finallycoffee/matrix-docker-ansible-deploy
finallycoffee/matrix-docker-ansible-deploy
5
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Upgrade Matrix Authentication Service (v0.15.0 -> v0.16.0) and adapt for the new syn2mas subcommand

Browse Source 
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4297

Supersedes https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/4300
This commit is contained in:
Slavi Pantaleev 2025-05-07 17:33:55 +03:00
parent 95ef383ef7
commit 19ccd491fb
9 changed files with 91 additions and 106 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
docs/configuring-playbook-matrix-authentication-service.md
View File

@ -157,6 +157,10 @@ matrix_authentication_service_config_upstream_oauth2_providers:
- # A unique identifier for the provider
# Must be a valid ULID
id: 01HFVBY12TMNTYTBV8W921M5FA
# This can be set if you're migrating an existing (legacy) Synapse OIDC configuration.
# The value used here would most likely be "oidc" or "oidc-provider".
# See: https://element-hq.github.io/matrix-authentication-service/setup/migration.html#map-any-upstream-sso-providers
synapse_idp_id: null
# The issuer URL, which will be used to discover the provider's configuration.
# If discovery is enabled, this *must* exactly match the `issuer` field
# advertised in `<issuer>/.well-known/openid-configuration`.
@ -304,7 +308,7 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
Our migration guide is loosely based on the upstream [Migrating an existing homeserver](https://element-hq.github.io/matrix-authentication-service/setup/migration.html) guide.
Migration is done via a tool called `syn2mas`, which the playbook could run for you (in a container).
Migration is done via a sub-command called `syn2mas`, which the playbook could run for you (in a container).
The installation + migration steps are like this:
@ -320,7 +324,7 @@ The installation + migration steps are like this:
- The `matrix-user-creator` role would be suppressed, so that it doesn't automatically attempt to create users (for bots, etc.) in the MAS database. These user accounts likely already exist in Synapse's user database and could be migrated over (via syn2mas, as per the steps below), so creating them in the MAS database would have been unnecessary and potentially problematic (conflicts during the syn2mas migration).
3. Consider taking a full [backup of your Postgres database](./maintenance-postgres.md#backing-up-postgresql). This is done just in case. The **syn2mas migration tool does not delete any data**, so it should be possible to revert to your previous setup by merely disabling MAS and re-running the playbook (no need to restore a Postgres backup). However, do note that as users start logging in (creating new login sessions) via the new MAS setup, disabling MAS and reverting back to the Synapse user database will cause these new sessions to break.
3. Consider taking a full [backup of your Postgres database](./maintenance-postgres.md#backing-up-postgresql). This is done just in case. The **syn2mas migration command does not delete any data**, so it should be possible to revert to your previous setup by merely disabling MAS and re-running the playbook (no need to restore a Postgres backup). However, do note that as users start logging in (creating new login sessions) via the new MAS setup, disabling MAS and reverting back to the Synapse user database will cause these new sessions to break.
4. [Migrate your data from Synapse to Matrix Authentication Service using syn2mas](#migrate-your-data-from-synapse-to-matrix-authentication-service-using-syn2mas)
@ -340,9 +344,7 @@ The installation + migration steps are like this:
### Migrate your data from Synapse to Matrix Authentication Service using syn2mas
We **don't** ask you to [run the `syn2mas` migration advisor command](https://element-hq.github.io/matrix-authentication-service/setup/migration.html#run-the-migration-advisor), because it only gives you the green light if your Synapse configuration (`homeserver.yaml`) is configured in a way that's compatible with MAS (delegating authentication to MAS; disabling Synapse's password config; etc.). Until we migrate your data with the `syn2mas` tool, we intentionally avoid doing these changes to allow existing user sessions to work.
You can invoke the `syn2mas` tool via the playbook by running the playbook's `matrix-authentication-service-syn2mas` tag. We recommend first doing a [dry-run](#performing-a-syn2mas-dry-run) and then a [real migration](#performing-a-real-syn2mas-migration).
You can invoke the `syn2mas` tool via the playbook by running the playbook's `matrix-authentication-service-mas-cli-syn2mas` tag. We recommend first doing a [dry-run](#performing-a-syn2mas-dry-run) and then a [real migration](#performing-a-real-syn2mas-migration).
#### Configuring syn2mas
@ -354,26 +356,9 @@ When you're done with potentially configuring `syn2mas`, proceed to doing a [dry
##### Configuring upstream OIDC provider mapping for syn2mas
If you have existing OIDC users in your Synapse user database (which will be the case if when using [OIDC with Synapse](./configuring-playbook-synapse.md#synapse--openid-connect-for-single-sign-on)), you may need to pass an additional `--upstreamProviderMapping` argument to the `syn2mas` tool to tell it which provider (on the Synapse side) maps to which other provider on the MAS side.
Since Matrix Authentication Service v0.16.0 (which replaced the standalone `syn2mas` tool with a `mas-cli syn2mas` sub-command), OIDC configuration (mapping from your old OIDC configuration to your new one, etc) is meant to be configured in the Matrix Authentication Service configuration (via `matrix_authentication_service_config_upstream_oauth2_providers`) as a `synapse_idp_id` property for each provider.
If you don't do this, `syn2mas` would report errors like this one:
> [FATAL] migrate - [Failed to import external id 4264b0f0-4f11-4ddd-aedb-b500e4d07c25 with oidc-keycloak for user @alice:example.com: Error: Unknown upstream provider oidc-keycloak]
Below is an example situation and a guide for how to solve it.
If in `matrix_synapse_oidc_providers` your provider `idp_id` is (was) named `keycloak`, in the Synapse database users would be associated with the `oidc-keycloak` provider (note the `oidc-` prefix that was added automatically by Synapse to your `idp_id` value).
The same OIDC provider may have an `id` of `01HFVBY12TMNTYTBV8W921M5FA` on the MAS side, as defined in `matrix_authentication_service_config_upstream_oauth2_providers` (see the [Upstream OAuth2 configuration](#upstream-oauth2-configuration) section above).
To tell `syn2mas` how the Synapse-configured OIDC provider maps to the new MAS-configured OIDC provider, add this additional configuration to your `vars.yml` file:
```yaml
# Adjust the mapping below to match your provider IDs on the Synapse side and the MAS side.
# Don't forget that Synapse automatically adds an `oidc-` prefix to provider ids defined in its configuration.
matrix_authentication_service_syn2mas_process_extra_arguments:
- "--upstreamProviderMapping oidc-keycloak:01HFVBY12TMNTYTBV8W921M5FA"
```
You can refer to the [Map any upstream SSO providers](https://element-hq.github.io/matrix-authentication-service/setup/migration.html#map-any-upstream-sso-providers) section of the MAS documentation for figuring out how to set the `synapse_idp_id` value in `matrix_authentication_service_config_upstream_oauth2_providers` correctly.
#### Performing a syn2mas dry-run
@ -384,7 +369,7 @@ A dry-run would not cause downtime, because it avoids stopping Synapse.
To perform a dry-run, run:
```sh
just run-tags matrix-authentication-service-syn2mas -e matrix_authentication_service_syn2mas_dry_run=true
just run-tags matrix-authentication-service-mas-cli-syn2mas -e matrix_authentication_service_syn2mas_migrate_dry_run=true
```
Observe the command output (especially the last line of the the syn2mas output). If you are confident that the migration will work out as expected, you can proceed with a [real migration](#performing-a-real-syn2mas-migration).
@ -403,13 +388,13 @@ Before performing a real migration make sure:
- you've performed a [syn2mas dry-run](#performing-a-syn2mas-dry-run) and don't see any issues in its output
To perform a real migration, run the `matrix-authentication-service-syn2mas` tag **without** the `matrix_authentication_service_syn2mas_dry_run` variable:
To perform a real migration, run the `matrix-authentication-service-mas-cli-syn2mas` tag **without** the `matrix_authentication_service_syn2mas_migrate_dry_run` variable:
```sh
just run-tags matrix-authentication-service-syn2mas
just run-tags matrix-authentication-service-mas-cli-syn2mas
```
Having performed a `syn2mas` migration once, trying to do it again will report errors for users that were already migrated (e.g. "Error: Unknown upstream provider oauth-delegated").
Having performed a `syn2mas` migration once, trying to do it again will report errors (e.g. "Error: The MAS database is not empty: rows found in at least `users`. Please drop and recreate the database, then try again.").
## Verify that Matrix Authentication Service is installed correctly

2
group_vars/matrix_servers
View File

@ -688,8 +688,6 @@ matrix_authentication_service_config_email_from_address: "{{ exim_relay_sender_a
matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_authentication_service_container_image_registry_prefix_upstream_default }}"
matrix_authentication_service_syn2mas_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_authentication_service_syn2mas_container_image_registry_prefix_upstream_default }}"
matrix_authentication_service_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}"
matrix_authentication_service_container_network: "{{ matrix_homeserver_container_network }}"

4
i18n/locales/bg/LC_MESSAGES/docs/configuring-playbook-matrix-authentication-service.po
View File

@ -435,7 +435,7 @@ msgid "We **don't** ask you to [run the `syn2mas` migration advisor command](htt
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:340
msgid "You can invoke the `syn2mas` tool via the playbook by running the playbook's `matrix-authentication-service-syn2mas` tag. We recommend first doing a [dry-run](#performing-a-syn2mas-dry-run) and then a [real migration](#performing-a-real-syn2mas-migration)."
msgid "You can invoke the `syn2mas` tool via the playbook by running the playbook's `matrix-authentication-service-mas-cli-syn2mas` tag. We recommend first doing a [dry-run](#performing-a-syn2mas-dry-run) and then a [real migration](#performing-a-real-syn2mas-migration)."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:342
@ -535,7 +535,7 @@ msgid "you've performed a [syn2mas dry-run](#performing-a-syn2mas-dry-run) and d
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:401
msgid "To perform a real migration, run the `matrix-authentication-service-syn2mas` tag **without** the `matrix_authentication_service_syn2mas_dry_run` variable:"
msgid "To perform a real migration, run the `matrix-authentication-service-mas-cli-syn2mas` tag **without** the `matrix_authentication_service_syn2mas_migrate_dry_run` variable:"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:407

4
i18n/locales/jp/LC_MESSAGES/docs/configuring-playbook-matrix-authentication-service.po
View File

@ -434,7 +434,7 @@ msgid "We **don't** ask you to [run the `syn2mas` migration advisor command](htt
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:340
msgid "You can invoke the `syn2mas` tool via the playbook by running the playbook's `matrix-authentication-service-syn2mas` tag. We recommend first doing a [dry-run](#performing-a-syn2mas-dry-run) and then a [real migration](#performing-a-real-syn2mas-migration)."
msgid "You can invoke the `syn2mas` tool via the playbook by running the playbook's `matrix-authentication-service-mas-cli-syn2mas` tag. We recommend first doing a [dry-run](#performing-a-syn2mas-dry-run) and then a [real migration](#performing-a-real-syn2mas-migration)."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:342
@ -534,7 +534,7 @@ msgid "you've performed a [syn2mas dry-run](#performing-a-syn2mas-dry-run) and d
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:401
msgid "To perform a real migration, run the `matrix-authentication-service-syn2mas` tag **without** the `matrix_authentication_service_syn2mas_dry_run` variable:"
msgid "To perform a real migration, run the `matrix-authentication-service-mas-cli-syn2mas` tag **without** the `matrix_authentication_service_syn2mas_migrate_dry_run` variable:"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:407

4
i18n/translation-templates/docs/configuring-playbook-matrix-authentication-service.pot
View File

@ -430,7 +430,7 @@ msgid "We **don't** ask you to [run the `syn2mas` migration advisor command](htt
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:340
msgid "You can invoke the `syn2mas` tool via the playbook by running the playbook's `matrix-authentication-service-syn2mas` tag. We recommend first doing a [dry-run](#performing-a-syn2mas-dry-run) and then a [real migration](#performing-a-real-syn2mas-migration)."
msgid "You can invoke the `syn2mas` tool via the playbook by running the playbook's `matrix-authentication-service-mas-cli-syn2mas` tag. We recommend first doing a [dry-run](#performing-a-syn2mas-dry-run) and then a [real migration](#performing-a-real-syn2mas-migration)."
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:342
@ -530,7 +530,7 @@ msgid "you've performed a [syn2mas dry-run](#performing-a-syn2mas-dry-run) and d
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:401
msgid "To perform a real migration, run the `matrix-authentication-service-syn2mas` tag **without** the `matrix_authentication_service_syn2mas_dry_run` variable:"
msgid "To perform a real migration, run the `matrix-authentication-service-mas-cli-syn2mas` tag **without** the `matrix_authentication_service_syn2mas_migrate_dry_run` variable:"
msgstr ""
#: ../../../docs/configuring-playbook-matrix-authentication-service.md:407

39
roles/custom/matrix-authentication-service/defaults/main.yml
View File

@ -22,7 +22,7 @@ matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authe
matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src"
# renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service
matrix_authentication_service_version: 0.15.0
matrix_authentication_service_version: 0.16.0
matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}"
matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}"
matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/"
@ -559,29 +559,34 @@ matrix_authentication_service_container_labels_additional_labels: ''
matrix_authentication_service_syn2mas_start_wait_time_seconds: 5
matrix_authentication_service_syn2mas_dry_run: false
# The syn2mas sub-command to run.
# Valid values: migrate, check
matrix_authentication_service_syn2mas_subcommand: migrate
# renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service/syn2mas
matrix_authentication_service_syn2mas_version: 0.15.0
matrix_authentication_service_syn2mas_container_image: "{{ matrix_authentication_service_syn2mas_container_image_registry_prefix }}element-hq/matrix-authentication-service/syn2mas:{{ matrix_authentication_service_syn2mas_version }}"
matrix_authentication_service_syn2mas_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_syn2mas_container_image_registry_prefix_upstream }}"
matrix_authentication_service_syn2mas_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_syn2mas_container_image_registry_prefix_upstream_default }}"
matrix_authentication_service_syn2mas_container_image_registry_prefix_upstream_default: ghcr.io/
matrix_authentication_service_syn2mas_container_image_force_pull: "{{ matrix_authentication_service_syn2mas_container_image.endswith(':latest') }}"
matrix_authentication_service_syn2mas_container_image_self_build: "{{ matrix_authentication_service_container_image_self_build }}"
matrix_authentication_service_syn2mas_container_network: "{{ matrix_authentication_service_container_network }}"
# Whether to pass a `--dry-run` flag to the 'migrate' sub-command.
# See `matrix_authentication_service_syn2mas_subcommand`
matrix_authentication_service_syn2mas_migrate_dry_run: false
# Path to Synapse's homeserver.yaml configuration file.
matrix_authentication_service_syn2mas_synapse_homeserver_config_path: ""
# Additional arguments passed to the syn2mas process.
matrix_authentication_service_syn2mas_container_network: "{{ matrix_authentication_service_container_network }}"
# Additional options passed to the syn2mas sub-command (e.g. `mas-cli syn2mas [OPTIONS] migrate|check`).
# Also see: `matrix_authentication_service_syn2mas_subcommand_extra_options`
#
# Example:
# matrix_authentication_service_syn2mas_process_extra_arguments:
# - "--upstreamProviderMapping oidc-keycloak:01H8PKNWKKRPCBW4YGH1RWV279"
matrix_authentication_service_syn2mas_process_extra_arguments: []
# matrix_authentication_service_syn2mas_command_extra_options:
# - "--something"
matrix_authentication_service_syn2mas_command_extra_options: []
# Additional options passed to the syn2mas sub-command (e.g. `mas-cli syn2mas migrate|check [OPTIONS]`).
# Also see: `matrix_authentication_service_syn2mas_command_extra_options`
#
# Example:
# matrix_authentication_service_syn2mas_subcommand_extra_options:
# - "--dry-run"
matrix_authentication_service_syn2mas_subcommand_extra_options: []
########################################################################################
# #

17
roles/custom/matrix-authentication-service/tasks/main.yml
View File

@ -9,18 +9,33 @@
- setup-matrix-authentication-service
- install-all
- install-matrix-authentication-service
- matrix-authentication-service-mas-cli-syn2mas
block:
- when: matrix_authentication_service_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
- tags:
- setup-all
- setup-matrix-authentication-service
- install-all
- install-matrix-authentication-service
block:
- when: matrix_authentication_service_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml"
# The tag 'matrix-authentication-service-syn2mas' has been replaced by the tag 'matrix-authentication-service-mas-cli-syn2mas'.
- tags:
- matrix-authentication-service-syn2mas
block:
- name: Warn about deprecated tag
ansible.builtin.fail:
msg: "WARNING: The 'matrix-authentication-service-syn2mas' tag has been replaced by 'matrix-authentication-service-mas-cli-syn2mas'. Please update your command."
- tags:
- matrix-authentication-service-mas-cli-syn2mas
block:
- when: matrix_authentication_service_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/syn2mas.yml"
ansible.builtin.include_tasks: "{{ role_path }}/tasks/mas_cli_syn2mas.yml"
- tags:
- matrix-authentication-service-mas-cli-doctor

78
roles/custom/matrix-authentication-service/tasks/syn2mas.yml → roles/custom/matrix-authentication-service/tasks/mas_cli_syn2mas.yml
View File

@ -6,7 +6,7 @@
---
- ansible.builtin.set_fact:
matrix_authentication_service_syn2mas_dry_run: "{{ matrix_authentication_service_syn2mas_dry_run | bool }}"
matrix_authentication_service_syn2mas_migrate_dry_run: "{{ matrix_authentication_service_syn2mas_migrate_dry_run | bool }}"
- name: Abort, if not using Synapse
when: not matrix_synapse_enabled | bool
@ -33,41 +33,8 @@
msg: "The Synapse homeserver config file does not exist at the specified path: {{ matrix_authentication_service_syn2mas_synapse_homeserver_config_path }}"
when: not matrix_authentication_service_syn2mas_synapse_config_stat.stat.exists
- name: Ensure Matrix Authentication Service syn2mas container image is pulled
community.docker.docker_image:
name: "{{ matrix_authentication_service_syn2mas_container_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_authentication_service_syn2mas_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_authentication_service_syn2mas_container_image_force_pull }}"
when: "not matrix_authentication_service_syn2mas_container_image_self_build | bool"
register: result
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed
- when: "matrix_authentication_service_syn2mas_container_image_self_build | bool"
block:
- name: Ensure Matrix Authentication Service repository is present on self-build
ansible.builtin.git:
repo: "{{ matrix_authentication_service_container_repo }}"
version: "{{ matrix_authentication_service_container_repo_version }}"
dest: "{{ matrix_authentication_service_container_src_files_path }}"
force: "yes"
become: true
become_user: "{{ matrix_user_name }}"
register: matrix_authentication_service_git_pull_results
- name: Ensure Matrix Authentication Service syn2mas container image is built
ansible.builtin.command:
cmd: |-
{{ devture_systemd_docker_base_host_command_docker }} buildx build
--tag={{ matrix_authentication_service_syn2mas_container_image }}
--file={{ matrix_authentication_service_container_src_files_path }}/tools/syn2mas/Dockerfile
{{ matrix_authentication_service_container_src_files_path }}/tools/syn2mas
changed_when: true
- name: Ensure Synapse is stopped
when: not matrix_authentication_service_syn2mas_dry_run | bool
when: not matrix_authentication_service_syn2mas_migrate_dry_run | bool
ansible.builtin.service:
name: matrix-synapse
state: stopped
@ -81,14 +48,19 @@
#
# Still, it's probably safer to stop it anyway.
- name: Ensure Matrix Authentication Service is stopped
when: not matrix_authentication_service_syn2mas_migrate_dry_run | bool
ansible.builtin.service:
name: matrix-authentication-service
state: stopped
register: matrix_authentication_service_mas_ensure_stopped_result
# This is similar to the command found in the systemd service file.
#
# We cannot use `docker exec` with the existing Matrix Authentication Service container here,
# because we need an additional mount (the Synapse homeserver config).
- name: Generate syn2mas migration command
ansible.builtin.set_fact:
matrix_authentication_service_syn2mas_migration_command: >-
matrix_authentication_service_mas_cli_syn2mas_command: >-
{{ devture_systemd_docker_base_host_command_docker }} run
--rm
--name=matrix-authentication-service-syn2mas
@ -96,14 +68,16 @@
--user={{ matrix_authentication_service_uid }}:{{ matrix_authentication_service_gid }}
--cap-drop=ALL
--network={{ matrix_authentication_service_syn2mas_container_network }}
--mount type=bind,src={{ matrix_authentication_service_config_path }}/config.yaml,dst=/config.yaml,ro
--mount type=bind,src={{ matrix_authentication_service_data_keys_path }},dst=/keys,ro
--mount type=bind,src={{ matrix_authentication_service_syn2mas_synapse_homeserver_config_path }},dst=/homeserver.yaml,ro
--mount type=bind,src={{ matrix_authentication_service_config_path }}/config.yaml,dst=/mas-config.yaml,ro
{{ matrix_authentication_service_syn2mas_container_image }}
--command=migrate
--synapseConfigFile=/homeserver.yaml
--masConfigFile=/mas-config.yaml
{{ matrix_authentication_service_syn2mas_process_extra_arguments | join(' ') }}
{% if matrix_authentication_service_syn2mas_dry_run | bool %}--dryRun{% endif %}
{{ matrix_authentication_service_container_image }}
syn2mas
--synapse-config=/homeserver.yaml
{{ matrix_authentication_service_syn2mas_command_extra_options | join(' ') }}
{{ matrix_authentication_service_syn2mas_subcommand }}
{{ '--dry-run' if matrix_authentication_service_syn2mas_migrate_dry_run and matrix_authentication_service_syn2mas_subcommand == 'migrate' else '' }}
{{ matrix_authentication_service_syn2mas_subcommand_extra_options | join(' ') }}
tags:
- skip_ansible_lint
@ -111,33 +85,33 @@
# See: https://ansibledaily.com/print-to-standard-output-without-escaping/
#
# We want to run `debug: msg=".."`, but that dumps it as JSON and escapes double quotes within it,
# which ruins the command (`matrix_authentication_service_syn2mas_migration_command`).
# which ruins the command (`matrix_authentication_service_mas_cli_syn2mas_command`).
- name: Note about syn2mas migration
ansible.builtin.set_fact:
dummy: true
with_items:
- >-
Running syn2mas migration using the following command: `{{ matrix_authentication_service_syn2mas_migration_command }}`.
If this crashes, you can stop Synapse (`systemctl stop matrix-synapse`) and run the command manually.
Running syn2mas migration using the following command: `{{ matrix_authentication_service_mas_cli_syn2mas_command }}`.
If this crashes, you can stop Synapse (`systemctl stop matrix-synapse`), start Matrix Authentication Service (`systemctl start matrix-authentication-service`) and run the command manually.
- name: Perform syn2mas migration
ansible.builtin.command:
cmd: "{{ matrix_authentication_service_syn2mas_migration_command }}"
register: matrix_authentication_service_syn2mas_migration_command_result
changed_when: matrix_authentication_service_syn2mas_migration_command_result.rc == 0
cmd: "{{ matrix_authentication_service_mas_cli_syn2mas_command }}"
register: matrix_authentication_service_mas_cli_syn2mas_command_result
changed_when: matrix_authentication_service_mas_cli_syn2mas_command_result.rc == 0
- name: Print syn2mas migration command result
ansible.builtin.debug:
var: matrix_authentication_service_syn2mas_migration_command_result
var: matrix_authentication_service_mas_cli_syn2mas_command_result
- name: Ensure Synapse is started (if it previously was)
when: "not matrix_authentication_service_syn2mas_dry_run and matrix_authentication_service_synapse_ensure_stopped_result.changed"
when: "not matrix_authentication_service_syn2mas_migrate_dry_run and matrix_authentication_service_mas_cli_syn2mas_command_result.changed"
ansible.builtin.service:
name: matrix-synapse
state: started
- name: Ensure Matrix Authentication Service is started (if it previously was)
when: "not matrix_authentication_service_syn2mas_dry_run and matrix_authentication_service_mas_ensure_stopped_result.changed"
when: "not matrix_authentication_service_syn2mas_migrate_dry_run and matrix_authentication_service_mas_ensure_stopped_result.changed"
ansible.builtin.service:
name: matrix-authentication-service
state: started

8
roles/custom/matrix-authentication-service/tasks/validate_config.yml
View File

@ -44,3 +44,11 @@
with_items:
- {'old': 'matrix_authentication_service_container_image_name_prefix', 'new': 'matrix_authentication_service_container_image_registry_prefix'}
- {'old': 'matrix_authentication_service_syn2mas_container_image_name_prefix', 'new': 'matrix_authentication_service_syn2mas_container_image_registry_prefix'}
- {'old': 'matrix_authentication_service_syn2mas_container_image', 'new': '<removed>'}
- {'old': 'matrix_authentication_service_syn2mas_container_image_registry_prefix', 'new': '<removed>'}
- {'old': 'matrix_authentication_service_syn2mas_container_image_registry_prefix_upstream', 'new': '<removed>'}
- {'old': 'matrix_authentication_service_syn2mas_container_image_registry_prefix_upstream_default', 'new': '<removed>'}
- {'old': 'matrix_authentication_service_syn2mas_container_image_force_pull', 'new': '<removed>'}
- {'old': 'matrix_authentication_service_syn2mas_container_image_self_build', 'new': '<removed>'}
- {'old': 'matrix_authentication_service_syn2mas_process_extra_arguments', 'new': 'matrix_authentication_service_syn2mas_command_extra_options or matrix_authentication_service_syn2mas_subcommand_extra_options'}
- {'old': 'matrix_authentication_service_syn2mas_dry_run', 'new': 'matrix_authentication_service_syn2mas_migrate_dry_run'}