finallycoffee/matrix-docker-ansible-deploy
5
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add support for Matrix Authentication Service

Browse Source 
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3108

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3562
This commit is contained in:
Slavi Pantaleev
2024-10-19 14:31:14 +03:00
parent 8bdc8fd037
commit 8f16524789
38 changed files with 2170 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

596
roles/custom/matrix-authentication-service/defaults/main.yml Normal file
View File

@ -0,0 +1,596 @@
---
# matrix-authentication-service (MAS) is an OAuth 2.0 and OpenID Provider server for Matrix.
# Project source code URL: https://github.com/element-hq/matrix-authentication-service
matrix_authentication_service_enabled: true
matrix_authentication_service_hostname: ''
# Controls the path prefix for the authentication service.
# This value must either be `/` or not end with a slash (e.g. `/auth`).
matrix_authentication_service_path_prefix: /
matrix_authentication_service_container_image_self_build: false
matrix_authentication_service_container_repo: "https://github.com/element-hq/matrix-authentication-service.git"
matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authentication_service_version == 'latest' else ('v' + matrix_authentication_service_version) }}"
matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src"
# renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service
matrix_authentication_service_version: 0.12.0
matrix_authentication_service_container_image: "{{ matrix_authentication_service_container_image_name_prefix }}element-hq/matrix-authentication-service:{{ matrix_authentication_service_version }}"
matrix_authentication_service_container_image_name_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else 'ghcr.io/' }}"
matrix_authentication_service_container_image_force_pull: "{{ matrix_authentication_service_container_image.endswith(':latest') }}"
matrix_authentication_service_base_path: "{{ matrix_base_data_path }}/matrix-authentication-service"
matrix_authentication_service_bin_path: "{{ matrix_authentication_service_base_path }}/bin"
matrix_authentication_service_config_path: "{{ matrix_authentication_service_base_path }}/config"
matrix_authentication_service_data_path: "{{ matrix_authentication_service_base_path }}/data"
matrix_authentication_service_data_keys_path: "{{ matrix_authentication_service_data_path }}/keys"
matrix_authentication_service_uid: "{{ matrix_user_uid }}"
matrix_authentication_service_gid: "{{ matrix_user_gid }}"
matrix_authentication_service_container_network: ""
matrix_authentication_service_container_additional_networks: "{{ matrix_authentication_service_container_additional_networks_auto + matrix_authentication_service_container_additional_networks_custom }}"
matrix_authentication_service_container_additional_networks_auto: []
matrix_authentication_service_container_additional_networks_custom: []
# A list of extra arguments to pass to the container
matrix_authentication_service_container_extra_arguments: []
# List of systemd services that matrix-authentication-service.service depends on
matrix_authentication_service_systemd_required_services_list: "{{ matrix_authentication_service_systemd_required_services_list_default + matrix_authentication_service_systemd_required_services_list_auto + matrix_authentication_service_systemd_required_services_list_custom }}"
matrix_authentication_service_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
matrix_authentication_service_systemd_required_services_list_auto: []
matrix_authentication_service_systemd_required_services_list_custom: []
# List of systemd services that matrix-authentication-service.service wants
matrix_authentication_service_systemd_wanted_services_list: "{{ matrix_authentication_service_systemd_wanted_services_list_auto + matrix_authentication_service_systemd_wanted_services_list_custom }}"
matrix_authentication_service_systemd_wanted_services_list_auto: []
matrix_authentication_service_systemd_wanted_services_list_custom: []
########################################################################################
# #
# Key management #
# #
########################################################################################
# Controls whether the playbook will manage the secrets keys for you.
#
# See:
# - matrix_authentication_service_config_secrets_keys
# - matrix_authentication_service_key_management_*
matrix_authentication_service_key_management_enabled: true
matrix_authentication_service_key_management_list: "{{ matrix_authentication_service_key_management_list_default + matrix_authentication_service_key_management_list_custom }}"
matrix_authentication_service_key_management_list_default: |-
{{
(
([
{
"config": {
"kid": matrix_authentication_service_key_management_rsa_2048_key_id,
"key_file": ("/keys/" + matrix_authentication_service_key_management_rsa_2048_key_file),
},
"key_file": matrix_authentication_service_key_management_rsa_2048_key_file,
"generation_command": matrix_authentication_service_key_management_rsa_2048_generation_command,
}
] if matrix_authentication_service_key_management_rsa_2048_enabled else [])
+
([
{
"config": {
"kid": matrix_authentication_service_key_management_ecdsa_p256_key_id,
"key_file": ("/keys/" + matrix_authentication_service_key_management_ecdsa_p256_key_file),
},
"key_file": matrix_authentication_service_key_management_ecdsa_p256_key_file,
"generation_command": matrix_authentication_service_key_management_ecdsa_p256_generation_command,
}
] if matrix_authentication_service_key_management_ecdsa_p256_enabled else [])
+
([
{
"config": {
"kid": matrix_authentication_service_key_management_ecdsa_p384_key_id,
"key_file": ("/keys/" + matrix_authentication_service_key_management_ecdsa_p384_key_file),
},
"key_file": matrix_authentication_service_key_management_ecdsa_p384_key_file,
"generation_command": matrix_authentication_service_key_management_ecdsa_p384_generation_command,
}
] if matrix_authentication_service_key_management_ecdsa_p384_enabled else [])
+
([
{
"config": {
"kid": matrix_authentication_service_key_management_ecdsa_k256_key_id,
"key_file": ("/keys/" + matrix_authentication_service_key_management_ecdsa_k256_key_file),
},
"key_file": matrix_authentication_service_key_management_ecdsa_k256_key_file,
"generation_command": matrix_authentication_service_key_management_ecdsa_k256_generation_command,
}
] if matrix_authentication_service_key_management_ecdsa_k256_enabled else [])
)
if matrix_authentication_service_key_management_enabled
else []
}}
matrix_authentication_service_key_management_list_custom: []
matrix_authentication_service_key_management_rsa_2048_enabled: true
matrix_authentication_service_key_management_rsa_2048_key_id: default-rsa
matrix_authentication_service_key_management_rsa_2048_key_file: rsa-2048.priv.pem
matrix_authentication_service_key_management_rsa_2048_generation_command: "openssl genpkey -algorithm RSA -out __KEY_FILE_PATH__ -pkeyopt rsa_keygen_bits:2048"
matrix_authentication_service_key_management_ecdsa_p256_enabled: true
matrix_authentication_service_key_management_ecdsa_p256_key_id: default-ecdsa-p256
matrix_authentication_service_key_management_ecdsa_p256_key_file: ecdsa-p256.priv.pem
matrix_authentication_service_key_management_ecdsa_p256_generation_command: "openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out __KEY_FILE_PATH__ -outform PEM"
matrix_authentication_service_key_management_ecdsa_p384_enabled: true
matrix_authentication_service_key_management_ecdsa_p384_key_id: default-ecdsa-p384
matrix_authentication_service_key_management_ecdsa_p384_key_file: ecdsa-p384.priv.pem
matrix_authentication_service_key_management_ecdsa_p384_generation_command: "openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp384r1 -out __KEY_FILE_PATH__ -outform PEM"
matrix_authentication_service_key_management_ecdsa_k256_enabled: true
matrix_authentication_service_key_management_ecdsa_k256_key_id: default-ecdsa-k256
matrix_authentication_service_key_management_ecdsa_k256_key_file: ecdsa-k256.priv.pem
matrix_authentication_service_key_management_ecdsa_k256_generation_command: "openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp256k1 -out __KEY_FILE_PATH__ -outform PEM"
########################################################################################
# #
# /Key management #
# #
########################################################################################
########################################################################################
# #
# Email configuration #
# #
########################################################################################
# Controls the `email.from` configuration setting.
matrix_authentication_service_config_email_from: '"{{ matrix_authentication_service_config_email_from_name }}" <{{ matrix_authentication_service_config_email_from_address }}>'
matrix_authentication_service_config_email_from_name: 'Matrix Authentication Service'
matrix_authentication_service_config_email_from_address: "matrix@{{ matrix_domain }}"
# Controls the `email.reply_to` configuration setting.
matrix_authentication_service_config_email_reply_to: '"{{ matrix_authentication_service_config_email_reply_to_name }}" <{{ matrix_authentication_service_config_email_reply_to_address }}>'
matrix_authentication_service_config_email_reply_to_name: "{{ matrix_authentication_service_config_email_from_name }}"
matrix_authentication_service_config_email_reply_to_address: "{{ matrix_authentication_service_config_email_from_address }}"
# Controls the `email.transport` configuration setting.
#
# Valid options are: blackhole, smtp, aws_ses
# Upstream reports that `sendmail` is supported as well,
# but this is not true when running it in a container image due to the `sendmail` binary not being included.
matrix_authentication_service_config_email_transport: blackhole
# Controls the `email.mode` configuration setting for SMTP.
# Options are 'plain', 'tls', or 'starttls'.
matrix_authentication_service_config_email_mode: plain
# Controls the `email.hostname` configuration setting for SMTP.
matrix_authentication_service_config_email_hostname: ""
# Controls the `email.port` configuration setting for SMTP.
matrix_authentication_service_config_email_port: 587
# Controls the `email.username` configuration setting for SMTP.
matrix_authentication_service_config_email_username: ""
# Controls the `email.password` configuration setting for SMTP.
matrix_authentication_service_config_email_password: ""
########################################################################################
# #
# /Email configuration #
# #
########################################################################################
########################################################################################
# #
# Account configuration #
# #
########################################################################################
# Controls the `account.email_change_allowed` configuration setting.
#
# Whether users are allowed to change their email addresses.
matrix_authentication_service_config_account_email_change_allowed: true
# Controls the `account.displayname_change_allowed` configuration setting.
#
# Whether users are allowed to change their display names.
# This should be in sync with the policy in the homeserver configuration.
matrix_authentication_service_config_account_displayname_change_allowed: true
# Controls the `account.password_registration_enabled` configuration setting.
#
# Whether to enable self-service password registration.
# This has no effect if password login is disabled.
matrix_authentication_service_config_account_password_registration_enabled: false
# Controls the `account.password_change_allowed` configuration setting.
#
# Whether users are allowed to change their passwords.
# This has no effect if password login is disabled.
matrix_authentication_service_config_account_password_change_allowed: true
# Controls the `account.password_recovery_enabled` configuration setting.
#
# Whether email-based password recovery is enabled
# This has no effect if password login is disabled.
matrix_authentication_service_config_account_password_recovery_enabled: false
########################################################################################
# #
# /Account configuration #
# #
########################################################################################
########################################################################################
# #
# Database configuration #
# #
########################################################################################
# Controls the `database.username` configuration setting.
matrix_authentication_service_config_database_username: 'matrix_authentication_service'
# Controls the `database.password` configuration setting.
matrix_authentication_service_config_database_password: ''
# Controls the `database.host` configuration setting.
matrix_authentication_service_config_database_host: ''
# Controls the `database.port` configuration setting.
matrix_authentication_service_config_database_port: 5432
# Controls the `database.database` configuration setting.
matrix_authentication_service_config_database_database: 'matrix_authentication_service'
# Controls the `database.ssl_mode` configuration setting.
matrix_authentication_service_config_database_ssl_mode: disable
# Controls the `database.max_connections` configuration setting.
matrix_authentication_service_config_database_max_connections: 10
# Controls the `database.min_connections` configuration setting.
matrix_authentication_service_config_database_min_connections: 0
# Controls the `database.connect_timeout` configuration setting.
matrix_authentication_service_config_database_connect_timeout: 30
# Controls the `database.idle_timeout` configuration setting.
matrix_authentication_service_config_database_idle_timeout: 600
# Controls the `database.max_lifetime` configuration setting.
matrix_authentication_service_config_database_max_lifetime: 1800
########################################################################################
# #
# /Database configuration #
# #
########################################################################################
########################################################################################
# #
# Secrets configuration #
# #
########################################################################################
# Controls the `secrets.encryption` configuration setting.
matrix_authentication_service_config_secrets_encryption: ''
# Controls the `secrets.keys` configuration setting.
matrix_authentication_service_config_secrets_keys: |-
{{
matrix_authentication_service_key_management_list | map(attribute='config') | list
if matrix_authentication_service_key_management_enabled
else []
}}
########################################################################################
# #
# /Secrets configuration #
# #
########################################################################################
########################################################################################
# #
# HTTP configuration #
# #
########################################################################################
# Controls the `http.public_base` configuration setting.
matrix_authentication_service_config_http_public_base: "https://{{ matrix_authentication_service_hostname }}{{ '/' if matrix_authentication_service_path_prefix == '/' else (matrix_authentication_service_path_prefix + '/') }}"
# Controls the `http.issuer` configuration setting.
matrix_authentication_service_config_http_issuer: "{{ matrix_authentication_service_config_http_public_base }}"
# Controls the `http.trusted_proxies` configuration setting.
matrix_authentication_service_config_http_trusted_proxies:
- 192.168.0.0/16
- 172.16.0.0/12
- 10.0.0.0/10
- 127.0.0.1/8
- fd00::/8
- ::1/128
########################################################################################
# #
# /HTTP configuration #
# #
########################################################################################
########################################################################################
# #
# Matrix configuration #
# #
########################################################################################
# Controls the `matrix.homeserver` configuration setting.
# The homeserver name, as per the `server_name` in the Synapse configuration file.
matrix_authentication_service_config_matrix_homeserver: ""
# Controls the `matrix.endpoint` configuration setting.
# URL to which the homeserver is accessible from the service
matrix_authentication_service_config_matrix_endpoint: ""
# Controls the `matrix.secret` configuration setting.
matrix_authentication_service_config_matrix_secret: ""
########################################################################################
# #
# /Matrix configuration #
# #
########################################################################################
########################################################################################
# #
# Passwords configuration #
# #
########################################################################################
# Controls the `passwords.enabled` configuration setting.
# Whether to enable the password database.
# If disabled, users will only be able to log in using upstream OIDC providers
matrix_authentication_service_config_passwords_enabled: true
# Controls the `passwords.schemes` configuration setting.
# List of password hashing schemes being used.
# Only change this if you know what you're doing
matrix_authentication_service_config_passwords_schemes:
- version: 1
algorithm: argon2id
# Controls the `passwords.minimum_complexity` configuration setting.
# Minimum complexity required for passwords, estimated by the zxcvbn algorithm
# Must be between 0 and 4, default is 3
# See https://github.com/dropbox/zxcvbn#usage for more information
matrix_authentication_service_config_passwords_minimum_complexity: 3
########################################################################################
# #
# /Passwords configuration #
# #
########################################################################################
########################################################################################
# #
# Clients configuration #
# #
########################################################################################
# Controls the `clients` configuration setting.
# List of clients to be used by the authentication service.
#
# See:
# - https://element-hq.github.io/matrix-authentication-service/reference/configuration.html#clients
# - https://element-hq.github.io/matrix-authentication-service/setup/homeserver.html#provision-a-client-for-the-homeserver-to-use
#
# To define your own, use `matrix_authentication_service_config_clients_custom`.
matrix_authentication_service_config_clients: "{{ matrix_authentication_service_config_clients_auto + matrix_authentication_service_config_clients_custom }}"
matrix_authentication_service_config_clients_auto: []
matrix_authentication_service_config_clients_custom: []
########################################################################################
# #
# /Clients configuration #
# #
########################################################################################
########################################################################################
# #
# Upstream OAuth2 configuration #
# #
########################################################################################
# Controls the `upstream_oauth2.providers` configuration setting.
# See:
# - https://element-hq.github.io/matrix-authentication-service/reference/configuration.html#upstream_oauth2providers
matrix_authentication_service_config_upstream_oauth2_providers: []
########################################################################################
# #
# /Upstream OAuth2 configuration #
# #
########################################################################################
# Holds the final Matrix Authentication Service configuration (a combination of the default and its extension).
# You most likely don't need to touch this variable. Instead, see `matrix_authentication_service_configuration_yaml` or `matrix_authentication_service_configuration_extension_yaml`.
matrix_authentication_service_configuration: "{{ matrix_authentication_service_configuration_yaml | from_yaml | combine(matrix_authentication_service_configuration_extension, recursive=True) }}"
# Default Matrix Authentication Service configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#
# For a more advanced customization, you can extend the default (see `matrix_authentication_service_configuration_extension_yaml`)
# or completely replace this variable with your own template.
matrix_authentication_service_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"
matrix_authentication_service_configuration_extension_yaml: |
# Your custom YAML configuration for Matrix Authentication Service goes here.
# This configuration extends the default starting configuration (`matrix_authentication_service_configuration_yaml`).
#
# You can override individual variables from the default configuration, or introduce new ones.
#
# If you need something more special, you can take full control by
# completely redefining `matrix_authentication_service_configuration_yaml`.
#
# Example configuration extension follows:
#
# user:
# password: something
matrix_authentication_service_configuration_extension: "{{ matrix_authentication_service_configuration_extension_yaml | from_yaml if matrix_authentication_service_configuration_extension_yaml | from_yaml is mapping else {} }}"
# Additional environment variables to pass to the Matrix Authentication Service container.
#
# Environment variables take priority over settings in the configuration file.
#
# Example:
# matrix_authentication_service_environment_variables_extension: |
# KEY=value
matrix_authentication_service_environment_variables_extension: ''
########################################################################################
# #
# Labels #
# #
########################################################################################
# matrix_authentication_service_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
# See `../templates/labels.j2` for details.
#
# To inject your own other container labels, see `matrix_authentication_service_container_labels_additional_labels`.
matrix_authentication_service_container_labels_traefik_enabled: true
matrix_authentication_service_container_labels_traefik_docker_network: "{{ matrix_authentication_service_container_network }}"
matrix_authentication_service_container_labels_traefik_entrypoints: web-secure
matrix_authentication_service_container_labels_traefik_tls_certResolver: default # noqa var-naming
matrix_authentication_service_container_labels_public_main_hostname: "{{ matrix_authentication_service_hostname }}"
# The path prefix must either be `/` or not end with a slash (e.g. `/auth`).
matrix_authentication_service_container_labels_public_main_path_prefix: "{{ matrix_authentication_service_path_prefix }}"
matrix_authentication_service_container_labels_public_main_rule: "Host(`{{ matrix_authentication_service_container_labels_public_main_hostname }}`){% if matrix_authentication_service_container_labels_public_main_path_prefix != '/' %} && PathPrefix(`{{ matrix_authentication_service_container_labels_public_main_path_prefix }}`){% endif %}"
matrix_authentication_service_container_labels_public_main_priority: 0
matrix_authentication_service_container_labels_public_main_entrypoints: "{{ matrix_authentication_service_container_labels_traefik_entrypoints }}"
matrix_authentication_service_container_labels_public_main_tls: "{{ matrix_authentication_service_container_labels_public_main_entrypoints != 'web' }}"
matrix_authentication_service_container_labels_public_main_tls_certResolver: "{{ matrix_authentication_service_container_labels_traefik_tls_certResolver }}" # noqa var-naming
# Controls whether labels will be added to expose the compatibility layer publicly.
#
# The service exposes a compatibility layer to allow legacy clients to authenticate using the service.
# This works by exposing a few Matrix endpoints that should be proxied to the service.
# The following Matrix Client-Server API endpoints need to be handled by the authentication service:
# - /_matrix/client/*/login
# - /_matrix/client/*/logout
# - /_matrix/client/*/refresh
#
# See:
# - https://element-hq.github.io/matrix-authentication-service/setup/homeserver.html#set-up-the-compatibility-layer
# - https://element-hq.github.io/matrix-authentication-service/setup/reverse-proxy.html#compatibility-layer
#
# Regardless of whether this is enabled, it may or may not take effect due to the value of other variables.
# See `matrix_authentication_service_container_labels_traefik_enabled`
matrix_authentication_service_container_labels_public_compatibility_layer_enabled: false
matrix_authentication_service_container_labels_public_compatibility_layer_hostname: ""
matrix_authentication_service_container_labels_public_compatibility_layer_path_regexp: "^/_matrix/client/(?P<version>([^/]+))/(?P<endpoint>(login|logout|refresh))"
matrix_authentication_service_container_labels_public_compatibility_layer_rule: "Host(`{{ matrix_authentication_service_container_labels_public_compatibility_layer_hostname }}`) && PathRegexp(`{{ matrix_authentication_service_container_labels_public_compatibility_layer_path_regexp }}`)"
matrix_authentication_service_container_labels_public_compatibility_layer_priority: 0
matrix_authentication_service_container_labels_public_compatibility_layer_entrypoints: "{{ matrix_authentication_service_container_labels_traefik_entrypoints }}"
matrix_authentication_service_container_labels_public_compatibility_layer_tls: "{{ matrix_authentication_service_container_labels_public_compatibility_layer_entrypoints != 'web' }}"
matrix_authentication_service_container_labels_public_compatibility_layer_tls_certResolver: "{{ matrix_authentication_service_container_labels_traefik_tls_certResolver }}" # noqa var-naming
# Controls whether labels will be added to expose the compatibility layer on the internal Traefik entrypoint.
# This is similar to `matrix_authentication_service_container_labels_public_compatibility_layer_enabled`, but the entrypoint and intent is different.
# Regardless of whether this is enabled, it may or may not take effect due to the value of other variables.
# See `matrix_authentication_service_container_labels_traefik_enabled`
matrix_authentication_service_container_labels_internal_compatibility_layer_enabled: false
matrix_authentication_service_container_labels_internal_compatibility_layer_path_regexp: "{{ matrix_authentication_service_container_labels_public_compatibility_layer_path_regexp }}"
matrix_authentication_service_container_labels_internal_compatibility_layer_rule: "PathRegexp(`{{ matrix_authentication_service_container_labels_internal_compatibility_layer_path_regexp }}`)"
matrix_authentication_service_container_labels_internal_compatibility_layer_priority: 0
matrix_authentication_service_container_labels_internal_compatibility_layer_entrypoints: ""
# Controls which additional headers to attach to all HTTP responses.
# To add your own headers, use `matrix_authentication_service_container_labels_traefik_additional_response_headers_custom`
matrix_authentication_service_container_labels_traefik_additional_response_headers: "{{ matrix_authentication_service_container_labels_traefik_additional_response_headers_auto | combine(matrix_authentication_service_container_labels_traefik_additional_response_headers_custom) }}"
matrix_authentication_service_container_labels_traefik_additional_response_headers_auto: {}
matrix_authentication_service_container_labels_traefik_additional_response_headers_custom: {}
# matrix_authentication_service_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
# See `../templates/labels.j2` for details.
#
# Example:
# matrix_authentication_service_container_labels_additional_labels: |
# my.label=1
# another.label="here"
matrix_authentication_service_container_labels_additional_labels: ''
########################################################################################
# #
# /Labels #
# #
########################################################################################
########################################################################################
# #
# syn2mas configuration #
# #
########################################################################################
matrix_authentication_service_syn2mas_start_wait_time_seconds: 5
matrix_authentication_service_syn2mas_dry_run: false
# renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service/syn2mas
matrix_authentication_service_syn2mas_version: 0.12.0
matrix_authentication_service_syn2mas_container_image: "{{ matrix_authentication_service_container_image_name_prefix }}element-hq/matrix-authentication-service/syn2mas:{{ matrix_authentication_service_syn2mas_version }}"
matrix_authentication_service_syn2mas_container_image_name_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else 'ghcr.io/' }}"
matrix_authentication_service_syn2mas_container_image_force_pull: "{{ matrix_authentication_service_syn2mas_container_image.endswith(':latest') }}"
matrix_authentication_service_syn2mas_container_image_self_build: "{{ matrix_authentication_service_container_image_self_build }}"
matrix_authentication_service_syn2mas_container_network: "{{ matrix_authentication_service_container_network }}"
# Path to Synapse's homeserver.yaml configuration file.
matrix_authentication_service_syn2mas_synapse_homeserver_config_path: ""
########################################################################################
# #
# /syn2mas configuration #
# #
########################################################################################
########################################################################################
# #
# Misc #
# #
########################################################################################
# Controls whether a migration from a homeserver user database to Matrix Authentication Service is in progress.
#
# When this is set to `true`, the playbook will:
#
# - disable the integration between the homeserver and Matrix Authentication Service
# - avoid setting up the "compatibility layer" (that is, avoid installing container labels that capture login endpoints like `/_matrix/client/*/login`, etc.)
matrix_authentication_service_migration_in_progress: false
########################################################################################
# #
# /Misc #
# #
########################################################################################

103
roles/custom/matrix-authentication-service/tasks/install.yml Normal file
View File

@ -0,0 +1,103 @@
---
- name: Ensure Matrix Authentication Service paths exist
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- {path: "{{ matrix_authentication_service_base_path }}", when: true}
- {path: "{{ matrix_authentication_service_bin_path }}", when: true}
- {path: "{{ matrix_authentication_service_config_path }}", when: true}
- {path: "{{ matrix_authentication_service_data_path }}", when: true}
- {path: "{{ matrix_authentication_service_data_keys_path }}", when: true}
- {path: "{{ matrix_authentication_service_container_src_files_path }}", when: "{{ matrix_authentication_service_container_image_self_build }}"}
when: "item.when | bool"
- when: matrix_authentication_service_key_management_enabled | bool
block:
- name: Ensure openssl installed
ansible.builtin.package:
name: openssl
state: present
- name: Prepare private key
ansible.builtin.include_tasks: "{{ role_path }}/tasks/util/prepare_key.yml"
with_items: "{{ matrix_authentication_service_key_management_list }}"
loop_control:
loop_var: private_key_definition
- name: Ensure Matrix Authentication Service configuration installed
ansible.builtin.copy:
content: "{{ matrix_authentication_service_configuration | to_nice_yaml(indent=2, width=999999) }}"
dest: "{{ matrix_authentication_service_config_path }}/config.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure Matrix Authentication Service support files created
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
mode: "{{ item.mode }}"
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- src: "{{ role_path }}/templates/env.j2"
dest: "{{ matrix_authentication_service_config_path }}/env"
mode: '0644'
- src: "{{ role_path }}/templates/labels.j2"
dest: "{{ matrix_authentication_service_config_path }}/labels"
mode: '0644'
- src: "{{ role_path }}/templates/bin/register-user.j2"
dest: "{{ matrix_authentication_service_bin_path }}/register-user"
mode: '0755'
- src: "{{ role_path }}/templates/bin/mas-cli.j2"
dest: "{{ matrix_authentication_service_bin_path }}/mas-cli"
mode: '0755'
- name: Ensure Matrix Authentication Service container image is pulled
community.docker.docker_image:
name: "{{ matrix_authentication_service_container_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_authentication_service_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_authentication_service_container_image_force_pull }}"
when: "not matrix_authentication_service_container_image_self_build | bool"
register: result
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed
- when: "matrix_authentication_service_container_image_self_build | bool"
block:
- name: Ensure Matrix Authentication Service repository is present on self-build
ansible.builtin.git:
repo: "{{ matrix_authentication_service_container_repo }}"
version: "{{ matrix_authentication_service_container_repo_version }}"
dest: "{{ matrix_authentication_service_container_src_files_path }}"
force: "yes"
become: true
become_user: "{{ matrix_user_username }}"
- name: Ensure Matrix Authentication Service container image is built
ansible.builtin.command:
cmd: |-
{{ devture_systemd_docker_base_host_command_docker }} buildx build
--tag={{ matrix_authentication_service_container_image }}
--file={{ matrix_authentication_service_container_src_files_path }}/Dockerfile
{{ matrix_authentication_service_container_src_files_path }}
changed_when: true
- name: Ensure Matrix Authentication Service container network is created
community.general.docker_network:
enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
name: "{{ matrix_authentication_service_container_network }}"
driver: bridge
- name: Ensure matrix-authentication-service.service installed
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/matrix-authentication-service.service.j2"
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-authentication-service.service"
mode: 0644

38
roles/custom/matrix-authentication-service/tasks/main.yml Normal file
View File

@ -0,0 +1,38 @@
---
- tags:
- setup-all
- setup-matrix-authentication-service
- install-all
- install-matrix-authentication-service
block:
- when: matrix_authentication_service_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
- when: matrix_authentication_service_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml"
- tags:
- matrix-authentication-service-syn2mas
block:
- when: matrix_authentication_service_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/syn2mas.yml"
- tags:
- matrix-authentication-service-mas-cli-doctor
block:
- when: matrix_authentication_service_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/mas_cli_doctor.yml"
- tags:
- register-user
block:
- when: matrix_authentication_service_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/register_user.yml"
- tags:
- setup-all
- setup-matrix-authentication-service
block:
- when: not matrix_authentication_service_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml"

32
roles/custom/matrix-authentication-service/tasks/mas_cli_doctor.yml Normal file
View File

@ -0,0 +1,32 @@
---
- name: Ensure Matrix Authentication Service is started
ansible.builtin.service:
name: matrix-authentication-service
state: started
daemon_reload: true
register: matrix_authentication_service_mas_ensure_started_result
- when: matrix_authentication_service_mas_ensure_started_result.changed | bool
name: Wait a bit, so that Matrix Authentication Service can start
ansible.builtin.wait_for:
timeout: "{{ matrix_authentication_service_syn2mas_start_wait_time_seconds }}"
delegate_to: 127.0.0.1
become: false
- name: Generate mas-cli doctor command
ansible.builtin.set_fact:
matrix_authentication_service_mas_cli_doctor_command: >-
{{ matrix_authentication_service_bin_path }}/mas-cli doctor
tags:
- skip_ansible_lint
- name: Run mas-cli doctor
ansible.builtin.command:
cmd: "{{ matrix_authentication_service_mas_cli_doctor_command }}"
register: matrix_authentication_service_mas_cli_doctor_command_result
changed_when: matrix_authentication_service_mas_cli_doctor_command_result.rc == 0
- name: Print mas-cli doctor command result
ansible.builtin.debug:
var: matrix_authentication_service_mas_cli_doctor_command_result

34
roles/custom/matrix-authentication-service/tasks/register_user.yml Normal file
View File

@ -0,0 +1,34 @@
---
- name: Fail if playbook called incorrectly
ansible.builtin.fail:
msg: "The `username` variable needs to be provided to this playbook, via --extra-vars"
when: "username is not defined or username == '<your-username>'"
- name: Fail if playbook called incorrectly
ansible.builtin.fail:
msg: "The `password` variable needs to be provided to this playbook, via --extra-vars"
when: "password is not defined or password == '<your-password>'"
- name: Fail if playbook called incorrectly
ansible.builtin.fail:
msg: "The `admin` variable needs to be provided to this playbook, via --extra-vars"
when: "admin is not defined or admin not in ['yes', 'no']"
- name: Ensure Matrix Authentication Service is started
ansible.builtin.service:
name: matrix-authentication-service
state: started
daemon_reload: true
register: matrix_authentication_service_start_result
- name: Wait a while, so that Matrix Authentication Service can start
ansible.builtin.pause:
seconds: 7
when: matrix_authentication_service_start_result.changed | bool
- name: Register user
ansible.builtin.command:
cmd: "{{ matrix_authentication_service_bin_path }}/register-user {{ username | quote }} {{ password | quote }} {{ '1' if admin == 'yes' else '0' }}"
register: matrix_authentication_service_register_user_result
changed_when: matrix_authentication_service_register_user_result.rc == 0

137
roles/custom/matrix-authentication-service/tasks/syn2mas.yml Normal file
View File

@ -0,0 +1,137 @@
---
- set_fact:
matrix_authentication_service_syn2mas_dry_run: "{{ matrix_authentication_service_syn2mas_dry_run | bool }}"
- name: Abort, if not using Synapse
when: not matrix_synapse_enabled | bool
ansible.builtin.fail:
msg: |-
You can only use syn2mas to migrate from Synapse to Matrix Authentication Service.
Other homeserver implementations are not supported.
- name: Fail if required matrix-authentication-service syn2mas settings not defined
ansible.builtin.fail:
msg: >-
You need to define a required configuration setting (`{{ item.name }}`).
when: "item.when | bool and vars[item.name] | length == 0"
with_items:
- {'name': 'matrix_authentication_service_syn2mas_synapse_homeserver_config_path', when: true}
- name: Check if Synapse homeserver config file exists
ansible.builtin.stat:
path: "{{ matrix_authentication_service_syn2mas_synapse_homeserver_config_path }}"
register: matrix_authentication_service_syn2mas_synapse_config_stat
- name: Fail if Synapse homeserver config file does not exist
ansible.builtin.fail:
msg: "The Synapse homeserver config file does not exist at the specified path: {{ matrix_authentication_service_syn2mas_synapse_homeserver_config_path }}"
when: not matrix_authentication_service_syn2mas_synapse_config_stat.stat.exists
- name: Ensure Matrix Authentication Service syn2mas container image is pulled
community.docker.docker_image:
name: "{{ matrix_authentication_service_syn2mas_container_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_authentication_service_syn2mas_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_authentication_service_syn2mas_container_image_force_pull }}"
when: "not matrix_authentication_service_syn2mas_container_image_self_build | bool"
register: result
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed
- when: "matrix_authentication_service_syn2mas_container_image_self_build | bool"
block:
- name: Ensure Matrix Authentication Service repository is present on self-build
ansible.builtin.git:
repo: "{{ matrix_authentication_service_container_repo }}"
version: "{{ matrix_authentication_service_container_repo_version }}"
dest: "{{ matrix_authentication_service_container_src_files_path }}"
force: "yes"
become: true
become_user: "{{ matrix_user_username }}"
register: matrix_authentication_service_git_pull_results
- name: Ensure Matrix Authentication Service syn2mas container image is built
ansible.builtin.command:
cmd: |-
{{ devture_systemd_docker_base_host_command_docker }} buildx build
--tag={{ matrix_authentication_service_syn2mas_container_image }}
--file={{ matrix_authentication_service_container_src_files_path }}/tools/syn2mas/Dockerfile
{{ matrix_authentication_service_container_src_files_path }}/tools/syn2mas
changed_when: true
- name: Ensure Synapse is stopped
when: not matrix_authentication_service_syn2mas_dry_run | bool
ansible.builtin.service:
name: matrix-synapse
state: stopped
daemon_reload: true
register: matrix_authentication_service_synapse_ensure_stopped_result
# We probably don't necessarily need to stop this, because:
# - the upstream docs don't say we should.
# - while a migration is in progress (see `matrix_authentication_service_migration_in_progress`),
# we don't even add compatibility layer labels, so MAS would not be used anyway.
#
# Still, it's probably safer to stop it anyway.
- name: Ensure Matrix Authentication Service is stopped
ansible.builtin.service:
name: matrix-authentication-service
state: stopped
register: matrix_authentication_service_mas_ensure_stopped_result
- name: Generate syn2mas migration command
ansible.builtin.set_fact:
matrix_authentication_service_syn2mas_migration_command: >-
{{ devture_systemd_docker_base_host_command_docker }} run
--rm
--name=matrix-authentication-service-syn2mas
--log-driver=none
--user={{ matrix_authentication_service_uid }}:{{ matrix_authentication_service_gid }}
--cap-drop=ALL
--network={{ matrix_authentication_service_syn2mas_container_network }}
--mount type=bind,src={{ matrix_authentication_service_syn2mas_synapse_homeserver_config_path }},dst=/homeserver.yaml,ro
--mount type=bind,src={{ matrix_authentication_service_config_path }}/config.yaml,dst=/mas-config.yaml,ro
{{ matrix_authentication_service_syn2mas_container_image }}
--command=migrate
--synapseConfigFile=/homeserver.yaml
--masConfigFile=/mas-config.yaml
{% if matrix_authentication_service_syn2mas_dry_run | bool %}--dryRun{% endif %}
tags:
- skip_ansible_lint
# This is a hack.
# See: https://ansibledaily.com/print-to-standard-output-without-escaping/
#
# We want to run `debug: msg=".."`, but that dumps it as JSON and escapes double quotes within it,
# which ruins the command (`matrix_authentication_service_syn2mas_migration_command`)
- name: Note about syn2mas migration
ansible.builtin.set_fact:
dummy: true
with_items:
- >-
Running syn2mas migration using the following command: `{{ matrix_authentication_service_syn2mas_migration_command }}`.
If this crashes, you can stop Synapse (`systemctl stop matrix-synapse`) and run the command manually.
- name: Perform syn2mas migration
ansible.builtin.command:
cmd: "{{ matrix_authentication_service_syn2mas_migration_command }}"
register: matrix_authentication_service_syn2mas_migration_command_result
changed_when: matrix_authentication_service_syn2mas_migration_command_result.rc == 0
- name: Print syn2mas migration command result
ansible.builtin.debug:
var: matrix_authentication_service_syn2mas_migration_command_result
- when: "not matrix_authentication_service_syn2mas_dry_run and matrix_authentication_service_synapse_ensure_stopped_result.changed"
name: Ensure Synapse is started (if it previously was)
ansible.builtin.service:
name: matrix-synapse
state: started
- when: "not matrix_authentication_service_syn2mas_dry_run and matrix_authentication_service_mas_ensure_stopped_result.changed"
name: Ensure Matrix Authentication Service is started (if it previously was)
ansible.builtin.service:
name: matrix-authentication-service
state: started

25
roles/custom/matrix-authentication-service/tasks/uninstall.yml Normal file
View File

@ -0,0 +1,25 @@
---
- name: Check existence of matrix-authentication-service service
ansible.builtin.stat:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-authentication-service.service"
register: matrix_authentication_service_service_stat
- when: matrix_authentication_service_service_stat.stat.exists | bool
block:
- name: Ensure matrix-authentication-service is stopped
ansible.builtin.service:
name: matrix-authentication-service
state: stopped
enabled: false
daemon_reload: true
- name: Ensure matrix-authentication-service.service doesn't exist
ansible.builtin.file:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-authentication-service.service"
state: absent
- name: Ensure Matrix Authentication Service paths don't exist
ansible.builtin.file:
path: "{{ matrix_authentication_service_base_path }}"
state: absent

10
roles/custom/matrix-authentication-service/tasks/util/prepare_key.yml Normal file
View File

@ -0,0 +1,10 @@
- name: Prepare Matrix Authentication Service private key file path ({{ private_key_definition.key_file }})
ansible.builtin.set_fact:
matrix_authentication_service_private_key_file_path: "{{ matrix_authentication_service_data_keys_path }}/{{ private_key_definition.key_file }}"
- name: Prepare Matrix Authentication Service private key file ({{ private_key_definition.key_file }})
ansible.builtin.command:
cmd: "{{ private_key_definition.generation_command | replace('__KEY_FILE_PATH__', matrix_authentication_service_private_key_file_path) }}"
creates: "{{ matrix_authentication_service_private_key_file_path }}"
become: true
become_user: "{{ matrix_user_username }}"

31
roles/custom/matrix-authentication-service/tasks/validate_config.yml Normal file
View File

@ -0,0 +1,31 @@
---
- name: Fail if required matrix-authentication-service settings not defined
ansible.builtin.fail:
msg: >-
You need to define a required configuration setting (`{{ item.name }}`).
when: "item.when | bool and vars[item.name] | length == 0"
with_items:
- {'name': 'matrix_authentication_service_hostname', when: true}
- {'name': 'matrix_authentication_service_config_database_username', when: true}
- {'name': 'matrix_authentication_service_config_database_password', when: true}
- {'name': 'matrix_authentication_service_config_database_host', when: true}
- {'name': 'matrix_authentication_service_config_database_database', when: true}
- {'name': 'matrix_authentication_service_config_secrets_encryption', when: true}
- {'name': 'matrix_authentication_service_config_matrix_homeserver', when: true}
- {'name': 'matrix_authentication_service_config_matrix_secret', when: true}
- {'name': 'matrix_authentication_service_config_matrix_endpoint', when: true}
- {'name': 'matrix_authentication_service_container_labels_public_main_hostname', when: "{{ matrix_authentication_service_container_labels_traefik_enabled }}"}
- {'name': 'matrix_authentication_service_container_labels_public_compatibility_layer_hostname', when: "{{ matrix_authentication_service_container_labels_public_compatibility_layer_enabled }}"}
- {'name': 'matrix_authentication_service_container_labels_internal_compatibility_layer_entrypoints', when: "{{ matrix_authentication_service_container_labels_internal_compatibility_layer_enabled }}"}
- {'name': 'matrix_authentication_service_config_email_hostname', when: "{{ matrix_authentication_service_config_email_transport == 'smtp' }}"}
- name: Fail if matrix_authentication_service_config_secrets_encryption is not 64 characters long
ansible.builtin.fail:
msg: "matrix_authentication_service_config_secrets_encryption must be exactly 64 characters long (preferably generated via `openssl rand -hex 32`)"
when: "matrix_authentication_service_config_secrets_encryption | length != 64"
- name: Fail if matrix_authentication_service_config_email_transport is invalid
ansible.builtin.fail:
msg: "matrix_authentication_service_config_email_transport must be one of: blackhole, smtp, or aws_ses"
when: "matrix_authentication_service_config_email_transport not in ['blackhole', 'smtp', 'aws_ses']"

16
roles/custom/matrix-authentication-service/templates/bin/mas-cli.j2 Normal file
View File

@ -0,0 +1,16 @@
#jinja2: lstrip_blocks: "True"
#!/bin/bash
args=$@
if [ $# -eq 0 ]; then
args="help"
fi
if [ -t 0 ]; then
tty_option="-it"
else
tty_option=""
fi
{{ devture_systemd_docker_base_host_command_docker }} exec $tty_option matrix-authentication-service mas-cli $args

17
roles/custom/matrix-authentication-service/templates/bin/register-user.j2 Normal file
View File

@ -0,0 +1,17 @@
#jinja2: lstrip_blocks: "True"
#!/bin/bash
if [ $# -ne 3 ]; then
echo "Usage: "$0" <username> <password> <admin access: 0 or 1>"
exit 1
fi
user=$1
password=$2
admin=$3
if [ "$admin" -eq "1" ]; then
{{ devture_systemd_docker_base_host_command_docker }} exec matrix-authentication-service mas-cli manage register-user --yes -p "$password" --admin "$user"
else
{{ devture_systemd_docker_base_host_command_docker }} exec matrix-authentication-service mas-cli manage register-user --yes -p "$password" --no-admin "$user"
fi

82
roles/custom/matrix-authentication-service/templates/config.yaml.j2 Normal file
View File

@ -0,0 +1,82 @@
#jinja2: lstrip_blocks: "True"
http:
listeners:
- name: web
resources:
- name: discovery
- name: human
- name: oauth
- name: compat
- name: graphql
- name: assets
binds:
- address: '[::]:8080'
proxy_protocol: false
prefix: {{ matrix_authentication_service_path_prefix }}
- name: internal
resources:
- name: health
binds:
- host: localhost
port: 8081
proxy_protocol: false
prefix: {{ matrix_authentication_service_path_prefix }}
trusted_proxies: {{ matrix_authentication_service_config_http_trusted_proxies | to_json }}
public_base: {{ matrix_authentication_service_config_http_public_base | to_json }}
issuer: {{ matrix_authentication_service_config_http_issuer | to_json }}
database:
host: {{ matrix_authentication_service_config_database_host | to_json }}
port: {{ matrix_authentication_service_config_database_port | to_json }}
username: {{ matrix_authentication_service_config_database_username | to_json }}
password: {{ matrix_authentication_service_config_database_password | to_json }}
database: {{ matrix_authentication_service_config_database_database | to_json }}
ssl_mode: {{ matrix_authentication_service_config_database_ssl_mode | to_json }}
max_connections: {{ matrix_authentication_service_config_database_max_connections | to_json }}
min_connections: {{ matrix_authentication_service_config_database_min_connections | to_json }}
connect_timeout: {{ matrix_authentication_service_config_database_connect_timeout | to_json }}
idle_timeout: {{ matrix_authentication_service_config_database_idle_timeout | to_json }}
max_lifetime: {{ matrix_authentication_service_config_database_max_lifetime | to_json }}
email:
from: {{ matrix_authentication_service_config_email_from | to_json }}
reply_to: {{ matrix_authentication_service_config_email_reply_to | to_json }}
transport: {{ matrix_authentication_service_config_email_transport | to_json }}
{% if matrix_authentication_service_config_email_transport == 'smtp' %}
mode: {{ matrix_authentication_service_config_email_mode | to_json }}
hostname: {{ matrix_authentication_service_config_email_hostname | to_json }}
port: {{ matrix_authentication_service_config_email_port | int | to_json }}
{% if matrix_authentication_service_config_email_username %}
username: {{ matrix_authentication_service_config_email_username | to_json }}
{% endif %}
{% if matrix_authentication_service_config_email_password %}
password: {{ matrix_authentication_service_config_email_password | to_json }}
{% endif %}
{% endif %}
secrets:
encryption: {{ matrix_authentication_service_config_secrets_encryption | to_json }}
keys: {{ matrix_authentication_service_config_secrets_keys | to_json }}
passwords:
enabled: {{ matrix_authentication_service_config_passwords_enabled | to_json }}
schemes: {{ matrix_authentication_service_config_passwords_schemes | to_json }}
minimum_complexity: {{ matrix_authentication_service_config_passwords_minimum_complexity | to_json }}
matrix:
homeserver: {{ matrix_authentication_service_config_matrix_homeserver | to_json }}
secret: {{ matrix_authentication_service_config_matrix_secret | to_json }}
endpoint: {{ matrix_authentication_service_config_matrix_endpoint | to_json }}
account:
email_change_allowed: {{ matrix_authentication_service_config_account_email_change_allowed | to_json }}
displayname_change_allowed: {{ matrix_authentication_service_config_account_displayname_change_allowed | to_json }}
password_registration_enabled: {{ matrix_authentication_service_config_account_password_registration_enabled | to_json }}
password_change_allowed: {{ matrix_authentication_service_config_account_password_change_allowed | to_json }}
password_recovery_enabled: {{ matrix_authentication_service_config_account_password_recovery_enabled | to_json }}
clients: {{ matrix_authentication_service_config_clients | to_json }}
{% if matrix_authentication_service_config_upstream_oauth2_providers | length > 0 %}
upstream_oauth2:
providers: {{ matrix_authentication_service_config_upstream_oauth2_providers | to_json }}
{% endif %}

1
roles/custom/matrix-authentication-service/templates/env.j2 Normal file
View File

@ -0,0 +1 @@
{{ matrix_authentication_service_environment_variables_extension }}

134
roles/custom/matrix-authentication-service/templates/labels.j2 Normal file
View File

@ -0,0 +1,134 @@
{% if matrix_authentication_service_container_labels_traefik_enabled %}
traefik.enable=true
{% if matrix_authentication_service_container_labels_traefik_docker_network %}
traefik.docker.network={{ matrix_authentication_service_container_labels_traefik_docker_network }}
{% endif %}
traefik.http.services.matrix-authentication-service.loadbalancer.server.port=8080
########################################################################################
# #
# Public Main #
# #
########################################################################################
{% set main_middlewares = [] %}
{% if matrix_authentication_service_container_labels_public_main_path_prefix != '/' %}
traefik.http.middlewares.matrix-authentication-service-slashless-redirect.redirectregex.regex=({{ matrix_authentication_service_container_labels_public_main_path_prefix | quote }})$
traefik.http.middlewares.matrix-authentication-service-slashless-redirect.redirectregex.replacement=${1}/
{% set main_middlewares = main_middlewares + ['matrix-authentication-service-slashless-redirect'] %}
{% endif %}
{% if matrix_authentication_service_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
{% for name, value in matrix_authentication_service_container_labels_traefik_additional_response_headers.items() %}
traefik.http.middlewares.matrix-authentication-service-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
{% endfor %}
{% set main_middlewares = main_middlewares + ['matrix-authentication-service-add-headers'] %}
{% endif %}
traefik.http.routers.matrix-authentication-service.rule={{ matrix_authentication_service_container_labels_public_main_rule }}
{% if matrix_authentication_service_container_labels_public_main_priority | int > 0 %}
traefik.http.routers.matrix-authentication-service.priority={{ matrix_authentication_service_container_labels_public_main_priority }}
{% endif %}
traefik.http.routers.matrix-authentication-service.service=matrix-authentication-service
{% if main_middlewares | length > 0 %}
traefik.http.routers.matrix-authentication-service.middlewares={{ main_middlewares | join(',') }}
{% endif %}
traefik.http.routers.matrix-authentication-service.entrypoints={{ matrix_authentication_service_container_labels_public_main_entrypoints }}
traefik.http.routers.matrix-authentication-service.tls={{ matrix_authentication_service_container_labels_public_main_tls | to_json }}
{% if matrix_authentication_service_container_labels_public_main_tls %}
traefik.http.routers.matrix-authentication-service.tls.certResolver={{ matrix_authentication_service_container_labels_public_main_tls_certResolver }}
{% endif %}
########################################################################################
# #
# /Public Main #
# #
########################################################################################
{% if matrix_authentication_service_container_labels_public_compatibility_layer_enabled %}
########################################################################################
# #
# Public Compatibility Layer #
# #
########################################################################################
{% set compatibility_layer_middlewares = [] %}
{% if matrix_authentication_service_container_labels_public_main_path_prefix != '/' %}
traefik.http.middlewares.matrix-authentication-service-add-prefix.addprefix.prefix={{ matrix_authentication_service_container_labels_public_main_path_prefix }}
{% set compatibility_layer_middlewares = compatibility_layer_middlewares + ['matrix-authentication-service-add-prefix'] %}
{% endif %}
traefik.http.routers._internalmatrix-authentication-service-public-compatibility-layer.rule={{ matrix_authentication_service_container_labels_public_compatibility_layer_rule }}
{% if matrix_authentication_service_container_labels_public_compatibility_layer_priority | int > 0 %}
traefik.http.routers._internalmatrix-authentication-service-public-compatibility-layer.priority={{ matrix_authentication_service_container_labels_public_compatibility_layer_priority }}
{% endif %}
traefik.http.routers._internalmatrix-authentication-service-public-compatibility-layer.service=matrix-authentication-service
{% if compatibility_layer_middlewares | length > 0 %}
traefik.http.routers._internalmatrix-authentication-service-public-compatibility-layer.middlewares={{ compatibility_layer_middlewares | join(',') }}
{% endif %}
traefik.http.routers._internalmatrix-authentication-service-public-compatibility-layer.entrypoints={{ matrix_authentication_service_container_labels_public_compatibility_layer_entrypoints }}
traefik.http.routers._internalmatrix-authentication-service-public-compatibility-layer.tls={{ matrix_authentication_service_container_labels_public_compatibility_layer_tls | to_json }}
{% if matrix_authentication_service_container_labels_public_compatibility_layer_tls %}
traefik.http.routers._internalmatrix-authentication-service-public-compatibility-layer.tls.certResolver={{ matrix_authentication_service_container_labels_public_compatibility_layer_tls_certResolver }}
{% endif %}
########################################################################################
# #
# /Public Compatibility Layer #
# #
########################################################################################
{% endif %}
{% if matrix_authentication_service_container_labels_internal_compatibility_layer_enabled %}
########################################################################################
# #
# Internal Compatibility Layer #
# #
########################################################################################
{% set compatibility_layer_middlewares = [] %}
{% if matrix_authentication_service_container_labels_public_main_path_prefix != '/' %}
traefik.http.middlewares.matrix-authentication-service-add-prefix.addprefix.prefix={{ matrix_authentication_service_container_labels_public_main_path_prefix }}
{% set compatibility_layer_middlewares = compatibility_layer_middlewares + ['matrix-authentication-service-add-prefix'] %}
{% endif %}
traefik.http.routers._internalmatrix-authentication-service-internal-compatibility-layer.rule={{ matrix_authentication_service_container_labels_internal_compatibility_layer_rule }}
{% if matrix_authentication_service_container_labels_internal_compatibility_layer_priority | int > 0 %}
traefik.http.routers._internalmatrix-authentication-service-internal-compatibility-layer.priority={{ matrix_authentication_service_container_labels_internal_compatibility_layer_priority }}
{% endif %}
traefik.http.routers._internalmatrix-authentication-service-internal-compatibility-layer.service=matrix-authentication-service
{% if compatibility_layer_middlewares | length > 0 %}
traefik.http.routers._internalmatrix-authentication-service-internal-compatibility-layer.middlewares={{ compatibility_layer_middlewares | join(',') }}
{% endif %}
traefik.http.routers._internalmatrix-authentication-service-internal-compatibility-layer.entrypoints={{ matrix_authentication_service_container_labels_internal_compatibility_layer_entrypoints }}
########################################################################################
# #
# /Internal Compatibility Layer #
# #
########################################################################################
{% endif %}
{% endif %}
{{ matrix_authentication_service_container_labels_additional_labels }}

13
roles/custom/matrix-authentication-service/templates/provider/anthropic-config.yml.j2 Normal file
View File

@ -0,0 +1,13 @@
#jinja2: lstrip_blocks: "True"
base_url: {{ matrix_authentication_service_config_agents_static_definitions_anthropic_config_base_url | to_json }}
api_key: {{ matrix_authentication_service_config_agents_static_definitions_anthropic_config_api_key | to_json }}
{% if matrix_authentication_service_config_agents_static_definitions_anthropic_config_text_generation_enabled %}
text_generation:
model_id: {{ matrix_authentication_service_config_agents_static_definitions_anthropic_config_text_generation_model_id | to_json }}
prompt: {{ matrix_authentication_service_config_agents_static_definitions_anthropic_config_text_generation_prompt | to_json }}
temperature: {{ matrix_authentication_service_config_agents_static_definitions_anthropic_config_text_generation_temperature | to_json }}
max_response_tokens: {{ matrix_authentication_service_config_agents_static_definitions_anthropic_config_text_generation_max_response_tokens | int | to_json }}
max_context_tokens: {{ matrix_authentication_service_config_agents_static_definitions_anthropic_config_text_generation_max_context_tokens | int | to_json }}
{% endif %}

18
roles/custom/matrix-authentication-service/templates/provider/groq-config.yml.j2 Normal file
View File

@ -0,0 +1,18 @@
#jinja2: lstrip_blocks: "True"
base_url: {{ matrix_authentication_service_config_agents_static_definitions_groq_config_base_url | to_json }}
api_key: {{ matrix_authentication_service_config_agents_static_definitions_groq_config_api_key | to_json }}
{% if matrix_authentication_service_config_agents_static_definitions_groq_config_text_generation_enabled %}
text_generation:
model_id: {{ matrix_authentication_service_config_agents_static_definitions_groq_config_text_generation_model_id | to_json }}
prompt: {{ matrix_authentication_service_config_agents_static_definitions_groq_config_text_generation_prompt | to_json }}
temperature: {{ matrix_authentication_service_config_agents_static_definitions_groq_config_text_generation_temperature | to_json }}
max_response_tokens: {{ matrix_authentication_service_config_agents_static_definitions_groq_config_text_generation_max_response_tokens | int | to_json }}
max_context_tokens: {{ matrix_authentication_service_config_agents_static_definitions_groq_config_text_generation_max_context_tokens | int | to_json }}
{% endif %}
{% if matrix_authentication_service_config_agents_static_definitions_groq_config_speech_to_text_enabled %}
speech_to_text:
model_id: {{ matrix_authentication_service_config_agents_static_definitions_groq_config_speech_to_text_model_id | to_json }}
{% endif %}

13
roles/custom/matrix-authentication-service/templates/provider/mistral-config.yml.j2 Normal file
View File

@ -0,0 +1,13 @@
#jinja2: lstrip_blocks: "True"
base_url: {{ matrix_authentication_service_config_agents_static_definitions_mistral_config_base_url | to_json }}
api_key: {{ matrix_authentication_service_config_agents_static_definitions_mistral_config_api_key | to_json }}
{% if matrix_authentication_service_config_agents_static_definitions_mistral_config_text_generation_enabled %}
text_generation:
model_id: {{ matrix_authentication_service_config_agents_static_definitions_mistral_config_text_generation_model_id | to_json }}
prompt: {{ matrix_authentication_service_config_agents_static_definitions_mistral_config_text_generation_prompt | to_json }}
temperature: {{ matrix_authentication_service_config_agents_static_definitions_mistral_config_text_generation_temperature | to_json }}
max_response_tokens: {{ matrix_authentication_service_config_agents_static_definitions_mistral_config_text_generation_max_response_tokens | int | to_json }}
max_context_tokens: {{ matrix_authentication_service_config_agents_static_definitions_mistral_config_text_generation_max_context_tokens | int | to_json }}
{% endif %}

33
roles/custom/matrix-authentication-service/templates/provider/openai-config.yml.j2 Normal file
View File

@ -0,0 +1,33 @@
#jinja2: lstrip_blocks: "True"
base_url: {{ matrix_authentication_service_config_agents_static_definitions_openai_config_base_url | to_json }}
api_key: {{ matrix_authentication_service_config_agents_static_definitions_openai_config_api_key | to_json }}
{% if matrix_authentication_service_config_agents_static_definitions_openai_config_text_generation_enabled %}
text_generation:
model_id: {{ matrix_authentication_service_config_agents_static_definitions_openai_config_text_generation_model_id | to_json }}
prompt: {{ matrix_authentication_service_config_agents_static_definitions_openai_config_text_generation_prompt | to_json }}
temperature: {{ matrix_authentication_service_config_agents_static_definitions_openai_config_text_generation_temperature | to_json }}
max_response_tokens: {{ matrix_authentication_service_config_agents_static_definitions_openai_config_text_generation_max_response_tokens | int | to_json }}
max_context_tokens: {{ matrix_authentication_service_config_agents_static_definitions_openai_config_text_generation_max_context_tokens | int | to_json }}
{% endif %}
{% if matrix_authentication_service_config_agents_static_definitions_openai_config_speech_to_text_enabled %}
speech_to_text:
model_id: {{ matrix_authentication_service_config_agents_static_definitions_openai_config_speech_to_text_model_id | to_json }}
{% endif %}
{% if matrix_authentication_service_config_agents_static_definitions_openai_config_text_to_speech_enabled %}
text_to_speech:
model_id: {{ matrix_authentication_service_config_agents_static_definitions_openai_config_text_to_speech_model_id | to_json }}
voice: {{ matrix_authentication_service_config_agents_static_definitions_openai_config_text_to_speech_voice | to_json }}
speed: {{ matrix_authentication_service_config_agents_static_definitions_openai_config_text_to_speech_speed | float }}
response_format: {{ matrix_authentication_service_config_agents_static_definitions_openai_config_text_to_speech_response_format | to_json }}
{% endif %}
{% if matrix_authentication_service_config_agents_static_definitions_openai_config_image_generation_enabled %}
image_generation:
model_id: {{ matrix_authentication_service_config_agents_static_definitions_openai_config_image_generation_model_id | to_json }}
style: {{ matrix_authentication_service_config_agents_static_definitions_openai_config_image_generation_style | to_json }}
size: {{ matrix_authentication_service_config_agents_static_definitions_openai_config_image_generation_size | to_json }}
{% endif %}

49
roles/custom/matrix-authentication-service/templates/systemd/matrix-authentication-service.service.j2 Normal file
View File

@ -0,0 +1,49 @@
#jinja2: lstrip_blocks: "True"
[Unit]
Description=Matrix Authentication Service
{% for service in matrix_authentication_service_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
{% for service in matrix_authentication_service_systemd_wanted_services_list %}
Wants={{ service }}
{% endfor %}
DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-authentication-service 2>/dev/null || true'
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-authentication-service 2>/dev/null || true'
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
--rm \
--name=matrix-authentication-service \
--log-driver=none \
--user={{ matrix_authentication_service_uid }}:{{ matrix_authentication_service_gid }} \
--cap-drop=ALL \
--read-only \
--network={{ matrix_authentication_service_container_network }} \
--env-file={{ matrix_authentication_service_config_path }}/env \
--label-file={{ matrix_authentication_service_config_path }}/labels \
--mount type=bind,src={{ matrix_authentication_service_config_path }}/config.yaml,dst=/config.yaml,ro \
--mount type=bind,src={{ matrix_authentication_service_data_keys_path }},dst=/keys,ro \
{% for arg in matrix_authentication_service_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_authentication_service_container_image }}
{% for network in matrix_authentication_service_container_additional_networks %}
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-authentication-service
{% endfor %}
ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-authentication-service
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-authentication-service 2>/dev/null || true'
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-authentication-service 2>/dev/null || true'
Restart=always
RestartSec=30
SyslogIdentifier=matrix-authentication-service
[Install]
WantedBy=multi-user.target

6
roles/custom/matrix-authentication-service/vars/main.yml Normal file
View File

@ -0,0 +1,6 @@
---
# Like `matrix_authentication_service_config_http_public_base` but a private base URL only accessible from within the container network.
matrix_authentication_service_http_base_container_url: "http://matrix-authentication-service:8080{{ '/' if matrix_authentication_service_path_prefix == '/' else (matrix_authentication_service_path_prefix + '/') }}"
matrix_authentication_service_account_management_url: "{{ matrix_authentication_service_config_http_public_base }}account"

7
roles/custom/matrix-static-files/defaults/main.yml
View File

@ -145,6 +145,13 @@ matrix_static_files_file_matrix_client_property_m_integrations_managers_ui_url:
# See: https://github.com/element-hq/element-web/blob/develop/docs/jitsi.md#configuring-element-to-use-your-self-hosted-jitsi-server
matrix_static_files_file_matrix_client_property_io_element_jitsi_preferred_domain: ""
# Controls if the org.matrix.msc3575.authentication section of the /.well-known/matrix/client file is enabled.
matrix_static_files_file_matrix_client_property_org_matrix_msc2965_authentication_enabled: false
# Controls the org.matrix.msc2965.authentication/issuer property in the /.well-known/matrix/client file
matrix_static_files_file_matrix_client_property_org_matrix_msc2965_authentication_issuer: ""
# Controls the org.matrix.msc2965.authentication/account property in the /.well-known/matrix/client file
matrix_static_files_file_matrix_client_property_org_matrix_msc2965_authentication_account: ""
# Controls the org.matrix.msc3575.proxy/url (sliding sync) property in the /.well-known/matrix/client file
matrix_static_files_file_matrix_client_property_org_matrix_msc3575_proxy_url: ""

5
roles/custom/matrix-static-files/tasks/validate_config.yml
View File

@ -4,7 +4,7 @@
ansible.builtin.fail:
msg: >-
You need to define a required configuration setting (`{{ item.name }}`).
when: "item.when | bool and vars[item.name] == ''"
when: "item.when | bool and vars[item.name] | length == 0"
with_items:
- {'name': 'matrix_static_files_container_labels_well_known_matrix_endpoint_traefik_hostname', when: "{{ matrix_static_files_container_labels_well_known_matrix_endpoint_enabled }}"}
- {'name': 'matrix_static_files_container_labels_well_known_matrix_endpoint_traefik_path_prefix', when: "{{ matrix_static_files_container_labels_well_known_matrix_endpoint_enabled }}"}
@ -13,3 +13,6 @@
- {'name': 'matrix_static_files_container_labels_base_domain_traefik_path_prefix', when: "{{ matrix_static_files_container_labels_base_domain_enabled }}"}
- {'name': 'matrix_static_files_container_labels_base_domain_root_path_redirection_url', when: "{{ matrix_static_files_container_labels_base_domain_enabled and matrix_static_files_container_labels_base_domain_root_path_redirection_enabled }}"}
- {'name': 'matrix_static_files_file_matrix_client_property_org_matrix_msc2965_authentication_issuer', when: "{{ matrix_static_files_file_matrix_client_property_org_matrix_msc2965_authentication_enabled and matrix_static_files_container_labels_base_domain_root_path_redirection_enabled }}"}
- {'name': 'matrix_static_files_file_matrix_client_property_org_matrix_msc2965_authentication_account', when: "{{ matrix_static_files_file_matrix_client_property_org_matrix_msc2965_authentication_enabled and matrix_static_files_container_labels_base_domain_root_path_redirection_enabled }}"}

6
roles/custom/matrix-static-files/templates/public/.well-known/matrix/client.j2
View File

@ -30,6 +30,12 @@
"url": "{{ matrix_static_files_file_matrix_client_property_org_matrix_msc3575_proxy_url }}"
}
{% endif %}
{% if matrix_static_files_file_matrix_client_property_org_matrix_msc2965_authentication_enabled %},
"org.matrix.msc2965.authentication": {
"issuer": {{ matrix_static_files_file_matrix_client_property_org_matrix_msc2965_authentication_issuer | to_json }},
"account": {{ matrix_static_files_file_matrix_client_property_org_matrix_msc2965_authentication_account | to_json }}
}
{% endif %}
{% if matrix_static_files_file_matrix_client_property_m_tile_server_entries_enabled %},
"m.tile_server": {
"map_style_url": "{{ matrix_static_files_file_matrix_client_property_m_tile_server_map_style_url }}"

60
roles/custom/matrix-synapse/defaults/main.yml
View File

@ -1129,6 +1129,61 @@ matrix_synapse_email_client_base_url: "{{ 'https' if matrix_playbook_ssl_enabled
matrix_synapse_email_invite_client_location: "https://app.element.io"
################################################################################
#
# Next-generation auth for Matrix, based on OAuth 2.0/OIDC
#
################################################################################
# Controls whether to enable the "Next-generation auth for Matrix, based on OAuth 2.0/OIDC" experimental feature.
#
# See:
# - https://matrix.org/blog/2023/09/better-auth/
# - https://github.com/matrix-org/matrix-spec-proposals/pull/3861
matrix_synapse_experimental_features_msc3861_enabled: false
# Specifies the issuer URL for the OAuth 2.0/OIDC authentication provider.
#
# This can be set to a private (container) URL.
#
# Example: https://matrix.example.com/auth/
matrix_synapse_experimental_features_msc3861_issuer: ''
# Specifies the introspection endpoint URL for the OAuth 2.0/OIDC authentication provider.
#
# This can be set to a private (container) URL.
#
# If this is left empty, `{issuer}/.well-known/openid-configuration` will be fetched and the `introspection_endpoint` will be extracted from there.
# We define it explicitly, because this allows us to override it and use an internal (container network) URL instead of using the public one.
# Avoiding public addresses is an optimization that decreases overhead due to public networking and SSL termination.
#
# Example: https://matrix.example.com/auth/oauth2/introspect
matrix_synapse_experimental_features_msc3861_introspection_endpoint: "{{ matrix_synapse_experimental_features_msc3861_issuer + 'oauth2/introspect' }}"
# A unique identifier for the client.
#
# It must be a valid ULID (https://github.com/ulid/spec),
# and it happens that 0000000000000000000SYNAPSE is a valid ULID.
matrix_synapse_experimental_features_msc3861_client_id: '0000000000000000000SYNAPSE'
matrix_synapse_experimental_features_msc3861_client_auth_method: client_secret_basic
matrix_synapse_experimental_features_msc3861_client_secret: ''
# A token that can be used to make admin API calls.
# Matches `matrix.secret` in the matrix-authentication-service config
matrix_synapse_experimental_features_msc3861_admin_token: ''
# URL to advertise to clients where users can self-manage their account.
matrix_synapse_experimental_features_msc3861_account_management_url: ''
################################################################################
#
# /Next-generation auth for Matrix, based on OAuth 2.0/OIDC
#
################################################################################
# Enable this to activate the REST auth password provider module.
# See: https://github.com/ma1uta/matrix-synapse-rest-password-provider
matrix_synapse_ext_password_provider_rest_auth_enabled: false
@ -1406,3 +1461,8 @@ matrix_synapse_configuration_extension: "{{ matrix_synapse_configuration_extensi
# Holds the final Synapse configuration (a combination of the default and its extension).
# You most likely don't need to touch this variable. Instead, see `matrix_synapse_configuration_yaml`.
matrix_synapse_configuration: "{{ matrix_synapse_configuration_yaml | from_yaml | combine(matrix_synapse_configuration_extension, recursive=True) }}"
# Holds the path to the register-user script provided by the Matrix Authentication Service.
# When the Matrix Authentication Service is enabled, the register-user script from this role cannot be used
# and users will be pointed to the one provided by Matrix Authentication Service.
matrix_synapse_register_user_script_matrix_authentication_service_path: ""

2
roles/custom/matrix-synapse/tasks/main.yml
View File

@ -54,7 +54,7 @@
- tags:
- register-user
block:
- when: matrix_synapse_enabled | bool
- when: matrix_synapse_enabled and not matrix_synapse_experimental_features_msc3861_enabled
ansible.builtin.include_tasks: "{{ role_path }}/tasks/register_user.yml"
- tags:

23
roles/custom/matrix-synapse/tasks/validate_config.yml
View File

@ -4,7 +4,7 @@
ansible.builtin.fail:
msg: >-
You need to define a required configuration setting (`{{ item.name }}`).
when: "item.when | bool and vars[item.name] == ''"
when: "item.when | bool and vars[item.name] | length == 0"
with_items:
- {'name': 'matrix_synapse_username', when: true}
- {'name': 'matrix_synapse_uid', when: true}
@ -32,6 +32,13 @@
- {'name': 'matrix_synapse_metrics_proxying_hostname', when: "{{ matrix_synapse_metrics_proxying_enabled }}"}
- {'name': 'matrix_synapse_metrics_proxying_path_prefix', when: "{{ matrix_synapse_metrics_proxying_enabled }}"}
- {'name': 'matrix_synapse_experimental_features_msc3861_issuer', when: "{{ matrix_synapse_experimental_features_msc3861_enabled }}"}
- {'name': 'matrix_synapse_experimental_features_msc3861_client_id', when: "{{ matrix_synapse_experimental_features_msc3861_enabled }}"}
- {'name': 'matrix_synapse_experimental_features_msc3861_client_auth_method', when: "{{ matrix_synapse_experimental_features_msc3861_enabled }}"}
- {'name': 'matrix_synapse_experimental_features_msc3861_client_secret', when: "{{ matrix_synapse_experimental_features_msc3861_enabled }}"}
- {'name': 'matrix_synapse_experimental_features_msc3861_admin_token', when: "{{ matrix_synapse_experimental_features_msc3861_enabled }}"}
- {'name': 'matrix_synapse_experimental_features_msc3861_account_management_url', when: "{{ matrix_synapse_experimental_features_msc3861_enabled }}"}
- name: Fail if asking for more than 1 instance of single-instance workers
ansible.builtin.fail:
msg: >-
@ -133,3 +140,17 @@
when:
- matrix_synapse_auto_accept_invites_enabled
- matrix_synapse_ext_synapse_auto_accept_invite_enabled
- name: Fail if known Synapse password provider modules are enabled when auth is delegated to Matrix Authentication Service
ansible.builtin.fail:
msg: "When Synapse is delegating authentication to Matrix Authentication Service, it does not make sense to enable password provider modules, because it is not Synapse that is handling authentication. Please disable {{ item }} before enabling Matrix Authentication Service integration for Synapse. Synapse will refuse to start otherwise."
when: matrix_synapse_experimental_features_msc3861_enabled and vars[item] | bool
with_items:
- matrix_synapse_ext_password_provider_rest_auth_enabled
- matrix_synapse_ext_password_provider_shared_secret_auth_enabled
- matrix_synapse_ext_password_provider_ldap_enabled
- name: Fail if password config is enabled for Synapse when auth is delegated to Matrix Authentication Service
ansible.builtin.fail:
msg: "When Synapse is delegating authentication to Matrix Authentication Service, it doesn't make sense to enable the password config (`matrix_synapse_password_config_enabled: true`), because it is not Synapse that is handling authentication. Please remove your `matrix_synapse_password_config_enabled: true` setting before enabling Matrix Authentication Service integration for Synapse. Synapse will refuse to start otherwise."
when: matrix_synapse_experimental_features_msc3861_enabled and matrix_synapse_password_config_enabled

6
roles/custom/matrix-synapse/templates/synapse/bin/register-user.j2
View File

@ -1,6 +1,11 @@
#jinja2: lstrip_blocks: "True"
#!/bin/bash
{% if matrix_synapse_experimental_features_msc3861_enabled %}
echo "Registering users is handled by the Matrix Authentication Service, so you cannot use this script anymore."
echo "Consider using the {{ matrix_synapse_register_user_script_matrix_authentication_service_path }} script instead."
exit 2
{% else %}
if [ $# -ne 3 ]; then
echo "Usage: "$0" <username> <password> <admin access: 0 or 1>"
exit 1
@ -15,3 +20,4 @@ if [ "$admin" -eq "1" ]; then
else
{{ devture_systemd_docker_base_host_command_docker }} exec matrix-synapse register_new_matrix_user -u "$user" -p "$password" -c /data/homeserver.yaml --no-admin http://localhost:{{ matrix_synapse_container_client_api_port }}
fi
{% endif %}

12
roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
View File

@ -2974,5 +2974,17 @@ background_updates:
#
#default_batch_size: 50
experimental_features:
{% if matrix_synapse_experimental_features_msc3861_enabled %}
msc3861:
enabled: true
issuer: {{ matrix_synapse_experimental_features_msc3861_issuer | to_json }}
introspection_endpoint: {{ matrix_synapse_experimental_features_msc3861_introspection_endpoint | to_json }}
client_id: {{ matrix_synapse_experimental_features_msc3861_client_id | to_json }}
client_auth_method: {{ matrix_synapse_experimental_features_msc3861_client_auth_method | to_json }}
client_secret: {{ matrix_synapse_experimental_features_msc3861_client_secret | to_json }}
admin_token: {{ matrix_synapse_experimental_features_msc3861_admin_token | to_json }}
account_management_url: {{ matrix_synapse_experimental_features_msc3861_account_management_url | to_json }}
{% endif %}
# vim:ft=yaml

60
roles/custom/matrix-user-creator/tasks/setup.yml
View File

@ -8,22 +8,48 @@
# Suppress logging to avoid dumping the credentials to the shell
no_log: true
- name: Ensure homeserver is started before creating Matrix users
ansible.builtin.service:
name: "matrix-{{ matrix_homeserver_implementation }}.service"
state: started
daemon_reload: true
register: matrix_user_registrator_homeserver_start_result
- when: not matrix_authentication_service_enabled | bool
block:
- name: Ensure homeserver is started before creating Matrix users
ansible.builtin.service:
name: "matrix-{{ matrix_homeserver_implementation }}.service"
state: started
daemon_reload: true
register: matrix_user_registrator_homeserver_start_result
- name: Wait a while, so that the homeserver can manage to start before creating Matrix users
ansible.builtin.pause:
seconds: "{{ matrix_user_creator_homeserver_start_wait_time_seconds }}"
when: matrix_user_registrator_homeserver_start_result.changed | bool
- name: Wait a while, so that the homeserver can manage to start before creating Matrix users
ansible.builtin.pause:
seconds: "{{ matrix_user_creator_homeserver_start_wait_time_seconds }}"
when: matrix_user_registrator_homeserver_start_result.changed | bool
- name: Ensure Matrix users are created
ansible.builtin.include_tasks: "{{ role_path }}/tasks/util/ensure_user_registered_{{ matrix_homeserver_implementation }}.yml"
with_items: "{{ matrix_user_creator_users }}"
loop_control:
loop_var: user
# Suppress logging to avoid dumping the credentials to the shell
no_log: true
- name: Ensure Matrix users are created for homeservers
when: not matrix_authentication_service_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/util/ensure_user_registered_{{ matrix_homeserver_implementation }}.yml"
with_items: "{{ matrix_user_creator_users }}"
loop_control:
loop_var: user
# Suppress logging to avoid dumping the credentials to the shell
no_log: true
- when: matrix_authentication_service_enabled | bool
block:
- name: Ensure Matrix Authentication Service is started before creating Matrix users
ansible.builtin.service:
name: "matrix-authentication-service.service"
state: started
daemon_reload: true
register: matrix_user_registrator_mas_start_result
- name: Wait a while, so that the Matrix Authentication Service can manage to start before creating Matrix users
ansible.builtin.pause:
seconds: "{{ matrix_user_creator_homeserver_start_wait_time_seconds }}"
when: matrix_user_registrator_mas_start_result.changed | bool
- name: Ensure Matrix users are created for Matrix Authentication Service
when: matrix_authentication_service_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/util/ensure_user_registered_matrix_authentication_service.yml"
with_items: "{{ matrix_user_creator_users }}"
loop_control:
loop_var: user
# Suppress logging to avoid dumping the credentials to the shell
no_log: true

19
roles/custom/matrix-user-creator/tasks/util/ensure_user_registered_matrix_authentication_service.yml Normal file
View File

@ -0,0 +1,19 @@
---
- name: Ensure Matrix Authentication Service user registered - {{ user.username | quote }}
ansible.builtin.command:
cmd: |-
{{ devture_systemd_docker_base_host_command_docker }} exec matrix-authentication-service
mas-cli manage register-user
-p {{ user.initial_password | quote }}
--yes
--ignore-password-complexity
{% if user.initial_type == 'admin' %}
--admin
{% else %}
--no-admin
{% endif %}
{{ user.username | quote }}
register: matrix_authentication_service_register_user_result
changed_when: "matrix_authentication_service_register_user_result.rc == 0 and 'Error: User already exists' not in matrix_authentication_service_register_user_result.stderr"
failed_when: "matrix_authentication_service_register_user_result.rc != 0 and 'Error: User already exists' not in matrix_authentication_service_register_user_result.stderr"