠️ the [Synapse](configuring-playbook-synapse.md) homeserver "
"implementation (which is the default for this playbook). Other homeserver"
" implementations ([Dendrite](./configuring-playbook-dendrite.md), "
"[Conduit](./configuring-playbook-conduit.md), etc.) do not support "
"integrating wtih Matrix Authentication Service yet."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:39
msgid ""
"⚠️ **email sending** configured (see [Adjusting email-sending settings"
"](./configuring-playbook-email.md)), because **Matrix Authentication "
"Service [still insists](https://github.com/element-hq/matrix-"
"authentication-service/issues/1505) on having a verified email address "
"for each user** going through the new SSO-based login flow. It's also "
"possible to [work around email deliverability issues](#working-around-"
"email-deliverability-issues) if your email configuration is not working."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:41
msgid ""
"❌ **disabling all password providers** for Synapse (things like [shared-"
"secret-auth](./configuring-playbook-shared-secret-auth.md), [rest-auth"
"](./configuring-playbook-rest-auth.md), [LDAP auth](./configuring-"
"playbook-ldap-auth.md), etc.) More details about this are available in "
"the [Expectations](#expectations) section below."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:43
msgid "Expectations"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:45
msgid ""
"This section details what you can expect when switching to the Matrix "
"Authentication Service (MAS)."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:47
msgid ""
"❌ **Synapse password providers will need to be disabled**. You can no "
"longer use [shared-secret-auth](./configuring-playbook-shared-secret-"
"auth.md), [rest-auth](./configuring-playbook-rest-auth.md), [LDAP auth"
"](./configuring-playbook-ldap-auth.md), etc. When the authentication flow"
" is handled by MAS (not by Synapse anymore), it doesn't make sense to "
"extend the Synapse authentication flow with additional modules. Many "
"bridges used to rely on shared-secret-auth for doing double-puppeting "
"(impersonating other users), but most (at least the mautrix bridges) "
"nowadays use [Appservice Double Puppet](./configuring-playbook-"
"appservice-double-puppet.md) as a better alternative. Older/maintained "
"bridges may still rely on shared-secret-auth, as do other services like "
"[matrix-corporal](./configuring-playbook-matrix-corporal.md)."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:49
msgid ""
"❌ Certain **tools like [synapse-admin](./configuring-playbook-synapse-"
"admin.md) do not have full compatibility with MAS yet**. synapse-admin "
"already supports [login with access token](https://github.com/etkecc"
"/synapse-admin/pull/58), browsing users (which Synapse will internally "
"fetch from MAS) and updating user avatars. However, editing users "
"(passwords, etc.) now needs to happen directly against MAS using the [MAS"
" Admin API](https://element-hq.github.io/matrix-authentication-"
"service/api/index.html), which synapse-admin cannot interact with yet."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:51
msgid "❌ **Some services experience issues when authenticating via MAS**:"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:53
msgid ""
"[Postmoogle](./configuring-playbook-bridge-postmoogle.md) works the first"
" time around, but it consistently fails after restarting:"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:55
msgid ""
"cannot initialize matrix bot error=\"olm account is marked as shared, "
"keys seem to have disappeared from the server\""
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:57
msgid ""
"[matrix-reminder-bot](./configuring-playbook-bot-matrix-reminder-bot.md) "
"fails to start (see [element-hq/matrix-authentication-"
"service#3439](https://github.com/element-hq/matrix-authentication-"
"service/issues/3439))"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:58
msgid "Other services may be similarly affected. This list is not exhaustive."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:60
msgid ""
"❌ **Encrypted appservices** do not work yet (related to "
"[MSC4190](https://github.com/matrix-org/matrix-spec-proposals/pull/4190) "
"and [PR 17705 for Synapse](https://github.com/element-"
"hq/synapse/pull/17705)), so all bridges/bots that rely on encryption will"
" fail to start (see [this issue](https://github.com/spantaleev/matrix-"
"docker-ansible-deploy/issues/3658) for Hookshot). You can use these "
"bridges/bots only if you **keep end-to-bridge encryption disabled** "
"(which is the default setting)."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:62
msgid ""
"⚠️ **You will need to have email sending configured** (see [Adjusting "
"email-sending settings](./configuring-playbook-email.md)), because "
"**Matrix Authentication Service [still insists](https://github.com"
"/element-hq/matrix-authentication-service/issues/1505) on having a "
"verified email address for each user** going through the new SSO-based "
"login flow. It's also possible to [work around email deliverability "
"issues](#working-around-email-deliverability-issues) if your email "
"configuration is not working."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:64
msgid ""
"⚠️ [Migrating an existing Synapse homeserver to Matrix Authentication "
"Service](#migrating-an-existing-synapse-homeserver-to-matrix-"
"authentication-service) is **possible**, but requires **some playbook-"
"assisted manual work**. Migration is **reversible with no or minor issues"
" if done quickly enough**, but as users start logging in (creating new "
"login sessions) via the new MAS setup, disabling MAS and reverting back "
"to the Synapse user database will cause these new sessions to break."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:66
msgid ""
"⚠️ [Migrating an existing Synapse homeserver to Matrix Authentication "
"Service](#migrating-an-existing-synapse-homeserver-to-matrix-"
"authentication-service) does not currently seem to preserve the \"admin\""
" flag for users (as found in the Synapse database). All users are "
"imported as non-admin - see [element-hq/matrix-authentication-"
"service#3440](https://github.com/element-hq/matrix-authentication-"
"service/issues/3440). You may need update the Matrix Authentication "
"Service's database manually and adjust the `can_request_admin` column in "
"the `users` table to `true` for users that need to be administrators "
"(e.g. `UPDATE users SET can_request_admin = true WHERE username = "
"'someone';`)"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:68
msgid ""
"⚠️ Delegating user authentication to MAS causes **your Synapse server to "
"be completely dependant on one more service** for its operations. MAS is "
"quick & lightweight and should be stable enough already, but this is "
"something to keep in mind when making the switch."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:70
msgid ""
"⚠️ If you've got [OIDC configured in Synapse](./configuring-playbook-"
"synapse.md#synapse--openid-connect-for-single-sign-on), you will need to "
"migrate your OIDC configuration to MAS by adding an [Upstream OAuth2 "
"configuration](#upstream-oauth2-configuration)."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:72
msgid ""
"⚠️ A [compatibility layer](https://element-hq.github.io/matrix-"
"authentication-service/setup/homeserver.html#set-up-the-compatibility-"
"layer) is installed - all `/_matrix/client/*/login` (etc.) requests will "
"be routed to MAS instead of going to the homeserver. This is done both "
"publicly (e.g. `https://matrix.example.com/_matrix/client/*/login`) and "
"on the internal Traefik entrypoint (e.g. `https://matrix-"
"traefik:8008/_matrix/client/*/login`) which helps addon services reach "
"the homeserver's Client-Server API. You typically don't need to do "
"anything to make this work, but it's good to be aware of it, especially "
"if you have a [custom webserver setup](./configuring-playbook-own-"
"webserver.md)."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:74
msgid ""
"✅ Your **existing login sessions will continue to work** (you won't get "
"logged out). Migration will require a bit of manual work and minutes of "
"downtime, but it's not too bad."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:76
msgid ""
"✅ Various clients ([Cinny](./configuring-playbook-client-cinny.md), "
"[Element Web](./configuring-playbook-client-element-web.md), Element X, "
"FluffyChat) will be able to use the **new SSO-based login flow** provided"
" by Matrix Authentication Service"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:78
msgid ""
"✅ The **old login flow** (called `m.login.password`) **will still "
"continue to work**, so clients (old Element Web, etc.) and bridges/bots "
"that don't support the new OIDC-based login flow will still work. Going "
"through the old login flow does not require users to have a verified "
"email address, as [is the case](https://github.com/element-hq/matrix-"
"authentication-service/issues/1505) for the new SSO-based login flow."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:80
msgid ""
"✅ [Registering users](./registering-users.md) via **the playbook's "
"`register-user` tag remains unchanged**. The playbook automatically does "
"the right thing regardless of homeserver implementation (Synapse, "
"Dendrite, etc.) and whether MAS is enabled or not. When MAS is enabled, "
"the playbook will forward user-registration requests to MAS. Registering "
"users via the command-line is no longer done via the "
"`/matrix/synapse/bin/register` script, but via `/matrix/matrix-"
"authentication-service/bin/register-user`."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:82
msgid ""
"✅ Users that are prepared by the playbook (for bots, bridges, etc.) will "
"continue to be registered automatically as expected. The playbook "
"automatically does the right thing regardless of homeserver "
"implementation (Synapse, Dendrite, etc.) and whether MAS is enabled or "
"not. When MAS is enabled, the playbook will forward user-registration "
"requests to MAS."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:84
msgid "Installation flows"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:86
msgid "New homeserver"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:88
msgid ""
"For new homeservers (which don't have any users in their Synapse database"
" yet), follow the [Adjusting the playbook configuration](#adjusting-the-"
"playbook-configuration) instructions and then proceed with "
"[Installing](#installing)."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:90
msgid "Existing homeserver"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:92
msgid ""
"Other homeserver implementations ([Dendrite](./configuring-playbook-"
"dendrite.md), [Conduit](./configuring-playbook-conduit.md), etc.) do not "
"support integrating wtih Matrix Authentication Service yet."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:94
msgid "For existing Synapse homeservers:"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:96
msgid ""
"when following the [Adjusting the playbook configuration](#adjusting-the-"
"playbook-configuration) instructions, make sure to **disable the "
"integration between Synapse and MAS** by **uncommenting** the "
"`matrix_authentication_service_migration_in_progress: true` line as "
"described in the [Marking an existing homeserver for migration](#marking-"
"an-existing-homeserver-for-migration) section below."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:98
msgid ""
"then follow the [Migrating an existing Synapse homeserver to Matrix "
"Authentication Service](#migrating-an-existing-synapse-homeserver-to-"
"matrix-authentication-service) instructions to perform the installation "
"and migration"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:100
msgid "Adjusting the playbook configuration"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:102
msgid ""
"To enable Matrix Authentication Service, add the following configuration "
"to your `inventory/host_vars/matrix.example.com/vars.yml` file:"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:116
msgid ""
"In the sub-sections that follow, we'll cover some additional "
"configuration options that you may wish to adjust."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:118
msgid ""
"There are many other configuration options available. Consult the "
"[`defaults/main.yml` file](../roles/custom/matrix-authentication-"
"service/defaults/main.yml) in the [matrix-authentication-service "
"role](../roles/custom/matrix-authentication-service/) to discover them."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:120
msgid "Adjusting the Matrix Authentication Service URL"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:122
msgid ""
"By default, this playbook installs the Matrix Authentication Service on "
"the `matrix.` subdomain, at the `/auth` path "
"(https://matrix.example.com/auth). This makes it easy to install it, "
"because it **doesn't require additional DNS records to be set up**. If "
"that's okay, you can skip this section."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:124
msgid ""
"By tweaking the `matrix_authentication_service_hostname` and "
"`matrix_authentication_service_path_prefix` variables, you can easily "
"make the service available at a **different hostname and/or path** than "
"the default one."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:126
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:149
msgid ""
"Example additional configuration for your "
"`inventory/host_vars/matrix.example.com/vars.yml` file:"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:134
msgid "Marking an existing homeserver for migration"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:136
msgid ""
"The [configuration above](#adjusting-the-playbook-configuration) "
"instructs existing users wishing to migrate to add "
"`matrix_authentication_service_migration_in_progress: true` to their "
"configuration."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:138
msgid ""
"This is done temporarily. The migration steps are described in more "
"detail in the [Migrating an existing Synapse homeserver to Matrix "
"Authentication Service](#migrating-an-existing-synapse-homeserver-to-"
"matrix-authentication-service) section below."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:140
msgid "Upstream OAuth2 configuration"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:142
msgid ""
"To make Matrix Authentication Service delegate to an existing upstream "
"OAuth 2.0/OIDC provider, you can use its [`upstream_oauth2.providers` "
"setting](https://element-hq.github.io/matrix-authentication-"
"service/reference/configuration.html#upstream_oauth2providers)."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:144
msgid ""
"The playbook exposes a "
"`matrix_authentication_service_config_upstream_oauth2_providers` variable"
" for controlling this setting."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:261
msgid ""
"💡 Refer to the [`upstream_oauth2.providers` setting](https://element-"
"hq.github.io/matrix-authentication-"
"service/reference/configuration.html#upstream_oauth2providers) for the "
"most up-to-date schema and example for providers. The value shown above "
"here may be out of date."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:263
msgid ""
"⚠️ The syntax for existing [OIDC providers configured in Synapse"
"](./configuring-playbook-synapse.md#synapse--openid-connect-for-single-"
"sign-on) is slightly different, so you will need to adjust your "
"configuration when switching from Synapse OIDC to MAS upstream OAuth2."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:265
msgid ""
"⚠️ When [migrating an existing homeserver](#migrating-an-existing-"
"synapse-homeserver-to-matrix-authentication-service) which contains OIDC-"
"sourced users, you will need to:"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:267
msgid ""
"[Configure upstream OIDC provider mapping for syn2mas](#configuring-"
"upstream-oidc-provider-mapping-for-syn2mas)"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:268
msgid ""
"go through the [migrating an existing homeserver](#migrating-an-existing-"
"synapse-homeserver-to-matrix-authentication-service) process"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:269
msgid ""
"remove all Synapse OIDC-related configuration (`matrix_synapse_oidc_*`) "
"to prevent it being in conflict with the MAS OIDC configuration"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:271
msgid "Adjusting DNS records"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:273
msgid ""
"If you've changed the default hostname, **you may need to adjust your "
"DNS** records to point the Matrix Authentication Service domain to the "
"Matrix server."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:275
msgid "See [Configuring DNS](configuring-dns.md) for details about DNS changes."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:277
msgid ""
"If you've decided to use the default hostname, you won't need to do any "
"extra DNS configuration."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:279
msgid "Installing"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:281
msgid ""
"Now that you've [adjusted the playbook configuration](#adjusting-the-"
"playbook-configuration) and [your DNS records](#adjusting-dns-records), "
"you can run the playbook with [playbook tags](playbook-tags.md) as below:"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:288
msgid "**Notes**:"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:290
msgid ""
"The shortcut commands with the [`just` program](just.md) are also "
"available: `just install-all` or `just setup-all`"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:292
msgid ""
"`just install-all` is useful for maintaining your setup quickly ([2x-5x "
"faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-"
"runtime) than `just setup-all`) when its components remain unchanged. If "
"you adjust your `vars.yml` to remove other components, you'd need to run "
"`just setup-all`, or these components will still remain installed. Note "
"these shortcuts run the `ensure-matrix-users-created` tag too."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:294
msgid ""
"If you're in the process of migrating an existing Synapse homeserver to "
"MAS, you should now follow the rest of the steps in the [Migrating an "
"existing Synapse homeserver to Matrix Authentication Service](#migrating-"
"an-existing-synapse-homeserver-to-matrix-authentication-service) guide."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:296
msgid ""
"💡 After installation, you should [verify that Matrix Authentication "
"Service is installed correctly](#verify-that-matrix-authentication-"
"service-is-installed-correctly)."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:298
msgid "Migrating an existing Synapse homeserver to Matrix Authentication Service"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:300
msgid ""
"Our migration guide is loosely based on the upstream [Migrating an "
"existing homeserver](https://element-hq.github.io/matrix-authentication-"
"service/setup/migration.html) guide."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:302
msgid ""
"Migration is done via a tool called `syn2mas`, which the playbook could "
"run for you (in a container)."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:304
msgid "The installation + migration steps are like this:"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:306
msgid ""
"[Adjust your configuration](#adjusting-the-playbook-configuration) to "
"**disable the integration between the homeserver and MAS**. This is done "
"by **uncommenting** the "
"`matrix_authentication_service_migration_in_progress: true` line."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:308
msgid "Perform the initial [installation](#installing). At this point:"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:310
msgid ""
"Matrix Authentication Service will be installed. Its database will be "
"empty, so it cannot validate existing access tokens or authentication "
"users yet."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:312
msgid ""
"The homeserver will still continue to use its local database for "
"validating existing access tokens."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:314
msgid ""
"Various [compatibility layer URLs](https://element-hq.github.io/matrix-"
"authentication-service/setup/homeserver.html#set-up-the-compatibility-"
"layer) are not yet installed. New login sessions will still be forwarded "
"to the homeserver, which is capable of completing them."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:316
msgid ""
"The `matrix-user-creator` role would be suppressed, so that it doesn't "
"automatically attempt to create users (for bots, etc.) in the MAS "
"database. These user accounts likely already exist in Synapse's user "
"database and could be migrated over (via syn2mas, as per the steps "
"below), so creating them in the MAS database would have been unnecessary "
"and potentially problematic (conflicts during the syn2mas migration)."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:318
msgid ""
"Consider taking a full [backup of your Postgres database](./maintenance-"
"postgres.md#backing-up-postgresql). This is done just in case. The "
"**syn2mas migration tool does not delete any data**, so it should be "
"possible to revert to your previous setup by merely disabling MAS and re-"
"running the playbook (no need to restore a Postgres backup). However, do "
"note that as users start logging in (creating new login sessions) via the"
" new MAS setup, disabling MAS and reverting back to the Synapse user "
"database will cause these new sessions to break."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:320
msgid ""
"[Migrate your data from Synapse to Matrix Authentication Service using "
"syn2mas](#migrate-your-data-from-synapse-to-matrix-authentication-"
"service-using-syn2mas)"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:322
msgid ""
"[Adjust your configuration](#adjusting-the-playbook-configuration) again,"
" to:"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:324
msgid ""
"remove the `matrix_authentication_service_migration_in_progress: false` "
"line"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:326
msgid ""
"if you had been using [OIDC providers configured in Synapse"
"](./configuring-playbook-synapse.md#synapse--openid-connect-for-single-"
"sign-on), remove all Synapse OIDC-related configuration "
"(`matrix_synapse_oidc_*`) to prevent it being in conflict with the MAS "
"OIDC configuration"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:328
msgid "Perform the [installation](#installing) again. At this point:"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:330
msgid "The homeserver will start delegating authentication to MAS."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:332
msgid ""
"The compatibility layer URLs will be installed. New login sessions will "
"be completed by MAS."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:334
msgid ""
"[Verify that Matrix Authentication Service is installed correctly"
"](#verify-that-matrix-authentication-service-is-installed-correctly)"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:336
msgid ""
"Migrate your data from Synapse to Matrix Authentication Service using "
"syn2mas"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:338
msgid ""
"We **don't** ask you to [run the `syn2mas` migration advisor "
"command](https://element-hq.github.io/matrix-authentication-"
"service/setup/migration.html#run-the-migration-advisor), because it only "
"gives you the green light if your Synapse configuration "
"(`homeserver.yaml`) is configured in a way that's compatible with MAS "
"(delegating authentication to MAS; disabling Synapse's password config; "
"etc.). Until we migrate your data with the `syn2mas` tool, we "
"intentionally avoid doing these changes to allow existing user sessions "
"to work."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:340
msgid ""
"You can invoke the `syn2mas` tool via the playbook by running the "
"playbook's `matrix-authentication-service-syn2mas` tag. We recommend "
"first doing a [dry-run](#performing-a-syn2mas-dry-run) and then a [real "
"migration](#performing-a-real-syn2mas-migration)."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:342
msgid "Configuring syn2mas"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:344
msgid ""
"If you're using [OIDC with Synapse](./configuring-playbook-"
"synapse.md#synapse--openid-connect-for-single-sign-on), you will need to "
"[configure the upstream OIDC provider mapping for syn2mas](#configuring-"
"upstream-oidc-provider-mapping-for-syn2mas)."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:346
msgid ""
"If you only have local (non-OIDC) users in your Synapse database, you can"
" likely run `syn2mas` as-is (without doing additional configuration "
"changes)."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:348
msgid ""
"When you're done with potentially configuring `syn2mas`, proceed to doing"
" a [dry-run](#performing-a-syn2mas-dry-run) and then a [real "
"migration](#performing-a-real-syn2mas-migration)."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:350
msgid "Configuring upstream OIDC provider mapping for syn2mas"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:352
msgid ""
"If you have existing OIDC users in your Synapse user database (which will"
" be the case when using [OIDC with Synapse](./configuring-playbook-"
"synapse.md#synapse--openid-connect-for-single-sign-on)), you may need to "
"pass an additional `--upstreamProviderMapping` argument to the `syn2mas` "
"tool to tell it which provider (on the Synapse side) maps to which other "
"provider on the MAS side."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:354
msgid "If you don't do this, `syn2mas` would report errors like this one:"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:356
msgid ""
"[FATAL] migrate - [Failed to import external id 4264b0f0-4f11-4ddd-aedb-"
"b500e4d07c25 with oidc-keycloak for user @alice:example.com: Error: "
"Unknown upstream provider oidc-keycloak]"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:358
msgid "Below is an example situation and a guide for how to solve it."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:360
msgid ""
"If in `matrix_synapse_oidc_providers` your provider `idp_id` is (was) "
"named `keycloak`, in the Synapse database users would be associated with "
"the `oidc-keycloak` provider (note the `oidc-` prefix that was added "
"automatically by Synapse to your `idp_id` value)."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:362
msgid ""
"The same OIDC provider may have an `id` of `01HFVBY12TMNTYTBV8W921M5FA` "
"on the MAS side, as defined in "
"`matrix_authentication_service_config_upstream_oauth2_providers` (see the"
" [Upstream OAuth2 configuration](#upstream-oauth2-configuration) section "
"above)."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:364
msgid ""
"To tell `syn2mas` how the Synapse-configured OIDC provider maps to the "
"new MAS-configured OIDC provider, add this additional configuration to "
"your `inventory/host_vars/matrix.example.com/vars.yml` file:"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:373
msgid "Performing a syn2mas dry-run"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:375
msgid ""
"Having [configured syn2mas](#configuring-syn2mas), we recommend doing a "
"[dry-run](https://en.wikipedia.org/wiki/Dry_run_(testing)) first to "
"verify that everything will work out as expected."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:377
msgid "A dry-run would not cause downtime, because it avoids stopping Synapse."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:379
msgid "To perform a dry-run, run:"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:385
msgid ""
"Observe the command output (especially the last line of the syn2mas "
"output). If you are confident that the migration will work out as "
"expected, you can proceed with a [real migration](#performing-a-real-"
"syn2mas-migration)."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:387
msgid "Performing a real syn2mas migration"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:389
msgid "Before performing a real migration make sure:"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:391
msgid "you've familiarized yourself with the [expectations](#expectations)"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:393
msgid "you've performed a Postgres backup, just in case"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:395
msgid ""
"you're aware of the irreversibility of the migration process without "
"disruption after users have created new login sessions via the new MAS "
"setup"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:397
msgid ""
"you've [configured syn2mas](#configuring-syn2mas), especially if you've "
"used [OIDC with Synapse](./configuring-playbook-synapse.md#synapse"
"--openid-connect-for-single-sign-on)"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:399
msgid ""
"you've performed a [syn2mas dry-run](#performing-a-syn2mas-dry-run) and "
"don't see any issues in its output"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:401
msgid ""
"To perform a real migration, run the `matrix-authentication-service-"
"syn2mas` tag **without** the "
"`matrix_authentication_service_syn2mas_dry_run` variable:"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:407
msgid ""
"Having performed a `syn2mas` migration once, trying to do it again will "
"report errors for users that were already migrated (e.g. \"Error: Unknown"
" upstream provider oauth-delegated\")."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:409
msgid "Verify that Matrix Authentication Service is installed correctly"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:411
msgid ""
"After [installation](#installing), run the `doctor` subcommand of the "
"[`mas-cli` command-line tool](https://element-hq.github.io/matrix-"
"authentication-service/reference/cli/index.html) to verify that MAS is "
"installed correctly."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:413
msgid "You can do it:"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:415
msgid ""
"either via the Ansible playbook's `matrix-authentication-service-mas-cli-"
"doctor` tag: `just run-tags matrix-authentication-service-mas-cli-doctor`"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:417
msgid ""
"or by running the `mas-cli` script on the server (which invokes the `mas-"
"cli` tool inside a container): `/matrix/matrix-authentication-service/bin"
"/mas-cli doctor`"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:419
msgid "If successful, you should see some output that looks like this:"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:431
msgid "Management"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:433
msgid ""
"You can use the [`mas-cli` command-line tool](https://element-"
"hq.github.io/matrix-authentication-service/reference/cli/index.html) "
"(exposed via the `/matrix/matrix-authentication-service/bin/mas-cli` "
"script) to perform administrative tasks against MAS."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:435
msgid "This documentation page already mentions:"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:437
msgid ""
"the `mas-cli doctor` sub-command in the [Verify that Matrix "
"Authentication Service is installed correctly](#verify-that-matrix-"
"authentication-service-is-installed-correctly) section, which you can run"
" via the CLI and via the Ansible playbook's `matrix-authentication-"
"service-mas-cli-doctor` tag"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:439
msgid ""
"the `mas-cli manage register-user` sub-command in the [Registering users"
"](./registering-users.md) documentation"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:441
msgid ""
"There are other sub-commands available. Run `/matrix/matrix-"
"authentication-service/bin/mas-cli` to get an overview."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:443
msgid "User registration"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:445
msgid ""
"After Matrix Authentication Service is [installed](#installing), users "
"need to be managed there (unless you're managing them in an [upstream "
"OAuth2 provider](#upstream-oauth2-configuration))."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:447
msgid ""
"You can register new users as described in the [Registering users"
"](./registering-users.md) documentation (via `mas-cli manage register-"
"user` or the Ansible playbook's `register-user` tag)."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:449
msgid "Working around email deliverability issues"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:451
msgid ""
"Because Matrix Authentication Service [still insists](https://github.com"
"/element-hq/matrix-authentication-service/issues/1505) on having a "
"verified email address for each user, you may need to work around email "
"deliverability issues if [your email-sending configuration"
"](./configuring-playbook-email.md) is not working."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:453
msgid ""
"Matrix Authentication Service attempts to verify email addresses by "
"sending a verification email to the address specified by the user "
"whenever they log in to an account without a verified email address."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:455
msgid ""
"If email delivery is not working, **you can retrieve the email "
"configuration code from the Matrix Authentication Service's logs** "
"(`journalctl -fu matrix-authentication-service`)."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:457
msgid ""
"Alternatively, you can use the [`mas-cli` management tool](#management) "
"to manually verify email addresses for users. Example: `/matrix/matrix-"
"authentication-service/bin/mas-cli manage verify-email some.username "
"email@example.com`"
msgstr ""