From 187dedf9204334043c330b4062f0dc69e15993d9 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Tue, 31 Dec 2019 21:35:37 +0100 Subject: [PATCH 01/17] Duplicate matrix-mxisd role for matrix-ma1sd fork (adapting strings and URLs) --- ...mxisd.md => configuring-playbook-ma1sd.md} | 0 roles/matrix-ma1sd/defaults/main.yml | 175 +++++++++++++++++ .../tasks/init.yml | 8 +- roles/matrix-ma1sd/tasks/main.yml | 21 +++ roles/matrix-ma1sd/tasks/self_check_ma1sd.yml | 21 +++ roles/matrix-ma1sd/tasks/setup_ma1sd.yml | 137 ++++++++++++++ roles/matrix-ma1sd/tasks/validate_config.yml | 57 ++++++ .../templates/systemd/matrix-ma1sd.service.j2 | 46 +++++ .../vars/main.yml | 4 +- roles/matrix-mxisd/defaults/main.yml | 178 ------------------ roles/matrix-mxisd/tasks/main.yml | 21 --- roles/matrix-mxisd/tasks/self_check_mxisd.yml | 21 --- roles/matrix-mxisd/tasks/setup_mxisd.yml | 137 -------------- roles/matrix-mxisd/tasks/validate_config.yml | 57 ------ .../templates/systemd/matrix-mxisd.service.j2 | 46 ----- 15 files changed, 463 insertions(+), 466 deletions(-) rename docs/{configuring-playbook-mxisd.md => configuring-playbook-ma1sd.md} (100%) create mode 100644 roles/matrix-ma1sd/defaults/main.yml rename roles/{matrix-mxisd => matrix-ma1sd}/tasks/init.yml (70%) create mode 100644 roles/matrix-ma1sd/tasks/main.yml create mode 100644 roles/matrix-ma1sd/tasks/self_check_ma1sd.yml create mode 100644 roles/matrix-ma1sd/tasks/setup_ma1sd.yml create mode 100644 roles/matrix-ma1sd/tasks/validate_config.yml create mode 100644 roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 rename roles/{matrix-mxisd => matrix-ma1sd}/vars/main.yml (51%) delete mode 100644 roles/matrix-mxisd/defaults/main.yml delete mode 100644 roles/matrix-mxisd/tasks/main.yml delete mode 100644 roles/matrix-mxisd/tasks/self_check_mxisd.yml delete mode 100644 roles/matrix-mxisd/tasks/setup_mxisd.yml delete mode 100644 roles/matrix-mxisd/tasks/validate_config.yml delete mode 100644 roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 diff --git a/docs/configuring-playbook-mxisd.md b/docs/configuring-playbook-ma1sd.md similarity index 100% rename from docs/configuring-playbook-mxisd.md rename to docs/configuring-playbook-ma1sd.md diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml new file mode 100644 index 000000000..f3f604d3f --- /dev/null +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -0,0 +1,175 @@ +# ma1sd is a Federated Matrix Identity Server +# See: https://github.com/ma1uta/ma1sd + +matrix_ma1sd_enabled: true + +matrix_ma1sd_docker_image: "ma1uta/ma1sd:1.4.6" +matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}" + +matrix_ma1sd_base_path: "{{ matrix_base_data_path }}/ma1sd" +matrix_ma1sd_config_path: "{{ matrix_ma1sd_base_path }}/config" +matrix_ma1sd_data_path: "{{ matrix_ma1sd_base_path }}/data" + +# Controls whether the matrix-ma1sd container exposes its HTTP port (tcp/8090 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8090"), or empty string to not expose. +matrix_ma1sd_container_http_host_bind_port: '' + +# A list of extra arguments to pass to the container +matrix_ma1sd_container_extra_arguments: [] + +# List of systemd services that matrix-ma1sd.service depends on +matrix_ma1sd_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-ma1sd.service wants +matrix_ma1sd_systemd_wanted_services_list: [] + +# Your identity server is private by default. +# To ensure maximum discovery, you can make your identity server +# also forward lookups to the central matrix.org Identity server +# (at the cost of potentially leaking all your contacts information). +# Enabling this is discouraged. Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/features/identity.md#lookups +matrix_ma1sd_matrixorg_forwarding_enabled: false + +# ma1sd has serveral supported identity stores. +# One of them is storing identities directly in Synapse's database. +# Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/stores/synapse.md +matrix_ma1sd_synapsesql_enabled: false +matrix_ma1sd_synapsesql_type: "" +matrix_ma1sd_synapsesql_connection: "" + +# Setting up email-sending settings is required for using ma1sd. +matrix_ma1sd_threepid_medium_email_identity_from: "matrix@{{ matrix_domain }}" +matrix_ma1sd_threepid_medium_email_connectors_smtp_host: "" +matrix_ma1sd_threepid_medium_email_connectors_smtp_port: 587 +matrix_ma1sd_threepid_medium_email_connectors_smtp_tls: 1 +matrix_ma1sd_threepid_medium_email_connectors_smtp_login: "" +matrix_ma1sd_threepid_medium_email_connectors_smtp_password: "" + +# DNS overwrites are useful for telling ma1sd how it can reach the homeserver directly. +# Useful when reverse-proxying certain URLs (e.g. `/_matrix/client/r0/user_directory/search`) to ma1sd, +# so that ma1sd can rewrite the original URL to one that would reach the homeserver. +matrix_ma1sd_dns_overwrite_enabled: false +matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" +matrix_ma1sd_dns_overwrite_homeserver_client_value: "http://matrix-synapse:8008" + +# Override the default email templates +# To use this, fill in the template variables with the full desired template as a multi-line YAML variable +# +# More info: +# https://github.com/ma1uta/ma1sd/blob/master/docs/threepids/notification/template-generator.md +# https://github.com/ma1uta/ma1sd/tree/master/src/main/resources/threepids/email +matrix_ma1sd_threepid_medium_email_custom_templates_enabled: false +matrix_ma1sd_threepid_medium_email_custom_invite_template: "" +matrix_ma1sd_threepid_medium_email_custom_session_validation_template: "" +matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template: "" +matrix_ma1sd_threepid_medium_email_custom_matrixid_template: "" + +# Controls whether the self-check feature should validate SSL certificates. +matrix_ma1sd_self_check_validate_certificates: true + +# Controls ma1sd logging verbosity for troubleshooting. +# +# According to: https://github.com/ma1uta/ma1sd/blob/master/docs/troubleshooting.md#increase-verbosity +matrix_ma1sd_verbose_logging: false + +# Default ma1sd configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_ma1sd_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_ma1sd_configuration_yaml: | + #jinja2: lstrip_blocks: True + matrix: + domain: {{ matrix_domain }} + + server: + name: {{ matrix_server_fqn_matrix }} + + key: + path: /var/ma1sd/sign.key + + storage: + provider: + sqlite: + database: /var/ma1sd/ma1sd.db + + {% if matrix_ma1sd_dns_overwrite_enabled %} + dns: + overwrite: + homeserver: + client: + - name: {{ matrix_ma1sd_dns_overwrite_homeserver_client_name }} + value: {{ matrix_ma1sd_dns_overwrite_homeserver_client_value }} + {% endif %} + + {% if matrix_ma1sd_matrixorg_forwarding_enabled %} + forward: + servers: ['matrix-org'] + {% endif %} + + threepid: + medium: + email: + identity: + from: {{ matrix_ma1sd_threepid_medium_email_identity_from }} + connectors: + smtp: + host: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_host }} + port: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_port }} + tls: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_tls }} + login: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_login }} + password: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_password }} + {% if matrix_ma1sd_threepid_medium_email_custom_templates_enabled %} + generators: + template: + {% if matrix_ma1sd_threepid_medium_email_custom_invite_template %} + invite: '/var/ma1sd/invite-template.eml' + {% endif %} + {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template or matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template %} + session: + {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template %} + validation: '/var/ma1sd/validate-template.eml' + {% endif %} + {% if matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template %} + unbind: + frandulent: '/var/ma1sd/unbind-fraudulent.eml' + {% endif %} + {% endif %} + {% if matrix_ma1sd_threepid_medium_email_custom_matrixid_template %} + generic: + matrixId: '/var/ma1sd/mxid-template.eml' + {% endif %} + {% endif %} + + synapseSql: + enabled: {{ matrix_ma1sd_synapsesql_enabled }} + type: {{ matrix_ma1sd_synapsesql_type }} + connection: {{ matrix_ma1sd_synapsesql_connection }} + +matrix_ma1sd_configuration_extension_yaml: | + # Your custom YAML configuration for ma1sd goes here. + # This configuration extends the default starting configuration (`matrix_ma1sd_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_ma1sd_configuration_yaml`. + # + # Example configuration extension follows: + # + # ldap: + # enabled: true + # connection: + # host: ldapHostnameOrIp + # tls: false + # port: 389 + # baseDNs: ['OU=Users,DC=example,DC=org'] + # bindDn: CN=My Ma1sd User,OU=Users,DC=example,DC=org + # bindPassword: TheUserPassword + +matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml|from_yaml if matrix_ma1sd_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final ma1sd configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_ma1sd_configuration_yaml`. +matrix_ma1sd_configuration: "{{ matrix_ma1sd_configuration_yaml|from_yaml|combine(matrix_ma1sd_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-mxisd/tasks/init.yml b/roles/matrix-ma1sd/tasks/init.yml similarity index 70% rename from roles/matrix-mxisd/tasks/init.yml rename to roles/matrix-ma1sd/tasks/init.yml index dcf1d0532..31a2e28f9 100644 --- a/roles/matrix-mxisd/tasks/init.yml +++ b/roles/matrix-ma1sd/tasks/init.yml @@ -1,10 +1,10 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mxisd'] }}" - when: matrix_mxisd_enabled|bool + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ma1sd'] }}" + when: matrix_ma1sd_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters # for self buildig it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: - msg: "To self build Mxisd image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mxisd_container_image_self_build" + msg: "To self build ma1sd image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ma1sd_container_image_self_build" diff --git a/roles/matrix-ma1sd/tasks/main.yml b/roles/matrix-ma1sd/tasks/main.yml new file mode 100644 index 000000000..f5ac34d65 --- /dev/null +++ b/roles/matrix-ma1sd/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_ma1sd_enabled|bool" + tags: + - setup-all + - setup-ma1sd + +- import_tasks: "{{ role_path }}/tasks/setup_ma1sd.yml" + tags: + - setup-all + - setup-ma1sd + +- import_tasks: "{{ role_path }}/tasks/self_check_ma1sd.yml" + delegate_to: 127.0.0.1 + become: false + when: "run_self_check|bool and matrix_ma1sd_enabled|bool" + tags: + - self-check diff --git a/roles/matrix-ma1sd/tasks/self_check_ma1sd.yml b/roles/matrix-ma1sd/tasks/self_check_ma1sd.yml new file mode 100644 index 000000000..2e0812630 --- /dev/null +++ b/roles/matrix-ma1sd/tasks/self_check_ma1sd.yml @@ -0,0 +1,21 @@ +--- + +- set_fact: + ma1sd_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/identity/api/v1" + +- name: Check ma1sd Identity Service + uri: + url: "{{ ma1sd_url_endpoint_public }}" + follow_redirects: none + validate_certs: "{{ matrix_ma1sd_self_check_validate_certificates }}" + register: result_ma1sd + ignore_errors: true + +- name: Fail if ma1sd Identity Service not working + fail: + msg: "Failed checking ma1sd is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ ma1sd_url_endpoint_public }}`). Is ma1sd running? Is port 443 open in your firewall? Full error: {{ result_ma1sd }}" + when: "result_ma1sd.failed or 'json' not in result_ma1sd" + +- name: Report working ma1sd Identity Service + debug: + msg: "ma1sd at `{{ matrix_server_fqn_matrix }}` is working (checked endpoint: `{{ ma1sd_url_endpoint_public }}`)" diff --git a/roles/matrix-ma1sd/tasks/setup_ma1sd.yml b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml new file mode 100644 index 000000000..483d7f9c0 --- /dev/null +++ b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml @@ -0,0 +1,137 @@ +--- + +# +# Tasks related to setting up ma1sd +# + +- name: Ensure ma1sd paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - { path: "{{ matrix_ma1sd_config_path }}", when: true } + - { path: "{{ matrix_ma1sd_data_path }}", when: true } + - { path: "{{ matrix_ma1sd_docker_src_files_path }}", when: "{{ matrix_ma1sd_container_image_self_build }}"} + when: matrix_ma1sd_enabled|bool and item.when + +- name: Ensure ma1sd image is pulled + docker_image: + name: "{{ matrix_ma1sd_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_ma1sd_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ma1sd_docker_image_force_pull }}" + when: matrix_ma1sd_enabled|bool and not matrix_ma1sd_container_image_self_build + +- block: + - name: Ensure gradle is installed for self-building (Debian) + apt: + name: + - gradle + state: present + update_cache: yes + when: (ansible_os_family == 'Debian') + + - name: Ensure gradle is installed for self-building (CentOS) + fail: + msg: "Installing gradle on CentOS is currently not supported, so self-building ma1sd cannot happen at this time" + when: ansible_distribution == 'CentOS' + + - name: Ensure gradle is installed for self-building (Archlinux) + pacman: + name: + - gradle + state: latest + update_cache: yes + when: ansible_distribution == 'Archlinux' + + - name: Ensure ma1sd repository is present on self-build + git: + repo: https://github.com/ma1uta/ma1sd.git + dest: "{{ matrix_ma1sd_docker_src_files_path }}" + version: "v{{ matrix_ma1sd_docker_image.split(':')[1] }}" + force: "yes" + + - name: Ensure ma1sd Docker image is built + shell: "./gradlew dockerBuild" + args: + chdir: "{{ matrix_ma1sd_docker_src_files_path }}" + when: "matrix_ma1sd_enabled|bool and matrix_ma1sd_container_image_self_build" + +- name: Ensure ma1sd config installed + copy: + content: "{{ matrix_ma1sd_configuration|to_nice_yaml }}" + dest: "{{ matrix_ma1sd_config_path }}/ma1sd.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + when: matrix_ma1sd_enabled|bool + +- name: Ensure custom templates are installed if any + copy: + content: "{{ item.value }}" + dest: "{{ matrix_ma1sd_data_path }}/{{ item.location }}" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'} + - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'} + - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template }}", location: 'unbind-fraudulent.eml'} + - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'} + when: "matrix_ma1sd_enabled|bool and matrix_ma1sd_threepid_medium_email_custom_templates_enabled|bool and item.value" + +- name: Ensure matrix-ma1sd.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-ma1sd.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-ma1sd.service" + mode: 0644 + register: matrix_ma1sd_systemd_service_result + when: matrix_ma1sd_enabled|bool + +- name: Ensure systemd reloaded after matrix-ma1sd.service installation + service: + daemon_reload: yes + when: "matrix_ma1sd_enabled|bool and matrix_ma1sd_systemd_service_result.changed" + +# +# Tasks related to getting rid of ma1sd (if it was previously enabled) +# + +- name: Check existence of matrix-ma1sd service + stat: + path: "{{ matrix_systemd_path }}/matrix-ma1sd.service" + register: matrix_ma1sd_service_stat + +- name: Ensure matrix-ma1sd is stopped + service: + name: matrix-ma1sd + state: stopped + daemon_reload: yes + register: stopping_result + when: "not matrix_ma1sd_enabled|bool and matrix_ma1sd_service_stat.stat.exists" + +- name: Ensure matrix-ma1sd.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-ma1sd.service" + state: absent + when: "not matrix_ma1sd_enabled|bool and matrix_ma1sd_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-ma1sd.service removal + service: + daemon_reload: yes + when: "not matrix_ma1sd_enabled|bool and matrix_ma1sd_service_stat.stat.exists" + +- name: Ensure Matrix ma1sd paths don't exist + file: + path: "{{ matrix_ma1sd_base_path }}" + state: absent + when: "not matrix_ma1sd_enabled|bool" + +- name: Ensure ma1sd Docker image doesn't exist + docker_image: + name: "{{ matrix_ma1sd_docker_image }}" + state: absent + when: "not matrix_ma1sd_enabled|bool" diff --git a/roles/matrix-ma1sd/tasks/validate_config.yml b/roles/matrix-ma1sd/tasks/validate_config.yml new file mode 100644 index 000000000..07a170065 --- /dev/null +++ b/roles/matrix-ma1sd/tasks/validate_config.yml @@ -0,0 +1,57 @@ +--- + +- name: (Deprecation) Warn about ma1sd variables that are not used anymore + fail: + msg: > + The `{{ item }}` variable defined in your configuration is not used by this playbook anymore! + You'll need to adapt to the new way of extending ma1sd configuration. + See the CHANGELOG and the `matrix_ma1sd_configuration_extension_yaml` variable for more information and examples. + when: "item in vars" + with_items: + - 'matrix_ma1sd_ldap_enabled' + - 'matrix_ma1sd_ldap_connection_host' + - 'matrix_ma1sd_ldap_connection_tls' + - 'matrix_ma1sd_ldap_connection_port' + - 'matrix_ma1sd_ldap_connection_baseDn' + - 'matrix_ma1sd_ldap_connection_baseDns' + - 'matrix_ma1sd_ldap_connection_bindDn' + - 'matrix_ma1sd_ldap_connection_bindPassword' + - 'matrix_ma1sd_ldap_filter' + - 'matrix_ma1sd_ldap_attribute_uid_type' + - 'matrix_ma1sd_ldap_attribute_uid_value' + - 'matrix_ma1sd_ldap_connection_bindPassword' + - 'matrix_ma1sd_ldap_attribute_name' + - 'matrix_ma1sd_ldap_attribute_threepid_email' + - 'matrix_ma1sd_ldap_attribute_threepid_msisdn' + - 'matrix_ma1sd_ldap_identity_filter' + - 'matrix_ma1sd_ldap_identity_medium' + - 'matrix_ma1sd_ldap_auth_filter' + - 'matrix_ma1sd_ldap_directory_filter' + - 'matrix_ma1sd_template_config' + +- name: Ensure ma1sd configuration does not contain any dot-notation keys + fail: + msg: > + Since version 1.3.0, ma1sd will not accept property-style configuration keys. + You have defined a key (`{{ item.key }}`) which contains a dot. + Instead, use nesting. See: https://github.com/kamax-matrix/mxisd/wiki/Upgrade-Notes#v130 + when: "'.' in item.key" + with_dict: "{{ matrix_ma1sd_configuration }}" + +- name: Fail if required ma1sd settings not defined + fail: + msg: > + You need to define a required configuration setting (`{{ item }}`) for using ma1sd. + when: "vars[item] == ''" + with_items: + - "matrix_ma1sd_threepid_medium_email_connectors_smtp_host" + + +- name: (Deprecation) Catch and report renamed ma1sd variables + fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_ma1sd_container_expose_port', 'new': ''} diff --git a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 new file mode 100644 index 000000000..b316fc2bc --- /dev/null +++ b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 @@ -0,0 +1,46 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix ma1sd Identity server +{% for service in matrix_ma1sd_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_ma1sd_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill matrix-ma1sd +ExecStartPre=-/usr/bin/docker rm matrix-ma1sd + +# ma1sd writes an SQLite shared library (libsqlitejdbc.so) to /tmp and executes it from there, +# so /tmp needs to be mounted with an exec option. +ExecStart=/usr/bin/docker run --rm --name matrix-ma1sd \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --tmpfs=/tmp:rw,exec,nosuid,size=10m \ + --network={{ matrix_docker_network }} \ + {% if matrix_ma1sd_container_http_host_bind_port %} + -p {{ matrix_ma1sd_container_http_host_bind_port }}:8090 \ + {% endif %} + {% if matrix_ma1sd_verbose_logging %} + -e MA1SD_LOG_LEVEL=debug \ + {% endif %} + -v {{ matrix_ma1sd_config_path }}:/etc/ma1sd:ro \ + -v {{ matrix_ma1sd_data_path }}:/var/ma1sd:rw \ + {% for arg in matrix_ma1sd_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_ma1sd_docker_image }} + +ExecStop=-/usr/bin/docker kill matrix-ma1sd +ExecStop=-/usr/bin/docker rm matrix-ma1sd +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-ma1sd + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-mxisd/vars/main.yml b/roles/matrix-ma1sd/vars/main.yml similarity index 51% rename from roles/matrix-mxisd/vars/main.yml rename to roles/matrix-ma1sd/vars/main.yml index f5fbf9ad9..dfaf58bdf 100644 --- a/roles/matrix-mxisd/vars/main.yml +++ b/roles/matrix-ma1sd/vars/main.yml @@ -1,5 +1,5 @@ --- # Doing `|from_yaml` when the extension contains nothing yields an empty string (""). -# We need to ensure it's a dictionary or `|combine` (when building `matrix_mxisd_configuration`) will fail later. -matrix_mxisd_configuration_extension: "{{ matrix_mxisd_configuration_extension_yaml|from_yaml if matrix_mxisd_configuration_extension_yaml|from_yaml else {} }}" \ No newline at end of file +# We need to ensure it's a dictionary or `|combine` (when building `matrix_ma1sd_configuration`) will fail later. +matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml|from_yaml if matrix_ma1sd_configuration_extension_yaml|from_yaml else {} }}" \ No newline at end of file diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml deleted file mode 100644 index 605f40281..000000000 --- a/roles/matrix-mxisd/defaults/main.yml +++ /dev/null @@ -1,178 +0,0 @@ -# mxisd is a Federated Matrix Identity Server -# See: https://github.com/kamax-matrix/mxisd - -matrix_mxisd_enabled: true - -matrix_mxisd_container_image_self_build: false - -matrix_mxisd_docker_image: "kamax/mxisd:1.4.6" -matrix_mxisd_docker_image_force_pull: "{{ matrix_mxisd_docker_image.endswith(':latest') }}" - -matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd" -matrix_mxisd_docker_src_files_path: "{{ matrix_mxisd_base_path }}/docker-src" -matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config" -matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data" - -# Controls whether the matrix-mxisd container exposes its HTTP port (tcp/8090 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:8090"), or empty string to not expose. -matrix_mxisd_container_http_host_bind_port: '' - -# A list of extra arguments to pass to the container -matrix_mxisd_container_extra_arguments: [] - -# List of systemd services that matrix-mxisd.service depends on -matrix_mxisd_systemd_required_services_list: ['docker.service'] - -# List of systemd services that matrix-mxisd.service wants -matrix_mxisd_systemd_wanted_services_list: [] - -# Your identity server is private by default. -# To ensure maximum discovery, you can make your identity server -# also forward lookups to the central matrix.org Identity server -# (at the cost of potentially leaking all your contacts information). -# Enabling this is discouraged. Learn more here: https://github.com/kamax-io/mxisd/blob/master/docs/features/identity.md#lookups -matrix_mxisd_matrixorg_forwarding_enabled: false - -# mxisd has serveral supported identity stores. -# One of them is storing identities directly in Synapse's database. -# Learn more here: https://github.com/kamax-matrix/mxisd/blob/master/docs/stores/synapse.md -matrix_mxisd_synapsesql_enabled: false -matrix_mxisd_synapsesql_type: "" -matrix_mxisd_synapsesql_connection: "" - -# Setting up email-sending settings is required for using mxisd. -matrix_mxisd_threepid_medium_email_identity_from: "matrix@{{ matrix_domain }}" -matrix_mxisd_threepid_medium_email_connectors_smtp_host: "" -matrix_mxisd_threepid_medium_email_connectors_smtp_port: 587 -matrix_mxisd_threepid_medium_email_connectors_smtp_tls: 1 -matrix_mxisd_threepid_medium_email_connectors_smtp_login: "" -matrix_mxisd_threepid_medium_email_connectors_smtp_password: "" - -# DNS overwrites are useful for telling mxisd how it can reach the homeserver directly. -# Useful when reverse-proxying certain URLs (e.g. `/_matrix/client/r0/user_directory/search`) to mxisd, -# so that mxisd can rewrite the original URL to one that would reach the homeserver. -matrix_mxisd_dns_overwrite_enabled: false -matrix_mxisd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" -matrix_mxisd_dns_overwrite_homeserver_client_value: "http://matrix-synapse:8008" - -# Override the default email templates -# To use this, fill in the template variables with the full desired template as a multi-line YAML variable -# -# More info: -# https://github.com/kamax-matrix/mxisd/blob/master/docs/threepids/notification/template-generator.md -# https://github.com/kamax-matrix/mxisd/tree/master/src/main/resources/threepids/email -matrix_mxisd_threepid_medium_email_custom_templates_enabled: false -matrix_mxisd_threepid_medium_email_custom_invite_template: "" -matrix_mxisd_threepid_medium_email_custom_session_validation_template: "" -matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template: "" -matrix_mxisd_threepid_medium_email_custom_matrixid_template: "" - -# Controls whether the self-check feature should validate SSL certificates. -matrix_mxisd_self_check_validate_certificates: true - -# Controls mxisd logging verbosity for troubleshooting. -# -# According to: https://github.com/kamax-matrix/mxisd/blob/master/docs/troubleshooting.md#increase-verbosity -matrix_mxisd_verbose_logging: false - -# Default mxisd configuration template which covers the generic use case. -# You can customize it by controlling the various variables inside it. -# -# For a more advanced customization, you can extend the default (see `matrix_mxisd_configuration_extension_yaml`) -# or completely replace this variable with your own template. -matrix_mxisd_configuration_yaml: | - #jinja2: lstrip_blocks: True - matrix: - domain: {{ matrix_domain }} - - server: - name: {{ matrix_server_fqn_matrix }} - - key: - path: /var/mxisd/sign.key - - storage: - provider: - sqlite: - database: /var/mxisd/mxisd.db - - {% if matrix_mxisd_dns_overwrite_enabled %} - dns: - overwrite: - homeserver: - client: - - name: {{ matrix_mxisd_dns_overwrite_homeserver_client_name }} - value: {{ matrix_mxisd_dns_overwrite_homeserver_client_value }} - {% endif %} - - {% if matrix_mxisd_matrixorg_forwarding_enabled %} - forward: - servers: ['matrix-org'] - {% endif %} - - threepid: - medium: - email: - identity: - from: {{ matrix_mxisd_threepid_medium_email_identity_from }} - connectors: - smtp: - host: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_host }} - port: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_port }} - tls: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_tls }} - login: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_login }} - password: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_password }} - {% if matrix_mxisd_threepid_medium_email_custom_templates_enabled %} - generators: - template: - {% if matrix_mxisd_threepid_medium_email_custom_invite_template %} - invite: '/var/mxisd/invite-template.eml' - {% endif %} - {% if matrix_mxisd_threepid_medium_email_custom_session_validation_template or matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template %} - session: - {% if matrix_mxisd_threepid_medium_email_custom_session_validation_template %} - validation: '/var/mxisd/validate-template.eml' - {% endif %} - {% if matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template %} - unbind: - frandulent: '/var/mxisd/unbind-fraudulent.eml' - {% endif %} - {% endif %} - {% if matrix_mxisd_threepid_medium_email_custom_matrixid_template %} - generic: - matrixId: '/var/mxisd/mxid-template.eml' - {% endif %} - {% endif %} - - synapseSql: - enabled: {{ matrix_mxisd_synapsesql_enabled }} - type: {{ matrix_mxisd_synapsesql_type }} - connection: {{ matrix_mxisd_synapsesql_connection }} - -matrix_mxisd_configuration_extension_yaml: | - # Your custom YAML configuration for mxisd goes here. - # This configuration extends the default starting configuration (`matrix_mxisd_configuration_yaml`). - # - # You can override individual variables from the default configuration, or introduce new ones. - # - # If you need something more special, you can take full control by - # completely redefining `matrix_mxisd_configuration_yaml`. - # - # Example configuration extension follows: - # - # ldap: - # enabled: true - # connection: - # host: ldapHostnameOrIp - # tls: false - # port: 389 - # baseDNs: ['OU=Users,DC=example,DC=org'] - # bindDn: CN=My Mxisd User,OU=Users,DC=example,DC=org - # bindPassword: TheUserPassword - -matrix_mxisd_configuration_extension: "{{ matrix_mxisd_configuration_extension_yaml|from_yaml if matrix_mxisd_configuration_extension_yaml|from_yaml is mapping else {} }}" - -# Holds the final mxisd configuration (a combination of the default and its extension). -# You most likely don't need to touch this variable. Instead, see `matrix_mxisd_configuration_yaml`. -matrix_mxisd_configuration: "{{ matrix_mxisd_configuration_yaml|from_yaml|combine(matrix_mxisd_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-mxisd/tasks/main.yml b/roles/matrix-mxisd/tasks/main.yml deleted file mode 100644 index 31970db42..000000000 --- a/roles/matrix-mxisd/tasks/main.yml +++ /dev/null @@ -1,21 +0,0 @@ -- import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup|bool and matrix_mxisd_enabled|bool" - tags: - - setup-all - - setup-mxisd - -- import_tasks: "{{ role_path }}/tasks/setup_mxisd.yml" - tags: - - setup-all - - setup-mxisd - -- import_tasks: "{{ role_path }}/tasks/self_check_mxisd.yml" - delegate_to: 127.0.0.1 - become: false - when: "run_self_check|bool and matrix_mxisd_enabled|bool" - tags: - - self-check diff --git a/roles/matrix-mxisd/tasks/self_check_mxisd.yml b/roles/matrix-mxisd/tasks/self_check_mxisd.yml deleted file mode 100644 index 137907bb3..000000000 --- a/roles/matrix-mxisd/tasks/self_check_mxisd.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- - -- set_fact: - mxisd_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/identity/api/v1" - -- name: Check mxisd Identity Service - uri: - url: "{{ mxisd_url_endpoint_public }}" - follow_redirects: none - validate_certs: "{{ matrix_mxisd_self_check_validate_certificates }}" - register: result_mxisd - ignore_errors: true - -- name: Fail if mxisd Identity Service not working - fail: - msg: "Failed checking mxisd is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ mxisd_url_endpoint_public }}`). Is mxisd running? Is port 443 open in your firewall? Full error: {{ result_mxisd }}" - when: "result_mxisd.failed or 'json' not in result_mxisd" - -- name: Report working mxisd Identity Service - debug: - msg: "mxisd at `{{ matrix_server_fqn_matrix }}` is working (checked endpoint: `{{ mxisd_url_endpoint_public }}`)" diff --git a/roles/matrix-mxisd/tasks/setup_mxisd.yml b/roles/matrix-mxisd/tasks/setup_mxisd.yml deleted file mode 100644 index 0ad363011..000000000 --- a/roles/matrix-mxisd/tasks/setup_mxisd.yml +++ /dev/null @@ -1,137 +0,0 @@ ---- - -# -# Tasks related to setting up mxisd -# - -- name: Ensure mxisd paths exist - file: - path: "{{ item.path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" - with_items: - - { path: "{{ matrix_mxisd_config_path }}", when: true } - - { path: "{{ matrix_mxisd_data_path }}", when: true } - - { path: "{{ matrix_mxisd_docker_src_files_path }}", when: "{{ matrix_mxisd_container_image_self_build }}"} - when: matrix_mxisd_enabled|bool and item.when - -- name: Ensure mxisd image is pulled - docker_image: - name: "{{ matrix_mxisd_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_mxisd_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mxisd_docker_image_force_pull }}" - when: matrix_mxisd_enabled|bool and not matrix_mxisd_container_image_self_build - -- block: - - name: Ensure gradle is installed for self-building (Debian) - apt: - name: - - gradle - state: present - update_cache: yes - when: (ansible_os_family == 'Debian') - - - name: Ensure gradle is installed for self-building (CentOS) - fail: - msg: "Installing gradle on CentOS is currently not supported, so self-building mxisd cannot happen at this time" - when: ansible_distribution == 'CentOS' - - - name: Ensure gradle is installed for self-building (Archlinux) - pacman: - name: - - gradle - state: latest - update_cache: yes - when: ansible_distribution == 'Archlinux' - - - name: Ensure mxisd repository is present on self-build - git: - repo: https://github.com/kamax-matrix/mxisd.git - dest: "{{ matrix_mxisd_docker_src_files_path }}" - version: "v{{ matrix_mxisd_docker_image.split(':')[1] }}" - force: "yes" - - - name: Ensure mxisd Docker image is built - shell: "./gradlew dockerBuild" - args: - chdir: "{{ matrix_mxisd_docker_src_files_path }}" - when: "matrix_mxisd_enabled|bool and matrix_mxisd_container_image_self_build" - -- name: Ensure mxisd config installed - copy: - content: "{{ matrix_mxisd_configuration|to_nice_yaml }}" - dest: "{{ matrix_mxisd_config_path }}/mxisd.yaml" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" - when: matrix_mxisd_enabled|bool - -- name: Ensure custom templates are installed if any - copy: - content: "{{ item.value }}" - dest: "{{ matrix_mxisd_data_path }}/{{ item.location }}" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" - with_items: - - {value: "{{ matrix_mxisd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'} - - {value: "{{ matrix_mxisd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'} - - {value: "{{ matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template }}", location: 'unbind-fraudulent.eml'} - - {value: "{{ matrix_mxisd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'} - when: "matrix_mxisd_enabled|bool and matrix_mxisd_threepid_medium_email_custom_templates_enabled|bool and item.value" - -- name: Ensure matrix-mxisd.service installed - template: - src: "{{ role_path }}/templates/systemd/matrix-mxisd.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-mxisd.service" - mode: 0644 - register: matrix_mxisd_systemd_service_result - when: matrix_mxisd_enabled|bool - -- name: Ensure systemd reloaded after matrix-mxisd.service installation - service: - daemon_reload: yes - when: "matrix_mxisd_enabled|bool and matrix_mxisd_systemd_service_result.changed" - -# -# Tasks related to getting rid of mxisd (if it was previously enabled) -# - -- name: Check existence of matrix-mxisd service - stat: - path: "{{ matrix_systemd_path }}/matrix-mxisd.service" - register: matrix_mxisd_service_stat - -- name: Ensure matrix-mxisd is stopped - service: - name: matrix-mxisd - state: stopped - daemon_reload: yes - register: stopping_result - when: "not matrix_mxisd_enabled|bool and matrix_mxisd_service_stat.stat.exists" - -- name: Ensure matrix-mxisd.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-mxisd.service" - state: absent - when: "not matrix_mxisd_enabled|bool and matrix_mxisd_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mxisd.service removal - service: - daemon_reload: yes - when: "not matrix_mxisd_enabled|bool and matrix_mxisd_service_stat.stat.exists" - -- name: Ensure Matrix mxisd paths don't exist - file: - path: "{{ matrix_mxisd_base_path }}" - state: absent - when: "not matrix_mxisd_enabled|bool" - -- name: Ensure mxisd Docker image doesn't exist - docker_image: - name: "{{ matrix_mxisd_docker_image }}" - state: absent - when: "not matrix_mxisd_enabled|bool" diff --git a/roles/matrix-mxisd/tasks/validate_config.yml b/roles/matrix-mxisd/tasks/validate_config.yml deleted file mode 100644 index 200a43a3c..000000000 --- a/roles/matrix-mxisd/tasks/validate_config.yml +++ /dev/null @@ -1,57 +0,0 @@ ---- - -- name: (Deprecation) Warn about mxisd variables that are not used anymore - fail: - msg: > - The `{{ item }}` variable defined in your configuration is not used by this playbook anymore! - You'll need to adapt to the new way of extending mxisd configuration. - See the CHANGELOG and the `matrix_mxisd_configuration_extension_yaml` variable for more information and examples. - when: "item in vars" - with_items: - - 'matrix_mxisd_ldap_enabled' - - 'matrix_mxisd_ldap_connection_host' - - 'matrix_mxisd_ldap_connection_tls' - - 'matrix_mxisd_ldap_connection_port' - - 'matrix_mxisd_ldap_connection_baseDn' - - 'matrix_mxisd_ldap_connection_baseDns' - - 'matrix_mxisd_ldap_connection_bindDn' - - 'matrix_mxisd_ldap_connection_bindPassword' - - 'matrix_mxisd_ldap_filter' - - 'matrix_mxisd_ldap_attribute_uid_type' - - 'matrix_mxisd_ldap_attribute_uid_value' - - 'matrix_mxisd_ldap_connection_bindPassword' - - 'matrix_mxisd_ldap_attribute_name' - - 'matrix_mxisd_ldap_attribute_threepid_email' - - 'matrix_mxisd_ldap_attribute_threepid_msisdn' - - 'matrix_mxisd_ldap_identity_filter' - - 'matrix_mxisd_ldap_identity_medium' - - 'matrix_mxisd_ldap_auth_filter' - - 'matrix_mxisd_ldap_directory_filter' - - 'matrix_mxisd_template_config' - -- name: Ensure mxisd configuration does not contain any dot-notation keys - fail: - msg: > - Since version 1.3.0, mxisd will not accept property-style configuration keys. - You have defined a key (`{{ item.key }}`) which contains a dot. - Instead, use nesting. See: https://github.com/kamax-matrix/mxisd/wiki/Upgrade#v130 - when: "'.' in item.key" - with_dict: "{{ matrix_mxisd_configuration }}" - -- name: Fail if required mxisd settings not defined - fail: - msg: > - You need to define a required configuration setting (`{{ item }}`) for using mxisd. - when: "vars[item] == ''" - with_items: - - "matrix_mxisd_threepid_medium_email_connectors_smtp_host" - - -- name: (Deprecation) Catch and report renamed mxisd variables - fail: - msg: >- - Your configuration contains a variable, which now has a different name. - Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). - when: "item.old in vars" - with_items: - - {'old': 'matrix_mxisd_container_expose_port', 'new': ''} diff --git a/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 b/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 deleted file mode 100644 index d60740f52..000000000 --- a/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 +++ /dev/null @@ -1,46 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix mxisd Identity server -{% for service in matrix_mxisd_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -{% for service in matrix_mxisd_systemd_wanted_services_list %} -Wants={{ service }} -{% endfor %} - -[Service] -Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-mxisd -ExecStartPre=-/usr/bin/docker rm matrix-mxisd - -# mxisd writes an SQLite shared library (libsqlitejdbc.so) to /tmp and executes it from there, -# so /tmp needs to be mounted with an exec option. -ExecStart=/usr/bin/docker run --rm --name matrix-mxisd \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --read-only \ - --tmpfs=/tmp:rw,exec,nosuid,size=10m \ - --network={{ matrix_docker_network }} \ - {% if matrix_mxisd_container_http_host_bind_port %} - -p {{ matrix_mxisd_container_http_host_bind_port }}:8090 \ - {% endif %} - {% if matrix_mxisd_verbose_logging %} - -e MXISD_LOG_LEVEL=debug \ - {% endif %} - -v {{ matrix_mxisd_config_path }}:/etc/mxisd:ro \ - -v {{ matrix_mxisd_data_path }}:/var/mxisd:rw \ - {% for arg in matrix_mxisd_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_mxisd_docker_image }} - -ExecStop=-/usr/bin/docker kill matrix-mxisd -ExecStop=-/usr/bin/docker rm matrix-mxisd -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-mxisd - -[Install] -WantedBy=multi-user.target From 5fedd6cbf03be1b049d3f9b57dc090fa9195abec Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Tue, 7 Jan 2020 19:04:26 +0100 Subject: [PATCH 02/17] Replace mxisd with ma1sd in docs, fixing URLs --- README.md | 6 +-- docs/configuring-dns.md | 2 +- docs/configuring-playbook-ldap-auth.md | 4 +- docs/configuring-playbook-ma1sd.md | 49 +++++++++++++------------ docs/configuring-playbook-rest-auth.md | 4 +- docs/configuring-playbook.md | 2 +- docs/maintenance-and-troubleshooting.md | 4 +- 7 files changed, 36 insertions(+), 35 deletions(-) diff --git a/README.md b/README.md index 7e64d8937..b16a8dfea 100644 --- a/README.md +++ b/README.md @@ -20,13 +20,13 @@ Using this playbook, you can get the following services configured on your serve - (optional, default) a [Riot](https://riot.im/) web UI, which is configured to connect to your own Synapse server by default -- (optional, default) an [mxisd](https://github.com/kamax-io/mxisd) Matrix Identity server +- (optional, default) an [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server - (optional, default) an [Exim](https://www.exim.org/) mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) - (optional, default) an [nginx](http://nginx.org/) web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver [is possible](docs/configuring-playbook-own-webserver.md) -- (optional, advanced) the [matrix-synapse-rest-auth](https://github.com/kamax-io/matrix-synapse-rest-auth) REST authentication password provider module +- (optional, advanced) the [matrix-synapse-rest-auth](https://github.com/ma1uta/matrix-synapse-rest-password-provider) REST authentication password provider module - (optional, advanced) the [matrix-synapse-shared-secret-auth](https://github.com/devture/matrix-synapse-shared-secret-auth) password provider module @@ -112,7 +112,7 @@ This playbook sets up your server using the following Docker images: - [vectorim/riot-web](https://hub.docker.com/r/vectorim/riot-web/) - the [Riot.im](https://about.riot.im/) web client (optional) -- [kamax/mxisd](https://hub.docker.com/r/kamax/mxisd/) - the [mxisd](https://github.com/kamax-io/mxisd) Matrix Identity server (optional) +- [ma1uta/ma1sd](https://hub.docker.com/r/ma1uta/ma1sd/) - the [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server (optional) - [postgres](https://hub.docker.com/_/postgres/) - the [Postgres](https://www.postgresql.org/) database server (optional) diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index 735b348fb..29ddc61ed 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -44,7 +44,7 @@ The `jitsi.` subdomain may be necessary, because this playbook coul ## `_matrix-identity._tcp` SRV record setup -To make the [mxisd](https://github.com/kamax-io/mxisd) Identity Server (which this playbook installs for you) be authoritative for your domain name, set up one more SRV record that looks like this: +To make the [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server (which this playbook installs for you) be authoritative for your domain name, set up one more SRV record that looks like this: - Name: `_matrix-identity._tcp` (use this text as-is) - Content: `10 0 443 matrix.` (replace `` with your own) diff --git a/docs/configuring-playbook-ldap-auth.md b/docs/configuring-playbook-ldap-auth.md index c9f15c317..5144323ad 100644 --- a/docs/configuring-playbook-ldap-auth.md +++ b/docs/configuring-playbook-ldap-auth.md @@ -28,5 +28,5 @@ If you wish for users to **authenticate only against configured password provide matrix_synapse_password_config_localdb_enabled: false ``` -## Using mxisd Identity Server for authentication -If you wish to use the mxisd Identity Server for LDAP authentication instead of [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) consult [Adjusting mxisd Identity Server configuration](configuring-playbook-mxisd.md#authentication). \ No newline at end of file +## Using ma1sd Identity Server for authentication +If you wish to use the ma1sd Identity Server for LDAP authentication instead of [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) consult [Adjusting ma1sd Identity Server configuration](configuring-playbook-ma1sd.md#authentication). diff --git a/docs/configuring-playbook-ma1sd.md b/docs/configuring-playbook-ma1sd.md index 29cec488d..da9ff21e1 100644 --- a/docs/configuring-playbook-ma1sd.md +++ b/docs/configuring-playbook-ma1sd.md @@ -1,52 +1,53 @@ -# Adjusting mxisd Identity Server configuration (optional) +# Adjusting ma1sd Identity Server configuration (optional) -By default, this playbook configures an [mxisd](https://github.com/kamax-io/mxisd) Identity Server for you. +By default, this playbook configures an [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server for you. This server is private by default, potentially at the expense of user discoverability. +ma1sd is a fork of [mxisd](https://github.com/kamax-io/mxisd) which was pronounced end of life 2019-06-21. ## Matrix.org lookup forwarding To ensure maximum discovery, you can make your identity server also forward lookups to the central matrix.org Identity server (at the cost of potentially leaking all your contacts information). -Enabling this is discouraged and you'd better [learn more](https://github.com/kamax-io/mxisd/blob/master/docs/features/identity.md#lookups) before proceeding. +Enabling this is discouraged and you'd better [learn more](https://github.com/ma1uta/ma1sd/blob/master/docs/features/identity.md#lookups) before proceeding. Enabling matrix.org forwarding can happen with the following configuration: ```yaml -matrix_mxisd_matrixorg_forwarding_enabled: true +matrix_ma1sd_matrixorg_forwarding_enabled: true ``` ## Customizing email templates -If you'd like to change the default email templates used by mxisd, take a look at the `matrix_mxisd_threepid_medium_email_custom_` variables -(in the `roles/matrix-mxisd/defaults/main.yml` file. +If you'd like to change the default email templates used by ma1sd, take a look at the `matrix_ma1sd_threepid_medium_email_custom_` variables +(in the `roles/matrix-ma1sd/defaults/main.yml` file. -## mxisd-controlled Registration +## ma1sd-controlled Registration -To use the [Registration](https://github.com/kamax-matrix/mxisd/blob/master/docs/features/registration.md) feature of mxisd, you can make use of the following variables: +To use the [Registration](https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md) feature of ma1sd, you can make use of the following variables: - `matrix_synapse_enable_registration` - to enable user-initiated registration in Synapse - `matrix_synapse_registrations_require_3pid` - to control the types of 3pid (`'email'`, `'msisdn'`) required by the Synapse server for registering -- variables prefixed with `matrix_nginx_proxy_proxy_matrix_3pid_registration_` (e.g. `matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled`) - to configure the integrated nginx webserver to send registration requests to mxisd (instead of Synapse), so it can apply its additional functionality +- variables prefixed with `matrix_nginx_proxy_proxy_matrix_3pid_registration_` (e.g. `matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled`) - to configure the integrated nginx webserver to send registration requests to ma1sd (instead of Synapse), so it can apply its additional functionality -- `matrix_mxisd_configuration_extension_yaml` - to configure mxisd as required. See the [Registration feature's docs](https://github.com/kamax-matrix/mxisd/blob/master/docs/features/registration.md) for inspiration. Also see the [Additional features](#additional-features) section below to learn more about how to use `matrix_mxisd_configuration_extension_yaml`. +- `matrix_ma1sd_configuration_extension_yaml` - to configure ma1sd as required. See the [Registration feature's docs](https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md) for inspiration. Also see the [Additional features](#additional-features) section below to learn more about how to use `matrix_ma1sd_configuration_extension_yaml`. ## Authentication -[Authentication](https://github.com/kamax-matrix/mxisd/blob/master/docs/features/authentication.md) provides the possibility to use your own [Identity Stores](https://github.com/kamax-matrix/mxisd/blob/master/docs/stores/README.md) (for example LDAP) to authenticate users on your Homeserver. The following configuration can be used to authenticate against an LDAP server: +[Authentication](https://github.com/ma1uta/ma1sd/blob/master/docs/features/authentication.md) provides the possibility to use your own [Identity Stores](https://github.com/ma1uta/ma1sd/blob/master/docs/stores/README.md) (for example LDAP) to authenticate users on your Homeserver. The following configuration can be used to authenticate against an LDAP server: ```yaml matrix_synapse_ext_password_provider_rest_auth_enabled: true -# matrix-mxisd is the hostname of the mxisd Docker container -matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-mxisd:8090" +# matrix-ma1sd is the hostname of the ma1sd Docker container +matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-ma1sd:8090" -matrix_mxisd_configuration_extension_yaml: | +matrix_ma1sd_configuration_extension_yaml: | ldap: enabled: true connection: @@ -54,7 +55,7 @@ matrix_mxisd_configuration_extension_yaml: | tls: false port: 389 baseDNs: ['OU=Users,DC=example,DC=org'] - bindDn: CN=My Mxisd User,OU=Users,DC=example,DC=org + bindDn: CN=My ma1sd User,OU=Users,DC=example,DC=org bindPassword: TheUserPassword ``` @@ -62,24 +63,24 @@ matrix_mxisd_configuration_extension_yaml: | What this playbook configures for your is some bare minimum Identity Server functionality, so that you won't need to rely on external 3rd party services. -A few variables can be toggled in this playbook to alter the mxisd configuration that gets generated. +A few variables can be toggled in this playbook to alter the ma1sd configuration that gets generated. -Still, mxisd can do much more. -You can refer to the [mxisd website](https://github.com/kamax-io/mxisd) for more details and configuration options. +Still, ma1sd can do much more. +You can refer to the [ma1sd website](https://github.com/ma1uta/ma1sd) for more details and configuration options. -To use a more custom configuration, you can define a `matrix_mxisd_configuration_extension_yaml` string variable +To use a more custom configuration, you can define a `matrix_ma1sd_configuration_extension_yaml` string variable and put your configuration in it. -To learn more about how to do this, refer to the information about `matrix_mxisd_configuration_extension_yaml` in the [default variables file](../roles/matrix-mxisd/defaults/main.yml) of the mxisd component. +To learn more about how to do this, refer to the information about `matrix_ma1sd_configuration_extension_yaml` in the [default variables file](../roles/matrix-ma1sd/defaults/main.yml) of the ma1sd component. ## Troubleshooting -If email address validation emails sent by mxisd are not reaching you, you should look into [Adjusting email-sending settings](configuring-playbook-email.md). +If email address validation emails sent by ma1sd are not reaching you, you should look into [Adjusting email-sending settings](configuring-playbook-email.md). -If you'd like additional logging information, temporarily enable verbose logging for mxisd. +If you'd like additional logging information, temporarily enable verbose logging for ma1sd. Example configuration (`inventory/host_vars/matrix.DOMAIN/vars.yml`): ```yaml -matrix_mxisd_verbose_logging: true -``` \ No newline at end of file +matrix_ma1sd_verbose_logging: true +``` diff --git a/docs/configuring-playbook-rest-auth.md b/docs/configuring-playbook-rest-auth.md index f35c0f49e..23644c9eb 100644 --- a/docs/configuring-playbook-rest-auth.md +++ b/docs/configuring-playbook-rest-auth.md @@ -1,6 +1,6 @@ # Setting up the REST authentication password provider module (optional, advanced) -The playbook can install and configure [matrix-synapse-rest-auth](https://github.com/kamax-io/matrix-synapse-rest-auth) for you. +The playbook can install and configure [matrix-synapse-rest-auth](https://github.com/ma1uta/matrix-synapse-rest-password-provider) for you. See that project's documentation to learn what it does and why it might be useful to you. @@ -8,7 +8,7 @@ If you decide that you'd like to let this playbook install it for you, you need ```yaml matrix_synapse_ext_password_provider_rest_auth_enabled: true -matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-mxisd:8090" +matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-ma1sd:8090" matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 051abf166..4d0d2093b 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -44,7 +44,7 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Using an external PostgreSQL server](configuring-playbook-external-postgres.md) (optional) -- [Adjusting mxisd Identity Server configuration](configuring-playbook-mxisd.md) (optional) +- [Adjusting ma1sd Identity Server configuration](configuring-playbook-ma1sd.md) (optional) - [Adjusting SSL certificate retrieval](configuring-playbook-ssl-certificates.md) (optional, advanced) diff --git a/docs/maintenance-and-troubleshooting.md b/docs/maintenance-and-troubleshooting.md index 5dd1ee3f5..bccf3e2ee 100644 --- a/docs/maintenance-and-troubleshooting.md +++ b/docs/maintenance-and-troubleshooting.md @@ -38,6 +38,6 @@ Re-run the playbook after making these configuration changes. See the dedicated [PostgreSQL Maintenance](maintenance-postgres.md) documentation page. -## Mxisd +## Ma1sd -See the dedicated [Adjusting mxisd Identity Server configuration](configuring-playbook-mxisd.md) documentation page. \ No newline at end of file +See the dedicated [Adjusting ma1sd Identity Server configuration](configuring-playbook-ma1sd.md) documentation page. From 9d0803cdf934775c7c5338643a3b79957eb451af Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Wed, 8 Jan 2020 22:26:24 +0100 Subject: [PATCH 03/17] Specify up-to-date version 2.2.2 of ma1sd docker image --- roles/matrix-ma1sd/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index f3f604d3f..4ae87e3de 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -3,7 +3,7 @@ matrix_ma1sd_enabled: true -matrix_ma1sd_docker_image: "ma1uta/ma1sd:1.4.6" +matrix_ma1sd_docker_image: "ma1uta/ma1sd:2.2.2" matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}" matrix_ma1sd_base_path: "{{ matrix_base_data_path }}/ma1sd" From 874e2e1fc0b775ff20f500e7b7f49aa23112a892 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Wed, 8 Jan 2020 22:31:44 +0100 Subject: [PATCH 04/17] Rename variables (s/mxisd/ma1sd/) and adapt roles --- group_vars/matrix_servers | 56 +++++++++---------- roles/matrix-base/tasks/main.yml | 2 +- roles/matrix-base/tasks/self_check_dns.yml | 8 +-- roles/matrix-nginx-proxy/defaults/main.yml | 10 ++-- .../tasks/self_check_well_known.yml | 2 +- setup.yml | 2 +- 6 files changed, 40 insertions(+), 40 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index c2dd57866..9efd15391 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -435,7 +435,7 @@ matrix_jitsi_web_stun_servers: | # By default, this playbook sets up a postfix mailer server (running in a container). # This is so that Synapse can send email reminders for unread messages. -# Other services (like mxisd), also use the mailer. +# Other services (like ma1sd), also use the mailer. matrix_mailer_enabled: true ###################################################################### @@ -448,41 +448,41 @@ matrix_mailer_enabled: true ###################################################################### # -# matrix-mxisd +# matrix-ma1sd # ###################################################################### -# By default, this playbook installs the mxisd identity server on the same domain as Synapse (`matrix_server_fqn_matrix`). +# By default, this playbook installs the ma1sd identity server on the same domain as Synapse (`matrix_server_fqn_matrix`). # If you wish to use the public identity servers (matrix.org, vector.im) instead of your own you may wish to disable this. -matrix_mxisd_enabled: true +matrix_ma1sd_enabled: true -matrix_mxisd_container_image_self_build: "{{ matrix_container_images_self_build }}" +matrix_ma1sd_container_image_self_build: "{{ matrix_container_images_self_build }}" -# Normally, matrix-nginx-proxy is enabled and nginx can reach mxisd over the container network. +# Normally, matrix-nginx-proxy is enabled and nginx can reach ma1sd over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# mxisd's web-server port. -matrix_mxisd_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8090' }}" +# ma1sd's web-server port. +matrix_ma1sd_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8090' }}" # We enable Synapse integration via its Postgres database by default. # When using another Identity store, you might wish to disable this and define -# your own configuration in `matrix_mxisd_configuration_extension_yaml`. -matrix_mxisd_synapsesql_enabled: true -matrix_mxisd_synapsesql_type: postgresql -matrix_mxisd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user | urlencode() }}&password={{ matrix_synapse_database_password | urlencode() }} +# your own configuration in `matrix_ma1sd_configuration_extension_yaml`. +matrix_ma1sd_synapsesql_enabled: true +matrix_ma1sd_synapsesql_type: postgresql +matrix_ma1sd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user | urlencode() }}&password={{ matrix_synapse_database_password | urlencode() }} -matrix_mxisd_dns_overwrite_enabled: true -matrix_mxisd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" -matrix_mxisd_dns_overwrite_homeserver_client_value: "http://{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-synapse:8008' }}" +matrix_ma1sd_dns_overwrite_enabled: true +matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" +matrix_ma1sd_dns_overwrite_homeserver_client_value: "http://{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-synapse:8008' }}" # By default, we send mail through the `matrix-mailer` service. -matrix_mxisd_threepid_medium_email_identity_from: "{{ matrix_mailer_sender_address }}" -matrix_mxisd_threepid_medium_email_connectors_smtp_host: "matrix-mailer" -matrix_mxisd_threepid_medium_email_connectors_smtp_port: 8025 -matrix_mxisd_threepid_medium_email_connectors_smtp_tls: 0 +matrix_ma1sd_threepid_medium_email_identity_from: "{{ matrix_mailer_sender_address }}" +matrix_ma1sd_threepid_medium_email_connectors_smtp_host: "matrix-mailer" +matrix_ma1sd_threepid_medium_email_connectors_smtp_port: 8025 +matrix_ma1sd_threepid_medium_email_connectors_smtp_tls: 0 -matrix_mxisd_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}" +matrix_ma1sd_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}" -matrix_mxisd_systemd_wanted_services_list: | +matrix_ma1sd_systemd_wanted_services_list: | {{ (['matrix-corporal.service'] if matrix_corporal_enabled else ['matrix-synapse.service']) + @@ -493,7 +493,7 @@ matrix_mxisd_systemd_wanted_services_list: | ###################################################################### # -# /matrix-mxisd +# /matrix-ma1sd # ###################################################################### @@ -523,8 +523,8 @@ matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enable matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081" -matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_mxisd_enabled }}" -matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-mxisd:8090" +matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_ma1sd_enabled }}" +matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:8090" matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090" # By default, we do TLS termination for the Matrix Federation API (port 8448) at matrix-nginx-proxy. @@ -536,7 +536,7 @@ matrix_nginx_proxy_proxy_synapse_metrics: "{{ matrix_synapse_metrics_enabled }}" matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container: "matrix-synapse:{{ matrix_synapse_metrics_port }}" matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "127.0.0.1:{{ matrix_synapse_metrics_port }}" -matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_mxisd_enabled }}" +matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}" @@ -548,7 +548,7 @@ matrix_nginx_proxy_systemd_wanted_services_list: | + (['matrix-corporal.service'] if matrix_corporal_enabled else []) + - (['matrix-mxisd.service'] if matrix_mxisd_enabled else []) + (['matrix-ma1sd.service'] if matrix_ma1sd_enabled else []) + (['matrix-riot-web.service'] if matrix_riot_web_enabled else []) }} @@ -652,8 +652,8 @@ matrix_riot_web_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matrix_jit matrix_synapse_container_image_self_build: "{{ matrix_container_images_self_build }}" -# When mxisd is enabled, we can use it instead of the default public Identity servers. -matrix_synapse_trusted_third_party_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}" +# When ma1sd is enabled, we can use it instead of the default public Identity servers. +matrix_synapse_trusted_third_party_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_ma1sd_enabled else matrix_synapse_id_servers_public }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, diff --git a/roles/matrix-base/tasks/main.yml b/roles/matrix-base/tasks/main.yml index 909cad200..827a41013 100644 --- a/roles/matrix-base/tasks/main.yml +++ b/roles/matrix-base/tasks/main.yml @@ -21,7 +21,7 @@ when: run_setup|bool tags: - setup-all - - setup-mxisd + - setup-ma1sd - setup-synapse - setup-nginx-proxy diff --git a/roles/matrix-base/tasks/self_check_dns.yml b/roles/matrix-base/tasks/self_check_dns.yml index d17b2149a..57c07b2b1 100644 --- a/roles/matrix-base/tasks/self_check_dns.yml +++ b/roles/matrix-base/tasks/self_check_dns.yml @@ -5,16 +5,16 @@ - block: - set_fact: - dns_srv_record_check_mxisd: + dns_srv_record_check_ma1sd: service_and_protocol: "_matrix-identity._tcp" domain: "{{ (matrix_domain + '.') }}" expected_target: "{{ (matrix_server_fqn_matrix + '.') }}" expected_port: 443 - - name: Determine domains that we require certificates for (mxisd) + - name: Determine domains that we require certificates for (ma1sd) set_fact: - dns_srv_record_checks: "{{ dns_srv_record_checks + [dns_srv_record_check_mxisd] }}" - when: matrix_mxisd_enabled|bool + dns_srv_record_checks: "{{ dns_srv_record_checks + [dns_srv_record_check_ma1sd] }}" + when: matrix_ma1sd_enabled|bool - name: Perform DNS SRV checks include_tasks: "{{ role_path }}/tasks/self_check_dns_srv.yml" diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 8f3f0481b..12d314f5b 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -116,21 +116,21 @@ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:410 # Controls whether proxying for the User Directory Search API (`/_matrix/client/r0/user_directory/search`) should be done (on the matrix domain). # This can be used to forward the API endpoint to another service, augmenting the functionality of Synapse's own User Directory Search. -# To learn more, see: https://github.com/kamax-matrix/mxisd/blob/master/docs/features/directory.md +# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/directory.md matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false -matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-mxisd:8090" +matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-ma1sd:8090" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:8090" # Controls whether proxying for 3PID-based registration (`/_matrix/client/r0/register/(email|msisdn)/requestToken`) should be done (on the matrix domain). # This allows another service to control registrations involving 3PIDs. -# To learn more, see: https://github.com/kamax-matrix/mxisd/blob/master/docs/features/registration.md +# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled: false -matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-mxisd:8090" +matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-ma1sd:8090" matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container: "127.0.0.1:8090" # Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false -matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-mxisd:8090" +matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:8090" matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090" # Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain) diff --git a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml index 6aaf9cb31..be1b65553 100644 --- a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml +++ b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml @@ -18,7 +18,7 @@ follow_redirects: safe validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}" - - name: Determine domains that we require certificates for (mxisd) + - name: Determine domains that we require certificates for (ma1sd) set_fact: well_known_file_checks: "{{ well_known_file_checks + [well_known_file_check_matrix_server] }}" when: matrix_well_known_matrix_server_enabled|bool diff --git a/setup.yml b/setup.yml index 61d448f31..5baee8f35 100755 --- a/setup.yml +++ b/setup.yml @@ -19,7 +19,7 @@ - matrix-synapse - matrix-riot-web - matrix-jitsi - - matrix-mxisd + - matrix-ma1sd - matrix-dimension - matrix-email2matrix - matrix-nginx-proxy From 8c5c2e5eec2dfe54d8b2540b122996b07a0ce174 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Fri, 27 Mar 2020 19:31:15 +0100 Subject: [PATCH 05/17] Bump ma1sd version to 2.3.0 --- roles/matrix-ma1sd/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index 4ae87e3de..686358110 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -3,7 +3,7 @@ matrix_ma1sd_enabled: true -matrix_ma1sd_docker_image: "ma1uta/ma1sd:2.2.2" +matrix_ma1sd_docker_image: "ma1uta/ma1sd:2.3.0" matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}" matrix_ma1sd_base_path: "{{ matrix_base_data_path }}/ma1sd" From c2d384d2ef0070097baf39df8858638dc8829286 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Thu, 2 Apr 2020 10:43:40 +0200 Subject: [PATCH 06/17] some more mxisd to ma1sd string/URL replacements --- docs/self-building.md | 4 ++-- roles/matrix-ma1sd/tasks/validate_config.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/self-building.md b/docs/self-building.md index a4d6fad9c..6b9a46d49 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -1,6 +1,6 @@ # Self-building -The playbook supports the self-building of some of its components. This may be useful for architectures besides x86_64, which have no Docker images right now (e g. the armv7 for the Raspberry Pi). Some playbook roles have been updated, so they build the necessary image on the host. It needs more space, as some build tools need to be present (like Java, for mxisd). +The playbook supports the self-building of some of its components. This may be useful for architectures besides x86_64, which have no Docker images right now (e g. the armv7 for the Raspberry Pi). Some playbook roles have been updated, so they build the necessary image on the host. It needs more space, as some build tools need to be present (like Java, for ma1sd). To use these modification there is a variable that needs to be switched to enable this functionality. Add this to your `vars.yaml` file: ```yaml @@ -12,7 +12,7 @@ List of roles where self-building the docker image is currently possible: - synapse - riot-web - coturn -- mxisd +- ma1sd - matrix-bridge-mautrix-facebook - matrix-bridge-mautrix-hangouts diff --git a/roles/matrix-ma1sd/tasks/validate_config.yml b/roles/matrix-ma1sd/tasks/validate_config.yml index 07a170065..3adb47562 100644 --- a/roles/matrix-ma1sd/tasks/validate_config.yml +++ b/roles/matrix-ma1sd/tasks/validate_config.yml @@ -34,7 +34,7 @@ msg: > Since version 1.3.0, ma1sd will not accept property-style configuration keys. You have defined a key (`{{ item.key }}`) which contains a dot. - Instead, use nesting. See: https://github.com/kamax-matrix/mxisd/wiki/Upgrade-Notes#v130 + Instead, use nesting. See: https://github.com/ma1uta/ma1sd/wiki/Upgrade-Notes#v130 when: "'.' in item.key" with_dict: "{{ matrix_ma1sd_configuration }}" From ed34d0ac396658a265e5fbeed131439a669d5898 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Thu, 2 Apr 2020 10:50:07 +0200 Subject: [PATCH 07/17] fix "noeol" ("No newline at end of file" == missing 0A byte at file end) --- roles/matrix-ma1sd/vars/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-ma1sd/vars/main.yml b/roles/matrix-ma1sd/vars/main.yml index dfaf58bdf..b6c97a593 100644 --- a/roles/matrix-ma1sd/vars/main.yml +++ b/roles/matrix-ma1sd/vars/main.yml @@ -2,4 +2,4 @@ # Doing `|from_yaml` when the extension contains nothing yields an empty string (""). # We need to ensure it's a dictionary or `|combine` (when building `matrix_ma1sd_configuration`) will fail later. -matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml|from_yaml if matrix_ma1sd_configuration_extension_yaml|from_yaml else {} }}" \ No newline at end of file +matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml|from_yaml if matrix_ma1sd_configuration_extension_yaml|from_yaml else {} }}" From 92672f89490003ef0c4c35ca039ae74a608ebe91 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Thu, 2 Apr 2020 10:55:35 +0200 Subject: [PATCH 08/17] matrix-ma1sd/tasks/validate_config.yml: can ansible process regex in when statements? --- roles/matrix-ma1sd/tasks/validate_config.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-ma1sd/tasks/validate_config.yml b/roles/matrix-ma1sd/tasks/validate_config.yml index 3adb47562..edbd54192 100644 --- a/roles/matrix-ma1sd/tasks/validate_config.yml +++ b/roles/matrix-ma1sd/tasks/validate_config.yml @@ -55,3 +55,4 @@ when: "item.old in vars" with_items: - {'old': 'matrix_ma1sd_container_expose_port', 'new': ''} + - {'old': 'matrix_mxisd_.*', 'new': 'matrix_ma1sd_.*'} From e4ceeccd1464b9840d8d88245f7f786f63103026 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Thu, 2 Apr 2020 17:19:40 +0200 Subject: [PATCH 09/17] Add mxisd => ma1sd migration task --- roles/matrix-ma1sd/tasks/migrate_mxisd.yml | 79 ++++++++++++++++++++++ roles/matrix-ma1sd/tasks/setup_ma1sd.yml | 3 + 2 files changed, 82 insertions(+) create mode 100644 roles/matrix-ma1sd/tasks/migrate_mxisd.yml diff --git a/roles/matrix-ma1sd/tasks/migrate_mxisd.yml b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml new file mode 100644 index 000000000..2d92de629 --- /dev/null +++ b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml @@ -0,0 +1,79 @@ +--- + +# This task is for migrating existing mxisd data when transitioning to the ma1sd fork. + +- name: Check for existent mxisd data + stat: + path: "{{ matrix_base_data_path }}/mxisd" + register: ma1sd_migrate_mxisd_data_dir_stat + +- name: Warn if mxisd data detected + debug: + msg: > + You seem to have an existing mxisd data folder in `{{ matrix_base_data_path }}`. + We are going to migrate it to ma1sd and rename the folder to mxisd.migrated. + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + +- name: Check existence of old matrix-mxisd service + stat: + path: "{{ matrix_systemd_path }}/matrix-mxisd.service" + register: matrix_mxisd_service_stat + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + +- name: Ensure matrix-mxisd is stopped + service: + name: matrix-mxisd + state: stopped + daemon_reload: yes + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists and matrix_mxisd_service_stat.stat.exists" + +- name: Check existence of matrix-ma1sd service + stat: + path: "{{ matrix_systemd_path }}/matrix-ma1sd.service" + register: matrix_ma1sd_service_stat + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + +- name: Ensure matrix-ma1sd is stopped + service: + name: matrix-ma1sd + state: stopped + daemon_reload: yes + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists and matrix_ma1sd_service_stat.stat.exists" + +- name: Ensure ma1sd data path exist + file: + path: "{{ matrix_ma1sd_data_path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + +- name: Copy mxisd data files to ma1sd folder + copy: + src: "{{ item }}" + dest: "{{ matrix_ma1sd_data_path }}/" + mode: "preserve" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - "{{ matrix_base_data_path }}/mxisd/data/mxisd.db" + - "{{ matrix_base_data_path }}/mxisd/data/sign.key" + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + +- name: Rename mxisd folder + command: "mv {{ matrix_base_data_path }}/mxisd {{ matrix_base_data_path }}/mxisd.migrated" + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + +- name: Ensure outdated matrix-mxisd.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/matrix-mxisd.service" + state: absent + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + +- name: Ensure systemd reloaded after removing outdated matrix-mxisd.service + service: + daemon_reload: yes + when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + + diff --git a/roles/matrix-ma1sd/tasks/setup_ma1sd.yml b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml index 483d7f9c0..c197b64f9 100644 --- a/roles/matrix-ma1sd/tasks/setup_ma1sd.yml +++ b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml @@ -4,6 +4,9 @@ # Tasks related to setting up ma1sd # +- import_tasks: "{{ role_path }}/tasks/migrate_mxisd.yml" + when: matrix_ma1sd_enabled|bool + - name: Ensure ma1sd paths exist file: path: "{{ item.path }}" From 4172345d34ae75f039db49bd81ceca33ee483da8 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Thu, 2 Apr 2020 17:20:06 +0200 Subject: [PATCH 10/17] Fix regex matching against old variable names in ma1sd validation task --- roles/matrix-ma1sd/tasks/validate_config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-ma1sd/tasks/validate_config.yml b/roles/matrix-ma1sd/tasks/validate_config.yml index edbd54192..da2bdc1b1 100644 --- a/roles/matrix-ma1sd/tasks/validate_config.yml +++ b/roles/matrix-ma1sd/tasks/validate_config.yml @@ -52,7 +52,7 @@ msg: >- Your configuration contains a variable, which now has a different name. Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). - when: "item.old in vars" + when: "vars | dict2items | selectattr('key', 'match', item.old) | list | items2dict" with_items: - {'old': 'matrix_ma1sd_container_expose_port', 'new': ''} - {'old': 'matrix_mxisd_.*', 'new': 'matrix_ma1sd_.*'} From 59ccff9babcbf79fe6dac31600d01b057a9b1412 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Apr 2020 09:27:22 +0300 Subject: [PATCH 11/17] Fix mxisd -> ma1sd file copying When the playbook executes on a remote host (as it usually does), we need to explicitly say `src` is a remote file and not relative to the playbook. --- roles/matrix-ma1sd/tasks/migrate_mxisd.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-ma1sd/tasks/migrate_mxisd.yml b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml index 2d92de629..256e83fe6 100644 --- a/roles/matrix-ma1sd/tasks/migrate_mxisd.yml +++ b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml @@ -52,6 +52,7 @@ - name: Copy mxisd data files to ma1sd folder copy: src: "{{ item }}" + remote_src: true dest: "{{ matrix_ma1sd_data_path }}/" mode: "preserve" owner: "{{ matrix_user_username }}" From be1951133889018bf780a9caa99c2a9e7bbdecdc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Apr 2020 09:28:44 +0300 Subject: [PATCH 12/17] Add missing container self-build variables for ma1sd --- roles/matrix-ma1sd/defaults/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index 686358110..144f4932e 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -3,10 +3,13 @@ matrix_ma1sd_enabled: true +matrix_ma1sd_container_image_self_build: false + matrix_ma1sd_docker_image: "ma1uta/ma1sd:2.3.0" matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}" matrix_ma1sd_base_path: "{{ matrix_base_data_path }}/ma1sd" +matrix_ma1sd_docker_src_files_path: "{{ matrix_ma1sd_base_path }}/docker-src" matrix_ma1sd_config_path: "{{ matrix_ma1sd_base_path }}/config" matrix_ma1sd_data_path: "{{ matrix_ma1sd_base_path }}/data" From a4ea2f850b7e71cbc470f9bc6a9270a45c8f4cbc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Apr 2020 09:42:14 +0300 Subject: [PATCH 13/17] Provide a friendlier migration message from people using matrix_mxisd_ variables --- roles/matrix-ma1sd/tasks/validate_config.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/roles/matrix-ma1sd/tasks/validate_config.yml b/roles/matrix-ma1sd/tasks/validate_config.yml index da2bdc1b1..691fe0ac9 100644 --- a/roles/matrix-ma1sd/tasks/validate_config.yml +++ b/roles/matrix-ma1sd/tasks/validate_config.yml @@ -46,7 +46,6 @@ with_items: - "matrix_ma1sd_threepid_medium_email_connectors_smtp_host" - - name: (Deprecation) Catch and report renamed ma1sd variables fail: msg: >- @@ -55,4 +54,13 @@ when: "vars | dict2items | selectattr('key', 'match', item.old) | list | items2dict" with_items: - {'old': 'matrix_ma1sd_container_expose_port', 'new': ''} + +- name: (Deprecation) Catch and report mxisd variables + fail: + msg: >- + mxisd is deprecated and has been replaced with ma1sd (https://github.com/ma1uta/ma1sd), a compatible fork. + The playbook will migrate your existing mxisd configuration and data automatically, but you need to adjust variable names. + Please change your configuration (vars.yml) to rename all mxisd variables (`{{ item.old }}` -> `{{ item.new }}`). + when: "vars | dict2items | selectattr('key', 'match', item.old) | list | items2dict" + with_items: - {'old': 'matrix_mxisd_.*', 'new': 'matrix_ma1sd_.*'} From a0b82d223419431153601144441553a755ee97a6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Apr 2020 09:53:31 +0300 Subject: [PATCH 14/17] Fix mxisd -> ma1sd data migration (mxisd.db -> ma1sd.db) --- roles/matrix-ma1sd/tasks/migrate_mxisd.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-ma1sd/tasks/migrate_mxisd.yml b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml index 256e83fe6..424880e2e 100644 --- a/roles/matrix-ma1sd/tasks/migrate_mxisd.yml +++ b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml @@ -51,15 +51,15 @@ - name: Copy mxisd data files to ma1sd folder copy: - src: "{{ item }}" + src: "{{ item.src }}" remote_src: true - dest: "{{ matrix_ma1sd_data_path }}/" + dest: "{{ matrix_ma1sd_data_path }}/{{ item.dst_name }}" mode: "preserve" owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" with_items: - - "{{ matrix_base_data_path }}/mxisd/data/mxisd.db" - - "{{ matrix_base_data_path }}/mxisd/data/sign.key" + - {"src": "{{ matrix_base_data_path }}/mxisd/data/mxisd.db", "dst_name": "ma1sd.db"} + - {"src": "{{ matrix_base_data_path }}/mxisd/data/sign.key", "dst_name": "sign.key"} when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" - name: Rename mxisd folder From 845f5f007b3ab8d3479e1ecd1d9ff9e07f5474fe Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Apr 2020 10:08:37 +0300 Subject: [PATCH 15/17] Make Synapse use ma1sd (if enabled) for threepid registration --- group_vars/matrix_servers | 5 +++++ roles/matrix-synapse/defaults/main.yml | 8 ++++++++ roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 4 ++-- 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 9efd15391..e9dbffb5a 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -655,6 +655,11 @@ matrix_synapse_container_image_self_build: "{{ matrix_container_images_self_buil # When ma1sd is enabled, we can use it instead of the default public Identity servers. matrix_synapse_trusted_third_party_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_ma1sd_enabled else matrix_synapse_id_servers_public }}" +# When ma1sd is enabled, we can use it to validate email addresses and phone numbers. +# Synapse can validate email addresses by itself as well, but it's probably not what we want by default when we have an identity server. +matrix_synapse_account_threepid_delegates_email: "{{ 'http://matrix-ma1sd:8090' if matrix_ma1sd_enabled else '' }}" +matrix_synapse_account_threepid_delegates_msisdn: "{{ 'http://matrix-ma1sd:8090' if matrix_ma1sd_enabled else '' }}" + # Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, # you can expose Synapse's ports to the host. diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index f896f2324..38cd23216 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -164,6 +164,14 @@ matrix_synapse_enable_group_creation: false # A list of 3PID types which users must supply when registering (possible values: email, msisdn). matrix_synapse_registrations_require_3pid: [] +# The server to use for email threepid validation. When empty, Synapse does it by itself. +# Otherwise, this should be pointed to an identity server. +matrix_synapse_account_threepid_delegates_email: '' + +# The server to use for phone number threepid validation. When empty, validation cannot happen, as Synapse doesn't support it. +# To make it work, this should be pointed to an identity server. +matrix_synapse_account_threepid_delegates_msisdn: '' + # Users who register on this homeserver will automatically be joined to these rooms. # Rooms are to be specified using addresses (e.g. `#address:example.com`) matrix_synapse_auto_join_rooms: [] diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index b3adcac9d..310421e9b 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -1060,8 +1060,8 @@ trusted_third_party_id_servers: # If a delegate is specified, the config option public_baseurl must also be filled out. # account_threepid_delegates: - #email: https://example.com # Delegate email sending to example.com - #msisdn: http://localhost:8090 # Delegate SMS sending to this local process + email: {{ matrix_synapse_account_threepid_delegates_email|to_json }} + msisdn: {{ matrix_synapse_account_threepid_delegates_msisdn|to_json }} # Users who register on this homeserver will automatically be joined # to these rooms From 7266542356691a0a3f109c4f4d43898a24721dff Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Apr 2020 10:41:36 +0300 Subject: [PATCH 16/17] Announce ma1sd -> mxisd migration --- CHANGELOG.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f88987553..72ead398e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,15 @@ +# 2020-04-03 + +## (Potential Backward Compatibility Break) ma1sd replaces mxisd + +The [mxisd](https://github.com/kamax-io/mxisd) identity server, which has been deprecated for a long time, has been replaced by [ma1sd](https://github.com/kamax-io/mxisd), a compatible fork. + +**If you're using the default playbook configuration**, you don't need to do anything -- your mxisd installation will be replaced with ma1sd and all existing data will be migrated automatically the next time you run the playbook. + +**If you're doing something more special** (defining custom `matrix_mxisd_*` variables), the playbook will ask you to rename them to `matrix_ma1sd_*`. +You're also encouraged to test that ma1sd works well for such a more custom setup. + + # 2020-03-29 ## Archlinux support From 2fad4ee7d8482d48c099e66e327cb95bc28c2d74 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Apr 2020 10:43:47 +0300 Subject: [PATCH 17/17] Adjust changelog to give credit where credit is due --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 72ead398e..d4c4e74f8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,7 @@ ## (Potential Backward Compatibility Break) ma1sd replaces mxisd -The [mxisd](https://github.com/kamax-io/mxisd) identity server, which has been deprecated for a long time, has been replaced by [ma1sd](https://github.com/kamax-io/mxisd), a compatible fork. +Thanks to [Marcel Partap](https://github.com/eMPee584)'s efforts, the [mxisd](https://github.com/kamax-io/mxisd) identity server, which has been deprecated for a long time, has finally been replaced by [ma1sd](https://github.com/kamax-io/mxisd), a compatible fork. **If you're using the default playbook configuration**, you don't need to do anything -- your mxisd installation will be replaced with ma1sd and all existing data will be migrated automatically the next time you run the playbook.