From 82989b662aa02eb8b804d9977b2633c658bfb3c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micka=C3=ABl=20Corni=C3=A8re?= Date: Sun, 29 Mar 2020 23:49:09 +0200 Subject: [PATCH 01/87] Fix bad network and bad path to postgre env --- .../usr-local-bin/matrix-change-user-admin-status.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 index 5f66ca6cd..861a0d0d7 100644 --- a/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 +++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 @@ -13,7 +13,7 @@ docker run \ --rm \ --user=991:991 \ --cap-drop=ALL \ - --env-file=/matrix/postgres/env-postgres-psql \ - --network matrix \ + --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \ + --network {{ matrix_docker_network }} \ postgres:12.1-alpine \ - psql -h matrix-postgres -c "UPDATE users set admin=$2 WHERE name like '@$1:{{ matrix_domain }}'" \ No newline at end of file + psql -h matrix-postgres -c "UPDATE users set admin=$2 WHERE name like '@$1:{{ matrix_domain }}'" From 067588b26293b3a627dc12fb4009c3238f8707de Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 30 Mar 2020 16:54:18 +0300 Subject: [PATCH 02/87] Upgrade riot-web --- docs/configuring-playbook-jitsi.md | 6 +----- roles/matrix-riot-web/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index 67d2830ce..f163976d0 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md 
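Review bot: `$1` and `$2` are still spliced unquoted into the SQL string on the last line of the hunk, so a localpart containing `'` or the `like` wildcards `%`/`_` changes which rows the statement touches, and `$2` is never restricted to `true`/`false`. Since no pattern matching is intended, `name = '@$1:{{ matrix_domain }}'` is the safer comparison, and a guard before `docker run` such as `case "$2" in true|false) ;; *) echo "usage: $0 <localpart> <true|false>" >&2; exit 1;; esac` rejects bad input early. This is an operator-run helper rather than an externally reachable entry point, so the main risk is an accidental mass update, but the check is cheap. The top of the script, where the arguments are read, lies outside the hunk.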
@@ -23,10 +23,6 @@ Add this to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: ```yaml matrix_jitsi_enabled: true - -# We only need this temporarily - until Jitsi integration in riot-web is finalized. -# Remove this line in the future, to switch back to a stable riot-web version. -matrix_riot_web_docker_image: "vectorim/riot-web:develop" ``` Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` @@ -36,4 +32,4 @@ Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags= You can use the self-hosted Jitsi server through Riot, through an Integration Manager like [Dimension](docs/configuring-playbook-dimension.md) or directly at `https://jitsi.DOMAIN`. -To use it via riot-web, make sure you've installed the `develop` version and fully reloaded your riot-web page (at `riot.DOMAIN`). Starting a video-conference in a room containing more than 2 members should then create a Jitsi widget which utilizes your self-hosted Jitsi server. +To use it via riot-web (the one configured by the playbook at `https://riot.DOMAIN`), just start a voice or a video call in a room containing more than 2 members and that would create a Jitsi widget which utilizes your self-hosted Jitsi server. diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index 808d4ffdb..9db8b9b8f 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -2,7 +2,7 @@ matrix_riot_web_enabled: true matrix_riot_web_container_image_self_build: false -matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.13" +matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.14" matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" From 26b73e3a4bb977f42fc6a5592b83d38e8ee4741e Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Mon, 30 Mar 2020 17:00:10 +0300 Subject: [PATCH 03/87] Do not install unnecessary bash-completion --- roles/matrix-base/tasks/server_base/setup_archlinux.yml | 1 - roles/matrix-base/tasks/server_base/setup_centos.yml | 1 - roles/matrix-base/tasks/server_base/setup_debian.yml | 1 - roles/matrix-base/tasks/server_base/setup_raspbian.yml | 1 - 4 files changed, 4 deletions(-) diff --git a/roles/matrix-base/tasks/server_base/setup_archlinux.yml b/roles/matrix-base/tasks/server_base/setup_archlinux.yml index e68e4e99f..144e8b751 100644 --- a/roles/matrix-base/tasks/server_base/setup_archlinux.yml +++ b/roles/matrix-base/tasks/server_base/setup_archlinux.yml @@ -3,7 +3,6 @@ - name: Install host dependencies pacman: name: - - bash-completion - python-docker - ntp # TODO This needs to be verified. Which version do we need? diff --git a/roles/matrix-base/tasks/server_base/setup_centos.yml b/roles/matrix-base/tasks/server_base/setup_centos.yml index 2554e26e9..945c86ef1 100644 --- a/roles/matrix-base/tasks/server_base/setup_centos.yml +++ b/roles/matrix-base/tasks/server_base/setup_centos.yml @@ -20,7 +20,6 @@ - name: Ensure yum packages are installed yum: name: - - bash-completion - docker-python - ntp - fuse diff --git a/roles/matrix-base/tasks/server_base/setup_debian.yml b/roles/matrix-base/tasks/server_base/setup_debian.yml index c8325324c..9438a5f4b 100644 --- a/roles/matrix-base/tasks/server_base/setup_debian.yml +++ b/roles/matrix-base/tasks/server_base/setup_debian.yml @@ -27,7 +27,6 @@ - name: Ensure APT packages are installed apt: name: - - bash-completion - "python{{'3' if ansible_python.version.major == 3 else ''}}-docker" - ntp - fuse diff --git a/roles/matrix-base/tasks/server_base/setup_raspbian.yml b/roles/matrix-base/tasks/server_base/setup_raspbian.yml index e92842843..3a62a5db8 100644 --- a/roles/matrix-base/tasks/server_base/setup_raspbian.yml +++ b/roles/matrix-base/tasks/server_base/setup_raspbian.yml 
@@ -27,7 +27,6 @@ - name: Ensure APT packages are installed apt: name: - - bash-completion - python-docker - ntp - fuse From ca04ca9ffef0384e435b259d6e0131cfcdd21171 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 30 Mar 2020 17:04:56 +0300 Subject: [PATCH 04/87] Make it possible to change Jitsi web UI language Fixes #427 (Github Issue). --- roles/matrix-jitsi/defaults/main.yml | 3 +++ roles/matrix-jitsi/templates/web/config.js.j2 | 2 +- roles/matrix-jitsi/templates/web/interface_config.js.j2 | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index ae5dcb8f9..6eb36577d 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -51,6 +51,9 @@ matrix_jitsi_web_container_extra_arguments: [] # List of systemd services that matrix-jitsi-web.service depends on matrix_jitsi_web_systemd_required_services_list: ['docker.service'] +matrix_jitsi_web_config_defaultLanguage: 'en' +matrix_jitsi_web_interface_config_lang_detection: false + matrix_jitsi_prosody_docker_image: "jitsi/prosody:4101" matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-jitsi/templates/web/config.js.j2 b/roles/matrix-jitsi/templates/web/config.js.j2 index f18471e1c..72bffbd53 100644 --- a/roles/matrix-jitsi/templates/web/config.js.j2 +++ b/roles/matrix-jitsi/templates/web/config.js.j2 @@ -263,7 +263,7 @@ hiddenDomain: {{ matrix_jitsi_recorder_domain|to_json }}, // disable1On1Mode: false, // Default language for the user interface. - // defaultLanguage: 'en', + defaultLanguage: {{ matrix_jitsi_web_config_defaultLanguage|to_json }}, // If true all users without a token will be considered guests and all users // with token will be considered non-guests. Only guests will be allowed to 
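Review bot: The new `matrix_jitsi_web_config_defaultLanguage` key mixes camelCase into a defaults file whose other variables, including the sibling `matrix_jitsi_web_interface_config_lang_detection` added in the same hunk, are snake_case. If the camelCase tail is meant to mirror the `defaultLanguage` key of config.js, a comment saying so would stop the next reader from "fixing" it, e.g. `# Default UI language; rendered as defaultLanguage in templates/web/config.js.j2` and `# Controls whether the Jitsi web UI may detect the browser language (LANG_DETECTION in interface_config.js)`. Both new defaults are otherwise undocumented while the neighbouring keys each carry a comment. Rendering both values through `|to_json` in the two template hunks keeps them proper JS literals, so nothing needs to change there.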
diff --git a/roles/matrix-jitsi/templates/web/interface_config.js.j2 b/roles/matrix-jitsi/templates/web/interface_config.js.j2 index dd5abc59d..737b924e4 100644 --- a/roles/matrix-jitsi/templates/web/interface_config.js.j2 +++ b/roles/matrix-jitsi/templates/web/interface_config.js.j2 @@ -30,7 +30,7 @@ var interfaceConfig = { APP_NAME: 'Jitsi Meet', NATIVE_APP_NAME: 'Jitsi Meet', PROVIDER_NAME: 'Jitsi', - LANG_DETECTION: false, // Allow i18n to detect the system language + LANG_DETECTION: {{ matrix_jitsi_web_interface_config_lang_detection|to_json }}, // Allow i18n to detect the system language INVITATION_POWERED_BY: true, /** From 584418ae0f07590f60162debcdac68f400b82deb Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 31 Mar 2020 10:30:07 +0300 Subject: [PATCH 05/87] Fix broken link --- docs/configuring-playbook-bridge-appservice-discord.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-bridge-appservice-discord.md b/docs/configuring-playbook-bridge-appservice-discord.md index 1db2aed66..0db6b0487 100644 --- a/docs/configuring-playbook-bridge-appservice-discord.md +++ b/docs/configuring-playbook-bridge-appservice-discord.md @@ -6,9 +6,9 @@ See the project's [documentation](https://github.com/Half-Shot/matrix-appservice Setup Instructions: -loosely based on [this](https://github.com/Half-Shot/matrix-appservice-discord#setting-up) +loosely based on [this](https://github.com/Half-Shot/matrix-appservice-discord#setting-up). -1. Create a Discord Application [here](https://discordapp.com/developers/applications/me/create). +1. Create a Discord Application [here](https://discordapp.com/developers/applications). 2. Retrieve Client ID and Bot token from this Application. 3. Enable the bridge with the following configuration in your `vars.yml` file: From bb2b2b4f1c00e2a599880ca47874ad9642b0167c Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Tue, 31 Mar 2020 11:13:45 +0300 Subject: [PATCH 06/87] Clarify Discord bridging docs --- docs/configuring-playbook-bridge-appservice-discord.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-bridge-appservice-discord.md b/docs/configuring-playbook-bridge-appservice-discord.md index 0db6b0487..8e9803f67 100644 --- a/docs/configuring-playbook-bridge-appservice-discord.md +++ b/docs/configuring-playbook-bridge-appservice-discord.md @@ -9,8 +9,9 @@ Setup Instructions: loosely based on [this](https://github.com/Half-Shot/matrix-appservice-discord#setting-up). 1. Create a Discord Application [here](https://discordapp.com/developers/applications). -2. Retrieve Client ID and Bot token from this Application. -3. Enable the bridge with the following configuration in your `vars.yml` file: +2. Retrieve Client ID. +3. Create a bot from the Bot tab and retrieve the Bot token. +4. Enable the bridge with the following configuration in your `vars.yml` file: ```yaml matrix_appservice_discord_enabled: true From 8bcc9712d06b8f39a461842dd37663ccd41f41b7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 31 Mar 2020 11:45:32 +0300 Subject: [PATCH 07/87] Make follow_redirects configurable when checking /.well-known/matrix/client Discussed in #101 (Github Issue). --- roles/matrix-nginx-proxy/defaults/main.yml | 6 ++++++ roles/matrix-nginx-proxy/tasks/self_check_well_known.yml | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 5bf0fc0c8..8f3f0481b 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml 
@@ -184,6 +184,12 @@ matrix_nginx_proxy_ssl_protocols: "TLSv1.2 TLSv1.3" # Controls whether the self-check feature should validate SSL certificates. matrix_nginx_proxy_self_check_validate_certificates: true +# Controls whether redirects will be followed when checking the `/.well-known/matrix/client` resource. +# +# As per the spec (https://matrix.org/docs/spec/client_server/r0.6.0#well-known-uri), it shouldn't be, +# so we default to not following redirects as well. +matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects: none + # By default, this playbook automatically retrieves and auto-renews # free SSL certificates from Let's Encrypt. # diff --git a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml index 1e274ee36..6aaf9cb31 100644 --- a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml +++ b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml @@ -6,7 +6,7 @@ - path: /.well-known/matrix/client purpose: Client Discovery cors: true - follow_redirects: none + follow_redirects: "{{ matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects }}" validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}" - block: From b450afc12e73ca353a1979a07a9c4f2957e17558 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 1 Apr 2020 11:34:53 +0300 Subject: [PATCH 08/87] Make Discord bridge docs better --- ...ring-playbook-bridge-appservice-discord.md | 27 +++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-bridge-appservice-discord.md b/docs/configuring-playbook-bridge-appservice-discord.md index 8e9803f67..dbd112267 100644 --- a/docs/configuring-playbook-bridge-appservice-discord.md +++ b/docs/configuring-playbook-bridge-appservice-discord.md 
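Review bot: The new `matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects` default explains why redirects are not followed but not what other values are accepted; since the value is passed straight to the `uri` module's `follow_redirects`, a comment such as `# Accepts the uri module's follow_redirects values (none, safe, all).` would save a trip to the module docs. It is also worth stating in the same comment that relaxing this only makes the self-check pass: a `/.well-known/matrix/client` resource that answers with a redirect is still not discoverable by clients that follow the spec, so `all` hides a misconfiguration rather than fixing it. Quoting the default as `"none"` would match the quoting style of the other string defaults in this file.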
@@ -4,9 +4,10 @@ The playbook can install and configure [matrix-appservice-discord](https://githu See the project's [documentation](https://github.com/Half-Shot/matrix-appservice-discord/blob/master/README.md) to learn what it does and why it might be useful to you. -Setup Instructions: -loosely based on [this](https://github.com/Half-Shot/matrix-appservice-discord#setting-up). +## Setup Instructions + +Instructions loosely based on [this](https://github.com/Half-Shot/matrix-appservice-discord#setting-up). 1. Create a Discord Application [here](https://discordapp.com/developers/applications). 2. Retrieve Client ID. 
@@ -25,3 +26,25 @@ matrix_appservice_discord_bot_token: "YOUR DISCORD APP BOT TOKEN" 7. Join the rooms by following this syntax `#_discord_guildid_channelid` - can be easily retrieved by logging into Discord in a browser and opening the desired channel. URL will have this format: `discordapp.com/channels/guild_id/channel_id` Other configuration options are available via the `matrix_appservice_discord_configuration_extension_yaml` variable. + + +## Getting Administrator access in a room + +By default, you won't have Administrator access in rooms created by the bridge. + +To [adjust room access privileges](#adjusting-room-access-privileges) or do various other things (change the room name subsequently, etc.), you'd wish to become an Administrator. + +There's the Discord bridge's guide for [setting privileges on bridge managed rooms](https://github.com/Half-Shot/matrix-appservice-discord/blob/master/docs/howto.md#set-privileges-on-bridge-managed-rooms). To do the same with our container setup, run the following command on the server: + +``` +docker exec -it matrix-appservice-discord /bin/sh -c 'cp /build/tools/adminme.js /tmp/adminme.js && cp /cfg/registration.yaml /tmp/discord-registration.yaml && cd /tmp && node /tmp/adminme.js -c /cfg/config.yaml -r "!ROOM_ID:SERVER" -u "@USER:SERVER" -p 100' +``` + + +## Adjusting room access privileges + +All rooms created by the bridge are **listed publicly** in your server's directory and **joinable by everyone** by default. + +To get more control of them, [make yourself a room Administrator](#getting-administrator-access-in-a-room) first. + +You can then unlist the room from the directory and change the join rules. From e1774c648a0de8778cbdee8f2b81ab887becff72 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Wed, 1 Apr 2020 18:11:12 +0300 Subject: [PATCH 09/87] Upgrade riot-web (v1.5.14 -> v1.5.15) --- roles/matrix-riot-web/defaults/main.yml | 2 +- roles/matrix-riot-web/templates/config.json.j2 | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/roles/matrix-riot-web/defaults/main.yml b/roles/matrix-riot-web/defaults/main.yml index 9db8b9b8f..e55de5346 100644 --- a/roles/matrix-riot-web/defaults/main.yml +++ b/roles/matrix-riot-web/defaults/main.yml @@ -2,7 +2,7 @@ matrix_riot_web_enabled: true matrix_riot_web_container_image_self_build: false -matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.14" +matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.15" matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}" matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web" diff --git a/roles/matrix-riot-web/templates/config.json.j2 b/roles/matrix-riot-web/templates/config.json.j2 index 41cbee7cf..43d50ab51 100644 --- a/roles/matrix-riot-web/templates/config.json.j2 +++ b/roles/matrix-riot-web/templates/config.json.j2 @@ -32,8 +32,7 @@ }, {% if matrix_riot_web_jitsi_preferredDomain is not none %} "jitsi": { - "preferredDomain": {{ matrix_riot_web_jitsi_preferredDomain|to_json }}, - "externalApiUrl": "https://{{ matrix_riot_web_jitsi_preferredDomain }}/libs/external_api.min.js" + "preferredDomain": {{ matrix_riot_web_jitsi_preferredDomain|to_json }} }, {% endif %} "branding": { From 187dedf9204334043c330b4062f0dc69e15993d9 Mon Sep 17 00:00:00 2001 
From: Marcel Partap Date: Tue, 31 Dec 2019 21:35:37 +0100 Subject: [PATCH 10/87] Duplicate matrix-mxisd role for matrix-ma1sd fork (adapting strings and URLs) --- ...mxisd.md => configuring-playbook-ma1sd.md} | 0 roles/matrix-ma1sd/defaults/main.yml | 175 +++++++++++++++++ .../tasks/init.yml | 8 +- roles/matrix-ma1sd/tasks/main.yml | 21 +++ roles/matrix-ma1sd/tasks/self_check_ma1sd.yml | 21 +++ roles/matrix-ma1sd/tasks/setup_ma1sd.yml | 137 ++++++++++++++ roles/matrix-ma1sd/tasks/validate_config.yml | 57 ++++++ .../templates/systemd/matrix-ma1sd.service.j2 | 46 +++++ roles/matrix-ma1sd/vars/main.yml | 5 + roles/matrix-mxisd/defaults/main.yml | 178 ------------------ roles/matrix-mxisd/tasks/main.yml | 21 --- roles/matrix-mxisd/tasks/self_check_mxisd.yml | 21 --- roles/matrix-mxisd/tasks/setup_mxisd.yml | 137 -------------- roles/matrix-mxisd/tasks/validate_config.yml | 57 ------ .../templates/systemd/matrix-mxisd.service.j2 | 46 ----- roles/matrix-mxisd/vars/main.yml | 5 - 16 files changed, 466 insertions(+), 469 deletions(-) rename docs/{configuring-playbook-mxisd.md => configuring-playbook-ma1sd.md} (100%) create mode 100644 roles/matrix-ma1sd/defaults/main.yml rename roles/{matrix-mxisd => matrix-ma1sd}/tasks/init.yml (70%) create mode 100644 roles/matrix-ma1sd/tasks/main.yml create mode 100644 roles/matrix-ma1sd/tasks/self_check_ma1sd.yml create mode 100644 roles/matrix-ma1sd/tasks/setup_ma1sd.yml create mode 100644 roles/matrix-ma1sd/tasks/validate_config.yml create mode 100644 roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 create mode 100644 roles/matrix-ma1sd/vars/main.yml delete mode 100644 roles/matrix-mxisd/defaults/main.yml delete mode 100644 roles/matrix-mxisd/tasks/main.yml delete mode 100644 roles/matrix-mxisd/tasks/self_check_mxisd.yml delete mode 100644 roles/matrix-mxisd/tasks/setup_mxisd.yml delete mode 100644 roles/matrix-mxisd/tasks/validate_config.yml delete mode 100644 roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 
delete mode 100644 roles/matrix-mxisd/vars/main.yml diff --git a/docs/configuring-playbook-mxisd.md b/docs/configuring-playbook-ma1sd.md similarity index 100% rename from docs/configuring-playbook-mxisd.md rename to docs/configuring-playbook-ma1sd.md diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml new file mode 100644 index 000000000..f3f604d3f --- /dev/null +++ b/roles/matrix-ma1sd/defaults/main.yml 
@@ -0,0 +1,175 @@ +# ma1sd is a Federated Matrix Identity Server +# See: https://github.com/ma1uta/ma1sd + +matrix_ma1sd_enabled: true + +matrix_ma1sd_docker_image: "ma1uta/ma1sd:1.4.6" +matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}" + +matrix_ma1sd_base_path: "{{ matrix_base_data_path }}/ma1sd" +matrix_ma1sd_config_path: "{{ matrix_ma1sd_base_path }}/config" +matrix_ma1sd_data_path: "{{ matrix_ma1sd_base_path }}/data" + +# Controls whether the matrix-ma1sd container exposes its HTTP port (tcp/8090 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:8090"), or empty string to not expose. +matrix_ma1sd_container_http_host_bind_port: '' + +# A list of extra arguments to pass to the container +matrix_ma1sd_container_extra_arguments: [] + +# List of systemd services that matrix-ma1sd.service depends on +matrix_ma1sd_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-ma1sd.service wants +matrix_ma1sd_systemd_wanted_services_list: [] + +# Your identity server is private by default. +# To ensure maximum discovery, you can make your identity server +# also forward lookups to the central matrix.org Identity server +# (at the cost of potentially leaking all your contacts information). +# Enabling this is discouraged. Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/features/identity.md#lookups +matrix_ma1sd_matrixorg_forwarding_enabled: false + +# ma1sd has serveral supported identity stores. +# One of them is storing identities directly in Synapse's database. +# Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/stores/synapse.md +matrix_ma1sd_synapsesql_enabled: false +matrix_ma1sd_synapsesql_type: "" +matrix_ma1sd_synapsesql_connection: "" + +# Setting up email-sending settings is required for using ma1sd. 
+matrix_ma1sd_threepid_medium_email_identity_from: "matrix@{{ matrix_domain }}" +matrix_ma1sd_threepid_medium_email_connectors_smtp_host: "" +matrix_ma1sd_threepid_medium_email_connectors_smtp_port: 587 +matrix_ma1sd_threepid_medium_email_connectors_smtp_tls: 1 +matrix_ma1sd_threepid_medium_email_connectors_smtp_login: "" +matrix_ma1sd_threepid_medium_email_connectors_smtp_password: "" + +# DNS overwrites are useful for telling ma1sd how it can reach the homeserver directly. +# Useful when reverse-proxying certain URLs (e.g. `/_matrix/client/r0/user_directory/search`) to ma1sd, +# so that ma1sd can rewrite the original URL to one that would reach the homeserver. +matrix_ma1sd_dns_overwrite_enabled: false +matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" +matrix_ma1sd_dns_overwrite_homeserver_client_value: "http://matrix-synapse:8008" + +# Override the default email templates +# To use this, fill in the template variables with the full desired template as a multi-line YAML variable +# +# More info: +# https://github.com/ma1uta/ma1sd/blob/master/docs/threepids/notification/template-generator.md +# https://github.com/ma1uta/ma1sd/tree/master/src/main/resources/threepids/email +matrix_ma1sd_threepid_medium_email_custom_templates_enabled: false +matrix_ma1sd_threepid_medium_email_custom_invite_template: "" +matrix_ma1sd_threepid_medium_email_custom_session_validation_template: "" +matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template: "" +matrix_ma1sd_threepid_medium_email_custom_matrixid_template: "" + +# Controls whether the self-check feature should validate SSL certificates. +matrix_ma1sd_self_check_validate_certificates: true + +# Controls ma1sd logging verbosity for troubleshooting. +# +# According to: https://github.com/ma1uta/ma1sd/blob/master/docs/troubleshooting.md#increase-verbosity +matrix_ma1sd_verbose_logging: false + +# Default ma1sd configuration template which covers the generic use case. 
+# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_ma1sd_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_ma1sd_configuration_yaml: | + #jinja2: lstrip_blocks: True + matrix: + domain: {{ matrix_domain }} + + server: + name: {{ matrix_server_fqn_matrix }} + + key: + path: /var/ma1sd/sign.key + + storage: + provider: + sqlite: + database: /var/ma1sd/ma1sd.db + + {% if matrix_ma1sd_dns_overwrite_enabled %} + dns: + overwrite: + homeserver: + client: + - name: {{ matrix_ma1sd_dns_overwrite_homeserver_client_name }} + value: {{ matrix_ma1sd_dns_overwrite_homeserver_client_value }} + {% endif %} + + {% if matrix_ma1sd_matrixorg_forwarding_enabled %} + forward: + servers: ['matrix-org'] + {% endif %} + + threepid: + medium: + email: + identity: + from: {{ matrix_ma1sd_threepid_medium_email_identity_from }} + connectors: + smtp: + host: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_host }} + port: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_port }} + tls: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_tls }} + login: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_login }} + password: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_password }} + {% if matrix_ma1sd_threepid_medium_email_custom_templates_enabled %} + generators: + template: + {% if matrix_ma1sd_threepid_medium_email_custom_invite_template %} + invite: '/var/ma1sd/invite-template.eml' + {% endif %} + {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template or matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template %} + session: + {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template %} + validation: '/var/ma1sd/validate-template.eml' + {% endif %} + {% if matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template %} + unbind: + frandulent: 
'/var/ma1sd/unbind-fraudulent.eml' + {% endif %} + {% endif %} + {% if matrix_ma1sd_threepid_medium_email_custom_matrixid_template %} + generic: + matrixId: '/var/ma1sd/mxid-template.eml' + {% endif %} + {% endif %} + + synapseSql: + enabled: {{ matrix_ma1sd_synapsesql_enabled }} + type: {{ matrix_ma1sd_synapsesql_type }} + connection: {{ matrix_ma1sd_synapsesql_connection }} + +matrix_ma1sd_configuration_extension_yaml: | + # Your custom YAML configuration for ma1sd goes here. + # This configuration extends the default starting configuration (`matrix_ma1sd_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_ma1sd_configuration_yaml`. + # + # Example configuration extension follows: + # + # ldap: + # enabled: true + # connection: + # host: ldapHostnameOrIp + # tls: false + # port: 389 + # baseDNs: ['OU=Users,DC=example,DC=org'] + # bindDn: CN=My Ma1sd User,OU=Users,DC=example,DC=org + # bindPassword: TheUserPassword + +matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml|from_yaml if matrix_ma1sd_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final ma1sd configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_ma1sd_configuration_yaml`. +matrix_ma1sd_configuration: "{{ matrix_ma1sd_configuration_yaml|from_yaml|combine(matrix_ma1sd_configuration_extension, recursive=True) }}" diff --git a/roles/matrix-mxisd/tasks/init.yml b/roles/matrix-ma1sd/tasks/init.yml similarity index 70% rename from roles/matrix-mxisd/tasks/init.yml rename to roles/matrix-ma1sd/tasks/init.yml index dcf1d0532..31a2e28f9 100644 --- a/roles/matrix-mxisd/tasks/init.yml +++ b/roles/matrix-ma1sd/tasks/init.yml 
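Review bot: Inside `matrix_ma1sd_configuration_yaml` the SMTP `host`, `login` and `password` values and the `synapseSql` `connection` string are interpolated as bare scalars, so a value containing `: `, ` #`, a leading quote or another YAML indicator either makes the later `from_yaml` fail or silently yields a different string; rendering them as `password: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_password|to_json }}` (and likewise for the other three) keeps arbitrary secrets intact. Separately, the key under `unbind:` is spelled `frandulent`, while the file it points to and the task that installs it are both named `unbind-fraudulent`; unless ma1sd really uses that spelling, the custom unbind template is probably never picked up, so it is worth checking against ma1sd's template documentation before this settles in. The header comment also reads `serveral` for `several`.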
@@ -1,10 +1,10 @@ - set_fact: - matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mxisd'] }}" - when: matrix_mxisd_enabled|bool + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ma1sd'] }}" + when: matrix_ma1sd_enabled|bool # ansible lower than 2.8, does not support docker_image build parameters # for self buildig it is explicitly needed, so we rather fail here - name: Fail if running on Ansible lower than 2.8 and trying self building fail: - msg: "To self build Mxisd image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." - when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mxisd_container_image_self_build" + msg: "To self build ma1sd image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ma1sd_container_image_self_build" diff --git a/roles/matrix-ma1sd/tasks/main.yml b/roles/matrix-ma1sd/tasks/main.yml new file mode 100644 index 000000000..f5ac34d65 --- /dev/null +++ b/roles/matrix-ma1sd/tasks/main.yml @@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_ma1sd_enabled|bool" + tags: + - setup-all + - setup-ma1sd + +- import_tasks: "{{ role_path }}/tasks/setup_ma1sd.yml" + tags: + - setup-all + - setup-ma1sd + +- import_tasks: "{{ role_path }}/tasks/self_check_ma1sd.yml" + delegate_to: 127.0.0.1 + become: false + when: "run_self_check|bool and matrix_ma1sd_enabled|bool" + tags: + - self-check diff --git a/roles/matrix-ma1sd/tasks/self_check_ma1sd.yml b/roles/matrix-ma1sd/tasks/self_check_ma1sd.yml new file mode 100644 index 000000000..2e0812630 --- /dev/null +++ b/roles/matrix-ma1sd/tasks/self_check_ma1sd.yml 
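Review bot: The renamed `when:` condition references `matrix_ma1sd_container_image_self_build`, but the new `roles/matrix-ma1sd/defaults/main.yml` added by this patch defines neither that variable nor `matrix_ma1sd_docker_src_files_path`, which the new `setup_ma1sd.yml` also reads in a `with_items` list. Unless both come from another vars file, the fail task's condition errors on an undefined variable on Ansible below 2.8 (the `and` short-circuits on newer versions), and the directory task in `setup_ma1sd.yml` likely errors on every run because loop items are templated before `when` is evaluated. Giving them defaults next to `matrix_ma1sd_docker_image` — `matrix_ma1sd_container_image_self_build: false` and a `matrix_ma1sd_docker_src_files_path` under `matrix_ma1sd_base_path` — restores the opt-in self-build the tasks expect. The message in the same hunk also keeps the typo `usa` for `use`.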
@@ -0,0 +1,21 @@ +--- + +- set_fact: + ma1sd_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/identity/api/v1" + +- name: Check ma1sd Identity Service + uri: + url: "{{ ma1sd_url_endpoint_public }}" + follow_redirects: none + validate_certs: "{{ matrix_ma1sd_self_check_validate_certificates }}" + register: result_ma1sd + ignore_errors: true + +- name: Fail if ma1sd Identity Service not working + fail: + msg: "Failed checking ma1sd is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ ma1sd_url_endpoint_public }}`). Is ma1sd running? Is port 443 open in your firewall? Full error: {{ result_ma1sd }}" + when: "result_ma1sd.failed or 'json' not in result_ma1sd" + +- name: Report working ma1sd Identity Service + debug: + msg: "ma1sd at `{{ matrix_server_fqn_matrix }}` is working (checked endpoint: `{{ ma1sd_url_endpoint_public }}`)" diff --git a/roles/matrix-ma1sd/tasks/setup_ma1sd.yml b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml new file mode 100644 index 000000000..483d7f9c0 --- /dev/null +++ b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml 
@@ -0,0 +1,137 @@
+---
+
+#
+# Tasks related to setting up ma1sd
+#
+
+- name: Ensure ma1sd paths exist
+ file:
+ path: "{{ item.path }}"
+ state: directory
+ mode: 0750
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_username }}"
+ with_items:
+ - { path: "{{ matrix_ma1sd_config_path }}", when: true }
+ - { path: "{{ matrix_ma1sd_data_path }}", when: true }
+ - { path: "{{ matrix_ma1sd_docker_src_files_path }}", when: "{{ matrix_ma1sd_container_image_self_build }}"}
+ when: matrix_ma1sd_enabled|bool and item.when
+
+- name: Ensure ma1sd image is pulled
+ docker_image:
+ name: "{{ matrix_ma1sd_docker_image }}"
+ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+ force_source: "{{ matrix_ma1sd_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+ force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ma1sd_docker_image_force_pull }}"
+ when: matrix_ma1sd_enabled|bool and not matrix_ma1sd_container_image_self_build
+
+- block:
+ - name: Ensure gradle is installed for self-building (Debian)
+ apt:
+ name:
+ - gradle
+ state: present
+ update_cache: yes
+ when: (ansible_os_family == 'Debian')
+
+ - name: Ensure gradle is installed for self-building (CentOS)
+ fail:
+ msg: "Installing gradle on CentOS is currently not supported, so self-building ma1sd cannot happen at this time"
+ when: ansible_distribution == 'CentOS'
+
+ - name: Ensure gradle is installed for self-building (Archlinux)
+ pacman:
+ name:
+ - gradle
+ state: latest
+ update_cache: yes
+ when: ansible_distribution == 'Archlinux'
+
+ - name: Ensure ma1sd repository is present on self-build
+ git:
+ repo: https://github.com/ma1uta/ma1sd.git
+ dest: "{{ matrix_ma1sd_docker_src_files_path }}"
+ version: "v{{ matrix_ma1sd_docker_image.split(':')[1] }}"
+ force: "yes"
+
+ - name: Ensure ma1sd Docker image is built
+ shell: "./gradlew dockerBuild"
+ args:
+ chdir: "{{ 
matrix_ma1sd_docker_src_files_path }}"
+ when: "matrix_ma1sd_enabled|bool and matrix_ma1sd_container_image_self_build"
+
+- name: Ensure ma1sd config installed
+ copy:
+ content: "{{ matrix_ma1sd_configuration|to_nice_yaml }}"
+ dest: "{{ matrix_ma1sd_config_path }}/ma1sd.yaml"
+ mode: 0644
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_username }}"
+ when: matrix_ma1sd_enabled|bool
+
+- name: Ensure custom templates are installed if any
+ copy:
+ content: "{{ item.value }}"
+ dest: "{{ matrix_ma1sd_data_path }}/{{ item.location }}"
+ mode: 0644
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_username }}"
+ with_items:
+ - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'}
+ - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'}
+ - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template }}", location: 'unbind-fraudulent.eml'}
+ - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'}
+ when: "matrix_ma1sd_enabled|bool and matrix_ma1sd_threepid_medium_email_custom_templates_enabled|bool and item.value"
+
+- name: Ensure matrix-ma1sd.service installed
+ template:
+ src: "{{ role_path }}/templates/systemd/matrix-ma1sd.service.j2"
+ dest: "{{ matrix_systemd_path }}/matrix-ma1sd.service"
+ mode: 0644
+ register: matrix_ma1sd_systemd_service_result
+ when: matrix_ma1sd_enabled|bool
+
+- name: Ensure systemd reloaded after matrix-ma1sd.service installation
+ service:
+ daemon_reload: yes
+ when: "matrix_ma1sd_enabled|bool and matrix_ma1sd_systemd_service_result.changed"
+
+#
+# Tasks related to getting rid of ma1sd (if it was previously enabled)
+#
+
+- name: Check existence of matrix-ma1sd service
+ stat:
+ path: "{{ matrix_systemd_path }}/matrix-ma1sd.service"
+ register: matrix_ma1sd_service_stat
+
+- name: Ensure matrix-ma1sd is stopped 
+ service:
+ name: matrix-ma1sd
+ state: stopped
+ daemon_reload: yes
+ register: stopping_result
+ when: "not matrix_ma1sd_enabled|bool and matrix_ma1sd_service_stat.stat.exists"
+
+- name: Ensure matrix-ma1sd.service doesn't exist
+ file:
+ path: "{{ matrix_systemd_path }}/matrix-ma1sd.service"
+ state: absent
+ when: "not matrix_ma1sd_enabled|bool and matrix_ma1sd_service_stat.stat.exists"
+
+- name: Ensure systemd reloaded after matrix-ma1sd.service removal
+ service:
+ daemon_reload: yes
+ when: "not matrix_ma1sd_enabled|bool and matrix_ma1sd_service_stat.stat.exists"
+
+- name: Ensure Matrix ma1sd paths don't exist
+ file:
+ path: "{{ matrix_ma1sd_base_path }}"
+ state: absent
+ when: "not matrix_ma1sd_enabled|bool"
+
+- name: Ensure ma1sd Docker image doesn't exist
+ docker_image:
+ name: "{{ matrix_ma1sd_docker_image }}"
+ state: absent
+ when: "not matrix_ma1sd_enabled|bool"
diff --git a/roles/matrix-ma1sd/tasks/validate_config.yml b/roles/matrix-ma1sd/tasks/validate_config.yml
new file mode 100644
index 000000000..07a170065
--- /dev/null
+++ b/roles/matrix-ma1sd/tasks/validate_config.yml
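Review bot: In the self-build block, the `git:` task checks out `version: "v{{ matrix_ma1sd_docker_image.split(':')[1] }}"` from `https://github.com/ma1uta/ma1sd.git` and the very next task runs `./gradlew dockerBuild` from that checkout, so whatever the tag resolves to at run time is executed on the host and baked into the image; a tag is a mutable ref and nothing in the hunk pins a commit or verifies a signature. A comment above the `git:` task stating that the tag is the only integrity control, plus an optional commit-hash variable that overrides `version:` when set, would make this explicit for operators who self-build. While these lines are new, `force: "yes"` on the `git:` task and `update_cache: yes` on the `apt:`/`pacman:` tasks are boolean-looking strings; `true` is the canonical form. The task indentation is not recoverable from this collapsed view, so the `when:` placement under `block:` is taken on trust.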
@@ -0,0 +1,57 @@
+---
+
+- name: (Deprecation) Warn about ma1sd variables that are not used anymore
+ fail:
+ msg: >
+ The `{{ item }}` variable defined in your configuration is not used by this playbook anymore!
+ You'll need to adapt to the new way of extending ma1sd configuration.
+ See the CHANGELOG and the `matrix_ma1sd_configuration_extension_yaml` variable for more information and examples.
+ when: "item in vars"
+ with_items:
+ - 'matrix_ma1sd_ldap_enabled'
+ - 'matrix_ma1sd_ldap_connection_host'
+ - 'matrix_ma1sd_ldap_connection_tls'
+ - 'matrix_ma1sd_ldap_connection_port'
+ - 'matrix_ma1sd_ldap_connection_baseDn'
+ - 'matrix_ma1sd_ldap_connection_baseDns'
+ - 'matrix_ma1sd_ldap_connection_bindDn'
+ - 'matrix_ma1sd_ldap_connection_bindPassword'
+ - 'matrix_ma1sd_ldap_filter'
+ - 'matrix_ma1sd_ldap_attribute_uid_type'
+ - 'matrix_ma1sd_ldap_attribute_uid_value'
+ - 'matrix_ma1sd_ldap_connection_bindPassword'
+ - 'matrix_ma1sd_ldap_attribute_name'
+ - 'matrix_ma1sd_ldap_attribute_threepid_email'
+ - 'matrix_ma1sd_ldap_attribute_threepid_msisdn'
+ - 'matrix_ma1sd_ldap_identity_filter'
+ - 'matrix_ma1sd_ldap_identity_medium'
+ - 'matrix_ma1sd_ldap_auth_filter'
+ - 'matrix_ma1sd_ldap_directory_filter'
+ - 'matrix_ma1sd_template_config'
+
+- name: Ensure ma1sd configuration does not contain any dot-notation keys
+ fail:
+ msg: >
+ Since version 1.3.0, ma1sd will not accept property-style configuration keys.
+ You have defined a key (`{{ item.key }}`) which contains a dot.
+ Instead, use nesting. See: https://github.com/kamax-matrix/mxisd/wiki/Upgrade-Notes#v130
+ when: "'.' in item.key"
+ with_dict: "{{ matrix_ma1sd_configuration }}"
+
+- name: Fail if required ma1sd settings not defined
+ fail:
+ msg: >
+ You need to define a required configuration setting (`{{ item }}`) for using ma1sd. 
+ when: "vars[item] == ''"
+ with_items:
+ - "matrix_ma1sd_threepid_medium_email_connectors_smtp_host"
+
+
+- name: (Deprecation) Catch and report renamed ma1sd variables
+ fail:
+ msg: >-
+ Your configuration contains a variable, which now has a different name.
+ Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
+ when: "item.old in vars"
+ with_items:
+ - {'old': 'matrix_ma1sd_container_expose_port', 'new': ''}
diff --git a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2 b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2
new file mode 100644
index 000000000..b316fc2bc
--- /dev/null
+++ b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2
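Review bot: The renamed-variable check at the end of the hunk carries `'new': ''`, so an operator who still sets `matrix_ma1sd_container_expose_port` is told to rename it to an empty name; the systemd template in this same patch reads `matrix_ma1sd_container_http_host_bind_port`, which looks like the intended replacement, so the entry should probably become `- {'old': 'matrix_ma1sd_container_expose_port', 'new': 'matrix_ma1sd_container_http_host_bind_port'}`. More broadly, the deprecation list was renamed mechanically from `matrix_mxisd_ldap_*` to `matrix_ma1sd_ldap_*`, names no existing inventory can contain, while the actual migration hazard of this commit — an inventory still carrying `matrix_mxisd_*` variables that are now silently ignored — is not caught here unless a playbook-wide rename check exists outside this diff. The list also contains `'matrix_ma1sd_ldap_connection_bindPassword'` twice.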
@@ -0,0 +1,46 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix ma1sd Identity server
+{% for service in matrix_ma1sd_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_ma1sd_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+
+[Service]
+Type=simple
+ExecStartPre=-/usr/bin/docker kill matrix-ma1sd
+ExecStartPre=-/usr/bin/docker rm matrix-ma1sd
+
+# ma1sd writes an SQLite shared library (libsqlitejdbc.so) to /tmp and executes it from there,
+# so /tmp needs to be mounted with an exec option.
+ExecStart=/usr/bin/docker run --rm --name matrix-ma1sd \
+ --log-driver=none \
+ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+ --cap-drop=ALL \
+ --read-only \
+ --tmpfs=/tmp:rw,exec,nosuid,size=10m \
+ --network={{ matrix_docker_network }} \
+ {% if matrix_ma1sd_container_http_host_bind_port %}
+ -p {{ matrix_ma1sd_container_http_host_bind_port }}:8090 \
+ {% endif %}
+ {% if matrix_ma1sd_verbose_logging %}
+ -e MA1SD_LOG_LEVEL=debug \
+ {% endif %}
+ -v {{ matrix_ma1sd_config_path }}:/etc/ma1sd:ro \
+ -v {{ matrix_ma1sd_data_path }}:/var/ma1sd:rw \
+ {% for arg in matrix_ma1sd_container_extra_arguments %}
+ {{ arg }} \
+ {% endfor %}
+ {{ matrix_ma1sd_docker_image }}
+
+ExecStop=-/usr/bin/docker kill matrix-ma1sd
+ExecStop=-/usr/bin/docker rm matrix-ma1sd
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-ma1sd
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/matrix-ma1sd/vars/main.yml b/roles/matrix-ma1sd/vars/main.yml
new file mode 100644
index 000000000..dfaf58bdf
--- /dev/null
+++ b/roles/matrix-ma1sd/vars/main.yml
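Review bot: The container-side names in `ExecStart` — `-e MA1SD_LOG_LEVEL=debug`, the `/etc/ma1sd:ro` config mount and the `/var/ma1sd:rw` data mount — are the mxisd values with the product name substituted (compare the deleted `matrix-mxisd.service.j2` later in this patch), and nothing visible confirms that the ma1sd image reads those paths and that environment variable. If the image still expects the old locations, the rendered config is mounted where it is never read and the signing key and SQLite database (which the old defaults placed under `/var/mxisd`) would presumably land outside the persistent volume, silently. A comment above `ExecStart=` such as `# /etc/ma1sd, /var/ma1sd and MA1SD_LOG_LEVEL must match what the ma1sd image expects; verified against the pinned image tag` would record that this was checked rather than assumed.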
@@ -0,0 +1,5 @@
+---
+
+# Doing `|from_yaml` when the extension contains nothing yields an empty string ("").
+# We need to ensure it's a dictionary or `|combine` (when building `matrix_ma1sd_configuration`) will fail later.
+matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml|from_yaml if matrix_ma1sd_configuration_extension_yaml|from_yaml else {} }}"
\ No newline at end of file
diff --git a/roles/matrix-mxisd/defaults/main.yml b/roles/matrix-mxisd/defaults/main.yml
deleted file mode 100644
index 605f40281..000000000
--- a/roles/matrix-mxisd/defaults/main.yml
+++ /dev/null
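Review bot: The guard `if matrix_ma1sd_configuration_extension_yaml|from_yaml else {}` only tests truthiness, so an extension that parses to a non-empty list or scalar is accepted here and the `|combine` the comment warns about still fails later with a less helpful error; the deleted `roles/matrix-mxisd/defaults/main.yml` in this same patch used the stricter test, which here would read `matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml|from_yaml if matrix_ma1sd_configuration_extension_yaml|from_yaml is mapping else {} }}"`. The file is also added without a trailing newline (`\ No newline at end of file`).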
@@ -1,178 +0,0 @@ -# mxisd is a Federated Matrix Identity Server -# See: https://github.com/kamax-matrix/mxisd - -matrix_mxisd_enabled: true - -matrix_mxisd_container_image_self_build: false - -matrix_mxisd_docker_image: "kamax/mxisd:1.4.6" -matrix_mxisd_docker_image_force_pull: "{{ matrix_mxisd_docker_image.endswith(':latest') }}" - -matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd" -matrix_mxisd_docker_src_files_path: "{{ matrix_mxisd_base_path }}/docker-src" -matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config" -matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data" - -# Controls whether the matrix-mxisd container exposes its HTTP port (tcp/8090 in the container). -# -# Takes an ":" or "" value (e.g. "127.0.0.1:8090"), or empty string to not expose. -matrix_mxisd_container_http_host_bind_port: '' - -# A list of extra arguments to pass to the container -matrix_mxisd_container_extra_arguments: [] - -# List of systemd services that matrix-mxisd.service depends on -matrix_mxisd_systemd_required_services_list: ['docker.service'] - -# List of systemd services that matrix-mxisd.service wants -matrix_mxisd_systemd_wanted_services_list: [] - -# Your identity server is private by default. -# To ensure maximum discovery, you can make your identity server -# also forward lookups to the central matrix.org Identity server -# (at the cost of potentially leaking all your contacts information). -# Enabling this is discouraged. Learn more here: https://github.com/kamax-io/mxisd/blob/master/docs/features/identity.md#lookups -matrix_mxisd_matrixorg_forwarding_enabled: false - -# mxisd has serveral supported identity stores. -# One of them is storing identities directly in Synapse's database. 
-# Learn more here: https://github.com/kamax-matrix/mxisd/blob/master/docs/stores/synapse.md -matrix_mxisd_synapsesql_enabled: false -matrix_mxisd_synapsesql_type: "" -matrix_mxisd_synapsesql_connection: "" - -# Setting up email-sending settings is required for using mxisd. -matrix_mxisd_threepid_medium_email_identity_from: "matrix@{{ matrix_domain }}" -matrix_mxisd_threepid_medium_email_connectors_smtp_host: "" -matrix_mxisd_threepid_medium_email_connectors_smtp_port: 587 -matrix_mxisd_threepid_medium_email_connectors_smtp_tls: 1 -matrix_mxisd_threepid_medium_email_connectors_smtp_login: "" -matrix_mxisd_threepid_medium_email_connectors_smtp_password: "" - -# DNS overwrites are useful for telling mxisd how it can reach the homeserver directly. -# Useful when reverse-proxying certain URLs (e.g. `/_matrix/client/r0/user_directory/search`) to mxisd, -# so that mxisd can rewrite the original URL to one that would reach the homeserver. -matrix_mxisd_dns_overwrite_enabled: false -matrix_mxisd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" -matrix_mxisd_dns_overwrite_homeserver_client_value: "http://matrix-synapse:8008" - -# Override the default email templates -# To use this, fill in the template variables with the full desired template as a multi-line YAML variable -# -# More info: -# https://github.com/kamax-matrix/mxisd/blob/master/docs/threepids/notification/template-generator.md -# https://github.com/kamax-matrix/mxisd/tree/master/src/main/resources/threepids/email -matrix_mxisd_threepid_medium_email_custom_templates_enabled: false -matrix_mxisd_threepid_medium_email_custom_invite_template: "" -matrix_mxisd_threepid_medium_email_custom_session_validation_template: "" -matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template: "" -matrix_mxisd_threepid_medium_email_custom_matrixid_template: "" - -# Controls whether the self-check feature should validate SSL certificates. 
-matrix_mxisd_self_check_validate_certificates: true - -# Controls mxisd logging verbosity for troubleshooting. -# -# According to: https://github.com/kamax-matrix/mxisd/blob/master/docs/troubleshooting.md#increase-verbosity -matrix_mxisd_verbose_logging: false - -# Default mxisd configuration template which covers the generic use case. -# You can customize it by controlling the various variables inside it. -# -# For a more advanced customization, you can extend the default (see `matrix_mxisd_configuration_extension_yaml`) -# or completely replace this variable with your own template. -matrix_mxisd_configuration_yaml: | - #jinja2: lstrip_blocks: True - matrix: - domain: {{ matrix_domain }} - - server: - name: {{ matrix_server_fqn_matrix }} - - key: - path: /var/mxisd/sign.key - - storage: - provider: - sqlite: - database: /var/mxisd/mxisd.db - - {% if matrix_mxisd_dns_overwrite_enabled %} - dns: - overwrite: - homeserver: - client: - - name: {{ matrix_mxisd_dns_overwrite_homeserver_client_name }} - value: {{ matrix_mxisd_dns_overwrite_homeserver_client_value }} - {% endif %} - - {% if matrix_mxisd_matrixorg_forwarding_enabled %} - forward: - servers: ['matrix-org'] - {% endif %} - - threepid: - medium: - email: - identity: - from: {{ matrix_mxisd_threepid_medium_email_identity_from }} - connectors: - smtp: - host: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_host }} - port: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_port }} - tls: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_tls }} - login: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_login }} - password: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_password }} - {% if matrix_mxisd_threepid_medium_email_custom_templates_enabled %} - generators: - template: - {% if matrix_mxisd_threepid_medium_email_custom_invite_template %} - invite: '/var/mxisd/invite-template.eml' - {% endif %} - {% if matrix_mxisd_threepid_medium_email_custom_session_validation_template or 
matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template %} - session: - {% if matrix_mxisd_threepid_medium_email_custom_session_validation_template %} - validation: '/var/mxisd/validate-template.eml' - {% endif %} - {% if matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template %} - unbind: - frandulent: '/var/mxisd/unbind-fraudulent.eml' - {% endif %} - {% endif %} - {% if matrix_mxisd_threepid_medium_email_custom_matrixid_template %} - generic: - matrixId: '/var/mxisd/mxid-template.eml' - {% endif %} - {% endif %} - - synapseSql: - enabled: {{ matrix_mxisd_synapsesql_enabled }} - type: {{ matrix_mxisd_synapsesql_type }} - connection: {{ matrix_mxisd_synapsesql_connection }} - -matrix_mxisd_configuration_extension_yaml: | - # Your custom YAML configuration for mxisd goes here. - # This configuration extends the default starting configuration (`matrix_mxisd_configuration_yaml`). - # - # You can override individual variables from the default configuration, or introduce new ones. - # - # If you need something more special, you can take full control by - # completely redefining `matrix_mxisd_configuration_yaml`. - # - # Example configuration extension follows: - # - # ldap: - # enabled: true - # connection: - # host: ldapHostnameOrIp - # tls: false - # port: 389 - # baseDNs: ['OU=Users,DC=example,DC=org'] - # bindDn: CN=My Mxisd User,OU=Users,DC=example,DC=org - # bindPassword: TheUserPassword - -matrix_mxisd_configuration_extension: "{{ matrix_mxisd_configuration_extension_yaml|from_yaml if matrix_mxisd_configuration_extension_yaml|from_yaml is mapping else {} }}" - -# Holds the final mxisd configuration (a combination of the default and its extension). -# You most likely don't need to touch this variable. Instead, see `matrix_mxisd_configuration_yaml`. -matrix_mxisd_configuration: "{{ matrix_mxisd_configuration_yaml|from_yaml|combine(matrix_mxisd_configuration_extension, recursive=True) }}" 
diff --git a/roles/matrix-mxisd/tasks/main.yml b/roles/matrix-mxisd/tasks/main.yml deleted file mode 100644 index 31970db42..000000000 --- a/roles/matrix-mxisd/tasks/main.yml +++ /dev/null @@ -1,21 +0,0 @@ -- import_tasks: "{{ role_path }}/tasks/init.yml" - tags: - - always - -- import_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: "run_setup|bool and matrix_mxisd_enabled|bool" - tags: - - setup-all - - setup-mxisd - -- import_tasks: "{{ role_path }}/tasks/setup_mxisd.yml" - tags: - - setup-all - - setup-mxisd - -- import_tasks: "{{ role_path }}/tasks/self_check_mxisd.yml" - delegate_to: 127.0.0.1 - become: false - when: "run_self_check|bool and matrix_mxisd_enabled|bool" - tags: - - self-check diff --git a/roles/matrix-mxisd/tasks/self_check_mxisd.yml b/roles/matrix-mxisd/tasks/self_check_mxisd.yml deleted file mode 100644 index 137907bb3..000000000 --- a/roles/matrix-mxisd/tasks/self_check_mxisd.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- - -- set_fact: - mxisd_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/identity/api/v1" - -- name: Check mxisd Identity Service - uri: - url: "{{ mxisd_url_endpoint_public }}" - follow_redirects: none - validate_certs: "{{ matrix_mxisd_self_check_validate_certificates }}" - register: result_mxisd - ignore_errors: true - -- name: Fail if mxisd Identity Service not working - fail: - msg: "Failed checking mxisd is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ mxisd_url_endpoint_public }}`). Is mxisd running? Is port 443 open in your firewall? Full error: {{ result_mxisd }}" - when: "result_mxisd.failed or 'json' not in result_mxisd" - -- name: Report working mxisd Identity Service - debug: - msg: "mxisd at `{{ matrix_server_fqn_matrix }}` is working (checked endpoint: `{{ mxisd_url_endpoint_public }}`)" diff --git a/roles/matrix-mxisd/tasks/setup_mxisd.yml b/roles/matrix-mxisd/tasks/setup_mxisd.yml deleted file mode 100644 index 0ad363011..000000000 
--- a/roles/matrix-mxisd/tasks/setup_mxisd.yml +++ /dev/null 
@@ -1,137 +0,0 @@ ---- - -# -# Tasks related to setting up mxisd -# - -- name: Ensure mxisd paths exist - file: - path: "{{ item.path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" - with_items: - - { path: "{{ matrix_mxisd_config_path }}", when: true } - - { path: "{{ matrix_mxisd_data_path }}", when: true } - - { path: "{{ matrix_mxisd_docker_src_files_path }}", when: "{{ matrix_mxisd_container_image_self_build }}"} - when: matrix_mxisd_enabled|bool and item.when - -- name: Ensure mxisd image is pulled - docker_image: - name: "{{ matrix_mxisd_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_mxisd_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mxisd_docker_image_force_pull }}" - when: matrix_mxisd_enabled|bool and not matrix_mxisd_container_image_self_build - -- block: - - name: Ensure gradle is installed for self-building (Debian) - apt: - name: - - gradle - state: present - update_cache: yes - when: (ansible_os_family == 'Debian') - - - name: Ensure gradle is installed for self-building (CentOS) - fail: - msg: "Installing gradle on CentOS is currently not supported, so self-building mxisd cannot happen at this time" - when: ansible_distribution == 'CentOS' - - - name: Ensure gradle is installed for self-building (Archlinux) - pacman: - name: - - gradle - state: latest - update_cache: yes - when: ansible_distribution == 'Archlinux' - - - name: Ensure mxisd repository is present on self-build - git: - repo: https://github.com/kamax-matrix/mxisd.git - dest: "{{ matrix_mxisd_docker_src_files_path }}" - version: "v{{ matrix_mxisd_docker_image.split(':')[1] }}" - force: "yes" - - - name: Ensure mxisd Docker image is built - shell: "./gradlew dockerBuild" - args: - chdir: "{{ 
matrix_mxisd_docker_src_files_path }}" - when: "matrix_mxisd_enabled|bool and matrix_mxisd_container_image_self_build" - -- name: Ensure mxisd config installed - copy: - content: "{{ matrix_mxisd_configuration|to_nice_yaml }}" - dest: "{{ matrix_mxisd_config_path }}/mxisd.yaml" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" - when: matrix_mxisd_enabled|bool - -- name: Ensure custom templates are installed if any - copy: - content: "{{ item.value }}" - dest: "{{ matrix_mxisd_data_path }}/{{ item.location }}" - mode: 0644 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" - with_items: - - {value: "{{ matrix_mxisd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'} - - {value: "{{ matrix_mxisd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'} - - {value: "{{ matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template }}", location: 'unbind-fraudulent.eml'} - - {value: "{{ matrix_mxisd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'} - when: "matrix_mxisd_enabled|bool and matrix_mxisd_threepid_medium_email_custom_templates_enabled|bool and item.value" - -- name: Ensure matrix-mxisd.service installed - template: - src: "{{ role_path }}/templates/systemd/matrix-mxisd.service.j2" - dest: "{{ matrix_systemd_path }}/matrix-mxisd.service" - mode: 0644 - register: matrix_mxisd_systemd_service_result - when: matrix_mxisd_enabled|bool - -- name: Ensure systemd reloaded after matrix-mxisd.service installation - service: - daemon_reload: yes - when: "matrix_mxisd_enabled|bool and matrix_mxisd_systemd_service_result.changed" - -# -# Tasks related to getting rid of mxisd (if it was previously enabled) -# - -- name: Check existence of matrix-mxisd service - stat: - path: "{{ matrix_systemd_path }}/matrix-mxisd.service" - register: matrix_mxisd_service_stat - -- name: Ensure matrix-mxisd is stopped 
- service: - name: matrix-mxisd - state: stopped - daemon_reload: yes - register: stopping_result - when: "not matrix_mxisd_enabled|bool and matrix_mxisd_service_stat.stat.exists" - -- name: Ensure matrix-mxisd.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/matrix-mxisd.service" - state: absent - when: "not matrix_mxisd_enabled|bool and matrix_mxisd_service_stat.stat.exists" - -- name: Ensure systemd reloaded after matrix-mxisd.service removal - service: - daemon_reload: yes - when: "not matrix_mxisd_enabled|bool and matrix_mxisd_service_stat.stat.exists" - -- name: Ensure Matrix mxisd paths don't exist - file: - path: "{{ matrix_mxisd_base_path }}" - state: absent - when: "not matrix_mxisd_enabled|bool" - -- name: Ensure mxisd Docker image doesn't exist - docker_image: - name: "{{ matrix_mxisd_docker_image }}" - state: absent - when: "not matrix_mxisd_enabled|bool" diff --git a/roles/matrix-mxisd/tasks/validate_config.yml b/roles/matrix-mxisd/tasks/validate_config.yml deleted file mode 100644 index 200a43a3c..000000000 --- a/roles/matrix-mxisd/tasks/validate_config.yml +++ /dev/null 
@@ -1,57 +0,0 @@ ---- - -- name: (Deprecation) Warn about mxisd variables that are not used anymore - fail: - msg: > - The `{{ item }}` variable defined in your configuration is not used by this playbook anymore! - You'll need to adapt to the new way of extending mxisd configuration. - See the CHANGELOG and the `matrix_mxisd_configuration_extension_yaml` variable for more information and examples. - when: "item in vars" - with_items: - - 'matrix_mxisd_ldap_enabled' - - 'matrix_mxisd_ldap_connection_host' - - 'matrix_mxisd_ldap_connection_tls' - - 'matrix_mxisd_ldap_connection_port' - - 'matrix_mxisd_ldap_connection_baseDn' - - 'matrix_mxisd_ldap_connection_baseDns' - - 'matrix_mxisd_ldap_connection_bindDn' - - 'matrix_mxisd_ldap_connection_bindPassword' - - 'matrix_mxisd_ldap_filter' - - 'matrix_mxisd_ldap_attribute_uid_type' - - 'matrix_mxisd_ldap_attribute_uid_value' - - 'matrix_mxisd_ldap_connection_bindPassword' - - 'matrix_mxisd_ldap_attribute_name' - - 'matrix_mxisd_ldap_attribute_threepid_email' - - 'matrix_mxisd_ldap_attribute_threepid_msisdn' - - 'matrix_mxisd_ldap_identity_filter' - - 'matrix_mxisd_ldap_identity_medium' - - 'matrix_mxisd_ldap_auth_filter' - - 'matrix_mxisd_ldap_directory_filter' - - 'matrix_mxisd_template_config' - -- name: Ensure mxisd configuration does not contain any dot-notation keys - fail: - msg: > - Since version 1.3.0, mxisd will not accept property-style configuration keys. - You have defined a key (`{{ item.key }}`) which contains a dot. - Instead, use nesting. See: https://github.com/kamax-matrix/mxisd/wiki/Upgrade#v130 - when: "'.' in item.key" - with_dict: "{{ matrix_mxisd_configuration }}" - -- name: Fail if required mxisd settings not defined - fail: - msg: > - You need to define a required configuration setting (`{{ item }}`) for using mxisd. 
- when: "vars[item] == ''" - with_items: - - "matrix_mxisd_threepid_medium_email_connectors_smtp_host" - - -- name: (Deprecation) Catch and report renamed mxisd variables - fail: - msg: >- - Your configuration contains a variable, which now has a different name. - Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). - when: "item.old in vars" - with_items: - - {'old': 'matrix_mxisd_container_expose_port', 'new': ''} diff --git a/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 b/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 deleted file mode 100644 index d60740f52..000000000 --- a/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2 +++ /dev/null 
@@ -1,46 +0,0 @@ -#jinja2: lstrip_blocks: "True" -[Unit] -Description=Matrix mxisd Identity server -{% for service in matrix_mxisd_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -{% for service in matrix_mxisd_systemd_wanted_services_list %} -Wants={{ service }} -{% endfor %} - -[Service] -Type=simple -ExecStartPre=-/usr/bin/docker kill matrix-mxisd -ExecStartPre=-/usr/bin/docker rm matrix-mxisd - -# mxisd writes an SQLite shared library (libsqlitejdbc.so) to /tmp and executes it from there, -# so /tmp needs to be mounted with an exec option. -ExecStart=/usr/bin/docker run --rm --name matrix-mxisd \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --read-only \ - --tmpfs=/tmp:rw,exec,nosuid,size=10m \ - --network={{ matrix_docker_network }} \ - {% if matrix_mxisd_container_http_host_bind_port %} - -p {{ matrix_mxisd_container_http_host_bind_port }}:8090 \ - {% endif %} - {% if matrix_mxisd_verbose_logging %} - -e MXISD_LOG_LEVEL=debug \ - {% endif %} - -v {{ matrix_mxisd_config_path }}:/etc/mxisd:ro \ - -v {{ matrix_mxisd_data_path }}:/var/mxisd:rw \ - {% for arg in matrix_mxisd_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_mxisd_docker_image }} - -ExecStop=-/usr/bin/docker kill matrix-mxisd -ExecStop=-/usr/bin/docker rm matrix-mxisd -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-mxisd - -[Install] -WantedBy=multi-user.target diff --git a/roles/matrix-mxisd/vars/main.yml b/roles/matrix-mxisd/vars/main.yml deleted file mode 100644 index f5fbf9ad9..000000000 --- a/roles/matrix-mxisd/vars/main.yml +++ /dev/null 
@@ -1,5 +0,0 @@ ---- - -# Doing `|from_yaml` when the extension contains nothing yields an empty string (""). -# We need to ensure it's a dictionary or `|combine` (when building `matrix_mxisd_configuration`) will fail later. -matrix_mxisd_configuration_extension: "{{ matrix_mxisd_configuration_extension_yaml|from_yaml if matrix_mxisd_configuration_extension_yaml|from_yaml else {} }}" \ No newline at end of file From 5fedd6cbf03be1b049d3f9b57dc090fa9195abec Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Tue, 7 Jan 2020 19:04:26 +0100 Subject: [PATCH 11/87] Replace mxisd with ma1sd in docs, fixing URLs --- README.md | 6 +-- docs/configuring-dns.md | 2 +- docs/configuring-playbook-ldap-auth.md | 4 +- docs/configuring-playbook-ma1sd.md | 49 +++++++++++++------------ docs/configuring-playbook-rest-auth.md | 4 +- docs/configuring-playbook.md | 2 +- docs/maintenance-and-troubleshooting.md | 4 +- 7 files changed, 36 insertions(+), 35 deletions(-) diff --git a/README.md b/README.md index 7e64d8937..b16a8dfea 100644 --- a/README.md +++ b/README.md 
@@ -20,13 +20,13 @@ Using this playbook, you can get the following services configured on your serve - (optional, default) a [Riot](https://riot.im/) web UI, which is configured to connect to your own Synapse server by default -- (optional, default) an [mxisd](https://github.com/kamax-io/mxisd) Matrix Identity server +- (optional, default) an [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server - (optional, default) an [Exim](https://www.exim.org/) mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) - (optional, default) an [nginx](http://nginx.org/) web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver [is possible](docs/configuring-playbook-own-webserver.md) -- (optional, advanced) the [matrix-synapse-rest-auth](https://github.com/kamax-io/matrix-synapse-rest-auth) REST authentication password provider module +- (optional, advanced) the [matrix-synapse-rest-auth](https://github.com/ma1uta/matrix-synapse-rest-password-provider) REST authentication password provider module - (optional, advanced) the [matrix-synapse-shared-secret-auth](https://github.com/devture/matrix-synapse-shared-secret-auth) password provider module @@ -112,7 +112,7 @@ This playbook sets up your server using the following Docker images: - [vectorim/riot-web](https://hub.docker.com/r/vectorim/riot-web/) - the [Riot.im](https://about.riot.im/) web client (optional) -- [kamax/mxisd](https://hub.docker.com/r/kamax/mxisd/) - the [mxisd](https://github.com/kamax-io/mxisd) Matrix Identity server (optional) +- [ma1uta/ma1sd](https://hub.docker.com/r/ma1uta/ma1sd/) - the [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server (optional) - [postgres](https://hub.docker.com/_/postgres/) - the [Postgres](https://www.postgresql.org/) database server (optional) diff --git a/docs/configuring-dns.md b/docs/configuring-dns.md index 735b348fb..29ddc61ed 100644 
--- a/docs/configuring-dns.md +++ b/docs/configuring-dns.md @@ -44,7 +44,7 @@ The `jitsi.` subdomain may be necessary, because this playbook coul ## `_matrix-identity._tcp` SRV record setup -To make the [mxisd](https://github.com/kamax-io/mxisd) Identity Server (which this playbook installs for you) be authoritative for your domain name, set up one more SRV record that looks like this: +To make the [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server (which this playbook installs for you) be authoritative for your domain name, set up one more SRV record that looks like this: - Name: `_matrix-identity._tcp` (use this text as-is) - Content: `10 0 443 matrix.` (replace `` with your own) diff --git a/docs/configuring-playbook-ldap-auth.md b/docs/configuring-playbook-ldap-auth.md index c9f15c317..5144323ad 100644 --- a/docs/configuring-playbook-ldap-auth.md +++ b/docs/configuring-playbook-ldap-auth.md @@ -28,5 +28,5 @@ If you wish for users to **authenticate only against configured password provide matrix_synapse_password_config_localdb_enabled: false ``` -## Using mxisd Identity Server for authentication -If you wish to use the mxisd Identity Server for LDAP authentication instead of [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) consult [Adjusting mxisd Identity Server configuration](configuring-playbook-mxisd.md#authentication). \ No newline at end of file +## Using ma1sd Identity Server for authentication +If you wish to use the ma1sd Identity Server for LDAP authentication instead of [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) consult [Adjusting ma1sd Identity Server configuration](configuring-playbook-ma1sd.md#authentication). diff --git a/docs/configuring-playbook-ma1sd.md b/docs/configuring-playbook-ma1sd.md index 29cec488d..da9ff21e1 100644 --- a/docs/configuring-playbook-ma1sd.md +++ b/docs/configuring-playbook-ma1sd.md 
@@ -1,52 +1,53 @@ -# Adjusting mxisd Identity Server configuration (optional) +# Adjusting ma1sd Identity Server configuration (optional) -By default, this playbook configures an [mxisd](https://github.com/kamax-io/mxisd) Identity Server for you. +By default, this playbook configures an [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server for you. This server is private by default, potentially at the expense of user discoverability. +ma1sd is a fork of [mxisd](https://github.com/kamax-io/mxisd) which was pronounced end of life 2019-06-21. ## Matrix.org lookup forwarding To ensure maximum discovery, you can make your identity server also forward lookups to the central matrix.org Identity server (at the cost of potentially leaking all your contacts information). -Enabling this is discouraged and you'd better [learn more](https://github.com/kamax-io/mxisd/blob/master/docs/features/identity.md#lookups) before proceeding. +Enabling this is discouraged and you'd better [learn more](https://github.com/ma1uta/ma1sd/blob/master/docs/features/identity.md#lookups) before proceeding. Enabling matrix.org forwarding can happen with the following configuration: ```yaml -matrix_mxisd_matrixorg_forwarding_enabled: true +matrix_ma1sd_matrixorg_forwarding_enabled: true ``` ## Customizing email templates -If you'd like to change the default email templates used by mxisd, take a look at the `matrix_mxisd_threepid_medium_email_custom_` variables -(in the `roles/matrix-mxisd/defaults/main.yml` file. +If you'd like to change the default email templates used by ma1sd, take a look at the `matrix_ma1sd_threepid_medium_email_custom_` variables +(in the `roles/matrix-ma1sd/defaults/main.yml` file. 
-## mxisd-controlled Registration +## ma1sd-controlled Registration -To use the [Registration](https://github.com/kamax-matrix/mxisd/blob/master/docs/features/registration.md) feature of mxisd, you can make use of the following variables: +To use the [Registration](https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md) feature of ma1sd, you can make use of the following variables: - `matrix_synapse_enable_registration` - to enable user-initiated registration in Synapse - `matrix_synapse_registrations_require_3pid` - to control the types of 3pid (`'email'`, `'msisdn'`) required by the Synapse server for registering -- variables prefixed with `matrix_nginx_proxy_proxy_matrix_3pid_registration_` (e.g. `matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled`) - to configure the integrated nginx webserver to send registration requests to mxisd (instead of Synapse), so it can apply its additional functionality +- variables prefixed with `matrix_nginx_proxy_proxy_matrix_3pid_registration_` (e.g. `matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled`) - to configure the integrated nginx webserver to send registration requests to ma1sd (instead of Synapse), so it can apply its additional functionality -- `matrix_mxisd_configuration_extension_yaml` - to configure mxisd as required. See the [Registration feature's docs](https://github.com/kamax-matrix/mxisd/blob/master/docs/features/registration.md) for inspiration. Also see the [Additional features](#additional-features) section below to learn more about how to use `matrix_mxisd_configuration_extension_yaml`. +- `matrix_ma1sd_configuration_extension_yaml` - to configure ma1sd as required. See the [Registration feature's docs](https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md) for inspiration. Also see the [Additional features](#additional-features) section below to learn more about how to use `matrix_ma1sd_configuration_extension_yaml`. 
## Authentication -[Authentication](https://github.com/kamax-matrix/mxisd/blob/master/docs/features/authentication.md) provides the possibility to use your own [Identity Stores](https://github.com/kamax-matrix/mxisd/blob/master/docs/stores/README.md) (for example LDAP) to authenticate users on your Homeserver. The following configuration can be used to authenticate against an LDAP server: +[Authentication](https://github.com/ma1uta/ma1sd/blob/master/docs/features/authentication.md) provides the possibility to use your own [Identity Stores](https://github.com/ma1uta/ma1sd/blob/master/docs/stores/README.md) (for example LDAP) to authenticate users on your Homeserver. The following configuration can be used to authenticate against an LDAP server: ```yaml matrix_synapse_ext_password_provider_rest_auth_enabled: true -# matrix-mxisd is the hostname of the mxisd Docker container -matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-mxisd:8090" +# matrix-ma1sd is the hostname of the ma1sd Docker container +matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-ma1sd:8090" -matrix_mxisd_configuration_extension_yaml: | +matrix_ma1sd_configuration_extension_yaml: | ldap: enabled: true connection: @@ -54,7 +55,7 @@ matrix_mxisd_configuration_extension_yaml: | tls: false port: 389 baseDNs: ['OU=Users,DC=example,DC=org'] - bindDn: CN=My Mxisd User,OU=Users,DC=example,DC=org + bindDn: CN=My ma1sd User,OU=Users,DC=example,DC=org bindPassword: TheUserPassword ``` 
@@ -62,24 +63,24 @@ matrix_mxisd_configuration_extension_yaml: | What this playbook configures for your is some bare minimum Identity Server functionality, so that you won't need to rely on external 3rd party services. -A few variables can be toggled in this playbook to alter the mxisd configuration that gets generated. +A few variables can be toggled in this playbook to alter the ma1sd configuration that gets generated. -Still, mxisd can do much more. -You can refer to the [mxisd website](https://github.com/kamax-io/mxisd) for more details and configuration options. +Still, ma1sd can do much more. +You can refer to the [ma1sd website](https://github.com/ma1uta/ma1sd) for more details and configuration options. -To use a more custom configuration, you can define a `matrix_mxisd_configuration_extension_yaml` string variable +To use a more custom configuration, you can define a `matrix_ma1sd_configuration_extension_yaml` string variable and put your configuration in it. -To learn more about how to do this, refer to the information about `matrix_mxisd_configuration_extension_yaml` in the [default variables file](../roles/matrix-mxisd/defaults/main.yml) of the mxisd component. +To learn more about how to do this, refer to the information about `matrix_ma1sd_configuration_extension_yaml` in the [default variables file](../roles/matrix-ma1sd/defaults/main.yml) of the ma1sd component. ## Troubleshooting -If email address validation emails sent by mxisd are not reaching you, you should look into [Adjusting email-sending settings](configuring-playbook-email.md). +If email address validation emails sent by ma1sd are not reaching you, you should look into [Adjusting email-sending settings](configuring-playbook-email.md). -If you'd like additional logging information, temporarily enable verbose logging for mxisd. +If you'd like additional logging information, temporarily enable verbose logging for ma1sd. 
Example configuration (`inventory/host_vars/matrix.DOMAIN/vars.yml`): ```yaml -matrix_mxisd_verbose_logging: true -``` \ No newline at end of file +matrix_ma1sd_verbose_logging: true +``` diff --git a/docs/configuring-playbook-rest-auth.md b/docs/configuring-playbook-rest-auth.md index f35c0f49e..23644c9eb 100644 --- a/docs/configuring-playbook-rest-auth.md +++ b/docs/configuring-playbook-rest-auth.md @@ -1,6 +1,6 @@ # Setting up the REST authentication password provider module (optional, advanced) -The playbook can install and configure [matrix-synapse-rest-auth](https://github.com/kamax-io/matrix-synapse-rest-auth) for you. +The playbook can install and configure [matrix-synapse-rest-auth](https://github.com/ma1uta/matrix-synapse-rest-password-provider) for you. See that project's documentation to learn what it does and why it might be useful to you. @@ -8,7 +8,7 @@ If you decide that you'd like to let this playbook install it for you, you need ```yaml matrix_synapse_ext_password_provider_rest_auth_enabled: true -matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-mxisd:8090" +matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-ma1sd:8090" matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 051abf166..4d0d2093b 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md 
@@ -44,7 +44,7 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Using an external PostgreSQL server](configuring-playbook-external-postgres.md) (optional) -- [Adjusting mxisd Identity Server configuration](configuring-playbook-mxisd.md) (optional) +- [Adjusting ma1sd Identity Server configuration](configuring-playbook-ma1sd.md) (optional) - [Adjusting SSL certificate retrieval](configuring-playbook-ssl-certificates.md) (optional, advanced) diff --git a/docs/maintenance-and-troubleshooting.md b/docs/maintenance-and-troubleshooting.md index 5dd1ee3f5..bccf3e2ee 100644 --- a/docs/maintenance-and-troubleshooting.md +++ b/docs/maintenance-and-troubleshooting.md @@ -38,6 +38,6 @@ Re-run the playbook after making these configuration changes. See the dedicated [PostgreSQL Maintenance](maintenance-postgres.md) documentation page. -## Mxisd +## Ma1sd -See the dedicated [Adjusting mxisd Identity Server configuration](configuring-playbook-mxisd.md) documentation page. \ No newline at end of file +See the dedicated [Adjusting ma1sd Identity Server configuration](configuring-playbook-ma1sd.md) documentation page. From 9d0803cdf934775c7c5338643a3b79957eb451af Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Wed, 8 Jan 2020 22:26:24 +0100 Subject: [PATCH 12/87] Specify up-to-date version 2.2.2 of ma1sd docker image --- roles/matrix-ma1sd/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index f3f604d3f..4ae87e3de 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -3,7 +3,7 @@ matrix_ma1sd_enabled: true -matrix_ma1sd_docker_image: "ma1uta/ma1sd:1.4.6" +matrix_ma1sd_docker_image: "ma1uta/ma1sd:2.2.2" matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}" matrix_ma1sd_base_path: "{{ matrix_base_data_path }}/ma1sd" 
From 874e2e1fc0b775ff20f500e7b7f49aa23112a892 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Wed, 8 Jan 2020 22:31:44 +0100 Subject: [PATCH 13/87] Rename variables (s/mxisd/ma1sd/) and adapt roles --- group_vars/matrix_servers | 56 +++++++++---------- roles/matrix-base/tasks/main.yml | 2 +- roles/matrix-base/tasks/self_check_dns.yml | 8 +-- roles/matrix-nginx-proxy/defaults/main.yml | 10 ++-- .../tasks/self_check_well_known.yml | 2 +- setup.yml | 2 +- 6 files changed, 40 insertions(+), 40 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index c2dd57866..9efd15391 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -435,7 +435,7 @@ matrix_jitsi_web_stun_servers: | # By default, this playbook sets up a postfix mailer server (running in a container). # This is so that Synapse can send email reminders for unread messages. -# Other services (like mxisd), also use the mailer. +# Other services (like ma1sd), also use the mailer. matrix_mailer_enabled: true ###################################################################### 
@@ -448,41 +448,41 @@ matrix_mailer_enabled: true ###################################################################### # -# matrix-mxisd +# matrix-ma1sd # ###################################################################### -# By default, this playbook installs the mxisd identity server on the same domain as Synapse (`matrix_server_fqn_matrix`). +# By default, this playbook installs the ma1sd identity server on the same domain as Synapse (`matrix_server_fqn_matrix`). # If you wish to use the public identity servers (matrix.org, vector.im) instead of your own you may wish to disable this. -matrix_mxisd_enabled: true +matrix_ma1sd_enabled: true -matrix_mxisd_container_image_self_build: "{{ matrix_container_images_self_build }}" +matrix_ma1sd_container_image_self_build: "{{ matrix_container_images_self_build }}" -# Normally, matrix-nginx-proxy is enabled and nginx can reach mxisd over the container network. +# Normally, matrix-nginx-proxy is enabled and nginx can reach ma1sd over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose -# mxisd's web-server port. -matrix_mxisd_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8090' }}" +# ma1sd's web-server port. +matrix_ma1sd_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8090' }}" # We enable Synapse integration via its Postgres database by default. # When using another Identity store, you might wish to disable this and define -# your own configuration in `matrix_mxisd_configuration_extension_yaml`. -matrix_mxisd_synapsesql_enabled: true -matrix_mxisd_synapsesql_type: postgresql -matrix_mxisd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user | urlencode() }}&password={{ matrix_synapse_database_password | urlencode() }} +# your own configuration in `matrix_ma1sd_configuration_extension_yaml`. 
+matrix_ma1sd_synapsesql_enabled: true +matrix_ma1sd_synapsesql_type: postgresql +matrix_ma1sd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user | urlencode() }}&password={{ matrix_synapse_database_password | urlencode() }} -matrix_mxisd_dns_overwrite_enabled: true -matrix_mxisd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" -matrix_mxisd_dns_overwrite_homeserver_client_value: "http://{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-synapse:8008' }}" +matrix_ma1sd_dns_overwrite_enabled: true +matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}" +matrix_ma1sd_dns_overwrite_homeserver_client_value: "http://{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-synapse:8008' }}" # By default, we send mail through the `matrix-mailer` service. -matrix_mxisd_threepid_medium_email_identity_from: "{{ matrix_mailer_sender_address }}" -matrix_mxisd_threepid_medium_email_connectors_smtp_host: "matrix-mailer" -matrix_mxisd_threepid_medium_email_connectors_smtp_port: 8025 -matrix_mxisd_threepid_medium_email_connectors_smtp_tls: 0 +matrix_ma1sd_threepid_medium_email_identity_from: "{{ matrix_mailer_sender_address }}" +matrix_ma1sd_threepid_medium_email_connectors_smtp_host: "matrix-mailer" +matrix_ma1sd_threepid_medium_email_connectors_smtp_port: 8025 +matrix_ma1sd_threepid_medium_email_connectors_smtp_tls: 0 -matrix_mxisd_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}" +matrix_ma1sd_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}" -matrix_mxisd_systemd_wanted_services_list: | +matrix_ma1sd_systemd_wanted_services_list: | {{ (['matrix-corporal.service'] if matrix_corporal_enabled else ['matrix-synapse.service']) + 
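Review bot: `matrix_ma1sd_self_check_validate_certificates` yields `false` on both branches of its conditional, so the self-check never validates the TLS certificate even when certificates are not self-signed; the renamed line should read `matrix_ma1sd_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"`. The same defect was already present under the old `matrix_mxisd_` name, so the rename is a good moment to fix it rather than carry it forward. The block scalar `matrix_ma1sd_systemd_wanted_services_list` that closes this hunk continues outside it. `matrix_ma1sd_synapsesql_connection` embeds the Synapse database password in a plain connection string that ends up in the generated ma1sd configuration; a short comment above it noting that the rendered config file therefore holds the password and must keep its restrictive permissions would help operators who customise that path.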
@@ -493,7 +493,7 @@ matrix_mxisd_systemd_wanted_services_list: | ###################################################################### # -# /matrix-mxisd +# /matrix-ma1sd # ###################################################################### @@ -523,8 +523,8 @@ matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enable matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081" matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081" -matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_mxisd_enabled }}" -matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-mxisd:8090" +matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_ma1sd_enabled }}" +matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:8090" matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090" # By default, we do TLS termination for the Matrix Federation API (port 8448) at matrix-nginx-proxy. @@ -536,7 +536,7 @@ matrix_nginx_proxy_proxy_synapse_metrics: "{{ matrix_synapse_metrics_enabled }}" matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container: "matrix-synapse:{{ matrix_synapse_metrics_port }}" matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "127.0.0.1:{{ matrix_synapse_metrics_port }}" -matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_mxisd_enabled }}" +matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}" 
@@ -548,7 +548,7 @@ matrix_nginx_proxy_systemd_wanted_services_list: | + (['matrix-corporal.service'] if matrix_corporal_enabled else []) + - (['matrix-mxisd.service'] if matrix_mxisd_enabled else []) + (['matrix-ma1sd.service'] if matrix_ma1sd_enabled else []) + (['matrix-riot-web.service'] if matrix_riot_web_enabled else []) }} @@ -652,8 +652,8 @@ matrix_riot_web_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matrix_jit matrix_synapse_container_image_self_build: "{{ matrix_container_images_self_build }}" -# When mxisd is enabled, we can use it instead of the default public Identity servers. -matrix_synapse_trusted_third_party_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}" +# When ma1sd is enabled, we can use it instead of the default public Identity servers. +matrix_synapse_trusted_third_party_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_ma1sd_enabled else matrix_synapse_id_servers_public }}" # Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, diff --git a/roles/matrix-base/tasks/main.yml b/roles/matrix-base/tasks/main.yml index 909cad200..827a41013 100644 --- a/roles/matrix-base/tasks/main.yml +++ b/roles/matrix-base/tasks/main.yml @@ -21,7 +21,7 @@ when: run_setup|bool tags: - setup-all - - setup-mxisd + - setup-ma1sd - setup-synapse - setup-nginx-proxy diff --git a/roles/matrix-base/tasks/self_check_dns.yml b/roles/matrix-base/tasks/self_check_dns.yml index d17b2149a..57c07b2b1 100644 --- a/roles/matrix-base/tasks/self_check_dns.yml +++ b/roles/matrix-base/tasks/self_check_dns.yml 
@@ -5,16 +5,16 @@ - block: - set_fact: - dns_srv_record_check_mxisd: + dns_srv_record_check_ma1sd: service_and_protocol: "_matrix-identity._tcp" domain: "{{ (matrix_domain + '.') }}" expected_target: "{{ (matrix_server_fqn_matrix + '.') }}" expected_port: 443 - - name: Determine domains that we require certificates for (mxisd) + - name: Determine domains that we require certificates for (ma1sd) set_fact: - dns_srv_record_checks: "{{ dns_srv_record_checks + [dns_srv_record_check_mxisd] }}" - when: matrix_mxisd_enabled|bool + dns_srv_record_checks: "{{ dns_srv_record_checks + [dns_srv_record_check_ma1sd] }}" + when: matrix_ma1sd_enabled|bool - name: Perform DNS SRV checks include_tasks: "{{ role_path }}/tasks/self_check_dns_srv.yml" diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 8f3f0481b..12d314f5b 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml 
@@ -116,21 +116,21 @@ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:410 # Controls whether proxying for the User Directory Search API (`/_matrix/client/r0/user_directory/search`) should be done (on the matrix domain). # This can be used to forward the API endpoint to another service, augmenting the functionality of Synapse's own User Directory Search. -# To learn more, see: https://github.com/kamax-matrix/mxisd/blob/master/docs/features/directory.md +# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/directory.md matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false -matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-mxisd:8090" +matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-ma1sd:8090" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:8090" # Controls whether proxying for 3PID-based registration (`/_matrix/client/r0/register/(email|msisdn)/requestToken`) should be done (on the matrix domain). # This allows another service to control registrations involving 3PIDs. 
-# To learn more, see: https://github.com/kamax-matrix/mxisd/blob/master/docs/features/registration.md +# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled: false -matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-mxisd:8090" +matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-ma1sd:8090" matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container: "127.0.0.1:8090" # Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain) matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false -matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-mxisd:8090" +matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:8090" matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090" # Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain) diff --git a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml index 6aaf9cb31..be1b65553 100644 --- a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml +++ b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml @@ -18,7 +18,7 @@ follow_redirects: safe validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}" - - name: Determine domains that we require certificates for (mxisd) + - name: Determine domains that we require certificates for (ma1sd) set_fact: well_known_file_checks: "{{ well_known_file_checks + [well_known_file_check_matrix_server] }}" when: matrix_well_known_matrix_server_enabled|bool diff --git a/setup.yml b/setup.yml index 61d448f31..5baee8f35 100755 --- a/setup.yml +++ b/setup.yml 
@@ -19,7 +19,7 @@ - matrix-synapse - matrix-riot-web - matrix-jitsi - - matrix-mxisd + - matrix-ma1sd - matrix-dimension - matrix-email2matrix - matrix-nginx-proxy From 8c5c2e5eec2dfe54d8b2540b122996b07a0ce174 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Fri, 27 Mar 2020 19:31:15 +0100 Subject: [PATCH 14/87] Bump ma1sd version to 2.3.0 --- roles/matrix-ma1sd/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index 4ae87e3de..686358110 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml @@ -3,7 +3,7 @@ matrix_ma1sd_enabled: true -matrix_ma1sd_docker_image: "ma1uta/ma1sd:2.2.2" +matrix_ma1sd_docker_image: "ma1uta/ma1sd:2.3.0" matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}" matrix_ma1sd_base_path: "{{ matrix_base_data_path }}/ma1sd" From c2d384d2ef0070097baf39df8858638dc8829286 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Thu, 2 Apr 2020 10:43:40 +0200 Subject: [PATCH 15/87] some more mxisd to ma1sd string/URL replacements --- docs/self-building.md | 4 ++-- roles/matrix-ma1sd/tasks/validate_config.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/self-building.md b/docs/self-building.md index a4d6fad9c..6b9a46d49 100644 --- a/docs/self-building.md +++ b/docs/self-building.md 
@@ -1,6 +1,6 @@ # Self-building -The playbook supports the self-building of some of its components. This may be useful for architectures besides x86_64, which have no Docker images right now (e g. the armv7 for the Raspberry Pi). Some playbook roles have been updated, so they build the necessary image on the host. It needs more space, as some build tools need to be present (like Java, for mxisd). +The playbook supports the self-building of some of its components. This may be useful for architectures besides x86_64, which have no Docker images right now (e g. the armv7 for the Raspberry Pi). Some playbook roles have been updated, so they build the necessary image on the host. It needs more space, as some build tools need to be present (like Java, for ma1sd). To use these modification there is a variable that needs to be switched to enable this functionality. Add this to your `vars.yaml` file: ```yaml @@ -12,7 +12,7 @@ List of roles where self-building the docker image is currently possible: - synapse - riot-web - coturn -- mxisd +- ma1sd - matrix-bridge-mautrix-facebook - matrix-bridge-mautrix-hangouts diff --git a/roles/matrix-ma1sd/tasks/validate_config.yml b/roles/matrix-ma1sd/tasks/validate_config.yml index 07a170065..3adb47562 100644 --- a/roles/matrix-ma1sd/tasks/validate_config.yml +++ b/roles/matrix-ma1sd/tasks/validate_config.yml @@ -34,7 +34,7 @@ msg: > Since version 1.3.0, ma1sd will not accept property-style configuration keys. You have defined a key (`{{ item.key }}`) which contains a dot. - Instead, use nesting. See: https://github.com/kamax-matrix/mxisd/wiki/Upgrade-Notes#v130 + Instead, use nesting. See: https://github.com/ma1uta/ma1sd/wiki/Upgrade-Notes#v130 when: "'.' in item.key" with_dict: "{{ matrix_ma1sd_configuration }}" From ed34d0ac396658a265e5fbeed131439a669d5898 Mon Sep 17 00:00:00 2001 
From: Marcel Partap Date: Thu, 2 Apr 2020 10:50:07 +0200 Subject: [PATCH 16/87] fix "noeol" ("No newline at end of file" == missing 0A byte at file end) --- roles/matrix-ma1sd/vars/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-ma1sd/vars/main.yml b/roles/matrix-ma1sd/vars/main.yml index dfaf58bdf..b6c97a593 100644 --- a/roles/matrix-ma1sd/vars/main.yml +++ b/roles/matrix-ma1sd/vars/main.yml @@ -2,4 +2,4 @@ # Doing `|from_yaml` when the extension contains nothing yields an empty string (""). # We need to ensure it's a dictionary or `|combine` (when building `matrix_ma1sd_configuration`) will fail later. -matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml|from_yaml if matrix_ma1sd_configuration_extension_yaml|from_yaml else {} }}" \ No newline at end of file +matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml|from_yaml if matrix_ma1sd_configuration_extension_yaml|from_yaml else {} }}" From 92672f89490003ef0c4c35ca039ae74a608ebe91 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Thu, 2 Apr 2020 10:55:35 +0200 Subject: [PATCH 17/87] matrix-ma1sd/tasks/validate_config.yml: can ansible process regex in when statements? --- roles/matrix-ma1sd/tasks/validate_config.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-ma1sd/tasks/validate_config.yml b/roles/matrix-ma1sd/tasks/validate_config.yml index 3adb47562..edbd54192 100644 --- a/roles/matrix-ma1sd/tasks/validate_config.yml +++ b/roles/matrix-ma1sd/tasks/validate_config.yml @@ -55,3 +55,4 @@ when: "item.old in vars" with_items: - {'old': 'matrix_ma1sd_container_expose_port', 'new': ''} + - {'old': 'matrix_mxisd_.*', 'new': 'matrix_ma1sd_.*'} From e4ceeccd1464b9840d8d88245f7f786f63103026 Mon Sep 17 00:00:00 2001 
From: Marcel Partap Date: Thu, 2 Apr 2020 17:19:40 +0200 Subject: [PATCH 18/87] Add mxisd => ma1sd migration task --- roles/matrix-ma1sd/tasks/migrate_mxisd.yml | 79 ++++++++++++++++++++++ roles/matrix-ma1sd/tasks/setup_ma1sd.yml | 3 + 2 files changed, 82 insertions(+) create mode 100644 roles/matrix-ma1sd/tasks/migrate_mxisd.yml diff --git a/roles/matrix-ma1sd/tasks/migrate_mxisd.yml b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml new file mode 100644 index 000000000..2d92de629 --- /dev/null +++ b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml 
@@ -0,0 +1,79 @@
+---
+
+# This task is for migrating existing mxisd data when transitioning to the ma1sd fork.
+
+- name: Check for existent mxisd data
+ stat:
+ path: "{{ matrix_base_data_path }}/mxisd"
+ register: ma1sd_migrate_mxisd_data_dir_stat
+
+- name: Warn if mxisd data detected
+ debug:
+ msg: >
+ You seem to have an existing mxisd data folder in `{{ matrix_base_data_path }}`.
+ We are going to migrate it to ma1sd and rename the folder to mxisd.migrated.
+ when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists"
+
+- name: Check existence of old matrix-mxisd service
+ stat:
+ path: "{{ matrix_systemd_path }}/matrix-mxisd.service"
+ register: matrix_mxisd_service_stat
+ when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists"
+
+- name: Ensure matrix-mxisd is stopped
+ service:
+ name: matrix-mxisd
+ state: stopped
+ daemon_reload: yes
+ when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists and matrix_mxisd_service_stat.stat.exists"
+
+- name: Check existence of matrix-ma1sd service
+ stat:
+ path: "{{ matrix_systemd_path }}/matrix-ma1sd.service"
+ register: matrix_ma1sd_service_stat
+ when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists"
+
+- name: Ensure matrix-ma1sd is stopped
+ service:
+ name: matrix-ma1sd
+ state: stopped
+ daemon_reload: yes
+ when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists and matrix_ma1sd_service_stat.stat.exists"
+
+- name: Ensure ma1sd data path exist
+ file:
+ path: "{{ matrix_ma1sd_data_path }}"
+ state: directory
+ mode: 0750
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_username }}"
+ when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists"
+
+- name: Copy mxisd data files to ma1sd folder
+ copy:
+ src: "{{ item }}"
+ dest: "{{ matrix_ma1sd_data_path }}/"
+ mode: "preserve"
+ owner: "{{ matrix_user_username }}"
+ group: "{{ matrix_user_username }}"
+ with_items:
+ - "{{ matrix_base_data_path }}/mxisd/data/mxisd.db"
+ - "{{ matrix_base_data_path }}/mxisd/data/sign.key"
+ when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists"
+
+- name: Rename mxisd folder
+ command: "mv {{ matrix_base_data_path }}/mxisd {{ matrix_base_data_path }}/mxisd.migrated"
+ when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists"
+
+- name: Ensure outdated matrix-mxisd.service doesn't exist
+ file:
+ path: "{{ matrix_systemd_path }}/matrix-mxisd.service"
+ state: absent
+ when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists"
+
+- name: Ensure systemd reloaded after removing outdated matrix-mxisd.service
+ service:
+ daemon_reload: yes
+ when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists"
+
+
diff --git a/roles/matrix-ma1sd/tasks/setup_ma1sd.yml b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml
index 483d7f9c0..c197b64f9 100644
--- a/roles/matrix-ma1sd/tasks/setup_ma1sd.yml
+++ b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml
@@ -4,6 +4,9 @@
 # Tasks related to setting up ma1sd
 #
 
+- import_tasks: "{{ role_path }}/tasks/migrate_mxisd.yml"
+ when: matrix_ma1sd_enabled|bool
+
 - name: Ensure ma1sd paths exist
 file:
 path: "{{ item.path }}"
From 4172345d34ae75f039db49bd81ceca33ee483da8 Mon Sep 17 00:00:00 2001 From: Marcel Partap Date: Thu, 2 Apr 2020 17:20:06 +0200 Subject: [PATCH 19/87] Fix regex matching against old variable names in ma1sd validation task
---
 roles/matrix-ma1sd/tasks/validate_config.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/matrix-ma1sd/tasks/validate_config.yml b/roles/matrix-ma1sd/tasks/validate_config.yml
index edbd54192..da2bdc1b1 100644
--- a/roles/matrix-ma1sd/tasks/validate_config.yml
+++ b/roles/matrix-ma1sd/tasks/validate_config.yml
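Review bot: The old matrix-mxisd unit is stopped and its unit file deleted, but it is never disabled, so a `multi-user.target.wants/matrix-mxisd.service` symlink left from when it was enabled would dangle after the file is removed; add `enabled: false` to the `Ensure matrix-mxisd is stopped` task (this presumes the old unit had an `[Install]` section, which is not visible here). `mode: 0750` is an unquoted octal and should be `mode: "0750"` so YAML parsers do not read it as an integer. The `Rename mxisd folder` command carries no `removes:` guard and no `changed_when`, so `removes: "{{ matrix_base_data_path }}/mxisd"` would make a rerun after an interrupted migration safe. The renamed `mxisd.migrated` directory still holds `sign.key` and `mxisd.db`; the `Warn if mxisd data detected` message should tell the operator that the old signing key material stays on disk there until they delete it.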
@@ -52,7 +52,7 @@ msg: >- Your configuration contains a variable, which now has a different name. Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). - when: "item.old in vars" + when: "vars | dict2items | selectattr('key', 'match', item.old) | list | items2dict" with_items: - {'old': 'matrix_ma1sd_container_expose_port', 'new': ''} - {'old': 'matrix_mxisd_.*', 'new': 'matrix_ma1sd_.*'} From 59ccff9babcbf79fe6dac31600d01b057a9b1412 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Apr 2020 09:27:22 +0300 Subject: [PATCH 20/87] Fix mxisd -> ma1sd file copying When the playbook executes on a remote host (as it usually does), we need to explicitly say `src` is a remote file and not relative to the playbook. --- roles/matrix-ma1sd/tasks/migrate_mxisd.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/matrix-ma1sd/tasks/migrate_mxisd.yml b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml index 2d92de629..256e83fe6 100644 --- a/roles/matrix-ma1sd/tasks/migrate_mxisd.yml +++ b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml @@ -52,6 +52,7 @@ - name: Copy mxisd data files to ma1sd folder copy: src: "{{ item }}" + remote_src: true dest: "{{ matrix_ma1sd_data_path }}/" mode: "preserve" owner: "{{ matrix_user_username }}" From be1951133889018bf780a9caa99c2a9e7bbdecdc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Apr 2020 09:28:44 +0300 Subject: [PATCH 21/87] Add missing container self-build variables for ma1sd --- roles/matrix-ma1sd/defaults/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/matrix-ma1sd/defaults/main.yml b/roles/matrix-ma1sd/defaults/main.yml index 686358110..144f4932e 100644 --- a/roles/matrix-ma1sd/defaults/main.yml +++ b/roles/matrix-ma1sd/defaults/main.yml 
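Review bot: The `match` test only anchors at the start of the name, so the `matrix_ma1sd_container_expose_port` pattern also trips on any longer variable that merely begins with it; anchoring the end with `selectattr('key', 'match', item.old ~ '$')` keeps the check exact. Building a dict with `items2dict` purely to test for emptiness is also harder to read than `vars | dict2items | selectattr('key', 'match', item.old ~ '$') | list | length > 0`, which says what is meant. Keep in mind that `vars` also carries this role's own defaults, so any pattern added to this list must not match a legitimately defined `matrix_ma1sd_*` variable.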
@@ -3,10 +3,13 @@ matrix_ma1sd_enabled: true +matrix_ma1sd_container_image_self_build: false + matrix_ma1sd_docker_image: "ma1uta/ma1sd:2.3.0" matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}" matrix_ma1sd_base_path: "{{ matrix_base_data_path }}/ma1sd" +matrix_ma1sd_docker_src_files_path: "{{ matrix_ma1sd_base_path }}/docker-src" matrix_ma1sd_config_path: "{{ matrix_ma1sd_base_path }}/config" matrix_ma1sd_data_path: "{{ matrix_ma1sd_base_path }}/data" From a4ea2f850b7e71cbc470f9bc6a9270a45c8f4cbc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Apr 2020 09:42:14 +0300 Subject: [PATCH 22/87] Provide a friendlier migration message from people using matrix_mxisd_ variables --- roles/matrix-ma1sd/tasks/validate_config.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/roles/matrix-ma1sd/tasks/validate_config.yml b/roles/matrix-ma1sd/tasks/validate_config.yml index da2bdc1b1..691fe0ac9 100644 --- a/roles/matrix-ma1sd/tasks/validate_config.yml +++ b/roles/matrix-ma1sd/tasks/validate_config.yml @@ -46,7 +46,6 @@ with_items: - "matrix_ma1sd_threepid_medium_email_connectors_smtp_host" - - name: (Deprecation) Catch and report renamed ma1sd variables fail: msg: >- 
@@ -55,4 +54,13 @@ when: "vars | dict2items | selectattr('key', 'match', item.old) | list | items2dict" with_items: - {'old': 'matrix_ma1sd_container_expose_port', 'new': ''} + +- name: (Deprecation) Catch and report mxisd variables + fail: + msg: >- + mxisd is deprecated and has been replaced with ma1sd (https://github.com/ma1uta/ma1sd), a compatible fork. + The playbook will migrate your existing mxisd configuration and data automatically, but you need to adjust variable names. + Please change your configuration (vars.yml) to rename all mxisd variables (`{{ item.old }}` -> `{{ item.new }}`). + when: "vars | dict2items | selectattr('key', 'match', item.old) | list | items2dict" + with_items: - {'old': 'matrix_mxisd_.*', 'new': 'matrix_ma1sd_.*'} From a0b82d223419431153601144441553a755ee97a6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Apr 2020 09:53:31 +0300 Subject: [PATCH 23/87] Fix mxisd -> ma1sd data migration (mxisd.db -> ma1sd.db) --- roles/matrix-ma1sd/tasks/migrate_mxisd.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-ma1sd/tasks/migrate_mxisd.yml b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml index 256e83fe6..424880e2e 100644 --- a/roles/matrix-ma1sd/tasks/migrate_mxisd.yml +++ b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml 
@@ -51,15 +51,15 @@ - name: Copy mxisd data files to ma1sd folder copy: - src: "{{ item }}" + src: "{{ item.src }}" remote_src: true - dest: "{{ matrix_ma1sd_data_path }}/" + dest: "{{ matrix_ma1sd_data_path }}/{{ item.dst_name }}" mode: "preserve" owner: "{{ matrix_user_username }}" group: "{{ matrix_user_username }}" with_items: - - "{{ matrix_base_data_path }}/mxisd/data/mxisd.db" - - "{{ matrix_base_data_path }}/mxisd/data/sign.key" + - {"src": "{{ matrix_base_data_path }}/mxisd/data/mxisd.db", "dst_name": "ma1sd.db"} + - {"src": "{{ matrix_base_data_path }}/mxisd/data/sign.key", "dst_name": "sign.key"} when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" - name: Rename mxisd folder From 845f5f007b3ab8d3479e1ecd1d9ff9e07f5474fe Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Apr 2020 10:08:37 +0300 Subject: [PATCH 24/87] Make Synapse use ma1sd (if enabled) for threepid registration --- group_vars/matrix_servers | 5 +++++ roles/matrix-synapse/defaults/main.yml | 8 ++++++++ roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 4 ++-- 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 9efd15391..e9dbffb5a 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -655,6 +655,11 @@ matrix_synapse_container_image_self_build: "{{ matrix_container_images_self_buil
 # When ma1sd is enabled, we can use it instead of the default public Identity servers.
 matrix_synapse_trusted_third_party_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_ma1sd_enabled else matrix_synapse_id_servers_public }}"
 
+# When ma1sd is enabled, we can use it to validate email addresses and phone numbers.
+# Synapse can validate email addresses by itself as well, but it's probably not what we want by default when we have an identity server.
+matrix_synapse_account_threepid_delegates_email: "{{ 'http://matrix-ma1sd:8090' if matrix_ma1sd_enabled else '' }}"
+matrix_synapse_account_threepid_delegates_msisdn: "{{ 'http://matrix-ma1sd:8090' if matrix_ma1sd_enabled else '' }}"
+
 # Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network.
 # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it,
 # you can expose Synapse's ports to the host.
diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml
index f896f2324..38cd23216 100644
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
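Review bot: Setting both `account_threepid_delegates` entries whenever `matrix_ma1sd_enabled` is true does nothing to guarantee `public_baseurl`, which the homeserver template's own comment (in the next hunk) says must be filled out alongside a delegate; as far as I recall Synapse raises a ConfigError at startup for an msisdn delegate without it, so the same change should validate that or set it. The delegate URL is also plain `http://`, acceptable only because `matrix-ma1sd` is reached over the container network; an operator who overrides these variables to point at an external identity server would send email addresses, phone numbers and the registration `client_secret` in clear over that link. A comment above the two variables would make the boundary explicit: `# Plain HTTP is only acceptable because this stays on the container network; use https:// for any external identity server.`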
@@ -164,6 +164,14 @@ matrix_synapse_enable_group_creation: false # A list of 3PID types which users must supply when registering (possible values: email, msisdn). matrix_synapse_registrations_require_3pid: [] +# The server to use for email threepid validation. When empty, Synapse does it by itself. +# Otherwise, this should be pointed to an identity server. +matrix_synapse_account_threepid_delegates_email: '' + +# The server to use for phone number threepid validation. When empty, validation cannot happen, as Synapse doesn't support it. +# To make it work, this should be pointed to an identity server. +matrix_synapse_account_threepid_delegates_msisdn: '' + # Users who register on this homeserver will automatically be joined to these rooms. # Rooms are to be specified using addresses (e.g. `#address:example.com`) matrix_synapse_auto_join_rooms: [] diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index b3adcac9d..310421e9b 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -1060,8 +1060,8 @@ trusted_third_party_id_servers: # If a delegate is specified, the config option public_baseurl must also be filled out. # account_threepid_delegates: - #email: https://example.com # Delegate email sending to example.com - #msisdn: http://localhost:8090 # Delegate SMS sending to this local process + email: {{ matrix_synapse_account_threepid_delegates_email|to_json }} + msisdn: {{ matrix_synapse_account_threepid_delegates_msisdn|to_json }} # Users who register on this homeserver will automatically be joined # to these rooms From 7266542356691a0a3f109c4f4d43898a24721dff Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Apr 2020 10:41:36 +0300 Subject: [PATCH 25/87] Announce ma1sd -> mxisd migration --- CHANGELOG.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) 
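Review bot: With the defaults left empty, the template now renders `email: ""` and `msisdn: ""` under `account_threepid_delegates` instead of omitting them as the upstream sample does; Synapse appears to treat an empty string as "no delegate", but that relies on falsy-string handling rather than the documented form, and a future version that validates the value as a URL would break registration for every install without ma1sd. Guarding each line keeps the rendered file identical to upstream when nothing is configured, e.g. `{% if matrix_synapse_account_threepid_delegates_email %}email: {{ matrix_synapse_account_threepid_delegates_email|to_json }}{% endif %}` and the same for `msisdn`. If the empty-string behaviour is deliberately relied upon, say so in a comment in the template so nobody "fixes" it later.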
diff --git a/CHANGELOG.md b/CHANGELOG.md index f88987553..72ead398e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,15 @@ +# 2020-04-03 + +## (Potential Backward Compatibility Break) ma1sd replaces mxisd + +The [mxisd](https://github.com/kamax-io/mxisd) identity server, which has been deprecated for a long time, has been replaced by [ma1sd](https://github.com/kamax-io/mxisd), a compatible fork. + +**If you're using the default playbook configuration**, you don't need to do anything -- your mxisd installation will be replaced with ma1sd and all existing data will be migrated automatically the next time you run the playbook. + +**If you're doing something more special** (defining custom `matrix_mxisd_*` variables), the playbook will ask you to rename them to `matrix_ma1sd_*`. +You're also encouraged to test that ma1sd works well for such a more custom setup. + + # 2020-03-29 ## Archlinux support From 2fad4ee7d8482d48c099e66e327cb95bc28c2d74 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Apr 2020 10:43:47 +0300 Subject: [PATCH 26/87] Adjust changelog to give credit where credit is due --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 72ead398e..d4c4e74f8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,7 +2,7 @@ ## (Potential Backward Compatibility Break) ma1sd replaces mxisd -The [mxisd](https://github.com/kamax-io/mxisd) identity server, which has been deprecated for a long time, has been replaced by [ma1sd](https://github.com/kamax-io/mxisd), a compatible fork. +Thanks to [Marcel Partap](https://github.com/eMPee584)'s efforts, the [mxisd](https://github.com/kamax-io/mxisd) identity server, which has been deprecated for a long time, has finally been replaced by [ma1sd](https://github.com/kamax-io/mxisd), a compatible fork. **If you're using the default playbook configuration**, you don't need to do anything -- your mxisd installation will be replaced with ma1sd and all existing data will be migrated automatically the next time you run the playbook. From 229c8e1c38599a8f75c77d1afd811607b3959426 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Apr 2020 11:14:34 +0300 Subject: [PATCH 27/87] Adjust name in changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d4c4e74f8..ab19c5b61 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,7 +14,7 @@ You're also encouraged to test that ma1sd works well for such a more custom setu ## Archlinux support -Thanks to [Christian](https://github.com/christianlupus)'s efforts, the playbook now supports installing to an [Archlinux](https://www.archlinux.org/) server. +Thanks to [Christian Lupus](https://github.com/christianlupus)'s efforts, the playbook now supports installing to an [Archlinux](https://www.archlinux.org/) server. # 2020-03-24 From c2d0304eb18a849f7383db3aed4c1d079c94955a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Apr 2020 11:17:05 +0300 Subject: [PATCH 28/87] Fix incorrect URL --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ab19c5b61..ce8f9f3b0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,7 +2,7 @@ ## (Potential Backward Compatibility Break) ma1sd replaces mxisd -Thanks to [Marcel Partap](https://github.com/eMPee584)'s efforts, the [mxisd](https://github.com/kamax-io/mxisd) identity server, which has been deprecated for a long time, has finally been replaced by [ma1sd](https://github.com/kamax-io/mxisd), a compatible fork. +Thanks to [Marcel Partap](https://github.com/eMPee584)'s efforts, the [mxisd](https://github.com/kamax-io/mxisd) identity server, which has been deprecated for a long time, has finally been replaced by [ma1sd](https://github.com/ma1uta/ma1sd), a compatible fork. **If you're using the default playbook configuration**, you don't need to do anything -- your mxisd installation will be replaced with ma1sd and all existing data will be migrated automatically the next time you run the playbook. From c3efd2966ffe9d8396e133ad4d9f32c77c8b3aba Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Apr 2020 13:12:03 +0300 Subject: [PATCH 29/87] Fix mxisd -> ma1sd migration for older versions of Ansible --- roles/matrix-ma1sd/tasks/migrate_mxisd.yml | 45 +++++++++------------- roles/matrix-ma1sd/tasks/setup_ma1sd.yml | 6 +-- 2 files changed, 22 insertions(+), 29 deletions(-) diff --git a/roles/matrix-ma1sd/tasks/migrate_mxisd.yml b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml index 424880e2e..0331f7b97 100644 --- a/roles/matrix-ma1sd/tasks/migrate_mxisd.yml +++ b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml 
@@ -4,13 +4,13 @@ - name: Check for existent mxisd data stat: - path: "{{ matrix_base_data_path }}/mxisd" + path: "{{ matrix_base_data_path }}/mxisd/data" register: ma1sd_migrate_mxisd_data_dir_stat - name: Warn if mxisd data detected debug: msg: > - You seem to have an existing mxisd data folder in `{{ matrix_base_data_path }}`. + You seem to have an existing mxisd folder in `{{ matrix_base_data_path }}/mxisd`. We are going to migrate it to ma1sd and rename the folder to mxisd.migrated. when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" 
@@ -40,41 +40,34 @@ daemon_reload: yes when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists and matrix_ma1sd_service_stat.stat.exists" -- name: Ensure ma1sd data path exist - file: - path: "{{ matrix_ma1sd_data_path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" - when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" +# We use shell commands for the migration, because the Ansible copy module cannot +# recursively copy remote directories (like `/matrix/mxisd/data/sign.key`) in older versions of Ansible. +- block: + - name: Copy mxisd data files to ma1sd folder + command: "cp -ar {{ matrix_base_data_path }}/mxisd/data {{ matrix_ma1sd_base_path }}" -- name: Copy mxisd data files to ma1sd folder - copy: - src: "{{ item.src }}" - remote_src: true - dest: "{{ matrix_ma1sd_data_path }}/{{ item.dst_name }}" - mode: "preserve" - owner: "{{ matrix_user_username }}" - group: "{{ matrix_user_username }}" - with_items: - - {"src": "{{ matrix_base_data_path }}/mxisd/data/mxisd.db", "dst_name": "ma1sd.db"} - - {"src": "{{ matrix_base_data_path }}/mxisd/data/sign.key", "dst_name": "sign.key"} - when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + - name: Check existence of mxisd.db file + stat: + path: "{{ matrix_ma1sd_data_path }}/mxisd.db" + register: matrix_ma1sd_mxisd_db_stat -- name: Rename mxisd folder - command: "mv {{ matrix_base_data_path }}/mxisd {{ matrix_base_data_path }}/mxisd.migrated" + - name: Rename database (mxisd.db -> ma1sd.db) + command: "mv {{ matrix_ma1sd_data_path }}/mxisd.db {{ matrix_ma1sd_data_path }}/ma1sd.db" + when: "matrix_ma1sd_mxisd_db_stat.stat.exists" + + - name: Rename mxisd folder + command: "mv {{ matrix_base_data_path }}/mxisd {{ matrix_base_data_path }}/mxisd.migrated" when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" - name: Ensure outdated matrix-mxisd.service doesn't exist file: path: "{{ matrix_systemd_path }}/matrix-mxisd.service" state: absent - when: 
"ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + when: "matrix_ma1sd_service_stat.stat.exists" - name: Ensure systemd reloaded after removing outdated matrix-mxisd.service service: daemon_reload: yes - when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" + when: "matrix_ma1sd_service_stat.stat.exists" diff --git a/roles/matrix-ma1sd/tasks/setup_ma1sd.yml b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml index c197b64f9..57fc019a8 100644 --- a/roles/matrix-ma1sd/tasks/setup_ma1sd.yml +++ b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml @@ -4,9 +4,6 @@ # Tasks related to setting up ma1sd # -- import_tasks: "{{ role_path }}/tasks/migrate_mxisd.yml" - when: matrix_ma1sd_enabled|bool - - name: Ensure ma1sd paths exist file: path: "{{ item.path }}" @@ -20,6 +17,9 @@ - { path: "{{ matrix_ma1sd_docker_src_files_path }}", when: "{{ matrix_ma1sd_container_image_self_build }}"} when: matrix_ma1sd_enabled|bool and item.when +- import_tasks: "{{ role_path }}/tasks/migrate_mxisd.yml" + when: matrix_ma1sd_enabled|bool + - name: Ensure ma1sd image is pulled docker_image: name: "{{ matrix_ma1sd_docker_image }}" From 5927ed56b0d4ef12d36bbce42ebbac76c96755e1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Apr 2020 13:55:23 +0300 Subject: [PATCH 30/87] Fix matrix_ma1sd_service_stat.stat.exists sometimes being undefined --- roles/matrix-ma1sd/tasks/migrate_mxisd.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/matrix-ma1sd/tasks/migrate_mxisd.yml b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml index 0331f7b97..1d9662042 100644 --- a/roles/matrix-ma1sd/tasks/migrate_mxisd.yml +++ b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml 
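Review bot: The new `block` is not safe to re-run: `cp -ar` and the `mv` of `mxisd.db` to `ma1sd.db` silently overwrite whatever is already in `{{ matrix_ma1sd_data_path }}`, and because the `mxisd` -> `mxisd.migrated` rename is the last step, a failure anywhere before it (or a restored `/matrix/mxisd` backup) makes the next run clobber a `ma1sd.db` that ma1sd may already have been writing to. A `stat` on `{{ matrix_ma1sd_data_path }}/ma1sd.db` before the block, with a `fail` when it exists (or at least `not` that result added to the block's `when`), turns a silent data loss into a loud stop. The comment's example `sign.key` is a file rather than a directory; the point it is making is that the whole `mxisd/data` directory is copied, so say that instead.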
@@ -18,14 +18,13 @@ stat: path: "{{ matrix_systemd_path }}/matrix-mxisd.service" register: matrix_mxisd_service_stat - when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists" - name: Ensure matrix-mxisd is stopped service: name: matrix-mxisd state: stopped daemon_reload: yes - when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists and matrix_mxisd_service_stat.stat.exists" + when: "matrix_mxisd_service_stat.stat.exists" - name: Check existence of matrix-ma1sd service stat: @@ -63,11 +62,11 @@ file: path: "{{ matrix_systemd_path }}/matrix-mxisd.service" state: absent - when: "matrix_ma1sd_service_stat.stat.exists" + when: "matrix_mxisd_service_stat.stat.exists" - name: Ensure systemd reloaded after removing outdated matrix-mxisd.service service: daemon_reload: yes - when: "matrix_ma1sd_service_stat.stat.exists" + when: "matrix_mxisd_service_stat.stat.exists" From f78fa3f32879836f5dfc7d9e5b80369814b50f76 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 3 Apr 2020 14:26:30 +0300 Subject: [PATCH 31/87] Upgrade Synapse (1.12.0 -> 1.12.3) --- roles/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 38cd23216..e2ab5fb81 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -5,7 +5,7 @@ matrix_synapse_enabled: true matrix_synapse_container_image_self_build: false -matrix_synapse_docker_image: "matrixdotorg/synapse:v1.12.0" +matrix_synapse_docker_image: "matrixdotorg/synapse:v1.12.3" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" From 4ed0632327248515d91f480fb8441f57a1ca94c5 Mon Sep 17 00:00:00 2001 
From: teutat3s <10206665+teutat3s@users.noreply.github.com> Date: Fri, 3 Apr 2020 18:36:23 +0200 Subject: [PATCH 32/87] fix jitsi guests mode according to docker-jitsi-meet repo --- roles/matrix-jitsi/templates/web/config.js.j2 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/matrix-jitsi/templates/web/config.js.j2 b/roles/matrix-jitsi/templates/web/config.js.j2 index 72bffbd53..8a167c8a9 100644 --- a/roles/matrix-jitsi/templates/web/config.js.j2 +++ b/roles/matrix-jitsi/templates/web/config.js.j2 @@ -18,9 +18,11 @@ var config = { // XMPP domain. domain: '{{ matrix_jitsi_xmpp_domain }}', + {% if matrix_jitsi_enable_auth %} {% if matrix_jitsi_enable_guests %} // When using authentication, domain for guest users. - anonymousdomain: 'guest.example.com', + anonymousdomain: '{{ matrix_jitsi_xmpp_guest_domain }}', + {% endif %} // Domain for authenticated users. Defaults to . authdomain: '{{ matrix_jitsi_xmpp_domain }}', From ea072eb38d598098f7d57df2a0e5befb10feabaf Mon Sep 17 00:00:00 2001 From: teutat3s <10206665+teutat3s@users.noreply.github.com> Date: Sat, 4 Apr 2020 02:16:20 +0200 Subject: [PATCH 33/87] add missing jitsi auth URL conditional --- .../templates/jicofo/sip-communicator.properties.j2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/matrix-jitsi/templates/jicofo/sip-communicator.properties.j2 b/roles/matrix-jitsi/templates/jicofo/sip-communicator.properties.j2 index 6736becc3..c62e04ffe 100644 --- a/roles/matrix-jitsi/templates/jicofo/sip-communicator.properties.j2 +++ b/roles/matrix-jitsi/templates/jicofo/sip-communicator.properties.j2 @@ -3,3 +3,7 @@ org.jitsi.jicofo.BRIDGE_MUC={{ matrix_jitsi_jvb_brewery_muc }}@{{ matrix_jitsi_x org.jitsi.jicofo.jibri.BREWERY={{ matrix_jitsi_jibri_brewery_muc }}@{{ matrix_jitsi_xmpp_internal_muc_domain }} org.jitsi.jicofo.jibri.PENDING_TIMEOUT=90 + +{% if matrix_jitsi_enable_auth %} +org.jitsi.jicofo.auth.URL=XMPP:{{ matrix_jitsi_xmpp_domain }} +{% endif %} 
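Review bot: `anonymousdomain: '{{ matrix_jitsi_xmpp_guest_domain }}'` splices the variable raw into a JavaScript string literal, whereas the other templated values in this role go through `|to_json`; a value containing `'` or a backslash produces a broken `config.js` rather than a correctly quoted string. Use `anonymousdomain: {{ matrix_jitsi_xmpp_guest_domain|to_json }},` for consistency with the rest of the template. The new `{% if matrix_jitsi_enable_auth %}` opens a block whose closing `{% endif %}` lies outside this hunk, so it is worth confirming it pairs with the intended one now that a nested `{% endif %}` sits between them.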
From 9adddb19e2311165bb60b3d0a53394fd8d9be86e Mon Sep 17 00:00:00 2001 From: teutat3s <10206665+teutat3s@users.noreply.github.com> Date: Sat, 4 Apr 2020 03:34:49 +0200 Subject: [PATCH 34/87] fix whitespace --- roles/matrix-jitsi/templates/web/config.js.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-jitsi/templates/web/config.js.j2 b/roles/matrix-jitsi/templates/web/config.js.j2 index 8a167c8a9..3d7e5de75 100644 --- a/roles/matrix-jitsi/templates/web/config.js.j2 +++ b/roles/matrix-jitsi/templates/web/config.js.j2 @@ -21,7 +21,7 @@ var config = { {% if matrix_jitsi_enable_auth %} {% if matrix_jitsi_enable_guests %} // When using authentication, domain for guest users. - anonymousdomain: '{{ matrix_jitsi_xmpp_guest_domain }}', + anonymousdomain: '{{ matrix_jitsi_xmpp_guest_domain }}', {% endif %} // Domain for authenticated users. Defaults to . From 697e91aa059cd436a36c9ece7dc7c3e343144c8b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alin=20Tr=C4=83istaru?= Date: Sun, 29 Mar 2020 09:48:46 +0300 Subject: [PATCH 35/87] jitsi-web: add more defaults --- roles/matrix-jitsi/defaults/main.yml | 17 ++++++++++- roles/matrix-jitsi/templates/web/config.js.j2 | 2 ++ .../templates/web/interface_config.js.j2 | 28 +++++++++---------- 3 files changed, 32 insertions(+), 15 deletions(-) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 6eb36577d..6fa4c3407 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml 
@@ -53,7 +53,22 @@ matrix_jitsi_web_systemd_required_services_list: ['docker.service'] matrix_jitsi_web_config_defaultLanguage: 'en' matrix_jitsi_web_interface_config_lang_detection: false - +matrix_jitsi_web_config_start_with_audio_muted: false +matrix_jitsi_web_config_start_with_video_muted: false +matrix_jitsi_web_interface_config_show_jitsi_watermark: true +matrix_jitsi_web_interface_config_jitsi_watermark_link: "https://jitsi.org" +matrix_jitsi_web_interface_config_show_brand_watermark: false +matrix_jitsi_web_interface_config_brand_watermark_link: "" +matrix_jitsi_web_interface_config_show_watermark_for_guests: true +matrix_jitsi_web_interface_config_generate_room_names_on_welcome_page: true +matrix_jitsi_web_interface_config_display_welcome_page_content: true +matrix_jitsi_web_interface_config_app_name: "Jitsi Meet" +matrix_jitsi_web_interface_config_native_app_name: "Jitsi Meet" +matrix_jitsi_web_interface_config_provider_name: "Jitsi" +matrix_jitsi_web_interface_config_invitation_powered_by: true +matrix_jitsi_web_interface_config_show_powered_by: false +matrix_jitsi_web_interface_config_disable_transcription_subtitles: false +matrix_jisti_web_interface_config_show_deep_linking_image: false matrix_jitsi_prosody_docker_image: "jitsi/prosody:4101" matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}" diff --git a/roles/matrix-jitsi/templates/web/config.js.j2 b/roles/matrix-jitsi/templates/web/config.js.j2 index 8a167c8a9..58bcaf10d 100644 --- a/roles/matrix-jitsi/templates/web/config.js.j2 +++ b/roles/matrix-jitsi/templates/web/config.js.j2 
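Review bot: `matrix_jisti_web_interface_config_show_deep_linking_image` has `jisti` for `jitsi`; it is used with the same misspelling in `interface_config.js.j2`, so it works, but it is a new public variable that operators will search for under the `matrix_jitsi_web_interface_config_` prefix and that will have to be kept forever once documented. Rename it to `matrix_jitsi_web_interface_config_show_deep_linking_image` in both files before it ships. The other new defaults are plain booleans and quoted strings, which is the right shape for values that end up in `|to_json`.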
@@ -93,6 +93,7 @@ var config = { // Start calls with audio muted. Unlike the option above, this one is only // applied locally. FIXME: having these 2 options is confusing. // startWithAudioMuted: false, + startWithAudioMuted: {{ matrix_jitsi_web_config_start_with_audio_muted|to_json }}, // Enabling it (with #params) will disable local audio output of remote // participants and to enable it back a reload is needed. @@ -137,6 +138,7 @@ var config = { // Start calls with video muted. Unlike the option above, this one is only // applied locally. FIXME: having these 2 options is confusing. // startWithVideoMuted: false, + startWithVideoMuted: {{ matrix_jitsi_web_config_start_with_video_muted|to_json }}, // If set to true, prefer to use the H.264 video codec (if supported). // Note that it's not recommended to do this because simulcast is not diff --git a/roles/matrix-jitsi/templates/web/interface_config.js.j2 b/roles/matrix-jitsi/templates/web/interface_config.js.j2 index 737b924e4..c56f8c8cc 100644 --- a/roles/matrix-jitsi/templates/web/interface_config.js.j2 +++ b/roles/matrix-jitsi/templates/web/interface_config.js.j2 
@@ -16,22 +16,22 @@ var interfaceConfig = { TOOLBAR_ALWAYS_VISIBLE: false, DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster', DEFAULT_LOCAL_DISPLAY_NAME: 'me', - SHOW_JITSI_WATERMARK: true, - JITSI_WATERMARK_LINK: 'https://jitsi.org', + SHOW_JITSI_WATERMARK: {{ matrix_jitsi_web_interface_config_show_jitsi_watermark|to_json }}, + JITSI_WATERMARK_LINK: {{ matrix_jitsi_web_interface_config_jitsi_watermark_link|to_json }}, // if watermark is disabled by default, it can be shown only for guests - SHOW_WATERMARK_FOR_GUESTS: true, - SHOW_BRAND_WATERMARK: false, - BRAND_WATERMARK_LINK: '', - SHOW_POWERED_BY: false, - SHOW_DEEP_LINKING_IMAGE: false, - GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true, - DISPLAY_WELCOME_PAGE_CONTENT: true, - APP_NAME: 'Jitsi Meet', - NATIVE_APP_NAME: 'Jitsi Meet', - PROVIDER_NAME: 'Jitsi', + SHOW_WATERMARK_FOR_GUESTS: {{ matrix_jitsi_web_interface_config_show_watermark_for_guests|to_json }}, + SHOW_BRAND_WATERMARK: {{ matrix_jitsi_web_interface_config_show_brand_watermark|to_json }}, + BRAND_WATERMARK_LINK: {{ matrix_jitsi_web_interface_config_brand_watermark_link|to_json }}, + SHOW_POWERED_BY: {{ matrix_jitsi_web_interface_config_show_powered_by|to_json }}, + SHOW_DEEP_LINKING_IMAGE: {{ matrix_jisti_web_interface_config_show_deep_linking_image|to_json }}, + GENERATE_ROOMNAMES_ON_WELCOME_PAGE: {{ matrix_jitsi_web_interface_config_generate_room_names_on_welcome_page|to_json }}, + DISPLAY_WELCOME_PAGE_CONTENT: {{ matrix_jitsi_web_interface_config_display_welcome_page_content|to_json }}, + APP_NAME: {{ matrix_jitsi_web_interface_config_app_name|to_json }}, + NATIVE_APP_NAME: {{ matrix_jitsi_web_interface_config_native_app_name|to_json }}, + PROVIDER_NAME: {{ matrix_jitsi_web_interface_config_provider_name|to_json }}, LANG_DETECTION: {{ matrix_jitsi_web_interface_config_lang_detection|to_json }}, // Allow i18n to detect the system language - INVITATION_POWERED_BY: true, + INVITATION_POWERED_BY: {{ 
matrix_jitsi_web_interface_config_invitation_powered_by|to_json }}, /** * If we should show authentication block in profile @@ -92,7 +92,7 @@ var interfaceConfig = { * * @type {boolean} */ - DISABLE_TRANSCRIPTION_SUBTITLES: false, + DISABLE_TRANSCRIPTION_SUBTITLES: {{ matrix_jitsi_web_interface_config_disable_transcription_subtitles|to_json }}, /** * Whether the ringing sound in the call/ring overlay is disabled. If From d781c8fdf9bb111cddd45eed8cc63aa841eb7eb7 Mon Sep 17 00:00:00 2001 From: teutat3s <10206665+teutat3s@users.noreply.github.com> Date: Sun, 5 Apr 2020 03:30:14 +0200 Subject: [PATCH 36/87] add optional Jitsi internal auth+guests docs improve readability --- docs/configuring-playbook-jitsi.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index f163976d0..a0c1c4418 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md 
@@ -25,8 +25,34 @@ Add this to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: matrix_jitsi_enabled: true ``` +## (Optional) configure internal Jitsi authentication and guests mode + +By default the Jitsi Meet instance does not require any kind of login and is open to use for anyone without registration. +If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's `internal` authentication and guests mode. With this optional configuration, all meeting rooms have to be opened by at least one registered user, after that guests are free to join. If a registered host is not present yet, guests are put on hold into a waiting room. +If you prefer an open Jitsi instance, please skip to [Apply changes](#apply-changes). + +Add these two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: + +```yaml +matrix_jitsi_enable_auth: true +matrix_jitsi_enable_guests: true +``` + +## Apply changes + Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` +## Required if configuring Jitsi with its internal authentication: register new users + +Until this gets integrated into the playbook, we need to register new users / meeting hosts for Jitsi manually. +Please SSH into your matrix host machine and execute the following command targeting the `matrix-jitsi-prosody` container: + +```bash +docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register matrix-jitsi-web +``` + +Run this command for each user you would like to create, replacing `` and `` accordingly. After you've finished, please exit the host. + ## Usage From 604e581a970c3565f18af5a072c402fe9d374f86 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alin=20Tr=C4=83istaru?= Date: Sun, 5 Apr 2020 09:42:52 +0300 Subject: [PATCH 37/87] add ntpd defaults --- roles/matrix-base/defaults/main.yml | 3 +++ roles/matrix-base/tasks/server_base/setup.yml | 4 ++-- roles/matrix-base/tasks/server_base/setup_archlinux.yml | 2 +- roles/matrix-base/tasks/server_base/setup_centos.yml | 2 +- roles/matrix-base/tasks/server_base/setup_debian.yml | 2 +- roles/matrix-base/tasks/server_base/setup_raspbian.yml | 2 +- 6 files changed, 9 insertions(+), 6 deletions(-) diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml index 6800df869..c6ed430b9 100644 --- a/roles/matrix-base/defaults/main.yml +++ b/roles/matrix-base/defaults/main.yml @@ -33,6 +33,9 @@ matrix_systemd_path: "/etc/systemd/system" matrix_cron_path: "/etc/cron.d" matrix_local_bin_path: "/usr/local/bin" +matrix_ntpd_package: "ntp" +matrix_ntpd_service: "{{ 'ntpd' if ansible_os_family == 'RedHat' or ansible_distribution == 'Archlinux' else 'ntp' }}" + matrix_homeserver_url: "https://{{ matrix_server_fqn_matrix }}" matrix_identity_server_url: ~ diff --git a/roles/matrix-base/tasks/server_base/setup.yml b/roles/matrix-base/tasks/server_base/setup.yml index 73abbec24..2425c82b6 100644 --- a/roles/matrix-base/tasks/server_base/setup.yml +++ b/roles/matrix-base/tasks/server_base/setup.yml @@ -18,8 +18,8 @@ state: started enabled: yes -- name: Ensure ntpd is started and autoruns +- name: "Ensure {{ matrix_ntpd_service }} is started and autoruns" service: - name: "{{ 'ntpd' if ansible_os_family == 'RedHat' or ansible_distribution == 'Archlinux' else 'ntp' }}" + name: "{{ matrix_ntpd_service }}" state: started enabled: yes diff --git a/roles/matrix-base/tasks/server_base/setup_archlinux.yml b/roles/matrix-base/tasks/server_base/setup_archlinux.yml index 144e8b751..3814305d6 100644 --- a/roles/matrix-base/tasks/server_base/setup_archlinux.yml +++ b/roles/matrix-base/tasks/server_base/setup_archlinux.yml 
@@ -4,7 +4,7 @@ pacman: name: - python-docker - - ntp + - "{{ matrix_ntpd_package }}" # TODO This needs to be verified. Which version do we need? - fuse3 - python-dnspython diff --git a/roles/matrix-base/tasks/server_base/setup_centos.yml b/roles/matrix-base/tasks/server_base/setup_centos.yml index 945c86ef1..77b2866af 100644 --- a/roles/matrix-base/tasks/server_base/setup_centos.yml +++ b/roles/matrix-base/tasks/server_base/setup_centos.yml @@ -21,7 +21,7 @@ yum: name: - docker-python - - ntp + - "{{ matrix_ntpd_package }}" - fuse state: latest update_cache: yes diff --git a/roles/matrix-base/tasks/server_base/setup_debian.yml b/roles/matrix-base/tasks/server_base/setup_debian.yml index 9438a5f4b..c54b3cb6f 100644 --- a/roles/matrix-base/tasks/server_base/setup_debian.yml +++ b/roles/matrix-base/tasks/server_base/setup_debian.yml @@ -28,7 +28,7 @@ apt: name: - "python{{'3' if ansible_python.version.major == 3 else ''}}-docker" - - ntp + - "{{ matrix_ntpd_package }}" - fuse state: latest update_cache: yes diff --git a/roles/matrix-base/tasks/server_base/setup_raspbian.yml b/roles/matrix-base/tasks/server_base/setup_raspbian.yml index 3a62a5db8..a9a5d20af 100644 --- a/roles/matrix-base/tasks/server_base/setup_raspbian.yml +++ b/roles/matrix-base/tasks/server_base/setup_raspbian.yml @@ -28,7 +28,7 @@ apt: name: - python-docker - - ntp + - "{{ matrix_ntpd_package }}" - fuse state: latest update_cache: yes From a04c67dbc4e00a76c6a4fe1b818f4f5727d8040e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 5 Apr 2020 10:01:55 +0300 Subject: [PATCH 38/87] Add information about rebuilding Jitsi Prosody configuration --- docs/configuring-playbook-jitsi.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index a0c1c4418..9156f92b0 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md 
@@ -51,7 +51,13 @@ Please SSH into your matrix host machine and execute the following command targe docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register matrix-jitsi-web ``` -Run this command for each user you would like to create, replacing `` and `` accordingly. After you've finished, please exit the host. +Run this command for each user you would like to create, replacing `` and `` accordingly. After you've finished, please exit the host. + +**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. The playbook can't yet rebuild all configuration files for some Jitsi services (like `matrix-jitsi-prosody`), which may cause such an error. **If you encounter this error**, we encourage you to: +- stop all Jitsi services (`systemctl stop matrix-jitsi-*`) +- remove the Jitsi Prosody configuration & data (`rm -rf /matrix/jitsi/prosody`) +- rebuild Jitsi configuration and restart services (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-jitsi,start`) +- try the previously-failing command once again ## Usage From 0ee2060c3131c2ab9e1894df61fe0154dda386b0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 5 Apr 2020 10:03:51 +0300 Subject: [PATCH 39/87] Reorganize paragraphs a bit --- docs/configuring-playbook-jitsi.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index 9156f92b0..c2834244e 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md 
@@ -28,8 +28,10 @@ matrix_jitsi_enabled: true ## (Optional) configure internal Jitsi authentication and guests mode By default the Jitsi Meet instance does not require any kind of login and is open to use for anyone without registration. + +If you're fine with such an open Jitsi instance, please skip to [Apply changes](#apply-changes). + If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's `internal` authentication and guests mode. With this optional configuration, all meeting rooms have to be opened by at least one registered user, after that guests are free to join. If a registered host is not present yet, guests are put on hold into a waiting room. -If you prefer an open Jitsi instance, please skip to [Apply changes](#apply-changes). Add these two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: From 70010c26abf542539ca3b3b5c66dca43ced602a4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 5 Apr 2020 10:27:52 +0300 Subject: [PATCH 40/87] Update changelog with information on private Jitsi Related to #436 (Github Pull Request). --- CHANGELOG.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ce8f9f3b0..af2c8910d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,14 @@ +# 2020-04-05 + +## Private Jitsi support + +The [Jitsi support](#jitsi-support) we had landed a few weeks ago was working well, but it was always open to the whole world. + +Running such an open instance is not desirable to most people, so [teutat3s](https://github.com/teutat3s) has contributed support for making Jitsi use authentication. + +To make your Jitsi server more private, see the [configure internal Jitsi authentication and guests mode](docs/configuring-playbook-jitsi.md#optional-configure-internal-jitsi-authentication-and-guests-mode) section in our Jitsi documentation. + + # 2020-04-03 ## (Potential Backward Compatibility Break) ma1sd replaces mxisd From eb8e162ac2a9def47e5b0c3c30924104b2ae1de7 Mon Sep 17 00:00:00 2001 From: Sean O'Neil Date: Sun, 5 Apr 2020 11:36:08 -0700 Subject: [PATCH 41/87] Update Caddy example in configuring-well-known to Caddy version 2 --- docs/configuring-well-known.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/configuring-well-known.md b/docs/configuring-well-known.md index 621dec0e9..8bf84ed16 100644 --- a/docs/configuring-well-known.md +++ b/docs/configuring-well-known.md @@ -107,7 +107,9 @@ server { **For Caddy**, it would be something like this: ```caddy -proxy /.well-known/matrix https://matrix.DOMAIN +reverse_proxy /.well-known/matrix/* https://matrix.DOMAIN { + header_up Host {http.reverse_proxy.upstream.hostport} +} ``` **For HAProxy**, it would be something like this: From 3d096a2b13866f2d60fdd4d0d91211aa8cad53cf Mon Sep 17 00:00:00 2001 From: Horvath Gergely Date: Mon, 6 Apr 2020 18:36:17 +0200 Subject: [PATCH 42/87] make selfbuild be forced on (and only) git master change --- roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml index 77f3346f8..82b55cea1 100644 
--- a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml
+++ b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml
@@ -36,17 +36,19 @@
 dest: "{{ matrix_mautrix_facebook_docker_src_files_path }}"
 # version: "{{ matrix_coturn_docker_image.split(':')[1] }}"
 force: "yes"
+ register: matrix_mautrix_facebook_git_pull_results
 when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build"
 
 - name: Ensure Mautrix Facebook Docker image is built
 docker_image:
 name: "{{ matrix_mautrix_facebook_docker_image }}"
 source: build
+ force_source: yes
 build:
 dockerfile: Dockerfile
 path: "{{ matrix_mautrix_facebook_docker_src_files_path }}"
 pull: yes
- when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build"
+ when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build and matrix_mautrix_facebook_git_pull_results.changed"
 
 - name: Check if an old database file already exists
 stat:
From 17e7bae2cc502b5b0f7de88f1e73aff3baefc453 Mon Sep 17 00:00:00 2001 From: Horvath Gergely Date: Mon, 6 Apr 2020 18:42:15 +0200 Subject: [PATCH 43/87] make selfbuild be forced on (and only) git master change --- roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml
index db1dc884b..ae962d34c 100644
--- a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml
+++ b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml
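Review bot: Gating the build on `matrix_mautrix_facebook_git_pull_results.changed` means a build that fails part-way, or an image later removed by an image prune, is never retried: on the next run the git checkout reports no change, so the `when:` on `Ensure Mautrix Facebook Docker image is built` stays false and the bridge has no image to start from. The same gating is introduced for Hangouts in the next commit's hunk (`Ensure Mautrix Hangouts Docker image is built`). A safer condition also builds when the image is absent, for example by registering a `docker_image_info` lookup (available since Ansible 2.8) ahead of the build task and OR-ing its result into the `when:`, as sketched below. Dereferencing `.changed` is only safe because the `and` chain short-circuits when self-build is disabled; that dependency on operand order deserves a one-line comment. The enclosing task list continues outside the hunk.

```yaml
- name: Check whether the Mautrix Facebook Docker image is already present
  docker_image_info:
    name: "{{ matrix_mautrix_facebook_docker_image }}"
  register: matrix_mautrix_facebook_docker_image_info
  when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build"

- name: Ensure Mautrix Facebook Docker image is built
  docker_image:
    # … unchanged: name / source / force_source / build arguments …
  # Rebuild when the checkout changed OR no image exists yet (failed/pruned earlier build).
  when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build and (matrix_mautrix_facebook_git_pull_results.changed or (matrix_mautrix_facebook_docker_image_info.images | length) == 0)"
```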
@@ -35,17 +35,19 @@
 repo: https://github.com/tulir/mautrix-hangouts.git
 dest: "{{ matrix_mautrix_hangouts_docker_src_files_path }}"
 force: "yes"
+ register: matrix_mautrix_hangouts_git_pull_results
 when: "matrix_mautrix_hangouts_enabled|bool and matrix_mautrix_hangouts_container_image_self_build"
 
 - name: Ensure Mautrix Hangouts Docker image is built
 docker_image:
 name: "{{ matrix_mautrix_hangouts_docker_image }}"
 source: build
+ force_source: yes
 build:
 dockerfile: Dockerfile
 path: "{{ matrix_mautrix_hangouts_docker_src_files_path }}"
 pull: yes
- when: "matrix_mautrix_hangouts_enabled|bool and matrix_mautrix_hangouts_container_image_self_build"
+ when: "matrix_mautrix_hangouts_enabled|bool and matrix_mautrix_hangouts_container_image_self_build and matrix_mautrix_hangouts_git_pull_results.changed"
 
 - name: Check if an old database file already exists
 stat:
From fab1e23609f05a15a1f2b327df394986a06d5dd4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 6 Apr 2020 21:35:49 +0300 Subject: [PATCH 44/87] Make a few more Jitsi Meet options configurable --- roles/matrix-jitsi/defaults/main.yml | 5 ++++- roles/matrix-jitsi/templates/web/config.js.j2 | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml
index 6fa4c3407..1fed1744e 100644
--- a/roles/matrix-jitsi/defaults/main.yml
+++ b/roles/matrix-jitsi/defaults/main.yml
@@ -52,9 +52,12 @@ matrix_jitsi_web_container_extra_arguments: [] matrix_jitsi_web_systemd_required_services_list: ['docker.service'] matrix_jitsi_web_config_defaultLanguage: 'en' -matrix_jitsi_web_interface_config_lang_detection: false matrix_jitsi_web_config_start_with_audio_muted: false matrix_jitsi_web_config_start_with_video_muted: false +matrix_jitsi_web_config_testing_enableFirefoxSimulcast: false +matrix_jitsi_web_config_testing_p2pTestMode: false + +matrix_jitsi_web_interface_config_lang_detection: false matrix_jitsi_web_interface_config_show_jitsi_watermark: true matrix_jitsi_web_interface_config_jitsi_watermark_link: "https://jitsi.org" matrix_jitsi_web_interface_config_show_brand_watermark: false diff --git a/roles/matrix-jitsi/templates/web/config.js.j2 b/roles/matrix-jitsi/templates/web/config.js.j2 index df57ca5c2..7e24d30b8 100644 --- a/roles/matrix-jitsi/templates/web/config.js.j2 +++ b/roles/matrix-jitsi/templates/web/config.js.j2 @@ -56,11 +56,11 @@ var config = { testing: { // Enables experimental simulcast support on Firefox. - enableFirefoxSimulcast: false, + enableFirefoxSimulcast: {{ matrix_jitsi_web_config_testing_enableFirefoxSimulcast|to_json }}, // P2P test mode disables automatic switching to P2P when there are 2 // participants in the conference. - p2pTestMode: false + p2pTestMode: {{ matrix_jitsi_web_config_testing_p2pTestMode|to_json }} // Enables the test specific features consumed by jitsi-meet-torture // testMode: false From f9d39f1c0cdb1f73000a254a43792d9c00f61f2b Mon Sep 17 00:00:00 2001 
From: teutat3s <10206665+teutat3s@users.noreply.github.com> Date: Wed, 8 Apr 2020 01:59:30 +0200 Subject: [PATCH 45/87] update Jitsi, add generate-jitsi-passwords script --- .gitignore | 1 + docs/configuring-playbook-jitsi.md | 11 ++++ inventory/scripts/generate-jitsi-passwords.sh | 50 +++++++++++++++++++ roles/matrix-jitsi/defaults/main.yml | 8 +-- 4 files changed, 66 insertions(+), 4 deletions(-) create mode 100755 inventory/scripts/generate-jitsi-passwords.sh diff --git a/.gitignore b/.gitignore index e3f61b55f..32ab139fa 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,5 @@ /inventory/* !/inventory/.gitkeep !/inventory/host_vars/.gitkeep +!/inventory/scripts /roles/*/files/scratchpad diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index c2834244e..017cb4eb3 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -25,6 +25,17 @@ Add this to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: matrix_jitsi_enabled: true ``` +## Securing your Jitsi instance with strong passwords + +Please use the bash script provided in this repo to generate strong passwords for your Jitsi instance. +Execute the following commands in your terminal from the root of this repo: +```bash +cd inventory/scripts +bash generate-jitsi-passwords.sh +``` + +The script will add the corresponding ansible variables and passwords generated with `openssl rand -hex 16` to the bottom of your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration. + ## (Optional) configure internal Jitsi authentication and guests mode By default the Jitsi Meet instance does not require any kind of login and is open to use for anyone without registration. diff --git a/inventory/scripts/generate-jitsi-passwords.sh b/inventory/scripts/generate-jitsi-passwords.sh new file mode 100755 index 000000000..2f0cb00c6 --- /dev/null +++ b/inventory/scripts/generate-jitsi-passwords.sh 
@@ -0,0 +1,50 @@ +#!/usr/bin/env bash +# This is a bash script for generating strong passwords for the Jitsi role in this ansible project: +# https://github.com/spantaleev/matrix-docker-ansible-deploy + +# This script assumes that you followed the documentation at https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook.md and created a folder in the source code's directory like this: 'mkdir inventory/host_vars/matrix.' +# it will put the generated passwords for Jitsi at the end of the vars.yml file in that directory + +function generatePassword() { + openssl rand -hex 16 +} + +# helper function to get the matrix domain in the host_vars directory +function get_domain_dir() { + counter=0 + + for f in *; do + counter=$(( counter + 1 )) + if [ ! -d "$f" ]; then + echo "Error: could not find directory 'matrix.your.domain'" + echo "Did you create it already? Please first setup your matrix homeserver before running this script." + echo "You should start here: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/prerequisites.md" + exit 1 + elif [[ "$counter" -gt 1 ]]; then + echo "Error: multiple directories found in ../host_vars/. Only one directory like 'matrix.your.domain' expected." + echo "Please make sure there is only one directory holding your vars.yml for this ansible playbook." + echo "Cannot continue script, exiting." 
+ exit 1 + fi + + # Will not set domain if zero or multiple directories are detected + domain=$f + done +} + +cd ../host_vars +get_domain_dir + +JICOFO_COMPONENT_SECRET=`generatePassword` +JICOFO_AUTH_PASSWORD=`generatePassword` +JVB_AUTH_PASSWORD=`generatePassword` +JIBRI_RECORDER_PASSWORD=`generatePassword` +JIBRI_XMPP_PASSWORD=`generatePassword` + +echo "" >> ../host_vars/${domain}/vars.yml +echo "Jitsi passwords generated by inventory/scripts/gen-passwords.sh" >> ../host_vars/${domain}/vars.yml +echo "matrix_jitsi_jicofo_component_secret: $JICOFO_COMPONENT_SECRET" >> ../host_vars/${domain}/vars.yml +echo "matrix_jitsi_jicofo_auth_password: $JICOFO_AUTH_PASSWORD" >> ../host_vars/${domain}/vars.yml +echo "matrix_jitsi_jvb_auth_password: $JVB_AUTH_PASSWORD" >> ../host_vars/${domain}/vars.yml +echo "matrix_jitsi_jibri_recorder_password: $JIBRI_RECORDER_PASSWORD" >> ../host_vars/${domain}/vars.yml +echo "matrix_jitsi_jibri_xmpp_password: $JIBRI_XMPP_PASSWORD" >> ../host_vars/${domain}/vars.yml diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 1fed1744e..55f826773 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml @@ -28,7 +28,7 @@ matrix_jitsi_jibri_recorder_user: recorder matrix_jitsi_jibri_recorder_password: recorder-password -matrix_jitsi_web_docker_image: "jitsi/web:4101" +matrix_jitsi_web_docker_image: "jitsi/web:4384" matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}" matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web" 
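Review bot: The marker line this script appends, `echo "Jitsi passwords generated by inventory/scripts/gen-passwords.sh" >> ../host_vars/${domain}/vars.yml`, has no leading `#`, so it lands in vars.yml as a bare plain scalar directly in front of the mapping keys that follow, which YAML parsers reject on the next playbook run; it also names the script `gen-passwords.sh` while the file added here is `generate-jitsi-passwords.sh`. Prefix it as a comment: `echo "# Jitsi passwords generated by inventory/scripts/generate-jitsi-passwords.sh" >> ../host_vars/${domain}/vars.yml`. Separately, `cd ../host_vars` is unchecked and the script has no `set -e`, so when it is started from any directory other than `inventory/scripts` the `for f in *` loop in `get_domain_dir` inspects the wrong directory and `domain` is set from whatever happens to be there; `cd ../host_vars || exit 1` (or `set -euo pipefail` after the shebang) closes that. The generated secrets are written in plaintext to vars.yml, which the `.gitignore` hunk in this same commit keeps out of the repository through the existing `/inventory/*` entry; worth a comment in the script so that dependency is not lost if the ignore rules change.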
@@ -73,7 +73,7 @@ matrix_jitsi_web_interface_config_show_powered_by: false matrix_jitsi_web_interface_config_disable_transcription_subtitles: false matrix_jisti_web_interface_config_show_deep_linking_image: false -matrix_jitsi_prosody_docker_image: "jitsi/prosody:4101" +matrix_jitsi_prosody_docker_image: "jitsi/prosody:4384" matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}" matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody" @@ -86,7 +86,7 @@ matrix_jitsi_prosody_container_extra_arguments: [] matrix_jitsi_prosody_systemd_required_services_list: ['docker.service'] -matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:4101" +matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:4384" matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}" matrix_jitsi_jicofo_base_path: "{{ matrix_base_data_path }}/jitsi/jicofo" @@ -103,7 +103,7 @@ matrix_jitsi_jicofo_auth_user: focus matrix_jitsi_jicofo_auth_password: passw0rd -matrix_jitsi_jvb_docker_image: "jitsi/jvb:4101" +matrix_jitsi_jvb_docker_image: "jitsi/jvb:4384" matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}" matrix_jitsi_jvb_base_path: "{{ matrix_base_data_path }}/jitsi/jvb" From 6a9eb89ea6ac5ce59bcdd023884fd8bdb782006f Mon Sep 17 00:00:00 2001 From: teutat3s <10206665+teutat3s@users.noreply.github.com> Date: Wed, 8 Apr 2020 02:04:59 +0200 Subject: [PATCH 46/87] fix whitespace --- inventory/scripts/generate-jitsi-passwords.sh | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/inventory/scripts/generate-jitsi-passwords.sh b/inventory/scripts/generate-jitsi-passwords.sh index 2f0cb00c6..244d977f7 100755 --- a/inventory/scripts/generate-jitsi-passwords.sh +++ b/inventory/scripts/generate-jitsi-passwords.sh 
@@ -12,21 +12,21 @@ function generatePassword() { # helper function to get the matrix domain in the host_vars directory function get_domain_dir() { counter=0 - + for f in *; do counter=$(( counter + 1 )) if [ ! -d "$f" ]; then - echo "Error: could not find directory 'matrix.your.domain'" - echo "Did you create it already? Please first setup your matrix homeserver before running this script." - echo "You should start here: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/prerequisites.md" - exit 1 - elif [[ "$counter" -gt 1 ]]; then - echo "Error: multiple directories found in ../host_vars/. Only one directory like 'matrix.your.domain' expected." - echo "Please make sure there is only one directory holding your vars.yml for this ansible playbook." - echo "Cannot continue script, exiting." - exit 1 - fi - + echo "Error: could not find directory 'matrix.your.domain'" + echo "Did you create it already? Please first setup your matrix homeserver before running this script." + echo "You should start here: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/prerequisites.md" + exit 1 + elif [[ "$counter" -gt 1 ]]; then + echo "Error: multiple directories found in ../host_vars/. Only one directory like 'matrix.your.domain' expected." + echo "Please make sure there is only one directory holding your vars.yml for this ansible playbook." + echo "Cannot continue script, exiting." + exit 1 + fi + # Will not set domain if zero or multiple directories are detected domain=$f done From f798605836e46cc73daa8da937a7ea46d7778087 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Wed, 8 Apr 2020 09:37:54 +0300 Subject: [PATCH 47/87] Undefine Jitsi secrets and require their (re-)definition --- docs/configuring-playbook-jitsi.md | 24 ++++++++++++++++---- roles/matrix-jitsi/defaults/main.yml | 10 ++++---- roles/matrix-jitsi/tasks/main.yml | 6 +++++ roles/matrix-jitsi/tasks/validate_config.yml | 21 +++++++++++++++++ 4 files changed, 51 insertions(+), 10 deletions(-) create mode 100644 roles/matrix-jitsi/tasks/validate_config.yml diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index 017cb4eb3..028d2b152 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -66,11 +66,7 @@ docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua reg Run this command for each user you would like to create, replacing `` and `` accordingly. After you've finished, please exit the host. -**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. The playbook can't yet rebuild all configuration files for some Jitsi services (like `matrix-jitsi-prosody`), which may cause such an error. **If you encounter this error**, we encourage you to: -- stop all Jitsi services (`systemctl stop matrix-jitsi-*`) -- remove the Jitsi Prosody configuration & data (`rm -rf /matrix/jitsi/prosody`) -- rebuild Jitsi configuration and restart services (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-jitsi,start`) -- try the previously-failing command once again +**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation). ## Usage 
@@ -78,3 +74,21 @@ Run this command for each user you would like to create, replacing `` You can use the self-hosted Jitsi server through Riot, through an Integration Manager like [Dimension](docs/configuring-playbook-dimension.md) or directly at `https://jitsi.DOMAIN`. To use it via riot-web (the one configured by the playbook at `https://riot.DOMAIN`), just start a voice or a video call in a room containing more than 2 members and that would create a Jitsi widget which utilizes your self-hosted Jitsi server. + + +## Troubleshooting + +### Rebuilding your Jitsi installation + +**If you ever run into any trouble** or **if you change configuration (`matrix_jitsi_*` variables) too much**, we urge you to rebuild your Jitsi setup. + +We normally don't require such manual intervention for other services, for Jitsi services generate a lot of configuration files on their own. + +These files are not all managed by Ansible (at least not yet), so you may sometimes need to delete them all and start fresh. + +To rebuild your Jitsi configuration: + +- SSH into the server and do this: + - stop all Jitsi services (`systemctl stop matrix-jitsi-*`). + - remove all Jitsi configuration & data (`rm -rf /matrix/jitsi`) +- ask Ansible to set up Jitsi anew and restart services (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-jitsi,start`) diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 55f826773..83511c4c5 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml 
@@ -23,9 +23,9 @@ matrix_jitsi_recorder_domain: recorder.meet.jitsi matrix_jitsi_jibri_brewery_muc: jibribrewery matrix_jitsi_jibri_pending_timeout: 90 matrix_jitsi_jibri_xmpp_user: jibri -matrix_jitsi_jibri_xmpp_password: jibri-password +matrix_jitsi_jibri_xmpp_password: '' matrix_jitsi_jibri_recorder_user: recorder -matrix_jitsi_jibri_recorder_password: recorder-password +matrix_jitsi_jibri_recorder_password: '' matrix_jitsi_web_docker_image: "jitsi/web:4384" @@ -98,9 +98,9 @@ matrix_jitsi_jicofo_container_extra_arguments: [] # List of systemd services that matrix-jitsi-jicofo.service depends on matrix_jitsi_jicofo_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service'] -matrix_jitsi_jicofo_component_secret: s3cr37 +matrix_jitsi_jicofo_component_secret: '' matrix_jitsi_jicofo_auth_user: focus -matrix_jitsi_jicofo_auth_password: passw0rd +matrix_jitsi_jicofo_auth_password: '' matrix_jitsi_jvb_docker_image: "jitsi/jvb:4384" @@ -116,7 +116,7 @@ matrix_jitsi_jvb_container_extra_arguments: [] matrix_jitsi_jvb_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service'] matrix_jitsi_jvb_auth_user: jvb -matrix_jitsi_jvb_auth_password: passw0rd +matrix_jitsi_jvb_auth_password: '' # STUN servers used by JVB on the server-side, so it can discover its own external IP address. # Pointing this to a STUN server running on the same Docker network may lead to incorrect IP address discovery. diff --git a/roles/matrix-jitsi/tasks/main.yml b/roles/matrix-jitsi/tasks/main.yml index 2bc4a57ff..e4f3508f3 100644 --- a/roles/matrix-jitsi/tasks/main.yml +++ b/roles/matrix-jitsi/tasks/main.yml @@ -2,6 +2,12 @@ tags: - always +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_jitsi_enabled|bool" + tags: + - setup-all + - setup-jitsi + - import_tasks: "{{ role_path }}/tasks/setup_jitsi_base.yml" when: run_setup|bool tags: 
diff --git a/roles/matrix-jitsi/tasks/validate_config.yml b/roles/matrix-jitsi/tasks/validate_config.yml
new file mode 100644
index 000000000..ea92c914d
--- /dev/null
+++ b/roles/matrix-jitsi/tasks/validate_config.yml
@@ -0,0 +1,21 @@
+---
+
+- name: Fail if required Jitsi settings not defined
+ fail:
+ msg: >-
+ You need to define a required configuration setting (`{{ item }}`) for using Jitsi.
+
+ If you're setting up Jitsi for the first time, you may have missed a step.
+ Refer to our setup instructions (docs/configuring-playbook-jitsi.md).
+
+ If you had setup Jitsi successfully before and it's just now that you're observing this failure,
+ it means that your installation may be using some default passwords that the playbook used to define until now.
+ This is not secure and we urge you to rebuild your Jitsi setup.
+ Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md).
+ when: "vars[item] == ''"
+ with_items:
+ - "matrix_jitsi_jibri_xmpp_password"
+ - "matrix_jitsi_jibri_recorder_password"
+ - "matrix_jitsi_jicofo_component_secret"
+ - "matrix_jitsi_jicofo_auth_password"
+ - "matrix_jitsi_jvb_auth_password"
From 976ccf3880561346853c7cd9292f8b19b9a64a14 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Apr 2020 09:39:38 +0300 Subject: [PATCH 48/87] Fix typo --- docs/configuring-playbook-jitsi.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md
index 028d2b152..c7245e923 100644
--- a/docs/configuring-playbook-jitsi.md
+++ b/docs/configuring-playbook-jitsi.md
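Review bot: `when: "vars[item] == ''"` only rejects the exact empty-string default set in defaults/main.yml; a user who writes the key with no value (`matrix_jitsi_jvb_auth_password:`) or as `~` gets `None`, passes this check, and the secret is then rendered as the literal text `None` wherever the templates use it. Normalising before the comparison catches both forms: `when: "(vars[item] | default('', true) | string | trim) == ''"`. The commit message's other concern, installations still carrying the previously hard-coded defaults, is not covered either: a vars.yml that explicitly contains the old `passw0rd`, `s3cr37`, `jibri-password` or `recorder-password` values passes, so the "This is not secure" paragraph of the message never fires for exactly the people it was written for; a second `fail` task looping over that list of known defaults would make it effective. As a point of style, `with_items` could be `loop`, the form current Ansible documents, though that is cosmetic.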
@@ -82,7 +82,7 @@ To use it via riot-web (the one configured by the playbook at `https://riot.DOMA **If you ever run into any trouble** or **if you change configuration (`matrix_jitsi_*` variables) too much**, we urge you to rebuild your Jitsi setup. -We normally don't require such manual intervention for other services, for Jitsi services generate a lot of configuration files on their own. +We normally don't require such manual intervention for other services, but Jitsi services generate a lot of configuration files on their own. These files are not all managed by Ansible (at least not yet), so you may sometimes need to delete them all and start fresh. From b181f0268072a80b541e1e519c32c2def730dc5c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Apr 2020 09:55:44 +0300 Subject: [PATCH 49/87] Use dollar sign instead of backtick Co-Authored-By: Sandro --- inventory/scripts/generate-jitsi-passwords.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/inventory/scripts/generate-jitsi-passwords.sh b/inventory/scripts/generate-jitsi-passwords.sh index 244d977f7..ae6d471a8 100755 --- a/inventory/scripts/generate-jitsi-passwords.sh +++ b/inventory/scripts/generate-jitsi-passwords.sh @@ -35,11 +35,11 @@ function get_domain_dir() { cd ../host_vars get_domain_dir -JICOFO_COMPONENT_SECRET=`generatePassword` -JICOFO_AUTH_PASSWORD=`generatePassword` -JVB_AUTH_PASSWORD=`generatePassword` -JIBRI_RECORDER_PASSWORD=`generatePassword` -JIBRI_XMPP_PASSWORD=`generatePassword` +JICOFO_COMPONENT_SECRET=$(generatePassword) +JICOFO_AUTH_PASSWORD=$(generatePassword) +JVB_AUTH_PASSWORD=$(generatePassword) +JIBRI_RECORDER_PASSWORD=$(generatePassword) +JIBRI_XMPP_PASSWORD=$(generatePassword) echo "" >> ../host_vars/${domain}/vars.yml echo "Jitsi passwords generated by inventory/scripts/gen-passwords.sh" >> ../host_vars/${domain}/vars.yml From 1b27e0f812c652eb91504c3d8af24264b10039ce Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Wed, 8 Apr 2020 10:05:10 +0300 Subject: [PATCH 50/87] Make generate-jitsi-passwords.sh less magical --- docs/configuring-playbook-jitsi.md | 16 +++---- inventory/scripts/generate-jitsi-passwords.sh | 44 +++++-------------- 2 files changed, 17 insertions(+), 43 deletions(-) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index c7245e923..1a3f10c7c 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -23,18 +23,16 @@ Add this to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: ```yaml matrix_jitsi_enabled: true -``` - -## Securing your Jitsi instance with strong passwords -Please use the bash script provided in this repo to generate strong passwords for your Jitsi instance. -Execute the following commands in your terminal from the root of this repo: -```bash -cd inventory/scripts -bash generate-jitsi-passwords.sh +# Run `bash inventory/scripts/generate-jitsi-passwords.sh` to generate these passwords, +# or define your own strong passwords manually. +matrix_jitsi_jicofo_component_secret: "" +matrix_jitsi_jicofo_auth_password: "" +matrix_jitsi_jvb_auth_password: "" +matrix_jitsi_jibri_recorder_password: "" +matrix_jitsi_jibri_xmpp_password: "" ``` -The script will add the corresponding ansible variables and passwords generated with `openssl rand -hex 16` to the bottom of your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration. ## (Optional) configure internal Jitsi authentication and guests mode diff --git a/inventory/scripts/generate-jitsi-passwords.sh b/inventory/scripts/generate-jitsi-passwords.sh index ae6d471a8..eacfa7d88 100755 --- a/inventory/scripts/generate-jitsi-passwords.sh +++ b/inventory/scripts/generate-jitsi-passwords.sh 
@@ -2,38 +2,14 @@
 # This is a bash script for generating strong passwords for the Jitsi role in this ansible project:
 # https://github.com/spantaleev/matrix-docker-ansible-deploy
 
-# This script assumes that you followed the documentation at https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook.md and created a folder in the source code's directory like this: 'mkdir inventory/host_vars/matrix.'
-# it will put the generated passwords for Jitsi at the end of the vars.yml file in that directory
-
 function generatePassword() {
 openssl rand -hex 16
 }
 
-# helper function to get the matrix domain in the host_vars directory
-function get_domain_dir() {
- counter=0
-
- for f in *; do
- counter=$(( counter + 1 ))
- if [ ! -d "$f" ]; then
- echo "Error: could not find directory 'matrix.your.domain'"
- echo "Did you create it already? Please first setup your matrix homeserver before running this script."
- echo "You should start here: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/prerequisites.md"
- exit 1
- elif [[ "$counter" -gt 1 ]]; then
- echo "Error: multiple directories found in ../host_vars/. Only one directory like 'matrix.your.domain' expected."
- echo "Please make sure there is only one directory holding your vars.yml for this ansible playbook."
- echo "Cannot continue script, exiting."
- exit 1
- fi
-
- # Will not set domain if zero or multiple directories are detected
- domain=$f
- done
-}
+echo "# If this script fails, it's likely because you don't have the openssl tool installed."
+echo "# Install it before using this script, or simply create your own passwords manually."
 
-cd ../host_vars
-get_domain_dir
+echo ""
 
 JICOFO_COMPONENT_SECRET=$(generatePassword)
 JICOFO_AUTH_PASSWORD=$(generatePassword)
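Review bot: The two new `echo "# If this script fails ..."` lines warn about a missing `openssl`, but nothing detects it: `generatePassword` runs `openssl rand -hex 16` with no `set -e`, so on a host without openssl each `$(generatePassword)` expands to an empty string and the script exits 0 after printing keys with empty values, which pasted into vars.yml become `null` values that the `vars[item] == ''` check added to validate_config.yml earlier in this series does not reject. Probe for the tool before the first use, e.g. `command -v openssl >/dev/null 2>&1 || { echo "openssl not found; install it or create the passwords manually" >&2; exit 1; }`, and put `set -euo pipefail` after the shebang so an unexpected failure cannot produce half-empty output. With that probe in place the two explanatory `echo` lines become unnecessary on the success path and can move into the error branch. The script's remaining lines are in the next hunk.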
@@ -41,10 +17,10 @@ JVB_AUTH_PASSWORD=$(generatePassword) JIBRI_RECORDER_PASSWORD=$(generatePassword) JIBRI_XMPP_PASSWORD=$(generatePassword) -echo "" >> ../host_vars/${domain}/vars.yml -echo "Jitsi passwords generated by inventory/scripts/gen-passwords.sh" >> ../host_vars/${domain}/vars.yml -echo "matrix_jitsi_jicofo_component_secret: $JICOFO_COMPONENT_SECRET" >> ../host_vars/${domain}/vars.yml -echo "matrix_jitsi_jicofo_auth_password: $JICOFO_AUTH_PASSWORD" >> ../host_vars/${domain}/vars.yml -echo "matrix_jitsi_jvb_auth_password: $JVB_AUTH_PASSWORD" >> ../host_vars/${domain}/vars.yml -echo "matrix_jitsi_jibri_recorder_password: $JIBRI_RECORDER_PASSWORD" >> ../host_vars/${domain}/vars.yml -echo "matrix_jitsi_jibri_xmpp_password: $JIBRI_XMPP_PASSWORD" >> ../host_vars/${domain}/vars.yml +echo "# Paste these variables into your inventory/host_vars/matrix.DOMAIN/vars.yml file:" +echo "" +echo "matrix_jitsi_jicofo_component_secret: "$JICOFO_COMPONENT_SECRET +echo "matrix_jitsi_jicofo_auth_password: "$JICOFO_AUTH_PASSWORD +echo "matrix_jitsi_jvb_auth_password: "$JVB_AUTH_PASSWORD +echo "matrix_jitsi_jibri_recorder_password: "$JIBRI_RECORDER_PASSWORD +echo "matrix_jitsi_jibri_xmpp_password: "$JIBRI_XMPP_PASSWORD From dcce276b8696fda1460bffbb6040a365eaf19bc6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Apr 2020 10:05:43 +0300 Subject: [PATCH 51/87] Rename script file --- docs/configuring-playbook-jitsi.md | 2 +- ...{generate-jitsi-passwords.sh => jitsi-generate-passwords.sh} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename inventory/scripts/{generate-jitsi-passwords.sh => jitsi-generate-passwords.sh} (100%) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index 1a3f10c7c..d6ff1c8a4 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md 
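Review bot: Each new output line leaves the expansion outside the quotes, `echo "matrix_jitsi_jicofo_component_secret: "$JICOFO_COMPONENT_SECRET`; with `openssl rand -hex` output this is harmless, but the conventional and word-splitting-safe form is `echo "matrix_jitsi_jicofo_component_secret: $JICOFO_COMPONENT_SECRET"`, and the same applies to the other four lines. The script also hard-codes the destination path in the comment `# Paste these variables into your inventory/host_vars/matrix.DOMAIN/vars.yml file:`, which is fine as guidance but worth keeping in sync with the docs hunk in this same commit if either path changes.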
@@ -24,7 +24,7 @@ Add this to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: ```yaml matrix_jitsi_enabled: true -# Run `bash inventory/scripts/generate-jitsi-passwords.sh` to generate these passwords, +# Run `bash inventory/scripts/jitsi-generate-passwords.sh` to generate these passwords, # or define your own strong passwords manually. matrix_jitsi_jicofo_component_secret: "" matrix_jitsi_jicofo_auth_password: "" diff --git a/inventory/scripts/generate-jitsi-passwords.sh b/inventory/scripts/jitsi-generate-passwords.sh similarity index 100% rename from inventory/scripts/generate-jitsi-passwords.sh rename to inventory/scripts/jitsi-generate-passwords.sh From 14786071afaf55ac56aecb2c2a33071af70da62c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Apr 2020 10:23:51 +0300 Subject: [PATCH 52/87] Pass JVB_AUTH_PASSWORD environment variable to make JVB startup happy We define this password in the `sip-communicator.properties` configuration file, so this is not needed for actually running JVB. However, it does a (useless) safety check during container startup, and we need to make that check happy. --- roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml | 7 +++++++ roles/matrix-jitsi/templates/jvb/env.j2 | 1 + .../matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 | 1 + 3 files changed, 9 insertions(+) create mode 100644 roles/matrix-jitsi/templates/jvb/env.j2 diff --git a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml index e4d652eda..f442fc6e7 100644 --- a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml +++ b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml 
@@ -34,6 +34,13 @@ - logging.properties when: matrix_jitsi_enabled|bool +- name: Ensure jitsi-jvb environment variables file created + template: + src: "{{ role_path }}/templates/jvb/env.j2" + dest: "{{ matrix_jitsi_jvb_base_path }}/env" + mode: 0640 + when: matrix_jitsi_enabled|bool + - name: Ensure matrix-jitsi-jvb.service installed template: src: "{{ role_path }}/templates/jvb/matrix-jitsi-jvb.service.j2" diff --git a/roles/matrix-jitsi/templates/jvb/env.j2 b/roles/matrix-jitsi/templates/jvb/env.j2 new file mode 100644 index 000000000..423070dbd --- /dev/null +++ b/roles/matrix-jitsi/templates/jvb/env.j2 @@ -0,0 +1 @@ +JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }} diff --git a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 index 03aef079e..5df5807a7 100644 --- a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 +++ b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2 @@ -14,6 +14,7 @@ ExecStartPre=-/usr/bin/docker rm matrix-jitsi-jvb ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-jvb \ --log-driver=none \ --network={{ matrix_docker_network }} \ + --env-file={{ matrix_jitsi_jvb_base_path }}/env \ {% if matrix_jitsi_jvb_container_rtp_udp_host_bind_port %} -p {{ matrix_jitsi_jvb_container_rtp_udp_host_bind_port }}:{{ matrix_jitsi_jvb_rtp_udp_port }}/udp \ {% endif %} From 25d51d3de3eacebd8ce61ffedc7fd967f1a11cf1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Apr 2020 16:46:41 +0300 Subject: [PATCH 53/87] Fix typo --- docs/self-building.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/self-building.md b/docs/self-building.md index 6b9a46d49..bef358521 100644 --- a/docs/self-building.md +++ b/docs/self-building.md 
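Review bot: The new `env` file carries `JVB_AUTH_PASSWORD`, and the template task sets `mode: 0640` as an unquoted scalar, which only yields the intended permission because PyYAML reads the leading-zero literal as octal; write `mode: "0640"` so it survives YAML 1.2 parsers and linters, which is also the form Ansible's own documentation recommends. The task sets no `owner`/`group`, unlike the other file tasks in this role set, so the file presumably stays owned by the account running the play; since it is consumed by `docker run --env-file` that is sufficient, but a one-line comment on the task such as `# Left root-owned on purpose: only the docker daemon reads this file via --env-file` would spare the next reader the question.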
@@ -4,7 +4,7 @@ The playbook supports the self-building of some of its components. This may be u To use these modification there is a variable that needs to be switched to enable this functionality. Add this to your `vars.yaml` file: ```yaml -matrix_container_images_self_build = true +matrix_container_images_self_build: true ``` Setting that variable will self-build every role which supports self-building. Self-building can be set on a per-role basis as well. From 61fffa169c63e042549b7ac99dda533945ca0d69 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 8 Apr 2020 19:08:15 +0300 Subject: [PATCH 54/87] Use Jitsi STUN servers instead of Google ones These are some new defaults that we switch to, to follow upstream changes: - https://github.com/jitsi/docker-jitsi-meet/commit/264df04 - https://github.com/jitsi/jitsi-meet/commit/3121494d4b149108bd94185e2a4b22b8eafdc794 --- group_vars/matrix_servers | 2 +- roles/matrix-jitsi/defaults/main.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index e9dbffb5a..ef753e17e 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -416,7 +416,7 @@ matrix_jitsi_web_stun_servers: | matrix_server_fqn_matrix + ':3478', ] if matrix_coturn_enabled - else [ 'stun.l.google.com:19302', 'stun1.l.google.com:19302', 'stun2.l.google.com:19302'] + else [ 'meet-jit-si-turnrelay.jitsi.net:443'] }} ###################################################################### diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml index 83511c4c5..44a279c78 100644 --- a/roles/matrix-jitsi/defaults/main.yml +++ b/roles/matrix-jitsi/defaults/main.yml 
@@ -38,7 +38,7 @@ matrix_jitsi_web_transcripts_path: "{{ matrix_jitsi_web_base_path }}/transcripts matrix_jitsi_web_public_url: "https://{{ matrix_server_fqn_jitsi }}" # STUN servers used in the web UI. Feel free to point them to your own STUN server. -matrix_jitsi_web_stun_servers: ['stun.l.google.com:19302', 'stun1.l.google.com:19302', 'stun2.l.google.com:19302'] +matrix_jitsi_web_stun_servers: ['meet-jit-si-turnrelay.jitsi.net:443'] # Controls whether the matrix-jitsi-web container exposes its HTTP port (tcp/80 in the container). # @@ -120,7 +120,7 @@ matrix_jitsi_jvb_auth_password: '' # STUN servers used by JVB on the server-side, so it can discover its own external IP address. # Pointing this to a STUN server running on the same Docker network may lead to incorrect IP address discovery. -matrix_jitsi_jvb_stun_servers: ['stun.l.google.com:19302', 'stun1.l.google.com:19302', 'stun2.l.google.com:19302'] +matrix_jitsi_jvb_stun_servers: ['meet-jit-si-turnrelay.jitsi.net:443'] matrix_jitsi_jvb_brewery_muc: jvbbrewery matrix_jitsi_jvb_rtp_udp_port: 10000 From 110720714756d39b6e72859eb4371fd81be2c8b9 Mon Sep 17 00:00:00 2001 
From: Rodrigo Belem Date: Mon, 16 Mar 2020 20:33:11 -0400 Subject: [PATCH 55/87] Initial mx-puppet-skype bridge role --- group_vars/matrix_servers | 29 +++ .../defaults/main.yml | 209 ++++++++++++++++++ .../tasks/init.yml | 23 ++ .../tasks/main.yml | 21 ++ .../tasks/setup_install.yml | 93 ++++++++ .../tasks/setup_uninstall.yml | 24 ++ .../tasks/validate_config.yml | 10 + .../systemd/matrix-mx-puppet-skype.service.j2 | 38 ++++ setup.yml | 1 + 9 files changed, 448 insertions(+) create mode 100644 roles/matrix-bridge-mx-puppet-skype/defaults/main.yml create mode 100644 roles/matrix-bridge-mx-puppet-skype/tasks/init.yml create mode 100644 roles/matrix-bridge-mx-puppet-skype/tasks/main.yml create mode 100644 roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml create mode 100644 roles/matrix-bridge-mx-puppet-skype/tasks/setup_uninstall.yml create mode 100644 roles/matrix-bridge-mx-puppet-skype/tasks/validate_config.yml create mode 100644 roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index ef753e17e..a1fb3740a 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -290,6 +290,35 @@ matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_pro ###################################################################### +###################################################################### +# +# matrix-bridge-mx-puppet-skype +# +###################################################################### + +# We don't enable bridges by default. +matrix_mx_puppet_skype_enabled: false + +matrix_mx_puppet_skype_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + }} + +matrix_mx_puppet_skype_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'whats.as.token') | to_uuid }}" + +matrix_mx_puppet_skype_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'whats.hs.token') | to_uuid }}" + +matrix_mx_puppet_skype_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" + +###################################################################### +# +# /matrix-bridge-mx-puppet-skype +# +###################################################################### + + ###################################################################### # # matrix-corporal diff --git a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml new file mode 100644 index 000000000..9eb2c9643 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml 
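Review bot: The salts in `password_hash('sha512', 'whats.as.token')` and `password_hash('sha512', 'whats.hs.token')` look copied from the WhatsApp bridge block that ends just above this hunk; if that bridge derives its tokens from the same `matrix_synapse_macaroon_secret_key` with the same salts, both appservices end up with identical `as_token`/`hs_token` values, and a token issued for one bridge authenticates as the other. Use bridge-specific salts, e.g. `matrix_mx_puppet_skype_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'skype.as.token') | to_uuid }}"` and `'skype.hs.token'` for the homeserver token, so each appservice's credentials stay distinct.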
@@ -0,0 +1,209 @@ +# Mx Puppet Skype is a Matrix <-> Skype bridge +# See: https://github.com/Sorunome/mx-puppet-skype + +matrix_mx_puppet_skype_enabled: true + +matrix_mx_puppet_skype_container_image_self_build: false + +matrix_mx_puppet_skype_docker_image: "sorunome/mx-puppet-skype:latest" +matrix_mx_puppet_skype_docker_image_force_pull: "{{ matrix_mx_puppet_skype_docker_image.endswith(':latest') }}" + +matrix_mx_puppet_skype_base_path: "{{ matrix_base_data_path }}/mx-puppet-skype" +matrix_mx_puppet_skype_config_path: "{{ matrix_mx_puppet_skype_base_path }}/data" +matrix_mx_puppet_skype_data_path: "{{ matrix_mx_puppet_skype_base_path }}/data" +matrix_mx_puppet_skype_docker_src_files_path: "{{ matrix_mx_puppet_skype_base_path }}/docker-src" + +matrix_mx_puppet_skype_appservice_port: "6000" + +matrix_mx_puppet_skype_homeserver_address: 'http://matrix-synapse:8008' +matrix_mx_puppet_skype_homeserver_domain: '{{ matrix_domain }}' +matrix_mx_puppet_skype_appservice_address: 'http://matrix-mx-puppet-skype:{{ matrix_mx_puppet_skype_appservice_port }}' + +# A list of extra arguments to pass to the container +matrix_mx_puppet_skype_container_extra_arguments: [] + +# List of systemd services that matrix-puppet-skype.service depends on. +matrix_mx_puppet_skype_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-puppet-skype.service wants +matrix_mx_puppet_skype_systemd_wanted_services_list: [] + +matrix_mx_puppet_skype_appservice_token: '' +matrix_mx_puppet_skype_homeserver_token: '' + +# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). +matrix_mx_puppet_skype_login_shared_secret: '' + +# Default configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. 
+# +# For a more advanced customization, you can extend the default (see `matrix_mx_puppet_skype_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_mx_puppet_skype_configuration_yaml: | + #jinja2: lstrip_blocks: "True" + bridge: + # Address for the bridge to bind to; if running as a Docker container, you + # probably want 0.0.0.0 here + bindAddress: 0.0.0.0 + # Port to host the bridge on which your homeserver will connect to + port: {{ matrix_mx_puppet_skype_appservice_port }} + # Name of your homeserver + domain: {{ matrix_mx_puppet_skype_homeserver_domain }} + # URL where the bridge can connect to your homeserver + homeserverUrl: {{ matrix_mx_puppet_skype_homeserver_address }} + # Optionally specify a different media URL used for the media store + mediaURL: https://{{ matrix_server_fqn_matrix }} + # This enabled automatic double-puppeting: + # A map for shared secrets of the homeserver URL to the shared secret + # See https://github.com/devture/matrix-synapse-shared-secret-auth + #loginSharedSecretMap: + # yourserver.com: supersecretsharedsecret + {% if matrix_mx_puppet_skype_login_shared_secret != '' %} + loginSharedSecretMap: + {{ matrix_mx_puppet_skype_homeserver_domain }}: {{ matrix_mx_puppet_skype_login_shared_secret }} + {% endif %} + # optionally override the display name of the bridge bot + #displayname: Protocol Bot + # optionally set the avatar of the bridge bot + #avatarUrl: mxc://yourserver.com/somefile + + logging: + # Log level of console output + # Allowed values starting with most verbose: + # silly, debug, verbose, info, warn, error + console: info + # Optionally, you can apply filters to the console logging + #console: + # level: info + # enabled: + # - Store + # disabled: + # - PresenceHandler + + # Date and time formatting + lineDateFormat: MMM-D HH:mm:ss.SSS + # Logging files + # Log files are rotated daily by default + files: + # Log file path + - file: "/data/bridge.log" + # Log level for 
this file + # Allowed values starting with most verbose: + # silly, debug, verbose, info, warn, error + level: info + # Date and time formatting + datePattern: YYYY-MM-DD + # Maximum number of logs to keep. + # This can be a number of files or number of days. + # If using days, add 'd' as a suffix + maxFiles: 14d + # Maximum size of the file after which it will rotate. This can be a + # number of bytes, or units of kb, mb, and gb. If using the units, add + # 'k', 'm', or 'g' as the suffix + maxSize: 50m + # Optionally enable/disable logging for certain modules + #disabled: + # - PresenceHandler + # - module: bot-sdk-MatrixLiteClient + # regex: /_matrix/client/r0/presence/ # this regex needs to match to disable the log + #enabled: + # - Store + + database: + # Use Postgres as a database backend + # If set, will be used instead of SQLite3 + # Connection string to connect to the Postgres instance + # with username "user", password "pass", host "localhost" and database name "dbname". + # Modify each value as necessary + #connString: "postgres://user:pass@localhost/dbname?sslmode=disable" + # Use SQLite3 as a database backend + # The name of the database file + filename: /data/database.db + + provisioning: + # Regex of Matrix IDs allowed to use the puppet bridge + whitelist: + # Allow a specific user + #- "@user:server\\.com" + # Allow users on a specific homeserver + - '@.*:{{ matrix_mx_puppet_skype_homeserver_domain | regex_escape }}' + # Allow anyone + #- ".*" + # Regex of Matrix IDs forbidden from using the puppet bridge + #blacklist: + # Disallow a specific user + #- "@user:server\\.com" + # Disallow users on a specific homeserver + #- "@.*:yourserver\\.com" + + presence: + # Bridge online/offline status + enabled: true + # How often to send status to the homeserver in milliseconds + interval: 500 + # if the im.vector.user_status state setting should be diabled + #disableStatusState: false + # A blacklist of remote user IDs for the im.vector.user_status state 
setting + #statusStateBlacklist: + # - baduser + + relay: + # Regex of Matrix IDs to allow to use the relay mode + # Same format as in provisioning + whitelist: + - '@.*:{{ matrix_mx_puppet_skype_homeserver_domain | regex_escape }}' + #blacklist: + #- "@user:yourserver\\.com" + + # Map certain homeserver URLs to the C-S API endpoint + # Useful for double-puppeting if .well-known is unavailable for some reason + #homeserverUrlMap: + # yourserver.com: http://localhost:1234 + + namePatterns: + # Override the protocols set default name patterns + # Which variables are available depends on protocol implementation + user: :name + room: :name + + limits: + # Up to how many users should be auto-joined on room creation? -1 to disable + # Defaults to 200 + maxAutojoinUsers: 200 + # How long the delay between two autojoin users should be, in millisectonds. + # Defaults to 5000 + roomUserAutojoinDelay: 5000 + +matrix_mx_puppet_skype_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_mx_puppet_skype_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_mx_puppet_skype_configuration_yaml`. + +matrix_mx_puppet_skype_configuration_extension: "{{ matrix_mx_puppet_skype_configuration_extension_yaml|from_yaml if matrix_mx_puppet_skype_configuration_extension_yaml|from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_mx_puppet_skype_configuration_yaml`. 
+matrix_mx_puppet_skype_configuration: "{{ matrix_mx_puppet_skype_configuration_yaml|from_yaml|combine(matrix_mx_puppet_skype_configuration_extension, recursive=True) }}" + +matrix_mx_puppet_skype_registration_yaml: | + as_token: "{{ matrix_mx_puppet_skype_appservice_token }}" + hs_token: "{{ matrix_mx_puppet_skype_homeserver_token }}" + id: skype-puppet + namespaces: + users: + - exclusive: true + regex: '@_skypepuppet_.*:{{ matrix_mx_puppet_skype_homeserver_domain|regex_escape }}' + rooms: [] + aliases: + - exclusive: true + regex: '#_skypepuppet_.*:{{ matrix_mx_puppet_skype_homeserver_domain|regex_escape }}' + protocols: [] + rate_limited: false + sender_localpart: _skypepuppet_bot + url: {{ matrix_mx_puppet_skype_appservice_address }} + +matrix_mx_puppet_skype_registration: "{{ matrix_mx_puppet_skype_registration_yaml|from_yaml }}" diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml new file mode 100644 index 000000000..099baa07b --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml 
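Review bot: `matrix_mx_puppet_skype_docker_image` defaults to `"sorunome/mx-puppet-skype:latest"` and `matrix_mx_puppet_skype_docker_image_force_pull` evaluates to true for a `:latest` tag, so every setup run may silently pull a different, unreviewed build of a component that holds the appservice tokens and the homeserver shared secret. Once upstream publishes a stable tag, pin it (`matrix_mx_puppet_skype_docker_image: "sorunome/mx-puppet-skype:<pinned-tag>"`) and let users opt back into `:latest`; until then a comment stating that tracking `latest` is deliberate would make the trade-off explicit. Separately, the comments `# List of systemd services that matrix-puppet-skype.service depends on.` and `# List of systemd services that matrix-puppet-skype.service wants` name a unit that does not exist; the template in this commit installs `matrix-mx-puppet-skype.service`, so the comments should use that name.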
@@ -0,0 +1,23 @@ +- set_fact: + matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-skype'] }}" + when: matrix_mx_puppet_skype_enabled|bool + +# If the matrix-synapse role is not used, these variables may not exist. +- set_fact: + matrix_synapse_container_extra_arguments: > + {{ matrix_synapse_container_extra_arguments|default([]) }} + + + ["--mount type=bind,src={{ matrix_mx_puppet_skype_config_path }}/skype-registration.yaml,dst=/matrix-mx-puppet-skype-registration.yaml,ro"] + + matrix_synapse_app_service_config_files: > + {{ matrix_synapse_app_service_config_files|default([]) }} + + + {{ ["/matrix-mx-puppet-skype-registration.yaml"] }} + when: matrix_mx_puppet_skype_enabled|bool + +# ansible lower than 2.8, does not support docker_image build parameters +# for self buildig it is explicitly needed, so we rather fail here +- name: Fail if running on Ansible lower than 2.8 and trying self building + fail: + msg: "To self build Puppet Skype image, you should usa ansible 2.8 or higher. E.g. pip contains such packages." + when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_skype_container_image_self_build" diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/main.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/main.yml new file mode 100644 index 000000000..01ddd7d87 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/main.yml 
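Review bot: The `fail` task's `when` omits `matrix_mx_puppet_skype_enabled|bool`, so a host with the bridge disabled but `matrix_mx_puppet_skype_container_image_self_build: true` aborts the whole run on Ansible < 2.8 even though nothing would be built, and because this file runs under `tags: always` it does so on every invocation; gate it like the two `set_fact` tasks above it: `when: "matrix_mx_puppet_skype_enabled|bool and ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_skype_container_image_self_build"`. The message also has a typo, `usa` → `use`.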
@@ -0,0 +1,21 @@ +- import_tasks: "{{ role_path }}/tasks/init.yml" + tags: + - always + +- import_tasks: "{{ role_path }}/tasks/validate_config.yml" + when: "run_setup|bool and matrix_mx_puppet_skype_enabled|bool" + tags: + - setup-all + - setup-mx-puppet-skype + +- import_tasks: "{{ role_path }}/tasks/setup_install.yml" + when: "run_setup|bool and matrix_mx_puppet_skype_enabled|bool" + tags: + - setup-all + - setup-mx-puppet-skype + +- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + when: "run_setup|bool and not matrix_mx_puppet_skype_enabled|bool" + tags: + - setup-all + - setup-mx-puppet-skype diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml new file mode 100644 index 000000000..46e37112c --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml 
@@ -0,0 +1,93 @@ +--- + +# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. +# We don't want to fail in such cases. +- name: Fail if matrix-synapse role already executed + fail: + msg: >- + The matrix-bridge-mx-puppet-skype role needs to execute before the matrix-synapse role. + when: "matrix_synapse_role_executed|default(False)" + +- name: Ensure MX Puppet Skype image is pulled + docker_image: + name: "{{ matrix_mx_puppet_skype_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_mx_puppet_skype_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_skype_docker_image_force_pull }}" + when: matrix_mx_puppet_skype_enabled|bool and not matrix_mx_puppet_skype_container_image_self_build + +- name: Ensure MX Puppet Skype paths exist + file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + with_items: + - { path: "{{ matrix_mx_puppet_skype_base_path }}", when: true } + - { path: "{{ matrix_mx_puppet_skype_config_path }}", when: true } + - { path: "{{ matrix_mx_puppet_skype_data_path }}", when: true } + - { path: "{{ matrix_mx_puppet_skype_docker_src_files_path }}", when: "{{ matrix_mx_puppet_skype_container_image_self_build }}" } + when: matrix_mx_puppet_skype_enabled|bool and item.when|bool + +- name: Ensure MX Puppet Skype repository is present on self build + git: + repo: https://github.com/Sorunome/mx-puppet-skype.git + dest: "{{ matrix_mx_puppet_skype_docker_src_files_path }}" + force: "yes" + when: "matrix_mx_puppet_skype_enabled|bool and matrix_mx_puppet_skype_container_image_self_build" + +- name: Ensure MX Puppet Skype Docker image is built + docker_image: + name: "{{ matrix_mx_puppet_skype_docker_image }}" + source: 
build + build: + dockerfile: Dockerfile + path: "{{ matrix_mx_puppet_skype_docker_src_files_path }}" + pull: yes + when: "matrix_mx_puppet_skype_enabled|bool and matrix_mx_puppet_skype_container_image_self_build" + +- name: Check if an old database file already exists + stat: + path: "{{ matrix_mx_puppet_skype_base_path }}/database.db" + register: matrix_mx_puppet_skype_stat_database + +- name: (Data relocation) Ensure matrix-mx-puppet-skype.service is stopped + service: + name: matrix-mx-puppet-skype + state: stopped + daemon_reload: yes + failed_when: false + when: "matrix_mx_puppet_skype_stat_database.stat.exists" + +- name: (Data relocation) Move mx-puppet-skype database file to ./data directory + command: "mv {{ matrix_mx_puppet_skype_base_path }}/database.db {{ matrix_mx_puppet_skype_data_path }}/database.db" + when: "matrix_mx_puppet_skype_stat_database.stat.exists" + +- name: Ensure mx-puppet-skype config.yaml installed + copy: + content: "{{ matrix_mx_puppet_skype_configuration|to_nice_yaml }}" + dest: "{{ matrix_mx_puppet_skype_config_path }}/config.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + +- name: Ensure mx-puppet-skype skype-registration.yaml installed + copy: + content: "{{ matrix_mx_puppet_skype_registration|to_nice_yaml }}" + dest: "{{ matrix_mx_puppet_skype_config_path }}/skype-registration.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_username }}" + +- name: Ensure matrix-mx-puppet-skype.service installed + template: + src: "{{ role_path }}/templates/systemd/matrix-mx-puppet-skype.service.j2" + dest: "/etc/systemd/system/matrix-mx-puppet-skype.service" + mode: 0644 + register: matrix_mx_puppet_skype_systemd_service_result + +- name: Ensure systemd reloaded after matrix-mx-puppet-skype.service installation + service: + daemon_reload: yes + when: "matrix_mx_puppet_skype_systemd_service_result.changed" 
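Review bot: `config.yaml` and `skype-registration.yaml` are installed with `mode: 0644` although the first carries `loginSharedSecretMap` (the homeserver shared secret) and the second the `as_token`/`hs_token`; both files are owned by `matrix_user_username` and the service unit in this commit runs the container as `matrix_user_uid`, so `mode: 0640` on both `copy` tasks is enough for the bridge and stops other local accounts from reading the credentials (quote it, `mode: "0640"`, for YAML 1.2 safety). The self-build path clones `https://github.com/Sorunome/mx-puppet-skype.git` with `force: "yes"` and no `version:`, so each run builds whatever the default branch holds at that moment; adding `version: "<reviewed-tag-or-commit>"` keeps the build reproducible. `pull: yes` in the `docker_image` build block should be `pull: true` to match the `true`/`false` booleans used elsewhere in these tasks.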
diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_uninstall.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_uninstall.yml new file mode 100644 index 000000000..72b3a945a --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_uninstall.yml @@ -0,0 +1,24 @@ +--- + +- name: Check existence of matrix-mx-puppet-skype service + stat: + path: "/etc/systemd/system/matrix-mx-puppet-skype.service" + register: matrix_mx_puppet_skype_service_stat + +- name: Ensure matrix-mx-puppet-skype is stopped + service: + name: matrix-mx-puppet-skype + state: stopped + daemon_reload: yes + when: "matrix_mx_puppet_skype_service_stat.stat.exists" + +- name: Ensure matrix-mx-puppet-skype.service doesn't exist + file: + path: "/etc/systemd/system/matrix-mx-puppet-skype.service" + state: absent + when: "matrix_mx_puppet_skype_service_stat.stat.exists" + +- name: Ensure systemd reloaded after matrix-mx-puppet-skype.service removal + service: + daemon_reload: yes + when: "matrix_mx_puppet_skype_service_stat.stat.exists" diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/validate_config.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/validate_config.yml new file mode 100644 index 000000000..7ed433b12 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/validate_config.yml @@ -0,0 +1,10 @@ +--- + +- name: Fail if required settings not defined + fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "vars[item] == ''" + with_items: + - "matrix_mx_puppet_skype_appservice_token" + - "matrix_mx_puppet_skype_homeserver_token" diff --git a/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 new file mode 100644 index 000000000..de0c9d204 --- /dev/null +++ b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 
@@ -0,0 +1,38 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Mx Puppet Skype server +{% for service in matrix_mx_puppet_skype_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_mx_puppet_skype_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} + +[Service] +Type=simple +ExecStartPre=-/usr/bin/docker kill matrix-mx-puppet-skype +ExecStartPre=-/usr/bin/docker rm matrix-mx-puppet-skype + +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre=/bin/sleep 5 + +ExecStart=/usr/bin/docker run --rm --name matrix-mx-puppet-skype \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --network={{ matrix_docker_network }} \ + -v {{ matrix_mx_puppet_skype_data_path }}:/data:z \ + {% for arg in matrix_mx_puppet_skype_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_mx_puppet_skype_docker_image }} + +ExecStop=-/usr/bin/docker kill matrix-mx-puppet-skype +ExecStop=-/usr/bin/docker rm matrix-mx-puppet-skype +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-mx-puppet-skype + +[Install] +WantedBy=multi-user.target diff --git a/setup.yml b/setup.yml index 5baee8f35..bca4b240f 100755 --- a/setup.yml +++ b/setup.yml @@ -16,6 +16,7 @@ - matrix-bridge-mautrix-hangouts - matrix-bridge-mautrix-telegram - matrix-bridge-mautrix-whatsapp + - matrix-bridge-mx-puppet-skype - matrix-synapse - matrix-riot-web - matrix-jitsi From 53f893b77e7ab5d31413a85ff76d52a8575b6184 Mon Sep 17 00:00:00 2001 From: Rodrigo Belem Date: Wed, 8 Apr 2020 13:18:02 -0400 Subject: [PATCH 56/87] Add documentations for the mx-puppet-skype bridge --- ...iguring-playbook-bridge-mx-bridge-skype.md | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 docs/configuring-playbook-bridge-mx-bridge-skype.md 
diff --git a/docs/configuring-playbook-bridge-mx-bridge-skype.md b/docs/configuring-playbook-bridge-mx-bridge-skype.md new file mode 100644 index 000000000..f39ce51e6 --- /dev/null +++ b/docs/configuring-playbook-bridge-mx-bridge-skype.md @@ -0,0 +1,32 @@ +# Setting up MX Puppet Skype (optional) + +The playbook can install and configure +[mx-puppet-skype](https://github.com/Sorunome/mx-puppet-skype) for you. + +See the project's +[documentation](https://github.com/tulir/mautrix-hangouts/wiki#usage) to learn +what it does and why it might be useful to you. + +To enable the [Skype](https://www.skype.com/) bridge just use the following +playbook configuration: + + +```yaml +matrix_mx_puppet_skype_enabled: true +``` + + +## Usage + +Once the bot is enabled you need to start a chat with `Skype Puppet Bridge` with +the handle `@_skypepuppet_bot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base +domain, not the `matrix.` domain). + +Send `link ` to the bridge bot to link your skype account. + +Once logged in, send `list` to the bot user to list the available rooms. + +Clicking rooms in the list will result in you receiving an invitation to the +bridged room. + +Also send `help` to the bot to see the commands available. From 67a5ef97ba34d8cc4a865783f657832d0148f4d6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 9 Apr 2020 09:16:10 +0300 Subject: [PATCH 57/87] Fix missing "stun:" prefix for jitsi/web STUN server URLs Hopefully fixes an error like this (which I haven't been able to reproduce, but..): > [modules/xmpp/strophe.util.js] : Strophe: Error: Failed to construct 'RTCPeerConnection': 'matrix.DOMAIN' is not one of the supported URL schemes 'stun', 'turn' or 'turns'. --- group_vars/matrix_servers | 6 +++--- roles/matrix-jitsi/defaults/main.yml | 3 ++- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index ef753e17e..5841b20ce 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -412,11 +412,11 @@ matrix_jitsi_jvb_auth_password: "{{ matrix_synapse_macaroon_secret_key | passwor
 matrix_jitsi_web_stun_servers: |
 {{
 [
- matrix_server_fqn_matrix + ':5349',
- matrix_server_fqn_matrix + ':3478',
+ 'stun:' + matrix_server_fqn_matrix + ':5349',
+ 'stun:' + matrix_server_fqn_matrix + ':3478',
 ]
 if matrix_coturn_enabled
- else [ 'meet-jit-si-turnrelay.jitsi.net:443']
+ else [ 'stun:meet-jit-si-turnrelay.jitsi.net:443']
 }}
 
 ######################################################################
diff --git a/roles/matrix-jitsi/defaults/main.yml b/roles/matrix-jitsi/defaults/main.yml
index 44a279c78..fb9242ed5 100644
--- a/roles/matrix-jitsi/defaults/main.yml
+++ b/roles/matrix-jitsi/defaults/main.yml
@@ -38,7 +38,8 @@ matrix_jitsi_web_transcripts_path: "{{ matrix_jitsi_web_base_path }}/transcripts
 matrix_jitsi_web_public_url: "https://{{ matrix_server_fqn_jitsi }}"
 
 # STUN servers used in the web UI. Feel free to point them to your own STUN server.
-matrix_jitsi_web_stun_servers: ['meet-jit-si-turnrelay.jitsi.net:443']
+# Addresses need to be prefixed with one of `stun:`, `turn:` or `turns:`.
+matrix_jitsi_web_stun_servers: ['stun:meet-jit-si-turnrelay.jitsi.net:443']
 
 # Controls whether the matrix-jitsi-web container exposes its HTTP port (tcp/80 in the container).
 #
From 4e9976d559418ae9747ec7b255c2bab126dc309b Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Thu, 9 Apr 2020 09:26:03 +0300
Subject: [PATCH 58/87] Rename documentation file
---
 ...kype.md => configuring-playbook-bridge-mx-puppet-skype.md} | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) rename docs/{configuring-playbook-bridge-mx-bridge-skype.md => configuring-playbook-bridge-mx-puppet-skype.md} (84%)
diff --git a/docs/configuring-playbook-bridge-mx-bridge-skype.md b/docs/configuring-playbook-bridge-mx-puppet-skype.md
similarity index 84%
rename from docs/configuring-playbook-bridge-mx-bridge-skype.md
rename to docs/configuring-playbook-bridge-mx-puppet-skype.md
index f39ce51e6..cca5e3059 100644
--- a/docs/configuring-playbook-bridge-mx-bridge-skype.md
+++ b/docs/configuring-playbook-bridge-mx-puppet-skype.md
@@ -3,9 +3,7 @@
 The playbook can install and configure
 [mx-puppet-skype](https://github.com/Sorunome/mx-puppet-skype) for you.
 
-See the project's
-[documentation](https://github.com/tulir/mautrix-hangouts/wiki#usage) to learn
-what it does and why it might be useful to you.
+See the project page to learn what it does and why it might be useful to you.
 
 To enable the [Skype](https://www.skype.com/) bridge just use the following
 playbook configuration:
From 5b8f8bc9420e23a91c15bfe7408546b6d6a46902 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Thu, 9 Apr 2020 09:33:30 +0300
Subject: [PATCH 59/87] Announce Skype bridging
---
 CHANGELOG.md | 9 +++++++++ README.md | 2 ++ docs/configuring-playbook.md | 2 ++ 3 files changed, 13 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index af2c8910d..b849ef359 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,12 @@
+# 2020-04-09
+
+## Skype bridging support
+
+Thanks to [Rodrigo Belem](https://github.com/rbelem)'s efforts, the playbook now supports bridging to [Skype](https://www.skype.com) via the [mx-puppet-skype](https://github.com/Sorunome/mx-puppet-skype) bridge.
+
+See our [Setting up MX Puppet Skype bridging](docs/configuring-playbook-bridge-mx-puppet-skype.md) documentation page for getting started.
+
+
 # 2020-04-05
 
 ## Private Jitsi support
diff --git a/README.md b/README.md
index b16a8dfea..43125026f 100644
--- a/README.md
+++ b/README.md
@@ -144,6 +144,8 @@ This playbook sets up your server using the following Docker images:
 - [turt2live/matrix-appservice-webhooks](https://hub.docker.com/r/turt2live/matrix-appservice-webhooks) - the [Appservice Webhooks](https://github.com/turt2live/matrix-appservice-webhooks) bridge (optional)
 
+- [sorunome/mx-puppet-skype](https://hub.docker.com/r/sorunome/mx-puppet-skype) - the [mx-puppet-skype](https://github.com/Sorunome/mx-puppet-skype) bridge to [Skype](https:/www.skype.com) (optional)
+
 - [turt2live/matrix-dimension](https://hub.docker.com/r/turt2live/matrix-dimension) - the [Dimension](https://dimension.t2bot.io/) integrations manager (optional)
 
 - [jitsi/web](https://hub.docker.com/r/jitsi/web) - the [Jitsi](https://jitsi.org/) web UI (optional)
 
diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md
index 4d0d2093b..af00f7c09 100644
--- a/docs/configuring-playbook.md
+++ b/docs/configuring-playbook.md
@@ -97,4 +97,6 @@ When you're done with all the configuration you'd like to do, continue with [Ins
 - [Setting up Appservice Webhooks bridging](configuring-playbook-bridge-appservice-webhooks.md) (optional)
 
+- [Setting up MX Puppet Skype bridging](configuring-playbook-bridge-mx-puppet-skype.md) (optional)
+
 - [Setting up Email2Matrix](configuring-playbook-email2matrix.md) (optional)
 
From c1a66d3422c3b0a1676ba6358fc182668de8f4c3 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Thu, 9 Apr 2020 09:44:10 +0300
Subject: [PATCH 60/87] Put mx-puppet-skype configs in ./config directory, not ./data
---
 roles/matrix-bridge-mx-puppet-skype/defaults/main.yml | 2 +- roles/matrix-bridge-mx-puppet-skype/tasks/init.yml | 2 +- roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml | 2 +- .../templates/systemd/matrix-mx-puppet-skype.service.j2 | 3 +++ 4 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml
index 9eb2c9643..d4df2f0db 100644
--- a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml
+++ b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml
@@ -9,7 +9,7 @@ matrix_mx_puppet_skype_docker_image: "sorunome/mx-puppet-skype:latest"
 matrix_mx_puppet_skype_docker_image_force_pull: "{{ matrix_mx_puppet_skype_docker_image.endswith(':latest') }}"
 
 matrix_mx_puppet_skype_base_path: "{{ matrix_base_data_path }}/mx-puppet-skype"
-matrix_mx_puppet_skype_config_path: "{{ matrix_mx_puppet_skype_base_path }}/data"
+matrix_mx_puppet_skype_config_path: "{{ matrix_mx_puppet_skype_base_path }}/config"
 matrix_mx_puppet_skype_data_path: "{{ matrix_mx_puppet_skype_base_path }}/data"
 matrix_mx_puppet_skype_docker_src_files_path: "{{ matrix_mx_puppet_skype_base_path }}/docker-src"
 
diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml
index 099baa07b..801c71c28 100644
--- a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml
+++ b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml
@@ -7,7 +7,7 @@
 matrix_synapse_container_extra_arguments: >
 {{ matrix_synapse_container_extra_arguments|default([]) }}
 +
- ["--mount type=bind,src={{ matrix_mx_puppet_skype_config_path }}/skype-registration.yaml,dst=/matrix-mx-puppet-skype-registration.yaml,ro"]
+ ["--mount type=bind,src={{ matrix_mx_puppet_skype_config_path }}/registration.yaml,dst=/matrix-mx-puppet-skype-registration.yaml,ro"]
 
 matrix_synapse_app_service_config_files: >
 {{ matrix_synapse_app_service_config_files|default([]) }}
diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml
index 46e37112c..894b0a9be 100644
--- a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml
+++ b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml
@@ -75,7 +75,7 @@
 - name: Ensure mx-puppet-skype skype-registration.yaml installed
 copy:
 content: "{{ matrix_mx_puppet_skype_registration|to_nice_yaml }}"
- dest: "{{ matrix_mx_puppet_skype_config_path }}/skype-registration.yaml"
+ dest: "{{ matrix_mx_puppet_skype_config_path }}/registration.yaml"
 mode: 0644
 owner: "{{ matrix_user_username }}"
 group: "{{ matrix_user_username }}"
diff --git a/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2 b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2
index de0c9d204..cc55f3241 100644
--- a/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2
+++ b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2
@@ -22,6 +22,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mx-puppet-skype \
 --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 --cap-drop=ALL \
 --network={{ matrix_docker_network }} \
+ -e CONFIG_PATH=/config/config.yaml \
+ -e REGISTRATION_PATH=/config/registration.yaml \
+ -v {{ matrix_mx_puppet_skype_config_path }}:/config:z \
 -v {{ matrix_mx_puppet_skype_data_path }}:/data:z \
 {% for arg in matrix_mx_puppet_skype_container_extra_arguments %}
 {{ arg }} \
From 7035af87d8d96c9381b47ed65a39e05ead1dc3b5 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Thu, 9 Apr 2020 09:58:35 +0300
Subject: [PATCH 61/87] Add support for Jitsi discovery for Riot via /.well-known/matrix/client This will not work yet, as no version of Riot currently supports it. It's expected to land in riot-web v1.5.16 via matrix-org/matrix-react-sdk#4348.
---
 group_vars/matrix_servers | 2 ++ roles/matrix-base/defaults/main.yml | 5 +++++ .../templates/static-files/well-known/matrix-client.j2 | 5 +++++ 3 files changed, 12 insertions(+)
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 474ef9601..864cd7d40 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
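Review bot: The file written at the new `dest:` line is the bridge's appservice registration, which presumably carries the `as_token`/`hs_token` values this playbook derives elsewhere, yet the `mode: 0644` context line leaves it world-readable on the host. The bridge runs as `{{ matrix_user_uid }}:{{ matrix_user_gid }}` and the file is owned by `{{ matrix_user_username }}`, so `mode: "0640"` should be enough for the bridge; confirm the Synapse container (which gets this file bind-mounted in `init.yml`) runs under the same uid before tightening. Quoting the mode also sidesteps the YAML 1.1 leading-zero octal ambiguity.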
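Review bot: The new `-v {{ matrix_mx_puppet_skype_config_path }}:/config:z \` mounts the directory holding `config.yaml` and `registration.yaml` read-write, while the same registration file is mounted into Synapse with `,ro` in this commit's `init.yml` hunk. If the bridge only reads from `/config` (which the `CONFIG_PATH`/`REGISTRATION_PATH` environment variables suggest but do not prove), `-v {{ matrix_mx_puppet_skype_config_path }}:/config:ro,z \` denies a compromised bridge process the ability to rewrite its own registration and config. The `ExecStart=` command continues outside the hunk.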
@@ -18,6 +18,8 @@
 matrix_identity_server_url: "{{ 'https://' + matrix_synapse_trusted_third_party_id_servers[0] if matrix_synapse_trusted_third_party_id_servers|length > 0 else None }}"
 
+matrix_riot_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matrix_jitsi_enabled else '' }}"
+
 ######################################################################
 #
 # /matrix-base
diff --git a/roles/matrix-base/defaults/main.yml b/roles/matrix-base/defaults/main.yml
index c6ed430b9..7f4c6ace7 100644
--- a/roles/matrix-base/defaults/main.yml
+++ b/roles/matrix-base/defaults/main.yml
@@ -43,6 +43,11 @@ matrix_identity_server_url: ~
 matrix_integration_manager_rest_url: ~
 matrix_integration_manager_ui_url: ~
 
+# The domain name where a Jitsi server is self-hosted.
+# If set, `/.well-known/matrix/client` will suggest Riot clients to use that Jitsi server.
+# See: https://github.com/vector-im/riot-web/blob/develop/docs/jitsi.md#configuring-riot-to-use-your-self-hosted-jitsi-server
+matrix_riot_jitsi_preferredDomain: ''
+
 # The Docker network that all services would be put into
 matrix_docker_network: "matrix"
 
diff --git a/roles/matrix-base/templates/static-files/well-known/matrix-client.j2 b/roles/matrix-base/templates/static-files/well-known/matrix-client.j2
index 719656a4a..edbaa62eb 100644
--- a/roles/matrix-base/templates/static-files/well-known/matrix-client.j2
+++ b/roles/matrix-base/templates/static-files/well-known/matrix-client.j2
@@ -18,4 +18,9 @@
 ]
 }
 {% endif %}
+ {% if matrix_riot_jitsi_preferredDomain %},
+ "im.vector.riot.jitsi": {
+ "preferredDomain": {{ matrix_riot_jitsi_preferredDomain|to_json }}
+ }
+ {% endif %}
 }
From ab58b3fc9ed0f0e76a781ec977ebbd7bd9f3ff2c Mon Sep 17 00:00:00 2001
From: skoal
Date: Thu, 9 Apr 2020 14:31:42 +0200
Subject: [PATCH 62/87] Update prerequisites.md Added Jitsi firewall ports
---
 docs/prerequisites.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
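Review bot: The new default `matrix_riot_jitsi_preferredDomain: ''` in `roles/matrix-base/defaults/main.yml` breaks the file's two local conventions: the surrounding keys are `snake_case` (`matrix_identity_server_url`, `matrix_integration_manager_ui_url`), and "unset" is spelled `~` on every neighbouring line rather than `''`. The `well-known` template only tests truthiness, so `~` would work unchanged; the camelCase suffix is presumably copied from the JSON key `preferredDomain`, and if it is kept on purpose a line such as `# Note: camelCase suffix mirrors the well-known key "preferredDomain".` would stop the next reader from "fixing" it. The comment could also say that `group_vars/matrix_servers` (first hunk) fills this in automatically when `matrix_jitsi_enabled` is set.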
diff --git a/docs/prerequisites.md b/docs/prerequisites.md
index 3427c8a38..6b66c3d33 100644
--- a/docs/prerequisites.md
+++ b/docs/prerequisites.md
@@ -16,6 +16,6 @@
 - properly configured DNS records for `` (details in [Configuring DNS](configuring-dns.md))
 
-- some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (TURN over TCP), `3478/udp` (TURN over UDP), `5349/tcp` (TURN over TCP), `5349/udp` (TURN over UDP), `8448/tcp` (Matrix Federation API HTTPS webserver), the range `49152-49172/udp` (TURN over UDP).
+- some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (TURN over TCP), `3478/udp` (TURN over UDP), `5349/tcp` (TURN over TCP), `5349/udp` (TURN over UDP), `8448/tcp` (Matrix Federation API HTTPS webserver), the range `49152-49172/udp` (TURN over UDP), `4443/tcp` (Jitsi Harvester fallback), `10000/udp` (Jitsi video RTP)
 
 When ready to proceed, continue with [Configuring DNS](configuring-dns.md).
From 0713570e2feebf21a598891d58a20552f6027ad1 Mon Sep 17 00:00:00 2001
From: skoal
Date: Thu, 9 Apr 2020 14:40:32 +0200
Subject: [PATCH 63/87] Update matrix_servers turn tls port update
---
 group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 864cd7d40..419cf0027 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -443,7 +443,7 @@ matrix_jitsi_jvb_auth_password: "{{ matrix_synapse_macaroon_secret_key | passwor
 matrix_jitsi_web_stun_servers: |
 {{
 [
- 'stun:' + matrix_server_fqn_matrix + ':5349',
+ 'turns:' + matrix_server_fqn_matrix + ':5349',
 'stun:' + matrix_server_fqn_matrix + ':3478',
 ]
 if matrix_coturn_enabled
From e6ebfbf8cc94b8a728f61faa2a4759114d590e95 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Thu, 9 Apr 2020 16:07:36 +0300
Subject: [PATCH 64/87] Prevent conflict between Whatsapp and Skype bridge tokens Fixes an error like this: > synapse.config._base.ConfigError: Cannot reuse as_token across application services
---
 group_vars/matrix_servers | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 864cd7d40..6135ded68 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -308,9 +308,9 @@ matrix_mx_puppet_skype_systemd_required_services_list: |
 (['matrix-synapse.service'] if matrix_synapse_enabled else [])
 }}
 
-matrix_mx_puppet_skype_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'whats.as.token') | to_uuid }}"
+matrix_mx_puppet_skype_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'skype.as.tok') | to_uuid }}"
 
-matrix_mx_puppet_skype_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'whats.hs.token') | to_uuid }}"
+matrix_mx_puppet_skype_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'skype.hs.tok') | to_uuid }}"
 
 matrix_mx_puppet_skype_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
From 64de103dff0c165cb709219f4e72366ba3c7b351 Mon Sep 17 00:00:00 2001
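Review bot: In the second hunk the new salts `'skype.as.tok'` and `'skype.hs.tok'` are the only thing separating these tokens from every other bridge's, since all of them are derived from the one `matrix_synapse_macaroon_secret_key`, and nothing in the file says so — which is presumably how the copy-pasted `whats.*` salts survived review. Suggest a comment above the `appservice_token` line, e.g. `# The salt must be unique across all bridges and token kinds: identical salts derive identical tokens, which Synapse rejects ("Cannot reuse as_token").`. A short, distinct salt per bridge and per token kind is the invariant the whole block depends on, so it is worth stating once where the pattern is first used.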
From: Rodrigo Belem
Date: Thu, 9 Apr 2020 11:03:06 -0400
Subject: [PATCH 65/87] Add global var to control skype image self build
---
 group_vars/matrix_servers | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 65ebc451f..ceb5ff9f7 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -301,6 +301,8 @@ matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_pro
 # We don't enable bridges by default.
 matrix_mx_puppet_skype_enabled: false
 
+matrix_mx_puppet_skype_container_image_self_build: "{{ matrix_container_images_self_build }}"
+
 matrix_mx_puppet_skype_systemd_required_services_list: |
 {{
 ['docker.service']
From 181434d9c6d5634ef367f059432a066c31c3f827 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Thu, 9 Apr 2020 18:48:56 +0300
Subject: [PATCH 66/87] Add matrix-mx-puppet-skype to the list of roles that can self-build
---
 docs/self-building.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/docs/self-building.md b/docs/self-building.md
index bef358521..aae31c7b9 100644
--- a/docs/self-building.md
+++ b/docs/self-building.md
@@ -8,12 +8,13 @@ matrix_container_images_self_build: true
 ```
 Setting that variable will self-build every role which supports self-building. Self-building can be set on a per-role basis as well.
 
-List of roles where self-building the docker image is currently possible:
-- synapse
-- riot-web
-- coturn
-- ma1sd
-- matrix-bridge-mautrix-facebook
-- matrix-bridge-mautrix-hangouts
+List of roles where self-building the Docker image is currently possible:
+- `matrix-synapse`
+- `matrix-riot-web`
+- `matrix-coturn`
+- `matrix-ma1sd`
+- `matrix-mautrix-facebook`
+- `matrix-mautrix-hangouts`
+- `matrix-mx-puppet-skype`
 
 Adding self-building support to other roles is welcome. Feel free to contribute!
From 515160f0d71fff0a6d33f07f1eea5ff49df5db30 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Thu, 9 Apr 2020 19:09:04 +0300
Subject: [PATCH 67/87] Fix STUN server URL for jitsi/web (turns -> stun) Discussed in #446 (Github Pull Request).
---
 group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index ceb5ff9f7..e80d55c35 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -445,7 +445,7 @@ matrix_jitsi_jvb_auth_password: "{{ matrix_synapse_macaroon_secret_key | passwor
 matrix_jitsi_web_stun_servers: |
 {{
 [
- 'turns:' + matrix_server_fqn_matrix + ':5349',
+ 'stun:' + matrix_server_fqn_matrix + ':5349',
 'stun:' + matrix_server_fqn_matrix + ':3478',
 ]
 if matrix_coturn_enabled
From ddc44996e3337d00814824fdec1aec524f538c1d Mon Sep 17 00:00:00 2001
From: John Goerzen
Date: Sat, 11 Apr 2020 17:07:30 -0500
Subject: [PATCH 68/87] Fix to avoid putting an incorrect empty jitsi.preferredDomain when no local jitsi
---
 roles/matrix-riot-web/templates/config.json.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/matrix-riot-web/templates/config.json.j2 b/roles/matrix-riot-web/templates/config.json.j2
index 43d50ab51..0a388e813 100644
--- a/roles/matrix-riot-web/templates/config.json.j2
+++ b/roles/matrix-riot-web/templates/config.json.j2
@@ -30,7 +30,7 @@
 "embeddedPages": {
 "homeUrl": {{ matrix_riot_web_embedded_pages_home_url|string|to_json }}
 },
- {% if matrix_riot_web_jitsi_preferredDomain is not none %}
+ {% if matrix_riot_web_jitsi_preferredDomain is not none and matrix_riot_web_jitsi_preferredDomain != '' %}
 "jitsi": {
 "preferredDomain": {{ matrix_riot_web_jitsi_preferredDomain|to_json }}
 },
From 69338d045a9ff7c6917216586ba1a78645afac6e Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Sun, 12 Apr 2020 01:09:22 +0300
Subject: [PATCH 69/87] Simplify if conditions
---
 roles/matrix-riot-web/templates/config.json.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/matrix-riot-web/templates/config.json.j2 b/roles/matrix-riot-web/templates/config.json.j2
index 0a388e813..adbbf8dcd 100644
--- a/roles/matrix-riot-web/templates/config.json.j2
+++ b/roles/matrix-riot-web/templates/config.json.j2
@@ -30,7 +30,7 @@
 "embeddedPages": {
 "homeUrl": {{ matrix_riot_web_embedded_pages_home_url|string|to_json }}
 },
- {% if matrix_riot_web_jitsi_preferredDomain is not none and matrix_riot_web_jitsi_preferredDomain != '' %}
+ {% if matrix_riot_web_jitsi_preferredDomain %}
 "jitsi": {
 "preferredDomain": {{ matrix_riot_web_jitsi_preferredDomain|to_json }}
 },
From cf36dbe4f6627e64e35e9831fe4f67b5185050fb Mon Sep 17 00:00:00 2001
From: Udo Rader
Date: Mon, 13 Apr 2020 11:22:13 +0200
Subject: [PATCH 70/87] correctly quoted and added another way to retrieve it
---
 docs/configuring-playbook-bridge-appservice-slack.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/configuring-playbook-bridge-appservice-slack.md b/docs/configuring-playbook-bridge-appservice-slack.md
index afeeb658b..cf0874141 100644
--- a/docs/configuring-playbook-bridge-appservice-slack.md
+++ b/docs/configuring-playbook-bridge-appservice-slack.md
@@ -63,7 +63,7 @@ Note that the bot's domain is your server's domain **without the `matrix.` prefi
 * Invite the bot user to both the Slack and Matrix channels you would like to bridge using `/invite @slackbot` for slack and `/invite @slackbot:MY.DOMAIN` for matrix.
 
- * Determine the "channel ID" that Slack uses to identify the channel, which can be found in the url https://XXX.slack.com/messages//.
+ * Determine the "channel ID" that Slack uses to identify the channel, which can be found in the url `https://XXX.slack.com/messages//`. Or, even simpler, if you open a channel in a browser, the URL reads like this: `https://app.slack.com/client/XXX//details/`.
 
 * Issue a link command in the administration control room with these collected values as arguments:
 
From b6aa246f7c5cfa66078efffccb02d8d621224988 Mon Sep 17 00:00:00 2001
From: Udo Rader
Date: Mon, 13 Apr 2020 17:17:19 +0200
Subject: [PATCH 71/87] better described how to get channel id, added a section how to unlink a channel and a troubleshooting section
---
 ...guring-playbook-bridge-appservice-slack.md | 35 ++++++++++++++++--- 1 file changed, 31 insertions(+), 4 deletions(-)
diff --git a/docs/configuring-playbook-bridge-appservice-slack.md b/docs/configuring-playbook-bridge-appservice-slack.md
index cf0874141..371195b62 100644
--- a/docs/configuring-playbook-bridge-appservice-slack.md
+++ b/docs/configuring-playbook-bridge-appservice-slack.md
@@ -4,7 +4,7 @@ The playbook can install and configure [matrix-appservice-slack](https://github.
 See the project's [documentation](https://github.com/matrix-org/matrix-appservice-slack/blob/master/README.md) to learn what it does and why it might be useful to you.
 
-Setup Instructions:
+## Setup Instructions:
 
 loosely based on [this](https://github.com/matrix-org/matrix-appservice-slack#Setup)
 
@@ -29,7 +29,9 @@ Note that the bot's domain is your server's domain **without the `matrix.` prefi
 5. Create a new Slack App [here](https://api.slack.com/apps).
 
- Name the app & select the team/workspace this app will belong to.
+ Name the app "matrixbot" (or anything else you'll remember).
+
+ Select the team/workspace this app will belong to.
 
 Click on bot users and add a new bot user. We will use this account to bridge the the rooms.
 
@@ -61,9 +63,9 @@ Note that the bot's domain is your server's domain **without the `matrix.` prefi
 * Create a Matrix room in the usual manner for your client. Take a note of its Matrix room ID - it will look something like !aBcDeF:example.com.
 
- * Invite the bot user to both the Slack and Matrix channels you would like to bridge using `/invite @slackbot` for slack and `/invite @slackbot:MY.DOMAIN` for matrix.
+ * Invite the bot user to both the Slack and Matrix channels you would like to bridge using `/invite @matrixbot` for slack and `/invite @slackbot:MY.DOMAIN` for matrix.
 
- * Determine the "channel ID" that Slack uses to identify the channel, which can be found in the url `https://XXX.slack.com/messages//`. Or, even simpler, if you open a channel in a browser, the URL reads like this: `https://app.slack.com/client/XXX//details/`.
+ * Determine the "channel ID" that Slack uses to identify the channel. You can see it when you open a given Slack channel in a browser. The URL reads like this: `https://app.slack.com/client/XXX//details/`.
 
 * Issue a link command in the administration control room with these collected values as arguments:
 
@@ -81,3 +83,28 @@ Note that the bot's domain is your server's domain **without the `matrix.` prefi
 ```
 
 Other configuration options are available via the `matrix_appservice_slack_configuration_extension_yaml` variable.
+
+10. Unlinking
+
+ Channels can be unlinked again like this:
+ ```
+ unlink --room !the-matrix:room.id
+ ```
+
+ Unlinking doesn't only disconnect the bridge, but also makes the slackbot leave the bridged matrix room. So in case you want to re-link later, don't forget to re-invite the slackbot into this room again.
+
+## Troubleshooting
+
+* as always, check the logs:
+`journalctl -fu matrix-appservice-slack`
+
+* linking: "Room is now pending-name"
+This typically means that you haven't used the correct slack channel id. Unlink the room and recheck 'Determine the "channel ID"' from above.
+
+* Messages work from M to S, but not the other way around
+Check you logs, if they say something like
+
+`WARN SlackEventHandler Ignoring message from unrecognised slack channel id : %s (%s) `
+
+then unlink your room, reinvite the bot and re-link it again. This may particularly hit you, if you tried to unsuccessfully link
+your room multiple times without unlinking it after each failed attempt.
From cc8fc55ac6fdac94fadb01de91584b34e62ab0d6 Mon Sep 17 00:00:00 2001
From: Rodrigo Belem
Date: Wed, 15 Apr 2020 15:13:56 -0400
Subject: [PATCH 72/87] Upstream set mx-puppet-skype default port to 8438
---
 roles/matrix-bridge-mx-puppet-skype/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml
index d4df2f0db..c32768079 100644
--- a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml
+++ b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml
@@ -13,7 +13,7 @@ matrix_mx_puppet_skype_config_path: "{{ matrix_mx_puppet_skype_base_path }}/conf
 matrix_mx_puppet_skype_data_path: "{{ matrix_mx_puppet_skype_base_path }}/data"
 matrix_mx_puppet_skype_docker_src_files_path: "{{ matrix_mx_puppet_skype_base_path }}/docker-src"
 
-matrix_mx_puppet_skype_appservice_port: "6000"
+matrix_mx_puppet_skype_appservice_port: "8438"
 matrix_mx_puppet_skype_homeserver_address: 'http://matrix-synapse:8008'
 matrix_mx_puppet_skype_homeserver_domain: '{{ matrix_domain }}'
From d83236ea0e87af29fb1f81647fe92c04fb360bc5 Mon Sep 17 00:00:00 2001
From: Chris van Dijk
Date: Fri, 17 Apr 2020 00:52:09 +0200
Subject: [PATCH 73/87] Fix inconsistent whitespace
---
 .../usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 | 2 +- .../templates/usr-local-bin/matrix-postgres-cli.j2 | 2 +- .../usr-local-bin/matrix-postgres-update-user-password-hash.j2 | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2
index 93306d782..f7c930c09 100644
--- a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2
+++ b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2
@@ -11,7 +11,7 @@ docker run \
 --rm \
 --name=matrix-certbot \
 --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
- --cap-drop=ALL \
+ --cap-drop=ALL \
 --network="{{ matrix_docker_network }}" \
 -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 \
 -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt \
diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2
index 8f0c4c5b4..61f4cf80a 100644
--- a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2
+++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2
@@ -5,7 +5,7 @@ docker run \
 -it \
 --rm \
 --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
- --cap-drop=ALL \
+ --cap-drop=ALL \
 --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
 --network {{ matrix_docker_network }} \
 {{ matrix_postgres_docker_image_to_use }} \
diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2
index d950ce974..e546b2c51 100644
--- a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2
+++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2
@@ -9,7 +9,7 @@ fi
 docker run \
 --rm \
 --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
- --cap-drop=ALL \
+ --cap-drop=ALL \
 --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
 --network {{ matrix_docker_network }} \
 {{ matrix_postgres_docker_image_to_use }} \
From 88c1fbf6aa9505db0e4cc43f3a3ed322f14e4494 Mon Sep 17 00:00:00 2001
From: Chris van Dijk
Date: Fri, 17 Apr 2020 00:54:38 +0200
Subject: [PATCH 74/87] Fix hardcoded values in postgres script matrix-change-user-admin-status
---
 .../usr-local-bin/matrix-change-user-admin-status.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2
index 861a0d0d7..e9c76674c 100644
--- a/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2
+++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2
@@ -11,9 +11,9 @@ fi
 docker run \
 -it \
 --rm \
- --user=991:991 \
+ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 --cap-drop=ALL \
 --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
 --network {{ matrix_docker_network }} \
- postgres:12.1-alpine \
- psql -h matrix-postgres -c "UPDATE users set admin=$2 WHERE name like '@$1:{{ matrix_domain }}'"
+ {{ matrix_postgres_docker_image_to_use }} \
+ psql -h {{ matrix_postgres_connection_hostname }} -c "UPDATE users set admin=$2 WHERE name like '@$1:{{ matrix_domain }}'"
From 4d260c0dd533a0cf6a87d113887759660472f898 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Fri, 17 Apr 2020 09:44:48 +0300
Subject: [PATCH 75/87] Add encryption configuration defaults to Mautrix bridges Related to #451 (Github Issue).
---
 .../matrix-bridge-mautrix-facebook/defaults/main.yml | 11 +++++++++++ .../matrix-bridge-mautrix-hangouts/defaults/main.yml | 11 +++++++++++ .../matrix-bridge-mautrix-telegram/defaults/main.yml | 12 ++++++++++++ 3 files changed, 34 insertions(+)
diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml
index 30693bd58..3c09dafd3 100644
--- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml
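Review bot: The rewritten `psql … -c "UPDATE users set admin=$2 WHERE name like '@$1:{{ matrix_domain }}'"` line still splices both positional arguments straight into the SQL text, so a `$2` that is not a boolean literal or a `$1` containing `'`, `%` or `_` changes the statement instead of being rejected, and `like` matches wildcard patterns where an exact comparison is intended. The argument checks sit above the hunk (the `fi` in the hunk header), which is where a whitelist belongs: `case "$2" in true|false) ;; *) echo "admin status must be true or false" >&2; exit 1;; esac` for the flag, and `[[ "$1" =~ ^[a-z0-9._=/-]+$ ]] || exit 1` for the localpart (the character set allowed in Matrix user-ID localparts). With those in place the `like` can become `name = '@$1:{{ matrix_domain }}'`, so the script only ever touches the one row it was asked about.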
@@ -141,6 +141,17 @@ matrix_mautrix_facebook_configuration_yaml: |
 presence: true
 # Whether or not to update avatars when syncing all contacts at startup.
 update_avatar_initial_sync: true
+ # End-to-bridge encryption support options. These require matrix-nio to be installed with pip
+ # and login_shared_secret to be configured in order to get a device for the bridge bot.
+ #
+ # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal
+ # application service.
+ encryption:
+ # Allow encryption, work in group chat rooms with e2ee enabled
+ allow: false
+ # Default to encryption, force-enable encryption in all portals the bridge creates
+ # This will cause the bridge bot to be in private chats for the encryption to work properly.
+ default: false
 
 # Permissions for using the bridge.
 # Permitted values:
diff --git a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml
index 5284bc822..8de4576f3 100644
--- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml
@@ -124,6 +124,17 @@ matrix_mautrix_hangouts_configuration_yaml: | login_shared_secret: {{ matrix_mautrix_hangouts_login_shared_secret|to_json }} # Whether or not to update avatars when syncing all contacts at startup. update_avatar_initial_sync: true + # End-to-bridge encryption support options. These require matrix-nio to be installed with pip + # and login_shared_secret to be configured in order to get a device for the bridge bot. + # + # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal + # application service. + encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: false + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: false # Public website and API configs web: diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml index 6cfa3abb7..b491dce8b 100644 --- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml @@ -227,6 +227,18 @@ matrix_mautrix_telegram_configuration_yaml: | height: 256 background: "020202" # only for gif fps: 30 # only for webm + # End-to-bridge encryption support options. These require matrix-nio to be installed with pip + # and login_shared_secret to be configured in order to get a device for the bridge bot. + # + # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal + # application service. + encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: false + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: false + # Overrides for base power levels. initial_power_level_overrides: user: {} 
From 9a43cc02e0a5b46670d13c7a2c5f8388e7ba3046 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Apr 2020 09:45:35 +0300 Subject: [PATCH 76/87] Only install docker-python if matrix_docker_installation_enabled Should help with #300 (Github Issue). --- roles/matrix-base/tasks/server_base/setup_centos.yml | 2 +- roles/matrix-base/tasks/server_base/setup_debian.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-base/tasks/server_base/setup_centos.yml b/roles/matrix-base/tasks/server_base/setup_centos.yml index 77b2866af..07776d7f6 100644 --- a/roles/matrix-base/tasks/server_base/setup_centos.yml +++ b/roles/matrix-base/tasks/server_base/setup_centos.yml @@ -20,7 +20,6 @@ - name: Ensure yum packages are installed yum: name: - - docker-python - "{{ matrix_ntpd_package }}" - fuse state: latest @@ -30,5 +29,6 @@ yum: name: - "{{ matrix_docker_package_name }}" + - docker-python state: latest when: matrix_docker_installation_enabled|bool diff --git a/roles/matrix-base/tasks/server_base/setup_debian.yml b/roles/matrix-base/tasks/server_base/setup_debian.yml index c54b3cb6f..88ea1c1de 100644 --- a/roles/matrix-base/tasks/server_base/setup_debian.yml +++ b/roles/matrix-base/tasks/server_base/setup_debian.yml @@ -27,7 +27,6 @@ - name: Ensure APT packages are installed apt: name: - - "python{{'3' if ansible_python.version.major == 3 else ''}}-docker" - "{{ matrix_ntpd_package }}" - fuse state: latest @@ -37,5 +36,6 @@ apt: name: - "{{ matrix_docker_package_name }}" + - "python{{'3' if ansible_python.version.major == 3 else ''}}-docker" state: latest when: matrix_docker_installation_enabled|bool From 43201c9e223d42ddf5fca65ca42da5bc684d2c89 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 17 Apr 2020 22:26:55 +0300 Subject: [PATCH 77/87] Upgrade matrix-corporal (1.8.0 -> 1.9.0) --- roles/matrix-corporal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
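Review bot: An operator who sets `matrix_docker_installation_enabled: false` because they manage Docker themselves now also stops getting the Python Docker SDK, since `docker-python` (and the Debian `python{{...}}-docker` package) moved under that task's `when: matrix_docker_installation_enabled|bool` guard — the Ansible docker modules the playbook uses elsewhere (e.g. the image-build task in patch 81) presumably still need it, so such a run would fail later with a less obvious error. If the goal is only to avoid the missing package on CentOS 8 (#300), a separate toggle would be cleaner; at minimum the comment on `matrix_docker_installation_enabled` (defined outside these hunks) should say `# Disabling this also skips installing the Python Docker SDK; provide it yourself.` The same point applies to both hunks of setup_debian.yml.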
diff --git a/roles/matrix-corporal/defaults/main.yml b/roles/matrix-corporal/defaults/main.yml
index 9430f0532..f077b4655 100644
--- a/roles/matrix-corporal/defaults/main.yml
+++ b/roles/matrix-corporal/defaults/main.yml
@@ -19,7 +19,7 @@ matrix_corporal_container_extra_arguments: []
 # List of systemd services that matrix-corporal.service depends on
 matrix_corporal_systemd_required_services_list: ['docker.service']
 
-matrix_corporal_docker_image: "devture/matrix-corporal:1.8.0"
+matrix_corporal_docker_image: "devture/matrix-corporal:1.9.0"
 matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}"
 
 matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal"

From e54428b160de6720bd603610d1ebbcc5ee9d8953 Mon Sep 17 00:00:00 2001
From: Tom
Date: Sat, 18 Apr 2020 00:11:30 +0100
Subject: [PATCH 78/87] Expose allowed local 3pids as a configurable option

---
 roles/matrix-synapse/defaults/main.yml | 7 +++++++
 roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 3 +++
 2 files changed, 10 insertions(+)

diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml
index e2ab5fb81..f117fe93d 100644
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@@ -164,6 +164,13 @@ matrix_synapse_enable_group_creation: false
 # A list of 3PID types which users must supply when registering (possible values: email, msisdn).
 matrix_synapse_registrations_require_3pid: []
 
+# A list of patterns 3pids must match in order to permit registration, e.g.:
+# - medium: email
+# pattern: '.*@example\.com'
+# - medium: msisdn
+# pattern: '\+44'
+matrix_synapse_allowed_local_3pids: []
+
 # The server to use for email threepid validation. When empty, Synapse does it by itself.
 # Otherwise, this should be pointed to an identity server.
 matrix_synapse_account_threepid_delegates_email: ''
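Review bot: The comment on `matrix_synapse_allowed_local_3pids: []` should say what the empty default means: the template only emits `allowed_local_3pids` when the list is non-empty, so `[]` leaves Synapse's own default of accepting any 3PID — e.g. `# When empty (the default), registration is not restricted by 3PID pattern.` The example patterns also deserve a caveat: they are regular expressions (note the `\.` and `\+` escapes), and as far as I recall Synapse matches them only at the start of the address, so `'.*@example\.com'` would also accept a constructed `user@example.com.other.test` unless the pattern is end-anchored (`'.*@example\.com$'`) — worth verifying against the Synapse version in use before relying on this for registration control.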
diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 310421e9b..59c35c1fb 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -986,6 +986,9 @@ registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_json # pattern: '.*@vector\.im' # - medium: msisdn # pattern: '\+44' +{% if matrix_synapse_allowed_local_3pids %} +allowed_local_3pids: {{ matrix_synapse_allowed_local_3pids|to_json }} +{% endif %} # Enable 3PIDs lookup requests to identity servers from this server. # From 8cd9cdead0ca6e38711fed4b953db848934b180c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 18 Apr 2020 11:05:47 +0300 Subject: [PATCH 79/87] Improve consistency --- roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 59c35c1fb..08476c259 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -967,8 +967,8 @@ account_validity: #registrations_require_3pid: # - email # - msisdn -{% if matrix_synapse_registrations_require_3pid %} -registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_json }} +{% if matrix_synapse_registrations_require_3pid|length > 0 %} +registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_nice_yaml }} {% endif %} # Explicitly disable asking for MSISDNs from the registration 
@@ -986,8 +986,8 @@ registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_json # pattern: '.*@vector\.im' # - medium: msisdn # pattern: '\+44' -{% if matrix_synapse_allowed_local_3pids %} -allowed_local_3pids: {{ matrix_synapse_allowed_local_3pids|to_json }} +{% if matrix_synapse_allowed_local_3pids|length > 0 %} +allowed_local_3pids: {{ matrix_synapse_allowed_local_3pids|to_nice_yaml }} {% endif %} # Enable 3PIDs lookup requests to identity servers from this server. From c13c29f48eae238ac1a7359cede5785635b77328 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 18 Apr 2020 11:06:53 +0300 Subject: [PATCH 80/87] Fix |to_nice_yaml breaking formatting Well, actually 8cd9cde won't work, unless we put the `|to_nice_yaml` thing on a new line. We can, but that takes more lines and makes things look uglier. Using `|to_json` seems good enough. The whole file is parsed as YAML later on and merged with the `_extension` variable before being dumped as YAML again in the end. --- roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 08476c259..d41313e39 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -968,7 +968,7 @@ account_validity: # - email # - msisdn {% if matrix_synapse_registrations_require_3pid|length > 0 %} -registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_nice_yaml }} +registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_json }} {% endif %} # Explicitly disable asking for MSISDNs from the registration 
@@ -987,7 +987,7 @@ registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_nice # - medium: msisdn # pattern: '\+44' {% if matrix_synapse_allowed_local_3pids|length > 0 %} -allowed_local_3pids: {{ matrix_synapse_allowed_local_3pids|to_nice_yaml }} +allowed_local_3pids: {{ matrix_synapse_allowed_local_3pids|to_json }} {% endif %} # Enable 3PIDs lookup requests to identity servers from this server. From 203a319881ed7fb4bdbcbdb652f384d2b9327530 Mon Sep 17 00:00:00 2001 From: Horvath Gergely Date: Sat, 18 Apr 2020 12:56:36 +0200 Subject: [PATCH 81/87] force build docker image if git master changes --- roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml index 894b0a9be..6857c6c93 100644 --- a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml +++ b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml @@ -35,6 +35,7 @@ repo: https://github.com/Sorunome/mx-puppet-skype.git dest: "{{ matrix_mx_puppet_skype_docker_src_files_path }}" force: "yes" + register: matrix_mx_puppet_skype_git_pull_results when: "matrix_mx_puppet_skype_enabled|bool and matrix_mx_puppet_skype_container_image_self_build" - name: Ensure MX Puppet Skype Docker image is built @@ -45,7 +46,7 @@ dockerfile: Dockerfile path: "{{ matrix_mx_puppet_skype_docker_src_files_path }}" pull: yes - when: "matrix_mx_puppet_skype_enabled|bool and matrix_mx_puppet_skype_container_image_self_build" + when: "matrix_mx_puppet_skype_enabled|bool and matrix_mx_puppet_skype_container_image_self_build and matrix_mx_puppet_skype_git_pull_results.changed" - name: Check if an old database file already exists stat: From bd61598faf37246022d073fdb91f3f546f48f3b9 Mon Sep 17 00:00:00 2001 
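Review bot: A host whose checkout is already current but whose image is missing (first run interrupted, image pruned, earlier build failure) now never builds it and the service fails to start, because the new `when: ... and matrix_mx_puppet_skype_git_pull_results.changed` condition skips the build whenever git reports no change. If this task uses the `docker_image` module (its module line sits above the hunk), `source: build` together with `force_source: "{{ matrix_mx_puppet_skype_git_pull_results.changed }}"` keeps the build-if-absent behaviour while still rebuilding on source changes. Separately, the checkout of `https://github.com/Sorunome/mx-puppet-skype.git` has no `version:` pin, so what gets built follows upstream's default branch unreviewed; pinning to a tag or commit (`version: "<PINNED_REF>"`) gives reproducible, auditable builds.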
From: Horvath Gergely Date: Sat, 18 Apr 2020 22:55:19 +0200 Subject: [PATCH 82/87] add experimental(?) architecture support for arm32 and arm64 the changes are necessary because certbot images are tagged, so docker does not recognize the necessary architecture --- docs/alternative-architectures.md | 16 ++++++++++++ group_vars/matrix_servers | 30 +++++++++++++++++----- roles/matrix-nginx-proxy/defaults/main.yml | 4 ++- 3 files changed, 42 insertions(+), 8 deletions(-) create mode 100644 docs/alternative-architectures.md diff --git a/docs/alternative-architectures.md b/docs/alternative-architectures.md new file mode 100644 index 000000000..a469e4220 --- /dev/null +++ b/docs/alternative-architectures.md @@ -0,0 +1,16 @@ +# Alternative architectures +As stated in the [Prerequisites](prerequisites.md), currently only x86_64 is supported. However, it is possible to set the target architecture, and some tools can be built on the host or other measures can be used. + +To that end add the following variable to your `vars.yaml` file: +``` +matrix_architecture = +``` +Currently supported architectures are the following: +- `amd64` (the default) +- `arm64` +- `arm32` + +On most roles self-building is used if the architecture is not `amd64`. Special cases: +- matrix-bridge-mautrix-facebook: there is built docker image for arm64 as well, +- matrix-bridge-mautrix-hangouts: there is built docker image for arm64 as well, +- matrix-nginx-proxy: Certbot has docker image for both arm32 and arm64, however tagging is used, which requires special handling. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index e80d55c35..524c11cd0 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -26,6 +26,20 @@ matrix_riot_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matrix_jitsi_e # ###################################################################### +###################################################################### +# +# matrix-architecture +# +###################################################################### + +matrix_architecture: "amd64" + +###################################################################### +# +# /matrix-architecture +# +###################################################################### + ###################################################################### # @@ -174,7 +188,7 @@ matrix_appservice_irc_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | # We don't enable bridges by default. matrix_mautrix_facebook_enabled: false -matrix_mautrix_facebook_container_image_self_build: "{{ matrix_container_images_self_build }}" +matrix_mautrix_facebook_container_image_self_build: "{{ (matrix_architecture != 'amd64') and (matrix_architecture != 'arm64') }}" matrix_mautrix_facebook_systemd_required_services_list: | {{ @@ -205,7 +219,7 @@ matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_pro # We don't enable bridges by default. matrix_mautrix_hangouts_enabled: false -matrix_mautrix_hangouts_container_image_self_build: "{{ matrix_container_images_self_build }}" +matrix_mautrix_hangouts_container_image_self_build: "{{ (matrix_architecture != 'amd64') and (matrix_architecture != 'arm64') }}" matrix_mautrix_hangouts_systemd_required_services_list: | {{ @@ -301,7 +315,7 @@ matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_pro # We don't enable bridges by default. matrix_mx_puppet_skype_enabled: false -matrix_mx_puppet_skype_container_image_self_build: "{{ matrix_container_images_self_build }}" +matrix_mx_puppet_skype_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" matrix_mx_puppet_skype_systemd_required_services_list: | {{ 
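Review bot: The `matrix_container_images_self_build` switch read by the removed lines is no longer honoured by any `*_container_image_self_build` default, so an amd64 operator who set it to build from source (as docs/self-building.md in patch 85 still describes) silently gets prebuilt images again; combining both, e.g. `"{{ matrix_container_images_self_build or matrix_architecture != 'amd64' }}"`, keeps the old behaviour and applies equally to the skype hunk here and to the coturn, ma1sd, riot-web and synapse hunks of this patch. `matrix_architecture` is also never validated, so a typo such as `arm_64` (constructed) would quietly self-build everything and yield a non-existent certbot tag; an `assert` with `that: matrix_architecture in ['amd64', 'arm32', 'arm64']` early in matrix-base would catch it. Minor style: the new expressions lack the space before `}}` (`'amd64'}}`) that the rest of the file uses, and the docs added by this commit show `matrix_architecture = ` where a vars.yaml needs `matrix_architecture: "arm32"`.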
@@ -366,7 +380,7 @@ matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registrati matrix_coturn_enabled: true -matrix_coturn_container_image_self_build: "{{ matrix_container_images_self_build }}" +matrix_coturn_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" matrix_coturn_turn_external_ip_address: "{{ ansible_host }}" @@ -489,7 +503,7 @@ matrix_mailer_enabled: true # If you wish to use the public identity servers (matrix.org, vector.im) instead of your own you may wish to disable this. matrix_ma1sd_enabled: true -matrix_ma1sd_container_image_self_build: "{{ matrix_container_images_self_build }}" +matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" # Normally, matrix-nginx-proxy is enabled and nginx can reach ma1sd over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose @@ -599,6 +613,8 @@ matrix_ssl_domains_to_obtain_certificates_for: | ([matrix_domain] if matrix_nginx_proxy_base_domain_serving_enabled else []) }} +matrix_ssl_architecture: "{{ matrix_architecture }}" + ###################################################################### # # /matrix-nginx-proxy @@ -638,7 +654,7 @@ matrix_postgres_db_name: "homeserver" # If you wish to connect to your Matrix server by other means, you may wish to disable this. matrix_riot_web_enabled: true -matrix_riot_web_container_image_self_build: "{{ matrix_container_images_self_build }}" +matrix_riot_web_container_image_self_build: "{{ matrix_architecture != 'amd64'}}" # Normally, matrix-nginx-proxy is enabled and nginx can reach riot-web over the container network. # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose 
@@ -683,7 +699,7 @@ matrix_riot_web_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matrix_jit
 #
 ######################################################################
 
-matrix_synapse_container_image_self_build: "{{ matrix_container_images_self_build }}"
+matrix_synapse_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"
 
 # When ma1sd is enabled, we can use it instead of the default public Identity servers.
 matrix_synapse_trusted_third_party_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_ma1sd_enabled else matrix_synapse_id_servers_public }}"
diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml
index 12d314f5b..35c6adfcd 100644
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@@ -213,12 +213,14 @@ matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects: none
 # plain HTTP traffic only (usually, on the loopback interface only) and you'd be terminating SSL using another reverse-proxy.
 matrix_ssl_retrieval_method: "lets-encrypt"
 
+matrix_ssl_architecture: "amd64"
+
 # The list of domains that this role will obtain certificates for.
 matrix_ssl_domains_to_obtain_certificates_for: []
 
 # Controls whether to obtain production or staging certificates from Let's Encrypt.
 matrix_ssl_lets_encrypt_staging: false
-matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v1.3.0"
+matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:{{ matrix_ssl_architecture }}-v1.3.0"
 matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"
 matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
 matrix_ssl_lets_encrypt_support_email: ~

From b5844d2395f9d55afe83bd963f768055f06dbd96 Mon Sep 17 00:00:00 2001
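Review bot: The tag built on the new `matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:{{ matrix_ssl_architecture }}-v1.3.0"` line takes `matrix_ssl_architecture` verbatim, and group_vars (the `@@ -599` hunk of this patch) sets it to the raw `matrix_architecture` value, but certbot's per-architecture tags are, as far as I recall, prefixed `arm32v6-` and `arm64v8-` rather than `arm32-`/`arm64-` — please verify the tags exist on the registry, otherwise `arm32`/`arm64` hosts fail to pull on their first certificate run. If the naming differs, mapping it in group_vars, e.g. `matrix_ssl_architecture: "{{ 'arm32v6' if matrix_architecture == 'arm32' else ('arm64v8' if matrix_architecture == 'arm64' else 'amd64') }}"`, keeps the role-level default `matrix_ssl_architecture: "amd64"` meaningful. A comment above that default, `# Architecture prefix of the certbot image tag; must match an existing certbot/certbot tag`, would document the contract for people overriding it.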
From: Horvath Gergely Date: Sun, 19 Apr 2020 13:31:36 +0200 Subject: [PATCH 83/87] shortening line based on @spantaleev 's comment --- group_vars/matrix_servers | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 524c11cd0..517c299f3 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -188,7 +188,7 @@ matrix_appservice_irc_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | # We don't enable bridges by default. matrix_mautrix_facebook_enabled: false -matrix_mautrix_facebook_container_image_self_build: "{{ (matrix_architecture != 'amd64') and (matrix_architecture != 'arm64') }}" +matrix_mautrix_facebook_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" matrix_mautrix_facebook_systemd_required_services_list: | {{ @@ -219,7 +219,7 @@ matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_pro # We don't enable bridges by default. matrix_mautrix_hangouts_enabled: false -matrix_mautrix_hangouts_container_image_self_build: "{{ (matrix_architecture != 'amd64') and (matrix_architecture != 'arm64') }}" +matrix_mautrix_hangouts_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" matrix_mautrix_hangouts_systemd_required_services_list: | {{ From 7dba695713fd1855d0b3d13a7f905259996398eb Mon Sep 17 00:00:00 2001 From: Horvath Gergely Date: Sun, 19 Apr 2020 13:32:27 +0200 Subject: [PATCH 84/87] clarification for the list of implementation details --- docs/alternative-architectures.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/alternative-architectures.md b/docs/alternative-architectures.md index a469e4220..5fb0c8ead 100644 --- a/docs/alternative-architectures.md +++ b/docs/alternative-architectures.md 
@@ -10,7 +10,10 @@ Currently supported architectures are the following: - `arm64` - `arm32` -On most roles self-building is used if the architecture is not `amd64`. Special cases: +## Implementation details +This subsection is used for a reminder, how the different roles implement architecture differenes. This is **not** aimed at the users, so one does not have to do anything based on this subsection. + +On most roles self-building is used if the architecture is not `amd64`, however there are some special cases: - matrix-bridge-mautrix-facebook: there is built docker image for arm64 as well, - matrix-bridge-mautrix-hangouts: there is built docker image for arm64 as well, - matrix-nginx-proxy: Certbot has docker image for both arm32 and arm64, however tagging is used, which requires special handling. From 441278412b4839a70f500a053c0137bc0de08c8e Mon Sep 17 00:00:00 2001 From: Horvath Gergely Date: Sun, 19 Apr 2020 13:51:26 +0200 Subject: [PATCH 85/87] add explicit information for the Rapsberry pi --- docs/alternative-architectures.md | 5 +++++ docs/prerequisites.md | 2 +- docs/self-building.md | 2 ++ 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/docs/alternative-architectures.md b/docs/alternative-architectures.md index 5fb0c8ead..b38f1cdc5 100644 --- a/docs/alternative-architectures.md +++ b/docs/alternative-architectures.md @@ -10,6 +10,11 @@ Currently supported architectures are the following: - `arm64` - `arm32` +so for the Raspberry Pi the following should be in your `vars.yaml` file: +``` +matrix_architecture = "arm32" +``` + ## Implementation details This subsection is used for a reminder, how the different roles implement architecture differenes. This is **not** aimed at the users, so one does not have to do anything based on this subsection. diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 6b66c3d33..9a26d7698 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md 
@@ -1,6 +1,6 @@ # Prerequisites -- An x86 server running **CentOS** (7 only for now; [8 is not yet supported](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/300)), **Debian** (9/Stretch+), **Ubuntu** (16.04+), or **Archlinux**. This playbook doesn't support running on ARM ([see](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/299)), however a minimal subset of the tools can be built on the host, which may result in a working configuration, even on a Raspberry pi (see [Self-Building](self-building.md)). We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there. +- An x86 server running **CentOS** (7 only for now; [8 is not yet supported](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/300)), **Debian** (9/Stretch+), **Ubuntu** (16.04+), or **Archlinux**. This playbook doesn't support running on ARM ([see](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/299)), however a minimal subset of the tools can be built on the host, which may result in a working configuration, even on a Raspberry pi (see [Alternative Architectures](alternative-architectures.md)). We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there. - `root` access to your server (or a user capable of elevating to `root` via `sudo`). diff --git a/docs/self-building.md b/docs/self-building.md index aae31c7b9..85d098120 100644 --- a/docs/self-building.md +++ b/docs/self-building.md 
@@ -1,5 +1,7 @@ # Self-building +**Caution: self-building does not have to be used on its own. See the [Alternative Architectures](alternative-architectures.md) page.** + The playbook supports the self-building of some of its components. This may be useful for architectures besides x86_64, which have no Docker images right now (e g. the armv7 for the Raspberry Pi). Some playbook roles have been updated, so they build the necessary image on the host. It needs more space, as some build tools need to be present (like Java, for ma1sd). To use these modification there is a variable that needs to be switched to enable this functionality. Add this to your `vars.yaml` file: From 588e97a97c30bb26e9761ca81e5dae640ea56dae Mon Sep 17 00:00:00 2001 From: Horvath Gergely Date: Sun, 19 Apr 2020 14:02:32 +0200 Subject: [PATCH 86/87] link to self-building from implementation subsection --- docs/alternative-architectures.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/alternative-architectures.md b/docs/alternative-architectures.md index b38f1cdc5..01f6946f5 100644 --- a/docs/alternative-architectures.md +++ b/docs/alternative-architectures.md @@ -18,7 +18,7 @@ matrix_architecture = "arm32" ## Implementation details This subsection is used for a reminder, how the different roles implement architecture differenes. This is **not** aimed at the users, so one does not have to do anything based on this subsection. -On most roles self-building is used if the architecture is not `amd64`, however there are some special cases: +On most roles [self-building](self-building.md) is used if the architecture is not `amd64`, however there are some special cases: - matrix-bridge-mautrix-facebook: there is built docker image for arm64 as well, - matrix-bridge-mautrix-hangouts: there is built docker image for arm64 as well, - matrix-nginx-proxy: Certbot has docker image for both arm32 and arm64, however tagging is used, which requires special handling. 
From e2de6a156978c642b8ddf81462e2a1a0a97b7737 Mon Sep 17 00:00:00 2001
From: Dan Arnfield
Date: Sun, 19 Apr 2020 08:38:53 -0500
Subject: [PATCH 87/87] Update nginx (1.17.9 -> 1.17.10)

---
 roles/matrix-nginx-proxy/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml
index 12d314f5b..3bbd2c9b5 100644
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@@ -3,7 +3,7 @@ matrix_nginx_proxy_enabled: true
 # We use an official nginx image, which we fix-up to run unprivileged.
 # An alternative would be an `nginxinc/nginx-unprivileged` image, but
 # that is frequently out of date.
-matrix_nginx_proxy_docker_image: "nginx:1.17.9-alpine"
+matrix_nginx_proxy_docker_image: "nginx:1.17.10-alpine"
 matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}"
 
 matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy"