Initial work on support for matrix-corporal v2
This commit is contained in:
Slavi Pantaleev
parent
6f51c1ed96
commit
28d86e3aaa
|
|
@ -11,7 +11,9 @@ The playbook can install and configure [matrix-corporal](https://github.com/devt
|
|||
In short, it's a sort of automation and firewalling service, which is helpful if you're instaling Matrix services in a controlled corporate environment.
|
||||
See that project's documentation to learn what it does and why it might be useful to you.
|
||||
|
||||
If you decide that you'd like to let this playbook install it for you, you'd need to also [set up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md).
|
||||
If you decide that you'd like to let this playbook install it for you, you'd need to also:
|
||||
- (required) [set up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md)
|
||||
- (optional, but encouraged) [set up the REST authentication password provider module](configuring-playbook-rest-auth.md)
|
||||
|
||||
|
||||
## Playbook configuration
|
||||
|
|
@ -24,6 +26,15 @@ You would then need some configuration like this:
|
|||
matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
|
||||
matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: YOUR_SHARED_SECRET_GOES_HERE
|
||||
|
||||
# When matrix-corporal is acting as the primary authentication provider,
|
||||
# you need to set up the REST authentication password provider module
|
||||
# to make Interactive User Authentication work.
|
||||
# This is necessary for certain user actions (like E2EE, device management, etc).
|
||||
#
|
||||
# See configuring-playbook-rest-auth.md
|
||||
matrix_synapse_ext_password_provider_rest_auth_enabled: true
|
||||
matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-corporal:41080/_matrix/corporal"
|
||||
|
||||
matrix_corporal_enabled: true
|
||||
|
||||
matrix_corporal_policy_provider_config: |
|
||||
|
|
@ -40,9 +51,9 @@ matrix_corporal_policy_provider_config: |
|
|||
matrix_corporal_http_api_enabled: true
|
||||
matrix_corporal_http_api_auth_token: "AUTH_TOKEN_HERE"
|
||||
|
||||
# If you need to change the reconciliator user's id from the default (matrix-corporal)..
|
||||
# If you need to change matrix-corporal's user id from the default (matrix-corporal).
|
||||
# In any case, you need to make sure this Matrix user is created on your server.
|
||||
matrix_corporal_reconciliation_user_id_local_part: "matrix-corporal"
|
||||
matrix_corporal_corporal_user_id_local_part: "matrix-corporal"
|
||||
|
||||
# Because Corporal peridoically performs lots of user logins from the same IP,
|
||||
# you may need raise Synapse's ratelimits.
|
||||
|
|
|
|||
|
|
@ -674,6 +674,9 @@ matrix_corporal_matrix_homeserver_api_endpoint: "http://matrix-synapse:8008"
|
|||
|
||||
matrix_corporal_matrix_auth_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
|
||||
|
||||
# This is only useful if there's REST auth provider to make use of it.
|
||||
matrix_corporal_http_gateway_internal_rest_auth_enabled: "{{ matrix_synapse_ext_password_provider_rest_auth_enabled }}"
|
||||
|
||||
matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registration_shared_secret }}"
|
||||
|
||||
######################################################################
|
||||
|
|
|
|||
|
|
@ -24,7 +24,7 @@ matrix_corporal_systemd_required_services_list: ['docker.service']
|
|||
|
||||
matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}"
|
||||
matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else 'docker.io/' }}"
|
||||
matrix_corporal_docker_image_tag: "1.11.0"
|
||||
matrix_corporal_docker_image_tag: "2.0.0"
|
||||
matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}"
|
||||
|
||||
matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal"
|
||||
|
|
@ -50,10 +50,16 @@ matrix_corporal_matrix_registration_shared_secret: ""
|
|||
matrix_corporal_matrix_timeout_milliseconds: 45000
|
||||
|
||||
matrix_corporal_reconciliation_retry_interval_milliseconds: 30000
|
||||
matrix_corporal_reconciliation_user_id_local_part: "matrix-corporal"
|
||||
matrix_corporal_corporal_user_id_local_part: "matrix-corporal"
|
||||
|
||||
matrix_corporal_http_gateway_timeout_milliseconds: 60000
|
||||
|
||||
# If enabled, matrix-corporal exposes a `POST /_matrix/corporal/_matrix-internal/identity/v1/check_credentials` API
|
||||
# on the gateway (Client-Server API) server.
|
||||
# This API can then be used together with the REST Auth password provider by pointing it to matrix-corporal (e.g. `http://matrix-corporal:41080/_matrix/corporal`).
|
||||
# Doing so allows Interactive Authentication to work.
|
||||
matrix_corporal_http_gateway_internal_rest_auth_enabled: false
|
||||
|
||||
matrix_corporal_http_api_enabled: false
|
||||
matrix_corporal_http_api_auth_token: ""
|
||||
matrix_corporal_http_api_timeout_milliseconds: 15000
|
||||
|
|
|
|||
|
|
@ -16,7 +16,6 @@
|
|||
msg: "The Matrix Corporal HTTP API is enabled (`matrix_corporal_http_api_enabled`), but no auth token has been set in `matrix_corporal_http_api_auth_token`"
|
||||
when: "matrix_corporal_http_api_enabled|bool and matrix_corporal_http_api_auth_token == ''"
|
||||
|
||||
|
||||
- name: (Deprecation) Catch and report renamed corporal variables
|
||||
fail:
|
||||
msg: >-
|
||||
|
|
@ -25,3 +24,4 @@
|
|||
when: "item.old in vars"
|
||||
with_items:
|
||||
- {'old': 'matrix_corporal_container_expose_ports', 'new': '<superseded by matrix_corporal_container_http_gateway_host_bind_port and matrix_corporal_container_http_api_host_bind_port>'}
|
||||
- {'old': 'matrix_corporal_reconciliation_user_id_local_part', 'new': 'matrix_corporal_corporal_user_id_local_part'}
|
||||
|
|
|
|||
|
|
@ -7,14 +7,20 @@
|
|||
"TimeoutMilliseconds": {{ matrix_corporal_matrix_timeout_milliseconds }}
|
||||
},
|
||||
|
||||
"Corporal": {
|
||||
"UserId": "@{{ matrix_corporal_corporal_user_id_local_part }}:{{ matrix_domain }}"
|
||||
},
|
||||
|
||||
"Reconciliation": {
|
||||
"UserId": "@{{ matrix_corporal_reconciliation_user_id_local_part }}:{{ matrix_domain }}",
|
||||
"RetryIntervalMilliseconds": {{ matrix_corporal_reconciliation_retry_interval_milliseconds }}
|
||||
},
|
||||
|
||||
"HttpGateway": {
|
||||
"ListenAddress": "0.0.0.0:41080",
|
||||
"TimeoutMilliseconds": {{ matrix_corporal_http_gateway_timeout_milliseconds }}
|
||||
"TimeoutMilliseconds": {{ matrix_corporal_http_gateway_timeout_milliseconds }},
|
||||
"InternalRESTAuth": {
|
||||
"Enabled": {{ matrix_corporal_http_gateway_internal_rest_auth_enabled|to_json }}
|
||||
}
|
||||
},
|
||||
|
||||
"HttpApi": {
|
||||
|
|
|
|||
Loading…
Reference in New Issue