From 958d089b68d46d1810b3b508234bfc4809522f68 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 17 Mar 2022 17:58:59 +0200 Subject: [PATCH] Do not install the ma1sd identity server by default As mentioned in the changelog, this is a breaking change. --- CHANGELOG.md | 17 +++++++++++++++++ README.md | 2 +- docs/configuring-dns.md | 4 ++-- docs/configuring-playbook-ma1sd.md | 16 +++++++--------- docs/configuring-playbook.md | 5 +++-- docs/container-images.md | 4 ++-- group_vars/matrix_servers | 13 ++++++++++--- 7 files changed, 42 insertions(+), 19 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c1ac92e57..0196a1b06 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,20 @@ +# 2022-03-17 + +## (Compatibility Break) ma1sd identity server no longer installed by default + +The playbook no longer installs the [ma1sd](https://github.com/ma1uta/ma1sd) identity server by default. The next time you run the playbook, ma1sd will be uninstalled from your server, unless you explicitly enable the ma1sd service (see how below). + +The main reason we used to install ma1sd by default in the past was to prevent Element from talking to the `matrix.org` / `vector.im` identity servers, by forcing it to talk to our own self-hosted (but otherwise useless) identity server instead, thus preventing contact list leaks. + +Since Element no longer defaults to using a public identity server if another one is not provided, we can stop installing ma1sd. + +If you need to install the ma1sd identity server for some reason, you can explicitly enable it by adding this to your `vars.yml` file: + +```yaml +matrix_ma1sd_enabled: true +``` + + # 2022-02-12 ## matrix_encryption_disabler support diff --git a/README.md b/README.md index e1e901d0a..0e6bc51b6 100644 --- a/README.md +++ b/README.md 
@@ -31,7 +31,7 @@ Using this playbook, you can get the following services configured on your serve - (optional, default) an [Element](https://app.element.io/) ([formerly Riot](https://element.io/previously-riot)) web UI, which is configured to connect to your own Synapse server by default -- (optional, default) a [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server +- (optional) a [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server - (optional, default) an [Exim](https://www.exim.org/) mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index 4416c3bc1..c16ab2fca 100644 --- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md 
@@ -62,11 +62,11 @@ The `cinny.` subdomain may be necessary, because this playbook coul ## `_matrix-identity._tcp` SRV record setup -To make the [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server (which this playbook installs for you) enable its federation features, set up an SRV record that looks like this: +To make the [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server (which this playbook may optionally install for you) enable its federation features, set up an SRV record that looks like this: - Name: `_matrix-identity._tcp` (use this text as-is) - Content: `10 0 443 matrix.` (replace `` with your own) -This is an optional feature. See [ma1sd's documentation](https://github.com/ma1uta/ma1sd/wiki/mxisd-and-your-privacy#choices-are-never-easy) for information on the privacy implications of setting up this SRV record. +This is an optional feature for the optionally-installed [ma1sd service](configuring-playbook-ma1sd.md). See [ma1sd's documentation](https://github.com/ma1uta/ma1sd/wiki/mxisd-and-your-privacy#choices-are-never-easy) for information on the privacy implications of setting up this SRV record. Note: This `_matrix-identity._tcp` SRV record for the identity server is different from the `_matrix._tcp` that can be used for Synapse delegation. See [howto-server-delegation.md](howto-server-delegation.md) for more information about delegation. diff --git a/docs/configuring-playbook-ma1sd.md b/docs/configuring-playbook-ma1sd.md index 70c507cba..e18a51c5d 100644 --- a/docs/configuring-playbook-ma1sd.md +++ b/docs/configuring-playbook-ma1sd.md 
@@ -1,24 +1,22 @@ # Adjusting ma1sd Identity Server configuration (optional) -By default, this playbook configures an [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server for you. +The playbook can configure the [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server for you. + +ma1sd, being an Identity Server, is not strictly needed. It is only used for 3PIDs (3rd party identifiers like E-mail and phone numbers) and some [enhanced features](https://github.com/ma1uta/ma1sd/#features). This server is private by default, potentially at the expense of user discoverability. *ma1sd is a fork of [mxisd](https://github.com/kamax-io/mxisd) which was pronounced end of life 2019-06-21.* -**Note**: enabling ma1sd (which is also the default), means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. It's something to be aware of, especially in terms of firewall whitelisting (make sure port `8448` is accessible). +**Note**: enabling ma1sd, means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. It's something to be aware of, especially in terms of firewall whitelisting (make sure port `8448` is accessible). - -## Disabling ma1sd - -ma1sd, being an Identity Server, is not strictly needed. It is only used for 3PIDs (3rd party identifiers like E-mail and phone numbers) and some [enhanced features](https://github.com/ma1uta/ma1sd/#features). 
- -If you'd like for the playbook to not install ma1sd (or to uninstall it if it was previously installed), you can disable it in your configuration file (`inventory/host_vars/matrix./vars.yml`): +To enable ma1sd, use the following additional configuration in your `vars.yml` file: ```yaml -matrix_ma1sd_enabled: false +matrix_ma1sd_enabled: true ``` + ## Matrix.org lookup forwarding To ensure maximum discovery, you can make your identity server also forward lookups to the central matrix.org Identity server (at the cost of potentially leaking all your contacts information). diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 9b1538834..3d5e6c2c7 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -47,8 +47,6 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Using an external PostgreSQL server](configuring-playbook-external-postgres.md) (optional) -- [Adjusting ma1sd Identity Server configuration](configuring-playbook-ma1sd.md) (optional) - - [Adjusting SSL certificate retrieval](configuring-playbook-ssl-certificates.md) (optional, advanced) - [Serving your base domain using this playbook's nginx server](configuring-playbook-base-domain-serving.md) (optional) 
@@ -69,11 +67,14 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Adjusting email-sending settings](configuring-playbook-email.md) (optional) - [Setting up Hydrogen](configuring-playbook-client-hydrogen.md) - a new lightweight matrix client with legacy and mobile browser support (optional) + - [Setting up Cinny](configuring-playbook-client-cinny.md) - a web client focusing primarily on simple, elegant and secure interface (optional) ### Authentication and user-related +- [Setting up an ma1sd Identity Server](configuring-playbook-ma1sd.md) (optional) + - [Setting up Synapse Admin](configuring-playbook-synapse-admin.md) (optional) - [Setting up matrix-registration](configuring-playbook-matrix-registration.md) (optional) diff --git a/docs/container-images.md b/docs/container-images.md index cf680d217..bf5885e06 100644 --- a/docs/container-images.md +++ b/docs/container-images.md @@ -15,8 +15,6 @@ These services are enabled and used by default, but you can turn them off, if yo - [vectorim/element-web](https://hub.docker.com/r/vectorim/element-web/) - the [Element](https://element.io/) web client (optional) -- [ma1uta/ma1sd](https://hub.docker.com/r/ma1uta/ma1sd/) - the [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server (optional) - - [postgres](https://hub.docker.com/_/postgres/) - the [Postgres](https://www.postgresql.org/) database server (optional) - [devture/exim-relay](https://hub.docker.com/r/devture/exim-relay/) - the [Exim](https://www.exim.org/) email server (optional) 
@@ -30,6 +28,8 @@ These services are enabled and used by default, but you can turn them off, if yo These services are not part of our default installation, but can be enabled by [configuring the playbook](configuring-playbook.md) (either before the initial installation or any time later): +- [ma1uta/ma1sd](https://hub.docker.com/r/ma1uta/ma1sd/) - the [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server (optional) + - [matrixdotorg/dendrite-monolith](https://hub.docker.com/r/matrixdotorg/dendrite-monolith/) - the official [Dendrite](https://github.com/matrix-org/dendrite) Matrix homeserver (optional) - [ewoutp/goofys](https://hub.docker.com/r/ewoutp/goofys/) - the [Goofys](https://github.com/kahing/goofys) Amazon [S3](https://aws.amazon.com/s3/) file-system-mounting program (optional) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index d938c76d7..32be903a5 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -1328,9 +1328,16 @@ matrix_mailer_container_image_self_build: "{{ matrix_architecture not in ['amd64 # ###################################################################### -# By default, this playbook installs the ma1sd identity server on the same domain as Synapse (`matrix_server_fqn_matrix`). -# If you wish to use the public identity servers (matrix.org, vector.im) instead of your own you may wish to disable this. -matrix_ma1sd_enabled: true +# We no longer install the ma1sd identity server by default. +# +# The main reason we used to install ma1sd by default in the past was to +# prevent Element from talking to the `matrix.org` / `vector.im` identity servers, +# by forcing it to talk to our own self-hosted (but otherwise useless) identity server instead, +# thus preventing contact list leaks. +# +# Since Element no longer defaults to using a public identity server if another one is not provided, +# we can stop installing ma1sd. +matrix_ma1sd_enabled: false matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
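Review bot: the CHANGELOG.md hunk says ma1sd "will be uninstalled from your server" on the next run, but does not say what happens to the data ma1sd holds or to users who depend on it for 3PIDs (email addresses and phone numbers, which the `docs/configuring-playbook-ma1sd.md` hunk in this same patch describes as its main use). Suggest adding a sentence telling users who bind email or phone identifiers through ma1sd to set `matrix_ma1sd_enabled: true` before running the playbook, and stating whether the uninstall keeps or removes ma1sd's stored data, so nobody loses bindings silently on a routine playbook run.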
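Review bot: the `docs/configuring-dns.md` hunk now describes ma1sd as optionally installed, but users who created the `_matrix-identity._tcp` SRV record while ma1sd was installed by default will keep advertising an identity server at the host named in the record after this change removes the service. Suggest adding a sentence after "This is an optional feature for the optionally-installed ma1sd service" recommending that the SRV record be removed unless `matrix_ma1sd_enabled: true` is set, since a dangling record points other servers' identity lookups at an endpoint that no longer answers.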
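Review bot: in the `docs/configuring-playbook-ma1sd.md` hunk, the added line `**Note**: enabling ma1sd, means that the ...` keeps a stray comma after `ma1sd` left over from deleting `(which is also the default)`; suggest `**Note**: enabling ma1sd means that the ...`. The page heading also still reads `Adjusting ma1sd Identity Server configuration (optional)` while the new link added in `docs/configuring-playbook.md` calls it `Setting up an ma1sd Identity Server`; renaming the heading to match the link (in the `Setting up ...` form used by the Hydrogen, Cinny and Synapse Admin entries in that list) would keep the doc title and its index entry consistent.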
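Review bot: the `docs/configuring-playbook.md` hunk adds `- [Setting up an ma1sd Identity Server]` with the article `an`, while the README.md hunk in this same patch writes `- (optional) a [ma1sd]`; pick one article for ma1sd across the docs so the index entry and the README read the same way.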
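Review bot: the `group_vars/matrix_servers` hunk drops the one operational detail the old comment carried, that when enabled ma1sd is installed on the same domain as Synapse (`matrix_server_fqn_matrix`), and replaces it with the rationale already given in CHANGELOG.md. Suggest keeping that line next to the new text, and adding a short pointer that enabling ma1sd exposes the `openid` API endpoints on the federation port (usually `8448`) even when federation is disabled, as the `docs/configuring-playbook-ma1sd.md` hunk in this patch notes, so someone flipping `matrix_ma1sd_enabled` to `true` from the inventory sees the exposure implication without reading the docs.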