# SOME DESCRIPTIVE TITLE.
# Copyright (C) 2018-2024, Slavi Pantaleev, Aine Etke, MDAD community
# members
# This file is distributed under the same license as the
# matrix-docker-ansible-deploy package.
# FIRST AUTHOR , 2024.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: matrix-docker-ansible-deploy \n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2024-12-16 12:05+0900\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME \n"
"Language: jp\n"
"Language-Team: jp \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=utf-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Generated-By: Babel 2.16.0\n"

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:1
msgid "Setting up Matrix Authentication Service (optional)"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:3
msgid ""
"This playbook can install and configure [Matrix Authentication "
"Service](https://github.com/element-hq/matrix-authentication-service/) "
"(MAS) - a service operating alongside your existing [Synapse"
"](./configuring-playbook-synapse.md) homeserver and providing [better "
"authentication, session management and permissions in "
"Matrix](https://matrix.org/blog/2023/09/better-auth/)."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:5
msgid ""
"Matrix Authentication Service is an implementation of [MSC3861: Next-"
"generation auth for Matrix, based on OAuth 2.0/OIDC](https://github.com"
"/matrix-org/matrix-spec-proposals/pull/3861) and is still a work in "
"progress, tracked at the [areweoidcyet.com](https://areweoidcyet.com/) website."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:7
msgid ""
"**Before you start using Matrix Authentication Service**, make sure to "
"read:"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:9
msgid ""
"the [Reasons to use Matrix Authentication Service](#reasons-to-use-"
"matrix-authentication-service) section below"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:10
msgid "the [Expectations](#expectations) section below"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:11
msgid "the [FAQ section on areweoidcyet.com](https://areweoidcyet.com/#faqs)"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:13
msgid ""
"**If you've already been using Synapse** and have user accounts in its "
"database, you can [migrate to Matrix Authentication Service](#migrating-"
"an-existing-synapse-homeserver-to-matrix-authentication-service)."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:15
msgid "Reasons to use Matrix Authentication Service"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:17
msgid ""
"You may be wondering whether you should make the switch to Matrix "
"Authentication Service (MAS) or keep using your existing authentication "
"flow via Synapse (password-based or [OIDC](./configuring-playbook-"
"synapse.md#synapse--openid-connect-for-single-sign-on)-enabled)."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:19
msgid ""
"Matrix Authentication Service is **still an experimental service** and "
"**not a default** for this Ansible playbook."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:21
msgid ""
"The [Expectations](#expectations) section contains a list of what works "
"and what doesn't (**some services don't work with MAS yet**), as well as "
"a note on the **relative irreversibility** of the migration process."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:23
msgid ""
"Below, we'll try to **highlight some potential reasons for switching** to"
" Matrix Authentication Service:"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:25
msgid ""
"To use SSO in [Element X](https://element.io/blog/element-x-ignition/). "
"The old [Synapse OIDC](./configuring-playbook-synapse.md#synapse--openid-"
"connect-for-single-sign-on) login flow is only supported in old Element "
"clients and will not be supported in Element X. Element X will only "
"support the new SSO-based login flow provided by MAS, so if you want to "
"use SSO with Element X, you will need to switch to MAS."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:27
msgid ""
"To help drive adoption of the \"Next-generation auth for Matrix\" by "
"switching to what's ultimately coming anyway"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:29
msgid ""
"To help discover (and potentially fix) MAS integration issues with this "
"Ansible playbook"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:31
msgid ""
"To help discover (and potentially fix) MAS integration issues with "
"various other Matrix components (bridges, bots, clients, etc.)"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:33
msgid ""
"To reap some of the security benefits that Matrix Authentication Service "
"offers, as outlined in the [Better authentication, session management and"
" permissions in Matrix](https://matrix.org/blog/2023/09/better-auth/) "
"article."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:35
msgid "Prerequisites"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:37
msgid ""
"⚠️ the [Synapse](configuring-playbook-synapse.md) homeserver "
"implementation (which is the default for this playbook). Other homeserver"
" implementations ([Dendrite](./configuring-playbook-dendrite.md), "
"[Conduit](./configuring-playbook-conduit.md), etc.) do not support "
"integrating with Matrix Authentication Service yet."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:39
msgid ""
"⚠️ **email sending** configured (see [Adjusting email-sending settings"
"](./configuring-playbook-email.md)), because **Matrix Authentication "
"Service [still insists](https://github.com/element-hq/matrix-"
"authentication-service/issues/1505) on having a verified email address "
"for each user** going through the new SSO-based login flow. It's also "
"possible to [work around email deliverability issues](#working-around-"
"email-deliverability-issues) if your email configuration is not working."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:41
msgid ""
"❌ **disabling all password providers** for Synapse (things like [shared-"
"secret-auth](./configuring-playbook-shared-secret-auth.md), [rest-auth"
"](./configuring-playbook-rest-auth.md), [LDAP auth](./configuring-"
"playbook-ldap-auth.md), etc.). More details about this are available in "
"the [Expectations](#expectations) section below."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:43
msgid "Expectations"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:45
msgid ""
"This section details what you can expect when switching to the Matrix "
"Authentication Service (MAS)."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:47
msgid ""
"❌ **Synapse password providers will need to be disabled**. You can no "
"longer use [shared-secret-auth](./configuring-playbook-shared-secret-"
"auth.md), [rest-auth](./configuring-playbook-rest-auth.md), [LDAP auth"
"](./configuring-playbook-ldap-auth.md), etc. When the authentication flow"
" is handled by MAS (not by Synapse anymore), it doesn't make sense to "
"extend the Synapse authentication flow with additional modules. Many "
"bridges used to rely on shared-secret-auth for doing double-puppeting "
"(impersonating other users), but most (at least the mautrix bridges) "
"nowadays use [Appservice Double Puppet](./configuring-playbook-"
"appservice-double-puppet.md) as a better alternative. Older or "
"unmaintained bridges may still rely on shared-secret-auth, as do other "
"services like [matrix-corporal](./configuring-playbook-matrix-corporal.md)."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:49
msgid ""
"❌ Certain **tools like [synapse-admin](./configuring-playbook-synapse-"
"admin.md) do not have full compatibility with MAS yet**. synapse-admin "
"already supports [login with access token](https://github.com/etkecc"
"/synapse-admin/pull/58), browsing users (which Synapse will internally "
"fetch from MAS) and updating user avatars. However, editing users "
"(passwords, etc.) now needs to happen directly against MAS using the [MAS"
" Admin API](https://element-hq.github.io/matrix-authentication-"
"service/api/index.html), which synapse-admin cannot interact with yet."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:51
msgid "❌ **Some services experience issues when authenticating via MAS**:"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:53
msgid ""
"[Postmoogle](./configuring-playbook-bridge-postmoogle.md) works the first"
" time around, but it consistently fails after restarting:"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:55
msgid ""
"cannot initialize matrix bot error=\"olm account is marked as shared, "
"keys seem to have disappeared from the server\""
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:57
msgid ""
"[matrix-reminder-bot](./configuring-playbook-bot-matrix-reminder-bot.md) "
"fails to start (see [element-hq/matrix-authentication-"
"service#3439](https://github.com/element-hq/matrix-authentication-"
"service/issues/3439))"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:58
msgid "Other services may be similarly affected. This list is not exhaustive."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:60
msgid ""
"❌ **Encrypted appservices** do not work yet (related to "
"[MSC4190](https://github.com/matrix-org/matrix-spec-proposals/pull/4190) "
"and [PR 17705 for Synapse](https://github.com/element-"
"hq/synapse/pull/17705)), so all bridges/bots that rely on encryption will"
" fail to start (see [this issue](https://github.com/spantaleev/matrix-"
"docker-ansible-deploy/issues/3658) for Hookshot). You can use these "
"bridges/bots only if you **keep end-to-bridge encryption disabled** "
"(which is the default setting)."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:62
msgid ""
"⚠️ **You will need to have email sending configured** (see [Adjusting "
"email-sending settings](./configuring-playbook-email.md)), because "
"**Matrix Authentication Service [still insists](https://github.com"
"/element-hq/matrix-authentication-service/issues/1505) on having a "
"verified email address for each user** going through the new SSO-based "
"login flow. It's also possible to [work around email deliverability "
"issues](#working-around-email-deliverability-issues) if your email "
"configuration is not working."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:64
msgid ""
"⚠️ [Migrating an existing Synapse homeserver to Matrix Authentication "
"Service](#migrating-an-existing-synapse-homeserver-to-matrix-"
"authentication-service) is **possible**, but requires **some playbook-"
"assisted manual work**. Migration is **reversible with no or minor issues"
" if done quickly enough**, but as users start logging in (creating new "
"login sessions) via the new MAS setup, disabling MAS and reverting back "
"to the Synapse user database will cause these new sessions to break."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:66
msgid ""
"⚠️ [Migrating an existing Synapse homeserver to Matrix Authentication "
"Service](#migrating-an-existing-synapse-homeserver-to-matrix-"
"authentication-service) does not currently seem to preserve the \"admin\""
" flag for users (as found in the Synapse database). All users are "
"imported as non-admin - see [element-hq/matrix-authentication-"
"service#3440](https://github.com/element-hq/matrix-authentication-"
"service/issues/3440). You may need to update the Matrix Authentication "
"Service's database manually and set the `can_request_admin` column in "
"the `users` table to `true` for users that need to be administrators "
"(e.g. `UPDATE users SET can_request_admin = true WHERE username = "
"'someone';`)"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:68
msgid ""
"⚠️ Delegating user authentication to MAS causes **your Synapse server to "
"be completely dependent on one more service** for its operations. MAS is "
"quick & lightweight and should be stable enough already, but this is "
"something to keep in mind when making the switch."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:70
msgid ""
"⚠️ If you've got [OIDC configured in Synapse](./configuring-playbook-"
"synapse.md#synapse--openid-connect-for-single-sign-on), you will need to "
"migrate your OIDC configuration to MAS by adding an [Upstream OAuth2 "
"configuration](#upstream-oauth2-configuration)."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:72
msgid ""
"⚠️ A [compatibility layer](https://element-hq.github.io/matrix-"
"authentication-service/setup/homeserver.html#set-up-the-compatibility-"
"layer) is installed - all `/_matrix/client/*/login` (etc.) requests will "
"be routed to MAS instead of going to the homeserver. This is done both "
"publicly (e.g. `https://matrix.example.com/_matrix/client/*/login`) and "
"on the internal Traefik entrypoint (e.g. `https://matrix-"
"traefik:8008/_matrix/client/*/login`) which helps addon services reach "
"the homeserver's Client-Server API. You typically don't need to do "
"anything to make this work, but it's good to be aware of it, especially "
"if you have a [custom webserver setup](./configuring-playbook-own-"
"webserver.md)."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:74
msgid ""
"✅ Your **existing login sessions will continue to work** (you won't get "
"logged out). Migration will require a bit of manual work and minutes of "
"downtime, but it's not too bad."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:76
msgid ""
"✅ Various clients ([Cinny](./configuring-playbook-client-cinny.md), "
"[Element Web](./configuring-playbook-client-element-web.md), Element X, "
"FluffyChat) will be able to use the **new SSO-based login flow** provided"
" by Matrix Authentication Service"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:78
msgid ""
"✅ The **old login flow** (called `m.login.password`) **will still "
"continue to work**, so clients (old Element Web, etc.) and bridges/bots "
"that don't support the new OIDC-based login flow will still work. Going "
"through the old login flow does not require users to have a verified "
"email address, unlike the new SSO-based login flow, which [does]"
"(https://github.com/element-hq/matrix-authentication-service/issues/1505)."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:80
msgid ""
"✅ [Registering users](./registering-users.md) via **the playbook's "
"`register-user` tag remains unchanged**. The playbook automatically does "
"the right thing regardless of homeserver implementation (Synapse, "
"Dendrite, etc.) and whether MAS is enabled or not. When MAS is enabled, "
"the playbook will forward user-registration requests to MAS. Registering "
"users via the command-line is no longer done via the "
"`/matrix/synapse/bin/register` script, but via `/matrix/matrix-"
"authentication-service/bin/register-user`."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:82
msgid ""
"✅ Users that are prepared by the playbook (for bots, bridges, etc.) will "
"continue to be registered automatically as expected. The playbook "
"automatically does the right thing regardless of homeserver "
"implementation (Synapse, Dendrite, etc.) and whether MAS is enabled or "
"not. When MAS is enabled, the playbook will forward user-registration "
"requests to MAS."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:84
msgid "Installation flows"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:86
msgid "New homeserver"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:88
msgid ""
"For new homeservers (which don't have any users in their Synapse database"
" yet), follow the [Adjusting the playbook configuration](#adjusting-the-"
"playbook-configuration) instructions and then proceed with "
"[Installing](#installing)."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:90
msgid "Existing homeserver"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:92
msgid ""
"Other homeserver implementations ([Dendrite](./configuring-playbook-"
"dendrite.md), [Conduit](./configuring-playbook-conduit.md), etc.) do not "
"support integrating with Matrix Authentication Service yet."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:94
msgid "For existing Synapse homeservers:"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:96
msgid ""
"when following the [Adjusting the playbook configuration](#adjusting-the-"
"playbook-configuration) instructions, make sure to **disable the "
"integration between Synapse and MAS** by **uncommenting** the "
"`matrix_authentication_service_migration_in_progress: true` line as "
"described in the [Marking an existing homeserver for migration](#marking-"
"an-existing-homeserver-for-migration) section below."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:98
msgid ""
"then follow the [Migrating an existing Synapse homeserver to Matrix "
"Authentication Service](#migrating-an-existing-synapse-homeserver-to-"
"matrix-authentication-service) instructions to perform the installation "
"and migration"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:100
msgid "Adjusting the playbook configuration"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:102
msgid ""
"To enable Matrix Authentication Service, add the following configuration "
"to your `inventory/host_vars/matrix.example.com/vars.yml` file:"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:116
msgid ""
"In the sub-sections that follow, we'll cover some additional "
"configuration options that you may wish to adjust."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:118
msgid ""
"There are many other configuration options available. Consult the "
"[`defaults/main.yml` file](../roles/custom/matrix-authentication-"
"service/defaults/main.yml) in the [matrix-authentication-service "
"role](../roles/custom/matrix-authentication-service/) to discover them."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:120
msgid "Adjusting the Matrix Authentication Service URL"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:122
msgid ""
"By default, this playbook installs the Matrix Authentication Service on "
"the `matrix.` subdomain, at the `/auth` path "
"(https://matrix.example.com/auth). This makes it easy to install it, "
"because it **doesn't require additional DNS records to be set up**. If "
"that's okay, you can skip this section."
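Added example (not the playbook's own snippet, which this translation file does not carry): a `vars.yml` fragment that enables MAS, marks an existing Synapse homeserver for migration, and optionally moves MAS off the default `https://matrix.example.com/auth` location. The hostname, path-prefix and migration variables are the ones named in this document; `matrix_authentication_service_enabled` is assumed from the playbook's `<component>_enabled` naming convention, and `auth.example.com` is a placeholder.

```yaml
# inventory/host_vars/matrix.example.com/vars.yml
# Added example; verify variable names against
# roles/custom/matrix-authentication-service/defaults/main.yml.

# Enable the role. Name assumed from the playbook's `<component>_enabled` convention.
matrix_authentication_service_enabled: true

# MAS requires a verified email address for every user going through the
# new SSO-based login flow, so email sending must already work
# (see configuring-playbook-email.md) or the deliverability workaround must be used.

# Existing Synapse homeserver with users in its database:
#   keep the next line UNCOMMENTED for the first playbook run and the syn2mas
#   migration, then delete it and run the playbook again. While it is set,
#   Synapse keeps validating tokens itself and /login is not yet routed to MAS,
#   which is what keeps existing sessions alive during the migration.
# New, empty homeserver:
#   leave the line commented out (or delete it).
# matrix_authentication_service_migration_in_progress: true

# Optional: serve MAS on its own hostname instead of the default matrix.example.com/auth.
# A dedicated hostname needs a DNS record pointing auth.example.com at the Matrix
# server; keep the defaults if you would rather avoid extra DNS work.
matrix_authentication_service_hostname: auth.example.com
matrix_authentication_service_path_prefix: /
```

Keep the migration flag and the hostname override in mind together: changing the MAS URL after users have started logging in via MAS changes the issuer their sessions were bound to, so settle the hostname before the first real (non-dry-run) syn2mas migration.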
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:124
msgid ""
"By tweaking the `matrix_authentication_service_hostname` and "
"`matrix_authentication_service_path_prefix` variables, you can easily "
"make the service available at a **different hostname and/or path** than "
"the default one."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:126
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:149
msgid ""
"Example additional configuration for your "
"`inventory/host_vars/matrix.example.com/vars.yml` file:"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:134
msgid "Marking an existing homeserver for migration"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:136
msgid ""
"The [configuration above](#adjusting-the-playbook-configuration) "
"instructs existing users wishing to migrate to add "
"`matrix_authentication_service_migration_in_progress: true` to their "
"configuration."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:138
msgid ""
"This is done temporarily. The migration steps are described in more "
"detail in the [Migrating an existing Synapse homeserver to Matrix "
"Authentication Service](#migrating-an-existing-synapse-homeserver-to-"
"matrix-authentication-service) section below."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:140
msgid "Upstream OAuth2 configuration"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:142
msgid ""
"To make Matrix Authentication Service delegate to an existing upstream "
"OAuth 2.0/OIDC provider, you can use its [`upstream_oauth2.providers` "
"setting](https://element-hq.github.io/matrix-authentication-"
"service/reference/configuration.html#upstream_oauth2providers)."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:144
msgid ""
"The playbook exposes a "
"`matrix_authentication_service_config_upstream_oauth2_providers` variable"
" for controlling this setting."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:261
msgid ""
"💡 Refer to the [`upstream_oauth2.providers` setting](https://element-"
"hq.github.io/matrix-authentication-"
"service/reference/configuration.html#upstream_oauth2providers) for the "
"most up-to-date schema and example for providers. The value shown above "
"may be out of date."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:263
msgid ""
"⚠️ The syntax for existing [OIDC providers configured in Synapse"
"](./configuring-playbook-synapse.md#synapse--openid-connect-for-single-"
"sign-on) is slightly different, so you will need to adjust your "
"configuration when switching from Synapse OIDC to MAS upstream OAuth2."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:265
msgid ""
"⚠️ When [migrating an existing homeserver](#migrating-an-existing-"
"synapse-homeserver-to-matrix-authentication-service) which contains OIDC-"
"sourced users, you will need to:"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:267
msgid ""
"[Configure upstream OIDC provider mapping for syn2mas](#configuring-"
"upstream-oidc-provider-mapping-for-syn2mas)"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:268
msgid ""
"go through the [migrating an existing homeserver](#migrating-an-existing-"
"synapse-homeserver-to-matrix-authentication-service) process"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:269
msgid ""
"remove all Synapse OIDC-related configuration (`matrix_synapse_oidc_*`) "
"to prevent it being in conflict with the MAS OIDC configuration"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:271
msgid "Adjusting DNS records"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:273
msgid ""
"If you've changed the default hostname, **you may need to adjust your "
"DNS** records to point the Matrix Authentication Service domain to the "
"Matrix server."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:275
msgid "See [Configuring DNS](configuring-dns.md) for details about DNS changes."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:277
msgid ""
"If you've decided to use the default hostname, you won't need to do any "
"extra DNS configuration."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:279
msgid "Installing"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:281
msgid ""
"Now that you've [adjusted the playbook configuration](#adjusting-the-"
"playbook-configuration) and [your DNS records](#adjusting-dns-records), "
"you can run the playbook with [playbook tags](playbook-tags.md) as below:"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:288
msgid "**Notes**:"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:290
msgid ""
"The shortcut commands with the [`just` program](just.md) are also "
"available: `just install-all` or `just setup-all`"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:292
msgid ""
"`just install-all` is useful for maintaining your setup quickly ([2x-5x "
"faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-"
"runtime) than `just setup-all`) when its components remain unchanged. If "
"you adjust your `vars.yml` to remove other components, you'd need to run "
"`just setup-all`, or these components will still remain installed. Note "
"these shortcuts run the `ensure-matrix-users-created` tag too."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:294
msgid ""
"If you're in the process of migrating an existing Synapse homeserver to "
"MAS, you should now follow the rest of the steps in the [Migrating an "
"existing Synapse homeserver to Matrix Authentication Service](#migrating-"
"an-existing-synapse-homeserver-to-matrix-authentication-service) guide."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:296
msgid ""
"💡 After installation, you should [verify that Matrix Authentication "
"Service is installed correctly](#verify-that-matrix-authentication-"
"service-is-installed-correctly)."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:298
msgid "Migrating an existing Synapse homeserver to Matrix Authentication Service"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:300
msgid ""
"Our migration guide is loosely based on the upstream [Migrating an "
"existing homeserver](https://element-hq.github.io/matrix-authentication-"
"service/setup/migration.html) guide."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:302
msgid ""
"Migration is done via a tool called `syn2mas`, which the playbook can "
"run for you (in a container)."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:304
msgid "The installation + migration steps are like this:"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:306
msgid ""
"[Adjust your configuration](#adjusting-the-playbook-configuration) to "
"**disable the integration between the homeserver and MAS**. This is done "
"by **uncommenting** the "
"`matrix_authentication_service_migration_in_progress: true` line."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:308
msgid "Perform the initial [installation](#installing). At this point:"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:310
msgid ""
"Matrix Authentication Service will be installed. Its database will be "
"empty, so it cannot validate existing access tokens or authenticate "
"users yet."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:312
msgid ""
"The homeserver will still continue to use its local database for "
"validating existing access tokens."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:314
msgid ""
"Various [compatibility layer URLs](https://element-hq.github.io/matrix-"
"authentication-service/setup/homeserver.html#set-up-the-compatibility-"
"layer) are not yet installed. New login sessions will still be forwarded "
"to the homeserver, which is capable of completing them."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:316
msgid ""
"The `matrix-user-creator` role will be suppressed, so that it doesn't "
"automatically attempt to create users (for bots, etc.) in the MAS "
"database. These user accounts likely already exist in Synapse's user "
"database and will be migrated over (via syn2mas, as per the steps "
"below), so creating them in the MAS database would be unnecessary "
"and potentially problematic (conflicts during the syn2mas migration)."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:318
msgid ""
"Consider taking a full [backup of your Postgres database](./maintenance-"
"postgres.md#backing-up-postgresql). This is done just in case. The "
"**syn2mas migration tool does not delete any data**, so it should be "
"possible to revert to your previous setup by merely disabling MAS and re-"
"running the playbook (no need to restore a Postgres backup). However, do "
"note that as users start logging in (creating new login sessions) via the"
" new MAS setup, disabling MAS and reverting back to the Synapse user "
"database will cause these new sessions to break."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:320
msgid ""
"[Migrate your data from Synapse to Matrix Authentication Service using "
"syn2mas](#migrate-your-data-from-synapse-to-matrix-authentication-"
"service-using-syn2mas)"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:322
msgid ""
"[Adjust your configuration](#adjusting-the-playbook-configuration) again,"
" to:"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:324
msgid ""
"remove the `matrix_authentication_service_migration_in_progress: true` "
"line (the one you uncommented in the first step)"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:326
msgid ""
"if you had been using [OIDC providers configured in Synapse"
"](./configuring-playbook-synapse.md#synapse--openid-connect-for-single-"
"sign-on), remove all Synapse OIDC-related configuration "
"(`matrix_synapse_oidc_*`) to prevent it being in conflict with the MAS "
"OIDC configuration"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:328
msgid "Perform the [installation](#installing) again. At this point:"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:330
msgid "The homeserver will start delegating authentication to MAS."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:332
msgid ""
"The compatibility layer URLs will be installed. New login sessions will "
"be completed by MAS."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:334
msgid ""
"[Verify that Matrix Authentication Service is installed correctly"
"](#verify-that-matrix-authentication-service-is-installed-correctly)"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:336
msgid ""
"Migrate your data from Synapse to Matrix Authentication Service using "
"syn2mas"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:338
msgid ""
"We **don't** ask you to [run the `syn2mas` migration advisor "
"command](https://element-hq.github.io/matrix-authentication-"
"service/setup/migration.html#run-the-migration-advisor), because it only "
"gives you the green light if your Synapse configuration "
"(`homeserver.yaml`) is configured in a way that's compatible with MAS "
"(delegating authentication to MAS; disabling Synapse's password config; "
"etc.). Until we migrate your data with the `syn2mas` tool, we "
"intentionally avoid making these changes, so that existing user sessions "
"keep working."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:340
msgid ""
"You can invoke the `syn2mas` tool via the playbook by running the "
"playbook's `matrix-authentication-service-syn2mas` tag. We recommend "
"first doing a [dry-run](#performing-a-syn2mas-dry-run) and then a [real "
"migration](#performing-a-real-syn2mas-migration)."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:342
msgid "Configuring syn2mas"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:344
msgid ""
"If you're using [OIDC with Synapse](./configuring-playbook-"
"synapse.md#synapse--openid-connect-for-single-sign-on), you will need to "
"[configure upstream OIDC provider mapping for syn2mas](#configuring-"
"upstream-oidc-provider-mapping-for-syn2mas)."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:346
msgid ""
"If you only have local (non-OIDC) users in your Synapse database, you can"
" likely run `syn2mas` as-is (without additional configuration changes)."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:348
msgid ""
"Once you've configured `syn2mas` (if needed), proceed to a "
"[dry-run](#performing-a-syn2mas-dry-run) and then a [real "
"migration](#performing-a-real-syn2mas-migration)."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:350
msgid "Configuring upstream OIDC provider mapping for syn2mas"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:352
msgid ""
"If you have existing OIDC users in your Synapse user database (which will"
" be the case when using [OIDC with Synapse](./configuring-playbook-"
"synapse.md#synapse--openid-connect-for-single-sign-on)), you may need to "
"pass an additional `--upstreamProviderMapping` argument to the `syn2mas` "
"tool to tell it which provider on the Synapse side maps to which "
"provider on the MAS side."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:354
msgid "If you don't do this, `syn2mas` will report errors like this one:"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:356
msgid ""
"[FATAL] migrate - [Failed to import external id 4264b0f0-4f11-4ddd-aedb-"
"b500e4d07c25 with oidc-keycloak for user @alice:example.com: Error: "
"Unknown upstream provider oidc-keycloak]"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:358
msgid "Below is an example situation and a guide for how to solve it."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:360
msgid ""
"If the `idp_id` of your provider in `matrix_synapse_oidc_providers` is "
"(or was) `keycloak`, users in the Synapse database are associated with "
"the `oidc-keycloak` provider (note the `oidc-` prefix that Synapse "
"automatically adds to your `idp_id` value)."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:362
msgid ""
"The same OIDC provider may have an `id` of `01HFVBY12TMNTYTBV8W921M5FA` "
"on the MAS side, as defined in "
"`matrix_authentication_service_config_upstream_oauth2_providers` (see the"
" [Upstream OAuth2 configuration](#upstream-oauth2-configuration) section "
"above)."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:364
msgid ""
"To tell `syn2mas` how the Synapse-configured OIDC provider maps to the "
"new MAS-configured OIDC provider, add this additional configuration to "
"your `inventory/host_vars/matrix.example.com/vars.yml` file:"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:373
msgid "Performing a syn2mas dry-run"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:375
msgid ""
"Having [configured syn2mas](#configuring-syn2mas), we recommend doing a "
"[dry-run](https://en.wikipedia.org/wiki/Dry_run_(testing)) first to "
"verify that everything will work out as expected."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:377
msgid "A dry-run does not cause downtime, because it does not stop Synapse."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:379
msgid "To perform a dry-run, run:"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:385
msgid ""
"Observe the command output (especially the last line of the syn2mas "
"output). If you are confident that the migration will work out as "
"expected, you can proceed with a [real migration](#performing-a-real-"
"syn2mas-migration)."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:387
msgid "Performing a real syn2mas migration"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:389
msgid "Before performing a real migration, make sure:"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:391
msgid "you've familiarized yourself with the [expectations](#expectations)"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:393
msgid "you've performed a Postgres backup, just in case"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:395
msgid ""
"you're aware that once users have created new login sessions via the new "
"MAS setup, the migration can no longer be reverted without disrupting "
"those sessions"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:397
msgid ""
"you've [configured syn2mas](#configuring-syn2mas), especially if you've "
"used [OIDC with Synapse](./configuring-playbook-synapse.md#synapse"
"--openid-connect-for-single-sign-on)"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:399
msgid ""
"you've performed a [syn2mas dry-run](#performing-a-syn2mas-dry-run) and "
"don't see any issues in its output"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:401
msgid ""
"To perform a real migration, run the `matrix-authentication-service-"
"syn2mas` tag **without** the "
"`matrix_authentication_service_syn2mas_dry_run` variable:"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:407
msgid ""
"Once a `syn2mas` migration has been performed, running it again will "
"report errors for users that were already migrated (e.g. \"Error: Unknown"
" upstream provider oauth-delegated\")."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:409
msgid "Verify that Matrix Authentication Service is installed correctly"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:411
msgid ""
"After [installation](#installing), run the `doctor` subcommand of the "
"[`mas-cli` command-line tool](https://element-hq.github.io/matrix-"
"authentication-service/reference/cli/index.html) to verify that MAS is "
"installed correctly."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:413
msgid "You can do it:"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:415
msgid ""
"either via the Ansible playbook's `matrix-authentication-service-mas-cli-"
"doctor` tag: `just run-tags matrix-authentication-service-mas-cli-doctor`"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:417
msgid ""
"or by running the `mas-cli` script on the server (which invokes the `mas-"
"cli` tool inside a container): `/matrix/matrix-authentication-service/bin"
"/mas-cli doctor`"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:419
msgid "If successful, you should see some output that looks like this:"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:431
msgid "Management"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:433
msgid ""
"You can use the [`mas-cli` command-line tool](https://element-"
"hq.github.io/matrix-authentication-service/reference/cli/index.html) "
"(exposed via the `/matrix/matrix-authentication-service/bin/mas-cli` "
"script) to perform administrative tasks against MAS."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:435
msgid "This documentation page already mentions:"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:437
msgid ""
"the `mas-cli doctor` sub-command in the [Verify that Matrix "
"Authentication Service is installed correctly](#verify-that-matrix-"
"authentication-service-is-installed-correctly) section, which you can run"
" via the CLI and via the Ansible playbook's `matrix-authentication-"
"service-mas-cli-doctor` tag"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:439
msgid ""
"the `mas-cli manage register-user` sub-command in the [Registering users"
"](./registering-users.md) documentation"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:441
msgid ""
"There are other sub-commands available. Run `/matrix/matrix-"
"authentication-service/bin/mas-cli` to get an overview."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:443
msgid "User registration"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:445
msgid ""
"After Matrix Authentication Service is [installed](#installing), users "
"need to be managed there (unless you're managing them in an [upstream "
"OAuth2 provider](#upstream-oauth2-configuration))."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:447
msgid ""
"You can register new users as described in the [Registering users"
"](./registering-users.md) documentation (via `mas-cli manage register-"
"user` or the Ansible playbook's `register-user` tag)."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:449
msgid "Working around email deliverability issues"
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:451
msgid ""
"Because Matrix Authentication Service [still insists](https://github.com"
"/element-hq/matrix-authentication-service/issues/1505) on having a "
"verified email address for each user, you may need to work around email "
"deliverability issues if [your email-sending configuration"
"](./configuring-playbook-email.md) is not working."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:453
msgid ""
"Matrix Authentication Service attempts to verify email addresses by "
"sending a verification email to the address specified by the user "
"whenever they log in to an account without a verified email address."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:455
msgid ""
"If email delivery is not working, **you can retrieve the email "
"verification code from the Matrix Authentication Service's logs** "
"(`journalctl -fu matrix-authentication-service`)."
msgstr ""

#: ../../../docs/configuring-playbook-matrix-authentication-service.md:457
msgid ""
"Alternatively, you can use the [`mas-cli` management tool](#management) "
"to manually verify email addresses for users. Example: `/matrix/matrix-"
"authentication-service/bin/mas-cli manage verify-email some.username "
"email@example.com`"
msgstr ""
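The upstream-provider mapping described in the "Configuring upstream OIDC provider mapping for syn2mas" and "Performing a syn2mas dry-run" entries above, worked through as an added example. This is not code from the playbook, from syn2mas or from MAS. It assumes that `--upstreamProviderMapping` takes one `synapse_provider_id:mas_provider_id` pair per argument, and it handles one case the documentation does not mention: Synapse only adds the `oidc-` prefix for providers whose `idp_id` is not the legacy value `oidc`, which is stored unprefixed. The dry-run output it parses is constructed here from the `[FATAL]` line format quoted in the documentation; the external ids and the second provider in it are made up.

```shell
#!/bin/sh
# Added example (not part of the playbook, syn2mas or MAS): helpers for the
# syn2mas upstream-provider mapping step.
#
# Assumptions:
#  - syn2mas accepts --upstreamProviderMapping <synapse_id>:<mas_id>, one
#    argument per provider pair (the colon-separated form is assumed here).
#  - Synapse records OIDC users under the provider id "oidc-<idp_id>",
#    except for the legacy idp_id "oidc", which it stores without a prefix.

# synapse_auth_provider_id IDP_ID
# Prints the provider id Synapse's database uses for the OIDC provider that
# is configured with IDP_ID in matrix_synapse_oidc_providers.
synapse_auth_provider_id() {
  if [ "$1" = "oidc" ]; then
    printf '%s\n' oidc          # legacy single-provider id: no prefix
  else
    printf 'oidc-%s\n' "$1"     # the prefixed form the documentation shows
  fi
}

# syn2mas_mapping_arg IDP_ID MAS_PROVIDER_ID
# Prints the syn2mas argument mapping the Synapse-side provider to the
# MAS-side provider id (the ULID set in
# matrix_authentication_service_config_upstream_oauth2_providers).
syn2mas_mapping_arg() {
  printf '%s %s:%s\n' '--upstreamProviderMapping' \
    "$(synapse_auth_provider_id "$1")" "$2"
}

# unmapped_providers < syn2mas-output
# Reads syn2mas (dry-run) output on stdin and prints each distinct
# Synapse-side provider id reported as "Unknown upstream provider", i.e.
# every provider that still needs a mapping before the real migration.
unmapped_providers() {
  sed -n 's/.*Error: Unknown upstream provider \([^]]*\)\].*/\1/p' | sort -u
}

# Constructed sample of dry-run output. The line format is the one quoted in
# the documentation; the external ids and the "oidc" provider are made up.
SAMPLE_SYN2MAS_OUTPUT='[FATAL] migrate - [Failed to import external id 4264b0f0-4f11-4ddd-aedb-b500e4d07c25 with oidc-keycloak for user @alice:example.com: Error: Unknown upstream provider oidc-keycloak]
[FATAL] migrate - [Failed to import external id 00000000-0000-4000-8000-000000000001 with oidc-keycloak for user @bob:example.com: Error: Unknown upstream provider oidc-keycloak]
[FATAL] migrate - [Failed to import external id 00000000-0000-4000-8000-000000000002 with oidc for user @carol:example.com: Error: Unknown upstream provider oidc]'

# Usage: list the providers the dry-run could not map, then print the
# argument to add for the keycloak provider from the documentation's example.
printf '%s\n' "$SAMPLE_SYN2MAS_OUTPUT" | unmapped_providers
syn2mas_mapping_arg keycloak 01HFVBY12TMNTYTBV8W921M5FA
```

Run the dry-run, feed its output to `unmapped_providers`, and generate one `syn2mas_mapping_arg` line per provider it lists; each printed line is an extra argument for syn2mas, which this playbook passes through a list variable in `vars.yml` (assumed here to be `matrix_authentication_service_syn2mas_process_extra_arguments`). A provider that still appears after the mapping has been added usually means the MAS-side `id` does not match the one in `matrix_authentication_service_config_upstream_oauth2_providers`.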