20c2aade3e
* Replace installation command shortcut for the "just" program with the most conservative raw ansible-playbook command
This commit replaces installation command shortcut ("recipe") for the "just" program with the raw ansible-playbook command, so that the shortcut will be added to it later. The command is so conservative that failure of the command will mean something is clearly broken.
Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org>
* Add comments about using setup-all instead of install-all
Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org>
* Add description about shortcut command with the "just" program to the ansible-playbook command with "setup-all" and "start" tags
It also explains difference between "just install-all" and "just setup-all" recipes. The explanation is based on docs/playbook-tags.md
Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org>
* Update raw ansible-playbook command to have it do what "just install-all" or "just setup-all" does
Since "just install-all" or "just setup-all" invokes "ensure-matrix-users-created" as well, it needs adding to the raw ansible-playbook command.
Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org>
* Remove "ensure-matrix-users-created" from the raw ansible-playbook command which does not need it
Also: update the "just" recipes accordingly. "just install-all" and "just setup-all" run "ensure-matrix-users-created" tag as well, therefore they need to be replaced with "run-tags" recipes to skip "ensure-matrix-users-created"
Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org>
* Update docs/configuring-playbook-etherpad.md: add ensure-matrix-users-created to the raw ansible-playbook
Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org>
* Add description about "ensure-matrix-users-created" and create a list with description about shortcut commands with "just"
This commit also fixes list item capitalization and punctuation.
Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org>
* Add notes bullet lists
Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org>
* Update docs/configuring-playbook-matrix-corporal.md and docs/configuring-playbook-email2matrix.md: adopt common instructions
Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org>
* Replace "run the installation command" with "run the playbook with tags"
Now that shortcut commands for the "just" program are displayed along with the existing "installation command", this commit replaces "run the installation command" with "run the playbook with tags" in order to prevent misunderstanding and confusion.
Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org>
* Add notes about changing passwords of users specified on vars.yml
Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org>
* Update docs/configuring-playbook-synapse-admin.md: add the playbook command and just recipes
Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org>
* Remove redundant blank lines
Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org>
* Update docs/configuring-playbook-alertmanager-receiver.md: remove the direction to proceed to Usage
Such a kind of direction is not used on other documentation, so it should be fine to just remove it.
Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org>
* Update docs/importing-synapse-media-store.md: code block for ansible-playbook
Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org>
---------
Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org>
Co-authored-by: Suguru Hirahara <acioustick@noreply.codeberg.org>
6.5 KiB
Setting up Matrix User Verification Service (optional)
Matrix User Verification Service (hereafter: UVS) can only be installed after Matrix services are installed and running. If you're just installing Matrix services for the first time, please continue with the Configuration / Installation flow and come back here later.
Currently, the main purpose of this role is to allow Jitsi to authenticate Matrix users and check if they are authorized to join a conference. Please refer to the documentation of the Matrix User Verification Service to understand how it works.
Note: enabling Matrix User Verification Service, means that the openid API endpoints will be exposed on the Matrix Federation port (usually 8448), even if federation is disabled.
If the Jitsi server is also configured by this playbook, all plugging of variables and secrets is handled in group_vars/matrix_servers.
Some general concepts of UVS may be helpful to understand the rest, so here they are:
UVS can be used to verify two claims:
- (A) Whether a given OpenID token is valid for a given server and
- (B) whether a user is member of a given room and the corresponding PowerLevel
Verifying an OpenID token ID done by finding the corresponding Homeserver via '.well-known/matrix/server' for the given domain. The configured matrix_user_verification_service_uvs_homeserver_url does not factor into this. By default, this playbook only checks against matrix_server_fqn_matrix. Therefore, the request will be made against the public openid API for matrix_server_fqn_matrix.
Verifying RoomMembership and PowerLevel is done against matrix_user_verification_service_uvs_homeserver_url which is by default done via the docker network. UVS will verify the validity of the token beforehand though.
Prerequisites
In order to use UVS, an admin token for the configured homeserver must be supplied. For now this means configuring Synapse and creating the token before installing UVS.
Enable
To enable Matrix User Verification Service, add the following configuration to your inventory/host_vars/matrix.example.com/vars.yml file:
matrix_user_verification_service_enabled: true
Configuration
The only required configuration variable is matrix_user_verification_service_uvs_access_token (see below).
For a list of all configuration options see the role defaults roles/matrix-user-verification-service/defaults/main.yml. But be aware of all the plugging happening in group_vars/matrix_servers.
In the default configuration, the UVS Server is only reachable via the docker network, which is fine if e.g. Jitsi is also running in a container on the host. However, it is possible to expose UVS via setting matrix_user_verification_service_container_http_host_bind_port.
Access token
The Synapse Access Token is used to verify RoomMembership and PowerLevel against matrix_user_verification_service_uvs_homeserver_url.
We recommend that you create a dedicated Matrix user for uvs (uvs is a good username). Follow our Registering users guide to register a user with administration privileges.
You are required to specify an access token (belonging to this new user) for UVS to work. To get an access token for the UVS user, you can follow the documentation on how to do obtain an access token.
Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone.
matrix_user_verification_service_uvs_access_token: "YOUR ACCESS TOKEN HERE"
(Optional) Custom Auth Token
It is possible to set an API Auth Token to restrict access to the UVS. If this is enabled, anyone making a request to UVS must provide it via the header "Authorization: Bearer TOKEN"
By default, the token will be derived from matrix_homeserver_generic_secret_key in group_vars/matrix_servers.
To set your own Token, simply put the following in your host_vars.
matrix_user_verification_service_uvs_auth_token: "TOKEN"
In case Jitsi is also managed by this playbook and 'matrix' authentication in Jitsi is enabled, this collection will automatically configure Jitsi to use the configured auth token.
(Optional) Disable Auth
Authorization is enabled by default. To disable set
matrix_user_verification_service_uvs_require_auth: false
in your host_vars.
(Optional) Federation
In theory (however currently untested), UVS can handle federation. Simply set:
matrix_user_verification_service_uvs_pin_openid_verify_server_name: false
in your host_vars.
This will instruct UVS to verify the OpenID token against any domain given in a request. Homeserver discovery is done via '.well-known/matrix/server' of the given domain.
Installing
After these variables have been set, run the playbook with playbook tags as below to restart UVS:
ansible-playbook -i inventory/hosts setup.yml --tags=setup-matrix-user-verification-service,start
The shortcut commands with just program are also available: just run-tags setup-matrix-user-verification-service,start or just run-tags setup-all,start
just run-tags setup-matrix-user-verification-service,start is useful for maintaining your setup quickly when its components remain unchanged. If you adjust your vars.yml to remove other components, you'd need to run just run-tags setup-all,start, or these components will still remain installed. For more information about just shortcuts, take a look at this page: Running just commands
Logging
The configuration variable UVS_LOG_LEVEL can be set to:
- warning
- info
- debug
TLS Certificate Checking
If the Matrix Homeserver does not provide a valid TLS certificate, UVS will fail with the following error message:
message: 'No response received: [object Object]',
This also applies to self-signed and let's encrypt staging certificates.
To disable certificate validation altogether (INSECURE! Not suitable for production use!) set: NODE_TLS_REJECT_UNAUTHORIZED=0
Alternatively, it is possible to inject your own CA certificates into the container by mounting a PEM file with additional trusted CAs into the container and pointing the NODE_EXTRA_CA_CERTS environment variable to it.