Update matrix-registration-bot, improve authentication config (#2723)

* Adjust to new mrb docker versioning

* Stabilze authentication

* fix lint

* Move & document mrb password usage

* Add clean cache role

* Document clean cache

* Fix lint

* Update CHANGELOG.md

* Automate access tokens

* Improve changelog

* Make use of mrb's function to fetch API tokens

* Adjust changelog

* Use ansible.builtin.file to clear directory

* Fix typo

---------

Co-authored-by: Slavi Pantaleev <slavi@devture.com>
This commit is contained in:
Julian-Samuel Gebühr 2023-07-24 12:57:06 +02:00 committed by GitHub
parent 856a328e96
commit 14f7eed932
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 83 additions and 38 deletions

View File

@ -1,3 +1,14 @@
# 2023-07-24
## matrix-registration-bot usage changed
[matrix-registration-bot](docs/configuring-playbook-bot-matrix-registration-bot.md) got some updates and now supports password-only-based login. Therefore the bot now doesn't need any manual configuration except setting a password in your `vars.yml`. The bot will be registered as admin and access tokens will be obtained automatically by the bot.
**For existing users** You need to set `matrix_bot_matrix_registration_bot_bot_password` if you previously only used `matrix_bot_matrix_registration_bot_bot_access_token`. Please also remove the following deprecated settings
* `matrix_bot_matrix_registration_bot_bot_access_token`
* `matrix_bot_matrix_registration_bot_api_token`
# 2023-07-21 # 2023-07-21
## mautrix-gmessages support ## mautrix-gmessages support

View File

@ -2,40 +2,30 @@
The playbook can install and configure [matrix-registration-bot](https://github.com/moan0s/matrix-registration-bot) for you. The playbook can install and configure [matrix-registration-bot](https://github.com/moan0s/matrix-registration-bot) for you.
The bot allows you to easily **create and manage registration tokens**. It can be used for an invitation-based server, The bot allows you to easily **create and manage registration tokens** aka. invitation codes.
where you invite someone by sending them a registration token. They can register as normal but have to provide a valid It can be used for an invitation-based server,
registration token in a final step of the registration. where you invite someone by sending them a registration token (loook like this: `rbalQ0zkaDSRQCOp`). They can register as normal but have to provide a valid registration token in a final step of the registration.
See the project's [documentation](https://github.com/moan0s/matrix-registration-bot#supported-commands) to learn what it See the project's [documentation](https://github.com/moan0s/matrix-registration-bot#supported-commands) to learn what it
does and why it might be useful to you. does and why it might be useful to you.
## Registering the bot user ## Configuration
By default, the playbook will set use the bot with a username like this: `@bot.matrix-registration-bot:DOMAIN`. To enable the bot, add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file:
(to use a different username, adjust the `matrix_bot_matrix_registration_bot_matrix_user_id_localpart` variable). For `matrix_bot_matrix_registration_bot_api_token`you need an access token with the permission to access the admin api. Access to the API is needed for all restricted actions of the bot (list, create etc..). Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md).
For [other bots supported by the playbook](configuring-playbook.md#bots), Matrix bot user accounts are created and put to use automatically. For `matrix-registration-bot`, however, this is not the case - you **need to register the bot user manually** before setting up the bot. You can use the playbook to [register a new user](registering-users.md):
```
ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.matrix-registration-bot password=PASSWORD_FOR_THE_BOT admin=yes' --tags=register-user
```
Choose a strong password for the bot. You can generate a good password with a command like this: `pwgen -s 64 1`.
## Obtaining an admin access token
In order to use the bot you need to add an admin user's access token token to the configuration. Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md).
## Adjusting the playbook configuration
Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file:
```yaml ```yaml
matrix_bot_matrix_registration_bot_enabled: true matrix_bot_matrix_registration_bot_enabled: true
# Token obtained via logging into the bot account (see above)
matrix_bot_matrix_registration_bot_bot_access_token: "syt_bW9hbm9z_XXXXXXXXXXXXXr_2kuzbE" #By default, the playbook will set use the bot with a username like
## this: `@bot.matrix-registration-bot:DOMAIN`.
# To use a different username, uncomment & adjust the variable.
# matrix_bot_matrix_registration_bot_matrix_user_id_localpart: bot.matrix-registration-bot
# Generate a strong password here. Consider generating it with `pwgen -s 64 1`
matrix_bot_matrix_registration_bot_password: PASSWORD_FOR_THE_BOT
# Enables registration # Enables registration
matrix_synapse_enable_registration: true matrix_synapse_enable_registration: true
@ -44,6 +34,7 @@ matrix_synapse_enable_registration: true
matrix_synapse_registration_requires_token: true matrix_synapse_registration_requires_token: true
``` ```
The bot account will be automatically created.
## Installing ## Installing
@ -56,10 +47,16 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
## Usage ## Usage
To use the bot, create a **non-encrypted** room and invite `@bot.matrix-registration-bot:DOMAIN` (where `DOMAIN` is your base domain, not the `matrix.` domain). To use the bot, message `@bot.matrix-registration-bot:DOMAIN` (where `DOMAIN` is your base domain, not the `matrix.` domain).
In this room send `help` and the bot will reply with all options. In this room send `help` and the bot will reply with all options.
You can also refer to the upstream [Usage documentation](https://github.com/moan0s/matrix-registration-bot#supported-commands). You can also refer to the upstream [Usage documentation](https://github.com/moan0s/matrix-registration-bot#supported-commands).
If you have any questions, or if you need help setting it up, read the [troublshooting guide](https://github.com/moan0s/matrix-registration-bot/blob/main/docs/troubleshooting.md) If you have any questions, or if you need help setting it up, read the [troublshooting guide](https://github.com/moan0s/matrix-registration-bot/blob/main/docs/troubleshooting.md)
or join [#matrix-registration-bot:hyteck.de](https://matrix.to/#/#matrix-registration-bot:hyteck.de). or join [#matrix-registration-bot:hyteck.de](https://matrix.to/#/#matrix-registration-bot:hyteck.de).
To clean the cache (session&encryption data) after you changed the bot's username, changed the login methon form access_token to password etc.. you can use
```bash
just run-tags bot-matrix-registration-bot-clean-cache
```

View File

@ -4123,6 +4123,12 @@ matrix_conduit_systemd_required_services_list: |
matrix_user_creator_users_auto: | matrix_user_creator_users_auto: |
{{ {{
([{
'username': matrix_bot_matrix_registration_bot_matrix_user_id_localpart,
'initial_password': matrix_bot_matrix_registration_bot_bot_password,
'initial_type': 'admin',
}] if matrix_bot_matrix_registration_bot_enabled else [])
+
([{ ([{
'username': matrix_bot_matrix_reminder_bot_matrix_user_id_localpart, 'username': matrix_bot_matrix_reminder_bot_matrix_user_id_localpart,
'initial_password': matrix_bot_matrix_reminder_bot_matrix_user_password, 'initial_password': matrix_bot_matrix_reminder_bot_matrix_user_password,

View File

@ -8,8 +8,10 @@ matrix_bot_matrix_registration_bot_docker_repo: "https://github.com/moan0s/matri
matrix_bot_matrix_registration_bot_docker_repo_version: "{{ matrix_bot_matrix_registration_bot_version if matrix_bot_matrix_registration_bot_version != 'latest' else 'main' }}" matrix_bot_matrix_registration_bot_docker_repo_version: "{{ matrix_bot_matrix_registration_bot_version if matrix_bot_matrix_registration_bot_version != 'latest' else 'main' }}"
matrix_bot_matrix_registration_bot_docker_src_files_path: "{{ matrix_bot_matrix_registration_bot_base_path }}/docker-src" matrix_bot_matrix_registration_bot_docker_src_files_path: "{{ matrix_bot_matrix_registration_bot_base_path }}/docker-src"
matrix_bot_matrix_registration_bot_version: latest matrix_bot_matrix_registration_bot_version: 1.3.0
matrix_bot_matrix_registration_bot_docker_image: "{{ matrix_container_global_registry_prefix }}moanos/matrix-registration-bot:{{ matrix_bot_matrix_registration_bot_version }}" matrix_bot_matrix_registration_bot_docker_iteration: 0
matrix_bot_matrix_registration_bot_docker_tag: "{{ matrix_bot_matrix_registration_bot_version }}-{{ matrix_bot_matrix_registration_bot_docker_iteration}}"
matrix_bot_matrix_registration_bot_docker_image: "{{ matrix_container_global_registry_prefix }}moanos/matrix-registration-bot:{{ matrix_bot_matrix_registration_bot_docker_tag }}"
matrix_bot_matrix_registration_bot_docker_image_force_pull: "{{ matrix_bot_matrix_registration_bot_docker_image.endswith(':latest') }}" matrix_bot_matrix_registration_bot_docker_image_force_pull: "{{ matrix_bot_matrix_registration_bot_docker_image.endswith(':latest') }}"
matrix_bot_matrix_registration_bot_base_path: "{{ matrix_base_data_path }}/matrix-registration-bot" matrix_bot_matrix_registration_bot_base_path: "{{ matrix_base_data_path }}/matrix-registration-bot"
@ -19,15 +21,15 @@ matrix_bot_matrix_registration_bot_data_path: "{{ matrix_bot_matrix_registration
matrix_bot_matrix_registration_bot_bot_server: "https://{{ matrix_server_fqn_matrix }}" matrix_bot_matrix_registration_bot_bot_server: "https://{{ matrix_server_fqn_matrix }}"
matrix_bot_matrix_registration_bot_api_base_url: "https://{{ matrix_server_fqn_matrix }}" matrix_bot_matrix_registration_bot_api_base_url: "https://{{ matrix_server_fqn_matrix }}"
# The access token that the bot uses to communicate in Matrix chats
# This does not necessarily need to be a privileged (admin) access token.
matrix_bot_matrix_registration_bot_bot_access_token: ''
# The access token that the bot uses to call the Matrix API for creating registration tokens. # The bot's password (can also be used to login via a client like element)
# This needs to be a privileged (admin) access token. matrix_bot_matrix_registration_bot_bot_password: ''
# By default, we assume `matrix_bot_matrix_registration_bot_bot_access_token` is such a privileged token and we use it as is.
# If necessary, you can define your own other access token here, which might even be for a different Matrix user. # Optional variable that only needs to be set if the bot account is not admin
matrix_bot_matrix_registration_bot_api_token: "{{ matrix_bot_matrix_registration_bot_bot_access_token }}" # Needs to be a valid access token of an admin account
matrix_bot_matrix_registration_bot_api_token: ''
matrix_bot_matrix_registration_bot_device_id: "matrix-docker-ansible-deploy"
matrix_bot_matrix_registration_bot_logging_level: info matrix_bot_matrix_registration_bot_logging_level: info
matrix_bot_matrix_registration_environment_variables_extension: '' matrix_bot_matrix_registration_environment_variables_extension: ''

View File

@ -0,0 +1,12 @@
---
- name: Delete cache files
ansible.builtin.file:
state: "{{ item }}"
path: "{{ matrix_bot_matrix_registration_bot_data_path }}"
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- absent
- directory

View File

@ -18,3 +18,9 @@
block: block:
- when: not matrix_bot_matrix_registration_bot_enabled | bool - when: not matrix_bot_matrix_registration_bot_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
- tags:
- bot-matrix-registration-bot-clean-cache
block:
- when: matrix_bot_matrix_registration_bot_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/clean_cache.yml"

View File

@ -9,7 +9,7 @@
group: "{{ matrix_user_groupname }}" group: "{{ matrix_user_groupname }}"
with_items: with_items:
- {path: "{{ matrix_bot_matrix_registration_bot_config_path }}", when: true} - {path: "{{ matrix_bot_matrix_registration_bot_config_path }}", when: true}
- - {path: "{{ matrix_bot_matrix_registration_bot_data_path }}", when: true} - {path: "{{ matrix_bot_matrix_registration_bot_data_path }}", when: true}
- {path: "{{ matrix_bot_matrix_registration_bot_docker_src_files_path }}", when: true} - {path: "{{ matrix_bot_matrix_registration_bot_docker_src_files_path }}", when: true}
when: "item.when | bool" when: "item.when | bool"

View File

@ -5,6 +5,13 @@
msg: >- msg: >-
You need to define a required configuration setting (`{{ item }}`). You need to define a required configuration setting (`{{ item }}`).
when: "vars[item] == ''" when: "vars[item] == ''"
with_items:
- "matrix_bot_matrix_registration_bot_bot_password"
- name: (Deprecation) Catch and report old settings
ansible.builtin.fail:
msg: >-
Your configuration contains a variable, which is deprecated - Please check the documentation on how to configure the matrix-registration-bot.
when: "item in vars"
with_items: with_items:
- "matrix_bot_matrix_registration_bot_bot_access_token" - "matrix_bot_matrix_registration_bot_bot_access_token"
- "matrix_bot_matrix_registration_bot_api_token"

View File

@ -1,12 +1,16 @@
bot: bot:
server: {{ matrix_bot_matrix_registration_bot_bot_server|to_json }} server: {{ matrix_bot_matrix_registration_bot_bot_server|to_json }}
username: {{ matrix_bot_matrix_registration_bot_matrix_user_id_localpart|to_json }} username: {{ matrix_bot_matrix_registration_bot_matrix_user_id_localpart|to_json }}
access_token: {{ matrix_bot_matrix_registration_bot_bot_access_token|to_json }} password: {{ matrix_bot_matrix_registration_bot_bot_password|to_json }}
api: api:
# API endpoint of the registration tokens # API endpoint of the registration tokens
base_url: {{ matrix_bot_matrix_registration_bot_api_base_url|to_json }} base_url: {{ matrix_bot_matrix_registration_bot_api_base_url|to_json }}
# Access token of an administrator on the server # Access token of an administrator on the server
{% if matrix_bot_matrix_registration_bot_api_token | length > 0 %}
token: {{ matrix_bot_matrix_registration_bot_api_token|to_json }} token: {{ matrix_bot_matrix_registration_bot_api_token|to_json }}
{% endif %}
logging: logging:
level: {{ matrix_bot_matrix_registration_bot_logging_level|to_json }} level: {{ matrix_bot_matrix_registration_bot_logging_level|to_json }}