Do not install the ma1sd identity server by default
As mentioned in the changelog, this is a breaking change.
parent
123fe29c68
commit
958d089b68
17
CHANGELOG.md
@ -1,3 +1,20 @@
# 2022-03-17
## (Compatibility Break) ma1sd identity server no longer installed by default
The playbook no longer installs the [ma1sd](https://github.com/ma1uta/ma1sd) identity server by default. The next time you run the playbook, ma1sd will be uninstalled from your server, unless you explicitly enable the ma1sd service (see how below).
The main reason we used to install ma1sd by default in the past was to prevent Element from talking to the `matrix.org` / `vector.im` identity servers, by forcing it to talk to our own self-hosted (but otherwise useless) identity server instead, thus preventing contact list leaks.
Since Element no longer defaults to using a public identity server if another one is not provided, we can stop installing ma1sd.
If you need to install the ma1sd identity server for some reason, you can explicitly enable it by adding this to your `vars.yml` file:
```yaml
matrix_ma1sd_enabled: true
```
# 2022-02-12
# 2022-02-12
## matrix_encryption_disabler support
## matrix_encryption_disabler support
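Review bot: the rationale in this entry rests only on Element's current default, but the playbook also ships the Hydrogen and Cinny clients (both appear in the configuring-playbook.md hunk of this same commit), and the entry says nothing about whether those default to a public identity server; state which clients were checked and the Element version from which the "no longer defaults to using a public identity server" claim holds, since preventing contact-list leaks was the stated reason ma1sd was installed in the first place. The entry should also say what "ma1sd will be uninstalled from your server" means for its data (database and stored 3PID bindings), so operators know whether re-enabling it later restores the previous state.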
@ -31,7 +31,7 @@ Using this playbook, you can get the following services configured on your serve
- (optional, default) an [Element](https://app.element.io/) ([formerly Riot](https://element.io/previously-riot)) web UI, which is configured to connect to your own Synapse server by default
- (optional, default) an [Element](https://app.element.io/) ([formerly Riot](https://element.io/previously-riot)) web UI, which is configured to connect to your own Synapse server by default
- (optional, default) a [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server
- (optional) a [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server
- (optional, default) an [Exim](https://www.exim.org/) mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server)
- (optional, default) an [Exim](https://www.exim.org/) mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server)
@ -62,11 +62,11 @@ The `cinny.<your-domain>` subdomain may be necessary, because this playbook coul
## `_matrix-identity._tcp` SRV record setup
## `_matrix-identity._tcp` SRV record setup
To make the [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server (which this playbook installs for you) enable its federation features, set up an SRV record that looks like this:
To make the [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server (which this playbook may optionally install for you) enable its federation features, set up an SRV record that looks like this:
- Name: `_matrix-identity._tcp` (use this text as-is)
- Name: `_matrix-identity._tcp` (use this text as-is)
- Content: `10 0 443 matrix.<your-domain>` (replace `<your-domain>` with your own)
- Content: `10 0 443 matrix.<your-domain>` (replace `<your-domain>` with your own)
This is an optional feature. See [ma1sd's documentation](https://github.com/ma1uta/ma1sd/wiki/mxisd-and-your-privacy#choices-are-never-easy) for information on the privacy implications of setting up this SRV record.
This is an optional feature for the optionally-installed [ma1sd service](configuring-playbook-ma1sd.md). See [ma1sd's documentation](https://github.com/ma1uta/ma1sd/wiki/mxisd-and-your-privacy#choices-are-never-easy) for information on the privacy implications of setting up this SRV record.
Note: This `_matrix-identity._tcp` SRV record for the identity server is different from the `_matrix._tcp` that can be used for Synapse delegation. See [howto-server-delegation.md](howto-server-delegation.md) for more information about delegation.
Note: This `_matrix-identity._tcp` SRV record for the identity server is different from the `_matrix._tcp` that can be used for Synapse delegation. See [howto-server-delegation.md](howto-server-delegation.md) for more information about delegation.
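Review bot: the rewritten sentence now says ma1sd "may optionally" be installed, but the instruction "set up an SRV record that looks like this" still reads as a step every reader should follow; with ma1sd no longer installed by default, a `_matrix-identity._tcp` record pointing at `matrix.<your-domain>` on port 443 would advertise an identity server that is not running. Suggest moving the "This is an optional feature for the optionally-installed ma1sd service" sentence above the record rather than below it, and adding that operators whose ma1sd gets uninstalled by this change should remove the record.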
@ -1,24 +1,22 @@
# Adjusting ma1sd Identity Server configuration (optional)
# Adjusting ma1sd Identity Server configuration (optional)
By default, this playbook configures an [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server for you.
The playbook can configure the [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server for you.
ma1sd, being an Identity Server, is not strictly needed. It is only used for 3PIDs (3rd party identifiers like E-mail and phone numbers) and some [enhanced features](https://github.com/ma1uta/ma1sd/#features).
This server is private by default, potentially at the expense of user discoverability.
This server is private by default, potentially at the expense of user discoverability.
*ma1sd is a fork of [mxisd](https://github.com/kamax-io/mxisd) which was pronounced end of life 2019-06-21.*
*ma1sd is a fork of [mxisd](https://github.com/kamax-io/mxisd) which was pronounced end of life 2019-06-21.*
**Note**: enabling ma1sd (which is also the default), means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. It's something to be aware of, especially in terms of firewall whitelisting (make sure port `8448` is accessible).
**Note**: enabling ma1sd, means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. It's something to be aware of, especially in terms of firewall whitelisting (make sure port `8448` is accessible).
To enable ma1sd, use the following additional configuration in your `vars.yml` file:
## Disabling ma1sd
ma1sd, being an Identity Server, is not strictly needed. It is only used for 3PIDs (3rd party identifiers like E-mail and phone numbers) and some [enhanced features](https://github.com/ma1uta/ma1sd/#features).
If you'd like for the playbook to not install ma1sd (or to uninstall it if it was previously installed), you can disable it in your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
```yaml
```yaml
matrix_ma1sd_enabled: false
matrix_ma1sd_enabled: true
```
```
## Matrix.org lookup forwarding
## Matrix.org lookup forwarding
To ensure maximum discovery, you can make your identity server also forward lookups to the central matrix.org Identity server (at the cost of potentially leaking all your contacts information).
To ensure maximum discovery, you can make your identity server also forward lookups to the central matrix.org Identity server (at the cost of potentially leaking all your contacts information).
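Review bot: stray comma in the rewritten note: `**Note**: enabling ma1sd, means that` should read `**Note**: enabling ma1sd means that`. The deleted "Disabling ma1sd" paragraph also told readers where the file lives (`inventory/host_vars/matrix.<your-domain>/vars.yml`), while the new "To enable ma1sd" sentence only says "your `vars.yml` file"; keep the full path. Since the page now documents opt-in rather than opt-out, a one-line statement that the default is `matrix_ma1sd_enabled: false`, and that the `openid` endpoints on port `8448` are therefore not exposed unless the operator enables the service, would make the firewall note easier to act on.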
@ -47,8 +47,6 @@ When you're done with all the configuration you'd like to do, continue with [Ins
- [Using an external PostgreSQL server](configuring-playbook-external-postgres.md) (optional)
- [Using an external PostgreSQL server](configuring-playbook-external-postgres.md) (optional)
- [Adjusting ma1sd Identity Server configuration](configuring-playbook-ma1sd.md) (optional)
- [Adjusting SSL certificate retrieval](configuring-playbook-ssl-certificates.md) (optional, advanced)
- [Adjusting SSL certificate retrieval](configuring-playbook-ssl-certificates.md) (optional, advanced)
- [Serving your base domain using this playbook's nginx server](configuring-playbook-base-domain-serving.md) (optional)
- [Serving your base domain using this playbook's nginx server](configuring-playbook-base-domain-serving.md) (optional)
@ -69,11 +67,14 @@ When you're done with all the configuration you'd like to do, continue with [Ins
- [Adjusting email-sending settings](configuring-playbook-email.md) (optional)
- [Adjusting email-sending settings](configuring-playbook-email.md) (optional)
- [Setting up Hydrogen](configuring-playbook-client-hydrogen.md) - a new lightweight matrix client with legacy and mobile browser support (optional)
- [Setting up Hydrogen](configuring-playbook-client-hydrogen.md) - a new lightweight matrix client with legacy and mobile browser support (optional)
- [Setting up Cinny](configuring-playbook-client-cinny.md) - a web client focusing primarily on simple, elegant and secure interface (optional)
- [Setting up Cinny](configuring-playbook-client-cinny.md) - a web client focusing primarily on simple, elegant and secure interface (optional)
### Authentication and user-related
### Authentication and user-related
- [Setting up an ma1sd Identity Server](configuring-playbook-ma1sd.md) (optional)
- [Setting up Synapse Admin](configuring-playbook-synapse-admin.md) (optional)
- [Setting up Synapse Admin](configuring-playbook-synapse-admin.md) (optional)
- [Setting up matrix-registration](configuring-playbook-matrix-registration.md) (optional)
- [Setting up matrix-registration](configuring-playbook-matrix-registration.md) (optional)
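Review bot: the added link text "Setting up an ma1sd Identity Server" does not match the target page's own heading shown earlier in this commit, "Adjusting ma1sd Identity Server configuration (optional)"; the entry removed from the earlier list used that heading verbatim, so either keep the heading's wording here or retitle the page so the two stay in sync.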
@ -15,8 +15,6 @@ These services are enabled and used by default, but you can turn them off, if yo
- [vectorim/element-web](https://hub.docker.com/r/vectorim/element-web/) - the [Element](https://element.io/) web client (optional)
- [vectorim/element-web](https://hub.docker.com/r/vectorim/element-web/) - the [Element](https://element.io/) web client (optional)
- [ma1uta/ma1sd](https://hub.docker.com/r/ma1uta/ma1sd/) - the [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server (optional)
- [postgres](https://hub.docker.com/_/postgres/) - the [Postgres](https://www.postgresql.org/) database server (optional)
- [postgres](https://hub.docker.com/_/postgres/) - the [Postgres](https://www.postgresql.org/) database server (optional)
- [devture/exim-relay](https://hub.docker.com/r/devture/exim-relay/) - the [Exim](https://www.exim.org/) email server (optional)
- [devture/exim-relay](https://hub.docker.com/r/devture/exim-relay/) - the [Exim](https://www.exim.org/) email server (optional)
@ -30,6 +28,8 @@ These services are enabled and used by default, but you can turn them off, if yo
These services are not part of our default installation, but can be enabled by [configuring the playbook](configuring-playbook.md) (either before the initial installation or any time later):
These services are not part of our default installation, but can be enabled by [configuring the playbook](configuring-playbook.md) (either before the initial installation or any time later):
- [ma1uta/ma1sd](https://hub.docker.com/r/ma1uta/ma1sd/) - the [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server (optional)
- [matrixdotorg/dendrite-monolith](https://hub.docker.com/r/matrixdotorg/dendrite-monolith/) - the official [Dendrite](https://github.com/matrix-org/dendrite) Matrix homeserver (optional)
- [matrixdotorg/dendrite-monolith](https://hub.docker.com/r/matrixdotorg/dendrite-monolith/) - the official [Dendrite](https://github.com/matrix-org/dendrite) Matrix homeserver (optional)
- [ewoutp/goofys](https://hub.docker.com/r/ewoutp/goofys/) - the [Goofys](https://github.com/kahing/goofys) Amazon [S3](https://aws.amazon.com/s3/) file-system-mounting program (optional)
- [ewoutp/goofys](https://hub.docker.com/r/ewoutp/goofys/) - the [Goofys](https://github.com/kahing/goofys) Amazon [S3](https://aws.amazon.com/s3/) file-system-mounting program (optional)
@ -1328,9 +1328,16 @@ matrix_mailer_container_image_self_build: "{{ matrix_architecture not in ['amd64
#
#
######################################################################
######################################################################
# By default, this playbook installs the ma1sd identity server on the same domain as Synapse (`matrix_server_fqn_matrix`).
# We no longer install the ma1sd identity server by default.
# If you wish to use the public identity servers (matrix.org, vector.im) instead of your own you may wish to disable this.
#
matrix_ma1sd_enabled: true
# The main reason we used to install ma1sd by default in the past was to
# prevent Element from talking to the `matrix.org` / `vector.im` identity servers,
# by forcing it to talk to our own self-hosted (but otherwise useless) identity server instead,
# thus preventing contact list leaks.
#
# Since Element no longer defaults to using a public identity server if another one is not provided,
# we can stop installing ma1sd.
matrix_ma1sd_enabled: false
matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
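Review bot: the new comment block repeats the CHANGELOG entry word for word; a single line such as `# See the 2022-03-17 CHANGELOG entry for why ma1sd is no longer enabled by default.` is easier to keep in sync. The dropped line "If you wish to use the public identity servers (matrix.org, vector.im) instead of your own you may wish to disable this" carried guidance that now needs its inverse: with the default at `false`, add a hint that operators who want to keep clients from ever reaching `matrix.org` / `vector.im` can still set `matrix_ma1sd_enabled: true`, and name the Element version from which the "no longer defaults to using a public identity server" claim holds, since the safety of the new default depends on it.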