Add the ability to update user passwords with ansible (when using the matrix-postgres container).
parent
1495be1e0e
commit
134faa3139
@ -12,6 +12,8 @@
|
|||||||
|
|
||||||
- [Registering users](registering-users.md)
|
- [Registering users](registering-users.md)
|
||||||
|
|
||||||
|
- [Updating users passwords](updating-users-passwords.md)
|
||||||
|
|
||||||
- [Configuring service discovery via .well-known](configuring-well-known.md)
|
- [Configuring service discovery via .well-known](configuring-well-known.md)
|
||||||
|
|
||||||
- [Maintenance / checking if services work](maintenance-checking-services.md)
|
- [Maintenance / checking if services work](maintenance-checking-services.md)
|
||||||
|
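--- a/docs/updating-users-passwords.md
+++ b/docs/updating-users-passwords.md
@@ -0,0 +1,19 @@
+# Updating users passwords
+
+If you are using the matrix-postgres container(default), you can do it via this Ansible playbook (make sure to edit the `<your-username>` and `<your-password>` part below):
+
+ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=<your-username> password=<your-password>' --tags=update-user-password
+
+**Note**: `<your-username>` is just a plain username (like `john`), not your full `@<username>:<your-domain>` identifier.
+
+**You can then log in with that user** via the riot-web service that this playbook has created for you at a URL like this: `https://riot.<domain>/`.
+
+If you are NOT using the matrix-postgres container, you can generate the password hash by using the command-line after **SSH**-ing to your server (requires that [all services have been started](#starting-the-services)):
+
+docker exec -it matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml
+
+and then connecting to the postgres server and executing:
+
+UPDATE users SET password_hash = '<password-hash>' WHERE name = '@someone:server.com'
+
+where `<password-hash>` is the hash returned by the docker command above.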
@ -48,6 +48,7 @@ run_import_postgres: true
|
|||||||
run_upgrade_postgres: true
|
run_upgrade_postgres: true
|
||||||
run_start: true
|
run_start: true
|
||||||
run_register_user: true
|
run_register_user: true
|
||||||
|
run_update_user_password: true
|
||||||
run_import_sqlite_db: true
|
run_import_sqlite_db: true
|
||||||
run_import_media_store: true
|
run_import_media_store: true
|
||||||
run_self_check: true
|
run_self_check: true
|
||||||
|
@ -25,6 +25,7 @@
|
|||||||
- docker-python
|
- docker-python
|
||||||
- ntp
|
- ntp
|
||||||
- fuse
|
- fuse
|
||||||
|
- expect
|
||||||
state: latest
|
state: latest
|
||||||
update_cache: yes
|
update_cache: yes
|
||||||
when: ansible_distribution == 'CentOS'
|
when: ansible_distribution == 'CentOS'
|
||||||
@ -62,6 +63,7 @@
|
|||||||
- python-docker
|
- python-docker
|
||||||
- ntp
|
- ntp
|
||||||
- fuse
|
- fuse
|
||||||
|
- expect
|
||||||
state: latest
|
state: latest
|
||||||
update_cache: yes
|
update_cache: yes
|
||||||
when: ansible_os_family == 'Debian'
|
when: ansible_os_family == 'Debian'
|
||||||
|
@ -123,3 +123,10 @@
|
|||||||
debug:
|
debug:
|
||||||
msg: "Note: You are not using a local PostgreSQL database, but some old data remains from before in `{{ matrix_postgres_data_path }}`. Feel free to delete it."
|
msg: "Note: You are not using a local PostgreSQL database, but some old data remains from before in `{{ matrix_postgres_data_path }}`. Feel free to delete it."
|
||||||
when: "not matrix_postgres_enabled and matrix_postgres_data_path_stat.stat.exists"
|
when: "not matrix_postgres_enabled and matrix_postgres_data_path_stat.stat.exists"
|
||||||
|
|
||||||
|
- name: Ensure matrix-postgres-update-user-password-hash script created
|
||||||
|
template:
|
||||||
|
src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2"
|
||||||
|
dest: "/usr/local/bin/matrix-postgres-update-user-password-hash"
|
||||||
|
mode: 0750
|
||||||
|
when: matrix_postgres_enabled
|
@ -0,0 +1,15 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
if [ $# -ne 2 ]; then
|
||||||
|
echo "Usage: "$0" <username> <password_hash>"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
docker run \
|
||||||
|
--rm \
|
||||||
|
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
||||||
|
--cap-drop=ALL \
|
||||||
|
--env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
|
||||||
|
--network {{ matrix_docker_network }} \
|
||||||
|
{{ matrix_postgres_docker_image_to_use }} \
|
||||||
|
psql -h {{ matrix_postgres_connection_hostname }} -c "UPDATE users set password_hash='$2' WHERE name = '@$1:{{ matrix_domain }}'"
|
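Review bot: The `psql -c` line splices `$1` and `$2` straight into the SQL text, so a quote character in either argument changes the statement that runs against the `users` table, and nothing in the script checks the values first. The playbook task that calls this script takes `username` from `--extra-vars`, and no validation of it is visible in this commit. Since `psql -c` does not interpolate psql variables, the smallest fix is to reject anything outside the expected alphabets before the `docker run`, as sketched below; the character classes assume lowercase Matrix localparts and bcrypt-style hashes and should be confirmed against the deployment. The usage line would also read better as `echo "Usage: $0 <username> <password_hash>" >&2`.

```shell
# … unchanged: shebang and argument-count check …

# Refuse values that could alter the SQL statement below.
username_re='^[a-z0-9._=/-]+$'
hash_re='^[A-Za-z0-9./$]+$'
if ! [[ "$1" =~ $username_re ]]; then
	echo "Invalid username: only a-z, 0-9 and ._=/- are accepted" >&2
	exit 1
fi
if ! [[ "$2" =~ $hash_re ]]; then
	echo "Invalid password hash format" >&2
	exit 1
fi

# … unchanged: docker run … psql -c "UPDATE users …" …
```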
@ -37,3 +37,8 @@
|
|||||||
when: run_self_check
|
when: run_self_check
|
||||||
tags:
|
tags:
|
||||||
- self-check
|
- self-check
|
||||||
|
|
||||||
|
- import_tasks: "{{ role_path }}/tasks/update_user_password.yml"
|
||||||
|
when: run_update_user_password
|
||||||
|
tags:
|
||||||
|
- update-user-password
|
@ -79,3 +79,9 @@
|
|||||||
dest: "/usr/local/bin/matrix-synapse-register-user"
|
dest: "/usr/local/bin/matrix-synapse-register-user"
|
||||||
mode: 0750
|
mode: 0750
|
||||||
|
|
||||||
|
- name: Ensure matrix-synapse-generate-password-hash script created
|
||||||
|
template:
|
||||||
|
src: "{{ role_path }}/templates/synapse/usr-local-bin/matrix-synapse-generate-password-hash.j2"
|
||||||
|
dest: "/usr/local/bin/matrix-synapse-generate-password-hash"
|
||||||
|
mode: 0750
|
||||||
|
|
||||||
|
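--- a/roles/matrix-synapse/tasks/update_user_password.yml
+++ b/roles/matrix-synapse/tasks/update_user_password.yml
@@ -0,0 +1,48 @@
+---
+
+- name: Fail if playbook called incorrectly
+fail:
+msg: "The `username` variable needs to be provided to this playbook, via --extra-vars"
+when: "username is not defined or username == '<your-username>'"
+
+- name: Fail if playbook called incorrectly
+fail:
+msg: "The `password` variable needs to be provided to this playbook, via --extra-vars"
+when: "password is not defined or password == '<your-password>'"
+
+- name: Fail if not using matrix-postgres container
+fail:
+msg: "This command is working only when matrix-postgres container is being used"
+when: "not matrix_postgres_enabled"
+
+- name: Ensure matrix-synapse is started
+service:
+name: matrix-synapse
+state: started
+daemon_reload: yes
+register: start_result
+
+- name: Ensure matrix-postgres is started
+service:
+name: matrix-postgres
+state: started
+daemon_reload: yes
+register: postgres_start_result
+
+
+- name: Wait a while, so that Matrix Synapse can manage to start
+pause:
+seconds: 7
+when: start_result.changed
+
+- name: Wait a while, so that Matrix Postgres can manage to start
+pause:
+seconds: 7
+when: postgres_start_result.changed
+
+- name: Generate password hash
+shell: "/usr/local/bin/matrix-synapse-generate-password-hash {{ password }}"
+register: password_hash
+
+- name: Update user password hash
+shell: "/usr/local/bin/matrix-postgres-update-user-password-hash {{ username }} '{{ password_hash.stdout }}'"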
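Review bot: Both `shell:` tasks at the end interpolate `{{ password }}` and `{{ username }}` into a shell command line without quoting, so a password containing spaces or shell metacharacters is split or interpreted by the shell rather than hashed as given. Piping the values through the `quote` filter closes that: `shell: "/usr/local/bin/matrix-synapse-generate-password-hash {{ password | quote }}"`, and likewise `{{ username | quote }}` and `{{ password_hash.stdout | quote }}` (replacing the hand-written single quotes) in the last task. Adding `no_log: true` to both tasks would keep the plaintext password and the resulting hash out of Ansible's task output and logs. The first two tasks also share the name `Fail if playbook called incorrectly`; distinct names would make a failed run easier to read.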
@ -0,0 +1,31 @@
|
|||||||
|
#!/usr/bin/env expect
|
||||||
|
|
||||||
|
# Read the password string
|
||||||
|
set pass [lindex $argv 0]
|
||||||
|
|
||||||
|
# Check if password was provided
|
||||||
|
if { $pass == "" } {
|
||||||
|
puts "Usage: $argv0 <password>"
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|
||||||
|
# Disable output
|
||||||
|
log_user 0
|
||||||
|
|
||||||
|
# Execute password hashing script
|
||||||
|
spawn docker exec -it matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml
|
||||||
|
expect "Password: "
|
||||||
|
send "$pass\r"
|
||||||
|
expect "Confirm password: "
|
||||||
|
send "$pass\r"
|
||||||
|
expect "%"
|
||||||
|
|
||||||
|
# Save the hash output to a variable
|
||||||
|
set output $expect_out(buffer)
|
||||||
|
|
||||||
|
# Trim the whitespace
|
||||||
|
regexp {\S+} $output passwordHash
|
||||||
|
|
||||||
|
# Output the password hash
|
||||||
|
puts -nonewline stdout $passwordHash
|
||||||
|
close stdout
|
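Review bot: Nothing after `spawn` checks that hashing succeeded: the `expect` calls have no timeout or eof branch, and `regexp {\S+} $output passwordHash` takes the first non-blank token of whatever was printed. If `docker exec` fails or the prompts differ, that token may be part of an error message, and the calling playbook would then store it as the user's `password_hash`, presumably leaving the account unable to log in. Waiting with `expect eof` instead of `expect "%"` and guarding the match, `if {![regexp {\S+} $output passwordHash]} { puts stderr "no hash produced"; exit 1 }`, would make the failure visible; also checking that the token starts with the expected hash prefix would be stronger. The password is taken from `argv`, so it is visible in the host's process list while the script runs.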