Make registration proxy independent of other roles, document (#7)

* Make registration proxy independent of other roles, document Signed-off-by: Julian-Samuel Gebühr <julian-samuel@gebuehr.net> * Fix yml issues Signed-off-by: Julian-Samuel Gebühr <julian-samuel@gebuehr.net> * Remove undefined variable (as service HAS to be exposed Signed-off-by: Julian-Samuel Gebühr <julian-samuel@gebuehr.net> * Add registration endpint Defines the registration endpoint that should be intercepted/forwarded to the proxy Signed-off-by: Julian-Samuel Gebühr <julian-samuel@gebuehr.net> * Add image name Signed-off-by: Julian-Samuel Gebühr <julian-samuel@gebuehr.net> Signed-off-by: Julian-Samuel Gebühr <julian-samuel@gebuehr.net>
2022-09-29 18:00:14 +02:00 · 2022-09-29 18:00:14 +02:00 · 41e1da2ff4
commit 41e1da2ff4
parent dd5844524b
4 changed files with 59 additions and 60 deletions
--- a/docs/configuring-playbook-matrix-ldap-registration-proxy.md
+++ b/docs/configuring-playbook-matrix-ldap-registration-proxy.md
@ -13,18 +13,21 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.

 ```yaml
 matrix_ldap_registration_proxy_enabled: true
-```
-
-That is enough if you use the synapse external password provider via LDAP.
-If you want to use your own credentials add the following to your  `inventory/host_vars/matrix.DOMAIN/vars.yml`:
-
-
-
 # LDAP credentials
-```yaml
 matrix_ldap_registration_proxy_ldap_uri: <URI>
 matrix_ldap_registration_proxy_ldap_base_dn: <DN>
 matrix_ldap_registration_proxy_ldap_user: <USER>
 matrix_ldap_registration_proxy_ldap_password: <password>
 ```
-TODO: is the block above correct? Else indicate that it can only be used with the LDAP password provider for Synapse
+
+If you already use the [synapse external password provider via LDAP](docs/configuring-playbook-ldap-auth.md) (that is, you have `matrix_synapse_ext_password_provider_ldap_enabled: true` and other options in your configuration)
+you can use the following values as configuration:
+
+```yaml
+# Use the LDAP values specified for the synapse role to setup LDAP proxy
+matrix_ldap_registration_proxy_ldap_uri: "{{ matrix_synapse_ext_password_provider_ldap_uri }}"
+matrix_ldap_registration_proxy_ldap_base_dn: "{{ matrix_synapse_ext_password_provider_ldap_base }}"
+matrix_ldap_registration_proxy_ldap_user: "{{ matrix_synapse_ext_password_provider_ldap_bind_dn }}"
+matrix_ldap_registration_proxy_ldap_password: "{{ matrix_synapse_ext_password_provider_ldap_bind_password }}"
+```
+
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@ -1579,12 +1579,6 @@ matrix_jitsi_etherpad_base: "{{ matrix_etherpad_base_url if matrix_etherpad_enab
 # This is only for users with a specific LDAP setup
 matrix_ldap_registration_proxy_enabled: false

-# Use the LDAP values specified for the synapse role to setup LDAP proxy
-matrix_ldap_registration_proxy_ldap_uri: "{{ matrix_synapse_ext_password_provider_ldap_uri }}"
-matrix_ldap_registration_proxy_ldap_base_dn: "{{ matrix_synapse_ext_password_provider_ldap_base }}"
-matrix_ldap_registration_proxy_ldap_user: "{{ matrix_synapse_ext_password_provider_ldap_bind_dn }}"
-matrix_ldap_registration_proxy_ldap_password: "{{ matrix_synapse_ext_password_provider_ldap_bind_password }}"
-
 ######################################################################
 #
 # /matrix-ldap-registration-proxy
--- a/roles/matrix-ldap-registration-proxy/defaults/main.yml
+++ b/roles/matrix-ldap-registration-proxy/defaults/main.yml
@ -4,6 +4,7 @@

 matrix_ldap_registration_proxy_enabled: true

+matrix_ldap_registration_proxy_docker_image: matrix_ldap_registration_proxy
 matrix_ldap_registration_proxy_container_image_self_build_repo: "https://gitlab.com/activism.international/matrix_ldap_registration_proxy.git"
 matrix_ldap_registration_proxy_container_image_self_build_branch: "{{ matrix_ldap_registration_proxy_version }}"

@ -21,6 +22,8 @@ matrix_ldap_registration_proxy_ldap_password: ""
 matrix_ldap_registration_proxy_matrix_server_name: "{{ matrix_domain }}"
 matrix_ldap_registration_proxy_matrix_server_url: "https://{{ matrix_server_fqn_matrix }}"

+matrix_ldap_registration_proxy_registration_endpoint: "/_matrix/client/r0/register"
+
 # Controls whether the self-check feature should validate SSL certificates.
 matrix_matrix_ldap_registration_proxy_self_check_validate_certificates: true

@ -28,11 +31,11 @@ matrix_ldap_registration_proxy_container_port: 8080
 # Controls whether the matrix_ldap_registration_proxy container exposes its HTTP port (tcp/{{ matrix_ldap_registration_proxy_container_port }} in the container).
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8080"), or empty string to not expose.
-matrix_ldap_registration_proxy_container_http_host_bind_port: '8585'}'
+matrix_ldap_registration_proxy_container_http_host_bind_port: ''

 # `matrix_ldap_registration_proxy_container_http_host_bind_port_number_raw` contains the raw port number extracted from `matrix_ldap_registration_proxy_container_http_host_bind_port`,
- # which can contain values like this: ('1234', '127.0.0.1:1234', '0.0.0.0:1234')
- matrix_ldap_registration_proxy_container_http_host_bind_port_number_raw: "{{ '' if matrix_ldap_registration_proxy_container_http_host_bind_port == '' else (matrix_ldap_registration_proxy_container_http_host_bind_port.split(':')[1] if ':' in matrix_ldap_registration_proxy_container_http_host_bind_port else matrix_ldap_registration_proxy_container_http_host_bind_port) }}"
+# which can contain values like this: ('1234', '127.0.0.1:1234', '0.0.0.0:1234')
+matrix_ldap_registration_proxy_container_http_host_bind_port_number_raw: "{{ '' if matrix_ldap_registration_proxy_container_http_host_bind_port == '' else (matrix_ldap_registration_proxy_container_http_host_bind_port.split(':')[1] if ':' in matrix_ldap_registration_proxy_container_http_host_bind_port else matrix_ldap_registration_proxy_container_http_host_bind_port) }}"

 matrix_ldap_registration_proxy_registration_addr_with_container: "matrix-ldap_registration-proxy:{{  matrix_ldap_registration_proxy_container_http_host_bind_port_number_raw }}"
 matrix_ldap_registration_proxy_registration_addr_sans_container: "127.0.0.1:{{  matrix_ldap_registration_proxy_container_http_host_bind_port_number_raw }}"
@ -53,4 +56,3 @@ matrix_ldap_registration_proxy_systemd_wanted_services_list: []
 # matrix_ldap_registration_proxy_env_variables_extension: |
 #   KEY=value
 matrix_ldap_registration_proxy_env_variables_extension: ''
-
--- a/roles/matrix-ldap-registration-proxy/tasks/init.yml
+++ b/roles/matrix-ldap-registration-proxy/tasks/init.yml
@ -11,48 +11,48 @@
  when: matrix_ldap_registration_proxy_enabled | bool

 - block:
-   - name: Fail if matrix-nginx-proxy role already executed
-     ansible.builtin.fail:
-       msg: >-
-         Trying to append Matrix LDAP registration proxy's reverse-proxying configuration to matrix-nginx-proxy,
-         but it's pointless since the matrix-nginx-proxy role had already executed.
-         To fix this, please change the order of roles in your playbook,
-         so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-telegram role.
-     when: matrix_nginx_proxy_role_executed | default(False) | bool
+    - name: Fail if matrix-nginx-proxy role already executed
+      ansible.builtin.fail:
+        msg: >-
+          Trying to append Matrix LDAP registration proxy's reverse-proxying configuration to matrix-nginx-proxy,
+          but it's pointless since the matrix-nginx-proxy role had already executed.
+          To fix this, please change the order of roles in your playbook,
+          so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-telegram role.
+      when: matrix_nginx_proxy_role_executed | default(False) | bool

-   - name: Generate Matrix LDAP registration proxy proxying configuration for matrix-nginx-proxy
-     ansible.builtin.set_fact:
-       matrix_ldap_registration_proxy_matrix_nginx_proxy_configuration: |
-         location {{ matrix_ldap_registration_proxy_public_endpoint }} {
-         {% if matrix_nginx_proxy_enabled | default(False) %}
-            {# Use the embedded DNS resolver in Docker containers to discover the service #}
-            resolver 127.0.0.11 valid=5s;
-            set $backend "{{ matrix_ldap_registration_proxy_registration_addr_with_container }}";
-            proxy_pass http://$backend/register;;
-         {% else %}
-            {# Generic configuration for use outside of our container setup #}
-            proxy_pass http://{{ matrix_ldap_registration_proxy_registration_addr_sans_container }}/register;
-         {% endif %}
-         }
+    - name: Generate Matrix LDAP registration proxy proxying configuration for matrix-nginx-proxy
+      ansible.builtin.set_fact:
+        matrix_ldap_registration_proxy_matrix_nginx_proxy_configuration: |
+          location {{ matrix_ldap_registration_proxy_registration_endpoint }} {
+          {% if matrix_nginx_proxy_enabled | default(False) %}
+             {# Use the embedded DNS resolver in Docker containers to discover the service #}
+             resolver 127.0.0.11 valid=5s;
+             set $backend "{{ matrix_ldap_registration_proxy_registration_addr_with_container }}";
+             proxy_pass http://$backend/register;;
+          {% else %}
+             {# Generic configuration for use outside of our container setup #}
+             proxy_pass http://{{ matrix_ldap_registration_proxy_registration_addr_sans_container }}/register;
+          {% endif %}
+          }

-   - name: Register Matrix LDAP registration proxy proxying configuration with matrix-nginx-proxy
-     ansible.builtin.set_fact:
-       matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: |
-         {{
-           matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([])
-           +
-           [matrix_ldap_registration_proxy_matrix_nginx_proxy_configuration]
-         }}
-   - name: Warn about reverse-proxying if matrix-nginx-proxy not used
-     ansible.builtin.debug:
-       msg: >-
-         NOTE: You've enabled the Matrix LDAP registration proxy bridge but are not using the matrix-nginx-proxy
-         reverse proxy.
-         Please make sure that you're proxying the `{{ matrix_ldap_registration_proxy_public_endpoint }}`
-         URL endpoint to the matrix-ldap-proxy container.
-         You can expose the container's port using the `matrix_ldap_registration_proxy_container_http_host_bind_port` variable.
-     when: "not matrix_nginx_proxy_enabled | default(False) | bool"
+    - name: Register Matrix LDAP registration proxy proxying configuration with matrix-nginx-proxy
+      ansible.builtin.set_fact:
+        matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: |
+          {{
+            matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([])
+            +
+            [matrix_ldap_registration_proxy_matrix_nginx_proxy_configuration]
+          }}
+    - name: Warn about reverse-proxying if matrix-nginx-proxy not used
+      ansible.builtin.debug:
+        msg: >-
+          NOTE: You've enabled the Matrix LDAP registration proxy bridge but are not using the matrix-nginx-proxy
+          reverse proxy.
+          Please make sure that you're proxying the `{{ matrix_ldap_registration_proxy_public_endpoint }}`
+          URL endpoint to the matrix-ldap-proxy container.
+          You can expose the container's port using the `matrix_ldap_registration_proxy_container_http_host_bind_port` variable.
+      when: "not matrix_nginx_proxy_enabled | default(False) | bool"

  tags:
-   - always
-  when: matrix_ldap_registration_proxy_enabled | bool and matrix_ldap_registration_proxy_appservice_public_enabled | bool
+    - always
+  when: matrix_ldap_registration_proxy_enabled | bool