Ref: - https://github.com/etkecc/baibot/pull/83 -create-pull-request/i18n748d2b7fd4/CHANGELOG.md (2026-03-07-version-1150)-748d2b7fd4/docs/configuration/authentication.md
| @@ -39,16 +39,35 @@ Depending on your current `vars.yml` file and desired configuration, **you may r | |||
| To enable the bot, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file: | |||
| Authentication can be configured in one of two mutually-exclusive ways: | |||
| - **Password authentication** (`matrix_bot_baibot_config_user_password`) - recommended for most playbook-managed setups, because it integrates with automatic user creation flow used by the playbook, and auto-creates the bot account | |||
| - **Access-token authentication** (`matrix_bot_baibot_config_user_access_token` + `matrix_bot_baibot_config_user_device_id`) - useful for specific [Matrix Authentication Service](configuring-playbook-matrix-authentication-service.md)/OIDC setups where password authentication is not available or not desired | |||
| Even when [Matrix Authentication Service](configuring-playbook-matrix-authentication-service.md) is enabled, password authentication is still typically the best fit for baibot if you're using a playbook-managed bot account. | |||
| For upstream details, see baibot's [🔐 Authentication](https://github.com/etkecc/baibot/blob/main/docs/configuration/authentication.md) documentation. | |||
| ```yaml | |||
| matrix_bot_baibot_enabled: true | |||
| # Uncomment and adjust this part if you'd like to use a username different than the default | |||
| # matrix_bot_baibot_config_user_mxid_localpart: baibot | |||
| # Authentication mode (choose exactly one): | |||
| # | |||
| # 1) Password authentication (recommended for most setups) | |||
| # Generate a strong password for the bot. You can create one with a command like `pwgen -s 64 1`. | |||
| # If you'd like to change this password subsequently, see the details below. | |||
| matrix_bot_baibot_config_user_password: 'PASSWORD_FOR_THE_BOT' | |||
| # 2) Access-token authentication (for MAS/OIDC-enabled homeservers) | |||
| # matrix_bot_baibot_config_user_access_token: 'YOUR_MAS_COMPATIBILITY_TOKEN_HERE' | |||
| # matrix_bot_baibot_config_user_device_id: 'BAIBOT' | |||
| # | |||
| # You can generate a compatibility token for MAS with: | |||
| # mas-cli manage issue-compatibility-token <username> [device_id] | |||
| # An optional passphrase to use for backing up and recovering the bot's encryption keys. | |||
| # You can create one with a command like `pwgen -s 64 1`. | |||
| # | |||
| @@ -387,13 +406,15 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,ensure-matrix-use | |||
| **Notes**: | |||
| - The `ensure-matrix-users-created` playbook tag makes the playbook automatically create the bot's user account. | |||
| - The `ensure-matrix-users-created` playbook tag makes the playbook automatically create the bot's user account when password authentication is used. | |||
| - If you're using access-token authentication, the bot account must already exist and the configured token + device ID must match that account. This mode is mainly for MAS/OIDC setups where password-based bot login is not suitable. | |||
| - The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all` | |||
| `just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. | |||
| - If you change the bot password (`matrix_bot_baibot_config_user_password` in your `vars.yml` file) subsequently, the bot user's credentials on the homeserver won't be updated automatically. If you'd like to change the bot user's password, use a tool like [synapse-admin](configuring-playbook-synapse-admin.md) to change it, and then update `matrix_bot_baibot_config_user_password` to let the bot know its new password. | |||
| - If you change the bot password (`matrix_bot_baibot_config_user_password` in your `vars.yml` file) subsequently, the bot user's credentials on the homeserver won't be updated automatically. If you'd like to change the bot user's password, use a tool like [synapse-admin](configuring-playbook-synapse-admin.md) to change it, and then update `matrix_bot_baibot_config_user_password` to let the bot know its new password. (This note applies to password authentication mode.) | |||
| ## Usage | |||
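Review bot: the new access-token bullet says the token and device ID "must match that account" but gives no counterpart to the password-change note below it: when the token is revoked or re-issued in MAS, `matrix_bot_baibot_config_user_access_token` (and `matrix_bot_baibot_config_user_device_id`, if a new device was issued) must be updated and the playbook re-run, otherwise the bot keeps starting with a dead credential. Also consider moving the trailing "(This note applies to password authentication mode.)" to the front of that sentence ("In password authentication mode, if you change the bot password ...") so token-mode readers can skip it immediately.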
| @@ -5778,7 +5778,7 @@ matrix_user_creator_users_auto: | | |||
| 'username': matrix_bot_baibot_config_user_mxid_localpart, | |||
| 'initial_password': matrix_bot_baibot_config_user_password, | |||
| 'initial_type': 'bot', | |||
| }] if matrix_bot_baibot_enabled else []) | |||
| }] if matrix_bot_baibot_enabled and ((matrix_bot_baibot_config_user_password | default('', true) | string | length) > 0) else []) | |||
| + | |||
| ([{ | |||
| 'username': matrix_bot_matrix_reminder_bot_matrix_user_id_localpart, | |||
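Review bot: the new guard on the `}] if matrix_bot_baibot_enabled and ((matrix_bot_baibot_config_user_password | default('', true) | string | length) > 0) else []` line is correct, but its intent is invisible from the expression alone; add a one-line comment that in access-token mode the account is deliberately not auto-created (it must already exist, as the docs now state), so nobody later "simplifies" the condition back to `matrix_bot_baibot_enabled`. Using `default('', true)` is the right choice here because the password default becomes `null` elsewhere in this change.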
| @@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio | |||
| matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src" | |||
| # renovate: datasource=docker depName=ghcr.io/etkecc/baibot | |||
| matrix_bot_baibot_version: v1.14.3 | |||
| matrix_bot_baibot_version: v1.15.0 | |||
| matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}" | |||
| matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}" | |||
| matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}" | |||
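Review bot: the bump from `v1.14.3` to `v1.15.0` is what makes the new `user.access_token` / `user.device_id` keys in the rendered config meaningful, so the changelog entry for this change should state that minimum version explicitly; anyone pinning `matrix_bot_baibot_version` to an older release will otherwise render keys that bot does not understand. The `# renovate:` marker is left intact, so automated bumps keep working.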
| @@ -59,8 +59,28 @@ matrix_bot_baibot_config_homeserver_url: "" | |||
| # so it can start fresh. | |||
| matrix_bot_baibot_config_user_mxid_localpart: baibot | |||
| # Authentication settings (`user.*` configuration keys). | |||
| # | |||
| # baibot supports 2 mutually-exclusive authentication modes. | |||
| # Set EITHER: | |||
| # - password authentication: `matrix_bot_baibot_config_user_password` | |||
| # OR: | |||
| # - access-token authentication: `matrix_bot_baibot_config_user_access_token` + `matrix_bot_baibot_config_user_device_id` | |||
| # | |||
| # Password authentication is recommended for most playbook-managed deployments, | |||
| # because it integrates with the `matrix-user-creator` role and can auto-create | |||
| # the bot account (via the `ensure-matrix-users-created` playbook tag). | |||
| # This remains true even on many MAS-enabled deployments where the bot account | |||
| # is local and playbook-managed. | |||
| # Controls the `user.password` configuration setting. | |||
| matrix_bot_baibot_config_user_password: '' | |||
| matrix_bot_baibot_config_user_password: null | |||
| # Controls the `user.access_token` configuration setting. | |||
| matrix_bot_baibot_config_user_access_token: null | |||
| # Controls the `user.device_id` configuration setting. | |||
| matrix_bot_baibot_config_user_device_id: null | |||
| # Controls the `user.name` configuration setting. | |||
| # | |||
| @@ -12,7 +12,6 @@ | |||
| when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0" | |||
| with_items: | |||
| - {'name': 'matrix_bot_baibot_config_user_mxid_localpart', when: true} | |||
| - {'name': 'matrix_bot_baibot_config_user_password', when: true} | |||
| - {'name': 'matrix_bot_baibot_container_network', when: true} | |||
| - {'name': 'matrix_bot_baibot_config_homeserver_url', when: true} | |||
| @@ -26,6 +25,58 @@ | |||
| - {'name': 'matrix_bot_baibot_config_agents_static_definitions_openai_config_api_key', when: "{{ matrix_bot_baibot_config_agents_static_definitions_openai_enabled }}"} | |||
| - name: Fail if baibot authentication mode is not configured | |||
| ansible.builtin.fail: | |||
| msg: >- | |||
| You need to configure one baibot authentication mode: | |||
| either `matrix_bot_baibot_config_user_password` | |||
| or (`matrix_bot_baibot_config_user_access_token` + `matrix_bot_baibot_config_user_device_id`). | |||
| when: >- | |||
| ( | |||
| matrix_bot_baibot_config_user_password | default('', true) | string | length == 0 | |||
| ) | |||
| and | |||
| ( | |||
| matrix_bot_baibot_config_user_access_token | default('', true) | string | length == 0 | |||
| and matrix_bot_baibot_config_user_device_id | default('', true) | string | length == 0 | |||
| ) | |||
| - name: Fail if baibot authentication mode is configured ambiguously | |||
| ansible.builtin.fail: | |||
| msg: >- | |||
| You need to configure exactly one baibot authentication mode. | |||
| Set either `matrix_bot_baibot_config_user_password`, | |||
| or (`matrix_bot_baibot_config_user_access_token` + `matrix_bot_baibot_config_user_device_id`) but not both. | |||
| when: >- | |||
| ( | |||
| matrix_bot_baibot_config_user_password | default('', true) | string | length > 0 | |||
| ) | |||
| and | |||
| ( | |||
| matrix_bot_baibot_config_user_access_token | default('', true) | string | length > 0 | |||
| or matrix_bot_baibot_config_user_device_id | default('', true) | string | length > 0 | |||
| ) | |||
| - name: Fail if baibot access token authentication is incomplete | |||
| ansible.builtin.fail: | |||
| msg: >- | |||
| Access-token authentication requires both | |||
| `matrix_bot_baibot_config_user_access_token` and `matrix_bot_baibot_config_user_device_id`. | |||
| when: >- | |||
| ( | |||
| matrix_bot_baibot_config_user_password | default('', true) | string | length == 0 | |||
| ) | |||
| and | |||
| ( | |||
| matrix_bot_baibot_config_user_access_token | default('', true) | string | length > 0 | |||
| or matrix_bot_baibot_config_user_device_id | default('', true) | string | length > 0 | |||
| ) | |||
| and | |||
| ( | |||
| matrix_bot_baibot_config_user_access_token | default('', true) | string | length == 0 | |||
| or matrix_bot_baibot_config_user_device_id | default('', true) | string | length == 0 | |||
| ) | |||
| - name: Fail if admin patterns list is empty | |||
| ansible.builtin.fail: | |||
| msg: >- | |||
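Review bot: the three `when:` expressions are logically complete (no mode, both modes, and a half-configured token mode are each rejected, and any combination of the three settings trips at most one task), but the same `| default('', true) | string | length` test is spelled out eight times, so a later edit to one copy can silently desynchronise the others. Consider computing three booleans once (for example via `ansible.builtin.set_fact` or a `vars:` block on a surrounding `block:`), such as `matrix_bot_baibot_has_password`, `matrix_bot_baibot_has_access_token` and `matrix_bot_baibot_has_device_id`, and writing the conditions in terms of those. The failure messages name only variables and never echo values, which is the right choice for credential settings.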
| @@ -15,7 +15,11 @@ homeserver: | |||
| user: | |||
| mxid_localpart: {{ matrix_bot_baibot_config_user_mxid_localpart | to_json }} | |||
| # Authentication: set EITHER password OR access_token + device_id. | |||
| password: {{ matrix_bot_baibot_config_user_password | to_json }} | |||
| access_token: {{ matrix_bot_baibot_config_user_access_token | to_json }} | |||
| device_id: {{ matrix_bot_baibot_config_user_device_id | to_json }} | |||
| # The name the bot uses as a display name and when it refers to itself. | |||
| # Leave empty to use the default (baibot). | |||
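Review bot: with the defaults now `null`, the `password: {{ matrix_bot_baibot_config_user_password | to_json }}` line and the two new `access_token:` / `device_id:` lines render an explicit `null` for whichever mode is unused. That is fine if baibot's config loader treats a null value as an absent optional field, but if it expects the key to be omitted (or rejects an explicit null), each line should be wrapped in a `{% if ... is not none %}` guard; worth confirming against the upstream authentication docs linked from this change before merging. The rendered file now carries a bearer token as well as a password, so its file ownership and mode should be re-checked to be as restrictive as they were for the password alone.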