diff --git a/docs/configuring-playbook-matrix-authentication-service.md b/docs/configuring-playbook-matrix-authentication-service.md index 42c52b9c9..ba3c43b8c 100644 --- a/docs/configuring-playbook-matrix-authentication-service.md +++ b/docs/configuring-playbook-matrix-authentication-service.md @@ -157,6 +157,10 @@ matrix_authentication_service_config_upstream_oauth2_providers: - # A unique identifier for the provider # Must be a valid ULID id: 01HFVBY12TMNTYTBV8W921M5FA + # This can be set if you're migrating an existing (legacy) Synapse OIDC configuration. + # The value used here would most likely be "oidc" or "oidc-provider". + # See: https://element-hq.github.io/matrix-authentication-service/setup/migration.html#map-any-upstream-sso-providers + synapse_idp_id: null # The issuer URL, which will be used to discover the provider's configuration. # If discovery is enabled, this *must* exactly match the `issuer` field # advertised in `/.well-known/openid-configuration`. @@ -304,7 +308,7 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start Our migration guide is loosely based on the upstream [Migrating an existing homeserver](https://element-hq.github.io/matrix-authentication-service/setup/migration.html) guide. -Migration is done via a tool called `syn2mas`, which the playbook could run for you (in a container). +Migration is done via a sub-command called `syn2mas`, which the playbook could run for you (in a container). The installation + migration steps are like this: 
@@ -320,7 +324,7 @@ The installation + migration steps are like this: - The `matrix-user-creator` role would be suppressed, so that it doesn't automatically attempt to create users (for bots, etc.) in the MAS database. These user accounts likely already exist in Synapse's user database and could be migrated over (via syn2mas, as per the steps below), so creating them in the MAS database would have been unnecessary and potentially problematic (conflicts during the syn2mas migration). -3. Consider taking a full [backup of your Postgres database](./maintenance-postgres.md#backing-up-postgresql). This is done just in case. The **syn2mas migration tool does not delete any data**, so it should be possible to revert to your previous setup by merely disabling MAS and re-running the playbook (no need to restore a Postgres backup). However, do note that as users start logging in (creating new login sessions) via the new MAS setup, disabling MAS and reverting back to the Synapse user database will cause these new sessions to break. +3. Consider taking a full [backup of your Postgres database](./maintenance-postgres.md#backing-up-postgresql). This is done just in case. The **syn2mas migration command does not delete any data**, so it should be possible to revert to your previous setup by merely disabling MAS and re-running the playbook (no need to restore a Postgres backup). However, do note that as users start logging in (creating new login sessions) via the new MAS setup, disabling MAS and reverting back to the Synapse user database will cause these new sessions to break. 4. [Migrate your data from Synapse to Matrix Authentication Service using syn2mas](#migrate-your-data-from-synapse-to-matrix-authentication-service-using-syn2mas) 
@@ -340,9 +344,7 @@ The installation + migration steps are like this: ### Migrate your data from Synapse to Matrix Authentication Service using syn2mas -We **don't** ask you to [run the `syn2mas` migration advisor command](https://element-hq.github.io/matrix-authentication-service/setup/migration.html#run-the-migration-advisor), because it only gives you the green light if your Synapse configuration (`homeserver.yaml`) is configured in a way that's compatible with MAS (delegating authentication to MAS; disabling Synapse's password config; etc.). Until we migrate your data with the `syn2mas` tool, we intentionally avoid doing these changes to allow existing user sessions to work. - -You can invoke the `syn2mas` tool via the playbook by running the playbook's `matrix-authentication-service-syn2mas` tag. We recommend first doing a [dry-run](#performing-a-syn2mas-dry-run) and then a [real migration](#performing-a-real-syn2mas-migration). +You can invoke the `syn2mas` tool via the playbook by running the playbook's `matrix-authentication-service-mas-cli-syn2mas` tag. We recommend first doing a [dry-run](#performing-a-syn2mas-dry-run) and then a [real migration](#performing-a-real-syn2mas-migration). #### Configuring syn2mas 
@@ -354,26 +356,9 @@ When you're done with potentially configuring `syn2mas`, proceed to doing a [dry ##### Configuring upstream OIDC provider mapping for syn2mas -If you have existing OIDC users in your Synapse user database (which will be the case if when using [OIDC with Synapse](./configuring-playbook-synapse.md#synapse--openid-connect-for-single-sign-on)), you may need to pass an additional `--upstreamProviderMapping` argument to the `syn2mas` tool to tell it which provider (on the Synapse side) maps to which other provider on the MAS side. +Since Matrix Authentication Service v0.16.0 (which replaced the standalone `syn2mas` tool with a `mas-cli syn2mas` sub-command), OIDC configuration (mapping from your old OIDC configuration to your new one, etc) is meant to be configured in the Matrix Authentication Service configuration (via `matrix_authentication_service_config_upstream_oauth2_providers`) as a `synapse_idp_id` property for each provider. -If you don't do this, `syn2mas` would report errors like this one: - -> [FATAL] migrate - [Failed to import external id 4264b0f0-4f11-4ddd-aedb-b500e4d07c25 with oidc-keycloak for user @alice:example.com: Error: Unknown upstream provider oidc-keycloak] - -Below is an example situation and a guide for how to solve it. - -If in `matrix_synapse_oidc_providers` your provider `idp_id` is (was) named `keycloak`, in the Synapse database users would be associated with the `oidc-keycloak` provider (note the `oidc-` prefix that was added automatically by Synapse to your `idp_id` value). - -The same OIDC provider may have an `id` of `01HFVBY12TMNTYTBV8W921M5FA` on the MAS side, as defined in `matrix_authentication_service_config_upstream_oauth2_providers` (see the [Upstream OAuth2 configuration](#upstream-oauth2-configuration) section above). 
- -To tell `syn2mas` how the Synapse-configured OIDC provider maps to the new MAS-configured OIDC provider, add this additional configuration to your `vars.yml` file: - -```yaml -# Adjust the mapping below to match your provider IDs on the Synapse side and the MAS side. -# Don't forget that Synapse automatically adds an `oidc-` prefix to provider ids defined in its configuration. -matrix_authentication_service_syn2mas_process_extra_arguments: - - "--upstreamProviderMapping oidc-keycloak:01HFVBY12TMNTYTBV8W921M5FA" -``` +You can refer to the [Map any upstream SSO providers](https://element-hq.github.io/matrix-authentication-service/setup/migration.html#map-any-upstream-sso-providers) section of the MAS documentation for figuring out how to set the `synapse_idp_id` value in `matrix_authentication_service_config_upstream_oauth2_providers` correctly. #### Performing a syn2mas dry-run @@ -384,7 +369,7 @@ A dry-run would not cause downtime, because it avoids stopping Synapse. To perform a dry-run, run: ```sh -just run-tags matrix-authentication-service-syn2mas -e matrix_authentication_service_syn2mas_dry_run=true +just run-tags matrix-authentication-service-mas-cli-syn2mas -e matrix_authentication_service_syn2mas_migrate_dry_run=true ``` Observe the command output (especially the last line of the the syn2mas output). If you are confident that the migration will work out as expected, you can proceed with a [real migration](#performing-a-real-syn2mas-migration). 
@@ -403,13 +388,13 @@ Before performing a real migration make sure: - you've performed a [syn2mas dry-run](#performing-a-syn2mas-dry-run) and don't see any issues in its output -To perform a real migration, run the `matrix-authentication-service-syn2mas` tag **without** the `matrix_authentication_service_syn2mas_dry_run` variable: +To perform a real migration, run the `matrix-authentication-service-mas-cli-syn2mas` tag **without** the `matrix_authentication_service_syn2mas_migrate_dry_run` variable: ```sh -just run-tags matrix-authentication-service-syn2mas +just run-tags matrix-authentication-service-mas-cli-syn2mas ``` -Having performed a `syn2mas` migration once, trying to do it again will report errors for users that were already migrated (e.g. "Error: Unknown upstream provider oauth-delegated"). +Having performed a `syn2mas` migration once, trying to do it again will report errors (e.g. "Error: The MAS database is not empty: rows found in at least `users`. Please drop and recreate the database, then try again."). ## Verify that Matrix Authentication Service is installed correctly diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index b2c2b82a1..a62a2f387 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -688,8 +688,6 @@ matrix_authentication_service_config_email_from_address: "{{ exim_relay_sender_a matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_authentication_service_container_image_registry_prefix_upstream_default }}" -matrix_authentication_service_syn2mas_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_authentication_service_syn2mas_container_image_registry_prefix_upstream_default }}" - matrix_authentication_service_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" matrix_authentication_service_container_network: "{{ matrix_homeserver_container_network }}" diff --git a/i18n/locales/bg/LC_MESSAGES/docs/configuring-playbook-matrix-authentication-service.po b/i18n/locales/bg/LC_MESSAGES/docs/configuring-playbook-matrix-authentication-service.po index 0b1dda626..554766af6 100644 --- a/i18n/locales/bg/LC_MESSAGES/docs/configuring-playbook-matrix-authentication-service.po +++ b/i18n/locales/bg/LC_MESSAGES/docs/configuring-playbook-matrix-authentication-service.po 
@@ -435,7 +435,7 @@ msgid "We **don't** ask you to [run the `syn2mas` migration advisor command](htt msgstr "" #: ../../../docs/configuring-playbook-matrix-authentication-service.md:340 -msgid "You can invoke the `syn2mas` tool via the playbook by running the playbook's `matrix-authentication-service-syn2mas` tag. We recommend first doing a [dry-run](#performing-a-syn2mas-dry-run) and then a [real migration](#performing-a-real-syn2mas-migration)." +msgid "You can invoke the `syn2mas` tool via the playbook by running the playbook's `matrix-authentication-service-mas-cli-syn2mas` tag. We recommend first doing a [dry-run](#performing-a-syn2mas-dry-run) and then a [real migration](#performing-a-real-syn2mas-migration)." msgstr "" #: ../../../docs/configuring-playbook-matrix-authentication-service.md:342 @@ -535,7 +535,7 @@ msgid "you've performed a [syn2mas dry-run](#performing-a-syn2mas-dry-run) and d msgstr "" #: ../../../docs/configuring-playbook-matrix-authentication-service.md:401 -msgid "To perform a real migration, run the `matrix-authentication-service-syn2mas` tag **without** the `matrix_authentication_service_syn2mas_dry_run` variable:" +msgid "To perform a real migration, run the `matrix-authentication-service-mas-cli-syn2mas` tag **without** the `matrix_authentication_service_syn2mas_migrate_dry_run` variable:" msgstr "" #: ../../../docs/configuring-playbook-matrix-authentication-service.md:407 diff --git a/i18n/locales/jp/LC_MESSAGES/docs/configuring-playbook-matrix-authentication-service.po b/i18n/locales/jp/LC_MESSAGES/docs/configuring-playbook-matrix-authentication-service.po index 776945591..84baf5f02 100644 --- a/i18n/locales/jp/LC_MESSAGES/docs/configuring-playbook-matrix-authentication-service.po +++ b/i18n/locales/jp/LC_MESSAGES/docs/configuring-playbook-matrix-authentication-service.po 
@@ -434,7 +434,7 @@ msgid "We **don't** ask you to [run the `syn2mas` migration advisor command](htt msgstr "" #: ../../../docs/configuring-playbook-matrix-authentication-service.md:340 -msgid "You can invoke the `syn2mas` tool via the playbook by running the playbook's `matrix-authentication-service-syn2mas` tag. We recommend first doing a [dry-run](#performing-a-syn2mas-dry-run) and then a [real migration](#performing-a-real-syn2mas-migration)." +msgid "You can invoke the `syn2mas` tool via the playbook by running the playbook's `matrix-authentication-service-mas-cli-syn2mas` tag. We recommend first doing a [dry-run](#performing-a-syn2mas-dry-run) and then a [real migration](#performing-a-real-syn2mas-migration)." msgstr "" #: ../../../docs/configuring-playbook-matrix-authentication-service.md:342 @@ -534,7 +534,7 @@ msgid "you've performed a [syn2mas dry-run](#performing-a-syn2mas-dry-run) and d msgstr "" #: ../../../docs/configuring-playbook-matrix-authentication-service.md:401 -msgid "To perform a real migration, run the `matrix-authentication-service-syn2mas` tag **without** the `matrix_authentication_service_syn2mas_dry_run` variable:" +msgid "To perform a real migration, run the `matrix-authentication-service-mas-cli-syn2mas` tag **without** the `matrix_authentication_service_syn2mas_migrate_dry_run` variable:" msgstr "" #: ../../../docs/configuring-playbook-matrix-authentication-service.md:407 diff --git a/i18n/translation-templates/docs/configuring-playbook-matrix-authentication-service.pot b/i18n/translation-templates/docs/configuring-playbook-matrix-authentication-service.pot index 3e94a3a36..da5f99e98 100644 --- a/i18n/translation-templates/docs/configuring-playbook-matrix-authentication-service.pot +++ b/i18n/translation-templates/docs/configuring-playbook-matrix-authentication-service.pot 
@@ -430,7 +430,7 @@ msgid "We **don't** ask you to [run the `syn2mas` migration advisor command](htt msgstr "" #: ../../../docs/configuring-playbook-matrix-authentication-service.md:340 -msgid "You can invoke the `syn2mas` tool via the playbook by running the playbook's `matrix-authentication-service-syn2mas` tag. We recommend first doing a [dry-run](#performing-a-syn2mas-dry-run) and then a [real migration](#performing-a-real-syn2mas-migration)." +msgid "You can invoke the `syn2mas` tool via the playbook by running the playbook's `matrix-authentication-service-mas-cli-syn2mas` tag. We recommend first doing a [dry-run](#performing-a-syn2mas-dry-run) and then a [real migration](#performing-a-real-syn2mas-migration)." msgstr "" #: ../../../docs/configuring-playbook-matrix-authentication-service.md:342 @@ -530,7 +530,7 @@ msgid "you've performed a [syn2mas dry-run](#performing-a-syn2mas-dry-run) and d msgstr "" #: ../../../docs/configuring-playbook-matrix-authentication-service.md:401 -msgid "To perform a real migration, run the `matrix-authentication-service-syn2mas` tag **without** the `matrix_authentication_service_syn2mas_dry_run` variable:" +msgid "To perform a real migration, run the `matrix-authentication-service-mas-cli-syn2mas` tag **without** the `matrix_authentication_service_syn2mas_migrate_dry_run` variable:" msgstr "" #: ../../../docs/configuring-playbook-matrix-authentication-service.md:407 diff --git a/roles/custom/matrix-authentication-service/defaults/main.yml b/roles/custom/matrix-authentication-service/defaults/main.yml index ba9ccd662..45981618d 100644 --- a/roles/custom/matrix-authentication-service/defaults/main.yml +++ b/roles/custom/matrix-authentication-service/defaults/main.yml 
@@ -22,7 +22,7 @@ matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authe matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src" # renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service -matrix_authentication_service_version: 0.15.0 +matrix_authentication_service_version: 0.16.0 matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}" matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}" matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/" 
@@ -559,29 +559,34 @@ matrix_authentication_service_container_labels_additional_labels: '' matrix_authentication_service_syn2mas_start_wait_time_seconds: 5 -matrix_authentication_service_syn2mas_dry_run: false +# The syn2mas sub-command to run. +# Valid values: migrate, check +matrix_authentication_service_syn2mas_subcommand: migrate -# renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service/syn2mas -matrix_authentication_service_syn2mas_version: 0.15.0 -matrix_authentication_service_syn2mas_container_image: "{{ matrix_authentication_service_syn2mas_container_image_registry_prefix }}element-hq/matrix-authentication-service/syn2mas:{{ matrix_authentication_service_syn2mas_version }}" -matrix_authentication_service_syn2mas_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_syn2mas_container_image_registry_prefix_upstream }}" -matrix_authentication_service_syn2mas_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_syn2mas_container_image_registry_prefix_upstream_default }}" -matrix_authentication_service_syn2mas_container_image_registry_prefix_upstream_default: ghcr.io/ -matrix_authentication_service_syn2mas_container_image_force_pull: "{{ matrix_authentication_service_syn2mas_container_image.endswith(':latest') }}" - -matrix_authentication_service_syn2mas_container_image_self_build: "{{ matrix_authentication_service_container_image_self_build }}" - -matrix_authentication_service_syn2mas_container_network: "{{ matrix_authentication_service_container_network }}" +# Whether to pass a `--dry-run` flag to the 'migrate' sub-command. +# See `matrix_authentication_service_syn2mas_subcommand` +matrix_authentication_service_syn2mas_migrate_dry_run: false # Path to Synapse's homeserver.yaml configuration file. 
matrix_authentication_service_syn2mas_synapse_homeserver_config_path: "" -# Additional arguments passed to the syn2mas process. +matrix_authentication_service_syn2mas_container_network: "{{ matrix_authentication_service_container_network }}" + +# Additional options passed to the syn2mas sub-command (e.g. `mas-cli syn2mas [OPTIONS] migrate|check`). +# Also see: `matrix_authentication_service_syn2mas_subcommand_extra_options` # # Example: -# matrix_authentication_service_syn2mas_process_extra_arguments: -# - "--upstreamProviderMapping oidc-keycloak:01H8PKNWKKRPCBW4YGH1RWV279" -matrix_authentication_service_syn2mas_process_extra_arguments: [] +# matrix_authentication_service_syn2mas_command_extra_options: +# - "--something" +matrix_authentication_service_syn2mas_command_extra_options: [] + +# Additional options passed to the syn2mas sub-command (e.g. `mas-cli syn2mas migrate|check [OPTIONS]`). +# Also see: `matrix_authentication_service_syn2mas_command_extra_options` +# +# Example: +# matrix_authentication_service_syn2mas_subcommand_extra_options: +# - "--dry-run" +matrix_authentication_service_syn2mas_subcommand_extra_options: [] ######################################################################################## # # diff --git a/roles/custom/matrix-authentication-service/tasks/main.yml b/roles/custom/matrix-authentication-service/tasks/main.yml index 6b6a07718..95c40fea7 100644 --- a/roles/custom/matrix-authentication-service/tasks/main.yml +++ b/roles/custom/matrix-authentication-service/tasks/main.yml 
@@ -9,18 +9,33 @@ - setup-matrix-authentication-service - install-all - install-matrix-authentication-service + - matrix-authentication-service-mas-cli-syn2mas block: - when: matrix_authentication_service_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" +- tags: + - setup-all + - setup-matrix-authentication-service + - install-all + - install-matrix-authentication-service + block: - when: matrix_authentication_service_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" +# The tag 'matrix-authentication-service-syn2mas' has been replaced by the tag 'matrix-authentication-service-mas-cli-syn2mas'. - tags: - matrix-authentication-service-syn2mas + block: + - name: Warn about deprecated tag + ansible.builtin.fail: + msg: "WARNING: The 'matrix-authentication-service-syn2mas' tag has been replaced by 'matrix-authentication-service-mas-cli-syn2mas'. Please update your command." + +- tags: + - matrix-authentication-service-mas-cli-syn2mas block: - when: matrix_authentication_service_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/syn2mas.yml" + ansible.builtin.include_tasks: "{{ role_path }}/tasks/mas_cli_syn2mas.yml" - tags: - matrix-authentication-service-mas-cli-doctor diff --git a/roles/custom/matrix-authentication-service/tasks/syn2mas.yml b/roles/custom/matrix-authentication-service/tasks/mas_cli_syn2mas.yml similarity index 52% rename from roles/custom/matrix-authentication-service/tasks/syn2mas.yml rename to roles/custom/matrix-authentication-service/tasks/mas_cli_syn2mas.yml index 0a09d5351..90cb9ab74 100644 --- a/roles/custom/matrix-authentication-service/tasks/syn2mas.yml +++ b/roles/custom/matrix-authentication-service/tasks/mas_cli_syn2mas.yml 
@@ -6,7 +6,7 @@ --- - ansible.builtin.set_fact: - matrix_authentication_service_syn2mas_dry_run: "{{ matrix_authentication_service_syn2mas_dry_run | bool }}" + matrix_authentication_service_syn2mas_migrate_dry_run: "{{ matrix_authentication_service_syn2mas_migrate_dry_run | bool }}" - name: Abort, if not using Synapse when: not matrix_synapse_enabled | bool 
@@ -33,41 +33,8 @@ msg: "The Synapse homeserver config file does not exist at the specified path: {{ matrix_authentication_service_syn2mas_synapse_homeserver_config_path }}" when: not matrix_authentication_service_syn2mas_synapse_config_stat.stat.exists -- name: Ensure Matrix Authentication Service syn2mas container image is pulled - community.docker.docker_image: - name: "{{ matrix_authentication_service_syn2mas_container_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_authentication_service_syn2mas_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_authentication_service_syn2mas_container_image_force_pull }}" - when: "not matrix_authentication_service_syn2mas_container_image_self_build | bool" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- when: "matrix_authentication_service_syn2mas_container_image_self_build | bool" - block: - - name: Ensure Matrix Authentication Service repository is present on self-build - ansible.builtin.git: - repo: "{{ matrix_authentication_service_container_repo }}" - version: "{{ matrix_authentication_service_container_repo_version }}" - dest: "{{ matrix_authentication_service_container_src_files_path }}" - force: "yes" - become: true - become_user: "{{ matrix_user_name }}" - register: matrix_authentication_service_git_pull_results - - - name: Ensure Matrix Authentication Service syn2mas container image is built - ansible.builtin.command: - cmd: |- - {{ devture_systemd_docker_base_host_command_docker }} buildx build - --tag={{ matrix_authentication_service_syn2mas_container_image }} - --file={{ matrix_authentication_service_container_src_files_path }}/tools/syn2mas/Dockerfile - {{ 
matrix_authentication_service_container_src_files_path }}/tools/syn2mas - changed_when: true - - name: Ensure Synapse is stopped - when: not matrix_authentication_service_syn2mas_dry_run | bool + when: not matrix_authentication_service_syn2mas_migrate_dry_run | bool ansible.builtin.service: name: matrix-synapse state: stopped @@ -81,14 +48,19 @@ # # Still, it's probably safer to stop it anyway. - name: Ensure Matrix Authentication Service is stopped + when: not matrix_authentication_service_syn2mas_migrate_dry_run | bool ansible.builtin.service: name: matrix-authentication-service state: stopped register: matrix_authentication_service_mas_ensure_stopped_result +# This is similar to the command found in the systemd service file. +# +# We cannot use `docker exec` with the existing Matrix Authentication Service container here, +# because we need an additional mount (the Synapse homeserver config). - name: Generate syn2mas migration command ansible.builtin.set_fact: - matrix_authentication_service_syn2mas_migration_command: >- + matrix_authentication_service_mas_cli_syn2mas_command: >- {{ devture_systemd_docker_base_host_command_docker }} run --rm --name=matrix-authentication-service-syn2mas 
@@ -96,14 +68,16 @@ --user={{ matrix_authentication_service_uid }}:{{ matrix_authentication_service_gid }} --cap-drop=ALL --network={{ matrix_authentication_service_syn2mas_container_network }} + --mount type=bind,src={{ matrix_authentication_service_config_path }}/config.yaml,dst=/config.yaml,ro + --mount type=bind,src={{ matrix_authentication_service_data_keys_path }},dst=/keys,ro --mount type=bind,src={{ matrix_authentication_service_syn2mas_synapse_homeserver_config_path }},dst=/homeserver.yaml,ro - --mount type=bind,src={{ matrix_authentication_service_config_path }}/config.yaml,dst=/mas-config.yaml,ro - {{ matrix_authentication_service_syn2mas_container_image }} - --command=migrate - --synapseConfigFile=/homeserver.yaml - --masConfigFile=/mas-config.yaml - {{ matrix_authentication_service_syn2mas_process_extra_arguments | join(' ') }} - {% if matrix_authentication_service_syn2mas_dry_run | bool %}--dryRun{% endif %} + {{ matrix_authentication_service_container_image }} + syn2mas + --synapse-config=/homeserver.yaml + {{ matrix_authentication_service_syn2mas_command_extra_options | join(' ') }} + {{ matrix_authentication_service_syn2mas_subcommand }} + {{ '--dry-run' if matrix_authentication_service_syn2mas_migrate_dry_run and matrix_authentication_service_syn2mas_subcommand == 'migrate' else '' }} + {{ matrix_authentication_service_syn2mas_subcommand_extra_options | join(' ') }} tags: - skip_ansible_lint 
@@ -111,33 +85,33 @@ # See: https://ansibledaily.com/print-to-standard-output-without-escaping/ # # We want to run `debug: msg=".."`, but that dumps it as JSON and escapes double quotes within it, -# which ruins the command (`matrix_authentication_service_syn2mas_migration_command`). +# which ruins the command (`matrix_authentication_service_mas_cli_syn2mas_command`). - name: Note about syn2mas migration ansible.builtin.set_fact: dummy: true with_items: - >- - Running syn2mas migration using the following command: `{{ matrix_authentication_service_syn2mas_migration_command }}`. - If this crashes, you can stop Synapse (`systemctl stop matrix-synapse`) and run the command manually. + Running syn2mas migration using the following command: `{{ matrix_authentication_service_mas_cli_syn2mas_command }}`. + If this crashes, you can stop Synapse (`systemctl stop matrix-synapse`), start Matrix Authentication Service (`systemctl start matrix-authentication-service`) and run the command manually. - name: Perform syn2mas migration ansible.builtin.command: - cmd: "{{ matrix_authentication_service_syn2mas_migration_command }}" - register: matrix_authentication_service_syn2mas_migration_command_result - changed_when: matrix_authentication_service_syn2mas_migration_command_result.rc == 0 + cmd: "{{ matrix_authentication_service_mas_cli_syn2mas_command }}" + register: matrix_authentication_service_mas_cli_syn2mas_command_result + changed_when: matrix_authentication_service_mas_cli_syn2mas_command_result.rc == 0 - name: Print syn2mas migration command result ansible.builtin.debug: - var: matrix_authentication_service_syn2mas_migration_command_result + var: matrix_authentication_service_mas_cli_syn2mas_command_result - name: Ensure Synapse is started (if it previously was) - when: "not matrix_authentication_service_syn2mas_dry_run and matrix_authentication_service_synapse_ensure_stopped_result.changed" + when: "not matrix_authentication_service_syn2mas_migrate_dry_run and 
matrix_authentication_service_mas_cli_syn2mas_command_result.changed" ansible.builtin.service: name: matrix-synapse state: started - name: Ensure Matrix Authentication Service is started (if it previously was) - when: "not matrix_authentication_service_syn2mas_dry_run and matrix_authentication_service_mas_ensure_stopped_result.changed" + when: "not matrix_authentication_service_syn2mas_migrate_dry_run and matrix_authentication_service_mas_ensure_stopped_result.changed" ansible.builtin.service: name: matrix-authentication-service state: started diff --git a/roles/custom/matrix-authentication-service/tasks/validate_config.yml b/roles/custom/matrix-authentication-service/tasks/validate_config.yml index 7a0f50b83..d3c47844f 100644 --- a/roles/custom/matrix-authentication-service/tasks/validate_config.yml +++ b/roles/custom/matrix-authentication-service/tasks/validate_config.yml 
@@ -44,3 +44,11 @@ with_items: - {'old': 'matrix_authentication_service_container_image_name_prefix', 'new': 'matrix_authentication_service_container_image_registry_prefix'} - {'old': 'matrix_authentication_service_syn2mas_container_image_name_prefix', 'new': 'matrix_authentication_service_syn2mas_container_image_registry_prefix'} + - {'old': 'matrix_authentication_service_syn2mas_container_image', 'new': ''} + - {'old': 'matrix_authentication_service_syn2mas_container_image_registry_prefix', 'new': ''} + - {'old': 'matrix_authentication_service_syn2mas_container_image_registry_prefix_upstream', 'new': ''} + - {'old': 'matrix_authentication_service_syn2mas_container_image_registry_prefix_upstream_default', 'new': ''} + - {'old': 'matrix_authentication_service_syn2mas_container_image_force_pull', 'new': ''} + - {'old': 'matrix_authentication_service_syn2mas_container_image_self_build', 'new': ''} + - {'old': 'matrix_authentication_service_syn2mas_process_extra_arguments', 'new': 'matrix_authentication_service_syn2mas_command_extra_options or matrix_authentication_service_syn2mas_subcommand_extra_options'} + - {'old': 'matrix_authentication_service_syn2mas_dry_run', 'new': 'matrix_authentication_service_syn2mas_migrate_dry_run'}
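Review bot: The new comment on `synapse_idp_id` in the docs hunk @@ -157 ("most likely `oidc` or `oidc-provider`") drops the one detail that bites people here: as the text removed in hunk @@ -354 explained, providers defined under Synapse's `oidc_providers` are stored in its database with an automatic `oidc-` prefix (`idp_id: keycloak` becomes `oidc-keycloak`). Suggest the comment say so explicitly, e.g. `# Use "oidc" for a legacy single oidc_config, or "oidc-<idp_id>" for providers defined in oidc_providers`, so that a wrong value does not silently leave external ids unmapped.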
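Review bot: Hunk @@ -340 deletes the paragraph about the `syn2mas` migration advisor without replacing it, yet the defaults hunk @@ -559 introduces `matrix_authentication_service_syn2mas_subcommand` with `check` as a valid value. The docs should mention how to run that pre-flight check through the playbook (for example `just run-tags matrix-authentication-service-mas-cli-syn2mas -e matrix_authentication_service_syn2mas_subcommand=check`) and whether the previous advice (do not act on its output until the data is migrated) still applies.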
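Review bot: Hunk @@ -354 removes the worked example (Synapse `idp_id: keycloak` -> database value `oidc-keycloak` -> MAS provider `01HFVBY12TMNTYTBV8W921M5FA`) and the sample error output, leaving only a link to the upstream page. Suggest keeping a short example showing the provider entry from `matrix_authentication_service_config_upstream_oauth2_providers` with `synapse_idp_id: oidc-keycloak` filled in, since that is exactly the value readers will get wrong, and a one-line pointer to what an unmapped provider looks like in the `syn2mas` output.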
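Review bot: Style point in the docs hunk @@ -384: the unchanged context line "especially the last line of the the syn2mas output" carries a doubled "the"; since this paragraph is being touched, fix it in the same change.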
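Review bot: The new sample error in docs hunk @@ -403 ("Please drop and recreate the database, then try again") needs a sentence of context: it refers to the MAS database only, not Synapse's, and dropping it discards every login session created through MAS since the first migration. Without that caveat a reader who hits the message on a live deployment may follow it literally. Suggest adding "This refers to the Matrix Authentication Service database; do not drop the Synapse database" right after the quote.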
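Review bot: The i18n hunks (`bg`, `jp` `.po` files and the `.pot` template) look hand-edited rather than regenerated: the context lines still contain `msgid "We **don't** ask you to [run the `syn2mas` migration advisor command]..."`, a paragraph this PR deletes from the source document, and the `#: ...md:340` / `#: ...md:401` source references no longer match the renumbered file. Regenerate the templates and catalogs with the project's usual tooling so removed strings become obsolete entries and line references are correct.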
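Review bot: Missing validation in the defaults hunk @@ -559: `matrix_authentication_service_syn2mas_subcommand` documents "Valid values: migrate, check" but nothing in `validate_config.yml` enforces it, and a typo would be passed straight into the `docker run ... syn2mas ... {{ matrix_authentication_service_syn2mas_subcommand }}` command. Add a fail task such as `when: matrix_authentication_service_syn2mas_subcommand not in ['migrate', 'check']`. Also, the example for `matrix_authentication_service_syn2mas_subcommand_extra_options` (`- "--dry-run"`) duplicates the dedicated `matrix_authentication_service_syn2mas_migrate_dry_run` variable; setting both would emit `--dry-run` twice, so pick a different illustrative option.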
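Review bot: In `tasks/main.yml` hunk @@ -9 the deprecated-tag block uses `ansible.builtin.fail` with a message that starts with "WARNING:". `fail` aborts the run, so this is an error, not a warning; reword the message (e.g. "The 'matrix-authentication-service-syn2mas' tag is no longer supported; use 'matrix-authentication-service-mas-cli-syn2mas'") or, if a non-fatal nudge is intended, use `ansible.builtin.debug` instead. Adding `validate_config.yml` to the new tag is a good change and should be mentioned in the commit message.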
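Review bot: Hunk @@ -33 of `mas_cli_syn2mas.yml` removes the image pull and self-build steps, and `tasks/main.yml` shows the `matrix-authentication-service-mas-cli-syn2mas` tag no longer includes `install.yml`, so nothing in this tag ensures `matrix_authentication_service_container_image` is present. `docker run` will pull implicitly for registry images (without the retry logic the removed task had), but for self-build hosts the image is `localhost/...` and the run will simply fail if the version was bumped without a prior `setup-all`. Either include the pull/build task here or add an explicit precondition with a clear error message.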
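Review bot: The recovery text in hunk @@ -111 of `mas_cli_syn2mas.yml` now tells the operator to "start Matrix Authentication Service (`systemctl start matrix-authentication-service`)" before running the command manually, but hunk @@ -81 adds a task that deliberately stops MAS before the migration runs (and the surrounding comment says stopping it is "probably safer"). One of the two is wrong; please state which state MAS must be in for `mas-cli syn2mas` and make the task order and the manual instructions agree.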
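Review bot: Logic regression in hunk @@ -111 of `mas_cli_syn2mas.yml`: the "Ensure Synapse is started (if it previously was)" condition changed from `matrix_authentication_service_synapse_ensure_stopped_result.changed` to `matrix_authentication_service_mas_cli_syn2mas_command_result.changed`. That variable reflects whether the migration command returned rc 0, not whether Synapse was running beforehand, so a successful run now starts Synapse even on hosts where it was stopped on purpose, contradicting the task name. This looks like an accidental find-and-replace; restore the reference to the Synapse stop result (the parallel MAS task two lines below still correctly uses `matrix_authentication_service_mas_ensure_stopped_result.changed`).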
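Review bot: In `validate_config.yml` hunk @@ -44 the unchanged entry `{'old': 'matrix_authentication_service_syn2mas_container_image_name_prefix', 'new': 'matrix_authentication_service_syn2mas_container_image_registry_prefix'}` now points users at a variable that this same hunk marks as removed (`'new': ''`). Change that entry's `new` to `''` as well so the rename hint does not send people to a dead setting.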