Matrix Authentication Support for Jitsi

This extends the collection with support for seamless authentication at the Jitsi server using Matrix OpenID.

1. New role for installing the [Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service)
2. Changes to Jitsi role: Installing Jitsi Prosody Mods and configuring Jitsi Auth
3. Changes to Jitsi and nginx-proxy roles: Serving .well-known/element/jitsi from jitsi.DOMAIN
4. Updated the Jitsi documentation on authentication and added documentation for the user verification service.
This commit is contained in:
jakicoll
2023-01-04 13:45:37 +01:00
parent f400093865
commit 42e4e50f5b
25 changed files with 747 additions and 59 deletions


@ -13,14 +13,16 @@ matrix_jitsi_enable_jaas_components: false
matrix_jitsi_enable_p2p: true
matrix_jitsi_enable_av_moderation: true
matrix_jitsi_enable_breakout_rooms: true
matrix_jitsi_disable_gravatar: true
# Authentication type, must be one of internal, jwt or ldap.
# Currently only internal and ldap mechanisms are supported by this playbook.
# Authentication type, must be one of internal, jwt, matrix or ldap.
# Currently, only internal, matrix and ldap mechanisms are supported by this playbook.
# matrix auth verifies against matrix openID, and requires a user-verification-service to run.
matrix_jitsi_auth_type: internal
# A list of Jitsi (Prosody) accounts to create using the internal authentication mechanism.
#
# Accounts added here and subsquently removed will not be automatically removed
# Accounts added here and subsequently removed will not be automatically removed
# from the Prosody server until user account cleaning is integrated into the playbook.
#
# Example:
@ -49,6 +51,23 @@ matrix_jitsi_ldap_tls_cacert_file: "/etc/ssl/certs/ca-certificates.crt"
matrix_jitsi_ldap_tls_cacert_dir: "/etc/ssl/certs"
matrix_jitsi_ldap_start_tls: false
# Auth type: matrix
matrix_jitsi_prosody_auth_matrix_user_verification_repo_location: "https://github.com/matrix-org/prosody-mod-auth-matrix-user-verification"
matrix_jitsi_prosody_auth_matrix_user_verification_repo_target: "{{ matrix_jitsi_prosody_ext_path }}/prosody_auth_matrix_user_verification"
matrix_jitsi_prosody_auth_matrix_user_verification_repo_version: "2839499cb03894d8cfc3e5b2219441427cb133d8" # v1.8.0
matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels: true
matrix_jitsi_prosody_auth_matrix_uvs_location: "{{ matrix_user_verification_service_container_url }}"
# Should match domain, see https://github.com/vector-im/element-web/pull/15114/commits/0410a6b3be82a41457275e4d1ce879dea146e092
matrix_jitsi_prosody_auth_matrix_jwt_app_id: "{{ matrix_server_fqn_jitsi }}"
matrix_jitsi_prosody_auth_matrix_files:
- path: "mod_auth_matrix_user_verification.lua"
when: true
- path: "mod_matrix_power_sync.lua"
when: "{{ matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels }}"
# Plugged in group_vars
#matrix_jitsi_prosody_auth_matrix_uvs_auth_token:
matrix_jitsi_timezone: UTC
matrix_jitsi_xmpp_domain: meet.jitsi
@ -180,6 +199,17 @@ matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_im
matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody"
matrix_jitsi_prosody_config_path: "{{ matrix_jitsi_prosody_base_path }}/config"
matrix_jitsi_prosody_plugins_path: "{{ matrix_jitsi_prosody_base_path }}/prosody-plugins-custom"
matrix_jitsi_prosody_ext_path: "{{ matrix_jitsi_prosody_base_path }}/ext"
# well known is currently only needed for auth type "matrix"
matrix_jitsi_require_well_known: "{{ matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix' }}"
matrix_jitsi_wellknown_element_jitsi_json: '{"auth": "openidtoken-jwt"}'
#
matrix_jitsi_muc_modules: |
{{
(['matrix_power_sync'] if matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels | bool else [])
}}
# A list of extra arguments to pass to the container
matrix_jitsi_prosody_container_extra_arguments: []
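Review bot: `matrix_jitsi_prosody_auth_matrix_uvs_location` defaults to `{{ matrix_user_verification_service_container_url }}`, but none of the user-verification-service defaults in this commit define that variable, so unless group_vars set it the Prosody role fails with an undefined variable as soon as matrix auth is enabled. Document where it comes from next to the default, e.g. `# Set in group_vars to the in-network URL of the UVS container; must be reachable from matrix-jitsi-prosody`, or give it a `| default(...)` fallback. The `# Plugged in group_vars` comment on the commented-out auth token would also benefit from stating that this value is sent by the Prosody module as the Bearer token and presumably has to equal `matrix_user_verification_service_uvs_auth_token` on the UVS side — confirm against the module.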


@ -67,3 +67,9 @@
- setup-all
- setup-jitsi
- setup-additional-jitsi-jvb
- block:
- when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix'
ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_matrix_auth.yml"
tags:
- self-check


@ -0,0 +1,62 @@
---
- ansible.builtin.set_fact:
matrix_jitsi_prosody_self_check_uvs_health_url: "{{ matrix_jitsi_prosody_auth_matrix_uvs_location }}/health"
matrix_jitsi_element_jitsi_well_known_url: "{{ matrix_jitsi_web_public_url }}/.well-known/element/jitsi"
- name: Check if jitsi serves the .well-known/element/jitsi
ansible.builtin.uri:
url: "{{ matrix_jitsi_element_jitsi_well_known_url }}"
follow_redirects: none
return_content: true
validate_certs: "{{ matrix_jitsi_self_check_validate_certificates }}"
headers:
Origin: example.com
check_mode: false
register: result_well_known_jitsi_element_jitsi
ignore_errors: true
- name: Fail if .well-known not working
ansible.builtin.fail:
msg: |
Failed checking that the Jitsi well-known file for Element auth is configured at `{{ matrix_jitsi_element_jitsi_well_known_url }}`
Full error: {{ result_well_known_jitsi_element_jitsi }}
when: "result_well_known_jitsi_element_jitsi.failed"
- name: Parse JSON for well-known payload at the matrix hostname
ansible.builtin.set_fact:
well_known_matrix_payload: "{{ result_well_known_jitsi_element_jitsi.content | from_json }}"
- name: Fail if .well-known not CORS-aware
ansible.builtin.fail:
msg: "The well-known file on `{{ matrix_jitsi_element_jitsi_well_known_url }}` is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set."
when: "'access_control_allow_origin' not in result_well_known_jitsi_element_jitsi"
- name: Report working .well-known
ansible.builtin.debug:
msg: "well-known is configured correctly at `{{ matrix_jitsi_element_jitsi_well_known_url }}`"
- name: Check if we can reach the user verification service and if it's healthy
ansible.builtin.command:
argv:
- "docker"
- "exec"
- "matrix-jitsi-prosody"
- "wget"
- "-O"
- "-"
- "--quiet"
- "{{ matrix_jitsi_prosody_self_check_uvs_health_url | quote }}"
register: matrix_jitsi_prosody_self_check_uvs_result
ignore_errors: true
- name: Fail if user verification service is not (reachable and healthy)
ansible.builtin.fail:
msg: |
Failed checking user verification service is up (checked endpoint: `{{ matrix_jitsi_prosody_self_check_uvs_health_url }}`).
Full error: {{ matrix_jitsi_prosody_self_check_uvs_result }}
when: "matrix_jitsi_prosody_self_check_uvs_result.failed"
- name: Report healthy user verification service
ansible.builtin.debug:
msg: "User verification service is working (checked endpoint: `{{ matrix_jitsi_prosody_self_check_uvs_health_url }}`)"
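Review bot: The parsed well-known payload `well_known_matrix_payload` is never inspected, so this self-check passes for any JSON served at that URL, including a wrong or missing `auth` value. Add a check after the parse step, e.g. `- name: Fail if .well-known advertises an unexpected auth type` / `ansible.builtin.fail: msg: "..."` / `when: well_known_matrix_payload.auth | default('') != (matrix_jitsi_wellknown_element_jitsi_json | from_json).auth`. Separately, the `docker exec ... wget` task uses `argv`, which does not pass through a shell, so `| quote` on the URL is unnecessary and would embed literal shell quotes into the URL if the value ever needed quoting; drop the filter. `matrix_jitsi_self_check_validate_certificates` is not among the defaults shown in this commit — presumably it already exists in the role; verify.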


@ -11,6 +11,7 @@
- {path: "{{ matrix_jitsi_prosody_base_path }}", when: true}
- {path: "{{ matrix_jitsi_prosody_config_path }}", when: true}
- {path: "{{ matrix_jitsi_prosody_plugins_path }}", when: true}
- {path: "{{ matrix_jitsi_prosody_ext_path }}", when: true}
when: item.when | bool
- name: Ensure jitsi-prosody Docker image is pulled
@ -32,6 +33,43 @@
group: "{{ matrix_user_groupname }}"
mode: 0640
# Configure matrix authentication.
- name: Install user verification plugin
ansible.builtin.include_tasks:
file: "{{ role_path }}/tasks/util/setup_jitsi_auth_uvs_install.yml"
when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == "matrix"
- name: Manage Jitsi .well-known
when: matrix_jitsi_require_well_known | bool
block:
- name: Ensure .well-known directories exist
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
mode: 0775
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- {path: "{{ matrix_static_files_base_path }}/.well-known/element", when: "{{ matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix' }}"}
when: item.when | bool
# Create .well-known/element/jitsi in the static file directory for nginx-proxy.
- name: Ensure Jitsi /.well-known/element/jitsi configured
ansible.builtin.copy:
content: "{{ matrix_jitsi_wellknown_element_jitsi_json }}"
dest: "{{ matrix_static_files_base_path }}/.well-known/element/jitsi"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == "matrix"
# END Block
# Remove matrix authentication if disabled
- name: Ensure user verification plugin is not present if matrix auth is disabled
ansible.builtin.include_tasks:
file: "{{ role_path }}/tasks/util/setup_jitsi_auth_uvs_uninstall.yml"
when: (not matrix_jitsi_enable_auth | bool) or (matrix_jitsi_auth_type != "matrix")
- name: Ensure matrix-jitsi-prosody.service file is installed
ansible.builtin.template:
src: "{{ role_path }}/templates/prosody/matrix-jitsi-prosody.service.j2"
@ -39,7 +77,9 @@
mode: 0644
register: matrix_jitsi_prosody_systemd_service_result
- name: Ensure authentication is properly configured
# Tasks that require a running prosody container are called in this file.
- name: Run prosody related tasks, that require a running container.
ansible.builtin.include_tasks:
file: "{{ role_path }}/tasks/util/setup_jitsi_auth.yml"
when: matrix_jitsi_enable_auth | bool
file: "{{ role_path }}/tasks/util/setup_jitsi_prosody_post_setup_hooks.yml"
when:
- matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == "internal"
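Review bot: The `.well-known/element` directory is created with `mode: 0775`, i.e. group-writable, while the `jitsi` file inside it is `0644` and the Prosody config above uses `0640`; any process in the matrix group could then replace the file that tells Element clients which auth scheme to use against this Jitsi. Nothing shown here needs write access to that directory (the nginx proxy only reads it), so `mode: 0755` is sufficient. The per-item `when: "{{ ... }}"` on the directory list and the `when` on the copy task duplicate the block-level `matrix_jitsi_require_well_known | bool` condition; keeping the single block condition avoids three places drifting apart.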


@ -0,0 +1,17 @@
---
#
# Tasks related to configuring Jitsi internal authentication on a running prosody instance.
#
- name: Ensure Jitsi internal authentication users are configured
ansible.builtin.shell: "{{ devture_systemd_docker_base_host_command_docker }} exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register {{ item.username | quote }} meet.jitsi {{ item.password | quote }}"
with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}"
when:
- matrix_jitsi_prosody_auth_internal_accounts|length > 0
register: matrix_jitsi_user_configuration_result
changed_when: matrix_jitsi_user_configuration_result.rc == 0
no_log: true
#
# Tasks related to clean up after configuring internal authentication.
#


@ -1,42 +0,0 @@
---
#
# Start Necessary Services
#
- name: Ensure matrix-jitsi-prosody container is running
ansible.builtin.systemd:
state: started
name: matrix-jitsi-prosody
register: matrix_jitsi_prosody_start_result
#
# Tasks related to configuring Jitsi internal authentication
#
- name: Ensure Jitsi internal authentication users are configured
ansible.builtin.shell: "{{ devture_systemd_docker_base_host_command_docker }} exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register {{ item.username | quote }} meet.jitsi {{ item.password | quote }}"
with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}"
when:
- matrix_jitsi_auth_type == "internal"
- matrix_jitsi_prosody_auth_internal_accounts|length > 0
register: matrix_jitsi_user_configuration_result
changed_when: matrix_jitsi_user_configuration_result.rc == 0
no_log: true
#
# Tasks related to configuring other Jitsi authentication mechanisms
#
#
# Tasks related to cleaning after Jitsi authentication configuration
#
#
# Stop Necessary Services
#
- name: Ensure matrix-jitsi-prosody container is stopped if necessary
ansible.builtin.systemd:
state: stopped
name: matrix-jitsi-prosody
when: matrix_jitsi_prosody_start_result.changed | bool


@ -0,0 +1,13 @@
- name: Checkout Prosody Auth Matrix User Verification Plugin Repo
ansible.builtin.git:
repo: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_location }}"
dest: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}"
version: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_version }}"
- name: Install Prosody Auth Matrix User Verification Plugin
ansible.builtin.copy:
remote_src: yes
src: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}/{{ item.path }}"
dest: "{{ matrix_jitsi_prosody_plugins_path }}/{{ item.path }}"
with_items: "{{ matrix_jitsi_prosody_auth_matrix_files }}"
when: item.when | bool
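Review bot: The copied Lua modules are written with no explicit `mode`, `owner` or `group`, so their permissions depend on the connecting user's umask and they typically end up root-owned, unlike the Prosody config in this role (`0640`, matrix user/group). Prosody loads these files as code, so set them deliberately: `mode: 0644` / `owner: "{{ matrix_user_username }}"` / `group: "{{ matrix_user_groupname }}"` — readable by the container user, not writable by it. Pinning the checkout to a full commit hash is the right choice for third-party code fetched at deploy time; consider adding `force: true` to the `git` task so a locally modified checkout is reset to the pinned revision instead of being installed as-is.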


@ -0,0 +1,26 @@
- name: Remove all files regarding prosody mod auth_matrix_user_verification and .well-known/element/jitsi
ansible.builtin.file:
path: "{{ item }}"
state: absent
with_flattened:
- "{{ matrix_static_files_base_path }}/.well-known/element/jitsi"
- "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}"
- "{{ matrix_jitsi_prosody_auth_matrix_files | map(attribute='path') | map('regex_replace', '^', matrix_jitsi_prosody_plugins_path+'/') | list }}"
register: matrix_jitsi_prosody_auth_matrix_user_verification_uninstalled
- name: Remove .well-known/element directory if empty
ansible.builtin.command:
argv:
- rmdir
- "{{ matrix_static_files_base_path }}/.well-known/element"
removes: "{{matrix_static_files_base_path}}/.well-known/element"
ignore_errors: yes
- when: matrix_jitsi_prosody_auth_matrix_user_verification_uninstalled.changed
block:
- name: Populate service facts
ansible.builtin.service_facts:
- name: Ensure prosody is restarted later on if currently running
set_fact:
matrix_jitsi_prosody_require_restart: "{{ true if ansible_facts.services['matrix-jitsi-prosody.service']['state'] == 'running' else false }}"
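Review bot: `ansible_facts.services['matrix-jitsi-prosody.service']['state']` raises an undefined-key error when that unit is not known to systemd, and this block runs whenever the removal changed something, so a host where the unit file is absent (or named differently) fails here instead of finishing the uninstall. Guard the lookup: `matrix_jitsi_prosody_require_restart: "{{ (ansible_facts.services['matrix-jitsi-prosody.service'] | default({})).state | default('') == 'running' }}"`. The `rmdir` task hides every failure behind `ignore_errors: yes`; a non-empty directory is the only expected failure, so `failed_when: false` with a `changed_when` on the return code is clearer, and `yes` should be `true` like the rest of the role. Minor: `set_fact` is the only unqualified module here; use `ansible.builtin.set_fact`.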


@ -0,0 +1,49 @@
---
#####
#
# This tasks file starts and stops (if state before was stopped) a prosody container during setup to run commands,
# that require a running prosody container.
# The task is called in ../setup_jitsi_prosody_install.yml.
#
# Important: The task is called conditionally, as to only start if really needed.
# So if you add or change anything - remember to also change the 'when' in: ../setup_jitsi_prosody_install.yml
#
#####
#
# Start Necessary Services
#
- name: Ensure matrix-jitsi-prosody container is running
ansible.builtin.systemd:
state: "{{ 'restarted' if matrix_jitsi_prosody_require_restart | d(false) | bool else 'started' }}"
name: matrix-jitsi-prosody
register: matrix_jitsi_prosody_start_result
# If the flag was set, we can safely disable now.
- name: Disable require restart flag
set_fact:
matrix_jitsi_prosody_require_restart: false
#
# Tasks related to configuring Jitsi internal authentication
#
- name: Ensure internal authentication is properly configured
ansible.builtin.include_tasks:
file: "{{ role_path }}/tasks/util/prosody_post_setup_hooks/setup_jitsi_auth_internal.yml"
when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == "internal"
#
# Tasks related to ...
#
#
# Stop Necessary Services
#
- name: Ensure matrix-jitsi-prosody container is stopped if necessary
ansible.builtin.systemd:
state: stopped
name: matrix-jitsi-prosody
when: matrix_jitsi_prosody_start_result.changed | bool
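Review bot: This file is the only place that consumes `matrix_jitsi_prosody_require_restart`, yet the `when` that includes it (in setup_jitsi_prosody_install.yml) restricts it to `matrix_jitsi_auth_type == "internal"`, so when matrix auth is switched off in favour of ldap or no auth the flag set by the uninstall tasks is never acted on here. If the plugin removal is meant to take effect immediately, widen the include condition, e.g. `when: (matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == "internal") or matrix_jitsi_prosody_require_restart | d(false) | bool`; otherwise state in the header comment that the restart is left to the regular service (re)start later in the playbook. The header already warns that the include condition must be kept in sync; naming `matrix_jitsi_prosody_require_restart` there would make the coupling explicit.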


@ -25,16 +25,25 @@
- "matrix_jitsi_jvb_auth_password"
- name: Fail if a Jitsi internal authentication account is not defined
- name: Fail if authentication is enabled, but not properly configured.
ansible.builtin.fail:
msg: >-
You have enabled authentication, but the configured auth type is missing required configuration.
Auth type 'internal':
At least one Jitsi user needs to be defined in `matrix_jitsi_prosody_auth_internal_accounts` when using internal authentication.
If you're setting up Jitsi for the first time, you may have missed a step.
Refer to our setup instructions (docs/configuring-playbook-jitsi.md).
Auth type 'matrix':
If you want to enable matrix_user_verification in jitsi,
please provide an auth token for the user verification service (uvs) using `matrix_jitsi_prosody_auth_matrix_uvs_auth_token`.
If the user-verfication-service is also managed by this playbook the token is derived from `matrix_homeserver_generic_secret_key` in the group vars.
when:
- matrix_jitsi_enable_auth | bool
- matrix_jitsi_auth_type == 'internal'
- matrix_jitsi_prosody_auth_internal_accounts|length == 0
- ((matrix_jitsi_auth_type == 'internal' and matrix_jitsi_prosody_auth_internal_accounts|length == 0)
or (matrix_jitsi_auth_type == 'matrix' and matrix_jitsi_prosody_auth_matrix_uvs_auth_token|length == 0))
- name: (Deprecation) Catch and report renamed settings
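Review bot: `matrix_jitsi_prosody_auth_matrix_uvs_auth_token|length == 0` raises an undefined-variable error instead of the explanatory message when the token is simply not set, which is exactly the state the defaults file ships in (the key is commented out). Use `matrix_jitsi_prosody_auth_matrix_uvs_auth_token | default('') | length == 0` so the intended message is shown. The env template renders `MATRIX_UVS_AUTH_TOKEN` only `if ... is defined`, treating the token as optional, while this check treats it as mandatory; the two should agree, and requiring it is the safer choice since without it Prosody calls the UVS API unauthenticated. Typo in the message: `user-verfication-service`.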


@ -41,6 +41,12 @@ LDAP_TLS_CACERT_DIR={{ matrix_jitsi_ldap_tls_cacert_dir }}
LDAP_START_TLS={{ 1 if matrix_jitsi_ldap_start_tls else 0 }}
LDAP_URL={{ matrix_jitsi_ldap_url }}
LDAP_USE_TLS={{ 1 if matrix_jitsi_ldap_use_tls else 0 }}
MATRIX_UVS_ISSUER={{ matrix_jitsi_prosody_auth_matrix_jwt_app_id }}
MATRIX_UVS_URL={{ matrix_jitsi_prosody_auth_matrix_uvs_location }}
{% if matrix_jitsi_prosody_auth_matrix_uvs_auth_token is defined %}
MATRIX_UVS_AUTH_TOKEN={{ matrix_jitsi_prosody_auth_matrix_uvs_auth_token }}
{% endif %}
MATRIX_UVS_SYNC_POWER_LEVELS={{ 'true' if matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels else 'false' }}
PUBLIC_URL={{ matrix_jitsi_web_public_url }}
TURN_CREDENTIALS={{ matrix_jitsi_turn_credentials }}
TURN_HOST={{ matrix_jitsi_turn_host }}
@ -55,7 +61,7 @@ XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }}
XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }}
XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }}
XMPP_MODULES={{ matrix_jitsi_xmpp_modules }}
XMPP_MUC_MODULES=
XMPP_MUC_MODULES={{ matrix_jitsi_muc_modules | join(',') }}
XMPP_INTERNAL_MUC_MODULES=
XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }}
XMPP_CROSS_DOMAIN=true


@ -11,6 +11,10 @@ config.p2p.stunServers = [
];
{% endif %}
{% if matrix_jitsi_disable_gravatar %}
config.gravatar = {'disabled': true};
{% endif %}
{% if matrix_jitsi_etherpad_enabled %}
config.etherpad_base = {{ (matrix_jitsi_etherpad_base + '/p/') |to_json }}
{% endif %}


@ -203,6 +203,8 @@ matrix_nginx_proxy_proxy_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }
# Controls whether proxying the jitsi domain should be done.
matrix_nginx_proxy_proxy_jitsi_enabled: false
matrix_nginx_proxy_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}"
matrix_nginx_proxy_proxy_jitsi_manage_wellknown: false
matrix_nginx_proxy_proxy_jitsi_well_known_configuration_blocks: []
# Controls whether proxying the grafana domain should be done.
matrix_nginx_proxy_proxy_grafana_enabled: false


@ -18,6 +18,15 @@
{{- configuration_block }}
{% endfor %}
{% if matrix_nginx_proxy_proxy_jitsi_manage_wellknown %}
location /.well-known {
root {{ matrix_static_files_base_path }};
expires 4h;
default_type application/json;
add_header Access-Control-Allow-Origin *;
}
{% endif %}
location / {
{% if matrix_nginx_proxy_enabled %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
@ -75,7 +84,7 @@
{% if matrix_nginx_proxy_enabled %}
resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;
set $backend {{ matrix_jitsi_xmpp_bosh_url_base }};
proxy_pass $backend/xmpp-websocket;
proxy_pass $backend$request_uri;
{% else %}
{# Generic configuration for use outside of our container setup #}
proxy_pass http://127.0.0.1:5280;
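Review bot: `location /.well-known` serves the whole `{{ matrix_static_files_base_path }}/.well-known` tree from the Jitsi hostname with `Access-Control-Allow-Origin *`, not just the one file this feature needs; that directory is the playbook's shared static path, so any homeserver `.well-known/matrix/*` files living there become reachable at jitsi.DOMAIN too. Narrow it to what Element actually requests: `location = /.well-known/element/jitsi {` with the same body, or at least `location /.well-known/element/ {`. The `matrix_nginx_proxy_proxy_jitsi_well_known_configuration_blocks` default added alongside is not referenced in this hunk — presumably it is iterated elsewhere in the template; verify, or drop the unused variable.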


@ -0,0 +1,81 @@
---
# Set this to the display name for ansible used in Output e.g. fail_msg
matrix_user_verification_service_ansible_name: "Matrix User Verification Service"
# Enable by default. This is overwritten in provided group vars.
matrix_user_verification_service_enabled: true
# Fix version tag
matrix_user_verification_service_version: "v2.0.0"
# Paths
matrix_user_verification_service_base_path: "{{ matrix_base_data_path }}/user-verification-service"
# We need the docker src directory to be named user_verification_service. See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/588
matrix_user_verification_service_docker_src_files_path: "{{ matrix_user_verification_service_base_path }}/docker-src/user-verification-service"
matrix_user_verification_service_config_path: "{{ matrix_user_verification_service_base_path }}/config"
matrix_user_verification_service_config_env_file: "{{ matrix_user_verification_service_config_path }}/.env"
# Set this to true in order to not use the docker image from docker hub, but rather build locally
matrix_user_verification_service_container_image_self_build: false
matrix_user_verification_service_container_image_self_build_repo: "https://github.com/matrix-org/matrix-user-verification-service.git"
matrix_user_verification_service_container_image_self_build_branch: "{{ matrix_user_verification_service_version }}"
# Docker
matrix_user_verification_service_docker_image_name_prefix: "{{ 'localhost/' if matrix_user_verification_service_container_image_self_build else matrix_container_global_registry_prefix }}"
matrix_user_verification_service_docker_image: "{{ matrix_user_verification_service_docker_image_name_prefix }}matrixdotorg/matrix-user-verification-service:{{ matrix_user_verification_service_version }}"
matrix_user_verification_service_docker_image_force_pull: "{{ matrix_user_verification_service_docker_image.endswith(':latest') }}"
matrix_user_verification_service_container_name: "matrix-user-verification-service"
# Normally this would run on port 3000 however that may conflict with grafana. It is thus advised to change this port.
#matrix_user_verification_service_container_http_host_bind_port:
matrix_user_verification_service_container_extra_arguments: []
# Systemd
matrix_user_verification_service_systemd_required_services_list: []
matrix_user_verification_service_systemd_wanted_services_list: []
matrix_user_verification_service_systemd_service_basename: "matrix-user-verification-service"
matrix_user_verification_service_systemd_service_name: "{{ matrix_user_verification_service_systemd_service_basename }}.service"
# Matrix User Verification Service Configuration
## REQUIRED
# Homeserver client API admin token (synapse only)- Required for the service to verify room membership
# matrix_user_verification_service_uvs_access_token:
# homeserver client api url
# matrix_user_verification_service_uvs_homeserver_url: ""
# disable check for non private ip range of homeserver. e.g. set to `true` if your homeserver domain resolves to a private ip.
matrix_user_verification_service_uvs_disable_ip_blacklist: false
## OPTIONAL
# Auth token to protect the API
# If this is set any calls to the provided API endpoints
# need have the header "Authorization: Bearer changeme".
# matrix_user_verification_service_uvs_auth_token: changeme
# Matrix server name to verify OpenID tokens against. See below section.
# Defaults to empty value which means verification is made against
# whatever Matrix server name passed in with the token
# matrix_user_verification_service_uvs_openid_verify_server_name: matrix.org
# Log level, defaults to 'info'
# See choices here: https://github.com/winstonjs/winston#logging-levels
# matrix_user_verification_service_uvs_log_level: info
######################################################################
##### #####
##### Variables used in this role which are not set by this role #####
##### #####
######################################################################
# matrix_user_username
# matrix_user_groupname
# matrix_user_uid
# matrix_user_gid
# matrix_container_global_registry_prefix
# matrix_docker_network
# devture_systemd_docker_base_systemd_path
# devture_systemd_docker_base_systemd_unit_home_path
# devture_systemd_docker_base_host_command_sh
# devture_systemd_docker_base_host_command_docker
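Review bot: `matrix_user_verification_service_uvs_auth_token` is optional, so with the shipped default (unset) the UVS API accepts unauthenticated requests from anything on `matrix_docker_network`, while the service itself holds a homeserver admin token (`uvs_access_token`) and answers room-membership queries. Since the Prosody side is already required to carry a token, document here that the two must match and that leaving this unset is only acceptable on a fully trusted network, e.g. `# Strongly recommended; without it any container on the docker network can query the API.` Next to `uvs_access_token`, state that it grants admin access to the homeserver and should be a dedicated token for this service. `uvs_openid_verify_server_name` deserves a similar nudge: per its own comment the empty default verifies against whichever server name the token claims, so setting it to your own server name restricts which homeservers' users are accepted.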


@ -0,0 +1,6 @@
---
- name: Ensure systemd reloaded after matrix-user-verification-service.service installation
service:
daemon_reload: yes
listen: "reload matrix-user-verification-service"


@ -0,0 +1,24 @@
---
- name: verify all necessary variables are present
assert:
that:
- matrix_user_verification_service_uvs_access_token is defined and matrix_user_verification_service_uvs_access_token|length
- matrix_user_verification_service_uvs_homeserver_url is defined and matrix_user_verification_service_uvs_homeserver_url|length
fail_msg: "Missing variable in {{ matrix_user_verification_service_ansible_name }} role"
- block:
- when: run_setup | bool and matrix_user_verification_service_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
tags:
- setup-all
- setup-user-verification-service
- install-all
- install-user-verification-service
- block:
- when: run_setup | bool and not matrix_user_verification_service_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
tags:
- setup-all
- setup-user-verification-service
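Review bot: The `assert` on `uvs_access_token` and `uvs_homeserver_url` carries no `when` and no tags, so it runs — and fails — on every play for deployments that do not use the service unless group_vars always supply both values; `matrix_user_verification_service_enabled` is only consulted by the two blocks below it. Guard it with `when: run_setup | bool and matrix_user_verification_service_enabled | bool` and tag it like the install block, or move it to the top of `setup_install.yml`. Unqualified `assert` should be `ansible.builtin.assert` to match the `include_tasks` calls in the same file.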


@ -0,0 +1,42 @@
---
- name: "Ensure Matrix User Verification Service paths exist"
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_user_verification_service_config_path }}", when: true }
- { path: "{{ matrix_user_verification_service_docker_src_files_path }}", when: "{{ matrix_user_verification_service_container_image_self_build }}" }
when: item.when | bool
- name: Ensure Matrix User Verification Service image is pulled
community.docker.docker_image:
name: "{{ matrix_user_verification_service_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_user_verification_service_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_user_verification_service_docker_image_force_pull }}"
when: "not matrix_user_verification_service_container_image_self_build | bool"
register: result
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed
#- block:
# TODO
# when: "matrix_user_verification_service_container_image_self_build|bool"
- name: write env file
ansible.builtin.template:
src: "{{ role_path }}/templates/.env.j2"
dest: "{{ matrix_user_verification_service_config_env_file }}"
mode: 0644
- name: Ensure matrix-user-verification-service.service installed
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/matrix-user-verification-service.service.j2"
dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}"
mode: 0644
notify: "reload matrix-user-verification-service"
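Review bot: The `.env` written here contains `UVS_ACCESS_TOKEN`, a homeserver admin token, and `UVS_AUTH_TOKEN`, yet it is created with `mode: 0644` and no owner/group — world-readable and owned by whatever account Ansible connects as. The Jitsi env file in this same commit uses `0640` with the matrix user and group; do the same: `mode: 0640` / `owner: "{{ matrix_user_username }}"` / `group: "{{ matrix_user_groupname }}"` — the container runs as `matrix_user_uid:matrix_user_gid` and mounts the file read-only, so that is all it needs. The self-build path is a `# TODO` while `container_image_self_build` is an advertised option; until it is implemented, fail fast with a clear message when it is `true` so the service does not silently end up without an image.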


@ -0,0 +1,35 @@
---
- name: Check existence of matrix-user-verification-service service
stat:
path: "{{ matrix_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}"
register: matrix_user_verification_service_service_stat
- name: Ensure matrix-user-verification-service is stopped
service:
name: "{{ matrix_user_verification_service_systemd_service_basename }}"
state: stopped
daemon_reload: yes
register: stopping_result
when: "matrix_user_verification_service_service_stat.stat.exists|bool"
- name: Ensure matrix-user-verification-service.service doesn't exist
file:
path: "{{ matrix_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}"
state: absent
when: "matrix_user_verification_service_service_stat.stat.exists|bool"
- name: Ensure systemd reloaded after matrix-user-verification-service.service removal
service:
daemon_reload: yes
when: "matrix_user_verification_service_service_stat.stat.exists|bool"
- name: Ensure Matrix user-verification-service paths don't exist
file:
path: "{{ matrix_user_verification_service_base_path }}"
state: absent
- name: Ensure user-verification-service Docker image doesn't exist
docker_image:
name: "{{ matrix_user_verification_service_docker_image }}"
state: absent
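Review bot: The `stat` and `file` tasks use `matrix_systemd_path`, but the install task and the role's own list of externally provided variables use `devture_systemd_docker_base_systemd_path`; if `matrix_systemd_path` is undefined the uninstall aborts with an undefined variable, and if it points elsewhere the unit file is never removed. Use `path: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}"` in both places. Module names here (`stat`, `service`, `file`, `docker_image`) are unqualified while the install file uses `ansible.builtin.*` and `community.docker.docker_image`; align them, and write `daemon_reload: true` rather than `yes`.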


@ -0,0 +1,14 @@
UVS_ACCESS_TOKEN={{ matrix_user_verification_service_uvs_access_token }}
UVS_HOMESERVER_URL={{ matrix_user_verification_service_uvs_homeserver_url }}
UVS_DISABLE_IP_BLACKLIST={{ matrix_user_verification_service_uvs_disable_ip_blacklist }}
{% if matrix_user_verification_service_uvs_auth_token is defined and matrix_user_verification_service_uvs_auth_token|length %}
UVS_AUTH_TOKEN={{ matrix_user_verification_service_uvs_auth_token }}
{% endif %}
{% if matrix_user_verification_service_uvs_openid_verify_server_name is defined and matrix_user_verification_service_uvs_openid_verify_server_name|length %}
UVS_OPENID_VERIFY_SERVER_NAME={{ matrix_user_verification_service_uvs_openid_verify_server_name }}
{% endif %}
{% if matrix_user_verification_service_uvs_log_level is defined and matrix_user_verification_service_uvs_log_level|length %}
UVS_LOG_LEVEL={{ matrix_user_verification_service_uvs_log_level }}
{% endif %}
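Review bot: `UVS_DISABLE_IP_BLACKLIST={{ matrix_user_verification_service_uvs_disable_ip_blacklist }}` renders the Ansible boolean as `False`/`True`, whereas the Jitsi env template in this commit deliberately emits lowercase strings for `MATRIX_UVS_SYNC_POWER_LEVELS`; whether UVS accepts a capitalised value cannot be confirmed from here. Render it the same way: `UVS_DISABLE_IP_BLACKLIST={{ 'true' if matrix_user_verification_service_uvs_disable_ip_blacklist | bool else 'false' }}`. This file carries the homeserver admin token in clear text, so the permissions it is written with in `setup_install.yml` matter more than for the other env files.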


@ -0,0 +1,42 @@
#jinja2: lstrip_blocks: "True"
[Unit]
Description={{ matrix_user_verification_service_ansible_name }}
{% for service in matrix_user_verification_service_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
{% for service in matrix_user_verification_service_systemd_wanted_services_list %}
Wants={{ service }}
{% endfor %}
DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_user_verification_service_container_name }} 2>/dev/null'
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_user_verification_service_container_name }} 2>/dev/null'
ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {{ matrix_user_verification_service_container_name }}\
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--read-only \
--network={{ matrix_docker_network }} \
{% if matrix_user_verification_service_container_http_host_bind_port %}
-p {{ matrix_user_verification_service_container_http_host_bind_port }}:3000 \
{% endif %}
--mount type=bind,src={{ matrix_user_verification_service_config_env_file }},dst=/app/.env,ro \
{% for arg in matrix_user_verification_service_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_user_verification_service_docker_image }}
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_user_verification_service_container_name }} 2>/dev/null'
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_user_verification_service_container_name }} 2>/dev/null'
Restart=always
RestartSec=30
SyslogIdentifier={{ matrix_user_verification_service_systemd_service_basename }}
[Install]
WantedBy=multi-user.target
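Review bot: `-p {{ matrix_user_verification_service_container_http_host_bind_port }}:3000` publishes the UVS API on every host interface whenever the port is set, although the only intended client (the Jitsi Prosody container) reaches it via the in-network container URL; if host exposure is wanted at all, bind to loopback by default, `-p 127.0.0.1:{{ matrix_user_verification_service_container_http_host_bind_port }}:3000`, and say in the defaults that the API must then be protected by `uvs_auth_token`. The `{% if matrix_user_verification_service_container_http_host_bind_port %}` test errors on an undefined variable, and the defaults file only ships the key commented out; use `{% if matrix_user_verification_service_container_http_host_bind_port is defined and matrix_user_verification_service_container_http_host_bind_port %}` or define it as `""` in defaults. `--read-only` with `--cap-drop=ALL` and a non-root user is good hardening; confirm the Node process does not need a writable `/tmp` (add `--tmpfs /tmp` if it does).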