From df205a2f775be3d5a51918a4c4342be468287ea7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 7 Mar 2026 12:43:07 +0200 Subject: [PATCH] Upgrade baibot (v1.14.3 -> v1.15.0) and adapt to support optional access-token auth mode Ref: - https://github.com/etkecc/baibot/pull/83 - https://github.com/etkecc/baibot/blob/748d2b7fd4ab7bbd53cde1400935d634dc13ea38/CHANGELOG.md#2026-03-07-version-1150 - https://github.com/etkecc/baibot/blob/748d2b7fd4ab7bbd53cde1400935d634dc13ea38/docs/configuration/authentication.md --- docs/configuring-playbook-bot-baibot.md | 25 ++++++++- group_vars/matrix_servers | 2 +- .../matrix-bot-baibot/defaults/main.yml | 24 ++++++++- .../tasks/validate_config.yml | 53 ++++++++++++++++++- .../templates/config.yaml.j2 | 4 ++ 5 files changed, 102 insertions(+), 6 deletions(-) diff --git a/docs/configuring-playbook-bot-baibot.md b/docs/configuring-playbook-bot-baibot.md index aaf19ce54..38e1cc51d 100644 --- a/docs/configuring-playbook-bot-baibot.md +++ b/docs/configuring-playbook-bot-baibot.md 
@@ -39,16 +39,35 @@ Depending on your current `vars.yml` file and desired configuration, **you may r To enable the bot, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file: +Authentication can be configured in one of two mutually-exclusive ways: + +- **Password authentication** (`matrix_bot_baibot_config_user_password`) - recommended for most playbook-managed setups, because it integrates with automatic user creation flow used by the playbook, and auto-creates the bot account +- **Access-token authentication** (`matrix_bot_baibot_config_user_access_token` + `matrix_bot_baibot_config_user_device_id`) - useful for specific [Matrix Authentication Service](configuring-playbook-matrix-authentication-service.md)/OIDC setups where password authentication is not available or not desired + +Even when [Matrix Authentication Service](configuring-playbook-matrix-authentication-service.md) is enabled, password authentication is still typically the best fit for baibot if you're using a playbook-managed bot account. + +For upstream details, see baibot's [🔐 Authentication](https://github.com/etkecc/baibot/blob/main/docs/configuration/authentication.md) documentation. + ```yaml matrix_bot_baibot_enabled: true # Uncomment and adjust this part if you'd like to use a username different than the default # matrix_bot_baibot_config_user_mxid_localpart: baibot +# Authentication mode (choose exactly one): +# +# 1) Password authentication (recommended for most setups) # Generate a strong password for the bot. You can create one with a command like `pwgen -s 64 1`. # If you'd like to change this password subsequently, see the details below. 
matrix_bot_baibot_config_user_password: 'PASSWORD_FOR_THE_BOT' +# 2) Access-token authentication (for MAS/OIDC-enabled homeservers) +# matrix_bot_baibot_config_user_access_token: 'YOUR_MAS_COMPATIBILITY_TOKEN_HERE' +# matrix_bot_baibot_config_user_device_id: 'BAIBOT' +# +# You can generate a compatibility token for MAS with: +# mas-cli manage issue-compatibility-token [device_id] + # An optional passphrase to use for backing up and recovering the bot's encryption keys. # You can create one with a command like `pwgen -s 64 1`. # 
@@ -387,13 +406,15 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,ensure-matrix-use **Notes**: -- The `ensure-matrix-users-created` playbook tag makes the playbook automatically create the bot's user account. +- The `ensure-matrix-users-created` playbook tag makes the playbook automatically create the bot's user account when password authentication is used. + +- If you're using access-token authentication, the bot account must already exist and the configured token + device ID must match that account. This mode is mainly for MAS/OIDC setups where password-based bot login is not suitable. - The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all` `just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. -- If you change the bot password (`matrix_bot_baibot_config_user_password` in your `vars.yml` file) subsequently, the bot user's credentials on the homeserver won't be updated automatically. If you'd like to change the bot user's password, use a tool like [synapse-admin](configuring-playbook-synapse-admin.md) to change it, and then update `matrix_bot_baibot_config_user_password` to let the bot know its new password. +- If you change the bot password (`matrix_bot_baibot_config_user_password` in your `vars.yml` file) subsequently, the bot user's credentials on the homeserver won't be updated automatically. If you'd like to change the bot user's password, use a tool like [synapse-admin](configuring-playbook-synapse-admin.md) to change it, and then update `matrix_bot_baibot_config_user_password` to let the bot know its new password. (This note applies to password authentication mode.) ## Usage 
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index bbeb1b1e0..25f10523f 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -5778,7 +5778,7 @@ matrix_user_creator_users_auto: | 'username': matrix_bot_baibot_config_user_mxid_localpart, 'initial_password': matrix_bot_baibot_config_user_password, 'initial_type': 'bot', - }] if matrix_bot_baibot_enabled else []) + }] if matrix_bot_baibot_enabled and ((matrix_bot_baibot_config_user_password | default('', true) | string | length) > 0) else []) + ([{ 'username': matrix_bot_matrix_reminder_bot_matrix_user_id_localpart, diff --git a/roles/custom/matrix-bot-baibot/defaults/main.yml b/roles/custom/matrix-bot-baibot/defaults/main.yml index 431280c84..0e2aaa09c 100644 --- a/roles/custom/matrix-bot-baibot/defaults/main.yml +++ b/roles/custom/matrix-bot-baibot/defaults/main.yml @@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src" # renovate: datasource=docker depName=ghcr.io/etkecc/baibot -matrix_bot_baibot_version: v1.14.3 +matrix_bot_baibot_version: v1.15.0 matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}" matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}" matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}" 
@@ -59,8 +59,28 @@ matrix_bot_baibot_config_homeserver_url: "" # so it can start fresh. matrix_bot_baibot_config_user_mxid_localpart: baibot +# Authentication settings (`user.*` configuration keys). +# +# baibot supports 2 mutually-exclusive authentication modes. +# Set EITHER: +# - password authentication: `matrix_bot_baibot_config_user_password` +# OR: +# - access-token authentication: `matrix_bot_baibot_config_user_access_token` + `matrix_bot_baibot_config_user_device_id` +# +# Password authentication is recommended for most playbook-managed deployments, +# because it integrates with the `matrix-user-creator` role and can auto-create +# the bot account (via the `ensure-matrix-users-created` playbook tag). +# This remains true even on many MAS-enabled deployments where the bot account +# is local and playbook-managed. + # Controls the `user.password` configuration setting. -matrix_bot_baibot_config_user_password: '' +matrix_bot_baibot_config_user_password: null + +# Controls the `user.access_token` configuration setting. +matrix_bot_baibot_config_user_access_token: null + +# Controls the `user.device_id` configuration setting. +matrix_bot_baibot_config_user_device_id: null # Controls the `user.name` configuration setting. # diff --git a/roles/custom/matrix-bot-baibot/tasks/validate_config.yml b/roles/custom/matrix-bot-baibot/tasks/validate_config.yml index 14d155b6e..c6eca9657 100644 --- a/roles/custom/matrix-bot-baibot/tasks/validate_config.yml +++ b/roles/custom/matrix-bot-baibot/tasks/validate_config.yml @@ -12,7 +12,6 @@ when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0" with_items: - {'name': 'matrix_bot_baibot_config_user_mxid_localpart', when: true} - - {'name': 'matrix_bot_baibot_config_user_password', when: true} - {'name': 'matrix_bot_baibot_container_network', when: true} - {'name': 'matrix_bot_baibot_config_homeserver_url', when: true} 
@@ -26,6 +25,58 @@ - {'name': 'matrix_bot_baibot_config_agents_static_definitions_openai_config_api_key', when: "{{ matrix_bot_baibot_config_agents_static_definitions_openai_enabled }}"} +- name: Fail if baibot authentication mode is not configured + ansible.builtin.fail: + msg: >- + You need to configure one baibot authentication mode: + either `matrix_bot_baibot_config_user_password` + or (`matrix_bot_baibot_config_user_access_token` + `matrix_bot_baibot_config_user_device_id`). + when: >- + ( + matrix_bot_baibot_config_user_password | default('', true) | string | length == 0 + ) + and + ( + matrix_bot_baibot_config_user_access_token | default('', true) | string | length == 0 + and matrix_bot_baibot_config_user_device_id | default('', true) | string | length == 0 + ) + +- name: Fail if baibot authentication mode is configured ambiguously + ansible.builtin.fail: + msg: >- + You need to configure exactly one baibot authentication mode. + Set either `matrix_bot_baibot_config_user_password`, + or (`matrix_bot_baibot_config_user_access_token` + `matrix_bot_baibot_config_user_device_id`) but not both. + when: >- + ( + matrix_bot_baibot_config_user_password | default('', true) | string | length > 0 + ) + and + ( + matrix_bot_baibot_config_user_access_token | default('', true) | string | length > 0 + or matrix_bot_baibot_config_user_device_id | default('', true) | string | length > 0 + ) + +- name: Fail if baibot access token authentication is incomplete + ansible.builtin.fail: + msg: >- + Access-token authentication requires both + `matrix_bot_baibot_config_user_access_token` and `matrix_bot_baibot_config_user_device_id`. 
+ when: >- + ( + matrix_bot_baibot_config_user_password | default('', true) | string | length == 0 + ) + and + ( + matrix_bot_baibot_config_user_access_token | default('', true) | string | length > 0 + or matrix_bot_baibot_config_user_device_id | default('', true) | string | length > 0 + ) + and + ( + matrix_bot_baibot_config_user_access_token | default('', true) | string | length == 0 + or matrix_bot_baibot_config_user_device_id | default('', true) | string | length == 0 + ) + - name: Fail if admin patterns list is empty ansible.builtin.fail: msg: >- diff --git a/roles/custom/matrix-bot-baibot/templates/config.yaml.j2 b/roles/custom/matrix-bot-baibot/templates/config.yaml.j2 index 19dda786c..54dd8161d 100644 --- a/roles/custom/matrix-bot-baibot/templates/config.yaml.j2 +++ b/roles/custom/matrix-bot-baibot/templates/config.yaml.j2 @@ -15,7 +15,11 @@ homeserver: user: mxid_localpart: {{ matrix_bot_baibot_config_user_mxid_localpart | to_json }} + + # Authentication: set EITHER password OR access_token + device_id. password: {{ matrix_bot_baibot_config_user_password | to_json }} + access_token: {{ matrix_bot_baibot_config_user_access_token | to_json }} + device_id: {{ matrix_bot_baibot_config_user_device_id | to_json }} # The name the bot uses as a display name and when it refers to itself. # Leave empty to use the default (baibot).
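Review bot: the docs hunk in `docs/configuring-playbook-bot-baibot.md` should say that the compatibility token is a long-lived login credential equivalent to the bot's password and must be stored and protected the same way as `matrix_bot_baibot_config_user_password`, and that the `[device_id]` argument given to `mas-cli manage issue-compatibility-token [device_id]` must be the same value set in `matrix_bot_baibot_config_user_device_id`, otherwise the token will not match the device the bot announces. Also, "integrates with automatic user creation flow used by the playbook" is missing "the" before "automatic".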
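Review bot: the new condition in `group_vars/matrix_servers` (`matrix_bot_baibot_config_user_password | default('', true) | string | length > 0`) is the fifth copy of the "password mode is configured" idiom once the validation tasks are counted; consider deriving one boolean in `roles/custom/matrix-bot-baibot/defaults/main.yml` (hypothetical name `matrix_bot_baibot_config_user_password_auth_enabled`) and referencing it both here and in `validate_config.yml`, so the definition of password mode used for auto-creating the account cannot drift from the one the validation enforces.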
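Review bot: the three new `when` expressions in `validate_config.yml` are correct and together cover every combination (nothing set, both modes set, token mode half set), but the third one repeats the `(token or device_id)` and `(not token or not device_id)` pair to express "exactly one of the two is set"; a boolean inequality reads more directly and avoids re-evaluating each lookup twice, e.g. `(matrix_bot_baibot_config_user_access_token | default('', true) | string | length == 0) != (matrix_bot_baibot_config_user_device_id | default('', true) | string | length == 0)` combined with the password-empty check. The failure messages correctly name only variable names and never echo the token or password values, which is the right behaviour for output that ends up in CI logs.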
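Review bot: `config.yaml.j2` now emits all three keys unconditionally, so a password-mode deployment renders `access_token: null` and `device_id: null`, and a token-mode deployment renders `password: null`; unless baibot's loader is known to treat an explicit `null` as "unset" for these keys, wrap each in a guard so the unused mode's keys are omitted, e.g. `{% if matrix_bot_baibot_config_user_access_token %}` around the `access_token:` and `device_id:` lines and a matching guard around `password:`. That also keeps the rendered file from advertising the inactive mode.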