Initial work on support for matrix-corporal v2

This commit is contained in:
Slavi Pantaleev 2021-01-16 23:47:14 +02:00
parent 6f51c1ed96
commit 28d86e3aaa
5 changed files with 34 additions and 8 deletions

View File

@ -11,7 +11,9 @@ The playbook can install and configure [matrix-corporal](https://github.com/devt
In short, it's a sort of automation and firewalling service, which is helpful if you're instaling Matrix services in a controlled corporate environment. In short, it's a sort of automation and firewalling service, which is helpful if you're instaling Matrix services in a controlled corporate environment.
See that project's documentation to learn what it does and why it might be useful to you. See that project's documentation to learn what it does and why it might be useful to you.
If you decide that you'd like to let this playbook install it for you, you'd need to also [set up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md). If you decide that you'd like to let this playbook install it for you, you'd need to also:
- (required) [set up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md)
- (optional, but encouraged) [set up the REST authentication password provider module](configuring-playbook-rest-auth.md)
## Playbook configuration ## Playbook configuration
@ -24,6 +26,15 @@ You would then need some configuration like this:
matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: YOUR_SHARED_SECRET_GOES_HERE matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: YOUR_SHARED_SECRET_GOES_HERE
# When matrix-corporal is acting as the primary authentication provider,
# you need to set up the REST authentication password provider module
# to make Interactive User Authentication work.
# This is necessary for certain user actions (like E2EE, device management, etc).
#
# See configuring-playbook-rest-auth.md
matrix_synapse_ext_password_provider_rest_auth_enabled: true
matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-corporal:41080/_matrix/corporal"
matrix_corporal_enabled: true matrix_corporal_enabled: true
matrix_corporal_policy_provider_config: | matrix_corporal_policy_provider_config: |
@ -40,9 +51,9 @@ matrix_corporal_policy_provider_config: |
matrix_corporal_http_api_enabled: true matrix_corporal_http_api_enabled: true
matrix_corporal_http_api_auth_token: "AUTH_TOKEN_HERE" matrix_corporal_http_api_auth_token: "AUTH_TOKEN_HERE"
# If you need to change the reconciliator user's id from the default (matrix-corporal).. # If you need to change matrix-corporal's user id from the default (matrix-corporal).
# In any case, you need to make sure this Matrix user is created on your server. # In any case, you need to make sure this Matrix user is created on your server.
matrix_corporal_reconciliation_user_id_local_part: "matrix-corporal" matrix_corporal_corporal_user_id_local_part: "matrix-corporal"
# Because Corporal peridoically performs lots of user logins from the same IP, # Because Corporal peridoically performs lots of user logins from the same IP,
# you may need raise Synapse's ratelimits. # you may need raise Synapse's ratelimits.

View File

@ -674,6 +674,9 @@ matrix_corporal_matrix_homeserver_api_endpoint: "http://matrix-synapse:8008"
matrix_corporal_matrix_auth_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}" matrix_corporal_matrix_auth_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
# This is only useful if there's REST auth provider to make use of it.
matrix_corporal_http_gateway_internal_rest_auth_enabled: "{{ matrix_synapse_ext_password_provider_rest_auth_enabled }}"
matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registration_shared_secret }}" matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registration_shared_secret }}"
###################################################################### ######################################################################

View File

@ -24,7 +24,7 @@ matrix_corporal_systemd_required_services_list: ['docker.service']
matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}" matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}"
matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else 'docker.io/' }}" matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else 'docker.io/' }}"
matrix_corporal_docker_image_tag: "1.11.0" matrix_corporal_docker_image_tag: "2.0.0"
matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}" matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}"
matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal" matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal"
@ -50,10 +50,16 @@ matrix_corporal_matrix_registration_shared_secret: ""
matrix_corporal_matrix_timeout_milliseconds: 45000 matrix_corporal_matrix_timeout_milliseconds: 45000
matrix_corporal_reconciliation_retry_interval_milliseconds: 30000 matrix_corporal_reconciliation_retry_interval_milliseconds: 30000
matrix_corporal_reconciliation_user_id_local_part: "matrix-corporal" matrix_corporal_corporal_user_id_local_part: "matrix-corporal"
matrix_corporal_http_gateway_timeout_milliseconds: 60000 matrix_corporal_http_gateway_timeout_milliseconds: 60000
# If enabled, matrix-corporal exposes a `POST /_matrix/corporal/_matrix-internal/identity/v1/check_credentials` API
# on the gateway (Client-Server API) server.
# This API can then be used together with the REST Auth password provider by pointing it to matrix-corporal (e.g. `http://matrix-corporal:41080/_matrix/corporal`).
# Doing so allows Interactive Authentication to work.
matrix_corporal_http_gateway_internal_rest_auth_enabled: false
matrix_corporal_http_api_enabled: false matrix_corporal_http_api_enabled: false
matrix_corporal_http_api_auth_token: "" matrix_corporal_http_api_auth_token: ""
matrix_corporal_http_api_timeout_milliseconds: 15000 matrix_corporal_http_api_timeout_milliseconds: 15000

View File

@ -16,7 +16,6 @@
msg: "The Matrix Corporal HTTP API is enabled (`matrix_corporal_http_api_enabled`), but no auth token has been set in `matrix_corporal_http_api_auth_token`" msg: "The Matrix Corporal HTTP API is enabled (`matrix_corporal_http_api_enabled`), but no auth token has been set in `matrix_corporal_http_api_auth_token`"
when: "matrix_corporal_http_api_enabled|bool and matrix_corporal_http_api_auth_token == ''" when: "matrix_corporal_http_api_enabled|bool and matrix_corporal_http_api_auth_token == ''"
- name: (Deprecation) Catch and report renamed corporal variables - name: (Deprecation) Catch and report renamed corporal variables
fail: fail:
msg: >- msg: >-
@ -25,3 +24,4 @@
when: "item.old in vars" when: "item.old in vars"
with_items: with_items:
- {'old': 'matrix_corporal_container_expose_ports', 'new': '<superseded by matrix_corporal_container_http_gateway_host_bind_port and matrix_corporal_container_http_api_host_bind_port>'} - {'old': 'matrix_corporal_container_expose_ports', 'new': '<superseded by matrix_corporal_container_http_gateway_host_bind_port and matrix_corporal_container_http_api_host_bind_port>'}
- {'old': 'matrix_corporal_reconciliation_user_id_local_part', 'new': 'matrix_corporal_corporal_user_id_local_part'}

View File

@ -7,14 +7,20 @@
"TimeoutMilliseconds": {{ matrix_corporal_matrix_timeout_milliseconds }} "TimeoutMilliseconds": {{ matrix_corporal_matrix_timeout_milliseconds }}
}, },
"Corporal": {
"UserId": "@{{ matrix_corporal_corporal_user_id_local_part }}:{{ matrix_domain }}"
},
"Reconciliation": { "Reconciliation": {
"UserId": "@{{ matrix_corporal_reconciliation_user_id_local_part }}:{{ matrix_domain }}",
"RetryIntervalMilliseconds": {{ matrix_corporal_reconciliation_retry_interval_milliseconds }} "RetryIntervalMilliseconds": {{ matrix_corporal_reconciliation_retry_interval_milliseconds }}
}, },
"HttpGateway": { "HttpGateway": {
"ListenAddress": "0.0.0.0:41080", "ListenAddress": "0.0.0.0:41080",
"TimeoutMilliseconds": {{ matrix_corporal_http_gateway_timeout_milliseconds }} "TimeoutMilliseconds": {{ matrix_corporal_http_gateway_timeout_milliseconds }},
"InternalRESTAuth": {
"Enabled": {{ matrix_corporal_http_gateway_internal_rest_auth_enabled|to_json }}
}
}, },
"HttpApi": { "HttpApi": {