mirror of
https://github.com/spantaleev/matrix-docker-ansible-deploy.git
synced 2025-01-08 20:35:23 +00:00
214 lines
11 KiB
Plaintext
214 lines
11 KiB
Plaintext
# SOME DESCRIPTIVE TITLE.
|
|
# Copyright (C) 2018-2024, Slavi Pantaleev, Aine Etke, MDAD community members
|
|
# This file is distributed under the same license as the matrix-docker-ansible-deploy package.
|
|
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
|
|
#
|
|
#, fuzzy
|
|
msgid ""
|
|
msgstr ""
|
|
"Project-Id-Version: matrix-docker-ansible-deploy \n"
|
|
"Report-Msgid-Bugs-To: \n"
|
|
"POT-Creation-Date: 2024-12-28 10:25+0200\n"
|
|
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
|
|
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
|
|
"Language-Team: LANGUAGE <LL@li.org>\n"
|
|
"MIME-Version: 1.0\n"
|
|
"Content-Type: text/plain; charset=UTF-8\n"
|
|
"Content-Transfer-Encoding: 8bit\n"
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:1
|
|
msgid "Setting up Matrix User Verification Service (optional)"
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:3
|
|
msgid "**[Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service) (hereafter: UVS) can only be installed after Matrix services are installed and running.** If you're just installing Matrix services for the first time, please continue with the [Configuration](configuring-playbook.md) / [Installation](installing.md) flow and come back here later."
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:5
|
|
msgid "Currently, the main purpose of this role is to allow Jitsi to authenticate Matrix users and check if they are authorized to join a conference. Please refer to the documentation of the [Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service) to understand how it works."
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:7
|
|
msgid "**Note**: enabling Matrix User Verification Service, means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled."
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:9
|
|
msgid "If the Jitsi server is also configured by this playbook, all plugging of variables and secrets is handled in `group_vars/matrix_servers`."
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:11
|
|
msgid "__Some general concepts of UVS may be helpful to understand the rest, so here they are:__"
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:13
|
|
msgid "UVS can be used to verify two claims:"
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:15
|
|
msgid "(A) Whether a given OpenID token is valid for a given server and"
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:16
|
|
msgid "(B) whether a user is member of a given room and the corresponding PowerLevel"
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:18
|
|
msgid "Verifying an OpenID token ID done by finding the corresponding Homeserver via '.well-known/matrix/server' for the given domain. The configured `matrix_user_verification_service_uvs_homeserver_url` does **not** factor into this. By default, this playbook only checks against `matrix_server_fqn_matrix`. Therefore, the request will be made against the public openid API for `matrix_server_fqn_matrix`."
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:20
|
|
msgid "Verifying RoomMembership and PowerLevel is done against `matrix_user_verification_service_uvs_homeserver_url` which is by default done via the docker network. UVS will verify the validity of the token beforehand though."
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:22
|
|
msgid "Prerequisites"
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:24
|
|
msgid "In order to use UVS, an admin token for the configured homeserver must be supplied. For now this means configuring Synapse and creating the token before installing UVS."
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:26
|
|
msgid "Enable"
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:28
|
|
msgid "To enable Matrix User Verification Service, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:"
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:34
|
|
msgid "Configuration"
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:36
|
|
msgid "The only required configuration variable is `matrix_user_verification_service_uvs_access_token` (see below)."
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:38
|
|
msgid "For a list of all configuration options see the role defaults [`roles/matrix-user-verification-service/defaults/main.yml`](../roles/custom/matrix-user-verification-service/defaults/main.yml). But be aware of all the plugging happening in `group_vars/matrix_servers`."
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:40
|
|
msgid "In the default configuration, the UVS Server is only reachable via the docker network, which is fine if e.g. Jitsi is also running in a container on the host. However, it is possible to expose UVS via setting `matrix_user_verification_service_container_http_host_bind_port`."
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:42
|
|
msgid "Obtain an access token"
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:44
|
|
msgid "The Synapse Access Token is used to verify RoomMembership and PowerLevel against `matrix_user_verification_service_uvs_homeserver_url`."
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:46
|
|
msgid "We recommend that you create a dedicated Matrix user for uvs (`uvs` is a good username). Follow our [Registering users](registering-users.md) guide to register a user with administration privileges."
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:48
|
|
msgid "You are required to specify an access token (belonging to this new user) for UVS to work. Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md)."
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:50
|
|
msgid "⚠️ **Warning**: Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone."
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:56
|
|
msgid "Custom Auth Token (optional)"
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:58
|
|
msgid "It is possible to set an API Auth Token to restrict access to the UVS. If this is enabled, anyone making a request to UVS must provide it via the header \"Authorization: Bearer TOKEN\""
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:60
|
|
msgid "By default, the token will be derived from `matrix_homeserver_generic_secret_key` in `group_vars/matrix_servers`."
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:62
|
|
msgid "To set your own Token, add the following configuration to your `vars.yml` file:"
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:68
|
|
msgid "In case Jitsi is also managed by this playbook and 'matrix' authentication in Jitsi is enabled, this collection will automatically configure Jitsi to use the configured auth token."
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:70
|
|
msgid "Disable Auth (optional)"
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:72
|
|
msgid "Authorization is enabled by default. To disable it, add the following configuration to your `vars.yml` file:"
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:78
|
|
msgid "Federation (optional)"
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:80
|
|
msgid "In theory (however currently untested), UVS can handle federation. To enable it, add the following configuration to your `vars.yml` file:"
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:86
|
|
msgid "This will instruct UVS to verify the OpenID token against any domain given in a request. Homeserver discovery is done via '.well-known/matrix/server' of the given domain."
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:88
|
|
msgid "Installing"
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:90
|
|
msgid "After configuring the playbook, run it with [playbook tags](playbook-tags.md) as below:"
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:97
|
|
msgid "The shortcut commands with the [`just` program](just.md) are also available: `just install-service matrix-user-verification-service` or `just setup-all`"
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:99
|
|
msgid "`just install-service matrix-user-verification-service` is useful for maintaining your setup quickly when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note `just setup-all` runs the `ensure-matrix-users-created` tag too."
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:101
|
|
msgid "Logging"
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:103
|
|
msgid "The configuration variable `UVS_LOG_LEVEL` can be set to:"
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:104
|
|
msgid "warning"
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:105
|
|
msgid "info"
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:106
|
|
msgid "debug"
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:108
|
|
msgid "TLS Certificate Checking"
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:110
|
|
msgid "If the Matrix Homeserver does not provide a valid TLS certificate, UVS will fail with the following error message:"
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:112
|
|
msgid "message: 'No response received: [object Object]',"
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:114
|
|
msgid "This also applies to self-signed and let's encrypt staging certificates."
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:116
|
|
msgid "To disable certificate validation altogether (INSECURE! Not suitable for production use!) set: `NODE_TLS_REJECT_UNAUTHORIZED=0`"
|
|
msgstr ""
|
|
|
|
#: ../../../docs/configuring-playbook-user-verification-service.md:118
|
|
msgid "Alternatively, it is possible to inject your own CA certificates into the container by mounting a PEM file with additional trusted CAs into the container and pointing the `NODE_EXTRA_CA_CERTS` environment variable to it."
|
|
msgstr ""
|