From fe20c5e0a8d1f95bdb7661d71eab01ad9f37ef20 Mon Sep 17 00:00:00 2001 From: TheOneWithTheBraid Date: Sun, 21 Aug 2022 11:04:47 +0200 Subject: [PATCH 01/18] feat: include matrix_ldap_registration_proxy Fixes: #1144 Signed-off-by: TheOneWithTheBraid --- .../defaults/main.yml | 47 ++++++++++++++ .../tasks/init.yml | 11 ++++ .../tasks/main.yml | 30 +++++++++ ...f_check_matrix_ldap_registration_proxy.yml | 22 +++++++ .../tasks/setup_install.yml | 63 +++++++++++++++++++ .../tasks/setup_uninstall.yml | 36 +++++++++++ .../tasks/validate_config.yml | 0 .../templates/ldap-registration-proxy.env.j2 | 32 ++++++++++ .../matrix-ldap-registration-proxy.service.j2 | 43 +++++++++++++ .../vars/main.yml | 5 ++ 10 files changed, 289 insertions(+) create mode 100644 roles/matrix-ldap-registration-proxy/defaults/main.yml create mode 100644 roles/matrix-ldap-registration-proxy/tasks/init.yml create mode 100644 roles/matrix-ldap-registration-proxy/tasks/main.yml create mode 100644 roles/matrix-ldap-registration-proxy/tasks/self_check_matrix_ldap_registration_proxy.yml create mode 100644 roles/matrix-ldap-registration-proxy/tasks/setup_install.yml create mode 100644 roles/matrix-ldap-registration-proxy/tasks/setup_uninstall.yml create mode 100644 roles/matrix-ldap-registration-proxy/tasks/validate_config.yml create mode 100644 roles/matrix-ldap-registration-proxy/templates/ldap-registration-proxy.env.j2 create mode 100644 roles/matrix-ldap-registration-proxy/templates/systemd/matrix-ldap-registration-proxy.service.j2 create mode 100644 roles/matrix-ldap-registration-proxy/vars/main.yml diff --git a/roles/matrix-ldap-registration-proxy/defaults/main.yml b/roles/matrix-ldap-registration-proxy/defaults/main.yml new file mode 100644 index 000000000..5516f4f9c --- /dev/null +++ b/roles/matrix-ldap-registration-proxy/defaults/main.yml @@ -0,0 +1,47 @@ +--- +# matrix_ldap_registration_proxy - Want to build a large-scale Matrix server using external registration on LDAP? +# Project source code URL: https://gitlab.com/activism.international/matrix_ldap_registration_proxy + +matrix_ldap_registration_proxy_enabled: false + +matrix_ldap_registration_proxy_container_image_self_build_repo: "https://gitlab.com/activism.international/matrix_ldap_registration_proxy.git" +matrix_ldap_registration_proxy_container_image_self_build_branch: "{{ matrix_ldap_registration_proxy_version }}" + +matrix_ldap_registration_proxy_version: "296246afc6a9b3105e67fcf6621cf05ebc74b873" + +matrix_ldap_registration_proxy_base_path: "{{ matrix_base_data_path }}/matrix_ldap_registration_proxy" +# We need the docker src directory to be named matrix_ldap_registration_proxy. +matrix_ldap_registration_proxy_docker_src_files_path: "{{ matrix_ldap_registration_proxy_base_path }}/docker-src/matrix_ldap_registration_proxy" +matrix_ldap_registration_proxy_config_path: "{{ matrix_ldap_registration_proxy_base_path }}/config" + +matrix_ldap_registration_proxy_ldap_uri: "{{ matrix_synapse_ext_password_provider_ldap_uri }}" +matrix_ldap_registration_proxy_ldap_base_dn: "{{ matrix_synapse_ext_password_provider_ldap_base }}" +matrix_ldap_registration_proxy_ldap_user: "{{ matrix_synapse_ext_password_provider_ldap_bind_dn }}" +matrix_ldap_registration_proxy_ldap_password: "{{ matrix_synapse_ext_password_provider_ldap_bind_password }}" +matrix_ldap_registration_proxy_matrix_server_name: "{{ matrix_domain }}" +matrix_ldap_registration_proxy_matrix_server_url: "https://{{ matrix_server_fqn_matrix }}" + +# Controls whether the self-check feature should validate SSL certificates. +matrix_matrix_ldap_registration_proxy_self_check_validate_certificates: true + +matrix_ldap_registration_proxy_container_port: 8080 +# Controls whether the matrix_ldap_registration_proxy container exposes its HTTP port (tcp/{{ matrix_ldap_registration_proxy_container_port }} in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8080"), or empty string to not expose. +matrix_ldap_registration_proxy_container_http_host_bind_port: '' + +# A list of extra arguments to pass to the container +matrix_ldap_registration_proxy_container_extra_arguments: [] + +# List of systemd services that matrix_ldap_registration_proxy.service depends on +matrix_ldap_registration_proxy_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix_ldap_registration_proxy.service wants +matrix_ldap_registration_proxy_systemd_wanted_services_list: [] + +# Default ma1sd configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +matrix_ldap_registration_proxy_configuration_env: "{{ lookup('template', 'templates/ldap-registration-proxy.env.j2') }}" + +# Holds the final ma1sd configuration (a combination of the default and its extension). +matrix_ldap_registration_proxy_configuration: "{{ matrix_ldap_registration_proxy_configuration_env }}" diff --git a/roles/matrix-ldap-registration-proxy/tasks/init.yml b/roles/matrix-ldap-registration-proxy/tasks/init.yml new file mode 100644 index 000000000..312165cc4 --- /dev/null +++ b/roles/matrix-ldap-registration-proxy/tasks/init.yml @@ -0,0 +1,11 @@ +--- +# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070 +# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407 +- name: Fail if trying to self-build on Ansible < 2.8 + ansible.builtin.fail: + msg: "To self-build the matrix_ldap_registration_proxy image, you should use Ansible 2.8 or higher. See docs/ansible.md" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_matrix_ldap_registration_proxy_container_image_self_build and matrix_matrix_ldap_registration_proxy_enabled | bool" + +- ansible.builtin.set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-matrix-ldap-registration-proxy.service'] }}" + when: matrix_matrix_ldap_registration_proxy_enabled | bool diff --git a/roles/matrix-ldap-registration-proxy/tasks/main.yml b/roles/matrix-ldap-registration-proxy/tasks/main.yml new file mode 100644 index 000000000..720d27ba8 --- /dev/null +++ b/roles/matrix-ldap-registration-proxy/tasks/main.yml @@ -0,0 +1,30 @@ +--- + +- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup | bool and matrix_matrix_ldap_registration_proxy_enabled | bool" + tags: + - setup-all + - setup-matrix-ldap-registration-proxy + +- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup | bool and matrix_matrix_ldap_registration_proxy_enabled | bool" + tags: + - setup-all + - setup-matrix-ldap-registration-proxy + +- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup | bool and not matrix_matrix_ldap_registration_proxy_enabled | bool" + tags: + - setup-all + - setup-matrix-ldap-registration-proxy + +- ansible.builtin.import_tasks: "{{ role_path }}/tasks/self_check_matrix_ldap_registration_proxy.yml" + delegate_to: 127.0.0.1 + become: false + when: "run_self_check | bool and matrix_matrix_ldap_registration_proxy_enabled | bool" + tags: + - self-check diff --git a/roles/matrix-ldap-registration-proxy/tasks/self_check_matrix_ldap_registration_proxy.yml b/roles/matrix-ldap-registration-proxy/tasks/self_check_matrix_ldap_registration_proxy.yml new file mode 100644 index 000000000..ce46c45af --- /dev/null +++ b/roles/matrix-ldap-registration-proxy/tasks/self_check_matrix_ldap_registration_proxy.yml @@ -0,0 +1,22 @@ +--- + +- ansible.builtin.set_fact: + matrix_ldap_registration_proxy_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/client/r0/register" + +- name: Check matrix_ldap_registration_proxy Service + ansible.builtin.uri: + url: "{{ matrix_ldap_registration_proxy_url_endpoint_public }}" + follow_redirects: none + validate_certs: "{{ matrix_matrix_ldap_registration_proxy_self_check_validate_certificates }}" + check_mode: false + register: result_matrix_ldap_registration_proxy + ignore_errors: true + +- name: Fail if matrix_ldap_registration_proxy Service not working + ansible.builtin.fail: + msg: "Failed checking matrix_ldap_registration_proxy is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_ldap_registration_proxy_url_endpoint_public }}`). Is matrix_ldap_registration_proxy running? Is port 443 open in your firewall? Full error: {{ result_matrix_ldap_registration_proxy }}" + when: "result_matrix_ldap_registration_proxy.failed or 'json' not in result_matrix_ldap_registration_proxy" + +- name: Report working matrix_ldap_registration_proxy Service + ansible.builtin.debug: + msg: "matrix_ldap_registration_proxy at `{{ matrix_server_fqn_matrix }}` is working (checked endpoint: `{{ matrix_ldap_registration_proxy_url_endpoint_public }}`)" diff --git a/roles/matrix-ldap-registration-proxy/tasks/setup_install.yml b/roles/matrix-ldap-registration-proxy/tasks/setup_install.yml new file mode 100644 index 000000000..1f0307ec3 --- /dev/null +++ b/roles/matrix-ldap-registration-proxy/tasks/setup_install.yml @@ -0,0 +1,63 @@ +--- + +- name: Ensure matrix_ldap_registration_proxy paths exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {path: "{{ matrix_ldap_registration_proxy_config_path }}", when: true} + - {path: "{{ matrix_ldap_registration_proxy_docker_src_files_path }}", when: true} + when: "item.when | bool" + +- ansible.builtin.set_fact: + matrix_ldap_registration_proxy_requires_restart: false + +- name: Ensure matrix_ldap_registration_proxy repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_ldap_registration_proxy_container_image_self_build_repo }}" + dest: "{{ matrix_ldap_registration_proxy_docker_src_files_path }}" + version: "{{ matrix_ldap_registration_proxy_container_image_self_build_branch }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: matrix_ldap_registration_proxy_git_pull_results + +- name: Ensure matrix_ldap_registration_proxy Docker image is built + docker_image: + name: "{{ matrix_ldap_registration_proxy_docker_image }}" + source: build + force_source: "{{ matrix_ldap_registration_proxy_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_ldap_registration_proxy_docker_src_files_path }}" + pull: true + when: true + +- name: Ensure matrix_ldap_registration_proxy config installed + ansible.builtin.copy: + content: "{{ matrix_ldap_registration_proxy_configuration }}" + dest: "{{ matrix_ldap_registration_proxy_config_path }}/ldap-registration-proxy.env" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-ldap-registration-proxy.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-ldap-registration-proxy.service.j2" + dest: "{{ matrix_systemd_path }}/matrix-ldap-registration-proxy.service" + mode: 0644 + register: matrix_ldap_registration_proxy_systemd_service_result + +- name: Ensure systemd reloaded after matrix-ldap-registration-proxy.service installation + ansible.builtin.service: + daemon_reload: true + when: "matrix_ldap_registration_proxy_systemd_service_result.changed | bool" + +- name: Ensure matrix-ldap-registration-proxy.service restarted, if necessary + ansible.builtin.service: + name: "matrix-ldap-registration-proxy.service" + state: restarted + when: "matrix_ldap_registration_proxy_requires_restart | bool" diff --git a/roles/matrix-ldap-registration-proxy/tasks/setup_uninstall.yml b/roles/matrix-ldap-registration-proxy/tasks/setup_uninstall.yml new file mode 100644 index 000000000..cc542edf3 --- /dev/null +++ b/roles/matrix-ldap-registration-proxy/tasks/setup_uninstall.yml @@ -0,0 +1,36 @@ +--- + +- name: Check existence of matrix-matrix_ldap_registration_proxy service + ansible.builtin.stat: + path: "{{ matrix_systemd_path }}/matrix-ldap-registration-proxy.service" + register: matrix_matrix_ldap_registration_proxy_service_stat + +- name: Ensure matrix-matrix_ldap_registration_proxy is stopped + ansible.builtin.service: + name: matrix-matrix_ldap_registration_proxy + state: stopped + enabled: false + daemon_reload: true + register: stopping_result + when: "matrix_matrix_ldap_registration_proxy_service_stat.stat.exists | bool" + +- name: Ensure matrix-ldap-registration-proxy.service doesn't exist + ansible.builtin.file: + path: "{{ matrix_systemd_path }}/matrix-ldap-registration-proxy.service" + state: absent + when: "matrix_matrix_ldap_registration_proxy_service_stat.stat.exists | bool" + +- name: Ensure systemd reloaded after matrix-ldap-registration-proxy.service removal + ansible.builtin.service: + daemon_reload: true + when: "matrix_matrix_ldap_registration_proxy_service_stat.stat.exists | bool" + +- name: Ensure Matrix matrix_ldap_registration_proxy paths don't exist + ansible.builtin.file: + path: "{{ matrix_matrix_ldap_registration_proxy_base_path }}" + state: absent + +- name: Ensure matrix_ldap_registration_proxy Docker image doesn't exist + docker_image: + name: "{{ matrix_matrix_ldap_registration_proxy_docker_image }}" + state: absent diff --git a/roles/matrix-ldap-registration-proxy/tasks/validate_config.yml b/roles/matrix-ldap-registration-proxy/tasks/validate_config.yml new file mode 100644 index 000000000..e69de29bb diff --git a/roles/matrix-ldap-registration-proxy/templates/ldap-registration-proxy.env.j2 b/roles/matrix-ldap-registration-proxy/templates/ldap-registration-proxy.env.j2 new file mode 100644 index 000000000..e7ee29ba1 --- /dev/null +++ b/roles/matrix-ldap-registration-proxy/templates/ldap-registration-proxy.env.j2 @@ -0,0 +1,32 @@ +# please specify the configuration here +# +# these settings are mandatory + +# The server to connect to. Please note it must be accessible from the Docker network +# example: `ldap://127.0.0.1:389` +LDAP_SERVER={{ matrix_ldap_registration_proxy_ldap_uri }} + +# the base DN used for user creation + +LDAP_BASE_DN={{ matrix_ldap_registration_proxy_ldap_base_dn }} + +# the privileged user used for user creation including it's DN +# example: `uid=admin,cn=users,cn=accounts,dc=example,dc=org` + +LDAP_USER={{ matrix_ldap_registration_proxy_ldap_user }} + +# the password of the `LDAP_USER` used for authentication +LDAP_PASSWORD={{ matrix_ldap_registration_proxy_ldap_password }} + +# the human-readable server name of your Matrix server as used in the Matrix ID +# example: `example.org` +MATRIX_SERVER_NAME={{ matrix_ldap_registration_proxy_matrix_server_name }} + +# the url to access the Matrix server API without trailing `/` +# example: `https://matrix.example.org` +MATRIX_SERVER_URL={{ matrix_ldap_registration_proxy_matrix_server_url }} + +# these settings are optional: + +# Specify the port to listen on. Default to 8080 +LISTEN_PORT={{ matrix_ldap_registration_proxy_container_port }} diff --git a/roles/matrix-ldap-registration-proxy/templates/systemd/matrix-ldap-registration-proxy.service.j2 b/roles/matrix-ldap-registration-proxy/templates/systemd/matrix-ldap-registration-proxy.service.j2 new file mode 100644 index 000000000..afbabe729 --- /dev/null +++ b/roles/matrix-ldap-registration-proxy/templates/systemd/matrix-ldap-registration-proxy.service.j2 @@ -0,0 +1,43 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=matrix_ldap_registration_proxy +{% for service in matrix_ldap_registration_proxy_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_ldap_registration_proxy_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ matrix_systemd_unit_home_path }}" +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-matrix_ldap_registration_proxy 2>/dev/null || true' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-matrix_ldap_registration_proxy 2>/dev/null || true' + +# matrix_ldap_registration_proxy writes an SQLite shared library (libsqlitejdbc.so) to /tmp and executes it from there, +# so /tmp needs to be mounted with an exec option. +ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-ldap-registration-proxy \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_docker_network }} \ + {% if matrix_ldap_registration_proxy_container_http_host_bind_port %} + -p {{ matrix_ldap_registration_proxy_container_http_host_bind_port }}:{{ matrix_ldap_registration_proxy_container_port }} \ + {% endif %} + --env-file {{ matrix_ldap_registration_proxy_config_path }}/ldap-registration-proxy.env \ + {% for arg in matrix_ldap_registration_proxy_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_ldap_registration_proxy_docker_image }} + +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-ldap-registration-proxy 2>/dev/null || true' +ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-ldap-registration-proxy 2>/dev/null || true' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-ldap-registration-proxy + +[Install] +WantedBy=multi-user.target diff --git a/roles/matrix-ldap-registration-proxy/vars/main.yml b/roles/matrix-ldap-registration-proxy/vars/main.yml new file mode 100644 index 000000000..3adc735e9 --- /dev/null +++ b/roles/matrix-ldap-registration-proxy/vars/main.yml @@ -0,0 +1,5 @@ +--- + +# Doing `|from_yaml` when the extension contains nothing yields an empty string (""). +# We need to ensure it's a dictionary or `|combine` (when building `matrix_ma1sd_configuration`) will fail later. +matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml | from_yaml if matrix_ma1sd_configuration_extension_yaml | from_yaml else {} }}" From b112480793d10b373645f1969fe2dc03cd8c9d85 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Sun, 4 Sep 2022 08:44:49 +0200 Subject: [PATCH 02/18] Remove ma1sd leftovers --- roles/matrix-ldap-registration-proxy/vars/main.yml | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 roles/matrix-ldap-registration-proxy/vars/main.yml diff --git a/roles/matrix-ldap-registration-proxy/vars/main.yml b/roles/matrix-ldap-registration-proxy/vars/main.yml deleted file mode 100644 index 3adc735e9..000000000 --- a/roles/matrix-ldap-registration-proxy/vars/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -# Doing `|from_yaml` when the extension contains nothing yields an empty string (""). -# We need to ensure it's a dictionary or `|combine` (when building `matrix_ma1sd_configuration`) will fail later. -matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml | from_yaml if matrix_ma1sd_configuration_extension_yaml | from_yaml else {} }}" From 88f416638571ba5c88f0815827ff6d518e91412f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Sun, 4 Sep 2022 08:46:56 +0200 Subject: [PATCH 03/18] Validate that basic LDAP settings are provided --- .../tasks/validate_config.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/roles/matrix-ldap-registration-proxy/tasks/validate_config.yml b/roles/matrix-ldap-registration-proxy/tasks/validate_config.yml index e69de29bb..6b52af9c8 100644 --- a/roles/matrix-ldap-registration-proxy/tasks/validate_config.yml +++ b/roles/matrix-ldap-registration-proxy/tasks/validate_config.yml @@ -0,0 +1,12 @@ +--- + +- name: Fail if required settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_ldap_registration_proxy_ldap_uri" + - "matrix_ldap_registration_proxy_ldap_base_dn" + - "matrix_ldap_registration_proxy_ldap_user" + - "matrix_ldap_registration_proxy_ldap_password" From ab33024665548238933f0ce4a01d36edbd814887 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Sun, 4 Sep 2022 08:53:26 +0200 Subject: [PATCH 04/18] Make role enabled in role but turn it off in group vars --- group_vars/matrix_servers | 14 ++++++++++++++ .../defaults/main.yml | 2 +- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 074e06e9c..bbfdcf3e9 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1538,6 +1538,20 @@ matrix_jitsi_etherpad_base: "{{ matrix_etherpad_base_url if matrix_etherpad_enab # /matrix-jitsi # ###################################################################### +###################################################################### +# +# matrix-ldap-registration-proxy +# +###################################################################### + +# This is only for users with a specific LDAP setup +matrix_ldap_registration_proxy_enabled: false + +###################################################################### +# +# /matrix-ldap-registration-proxy +# +###################################################################### ###################################################################### # diff --git a/roles/matrix-ldap-registration-proxy/defaults/main.yml b/roles/matrix-ldap-registration-proxy/defaults/main.yml index 5516f4f9c..44a670c15 100644 --- a/roles/matrix-ldap-registration-proxy/defaults/main.yml +++ b/roles/matrix-ldap-registration-proxy/defaults/main.yml @@ -2,7 +2,7 @@ # matrix_ldap_registration_proxy - Want to build a large-scale Matrix server using external registration on LDAP? # Project source code URL: https://gitlab.com/activism.international/matrix_ldap_registration_proxy -matrix_ldap_registration_proxy_enabled: false +matrix_ldap_registration_proxy_enabled: true matrix_ldap_registration_proxy_container_image_self_build_repo: "https://gitlab.com/activism.international/matrix_ldap_registration_proxy.git" matrix_ldap_registration_proxy_container_image_self_build_branch: "{{ matrix_ldap_registration_proxy_version }}" From 54def0b1e1103cf9b236a5e2a352c826f3a4900e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Sun, 4 Sep 2022 08:56:03 +0200 Subject: [PATCH 05/18] Avoid cross-referencing of variables in role, move to group vars --- group_vars/matrix_servers | 6 ++++++ roles/matrix-ldap-registration-proxy/defaults/main.yml | 8 ++++---- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index bbfdcf3e9..92cc5c591 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1547,6 +1547,12 @@ matrix_jitsi_etherpad_base: "{{ matrix_etherpad_base_url if matrix_etherpad_enab # This is only for users with a specific LDAP setup matrix_ldap_registration_proxy_enabled: false +# Use the LDAP values specified for the synapse role to setup LDAP proxy +matrix_ldap_registration_proxy_ldap_uri: "{{ matrix_synapse_ext_password_provider_ldap_uri }}" +matrix_ldap_registration_proxy_ldap_base_dn: "{{ matrix_synapse_ext_password_provider_ldap_base }}" +matrix_ldap_registration_proxy_ldap_user: "{{ matrix_synapse_ext_password_provider_ldap_bind_dn }}" +matrix_ldap_registration_proxy_ldap_password: "{{ matrix_synapse_ext_password_provider_ldap_bind_password }}" + ###################################################################### # # /matrix-ldap-registration-proxy diff --git a/roles/matrix-ldap-registration-proxy/defaults/main.yml b/roles/matrix-ldap-registration-proxy/defaults/main.yml index 44a670c15..4165c5910 100644 --- a/roles/matrix-ldap-registration-proxy/defaults/main.yml +++ b/roles/matrix-ldap-registration-proxy/defaults/main.yml @@ -14,10 +14,10 @@ matrix_ldap_registration_proxy_base_path: "{{ matrix_base_data_path }}/matrix_ld matrix_ldap_registration_proxy_docker_src_files_path: "{{ matrix_ldap_registration_proxy_base_path }}/docker-src/matrix_ldap_registration_proxy" matrix_ldap_registration_proxy_config_path: "{{ matrix_ldap_registration_proxy_base_path }}/config" -matrix_ldap_registration_proxy_ldap_uri: "{{ matrix_synapse_ext_password_provider_ldap_uri }}" -matrix_ldap_registration_proxy_ldap_base_dn: "{{ matrix_synapse_ext_password_provider_ldap_base }}" -matrix_ldap_registration_proxy_ldap_user: "{{ matrix_synapse_ext_password_provider_ldap_bind_dn }}" -matrix_ldap_registration_proxy_ldap_password: "{{ matrix_synapse_ext_password_provider_ldap_bind_password }}" +matrix_ldap_registration_proxy_ldap_uri: "" +matrix_ldap_registration_proxy_ldap_base_dn: "" +matrix_ldap_registration_proxy_ldap_user: "" +matrix_ldap_registration_proxy_ldap_password: "" matrix_ldap_registration_proxy_matrix_server_name: "{{ matrix_domain }}" matrix_ldap_registration_proxy_matrix_server_url: "https://{{ matrix_server_fqn_matrix }}" From 7665c5e048dbd14ed5854fea36d38817927eec20 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Sun, 4 Sep 2022 08:59:07 +0200 Subject: [PATCH 06/18] Remove ma1sd leftovers --- roles/matrix-ldap-registration-proxy/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-ldap-registration-proxy/defaults/main.yml b/roles/matrix-ldap-registration-proxy/defaults/main.yml index 4165c5910..15f597495 100644 --- a/roles/matrix-ldap-registration-proxy/defaults/main.yml +++ b/roles/matrix-ldap-registration-proxy/defaults/main.yml @@ -39,9 +39,9 @@ matrix_ldap_registration_proxy_systemd_required_services_list: ['docker.service' # List of systemd services that matrix_ldap_registration_proxy.service wants matrix_ldap_registration_proxy_systemd_wanted_services_list: [] -# Default ma1sd configuration template which covers the generic use case. +# Default LDAP configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. matrix_ldap_registration_proxy_configuration_env: "{{ lookup('template', 'templates/ldap-registration-proxy.env.j2') }}" -# Holds the final ma1sd configuration (a combination of the default and its extension). +# Holds the final LDAP configuration (a combination of the default and its extension). matrix_ldap_registration_proxy_configuration: "{{ matrix_ldap_registration_proxy_configuration_env }}" From 949ca115fede8a143df2dde7efdea4fdcdb3eea3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Sun, 4 Sep 2022 09:09:09 +0200 Subject: [PATCH 07/18] Use a template option for the env with variable extension --- .../matrix-ldap-registration-proxy/defaults/main.yml | 11 ++++++----- .../tasks/setup_install.yml | 4 ++-- .../templates/ldap-registration-proxy.env.j2 | 3 +++ 3 files changed, 11 insertions(+), 7 deletions(-) diff --git a/roles/matrix-ldap-registration-proxy/defaults/main.yml b/roles/matrix-ldap-registration-proxy/defaults/main.yml index 15f597495..469a2f295 100644 --- a/roles/matrix-ldap-registration-proxy/defaults/main.yml +++ b/roles/matrix-ldap-registration-proxy/defaults/main.yml @@ -39,9 +39,10 @@ matrix_ldap_registration_proxy_systemd_required_services_list: ['docker.service' # List of systemd services that matrix_ldap_registration_proxy.service wants matrix_ldap_registration_proxy_systemd_wanted_services_list: [] -# Default LDAP configuration template which covers the generic use case. -# You can customize it by controlling the various variables inside it. -matrix_ldap_registration_proxy_configuration_env: "{{ lookup('template', 'templates/ldap-registration-proxy.env.j2') }}" +# Additional environment variables to pass to the LDAP proxy environment variables. +# +# Example: +# matrix_ldap_registration_proxy_env_variables_extension: | +# KEY=value +matrix_ldap_registration_proxy_env_variables_extension: '' -# Holds the final LDAP configuration (a combination of the default and its extension). -matrix_ldap_registration_proxy_configuration: "{{ matrix_ldap_registration_proxy_configuration_env }}" diff --git a/roles/matrix-ldap-registration-proxy/tasks/setup_install.yml b/roles/matrix-ldap-registration-proxy/tasks/setup_install.yml index 1f0307ec3..870373370 100644 --- a/roles/matrix-ldap-registration-proxy/tasks/setup_install.yml +++ b/roles/matrix-ldap-registration-proxy/tasks/setup_install.yml @@ -37,8 +37,8 @@ when: true - name: Ensure matrix_ldap_registration_proxy config installed - ansible.builtin.copy: - content: "{{ matrix_ldap_registration_proxy_configuration }}" + ansible.builtin.template: + src: "{{ role_path }}/templates/ldap-registration-proxy.env.j2" dest: "{{ matrix_ldap_registration_proxy_config_path }}/ldap-registration-proxy.env" mode: 0644 owner: "{{ matrix_user_username }}" diff --git a/roles/matrix-ldap-registration-proxy/templates/ldap-registration-proxy.env.j2 b/roles/matrix-ldap-registration-proxy/templates/ldap-registration-proxy.env.j2 index e7ee29ba1..581a0b0d8 100644 --- a/roles/matrix-ldap-registration-proxy/templates/ldap-registration-proxy.env.j2 +++ b/roles/matrix-ldap-registration-proxy/templates/ldap-registration-proxy.env.j2 @@ -30,3 +30,6 @@ MATRIX_SERVER_URL={{ matrix_ldap_registration_proxy_matrix_server_url }} # Specify the port to listen on. Default to 8080 LISTEN_PORT={{ matrix_ldap_registration_proxy_container_port }} + +# Use this to extend the configuration with custom variables +{{ matrix_ldap_registration_proxy_env_variables_extension }} From 3bc64fb6cc8d2f0a1b2d4decdc5c95a369420a50 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Sun, 4 Sep 2022 09:09:59 +0200 Subject: [PATCH 08/18] Remove selfcheck --- .../tasks/main.yml | 7 ------ ...f_check_matrix_ldap_registration_proxy.yml | 22 ------------------- 2 files changed, 29 deletions(-) delete mode 100644 roles/matrix-ldap-registration-proxy/tasks/self_check_matrix_ldap_registration_proxy.yml diff --git a/roles/matrix-ldap-registration-proxy/tasks/main.yml b/roles/matrix-ldap-registration-proxy/tasks/main.yml index 720d27ba8..576fc1f48 100644 --- a/roles/matrix-ldap-registration-proxy/tasks/main.yml +++ b/roles/matrix-ldap-registration-proxy/tasks/main.yml @@ -21,10 +21,3 @@ tags: - setup-all - setup-matrix-ldap-registration-proxy - -- ansible.builtin.import_tasks: "{{ role_path }}/tasks/self_check_matrix_ldap_registration_proxy.yml" - delegate_to: 127.0.0.1 - become: false - when: "run_self_check | bool and matrix_matrix_ldap_registration_proxy_enabled | bool" - tags: - - self-check diff --git a/roles/matrix-ldap-registration-proxy/tasks/self_check_matrix_ldap_registration_proxy.yml b/roles/matrix-ldap-registration-proxy/tasks/self_check_matrix_ldap_registration_proxy.yml deleted file mode 100644 index ce46c45af..000000000 --- a/roles/matrix-ldap-registration-proxy/tasks/self_check_matrix_ldap_registration_proxy.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- - -- ansible.builtin.set_fact: - matrix_ldap_registration_proxy_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/client/r0/register" - -- name: Check matrix_ldap_registration_proxy Service - ansible.builtin.uri: - url: "{{ matrix_ldap_registration_proxy_url_endpoint_public }}" - follow_redirects: none - validate_certs: "{{ matrix_matrix_ldap_registration_proxy_self_check_validate_certificates }}" - check_mode: false - register: result_matrix_ldap_registration_proxy - ignore_errors: true - -- name: Fail if matrix_ldap_registration_proxy Service not working - ansible.builtin.fail: - msg: "Failed checking matrix_ldap_registration_proxy is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_ldap_registration_proxy_url_endpoint_public }}`). Is matrix_ldap_registration_proxy running? Is port 443 open in your firewall? Full error: {{ result_matrix_ldap_registration_proxy }}" - when: "result_matrix_ldap_registration_proxy.failed or 'json' not in result_matrix_ldap_registration_proxy" - -- name: Report working matrix_ldap_registration_proxy Service - ansible.builtin.debug: - msg: "matrix_ldap_registration_proxy at `{{ matrix_server_fqn_matrix }}` is working (checked endpoint: `{{ matrix_ldap_registration_proxy_url_endpoint_public }}`)" From 43bca57798c010146ac7a31ec8c5d979f4429e95 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Sun, 4 Sep 2022 19:38:27 +0200 Subject: [PATCH 09/18] Add nginx rewrite for registration --- .../defaults/main.yml | 4 ++++ .../templates/nginx/conf.d/matrix-domain.conf.j2 | 14 ++++++++++++++ 2 files changed, 18 insertions(+) diff --git a/roles/matrix-ldap-registration-proxy/defaults/main.yml b/roles/matrix-ldap-registration-proxy/defaults/main.yml index 469a2f295..712e1101d 100644 --- a/roles/matrix-ldap-registration-proxy/defaults/main.yml +++ b/roles/matrix-ldap-registration-proxy/defaults/main.yml @@ -30,6 +30,10 @@ matrix_ldap_registration_proxy_container_port: 8080 # Takes an ":" or "" value (e.g. "127.0.0.1:8080"), or empty string to not expose. matrix_ldap_registration_proxy_container_http_host_bind_port: '' +matrix_ldap_registration_proxy_registration_addr_with_container: "matrix-ldap_-egistration-proxy:{{ matrix_ldap_registration_proxy_container_port }}" +matrix_ldap_registration_proxy_registration_addr_sans_container: "127.0.0.1:{{ matrix_ldap_registration_proxy_container_port }}" + + # A list of extra arguments to pass to the container matrix_ldap_registration_proxy_container_extra_arguments: [] diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 2895ba14a..0e16e3e31 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -129,6 +129,20 @@ } {% endif %} + {% if matrix_ldap_registration_proxy_enabled %} + location _matrix/client/r0/register { + {% if matrix_nginx_proxy_enabled %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container }}"; + proxy_pass http://$backend/register; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container }}/register; + {% endif %} + } + {% endif %} + {% for configuration_block in matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} From e5ba1daad4a8e7c0b4caabbc0f668401778a5640 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Mon, 5 Sep 2022 21:48:19 +0200 Subject: [PATCH 10/18] Remove matrix LDAP proxy config from nginx role --- .../templates/nginx/conf.d/matrix-domain.conf.j2 | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 0e16e3e31..2895ba14a 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -129,20 +129,6 @@ } {% endif %} - {% if matrix_ldap_registration_proxy_enabled %} - location _matrix/client/r0/register { - {% if matrix_nginx_proxy_enabled %} - {# Use the embedded DNS resolver in Docker containers to discover the service #} - resolver 127.0.0.11 valid=5s; - set $backend "{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container }}"; - proxy_pass http://$backend/register; - {% else %} - {# Generic configuration for use outside of our container setup #} - proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container }}/register; - {% endif %} - } - {% endif %} - {% for configuration_block in matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks %} {{- configuration_block }} {% endfor %} From 3aa2c8e535e81407782672e76ebd5be27be123e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Mon, 5 Sep 2022 21:52:43 +0200 Subject: [PATCH 11/18] Inject nginx configuration for ldap proxy at runtime --- .../tasks/init.yml | 51 ++++++++++++++++++- 1 file changed, 49 insertions(+), 2 deletions(-) diff --git a/roles/matrix-ldap-registration-proxy/tasks/init.yml b/roles/matrix-ldap-registration-proxy/tasks/init.yml index 312165cc4..15017333b 100644 --- a/roles/matrix-ldap-registration-proxy/tasks/init.yml +++ b/roles/matrix-ldap-registration-proxy/tasks/init.yml @@ -4,8 +4,55 @@ - name: Fail if trying to self-build on Ansible < 2.8 ansible.builtin.fail: msg: "To self-build the matrix_ldap_registration_proxy image, you should use Ansible 2.8 or higher. See docs/ansible.md" - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_matrix_ldap_registration_proxy_container_image_self_build and matrix_matrix_ldap_registration_proxy_enabled | bool" + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ldap_registration_proxy_container_image_self_build and matrix_ldap_registration_proxy_enabled | bool" - ansible.builtin.set_fact: matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-matrix-ldap-registration-proxy.service'] }}" - when: matrix_matrix_ldap_registration_proxy_enabled | bool + when: matrix_ldap_registration_proxy_enabled | bool + +- block: + - name: Fail if matrix-nginx-proxy role already executed + ansible.builtin.fail: + msg: >- + Trying to append Matrix LDAP registration proxy's reverse-proxying configuration to matrix-nginx-proxy, + but it's pointless since the matrix-nginx-proxy role had already executed. + To fix this, please change the order of roles in your playbook, + so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-telegram role. + when: matrix_nginx_proxy_role_executed | default(False) | bool + + - name: Generate Matrix LDAP registration proxy proxying configuration for matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_ldap_registration_proxy_matrix_nginx_proxy_configuration: | + location {{ matrix_ldap_registration_proxy_public_endpoint }} { + {% if matrix_nginx_proxy_enabled | default(False) %} + {# Use the embedded DNS resolver in Docker containers to discover the service #} + resolver 127.0.0.11 valid=5s; + set $backend "{{ matrix_ldap_registration_proxy_registration_addr_with_container }}"; + proxy_pass http://$backend/register;; + {% else %} + {# Generic configuration for use outside of our container setup #} + proxy_pass http://{{ matrix_ldap_registration_proxy_registration_addr_sans_container }}/register; + {% endif %} + } + + - name: Register Matrix LDAP registration proxy proxying configuration with matrix-nginx-proxy + ansible.builtin.set_fact: + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: | + {{ + matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([]) + + + [matrix_ldap_registration_proxy_matrix_nginx_proxy_configuration] + }} + - name: Warn about reverse-proxying if matrix-nginx-proxy not used + ansible.builtin.debug: + msg: >- + NOTE: You've enabled the Matrix LDAP registration proxy bridge but are not using the matrix-nginx-proxy + reverse proxy. + Please make sure that you're proxying the `{{ matrix_ldap_registration_proxy_public_endpoint }}` + URL endpoint to the matrix-matrix-ldap-proxy container. + You can expose the container's port using the `matrix_ldap_registration_proxy_container_http_host_bind_port` variable. + when: "not matrix_nginx_proxy_enabled | default(False) | bool" + + tags: + - always + when: matrix_ldap_registration_proxy_enabled | bool and matrix_ldap_registration_proxy_appservice_public_enabled | bool From d03d0dc89797303a36ae01a11aea95b6b7db4f0c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Mon, 5 Sep 2022 21:54:10 +0200 Subject: [PATCH 12/18] Add role to setup.yml --- setup.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/setup.yml b/setup.yml index 3b7d235d3..0086b032c 100755 --- a/setup.yml +++ b/setup.yml @@ -59,6 +59,7 @@ - matrix-client-hydrogen - matrix-client-cinny - matrix-jitsi + - matrix-ldap-registration-proxy - matrix-ma1sd - matrix-dimension - matrix-etherpad From 24effe36b6e490d13ddd02726ff5692fd3bb7224 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Tue, 6 Sep 2022 09:37:35 +0200 Subject: [PATCH 13/18] Fix typo --- roles/matrix-ldap-registration-proxy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-ldap-registration-proxy/defaults/main.yml b/roles/matrix-ldap-registration-proxy/defaults/main.yml index 712e1101d..5a010f971 100644 --- a/roles/matrix-ldap-registration-proxy/defaults/main.yml +++ b/roles/matrix-ldap-registration-proxy/defaults/main.yml @@ -30,7 +30,7 @@ matrix_ldap_registration_proxy_container_port: 8080 # Takes an ":" or "" value (e.g. "127.0.0.1:8080"), or empty string to not expose. matrix_ldap_registration_proxy_container_http_host_bind_port: '' -matrix_ldap_registration_proxy_registration_addr_with_container: "matrix-ldap_-egistration-proxy:{{ matrix_ldap_registration_proxy_container_port }}" +matrix_ldap_registration_proxy_registration_addr_with_container: "matrix-ldap_registration-proxy:{{ matrix_ldap_registration_proxy_container_port }}" matrix_ldap_registration_proxy_registration_addr_sans_container: "127.0.0.1:{{ matrix_ldap_registration_proxy_container_port }}" From c7d8299398fdef5c798fcf41153b6d19f0d18b15 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Fri, 9 Sep 2022 16:01:36 +0200 Subject: [PATCH 14/18] Correct service name MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Julian-Samuel Gebühr --- .../systemd/matrix-ldap-registration-proxy.service.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-ldap-registration-proxy/templates/systemd/matrix-ldap-registration-proxy.service.j2 b/roles/matrix-ldap-registration-proxy/templates/systemd/matrix-ldap-registration-proxy.service.j2 index afbabe729..13ada897b 100644 --- a/roles/matrix-ldap-registration-proxy/templates/systemd/matrix-ldap-registration-proxy.service.j2 +++ b/roles/matrix-ldap-registration-proxy/templates/systemd/matrix-ldap-registration-proxy.service.j2 @@ -13,8 +13,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-matrix_ldap_registration_proxy 2>/dev/null || true' -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-matrix_ldap_registration_proxy 2>/dev/null || true' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-ldap-registration-proxy 2>/dev/null || true' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-ldap-registration-proxy 2>/dev/null || true' # matrix_ldap_registration_proxy writes an SQLite shared library (libsqlitejdbc.so) to /tmp and executes it from there, # so /tmp needs to be mounted with an exec option. From 0a4ce46e1ee89edce74f3bc7a8be2547c927fcfd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Fri, 16 Sep 2022 18:25:36 +0200 Subject: [PATCH 15/18] Add doc page MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Julian-Samuel Gebühr --- ...ng-playbook-matrix-ldap-registration-proxy.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 docs/configuring-playbook-matrix-ldap-registration-proxy.md diff --git a/docs/configuring-playbook-matrix-ldap-registration-proxy.md b/docs/configuring-playbook-matrix-ldap-registration-proxy.md new file mode 100644 index 000000000..661535f39 --- /dev/null +++ b/docs/configuring-playbook-matrix-ldap-registration-proxy.md @@ -0,0 +1,16 @@ +# Setting up matrix-ldap-registration-proxy (optional) + +The playbook can install and configure [matrix-ldap-registration-proxy](https://gitlab.com/activism.international/matrix_ldap_registration_proxy) for you. + +This proxy handles Matrix registration requests and forwards them to LDAP. + +**Please note:** This does support the full Matrix specification for registrations. It only provide a very coarse +implementation of a basic password registration. + +## Quickstart + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: + +```yaml +matrix_ldap_registration_proxy_enabled: true +``` From db705aff4f226ae0685a39e7cbe2fc5036b40914 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Fri, 16 Sep 2022 19:15:33 +0200 Subject: [PATCH 16/18] Add documentation to readme/list of services MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Julian-Samuel Gebühr --- README.md | 2 ++ docs/configuring-playbook.md | 4 ++++ 2 files changed, 6 insertions(+) diff --git a/README.md b/README.md index 221e8a85b..4c64ee2cd 100644 --- a/README.md +++ b/README.md @@ -45,6 +45,8 @@ Using this playbook, you can get the following services configured on your serve - (optional, advanced) the [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) LDAP Auth password provider module +- (optional, advanced) the [matrix-ldap-registration-proxy](https://gitlab.com/activism.international/matrix_ldap_registration_proxy) a proxy that handles Matrix registration requests and forwards them to LDAP. + - (optional, advanced) the [synapse-simple-antispam](https://github.com/t2bot/synapse-simple-antispam) spam checker module - (optional, advanced) the [Matrix Corporal](https://github.com/devture/matrix-corporal) reconciliator and gateway for a managed Matrix server diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index b3b44b5ff..735dddf2b 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -86,6 +86,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up the LDAP password provider module](configuring-playbook-ldap-auth.md) (optional, advanced) +- [Setting up the ldap-registration-proxy](configuring-playbook-matrix-ldap-registration-proxy.md) (optional, advanced) + - [Setting up Synapse Simple Antispam](configuring-playbook-synapse-simple-antispam.md) (optional, advanced) - [Setting up Matrix Corporal](configuring-playbook-matrix-corporal.md) (optional, advanced) @@ -179,3 +181,5 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up the Sygnal push gateway](configuring-playbook-sygnal.md) (optional) - [Setting up the ntfy push notifications server](configuring-playbook-ntfy.md) (optional) + + From d23cef541ebd8c6cc21a1540a50215fddb184c94 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Fri, 16 Sep 2022 19:16:45 +0200 Subject: [PATCH 17/18] Redo exposing the service to nginx MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The Service is now exposed by default on port 8585 and forwarded by nginx to the specified endpoint Signed-off-by: Julian-Samuel Gebühr --- roles/matrix-ldap-registration-proxy/defaults/main.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/roles/matrix-ldap-registration-proxy/defaults/main.yml b/roles/matrix-ldap-registration-proxy/defaults/main.yml index 5a010f971..bf7f35643 100644 --- a/roles/matrix-ldap-registration-proxy/defaults/main.yml +++ b/roles/matrix-ldap-registration-proxy/defaults/main.yml @@ -28,10 +28,14 @@ matrix_ldap_registration_proxy_container_port: 8080 # Controls whether the matrix_ldap_registration_proxy container exposes its HTTP port (tcp/{{ matrix_ldap_registration_proxy_container_port }} in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:8080"), or empty string to not expose. -matrix_ldap_registration_proxy_container_http_host_bind_port: '' +matrix_ldap_registration_proxy_container_http_host_bind_port: '8585'}' -matrix_ldap_registration_proxy_registration_addr_with_container: "matrix-ldap_registration-proxy:{{ matrix_ldap_registration_proxy_container_port }}" -matrix_ldap_registration_proxy_registration_addr_sans_container: "127.0.0.1:{{ matrix_ldap_registration_proxy_container_port }}" +# `matrix_ldap_registration_proxy_container_http_host_bind_port_number_raw` contains the raw port number extracted from `matrix_ldap_registration_proxy_container_http_host_bind_port`, + # which can contain values like this: ('1234', '127.0.0.1:1234', '0.0.0.0:1234') + matrix_ldap_registration_proxy_container_http_host_bind_port_number_raw: "{{ '' if matrix_ldap_registration_proxy_container_http_host_bind_port == '' else (matrix_ldap_registration_proxy_container_http_host_bind_port.split(':')[1] if ':' in matrix_ldap_registration_proxy_container_http_host_bind_port else matrix_ldap_registration_proxy_container_http_host_bind_port) }}" + +matrix_ldap_registration_proxy_registration_addr_with_container: "matrix-ldap_registration-proxy:{{ matrix_ldap_registration_proxy_container_http_host_bind_port_number_raw }}" +matrix_ldap_registration_proxy_registration_addr_sans_container: "127.0.0.1:{{ matrix_ldap_registration_proxy_container_http_host_bind_port_number_raw }}" # A list of extra arguments to pass to the container From 2fa0ddcf539b73882be52a1aefaef93a01133fc4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Fri, 16 Sep 2022 19:25:00 +0200 Subject: [PATCH 18/18] TODO: Check if ths documentation is correct MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Julian-Samuel Gebühr --- ...ring-playbook-matrix-ldap-registration-proxy.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/docs/configuring-playbook-matrix-ldap-registration-proxy.md b/docs/configuring-playbook-matrix-ldap-registration-proxy.md index 661535f39..31b75a0be 100644 --- a/docs/configuring-playbook-matrix-ldap-registration-proxy.md +++ b/docs/configuring-playbook-matrix-ldap-registration-proxy.md @@ -14,3 +14,17 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars. ```yaml matrix_ldap_registration_proxy_enabled: true ``` + +That is enough if you use the synapse external password provider via LDAP. +If you want to use your own credentials add the following to your `inventory/host_vars/matrix.DOMAIN/vars.yml`: + + + +# LDAP credentials +```yaml +matrix_ldap_registration_proxy_ldap_uri: +matrix_ldap_registration_proxy_ldap_base_dn: +matrix_ldap_registration_proxy_ldap_user: +matrix_ldap_registration_proxy_ldap_password: +``` +TODO: is the block above correct? Else indicate that it can only be used with the LDAP password provider for Synapse