From 42e4e50f5be654b812939732114f0724865cdc78 Mon Sep 17 00:00:00 2001 From: jakicoll Date: Wed, 4 Jan 2023 13:45:37 +0100 Subject: [PATCH 01/38] Matrix Authentication Support for Jitsi This extends the collection with support for seamless authentication at the Jitsi server using Matrix OpenID. 1. New role for installing the [Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service) 2. Changes to Jitsi role: Installing Jitsi Prosody Mods and configuring Jitsi Auth 3. Changes to Jitsi and nginx-proxy roles: Serving .well-known/element/jitsi from jitsi.DOMAIN 4. We updated the Jitsi documentation on authentication and added documentation for the user verification service. --- docs/configuring-playbook-jitsi.md | 47 ++++++- ...ring-playbook-user-verification-service.md | 116 ++++++++++++++++++ group_vars/matrix_servers | 61 ++++++++- playbooks/matrix.yml | 1 + roles/custom/matrix-jitsi/defaults/main.yml | 36 +++++- roles/custom/matrix-jitsi/tasks/main.yml | 6 + .../tasks/self_check_matrix_auth.yml | 62 ++++++++++ .../tasks/setup_jitsi_prosody_install.yml | 46 ++++++- .../setup_jitsi_auth_internal.yml | 17 +++ .../tasks/util/setup_jitsi_auth.yml | 42 ------- .../util/setup_jitsi_auth_uvs_install.yml | 13 ++ .../util/setup_jitsi_auth_uvs_uninstall.yml | 26 ++++ .../setup_jitsi_prosody_post_setup_hooks.yml | 49 ++++++++ .../matrix-jitsi/tasks/validate_config.yml | 15 ++- .../matrix-jitsi/templates/prosody/env.j2 | 8 +- .../templates/web/custom-config.js.j2 | 4 + .../matrix-nginx-proxy/defaults/main.yml | 2 + .../nginx/conf.d/matrix-jitsi.conf.j2 | 11 +- .../defaults/main.yml | 81 ++++++++++++ .../handlers/main.yml | 6 + .../tasks/main.yml | 24 ++++ .../tasks/setup_install.yml | 42 +++++++ .../tasks/setup_uninstall.yml | 35 ++++++ .../templates/.env.j2 | 14 +++ ...atrix-user-verification-service.service.j2 | 42 +++++++ 25 files changed, 747 insertions(+), 59 deletions(-) create mode 100644 docs/configuring-playbook-user-verification-service.md create mode 100644 roles/custom/matrix-jitsi/tasks/self_check_matrix_auth.yml create mode 100644 roles/custom/matrix-jitsi/tasks/util/prosody_post_setup_hooks/setup_jitsi_auth_internal.yml delete mode 100644 roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth.yml create mode 100644 roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml create mode 100644 roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml create mode 100644 roles/custom/matrix-jitsi/tasks/util/setup_jitsi_prosody_post_setup_hooks.yml create mode 100644 roles/custom/matrix-user-verification-service/defaults/main.yml create mode 100644 roles/custom/matrix-user-verification-service/handlers/main.yml create mode 100644 roles/custom/matrix-user-verification-service/tasks/main.yml create mode 100644 roles/custom/matrix-user-verification-service/tasks/setup_install.yml create mode 100644 roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml create mode 100644 roles/custom/matrix-user-verification-service/templates/.env.j2 create mode 100644 roles/custom/matrix-user-verification-service/templates/systemd/matrix-user-verification-service.service.j2 diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index a9d3c2de4..f51f8fc12 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -39,7 +39,17 @@ By default the Jitsi Meet instance does not require any kind of login and is ope If you're fine with such an open Jitsi instance, please skip to [Apply changes](#apply-changes). -If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's authentication and guests mode. With authentication enabled, all meeting rooms have to be opened by a registered user, after which guests are free to join. If a registered host is not yet present, guests are put on hold in individual waiting rooms. +If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow the following steps to enable Jitsi's authentication and optionally guests mode. +Currently, there are three supported authentication modes: 'internal' (default), 'matrix' and 'ldap'. + +**Note:** Authentication is not tested via the playbook's self-checks. +We therefore recommend that you manually verify if authentication is required by jitsi. +For this, try to manually create a conference on jitsi.DOMAIN in your browser. + +### Authenticate using Jitsi accounts (Auth-Type 'internal') +The default authentication mechanism is 'internal' auth, which requires jitsi-accounts to be setup and is the recommended setup, as it also works in federated rooms. +With authentication enabled, all meeting rooms have to be opened by a registered user, after which guests are free to join. +If a registered host is not yet present, guests are put on hold in individual waiting rooms. Add these lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration: @@ -53,20 +63,35 @@ matrix_jitsi_prosody_auth_internal_accounts: password: "another-password" ``` -**Caution:** Accounts added here and subsquently removed will not be automatically removed from the Prosody server until user account cleaning is integrated into the playbook. +**Caution:** Accounts added here and subsequently removed will not be automatically removed from the Prosody server until user account cleaning is integrated into the playbook. **If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation). +### Authenticate using Matrix OpenID (Auth-Type 'matrix') -### (Optional) LDAP authentication +**Attention: Probably breaks jitsi in federated rooms and does not allow sharing conference links with guests.** -The default authentication mode of Jitsi is `internal`, however LDAP is also supported. An example LDAP configuration could be: +Using this authentication type require a [Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service). +By default, this playbook creates and configures a user-verification-service to run locally, see [configuring-user-verification-service](configuring-playbook-user-verification-service.md). + +To enable set this configuration at host level: + +```yaml +matrix_jitsi_enable_auth: true +matrix_jitsi_auth_type: "matrix" +``` + +For more information see also [https://github.com/matrix-org/prosody-mod-auth-matrix-user-verification](https://github.com/matrix-org/prosody-mod-auth-matrix-user-verification). + +### Authenticate using LDAP (Auth-Type 'ldap') + +An example LDAP configuration could be: ```yaml matrix_jitsi_enable_auth: true matrix_jitsi_auth_type: ldap matrix_jitsi_ldap_url: "ldap://ldap.DOMAIN" -matrix_jitsi_ldap_base: "OU=People,DC=DOMAIN +matrix_jitsi_ldap_base: "OU=People,DC=DOMAIN" #matrix_jitsi_ldap_binddn: "" #matrix_jitsi_ldap_bindpw: "" matrix_jitsi_ldap_filter: "uid=%u" @@ -200,7 +225,19 @@ matrix_nginx_proxy_proxy_jitsi_additional_jvbs: Applied together this will allow you to provision extra JVB instances which will register themselves with the prosody service and be available for jicofo to route conferences too. +## (Optional) Enable Gravatar + +In the default Jisti Meet configuration, gravatar.com is enabled as an avatar service. This results in third party request leaking data to gravatar. +Since element already sends the url of configured Matrix avatars to Jitsi, we disabled gravatar. + +To enable Gravatar set: + +```yaml +matrix_jitsi_disable_gravatar: false +``` +**Beware:** This leaks information to a third party, namely the Gravatar-Service (unless configured otherwise: gravatar.com). +Besides metadata, this includes the matrix user_id and possibly the room identifier (via `referrer` header). ## Apply changes diff --git a/docs/configuring-playbook-user-verification-service.md b/docs/configuring-playbook-user-verification-service.md new file mode 100644 index 000000000..f3d3aa6e2 --- /dev/null +++ b/docs/configuring-playbook-user-verification-service.md @@ -0,0 +1,116 @@ +# Setting up Matrix User Verification Service (optional) + +**[Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service) (hereafter: UVS) can only be installed after Matrix services are installed and running.** +If you're just installing Matrix services for the first time, please continue with the [Configuration](configuring-playbook.md) / [Installation](installing.md) flow and come back here later. + +Currently, the main purpose of this role is to allow Jitsi to authenticate matrix users and check if they are authorized to join a conference. Please refer to the documentation of the [Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service) to understand how it works. + +**Note**: enabling Matrix User Verification Service, means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. + +If the Jitsi server is also configured by this collection, all plugging of variables and secrets is handled in `group_vars/matrix_servers`. + +__Some general concepts of UVS may be helpful to understand the rest, so here they are:__ + +UVS can be used to verify two claims: + +* (A) Whether a given OpenID token is valid for a given server and +* (B) whether a user is member of a given room and the corresponding PowerLevel + +Verifying an OpenID token id done by finding the corresponding Homeserver via '.well-known/matrix/server' for the given domain. +The configured `matrix_user_verification_service_uvs_homeserver_url` does **not** factor into this. +By default, this collection only checks against `matrix_server_fqn_matrix`. +Therefore, the request will be made against the public openid API for `matrix_server_fqn_matrix`. + +Verifying RoomMembership and PowerLevel is done against `matrix_user_verification_service_uvs_homeserver_url` which is by default done via the docker network. +UVS will verify the validity of the token beforehand though. + +## Prerequisites + +In order to use UVS, an admin token for the configured homeserver must be supplied. For now this means configuring Synapse and creating the token before installing UVS. + +## Enable + +[Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service) installation is disabled by default unless required by Jitsi (see group_vars/matrix_servers). +You can enable it in your configuration file (`inventory/host_vars/matrix./vars.yml`): + +```yaml +matrix_user_verification_service_enabled: true +``` + +## Configuration + +The only required configuration variable is `matrix_user_verification_service_uvs_access_token` (see below). + +For a list of all configuration options see the role defaults [`roles/matrix-user-verification-service/defaults/main.yml`](../roles/custom/matrix-user-verification-service/defaults/main.yml). +But be aware of all the plugging happening in `group_vars/matrix_servers`. + +In the default configuration, the UVS Server is only reachable via the docker network, which is fine if e.g. Jitsi is also running in a container on the host. +However, it is possible to expose UVS via setting `matrix_user_verification_service_container_http_host_bind_port`. Be aware that the normally used port (3000) may collide with Grafana. + +### Access token + +The Synapse Access Token is used to verify RoomMembership and PowerLevel against the configured homeserver_url (which is plugged in group_vars). + +We recommend that you create a dedicated Matrix user for uvs (`uvs` is a good username). +Follow our [Registering users](registering-users.md) guide to register a user with administration privileges. + +You are required to specify an access token (belonging to this new user) for UVS to work. +To get an access token for the UVS user, you can follow the documentation on [how to do obtain an access token](obtaining-access-tokens.md). + +**Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone.** + +```yaml +matrix_user_verification_service_uvs_access_token: "YOUR ACCESS TOKEN HERE" +``` + +### (Optional) Auth Token + +It is possible to set an API Auth Token to restrict access to the UVS. If this is set, anyone making a request to UVS must provide it via the header "Authorization: Bearer TOKEN" + +By default, the token will be derived from `matrix_homeserver_generic_secret_key` in `group_vars/matrix_servers`. +To set your own Token, simply put the following in your host_vars. + +```yaml +matrix_user_verification_service_uvs_auth_token: "TOKEN" +``` + +In case Jitsi is also managed by this collection and 'matrix' authentication in Jitsi is enabled, this collection will automatically configure Jitsi to use the configured auth token. + +### (Optional) Federation + +In theory (however currently untested), UVS can handle federation. Simply set: + +```yaml +matrix_user_verification_service_uvs_openid_verify_server_name: ~ +``` + +using host_vars to override the group_vars. + +This will instruct UVS to verify the OpenID token against any domain given in a request. +Homeserver discovery is done via '.well-known/matrix/server' of the given domain. + +## Installation + +After these variables have been set, please run the following command to re-run setup and to restart UVS: + +``` +ansible-playbook -i inventory/hosts setup.yml --tags=setup-matrix-user-verification-service,start +``` + +## Logging + +The configuration variable `UVS_LOG_LEVEL` can be set to: +- warning +- info +- debug + +## TLS Certificate Checking +If the matrix Homeserver does not provide a valid TLS certificate, UVS will fail with the following error message: + +> message: 'No response received: [object Object]', + +This also applies to self-signed and let's encrypt staging certificates. + +To disable certificate validation altogether (INSECURE! Not suitable for production use!) set: `NODE_TLS_REJECT_UNAUTHORIZED=0` + +Alternatively, it is possible to inject your own CA certificates into the container by mounting a PEM file with additional trusted CAs into the container and pointing the `NODE_EXTRA_CA_CERTS` environment variable to it. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 2a9e0414a..18068bd6c 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -312,6 +312,8 @@ devture_systemd_service_manager_services_list_auto: | ([{'name': 'matrix-synapse-admin.service', 'priority': 4000, 'groups': ['matrix', 'synapse-admin']}] if matrix_synapse_admin_enabled else []) + ([{'name': 'matrix-synapse-reverse-proxy-companion.service', 'priority': 1500, 'groups': ['matrix', 'homeservers', 'synapse', 'reverse-proxies']}] if matrix_synapse_reverse_proxy_companion_enabled else []) + + + ([{'name': 'matrix-user-verification-service.service', 'priority': 800, 'groups': ['matrix', 'matrix-user-verification-service']}] if matrix_user_verification_service_enabled else []) }} ######################################################################## @@ -1945,6 +1947,11 @@ matrix_jitsi_web_stun_servers: | matrix_jitsi_etherpad_enabled: "{{ matrix_etherpad_enabled }}" matrix_jitsi_etherpad_base: "{{ matrix_etherpad_base_url if matrix_etherpad_enabled else 'https://scalar.vector.im/etherpad' }}" +# Allow verification using JWT and matrix-UVS +matrix_jitsi_prosody_auth_matrix_uvs_auth_token: "{{ matrix_user_verification_service_uvs_auth_token }}" + +matrix_jitsi_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" + ###################################################################### # # /matrix-jitsi @@ -2090,7 +2097,10 @@ matrix_nginx_proxy_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled }}" matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}" matrix_nginx_proxy_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}" matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}" + matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}" +matrix_nginx_proxy_proxy_jitsi_manage_wellknown: "{{ matrix_jitsi_require_well_known }}" + matrix_nginx_proxy_proxy_grafana_enabled: "{{ matrix_grafana_enabled }}" matrix_nginx_proxy_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled }}" matrix_nginx_proxy_proxy_ntfy_enabled: "{{ matrix_ntfy_enabled }}" @@ -2732,7 +2742,7 @@ matrix_synapse_tls_federation_listener_enabled: false matrix_synapse_tls_certificate_path: ~ matrix_synapse_tls_private_key_path: ~ -matrix_synapse_federation_port_openid_resource_required: "{{ not matrix_synapse_federation_enabled and (matrix_dimension_enabled or matrix_ma1sd_enabled) }}" +matrix_synapse_federation_port_openid_resource_required: "{{ not matrix_synapse_federation_enabled and (matrix_dimension_enabled or matrix_ma1sd_enabled or matrix_user_verification_service_enabled) }}" # If someone instals Prometheus via the playbook, they most likely wish to monitor Synapse. matrix_synapse_metrics_enabled: "{{ matrix_prometheus_enabled }}" @@ -3166,3 +3176,52 @@ matrix_user_creator_users_auto: | # /matrix-user-creator # ###################################################################### + + +###################################################################### +# +# matrix-user-verification-service +# +###################################################################### + +## FIXME: Needs to be updated when there is a proper release by upstream. +matrix_user_verification_service_docker_image: "{{ matrix_user_verification_service_docker_image_name_prefix }}matrixdotorg/matrix-user-verification-service@sha256:d2aabc984dd69d258c91900c36928972d7aaef19d776caa3cd6a0fbc0e307270" + +# enable if jitsi is managed by this playbook and requires JWT auth +matrix_user_verification_service_enabled: "{{ (matrix_jitsi_enabled | bool and matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix') }}" +matrix_user_verification_service_systemd_required_services_list: | + {{ + ['docker.service'] + + + (['matrix-synapse.service'] if matrix_synapse_enabled else []) + + + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + }} + +# If Jitsi is managed by this playbook we can use the docker network - no need to expose a port. +# If Jitsi is not managed by this playbook, or you otherwise have a need for it, you can expose +# matrix-user-verfification-services's client-server port to the local host. +# Note: If grafana is also enabled, the exposed port is changed to 3003. +matrix_user_verification_service_container_http_host_bind_port: "{{ '' if (matrix_jitsi_enabled | bool and matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix') else '127.0.0.1:' + ('3003' if matrix_nginx_proxy_proxy_grafana_enabled else '3000') }}" + +# URL exposed in the docker network +matrix_user_verification_service_container_url: "http://{{ matrix_user_verification_service_container_name }}:3000" + +# Set the homeserver URL to the container name if synapse is managed by this collection +matrix_user_verification_service_uvs_homeserver_url: "{{ matrix_homeserver_container_url if matrix_synapse_enabled }}" +# If synapse is managed by this collection, we will connect via docker network, which is a private ip. +# Therefore we need to disable IP checks +matrix_user_verification_service_uvs_disable_ip_blacklist: "{{'true' if matrix_synapse_enabled else 'false'}}" + +matrix_user_verification_service_uvs_auth_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'uvs.auth.token', rounds=655555) | to_uuid }}" + +# Pin UVS to only check openId Tokens for the matrix_server_name configured by this collection. +# This is not the homeserverURL, but rather the domain in the matrix "user ID" +matrix_user_verification_service_uvs_openid_verify_server_name: "{{ matrix_domain }}" +matrix_user_verification_service_uvs_log_level: warning + +###################################################################### +# +# /matrix-user-verification-service +# +###################################################################### diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index 088ea6406..a74b982d0 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml @@ -94,6 +94,7 @@ - custom/matrix-client-hydrogen - custom/matrix-client-cinny - custom/matrix-jitsi + - custom/matrix-user-verification-service - custom/matrix-ldap-registration-proxy - custom/matrix-ma1sd - custom/matrix-dimension diff --git a/roles/custom/matrix-jitsi/defaults/main.yml b/roles/custom/matrix-jitsi/defaults/main.yml index ce4d19cc1..1f8502c84 100644 --- a/roles/custom/matrix-jitsi/defaults/main.yml +++ b/roles/custom/matrix-jitsi/defaults/main.yml @@ -13,14 +13,16 @@ matrix_jitsi_enable_jaas_components: false matrix_jitsi_enable_p2p: true matrix_jitsi_enable_av_moderation: true matrix_jitsi_enable_breakout_rooms: true +matrix_jitsi_disable_gravatar: true -# Authentication type, must be one of internal, jwt or ldap. -# Currently only internal and ldap mechanisms are supported by this playbook. +# Authentication type, must be one of internal, jwt, matrix or ldap. +# Currently, only internal, matrix and ldap mechanisms are supported by this playbook. +# matrix auth verifies against matrix openID, and requires a user-verification-service to run. matrix_jitsi_auth_type: internal # A list of Jitsi (Prosody) accounts to create using the internal authentication mechanism. # -# Accounts added here and subsquently removed will not be automatically removed +# Accounts added here and subsequently removed will not be automatically removed # from the Prosody server until user account cleaning is integrated into the playbook. # # Example: @@ -49,6 +51,23 @@ matrix_jitsi_ldap_tls_cacert_file: "/etc/ssl/certs/ca-certificates.crt" matrix_jitsi_ldap_tls_cacert_dir: "/etc/ssl/certs" matrix_jitsi_ldap_start_tls: false +# Auth type: matrix +matrix_jitsi_prosody_auth_matrix_user_verification_repo_location: "https://github.com/matrix-org/prosody-mod-auth-matrix-user-verification" +matrix_jitsi_prosody_auth_matrix_user_verification_repo_target: "{{ matrix_jitsi_prosody_ext_path }}/prosody_auth_matrix_user_verification" +matrix_jitsi_prosody_auth_matrix_user_verification_repo_version: "2839499cb03894d8cfc3e5b2219441427cb133d8" # v1.8.0 +matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels: true +matrix_jitsi_prosody_auth_matrix_uvs_location: "{{ matrix_user_verification_service_container_url }}" +# Should match domain, see https://github.com/vector-im/element-web/pull/15114/commits/0410a6b3be82a41457275e4d1ce879dea146e092 +matrix_jitsi_prosody_auth_matrix_jwt_app_id: "{{ matrix_server_fqn_jitsi }}" +matrix_jitsi_prosody_auth_matrix_files: + - path: "mod_auth_matrix_user_verification.lua" + when: true + - path: "mod_matrix_power_sync.lua" + when: "{{ matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels }}" + +# Plugged in group_vars +#matrix_jitsi_prosody_auth_matrix_uvs_auth_token: + matrix_jitsi_timezone: UTC matrix_jitsi_xmpp_domain: meet.jitsi @@ -180,6 +199,17 @@ matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_im matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody" matrix_jitsi_prosody_config_path: "{{ matrix_jitsi_prosody_base_path }}/config" matrix_jitsi_prosody_plugins_path: "{{ matrix_jitsi_prosody_base_path }}/prosody-plugins-custom" +matrix_jitsi_prosody_ext_path: "{{ matrix_jitsi_prosody_base_path }}/ext" + +# well known is currently only needed for auth type "matrix" +matrix_jitsi_require_well_known: "{{ matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix' }}" +matrix_jitsi_wellknown_element_jitsi_json: '{"auth": "openidtoken-jwt"}' + +# +matrix_jitsi_muc_modules: | + {{ + (['matrix_power_sync'] if matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels | bool else []) + }} # A list of extra arguments to pass to the container matrix_jitsi_prosody_container_extra_arguments: [] diff --git a/roles/custom/matrix-jitsi/tasks/main.yml b/roles/custom/matrix-jitsi/tasks/main.yml index d7dc66232..b35c2c347 100644 --- a/roles/custom/matrix-jitsi/tasks/main.yml +++ b/roles/custom/matrix-jitsi/tasks/main.yml @@ -67,3 +67,9 @@ - setup-all - setup-jitsi - setup-additional-jitsi-jvb + +- block: + - when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix' + ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_matrix_auth.yml" + tags: + - self-check diff --git a/roles/custom/matrix-jitsi/tasks/self_check_matrix_auth.yml b/roles/custom/matrix-jitsi/tasks/self_check_matrix_auth.yml new file mode 100644 index 000000000..68a28ef77 --- /dev/null +++ b/roles/custom/matrix-jitsi/tasks/self_check_matrix_auth.yml @@ -0,0 +1,62 @@ +--- + +- ansible.builtin.set_fact: + matrix_jitsi_prosody_self_check_uvs_health_url: "{{ matrix_jitsi_prosody_auth_matrix_uvs_location }}/health" + matrix_jitsi_element_jitsi_well_known_url: "{{ matrix_jitsi_web_public_url }}/.well-known/element/jitsi" + +- name: Check if jitsi serves the .well-known/element/jitsi + ansible.builtin.uri: + url: "{{ matrix_jitsi_element_jitsi_well_known_url }}" + follow_redirects: none + return_content: true + validate_certs: "{{ matrix_jitsi_self_check_validate_certificates }}" + headers: + Origin: example.com + check_mode: false + register: result_well_known_jitsi_element_jitsi + ignore_errors: true + +- name: Fail if .well-known not working + ansible.builtin.fail: + msg: | + Failed checking that the Jitsi well-known file for Element auth is configured at `{{ matrix_jitsi_element_jitsi_well_known_url }}` + Full error: {{ result_well_known_jitsi_element_jitsi }} + when: "result_well_known_jitsi_element_jitsi.failed" + +- name: Parse JSON for well-known payload at the matrix hostname + ansible.builtin.set_fact: + well_known_matrix_payload: "{{ result_well_known_jitsi_element_jitsi.content | from_json }}" + +- name: Fail if .well-known not CORS-aware + ansible.builtin.fail: + msg: "The well-known file on `{{ matrix_jitsi_element_jitsi_well_known_url }}` is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set." + when: "'access_control_allow_origin' not in result_well_known_jitsi_element_jitsi" + +- name: Report working .well-known + ansible.builtin.debug: + msg: "well-known is configured correctly at `{{ matrix_jitsi_element_jitsi_well_known_url }}`" + +- name: Check if we can reach the user verification service and if it's healthy + ansible.builtin.command: + argv: + - "docker" + - "exec" + - "matrix-jitsi-prosody" + - "wget" + - "-O" + - "-" + - "--quiet" + - "{{ matrix_jitsi_prosody_self_check_uvs_health_url | quote }}" + register: matrix_jitsi_prosody_self_check_uvs_result + ignore_errors: true + +- name: Fail if user verification service is not (reachable and healthy) + ansible.builtin.fail: + msg: | + Failed checking user verification service is up (checked endpoint: `{{ matrix_jitsi_prosody_self_check_uvs_health_url }}`). + Full error: {{ matrix_jitsi_prosody_self_check_uvs_result }} + when: "matrix_jitsi_prosody_self_check_uvs_result.failed" + +- name: Report healthy user verification service + ansible.builtin.debug: + msg: "User verification service is working (checked endpoint: `{{ matrix_jitsi_prosody_self_check_uvs_health_url }}`)" diff --git a/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_install.yml b/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_install.yml index 785811666..f5beab2bf 100644 --- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_install.yml +++ b/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_install.yml @@ -11,6 +11,7 @@ - {path: "{{ matrix_jitsi_prosody_base_path }}", when: true} - {path: "{{ matrix_jitsi_prosody_config_path }}", when: true} - {path: "{{ matrix_jitsi_prosody_plugins_path }}", when: true} + - {path: "{{ matrix_jitsi_prosody_ext_path }}", when: true} when: item.when | bool - name: Ensure jitsi-prosody Docker image is pulled @@ -32,6 +33,43 @@ group: "{{ matrix_user_groupname }}" mode: 0640 +# Configure matrix authentication. +- name: Install user verification plugin + ansible.builtin.include_tasks: + file: "{{ role_path }}/tasks/util/setup_jitsi_auth_uvs_install.yml" + when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == "matrix" + +- name: Manage Jitsi .well-known + when: matrix_jitsi_require_well_known | bool + block: + - name: Ensure .well-known directories exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0775 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {path: "{{ matrix_static_files_base_path }}/.well-known/element", when: "{{ matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix' }}"} + when: item.when | bool + + # Create .well-known/element/jitsi in the static file directory for nginx-proxy. + - name: Ensure Jitsi /.well-known/element/jitsi configured + ansible.builtin.copy: + content: "{{ matrix_jitsi_wellknown_element_jitsi_json }}" + dest: "{{ matrix_static_files_base_path }}/.well-known/element/jitsi" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == "matrix" +# END Block + +# Remove matrix authentication if disabled +- name: Ensure user verification plugin is not present if matrix auth is disabled + ansible.builtin.include_tasks: + file: "{{ role_path }}/tasks/util/setup_jitsi_auth_uvs_uninstall.yml" + when: (not matrix_jitsi_enable_auth | bool) or (matrix_jitsi_auth_type != "matrix") + - name: Ensure matrix-jitsi-prosody.service file is installed ansible.builtin.template: src: "{{ role_path }}/templates/prosody/matrix-jitsi-prosody.service.j2" @@ -39,7 +77,9 @@ mode: 0644 register: matrix_jitsi_prosody_systemd_service_result -- name: Ensure authentication is properly configured +# Tasks that require a running prosody container are called in this file. +- name: Run prosody related tasks, that require a running container. ansible.builtin.include_tasks: - file: "{{ role_path }}/tasks/util/setup_jitsi_auth.yml" - when: matrix_jitsi_enable_auth | bool + file: "{{ role_path }}/tasks/util/setup_jitsi_prosody_post_setup_hooks.yml" + when: + - matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == "internal" diff --git a/roles/custom/matrix-jitsi/tasks/util/prosody_post_setup_hooks/setup_jitsi_auth_internal.yml b/roles/custom/matrix-jitsi/tasks/util/prosody_post_setup_hooks/setup_jitsi_auth_internal.yml new file mode 100644 index 000000000..ac9bda49b --- /dev/null +++ b/roles/custom/matrix-jitsi/tasks/util/prosody_post_setup_hooks/setup_jitsi_auth_internal.yml @@ -0,0 +1,17 @@ +--- +# +# Tasks related to configuring Jitsi internal authentication on a running prosody instance. +# + +- name: Ensure Jitsi internal authentication users are configured + ansible.builtin.shell: "{{ devture_systemd_docker_base_host_command_docker }} exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register {{ item.username | quote }} meet.jitsi {{ item.password | quote }}" + with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}" + when: + - matrix_jitsi_prosody_auth_internal_accounts|length > 0 + register: matrix_jitsi_user_configuration_result + changed_when: matrix_jitsi_user_configuration_result.rc == 0 + no_log: true + +# +# Tasks related to clean up after configuring internal authentication. +# diff --git a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth.yml b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth.yml deleted file mode 100644 index 60a49b427..000000000 --- a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth.yml +++ /dev/null @@ -1,42 +0,0 @@ ---- -# -# Start Necessary Services -# - -- name: Ensure matrix-jitsi-prosody container is running - ansible.builtin.systemd: - state: started - name: matrix-jitsi-prosody - register: matrix_jitsi_prosody_start_result - - -# -# Tasks related to configuring Jitsi internal authentication -# - -- name: Ensure Jitsi internal authentication users are configured - ansible.builtin.shell: "{{ devture_systemd_docker_base_host_command_docker }} exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register {{ item.username | quote }} meet.jitsi {{ item.password | quote }}" - with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}" - when: - - matrix_jitsi_auth_type == "internal" - - matrix_jitsi_prosody_auth_internal_accounts|length > 0 - register: matrix_jitsi_user_configuration_result - changed_when: matrix_jitsi_user_configuration_result.rc == 0 - no_log: true - -# -# Tasks related to configuring other Jitsi authentication mechanisms -# - -# -# Tasks related to cleaning after Jitsi authentication configuration -# - -# -# Stop Necessary Services -# -- name: Ensure matrix-jitsi-prosody container is stopped if necessary - ansible.builtin.systemd: - state: stopped - name: matrix-jitsi-prosody - when: matrix_jitsi_prosody_start_result.changed | bool diff --git a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml new file mode 100644 index 000000000..36f334253 --- /dev/null +++ b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml @@ -0,0 +1,13 @@ +- name: Checkout Prosody Auth Matrix User Verification Plugin Repo + ansible.builtin.git: + repo: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_location }}" + dest: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}" + version: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_version }}" + +- name: Install Prosody Auth Matrix User Verification Plugin + ansible.builtin.copy: + remote_src: yes + src: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}/{{ item.path }}" + dest: "{{ matrix_jitsi_prosody_plugins_path }}/{{ item.path }}" + with_items: "{{ matrix_jitsi_prosody_auth_matrix_files }}" + when: item.when | bool diff --git a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml new file mode 100644 index 000000000..2ba793eca --- /dev/null +++ b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml @@ -0,0 +1,26 @@ +- name: Remove all files regarding prosody mod auth_matrix_user_verification and .well-known/element/jitsi + ansible.builtin.file: + path: "{{ item }}" + state: absent + with_flattened: + - "{{ matrix_static_files_base_path }}/.well-known/element/jitsi" + - "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}" + - "{{ matrix_jitsi_prosody_auth_matrix_files | map(attribute='path') | map('regex_replace', '^', matrix_jitsi_prosody_plugins_path+'/') | list }}" + register: matrix_jitsi_prosody_auth_matrix_user_verification_uninstalled + +- name: Remove .well-known/element directory if empty + ansible.builtin.command: + argv: + - rmdir + - "{{ matrix_static_files_base_path }}/.well-known/element" + removes: "{{matrix_static_files_base_path}}/.well-known/element" + ignore_errors: yes + +- when: matrix_jitsi_prosody_auth_matrix_user_verification_uninstalled.changed + block: + - name: Populate service facts + ansible.builtin.service_facts: + + - name: Ensure prosody is restarted later on if currently running + set_fact: + matrix_jitsi_prosody_require_restart: "{{ true if ansible_facts.services['matrix-jitsi-prosody.service']['state'] == 'running' else false }}" diff --git a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_prosody_post_setup_hooks.yml b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_prosody_post_setup_hooks.yml new file mode 100644 index 000000000..69c18ab32 --- /dev/null +++ b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_prosody_post_setup_hooks.yml @@ -0,0 +1,49 @@ +--- +##### +# +# This tasks file starts and stops (if state before was stopped) a prosody container during setup to run commands, +# that require a running prosody container. +# The task is called in ../setup_jitsi_prosody_install.yml. +# +# Important: The task is called conditionally, as to only start if really needed. +# So if you add or change anything - remember to also change the 'when' in: ../setup_jitsi_prosody_install.yml +# +##### + +# +# Start Necessary Services +# + +- name: Ensure matrix-jitsi-prosody container is running + ansible.builtin.systemd: + state: "{{ 'restarted' if matrix_jitsi_prosody_require_restart | d(false) | bool else 'started' }}" + name: matrix-jitsi-prosody + register: matrix_jitsi_prosody_start_result + +# If the flag was set, we can safely disable now. +- name: Disable require restart flag + set_fact: + matrix_jitsi_prosody_require_restart: false + +# +# Tasks related to configuring Jitsi internal authentication +# + +- name: Ensure internal authentication is properly configured + ansible.builtin.include_tasks: + file: "{{ role_path }}/tasks/util/prosody_post_setup_hooks/setup_jitsi_auth_internal.yml" + when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == "internal" + +# +# Tasks related to ... +# + + +# +# Stop Necessary Services +# +- name: Ensure matrix-jitsi-prosody container is stopped if necessary + ansible.builtin.systemd: + state: stopped + name: matrix-jitsi-prosody + when: matrix_jitsi_prosody_start_result.changed | bool diff --git a/roles/custom/matrix-jitsi/tasks/validate_config.yml b/roles/custom/matrix-jitsi/tasks/validate_config.yml index 258b4864c..5975a605b 100644 --- a/roles/custom/matrix-jitsi/tasks/validate_config.yml +++ b/roles/custom/matrix-jitsi/tasks/validate_config.yml @@ -25,16 +25,25 @@ - "matrix_jitsi_jvb_auth_password" -- name: Fail if a Jitsi internal authentication account is not defined +- name: Fail if authentication is enabled, but not properly configured. ansible.builtin.fail: msg: >- + You have enabled authentication, but the configured auth type is missing required configuration. + + Auth type 'internal': At least one Jitsi user needs to be defined in `matrix_jitsi_prosody_auth_internal_accounts` when using internal authentication. If you're setting up Jitsi for the first time, you may have missed a step. Refer to our setup instructions (docs/configuring-playbook-jitsi.md). + + Auth type 'matrix': + If you want to enable matrix_user_verification in jitsi, + please provide an auth token for the user verification service (uvs) using `matrix_jitsi_prosody_auth_matrix_uvs_auth_token`. + If the user-verfication-service is also managed by this playbook the token is derived from `matrix_homeserver_generic_secret_key` in the group vars. when: - matrix_jitsi_enable_auth | bool - - matrix_jitsi_auth_type == 'internal' - - matrix_jitsi_prosody_auth_internal_accounts|length == 0 + - ((matrix_jitsi_auth_type == 'internal' and matrix_jitsi_prosody_auth_internal_accounts|length == 0) + or (matrix_jitsi_auth_type == 'matrix' and matrix_jitsi_prosody_auth_matrix_uvs_auth_token|length == 0)) + - name: (Deprecation) Catch and report renamed settings diff --git a/roles/custom/matrix-jitsi/templates/prosody/env.j2 b/roles/custom/matrix-jitsi/templates/prosody/env.j2 index b0ebbefce..541727b8f 100644 --- a/roles/custom/matrix-jitsi/templates/prosody/env.j2 +++ b/roles/custom/matrix-jitsi/templates/prosody/env.j2 @@ -41,6 +41,12 @@ LDAP_TLS_CACERT_DIR={{ matrix_jitsi_ldap_tls_cacert_dir }} LDAP_START_TLS={{ 1 if matrix_jitsi_ldap_start_tls else 0 }} LDAP_URL={{ matrix_jitsi_ldap_url }} LDAP_USE_TLS={{ 1 if matrix_jitsi_ldap_use_tls else 0 }} +MATRIX_UVS_ISSUER={{ matrix_jitsi_prosody_auth_matrix_jwt_app_id }} +MATRIX_UVS_URL={{ matrix_jitsi_prosody_auth_matrix_uvs_location }} +{% if matrix_jitsi_prosody_auth_matrix_uvs_auth_token is defined %} +MATRIX_UVS_AUTH_TOKEN={{ matrix_jitsi_prosody_auth_matrix_uvs_auth_token }} +{% endif %} +MATRIX_UVS_SYNC_POWER_LEVELS={{ 'true' if matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels else 'false' }} PUBLIC_URL={{ matrix_jitsi_web_public_url }} TURN_CREDENTIALS={{ matrix_jitsi_turn_credentials }} TURN_HOST={{ matrix_jitsi_turn_host }} @@ -55,7 +61,7 @@ XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }} XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }} XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }} XMPP_MODULES={{ matrix_jitsi_xmpp_modules }} -XMPP_MUC_MODULES= +XMPP_MUC_MODULES={{ matrix_jitsi_muc_modules | join(',') }} XMPP_INTERNAL_MUC_MODULES= XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }} XMPP_CROSS_DOMAIN=true diff --git a/roles/custom/matrix-jitsi/templates/web/custom-config.js.j2 b/roles/custom/matrix-jitsi/templates/web/custom-config.js.j2 index bbe85798a..2bde96a8b 100644 --- a/roles/custom/matrix-jitsi/templates/web/custom-config.js.j2 +++ b/roles/custom/matrix-jitsi/templates/web/custom-config.js.j2 @@ -11,6 +11,10 @@ config.p2p.stunServers = [ ]; {% endif %} +{% if matrix_jitsi_disable_gravatar %} +config.gravatar = {'disabled': true}; +{% endif %} + {% if matrix_jitsi_etherpad_enabled %} config.etherpad_base = {{ (matrix_jitsi_etherpad_base + '/p/') |to_json }} {% endif %} diff --git a/roles/custom/matrix-nginx-proxy/defaults/main.yml b/roles/custom/matrix-nginx-proxy/defaults/main.yml index 6fbc019e2..5d5329b0e 100644 --- a/roles/custom/matrix-nginx-proxy/defaults/main.yml +++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml @@ -203,6 +203,8 @@ matrix_nginx_proxy_proxy_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb } # Controls whether proxying the jitsi domain should be done. matrix_nginx_proxy_proxy_jitsi_enabled: false matrix_nginx_proxy_proxy_jitsi_hostname: "{{ matrix_server_fqn_jitsi }}" +matrix_nginx_proxy_proxy_jitsi_manage_wellknown: false +matrix_nginx_proxy_proxy_jitsi_well_known_configuration_blocks: [] # Controls whether proxying the grafana domain should be done. matrix_nginx_proxy_proxy_grafana_enabled: false diff --git a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index 4d5a4ce7c..39dedfc8c 100644 --- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -18,6 +18,15 @@ {{- configuration_block }} {% endfor %} + {% if matrix_nginx_proxy_proxy_jitsi_manage_wellknown %} + location /.well-known { + root {{ matrix_static_files_base_path }}; + expires 4h; + default_type application/json; + add_header Access-Control-Allow-Origin *; + } + {% endif %} + location / { {% if matrix_nginx_proxy_enabled %} {# Use the embedded DNS resolver in Docker containers to discover the service #} @@ -75,7 +84,7 @@ {% if matrix_nginx_proxy_enabled %} resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s; set $backend {{ matrix_jitsi_xmpp_bosh_url_base }}; - proxy_pass $backend/xmpp-websocket; + proxy_pass $backend$request_uri; {% else %} {# Generic configuration for use outside of our container setup #} proxy_pass http://127.0.0.1:5280; diff --git a/roles/custom/matrix-user-verification-service/defaults/main.yml b/roles/custom/matrix-user-verification-service/defaults/main.yml new file mode 100644 index 000000000..a86d62357 --- /dev/null +++ b/roles/custom/matrix-user-verification-service/defaults/main.yml @@ -0,0 +1,81 @@ +--- +# Set this to the display name for ansible used in Output e.g. fail_msg +matrix_user_verification_service_ansible_name: "Matrix User Verification Service" + +# Enable by default. This is overwritten in provided group vars. +matrix_user_verification_service_enabled: true + +# Fix version tag +matrix_user_verification_service_version: "v2.0.0" + +# Paths +matrix_user_verification_service_base_path: "{{ matrix_base_data_path }}/user-verification-service" +# We need the docker src directory to be named user_verification_service. See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/588 +matrix_user_verification_service_docker_src_files_path: "{{ matrix_user_verification_service_base_path }}/docker-src/user-verification-service" +matrix_user_verification_service_config_path: "{{ matrix_user_verification_service_base_path }}/config" +matrix_user_verification_service_config_env_file: "{{ matrix_user_verification_service_config_path }}/.env" + +# Set this to true in order to not use the docker image from docker hub, but rather build locally +matrix_user_verification_service_container_image_self_build: false +matrix_user_verification_service_container_image_self_build_repo: "https://github.com/matrix-org/matrix-user-verification-service.git" +matrix_user_verification_service_container_image_self_build_branch: "{{ matrix_user_verification_service_version }}" + +# Docker +matrix_user_verification_service_docker_image_name_prefix: "{{ 'localhost/' if matrix_user_verification_service_container_image_self_build else matrix_container_global_registry_prefix }}" +matrix_user_verification_service_docker_image: "{{ matrix_user_verification_service_docker_image_name_prefix }}matrixdotorg/matrix-user-verification-service:{{ matrix_user_verification_service_version }}" +matrix_user_verification_service_docker_image_force_pull: "{{ matrix_user_verification_service_docker_image.endswith(':latest') }}" + +matrix_user_verification_service_container_name: "matrix-user-verification-service" +# Normally this would run on port 3000 however that may conflict with grafana. It is thus advised to change this port. +#matrix_user_verification_service_container_http_host_bind_port: +matrix_user_verification_service_container_extra_arguments: [] +# Systemd +matrix_user_verification_service_systemd_required_services_list: [] +matrix_user_verification_service_systemd_wanted_services_list: [] +matrix_user_verification_service_systemd_service_basename: "matrix-user-verification-service" +matrix_user_verification_service_systemd_service_name: "{{ matrix_user_verification_service_systemd_service_basename }}.service" + +# Matrix User Verification Service Configuration +## REQUIRED + +# Homeserver client API admin token (synapse only)- Required for the service to verify room membership +# matrix_user_verification_service_uvs_access_token: + +# homeserver client api url +# matrix_user_verification_service_uvs_homeserver_url: "" +# disable check for non private ip range of homeserver. e.g. set to `true` if your homeserver domain resolves to a private ip. +matrix_user_verification_service_uvs_disable_ip_blacklist: false + +## OPTIONAL + +# Auth token to protect the API +# If this is set any calls to the provided API endpoints +# need have the header "Authorization: Bearer changeme". +# matrix_user_verification_service_uvs_auth_token: changeme + +# Matrix server name to verify OpenID tokens against. See below section. +# Defaults to empty value which means verification is made against +# whatever Matrix server name passed in with the token +# matrix_user_verification_service_uvs_openid_verify_server_name: matrix.org + +# Log level, defaults to 'info' +# See choices here: https://github.com/winstonjs/winston#logging-levels +# matrix_user_verification_service_uvs_log_level: info + + +###################################################################### +##### ##### +##### Variables used in this role which are not set by this role ##### +##### ##### +###################################################################### + +# matrix_user_username +# matrix_user_groupname +# matrix_user_uid +# matrix_user_gid +# matrix_container_global_registry_prefix +# matrix_docker_network +# devture_systemd_docker_base_systemd_path +# devture_systemd_docker_base_systemd_unit_home_path +# devture_systemd_docker_base_host_command_sh +# devture_systemd_docker_base_host_command_docker diff --git a/roles/custom/matrix-user-verification-service/handlers/main.yml b/roles/custom/matrix-user-verification-service/handlers/main.yml new file mode 100644 index 000000000..a1ad1f31e --- /dev/null +++ b/roles/custom/matrix-user-verification-service/handlers/main.yml @@ -0,0 +1,6 @@ +--- + +- name: Ensure systemd reloaded after matrix-user-verification-service.service installation + service: + daemon_reload: yes + listen: "reload matrix-user-verification-service" diff --git a/roles/custom/matrix-user-verification-service/tasks/main.yml b/roles/custom/matrix-user-verification-service/tasks/main.yml new file mode 100644 index 000000000..0f51d6cc5 --- /dev/null +++ b/roles/custom/matrix-user-verification-service/tasks/main.yml @@ -0,0 +1,24 @@ +--- + +- name: verify all necessary variables are present + assert: + that: + - matrix_user_verification_service_uvs_access_token is defined and matrix_user_verification_service_uvs_access_token|length + - matrix_user_verification_service_uvs_homeserver_url is defined and matrix_user_verification_service_uvs_homeserver_url|length + fail_msg: "Missing variable in {{ matrix_user_verification_service_ansible_name }} role" + +- block: + - when: run_setup | bool and matrix_user_verification_service_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-user-verification-service + - install-all + - install-user-verification-service + +- block: + - when: run_setup | bool and not matrix_user_verification_service_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + tags: + - setup-all + - setup-user-verification-service diff --git a/roles/custom/matrix-user-verification-service/tasks/setup_install.yml b/roles/custom/matrix-user-verification-service/tasks/setup_install.yml new file mode 100644 index 000000000..5d1d28454 --- /dev/null +++ b/roles/custom/matrix-user-verification-service/tasks/setup_install.yml @@ -0,0 +1,42 @@ +--- + +- name: "Ensure Matrix User Verification Service paths exist" + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - { path: "{{ matrix_user_verification_service_config_path }}", when: true } + - { path: "{{ matrix_user_verification_service_docker_src_files_path }}", when: "{{ matrix_user_verification_service_container_image_self_build }}" } + when: item.when | bool + +- name: Ensure Matrix User Verification Service image is pulled + community.docker.docker_image: + name: "{{ matrix_user_verification_service_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_user_verification_service_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_user_verification_service_docker_image_force_pull }}" + when: "not matrix_user_verification_service_container_image_self_build | bool" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +#- block: +# TODO +# when: "matrix_user_verification_service_container_image_self_build|bool" + +- name: write env file + ansible.builtin.template: + src: "{{ role_path }}/templates/.env.j2" + dest: "{{ matrix_user_verification_service_config_env_file }}" + mode: 0644 + +- name: Ensure matrix-user-verification-service.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-user-verification-service.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}" + mode: 0644 + notify: "reload matrix-user-verification-service" diff --git a/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml b/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml new file mode 100644 index 000000000..2a14d96ac --- /dev/null +++ b/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml @@ -0,0 +1,35 @@ +--- + +- name: Check existence of matrix-user-verification-service service + stat: + path: "{{ matrix_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}" + register: matrix_user_verification_service_service_stat + +- name: Ensure matrix-user-verification-service is stopped + service: + name: "{{ matrix_user_verification_service_systemd_service_basename }}" + state: stopped + daemon_reload: yes + register: stopping_result + when: "matrix_user_verification_service_service_stat.stat.exists|bool" + +- name: Ensure matrix-user-verification-service.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}" + state: absent + when: "matrix_user_verification_service_service_stat.stat.exists|bool" + +- name: Ensure systemd reloaded after matrix-user-verification-service.service removal + service: + daemon_reload: yes + when: "matrix_user_verification_service_service_stat.stat.exists|bool" + +- name: Ensure Matrix user-verification-service paths don't exist + file: + path: "{{ matrix_user_verification_service_base_path }}" + state: absent + +- name: Ensure user-verification-service Docker image doesn't exist + docker_image: + name: "{{ matrix_user_verification_service_docker_image }}" + state: absent diff --git a/roles/custom/matrix-user-verification-service/templates/.env.j2 b/roles/custom/matrix-user-verification-service/templates/.env.j2 new file mode 100644 index 000000000..b2f2aaab8 --- /dev/null +++ b/roles/custom/matrix-user-verification-service/templates/.env.j2 @@ -0,0 +1,14 @@ +UVS_ACCESS_TOKEN={{ matrix_user_verification_service_uvs_access_token }} +UVS_HOMESERVER_URL={{ matrix_user_verification_service_uvs_homeserver_url }} +UVS_DISABLE_IP_BLACKLIST={{ matrix_user_verification_service_uvs_disable_ip_blacklist }} + +{% if matrix_user_verification_service_uvs_auth_token is defined and matrix_user_verification_service_uvs_auth_token|length %} + UVS_AUTH_TOKEN={{ matrix_user_verification_service_uvs_auth_token }} +{% endif %} +{% if matrix_user_verification_service_uvs_openid_verify_server_name is defined and matrix_user_verification_service_uvs_openid_verify_server_name|length %} + UVS_OPENID_VERIFY_SERVER_NAME={{ matrix_user_verification_service_uvs_openid_verify_server_name }} +{% endif %} +{% if matrix_user_verification_service_uvs_log_level is defined and matrix_user_verification_service_uvs_log_level|length %} + UVS_LOG_LEVEL={{ matrix_user_verification_service_uvs_log_level }} +{% endif %} + diff --git a/roles/custom/matrix-user-verification-service/templates/systemd/matrix-user-verification-service.service.j2 b/roles/custom/matrix-user-verification-service/templates/systemd/matrix-user-verification-service.service.j2 new file mode 100644 index 000000000..eb24b1281 --- /dev/null +++ b/roles/custom/matrix-user-verification-service/templates/systemd/matrix-user-verification-service.service.j2 @@ -0,0 +1,42 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description={{ matrix_user_verification_service_ansible_name }} +{% for service in matrix_user_verification_service_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_user_verification_service_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_user_verification_service_container_name }} 2>/dev/null' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_user_verification_service_container_name }} 2>/dev/null' + + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {{ matrix_user_verification_service_container_name }}\ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_docker_network }} \ + {% if matrix_user_verification_service_container_http_host_bind_port %} + -p {{ matrix_user_verification_service_container_http_host_bind_port }}:3000 \ + {% endif %} + --mount type=bind,src={{ matrix_user_verification_service_config_env_file }},dst=/app/.env,ro \ + {% for arg in matrix_user_verification_service_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_user_verification_service_docker_image }} + +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_user_verification_service_container_name }} 2>/dev/null' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_user_verification_service_container_name }} 2>/dev/null' +Restart=always +RestartSec=30 +SyslogIdentifier={{ matrix_user_verification_service_systemd_service_basename }} + +[Install] +WantedBy=multi-user.target From 94830b582bc56226245020b450bb311228c2e299 Mon Sep 17 00:00:00 2001 From: jakicoll Date: Mon, 6 Feb 2023 11:58:50 +0100 Subject: [PATCH 02/38] Wording: change collection -> playbook --- docs/configuring-playbook-user-verification-service.md | 6 +++--- group_vars/matrix_servers | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/configuring-playbook-user-verification-service.md b/docs/configuring-playbook-user-verification-service.md index f3d3aa6e2..e7fc95709 100644 --- a/docs/configuring-playbook-user-verification-service.md +++ b/docs/configuring-playbook-user-verification-service.md @@ -7,7 +7,7 @@ Currently, the main purpose of this role is to allow Jitsi to authenticate matri **Note**: enabling Matrix User Verification Service, means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. -If the Jitsi server is also configured by this collection, all plugging of variables and secrets is handled in `group_vars/matrix_servers`. +If the Jitsi server is also configured by this playbook, all plugging of variables and secrets is handled in `group_vars/matrix_servers`. __Some general concepts of UVS may be helpful to understand the rest, so here they are:__ @@ -18,7 +18,7 @@ UVS can be used to verify two claims: Verifying an OpenID token id done by finding the corresponding Homeserver via '.well-known/matrix/server' for the given domain. The configured `matrix_user_verification_service_uvs_homeserver_url` does **not** factor into this. -By default, this collection only checks against `matrix_server_fqn_matrix`. +By default, this playbook only checks against `matrix_server_fqn_matrix`. Therefore, the request will be made against the public openid API for `matrix_server_fqn_matrix`. Verifying RoomMembership and PowerLevel is done against `matrix_user_verification_service_uvs_homeserver_url` which is by default done via the docker network. @@ -74,7 +74,7 @@ To set your own Token, simply put the following in your host_vars. matrix_user_verification_service_uvs_auth_token: "TOKEN" ``` -In case Jitsi is also managed by this collection and 'matrix' authentication in Jitsi is enabled, this collection will automatically configure Jitsi to use the configured auth token. +In case Jitsi is also managed by this playbook and 'matrix' authentication in Jitsi is enabled, this collection will automatically configure Jitsi to use the configured auth token. ### (Optional) Federation diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 18068bd6c..6c785e01f 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -3207,15 +3207,15 @@ matrix_user_verification_service_container_http_host_bind_port: "{{ '' if (matr # URL exposed in the docker network matrix_user_verification_service_container_url: "http://{{ matrix_user_verification_service_container_name }}:3000" -# Set the homeserver URL to the container name if synapse is managed by this collection +# Set the homeserver URL to the container name if synapse is managed by this playbook matrix_user_verification_service_uvs_homeserver_url: "{{ matrix_homeserver_container_url if matrix_synapse_enabled }}" -# If synapse is managed by this collection, we will connect via docker network, which is a private ip. +# If synapse is managed by this playbook, we will connect via docker network, which is a private ip. # Therefore we need to disable IP checks matrix_user_verification_service_uvs_disable_ip_blacklist: "{{'true' if matrix_synapse_enabled else 'false'}}" matrix_user_verification_service_uvs_auth_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'uvs.auth.token', rounds=655555) | to_uuid }}" -# Pin UVS to only check openId Tokens for the matrix_server_name configured by this collection. +# Pin UVS to only check openId Tokens for the matrix_server_name configured by this playbook. # This is not the homeserverURL, but rather the domain in the matrix "user ID" matrix_user_verification_service_uvs_openid_verify_server_name: "{{ matrix_domain }}" matrix_user_verification_service_uvs_log_level: warning From f53731756d23079660ee299a0621097dd2936398 Mon Sep 17 00:00:00 2001 From: jakicoll Date: Mon, 6 Feb 2023 12:15:54 +0100 Subject: [PATCH 03/38] Change comment Applying the assumption, that synapse is always managed by this playbook. --- group_vars/matrix_servers | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 6c785e01f..b52c74a3b 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -3209,8 +3209,7 @@ matrix_user_verification_service_container_url: "http://{{ matrix_user_verifica # Set the homeserver URL to the container name if synapse is managed by this playbook matrix_user_verification_service_uvs_homeserver_url: "{{ matrix_homeserver_container_url if matrix_synapse_enabled }}" -# If synapse is managed by this playbook, we will connect via docker network, which is a private ip. -# Therefore we need to disable IP checks +# We connect via the container network (private IPs), so we need to disable IP checks matrix_user_verification_service_uvs_disable_ip_blacklist: "{{'true' if matrix_synapse_enabled else 'false'}}" matrix_user_verification_service_uvs_auth_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'uvs.auth.token', rounds=655555) | to_uuid }}" From 6913d368c8a11d61b2de4bb8fbe1adb39c8bb32f Mon Sep 17 00:00:00 2001 From: Jakob S Date: Mon, 6 Feb 2023 12:38:01 +0100 Subject: [PATCH 04/38] Consolidate conditionals into a block, keep image Co-authored-by: Slavi Pantaleev --- .../tasks/setup_uninstall.yml | 42 +++++++------------ 1 file changed, 16 insertions(+), 26 deletions(-) diff --git a/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml b/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml index 2a14d96ac..5daafd3d8 100644 --- a/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml @@ -5,31 +5,21 @@ path: "{{ matrix_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}" register: matrix_user_verification_service_service_stat -- name: Ensure matrix-user-verification-service is stopped - service: - name: "{{ matrix_user_verification_service_systemd_service_basename }}" - state: stopped - daemon_reload: yes - register: stopping_result - when: "matrix_user_verification_service_service_stat.stat.exists|bool" +- when: matrix_user_verification_service_service_stat.stat.exists | bool + block: + - name: Ensure matrix-user-verification-service is stopped + service: + name: "{{ matrix_user_verification_service_systemd_service_basename }}" + state: stopped + daemon_reload: yes + register: stopping_result -- name: Ensure matrix-user-verification-service.service doesn't exist - file: - path: "{{ matrix_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}" - state: absent - when: "matrix_user_verification_service_service_stat.stat.exists|bool" - -- name: Ensure systemd reloaded after matrix-user-verification-service.service removal - service: - daemon_reload: yes - when: "matrix_user_verification_service_service_stat.stat.exists|bool" - -- name: Ensure Matrix user-verification-service paths don't exist - file: - path: "{{ matrix_user_verification_service_base_path }}" - state: absent + - name: Ensure matrix-user-verification-service.service doesn't exist + file: + path: "{{ matrix_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}" + state: absent -- name: Ensure user-verification-service Docker image doesn't exist - docker_image: - name: "{{ matrix_user_verification_service_docker_image }}" - state: absent + - name: Ensure Matrix user-verification-service paths don't exist + file: + path: "{{ matrix_user_verification_service_base_path }}" + state: absent From b89f5b7ff5e7e957145c1f2e4a79dba77dc22e89 Mon Sep 17 00:00:00 2001 From: Paul N <92150859+stift-n2@users.noreply.github.com> Date: Mon, 6 Feb 2023 12:47:50 +0100 Subject: [PATCH 05/38] Clarify task name and add user and group to templated env file Co-authored-by: Slavi Pantaleev --- .../matrix-user-verification-service/tasks/setup_install.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-user-verification-service/tasks/setup_install.yml b/roles/custom/matrix-user-verification-service/tasks/setup_install.yml index 5d1d28454..3ce463aa2 100644 --- a/roles/custom/matrix-user-verification-service/tasks/setup_install.yml +++ b/roles/custom/matrix-user-verification-service/tasks/setup_install.yml @@ -28,10 +28,12 @@ # TODO # when: "matrix_user_verification_service_container_image_self_build|bool" -- name: write env file +- name: Ensure Matrix User Verification Service env file installed ansible.builtin.template: src: "{{ role_path }}/templates/.env.j2" dest: "{{ matrix_user_verification_service_config_env_file }}" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" mode: 0644 - name: Ensure matrix-user-verification-service.service installed From bf5e633656b8b88bc9dedf7e2be01fcc6f4851b3 Mon Sep 17 00:00:00 2001 From: jakicoll Date: Mon, 6 Feb 2023 12:57:20 +0100 Subject: [PATCH 06/38] Remove the self-build stub, because self-build was not implemented --- .../matrix-user-verification-service/defaults/main.yml | 7 +------ .../tasks/setup_install.yml | 6 ------ 2 files changed, 1 insertion(+), 12 deletions(-) diff --git a/roles/custom/matrix-user-verification-service/defaults/main.yml b/roles/custom/matrix-user-verification-service/defaults/main.yml index a86d62357..2f4b726ca 100644 --- a/roles/custom/matrix-user-verification-service/defaults/main.yml +++ b/roles/custom/matrix-user-verification-service/defaults/main.yml @@ -15,13 +15,8 @@ matrix_user_verification_service_docker_src_files_path: "{{ matrix_user_verifica matrix_user_verification_service_config_path: "{{ matrix_user_verification_service_base_path }}/config" matrix_user_verification_service_config_env_file: "{{ matrix_user_verification_service_config_path }}/.env" -# Set this to true in order to not use the docker image from docker hub, but rather build locally -matrix_user_verification_service_container_image_self_build: false -matrix_user_verification_service_container_image_self_build_repo: "https://github.com/matrix-org/matrix-user-verification-service.git" -matrix_user_verification_service_container_image_self_build_branch: "{{ matrix_user_verification_service_version }}" - # Docker -matrix_user_verification_service_docker_image_name_prefix: "{{ 'localhost/' if matrix_user_verification_service_container_image_self_build else matrix_container_global_registry_prefix }}" +matrix_user_verification_service_docker_image_name_prefix: "{{ matrix_container_global_registry_prefix }}" matrix_user_verification_service_docker_image: "{{ matrix_user_verification_service_docker_image_name_prefix }}matrixdotorg/matrix-user-verification-service:{{ matrix_user_verification_service_version }}" matrix_user_verification_service_docker_image_force_pull: "{{ matrix_user_verification_service_docker_image.endswith(':latest') }}" diff --git a/roles/custom/matrix-user-verification-service/tasks/setup_install.yml b/roles/custom/matrix-user-verification-service/tasks/setup_install.yml index 3ce463aa2..24b8b811a 100644 --- a/roles/custom/matrix-user-verification-service/tasks/setup_install.yml +++ b/roles/custom/matrix-user-verification-service/tasks/setup_install.yml @@ -9,7 +9,6 @@ group: "{{ matrix_user_groupname }}" with_items: - { path: "{{ matrix_user_verification_service_config_path }}", when: true } - - { path: "{{ matrix_user_verification_service_docker_src_files_path }}", when: "{{ matrix_user_verification_service_container_image_self_build }}" } when: item.when | bool - name: Ensure Matrix User Verification Service image is pulled @@ -18,16 +17,11 @@ source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" force_source: "{{ matrix_user_verification_service_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_user_verification_service_docker_image_force_pull }}" - when: "not matrix_user_verification_service_container_image_self_build | bool" register: result retries: "{{ devture_playbook_help_container_retries_count }}" delay: "{{ devture_playbook_help_container_retries_delay }}" until: result is not failed -#- block: -# TODO -# when: "matrix_user_verification_service_container_image_self_build|bool" - - name: Ensure Matrix User Verification Service env file installed ansible.builtin.template: src: "{{ role_path }}/templates/.env.j2" From 0e0ae2f3e6c808e392782bc60b168c7a0cb54ba7 Mon Sep 17 00:00:00 2001 From: jakicoll Date: Mon, 6 Feb 2023 13:04:06 +0100 Subject: [PATCH 07/38] Assign default log level in role instead of matrix_servers file. --- group_vars/matrix_servers | 1 - roles/custom/matrix-user-verification-service/defaults/main.yml | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index b52c74a3b..a5d8c497c 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -3217,7 +3217,6 @@ matrix_user_verification_service_uvs_auth_token: "{{ '%s' | format(matrix_homese # Pin UVS to only check openId Tokens for the matrix_server_name configured by this playbook. # This is not the homeserverURL, but rather the domain in the matrix "user ID" matrix_user_verification_service_uvs_openid_verify_server_name: "{{ matrix_domain }}" -matrix_user_verification_service_uvs_log_level: warning ###################################################################### # diff --git a/roles/custom/matrix-user-verification-service/defaults/main.yml b/roles/custom/matrix-user-verification-service/defaults/main.yml index 2f4b726ca..fd1743941 100644 --- a/roles/custom/matrix-user-verification-service/defaults/main.yml +++ b/roles/custom/matrix-user-verification-service/defaults/main.yml @@ -55,7 +55,7 @@ matrix_user_verification_service_uvs_disable_ip_blacklist: false # Log level, defaults to 'info' # See choices here: https://github.com/winstonjs/winston#logging-levels -# matrix_user_verification_service_uvs_log_level: info +matrix_user_verification_service_uvs_log_level: warning ###################################################################### From 07d9ea5e875a217a44ffde6ba6cdb698a6d67ac7 Mon Sep 17 00:00:00 2001 From: Paul N <92150859+stift-n2@users.noreply.github.com> Date: Mon, 6 Feb 2023 13:06:14 +0100 Subject: [PATCH 08/38] Stick to port 3003 instead of changing the port based on the status of grafana. --- docs/configuring-playbook-user-verification-service.md | 2 +- group_vars/matrix_servers | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/configuring-playbook-user-verification-service.md b/docs/configuring-playbook-user-verification-service.md index e7fc95709..d6468b54c 100644 --- a/docs/configuring-playbook-user-verification-service.md +++ b/docs/configuring-playbook-user-verification-service.md @@ -45,7 +45,7 @@ For a list of all configuration options see the role defaults [`roles/matrix-use But be aware of all the plugging happening in `group_vars/matrix_servers`. In the default configuration, the UVS Server is only reachable via the docker network, which is fine if e.g. Jitsi is also running in a container on the host. -However, it is possible to expose UVS via setting `matrix_user_verification_service_container_http_host_bind_port`. Be aware that the normally used port (3000) may collide with Grafana. +However, it is possible to expose UVS via setting `matrix_user_verification_service_container_http_host_bind_port`. ### Access token diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index a5d8c497c..0a6ae4f39 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -3200,9 +3200,9 @@ matrix_user_verification_service_systemd_required_services_list: | # If Jitsi is managed by this playbook we can use the docker network - no need to expose a port. # If Jitsi is not managed by this playbook, or you otherwise have a need for it, you can expose -# matrix-user-verfification-services's client-server port to the local host. -# Note: If grafana is also enabled, the exposed port is changed to 3003. -matrix_user_verification_service_container_http_host_bind_port: "{{ '' if (matrix_jitsi_enabled | bool and matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix') else '127.0.0.1:' + ('3003' if matrix_nginx_proxy_proxy_grafana_enabled else '3000') }}" +# matrix-user-verfification-services's client-server port to the local host port 3003. +# By default Matrix-User-Verification-Service binds to port 3000, which collides with grafana, therefore this uses port 3003. +matrix_user_verification_service_container_http_host_bind_port: "{{ '' if (matrix_jitsi_enabled | bool and matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix') else '127.0.0.1:3003' }}" # URL exposed in the docker network matrix_user_verification_service_container_url: "http://{{ matrix_user_verification_service_container_name }}:3000" From 50c1e9d695490d59d3b8b6234b44e69e6c48640c Mon Sep 17 00:00:00 2001 From: Paul N <92150859+stift-n2@users.noreply.github.com> Date: Mon, 6 Feb 2023 13:14:34 +0100 Subject: [PATCH 09/38] Set matrix_user_verification_service_uvs_homeserver_url in the role defaults and updated docs accordingly. --- docs/configuring-playbook-user-verification-service.md | 2 +- group_vars/matrix_servers | 2 -- roles/custom/matrix-user-verification-service/defaults/main.yml | 2 +- 3 files changed, 2 insertions(+), 4 deletions(-) diff --git a/docs/configuring-playbook-user-verification-service.md b/docs/configuring-playbook-user-verification-service.md index d6468b54c..82e4e84e4 100644 --- a/docs/configuring-playbook-user-verification-service.md +++ b/docs/configuring-playbook-user-verification-service.md @@ -49,7 +49,7 @@ However, it is possible to expose UVS via setting `matrix_user_verification_serv ### Access token -The Synapse Access Token is used to verify RoomMembership and PowerLevel against the configured homeserver_url (which is plugged in group_vars). +The Synapse Access Token is used to verify RoomMembership and PowerLevel against `matrix_user_verification_service_uvs_homeserver_url`. We recommend that you create a dedicated Matrix user for uvs (`uvs` is a good username). Follow our [Registering users](registering-users.md) guide to register a user with administration privileges. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 0a6ae4f39..8cd9baa92 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -3207,8 +3207,6 @@ matrix_user_verification_service_container_http_host_bind_port: "{{ '' if (matr # URL exposed in the docker network matrix_user_verification_service_container_url: "http://{{ matrix_user_verification_service_container_name }}:3000" -# Set the homeserver URL to the container name if synapse is managed by this playbook -matrix_user_verification_service_uvs_homeserver_url: "{{ matrix_homeserver_container_url if matrix_synapse_enabled }}" # We connect via the container network (private IPs), so we need to disable IP checks matrix_user_verification_service_uvs_disable_ip_blacklist: "{{'true' if matrix_synapse_enabled else 'false'}}" diff --git a/roles/custom/matrix-user-verification-service/defaults/main.yml b/roles/custom/matrix-user-verification-service/defaults/main.yml index fd1743941..2b2cbcb26 100644 --- a/roles/custom/matrix-user-verification-service/defaults/main.yml +++ b/roles/custom/matrix-user-verification-service/defaults/main.yml @@ -37,7 +37,7 @@ matrix_user_verification_service_systemd_service_name: "{{ matrix_user_verificat # matrix_user_verification_service_uvs_access_token: # homeserver client api url -# matrix_user_verification_service_uvs_homeserver_url: "" +matrix_user_verification_service_uvs_homeserver_url: "{{ matrix_homeserver_container_url }}" # disable check for non private ip range of homeserver. e.g. set to `true` if your homeserver domain resolves to a private ip. matrix_user_verification_service_uvs_disable_ip_blacklist: false From 1d99f17b4a32c724dd7ecf8a1cd36f0b7361f383 Mon Sep 17 00:00:00 2001 From: Paul N <92150859+stift-n2@users.noreply.github.com> Date: Mon, 6 Feb 2023 13:23:11 +0100 Subject: [PATCH 10/38] Disable matrix-user-verification-service in group_vars and update docs accordingly. --- docs/configuring-playbook-jitsi.md | 1 + docs/configuring-playbook-user-verification-service.md | 2 +- group_vars/matrix_servers | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-jitsi.md b/docs/configuring-playbook-jitsi.md index f51f8fc12..6c787bdb4 100644 --- a/docs/configuring-playbook-jitsi.md +++ b/docs/configuring-playbook-jitsi.md @@ -79,6 +79,7 @@ To enable set this configuration at host level: ```yaml matrix_jitsi_enable_auth: true matrix_jitsi_auth_type: "matrix" +matrix_user_verification_service_enabled: true ``` For more information see also [https://github.com/matrix-org/prosody-mod-auth-matrix-user-verification](https://github.com/matrix-org/prosody-mod-auth-matrix-user-verification). diff --git a/docs/configuring-playbook-user-verification-service.md b/docs/configuring-playbook-user-verification-service.md index 82e4e84e4..1990e8919 100644 --- a/docs/configuring-playbook-user-verification-service.md +++ b/docs/configuring-playbook-user-verification-service.md @@ -30,7 +30,7 @@ In order to use UVS, an admin token for the configured homeserver must be suppli ## Enable -[Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service) installation is disabled by default unless required by Jitsi (see group_vars/matrix_servers). +[Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service) installation is disabled by default. You can enable it in your configuration file (`inventory/host_vars/matrix./vars.yml`): ```yaml diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 8cd9baa92..1bd1c1d3d 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -3188,7 +3188,7 @@ matrix_user_creator_users_auto: | matrix_user_verification_service_docker_image: "{{ matrix_user_verification_service_docker_image_name_prefix }}matrixdotorg/matrix-user-verification-service@sha256:d2aabc984dd69d258c91900c36928972d7aaef19d776caa3cd6a0fbc0e307270" # enable if jitsi is managed by this playbook and requires JWT auth -matrix_user_verification_service_enabled: "{{ (matrix_jitsi_enabled | bool and matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix') }}" +matrix_user_verification_service_enabled: false matrix_user_verification_service_systemd_required_services_list: | {{ ['docker.service'] From 6499b6536abe94e28a661b5e1e32751e90d47043 Mon Sep 17 00:00:00 2001 From: jakicoll Date: Mon, 6 Feb 2023 15:18:25 +0100 Subject: [PATCH 11/38] Decoupling: Do not use variables user-verification-service role inside the jitsi role. --- group_vars/matrix_servers | 1 + roles/custom/matrix-jitsi/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 1bd1c1d3d..cabe35615 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1949,6 +1949,7 @@ matrix_jitsi_etherpad_base: "{{ matrix_etherpad_base_url if matrix_etherpad_enab # Allow verification using JWT and matrix-UVS matrix_jitsi_prosody_auth_matrix_uvs_auth_token: "{{ matrix_user_verification_service_uvs_auth_token }}" +matrix_jitsi_prosody_auth_matrix_uvs_location: "{{ matrix_user_verification_service_container_url }}" matrix_jitsi_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}" diff --git a/roles/custom/matrix-jitsi/defaults/main.yml b/roles/custom/matrix-jitsi/defaults/main.yml index 1f8502c84..d97689ea5 100644 --- a/roles/custom/matrix-jitsi/defaults/main.yml +++ b/roles/custom/matrix-jitsi/defaults/main.yml @@ -56,7 +56,7 @@ matrix_jitsi_prosody_auth_matrix_user_verification_repo_location: "https://githu matrix_jitsi_prosody_auth_matrix_user_verification_repo_target: "{{ matrix_jitsi_prosody_ext_path }}/prosody_auth_matrix_user_verification" matrix_jitsi_prosody_auth_matrix_user_verification_repo_version: "2839499cb03894d8cfc3e5b2219441427cb133d8" # v1.8.0 matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels: true -matrix_jitsi_prosody_auth_matrix_uvs_location: "{{ matrix_user_verification_service_container_url }}" +matrix_jitsi_prosody_auth_matrix_uvs_location: "" # Should match domain, see https://github.com/vector-im/element-web/pull/15114/commits/0410a6b3be82a41457275e4d1ce879dea146e092 matrix_jitsi_prosody_auth_matrix_jwt_app_id: "{{ matrix_server_fqn_jitsi }}" matrix_jitsi_prosody_auth_matrix_files: From 6b206b3763cebd721fa6cfd5e55c35685e2070e3 Mon Sep 17 00:00:00 2001 From: jakicoll Date: Mon, 6 Feb 2023 15:21:10 +0100 Subject: [PATCH 12/38] Move checks into validate_config.yml. --- .../matrix-user-verification-service/tasks/main.yml | 9 ++------- .../tasks/validate_config.yml | 8 ++++++++ 2 files changed, 10 insertions(+), 7 deletions(-) create mode 100644 roles/custom/matrix-user-verification-service/tasks/validate_config.yml diff --git a/roles/custom/matrix-user-verification-service/tasks/main.yml b/roles/custom/matrix-user-verification-service/tasks/main.yml index 0f51d6cc5..926860362 100644 --- a/roles/custom/matrix-user-verification-service/tasks/main.yml +++ b/roles/custom/matrix-user-verification-service/tasks/main.yml @@ -1,13 +1,8 @@ --- -- name: verify all necessary variables are present - assert: - that: - - matrix_user_verification_service_uvs_access_token is defined and matrix_user_verification_service_uvs_access_token|length - - matrix_user_verification_service_uvs_homeserver_url is defined and matrix_user_verification_service_uvs_homeserver_url|length - fail_msg: "Missing variable in {{ matrix_user_verification_service_ansible_name }} role" - - block: + - when: matrix_jitsi_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - when: run_setup | bool and matrix_user_verification_service_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" tags: diff --git a/roles/custom/matrix-user-verification-service/tasks/validate_config.yml b/roles/custom/matrix-user-verification-service/tasks/validate_config.yml new file mode 100644 index 000000000..e4349fa6b --- /dev/null +++ b/roles/custom/matrix-user-verification-service/tasks/validate_config.yml @@ -0,0 +1,8 @@ +--- + +- name: verify all necessary variables are present + assert: + that: + - matrix_user_verification_service_uvs_access_token is defined and matrix_user_verification_service_uvs_access_token|length + - matrix_user_verification_service_uvs_homeserver_url is defined and matrix_user_verification_service_uvs_homeserver_url|length + fail_msg: "Missing variable in {{ matrix_user_verification_service_ansible_name }} role" From d67d8c07f5dde9a8ff702416529bd9d6d5533260 Mon Sep 17 00:00:00 2001 From: Paul N <92150859+stift-n2@users.noreply.github.com> Date: Mon, 6 Feb 2023 15:11:20 +0100 Subject: [PATCH 13/38] Remove remnant comment. --- group_vars/matrix_servers | 1 - 1 file changed, 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index cabe35615..060ffbcaa 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -3188,7 +3188,6 @@ matrix_user_creator_users_auto: | ## FIXME: Needs to be updated when there is a proper release by upstream. matrix_user_verification_service_docker_image: "{{ matrix_user_verification_service_docker_image_name_prefix }}matrixdotorg/matrix-user-verification-service@sha256:d2aabc984dd69d258c91900c36928972d7aaef19d776caa3cd6a0fbc0e307270" -# enable if jitsi is managed by this playbook and requires JWT auth matrix_user_verification_service_enabled: false matrix_user_verification_service_systemd_required_services_list: | {{ From 96dd86d33b943c381d5ffebca256b2bdec9a1780 Mon Sep 17 00:00:00 2001 From: Paul N <92150859+stift-n2@users.noreply.github.com> Date: Mon, 6 Feb 2023 15:19:58 +0100 Subject: [PATCH 14/38] Set default values where sensible and remove unnecessary conditionals in .env.j2. Check for empty string instead of Null to verify if an openid_server_name is pinned. --- ...onfiguring-playbook-user-verification-service.md | 4 ++-- group_vars/matrix_servers | 4 ---- .../defaults/main.yml | 13 +++++++------ .../templates/.env.j2 | 11 +++-------- 4 files changed, 12 insertions(+), 20 deletions(-) diff --git a/docs/configuring-playbook-user-verification-service.md b/docs/configuring-playbook-user-verification-service.md index 1990e8919..451f54f4b 100644 --- a/docs/configuring-playbook-user-verification-service.md +++ b/docs/configuring-playbook-user-verification-service.md @@ -81,10 +81,10 @@ In case Jitsi is also managed by this playbook and 'matrix' authentication in Ji In theory (however currently untested), UVS can handle federation. Simply set: ```yaml -matrix_user_verification_service_uvs_openid_verify_server_name: ~ +matrix_user_verification_service_uvs_openid_verify_server_name: "" ``` -using host_vars to override the group_vars. +in your host_vars. This will instruct UVS to verify the OpenID token against any domain given in a request. Homeserver discovery is done via '.well-known/matrix/server' of the given domain. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 060ffbcaa..988af72e0 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -3212,10 +3212,6 @@ matrix_user_verification_service_uvs_disable_ip_blacklist: "{{'true' if matrix_s matrix_user_verification_service_uvs_auth_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'uvs.auth.token', rounds=655555) | to_uuid }}" -# Pin UVS to only check openId Tokens for the matrix_server_name configured by this playbook. -# This is not the homeserverURL, but rather the domain in the matrix "user ID" -matrix_user_verification_service_uvs_openid_verify_server_name: "{{ matrix_domain }}" - ###################################################################### # # /matrix-user-verification-service diff --git a/roles/custom/matrix-user-verification-service/defaults/main.yml b/roles/custom/matrix-user-verification-service/defaults/main.yml index 2b2cbcb26..cdef8f399 100644 --- a/roles/custom/matrix-user-verification-service/defaults/main.yml +++ b/roles/custom/matrix-user-verification-service/defaults/main.yml @@ -48,14 +48,15 @@ matrix_user_verification_service_uvs_disable_ip_blacklist: false # need have the header "Authorization: Bearer changeme". # matrix_user_verification_service_uvs_auth_token: changeme -# Matrix server name to verify OpenID tokens against. See below section. -# Defaults to empty value which means verification is made against -# whatever Matrix server name passed in with the token -# matrix_user_verification_service_uvs_openid_verify_server_name: matrix.org +# Matrix server name to verify OpenID tokens against. +# Pin UVS to only check openId Tokens for the matrix_server_name configured by this playbook. +# This is not the homeserverURL, but rather the domain in the matrix "user ID" +# UVS can also be instructed to verify against the Matrix server name passed in the token, to enable set to "" +matrix_user_verification_service_uvs_openid_verify_server_name: "{{ matrix_domain }}" -# Log level, defaults to 'info' +# Log level # See choices here: https://github.com/winstonjs/winston#logging-levels -matrix_user_verification_service_uvs_log_level: warning +matrix_user_verification_service_uvs_log_level: info ###################################################################### diff --git a/roles/custom/matrix-user-verification-service/templates/.env.j2 b/roles/custom/matrix-user-verification-service/templates/.env.j2 index b2f2aaab8..8119c1e98 100644 --- a/roles/custom/matrix-user-verification-service/templates/.env.j2 +++ b/roles/custom/matrix-user-verification-service/templates/.env.j2 @@ -1,14 +1,9 @@ UVS_ACCESS_TOKEN={{ matrix_user_verification_service_uvs_access_token }} UVS_HOMESERVER_URL={{ matrix_user_verification_service_uvs_homeserver_url }} UVS_DISABLE_IP_BLACKLIST={{ matrix_user_verification_service_uvs_disable_ip_blacklist }} - -{% if matrix_user_verification_service_uvs_auth_token is defined and matrix_user_verification_service_uvs_auth_token|length %} - UVS_AUTH_TOKEN={{ matrix_user_verification_service_uvs_auth_token }} -{% endif %} -{% if matrix_user_verification_service_uvs_openid_verify_server_name is defined and matrix_user_verification_service_uvs_openid_verify_server_name|length %} +UVS_LOG_LEVEL={{ matrix_user_verification_service_uvs_log_level }} +UVS_AUTH_TOKEN={{ matrix_user_verification_service_uvs_auth_token }} +{% if matrix_user_verification_service_uvs_openid_verify_server_name | length > 0 %} UVS_OPENID_VERIFY_SERVER_NAME={{ matrix_user_verification_service_uvs_openid_verify_server_name }} {% endif %} -{% if matrix_user_verification_service_uvs_log_level is defined and matrix_user_verification_service_uvs_log_level|length %} - UVS_LOG_LEVEL={{ matrix_user_verification_service_uvs_log_level }} -{% endif %} From 70bea81df753f281ae844239529b3b6bc94c95cc Mon Sep 17 00:00:00 2001 From: Paul N <92150859+stift-n2@users.noreply.github.com> Date: Mon, 6 Feb 2023 15:59:32 +0100 Subject: [PATCH 15/38] Introduced flags to (1) enable/disable Auth (2) enable/disable openid_server_name pinning. Updated validate_config.yml and added new checks to verify. --- ...ring-playbook-user-verification-service.md | 15 +++++++++--- .../defaults/main.yml | 12 ++++++---- .../tasks/validate_config.yml | 23 ++++++++++++++++--- .../templates/.env.j2 | 6 +++-- 4 files changed, 44 insertions(+), 12 deletions(-) diff --git a/docs/configuring-playbook-user-verification-service.md b/docs/configuring-playbook-user-verification-service.md index 451f54f4b..d33c7147d 100644 --- a/docs/configuring-playbook-user-verification-service.md +++ b/docs/configuring-playbook-user-verification-service.md @@ -63,9 +63,9 @@ To get an access token for the UVS user, you can follow the documentation on [ho matrix_user_verification_service_uvs_access_token: "YOUR ACCESS TOKEN HERE" ``` -### (Optional) Auth Token +### (Optional) Custom Auth Token -It is possible to set an API Auth Token to restrict access to the UVS. If this is set, anyone making a request to UVS must provide it via the header "Authorization: Bearer TOKEN" +It is possible to set an API Auth Token to restrict access to the UVS. If this is enabled, anyone making a request to UVS must provide it via the header "Authorization: Bearer TOKEN" By default, the token will be derived from `matrix_homeserver_generic_secret_key` in `group_vars/matrix_servers`. To set your own Token, simply put the following in your host_vars. @@ -76,12 +76,21 @@ matrix_user_verification_service_uvs_auth_token: "TOKEN" In case Jitsi is also managed by this playbook and 'matrix' authentication in Jitsi is enabled, this collection will automatically configure Jitsi to use the configured auth token. +### (Optional) Disable Auth +Authorization is enabled by default. To disable set + +```yaml +matrix_user_verification_service_uvs_require_auth: false +``` + +in your host_vars. + ### (Optional) Federation In theory (however currently untested), UVS can handle federation. Simply set: ```yaml -matrix_user_verification_service_uvs_openid_verify_server_name: "" +matrix_user_verification_service_uvs_pin_openid_verify_server_name: false ``` in your host_vars. diff --git a/roles/custom/matrix-user-verification-service/defaults/main.yml b/roles/custom/matrix-user-verification-service/defaults/main.yml index cdef8f399..6f7be0d1f 100644 --- a/roles/custom/matrix-user-verification-service/defaults/main.yml +++ b/roles/custom/matrix-user-verification-service/defaults/main.yml @@ -43,13 +43,17 @@ matrix_user_verification_service_uvs_disable_ip_blacklist: false ## OPTIONAL +# Require an Auth-Token with API calls. If set to false, UVS will reply to any API call. +# The Auth-Token is defined via: matrix_user_verification_service_uvs_auth_token +matrix_user_verification_service_uvs_require_auth: true # Auth token to protect the API -# If this is set any calls to the provided API endpoints -# need have the header "Authorization: Bearer changeme". -# matrix_user_verification_service_uvs_auth_token: changeme +# If enabled any calls to the provided API endpoints need have the header "Authorization: Bearer TOKEN". +# A Token will be derived from matrix_homeserver_generic_secret_key in group_vars/matrix_servers +matrix_user_verification_service_uvs_auth_token: '' -# Matrix server name to verify OpenID tokens against. # Pin UVS to only check openId Tokens for the matrix_server_name configured by this playbook. +matrix_user_verification_service_uvs_pin_openid_verify_server_name: true +# Matrix server name to verify OpenID tokens against. # This is not the homeserverURL, but rather the domain in the matrix "user ID" # UVS can also be instructed to verify against the Matrix server name passed in the token, to enable set to "" matrix_user_verification_service_uvs_openid_verify_server_name: "{{ matrix_domain }}" diff --git a/roles/custom/matrix-user-verification-service/tasks/validate_config.yml b/roles/custom/matrix-user-verification-service/tasks/validate_config.yml index e4349fa6b..40e9090cb 100644 --- a/roles/custom/matrix-user-verification-service/tasks/validate_config.yml +++ b/roles/custom/matrix-user-verification-service/tasks/validate_config.yml @@ -1,8 +1,25 @@ --- -- name: verify all necessary variables are present +- name: Verify homeserver_url is not empty assert: that: - - matrix_user_verification_service_uvs_access_token is defined and matrix_user_verification_service_uvs_access_token|length - - matrix_user_verification_service_uvs_homeserver_url is defined and matrix_user_verification_service_uvs_homeserver_url|length + - matrix_user_verification_service_uvs_homeserver_url|length > 0 fail_msg: "Missing variable in {{ matrix_user_verification_service_ansible_name }} role" + +- name: Verify Auth is configured properly or disabled + assert: + that: + - matrix_user_verification_service_uvs_access_token|length > 0 or not matrix_user_verification_service_uvs_require_auth|bool + fail_msg: "If Auth is enabled, a valid (non empty) TOKEN must be given in 'matrix_user_verification_service_uvs_access_token'." + +- name: Verify server_name for openid verification is given, if pinning a single server_name is enabled. + assert: + that: + - matrix_user_verification_service_uvs_openid_verify_server_name|length > 0 or not matrix_user_verification_service_uvs_pin_openid_verify_server_name|bool + fail_msg: "If pinning a single server_name is enabled, a valid (non empty) server_name must be given in 'matrix_user_verification_service_uvs_openid_verify_server_name'." + +- name: Verify the homeserver implementation is synapse + assert: + that: + - matrix_homeserver_implementation == 'synapse' + fail_msg: "The User-Verification-Service requires Synapse as homeserver implementation" diff --git a/roles/custom/matrix-user-verification-service/templates/.env.j2 b/roles/custom/matrix-user-verification-service/templates/.env.j2 index 8119c1e98..359eed2a1 100644 --- a/roles/custom/matrix-user-verification-service/templates/.env.j2 +++ b/roles/custom/matrix-user-verification-service/templates/.env.j2 @@ -2,8 +2,10 @@ UVS_ACCESS_TOKEN={{ matrix_user_verification_service_uvs_access_token }} UVS_HOMESERVER_URL={{ matrix_user_verification_service_uvs_homeserver_url }} UVS_DISABLE_IP_BLACKLIST={{ matrix_user_verification_service_uvs_disable_ip_blacklist }} UVS_LOG_LEVEL={{ matrix_user_verification_service_uvs_log_level }} -UVS_AUTH_TOKEN={{ matrix_user_verification_service_uvs_auth_token }} -{% if matrix_user_verification_service_uvs_openid_verify_server_name | length > 0 %} +{% if matrix_user_verification_service_uvs_require_auth | bool %} + UVS_AUTH_TOKEN={{ matrix_user_verification_service_uvs_auth_token }} +{% endif %} +{% if matrix_user_verification_service_uvs_pin_openid_verify_server_name | bool %} UVS_OPENID_VERIFY_SERVER_NAME={{ matrix_user_verification_service_uvs_openid_verify_server_name }} {% endif %} From 7848d865a50eb95d18f9b330a6e53bbef492986c Mon Sep 17 00:00:00 2001 From: jakicoll Date: Mon, 6 Feb 2023 16:15:06 +0100 Subject: [PATCH 16/38] Also define the vars to be overwritten in group vars within the role vars. --- roles/custom/matrix-jitsi/defaults/main.yml | 2 +- .../custom/matrix-user-verification-service/defaults/main.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/custom/matrix-jitsi/defaults/main.yml b/roles/custom/matrix-jitsi/defaults/main.yml index d97689ea5..25a0e9b2d 100644 --- a/roles/custom/matrix-jitsi/defaults/main.yml +++ b/roles/custom/matrix-jitsi/defaults/main.yml @@ -66,7 +66,7 @@ matrix_jitsi_prosody_auth_matrix_files: when: "{{ matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels }}" # Plugged in group_vars -#matrix_jitsi_prosody_auth_matrix_uvs_auth_token: +matrix_jitsi_prosody_auth_matrix_uvs_auth_token: '' matrix_jitsi_timezone: UTC diff --git a/roles/custom/matrix-user-verification-service/defaults/main.yml b/roles/custom/matrix-user-verification-service/defaults/main.yml index 6f7be0d1f..38304f6d1 100644 --- a/roles/custom/matrix-user-verification-service/defaults/main.yml +++ b/roles/custom/matrix-user-verification-service/defaults/main.yml @@ -21,8 +21,8 @@ matrix_user_verification_service_docker_image: "{{ matrix_user_verification_serv matrix_user_verification_service_docker_image_force_pull: "{{ matrix_user_verification_service_docker_image.endswith(':latest') }}" matrix_user_verification_service_container_name: "matrix-user-verification-service" -# Normally this would run on port 3000 however that may conflict with grafana. It is thus advised to change this port. -#matrix_user_verification_service_container_http_host_bind_port: +# This will be set in group vars +matrix_user_verification_service_container_http_host_bind_port: '' matrix_user_verification_service_container_extra_arguments: [] # Systemd matrix_user_verification_service_systemd_required_services_list: [] From f3ca4a06322442fe846d514847b1d2b6a1a5e98e Mon Sep 17 00:00:00 2001 From: jakicoll Date: Mon, 6 Feb 2023 16:16:36 +0100 Subject: [PATCH 17/38] Remove unnecessary comment. --- .../defaults/main.yml | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/roles/custom/matrix-user-verification-service/defaults/main.yml b/roles/custom/matrix-user-verification-service/defaults/main.yml index 38304f6d1..c6781fdc4 100644 --- a/roles/custom/matrix-user-verification-service/defaults/main.yml +++ b/roles/custom/matrix-user-verification-service/defaults/main.yml @@ -61,21 +61,3 @@ matrix_user_verification_service_uvs_openid_verify_server_name: "{{ matrix_domai # Log level # See choices here: https://github.com/winstonjs/winston#logging-levels matrix_user_verification_service_uvs_log_level: info - - -###################################################################### -##### ##### -##### Variables used in this role which are not set by this role ##### -##### ##### -###################################################################### - -# matrix_user_username -# matrix_user_groupname -# matrix_user_uid -# matrix_user_gid -# matrix_container_global_registry_prefix -# matrix_docker_network -# devture_systemd_docker_base_systemd_path -# devture_systemd_docker_base_systemd_unit_home_path -# devture_systemd_docker_base_host_command_sh -# devture_systemd_docker_base_host_command_docker From be634168ac4be065e3bac7868b98fe7a30b75a9e Mon Sep 17 00:00:00 2001 From: jakicoll Date: Mon, 6 Feb 2023 16:29:25 +0100 Subject: [PATCH 18/38] Make the linter happy. --- roles/custom/matrix-jitsi/defaults/main.yml | 2 +- .../tasks/util/setup_jitsi_auth_uvs_install.yml | 4 +++- .../tasks/util/setup_jitsi_auth_uvs_uninstall.yml | 8 +++++--- roles/custom/matrix-jitsi/tasks/validate_config.yml | 1 - .../matrix-user-verification-service/handlers/main.yml | 2 +- .../tasks/setup_install.yml | 2 +- .../tasks/setup_uninstall.yml | 2 +- 7 files changed, 12 insertions(+), 9 deletions(-) diff --git a/roles/custom/matrix-jitsi/defaults/main.yml b/roles/custom/matrix-jitsi/defaults/main.yml index 25a0e9b2d..66d06e3b7 100644 --- a/roles/custom/matrix-jitsi/defaults/main.yml +++ b/roles/custom/matrix-jitsi/defaults/main.yml @@ -54,7 +54,7 @@ matrix_jitsi_ldap_start_tls: false # Auth type: matrix matrix_jitsi_prosody_auth_matrix_user_verification_repo_location: "https://github.com/matrix-org/prosody-mod-auth-matrix-user-verification" matrix_jitsi_prosody_auth_matrix_user_verification_repo_target: "{{ matrix_jitsi_prosody_ext_path }}/prosody_auth_matrix_user_verification" -matrix_jitsi_prosody_auth_matrix_user_verification_repo_version: "2839499cb03894d8cfc3e5b2219441427cb133d8" # v1.8.0 +matrix_jitsi_prosody_auth_matrix_user_verification_repo_version: "2839499cb03894d8cfc3e5b2219441427cb133d8" # v1.8.0 matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels: true matrix_jitsi_prosody_auth_matrix_uvs_location: "" # Should match domain, see https://github.com/vector-im/element-web/pull/15114/commits/0410a6b3be82a41457275e4d1ce879dea146e092 diff --git a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml index 36f334253..f1d9ff210 100644 --- a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml +++ b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml @@ -1,3 +1,5 @@ +--- + - name: Checkout Prosody Auth Matrix User Verification Plugin Repo ansible.builtin.git: repo: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_location }}" @@ -6,7 +8,7 @@ - name: Install Prosody Auth Matrix User Verification Plugin ansible.builtin.copy: - remote_src: yes + remote_src: true src: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}/{{ item.path }}" dest: "{{ matrix_jitsi_prosody_plugins_path }}/{{ item.path }}" with_items: "{{ matrix_jitsi_prosody_auth_matrix_files }}" diff --git a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml index 2ba793eca..229ce896e 100644 --- a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml +++ b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml @@ -1,3 +1,5 @@ +--- + - name: Remove all files regarding prosody mod auth_matrix_user_verification and .well-known/element/jitsi ansible.builtin.file: path: "{{ item }}" @@ -11,10 +13,10 @@ - name: Remove .well-known/element directory if empty ansible.builtin.command: argv: - - rmdir - - "{{ matrix_static_files_base_path }}/.well-known/element" + - rmdir + - "{{ matrix_static_files_base_path }}/.well-known/element" removes: "{{matrix_static_files_base_path}}/.well-known/element" - ignore_errors: yes + ignore_errors: true - when: matrix_jitsi_prosody_auth_matrix_user_verification_uninstalled.changed block: diff --git a/roles/custom/matrix-jitsi/tasks/validate_config.yml b/roles/custom/matrix-jitsi/tasks/validate_config.yml index 5975a605b..f975e4ac9 100644 --- a/roles/custom/matrix-jitsi/tasks/validate_config.yml +++ b/roles/custom/matrix-jitsi/tasks/validate_config.yml @@ -45,7 +45,6 @@ or (matrix_jitsi_auth_type == 'matrix' and matrix_jitsi_prosody_auth_matrix_uvs_auth_token|length == 0)) - - name: (Deprecation) Catch and report renamed settings ansible.builtin.fail: msg: >- diff --git a/roles/custom/matrix-user-verification-service/handlers/main.yml b/roles/custom/matrix-user-verification-service/handlers/main.yml index a1ad1f31e..b9ee66d73 100644 --- a/roles/custom/matrix-user-verification-service/handlers/main.yml +++ b/roles/custom/matrix-user-verification-service/handlers/main.yml @@ -2,5 +2,5 @@ - name: Ensure systemd reloaded after matrix-user-verification-service.service installation service: - daemon_reload: yes + daemon_reload: true listen: "reload matrix-user-verification-service" diff --git a/roles/custom/matrix-user-verification-service/tasks/setup_install.yml b/roles/custom/matrix-user-verification-service/tasks/setup_install.yml index 24b8b811a..d095c4101 100644 --- a/roles/custom/matrix-user-verification-service/tasks/setup_install.yml +++ b/roles/custom/matrix-user-verification-service/tasks/setup_install.yml @@ -8,7 +8,7 @@ owner: "{{ matrix_user_username }}" group: "{{ matrix_user_groupname }}" with_items: - - { path: "{{ matrix_user_verification_service_config_path }}", when: true } + - {path: "{{ matrix_user_verification_service_config_path }}", when: true} when: item.when | bool - name: Ensure Matrix User Verification Service image is pulled diff --git a/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml b/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml index 5daafd3d8..bc09f7ef2 100644 --- a/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml @@ -11,7 +11,7 @@ service: name: "{{ matrix_user_verification_service_systemd_service_basename }}" state: stopped - daemon_reload: yes + daemon_reload: true register: stopping_result - name: Ensure matrix-user-verification-service.service doesn't exist From 6cffec14eabf6cf1001684ff7bd88c3c67ba6444 Mon Sep 17 00:00:00 2001 From: jakicoll Date: Mon, 6 Feb 2023 16:36:49 +0100 Subject: [PATCH 19/38] fixup! Remove the self-build stub, because self-build was not implemented --- roles/custom/matrix-user-verification-service/defaults/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/custom/matrix-user-verification-service/defaults/main.yml b/roles/custom/matrix-user-verification-service/defaults/main.yml index c6781fdc4..52b30a28a 100644 --- a/roles/custom/matrix-user-verification-service/defaults/main.yml +++ b/roles/custom/matrix-user-verification-service/defaults/main.yml @@ -10,8 +10,6 @@ matrix_user_verification_service_version: "v2.0.0" # Paths matrix_user_verification_service_base_path: "{{ matrix_base_data_path }}/user-verification-service" -# We need the docker src directory to be named user_verification_service. See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/588 -matrix_user_verification_service_docker_src_files_path: "{{ matrix_user_verification_service_base_path }}/docker-src/user-verification-service" matrix_user_verification_service_config_path: "{{ matrix_user_verification_service_base_path }}/config" matrix_user_verification_service_config_env_file: "{{ matrix_user_verification_service_config_path }}/.env" From 6a205a83f616f0217b2cbd90f1c193b5ef19bf64 Mon Sep 17 00:00:00 2001 From: jakicoll Date: Mon, 6 Feb 2023 17:20:13 +0100 Subject: [PATCH 20/38] Change renamed variables matrix_systemd_path -> devture_systemd_docker_base_systemd_path --- .../tasks/setup_uninstall.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml b/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml index bc09f7ef2..172bf1863 100644 --- a/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml @@ -2,7 +2,7 @@ - name: Check existence of matrix-user-verification-service service stat: - path: "{{ matrix_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}" + path: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}" register: matrix_user_verification_service_service_stat - when: matrix_user_verification_service_service_stat.stat.exists | bool @@ -16,7 +16,7 @@ - name: Ensure matrix-user-verification-service.service doesn't exist file: - path: "{{ matrix_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}" + path: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}" state: absent - name: Ensure Matrix user-verification-service paths don't exist From 563cf1a4bafcfe84d3166133e6ed41140949d050 Mon Sep 17 00:00:00 2001 From: Catalan Lover Date: Wed, 8 Feb 2023 16:44:12 +0100 Subject: [PATCH 21/38] Initial commit for draupnir. main.yml is not included due to that its changed separately. --- .../custom/matrix-bot-draupnir/tasks/main.yml | 20 ++ .../tasks/setup_install.yml | 74 ++++++ .../tasks/setup_uninstall.yml | 25 ++ .../tasks/validate_config.yml | 9 + .../templates/production.yaml.j2 | 246 ++++++++++++++++++ .../systemd/matrix-bot-mjolnir.service.j2 | 42 +++ 6 files changed, 416 insertions(+) create mode 100644 roles/custom/matrix-bot-draupnir/tasks/main.yml create mode 100644 roles/custom/matrix-bot-draupnir/tasks/setup_install.yml create mode 100644 roles/custom/matrix-bot-draupnir/tasks/setup_uninstall.yml create mode 100644 roles/custom/matrix-bot-draupnir/tasks/validate_config.yml create mode 100644 roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 create mode 100644 roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-mjolnir.service.j2 diff --git a/roles/custom/matrix-bot-draupnir/tasks/main.yml b/roles/custom/matrix-bot-draupnir/tasks/main.yml new file mode 100644 index 000000000..686fe298c --- /dev/null +++ b/roles/custom/matrix-bot-draupnir/tasks/main.yml @@ -0,0 +1,20 @@ +--- + +- block: + - when: matrix_bot_draupnir_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + + - when: matrix_bot_draupnir_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" + tags: + - setup-all + - setup-bot-draupnir + - install-all + - install-bot-draupnir + +- block: + - when: not matrix_bot_draupnir_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" + tags: + - setup-all + - setup-bot-draupnir diff --git a/roles/custom/matrix-bot-draupnir/tasks/setup_install.yml b/roles/custom/matrix-bot-draupnir/tasks/setup_install.yml new file mode 100644 index 000000000..4808f71fc --- /dev/null +++ b/roles/custom/matrix-bot-draupnir/tasks/setup_install.yml @@ -0,0 +1,74 @@ +--- + +- ansible.builtin.set_fact: + matrix_bot_draupnir_requires_restart: false + +- name: Ensure matrix-bot-draupnir paths exist + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + mode: 0750 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + with_items: + - {path: "{{ matrix_bot_draupnir_base_path }}", when: true} + - {path: "{{ matrix_bot_draupnir_config_path }}", when: true} + - {path: "{{ matrix_bot_draupnir_data_path }}", when: true} + - {path: "{{ matrix_bot_draupnir_docker_src_files_path }}", when: "{{ matrix_bot_draupnir_container_image_self_build }}"} + when: "item.when | bool" + +- name: Ensure draupnir Docker image is pulled + community.docker.docker_image: + name: "{{ matrix_bot_draupnir_docker_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_bot_draupnir_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_draupnir_docker_image_force_pull }}" + when: "not matrix_bot_draupnir_container_image_self_build | bool" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + +- name: Ensure draupnir repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_bot_draupnir_container_image_self_build_repo }}" + dest: "{{ matrix_bot_draupnir_docker_src_files_path }}" + version: "{{ matrix_bot_draupnir_docker_image.split(':')[1] }}" + force: "yes" + become: true + become_user: "{{ matrix_user_username }}" + register: matrix_bot_draupnir_git_pull_results + when: "matrix_bot_draupnir_container_image_self_build | bool" + +- name: Ensure draupnir Docker image is built + community.docker.docker_image: + name: "{{ matrix_bot_draupnir_docker_image }}" + source: build + force_source: "{{ matrix_bot_draupnir_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_bot_draupnir_docker_src_files_path }}" + pull: true + when: "matrix_bot_draupnir_container_image_self_build | bool" + +- name: Ensure matrix-bot-draupnir config installed + ansible.builtin.copy: + content: "{{ matrix_bot_draupnir_configuration | to_nice_yaml(indent=2, width=999999) }}" + dest: "{{ matrix_bot_draupnir_config_path }}/production.yaml" + mode: 0644 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + +- name: Ensure matrix-bot-draupnir.service installed + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-bot-draupnir.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-draupnir.service" + mode: 0644 + register: matrix_bot_draupnir_systemd_service_result + +- name: Ensure matrix-bot-draupnir.service restarted, if necessary + ansible.builtin.service: + name: "matrix-bot-draupnir.service" + state: restarted + daemon_reload: true + when: "matrix_bot_draupnir_requires_restart | bool" diff --git a/roles/custom/matrix-bot-draupnir/tasks/setup_uninstall.yml b/roles/custom/matrix-bot-draupnir/tasks/setup_uninstall.yml new file mode 100644 index 000000000..10583a0bc --- /dev/null +++ b/roles/custom/matrix-bot-draupnir/tasks/setup_uninstall.yml @@ -0,0 +1,25 @@ +--- + +- name: Check existence of matrix-bot-draupnir service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-draupnir.service" + register: matrix_bot_draupnir_service_stat + +- when: matrix_bot_draupnir_service_stat.stat.exists | bool + block: + - name: Ensure matrix-bot-draupnir is stopped + ansible.builtin.service: + name: matrix-bot-draupnir + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure matrix-bot-draupnir.service doesn't exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-draupnir.service" + state: absent + + - name: Ensure matrix-bot-draupnir paths don't exist + ansible.builtin.file: + path: "{{ matrix_bot_draupnir_base_path }}" + state: absent diff --git a/roles/custom/matrix-bot-draupnir/tasks/validate_config.yml b/roles/custom/matrix-bot-draupnir/tasks/validate_config.yml new file mode 100644 index 000000000..b38281899 --- /dev/null +++ b/roles/custom/matrix-bot-draupnir/tasks/validate_config.yml @@ -0,0 +1,9 @@ +--- + +- name: Fail if required variables are undefined + ansible.builtin.fail: + msg: "The `{{ item }}` variable must be defined and have a non-null value." + with_items: + - "matrix_bot_draupnir_access_token" + - "matrix_bot_draupnir_management_room" + when: "vars[item] == '' or vars[item] is none" diff --git a/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 b/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 new file mode 100644 index 000000000..06d88f481 --- /dev/null +++ b/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 @@ -0,0 +1,246 @@ +# Endpoint URL that draupnir uses to interact with the matrix homeserver (client-server API), +# set this to the pantalaimon URL if you're using that. +homeserverUrl: "{{ matrix_homeserver_url }}" + +# Endpoint URL that draupnir could use to fetch events related to reports (client-server API and /_synapse/), +# only set this to the public-internet homeserver client API URL, do NOT set this to the pantalaimon URL. +rawHomeserverUrl: "{{ matrix_homeserver_url }}" + +# Matrix Access Token to use, draupnir will only use this if pantalaimon.use is false. +accessToken: "{{ matrix_bot_draupnir_access_token }}" + +# Options related to Pantalaimon (https://github.com/matrix-org/pantalaimon) +#pantalaimon: +# # Whether or not draupnir will use pantalaimon to access the matrix homeserver, +# # set to `true` if you're using pantalaimon. +# # +# # Be sure to point homeserverUrl to the pantalaimon instance. +# # +# # draupnir will log in using the given username and password once, +# # then store the resulting access token in a file under dataPath. +# use: false +# +# # The username to login with. +# username: draupnir +# +# # The password draupnir will login with. +# # +# # After successfully logging in once, this will be ignored, so this value can be blanked after first startup. +# password: your_password + +# The path draupnir will store its state/data in, leave default ("/data/storage") when using containers. +dataPath: "/data" + +# If true (the default), draupnir will only accept invites from users present in managementRoom. +autojoinOnlyIfManager: true + +# If `autojoinOnlyIfManager` is false, only the members in this space can invite +# the bot to new rooms. +#acceptInvitesFromSpace: "!example:example.org" + +# Whether draupnir should report ignored invites to the management room (if autojoinOnlyIfManager is true). +recordIgnoredInvites: false + +# The room ID (or room alias) of the management room, anyone in this room can issue commands to draupnir. +# +# draupnir has no more granular access controls other than this, be sure you trust everyone in this room - secure it! +# +# This should be a room alias or room ID - not a matrix.to URL. +# +# Note: By default, draupnir is fairly verbose - expect a lot of messages in this room. +# (see verboseLogging to adjust this a bit.) +managementRoom: "{{ matrix_bot_draupnir_management_room }}" + +# Whether draupnir should log a lot more messages in the room, +# mainly involves "all-OK" messages, and debugging messages for when draupnir checks bans in a room. +verboseLogging: false + +# The log level of terminal (or container) output, +# can be one of DEBUG, INFO, WARN and ERROR, in increasing order of importance and severity. +# +# This should be at INFO or DEBUG in order to get support for draupnir problems. +logLevel: "INFO" + +# Whether or not draupnir should synchronize policy lists immediately after startup. +# Equivalent to running '!draupnir sync'. +syncOnStartup: true + +# Whether or not draupnir should check moderation permissions in all protected rooms on startup. +# Equivalent to running `!draupnir verify`. +verifyPermissionsOnStartup: true + +# Whether or not draupnir should actually apply bans and policy lists, +# turn on to trial some untrusted configuration or lists. +noop: false + +# Whether draupnir should check member lists quicker (by using a different endpoint), +# keep in mind that enabling this will miss invited (but not joined) users. +# +# Turn on if your bot is in (very) large rooms, or in large amounts of rooms. +fasterMembershipChecks: false + +# A case-insensitive list of ban reasons to have the bot also automatically redact the user's messages for. +# +# If the bot sees you ban a user with a reason that is an (exact case-insensitive) match to this list, +# it will also remove the user's messages automatically. +# +# Typically this is useful to avoid having to give two commands to the bot. +# Advanced: Use asterisks to have the reason match using "globs" +# (f.e. "spam*testing" would match "spam for testing" as well as "spamtesting"). +# +# See here for more info: https://www.digitalocean.com/community/tools/glob +# Note: Keep in mind that glob is NOT regex! +automaticallyRedactForReasons: + - "spam" + - "advertising" + +# A list of rooms to protect. draupnir will add this to the list it knows from its account data. +# +# It won't, however, add it to the account data. +# Manually add the room via '!draupnir rooms add' to have it stay protected regardless if this config value changes. +# +# Note: These must be matrix.to URLs +#protectedRooms: +# - "https://matrix.to/#/#yourroom:example.org" + +# Whether or not to add all joined rooms to the "protected rooms" list +# (excluding the management room and watched policy list rooms, see below). +# +# Note that this effectively makes the protectedRooms and associated commands useless +# for regular rooms. +# +# Note: the management room is *excluded* from this condition. +# Explicitly add it as a protected room to protect it. +# +# Note: Ban list rooms the bot is watching but didn't create will not be protected. +# Explicitly add these rooms as a protected room list if you want them protected. +protectAllJoinedRooms: false + +# Increase this delay to have Mjölnir wait longer between two consecutive backgrounded +# operations. The total duration of operations will be longer, but the homeserver won't +# be affected as much. Conversely, decrease this delay to have Mjölnir chain operations +# faster. The total duration of operations will generally be shorter, but the performance +# of the homeserver may be more impacted. +backgroundDelayMS: 500 + +# Server administration commands, these commands will only work if draupnir is +# a global server administrator, and the bot's server is a Synapse instance. +#admin: +# # Whether or not draupnir can temporarily take control of any eligible account from the local homeserver who's in the room +# # (with enough permissions) to "make" a user an admin. +# # +# # This only works if a local user with enough admin permissions is present in the room. +# enableMakeRoomAdminCommand: false + +# Misc options for command handling and commands +commands: + # Whether or not the `!draupnir` prefix is necessary to submit commands. + # + # If `true`, will allow commands like `!ban`, `!help`, etc. + # + # Note: draupnir can also be pinged by display name instead of having to use + # the !draupnir prefix. For example, "my_moderator_bot: ban @spammer:example.org" + # will address only my_moderator_bot. + allowNoPrefix: false + + # Any additional bot prefixes that draupnir will listen to. i.e. adding `mod` will allow `!mod help`. + additionalPrefixes: + - "draupnir_bot" + + # Whether or not commands with a wildcard (*) will require an additional `--force` argument + # in the command to be able to be submitted. + confirmWildcardBan: true + +# Configuration specific to certain toggle-able protections +#protections: +# # Configuration for the wordlist plugin, which can ban users based if they say certain +# # blocked words shortly after joining. +# wordlist: +# # A list of case-insensitive keywords that the WordList protection will watch for from new users. +# # +# # WordList will ban users who use these words when first joining a room, so take caution when selecting them. +# # +# # For advanced usage, regex can also be used, see the following links for more information; +# # - https://www.digitalocean.com/community/tutorials/an-introduction-to-regular-expressions +# # - https://regexr.com/ +# # - https://regexone.com/ +# words: +# - "LoReM" +# - "IpSuM" +# - "DoLoR" +# - "aMeT" +# +# # For how long (in minutes) the user is "new" to the WordList plugin. +# # +# # After this time, the user will no longer be banned for using a word in the above wordlist. +# # +# # Set to zero to disable the timeout and make users *always* appear "new". +# # (users will always be banned if they say a bad word) +# minutesBeforeTrusting: 20 + +# Options for advanced monitoring of the health of the bot. +health: + # healthz options. These options are best for use in container environments + # like Kubernetes to detect how healthy the service is. The bot will report + # that it is unhealthy until it is able to process user requests. Typically + # this means that it'll flag itself as unhealthy for a number of minutes + # before saying "Now monitoring rooms" and flagging itself healthy. + # + # Health is flagged through HTTP status codes, defined below. + healthz: + # Whether the healthz integration should be enabled (default false) + enabled: false + + # The port to expose the webserver on. Defaults to 8080. + port: 8080 + + # The address to listen for requests on. Defaults to all addresses. + address: "0.0.0.0" + + # The path to expose the monitoring endpoint at. Defaults to `/healthz` + endpoint: "/healthz" + + # The HTTP status code which reports that the bot is healthy/ready to + # process requests. Typically this should not be changed. Defaults to + # 200. + healthyStatus: 200 + + # The HTTP status code which reports that the bot is not healthy/ready. + # Defaults to 418. + unhealthyStatus: 418 + +# Options for exposing web APIs. +#web: +# # Whether to enable web APIs. +# enabled: false +# +# # The port to expose the webserver on. Defaults to 8080. +# port: 8080 +# +# # The address to listen for requests on. Defaults to only the current +# # computer. +# address: localhost +# +# # Alternative setting to open to the entire web. Be careful, +# # as this will increase your security perimeter: +# # +# # address: "0.0.0.0" +# +# # A web API designed to intercept Matrix API +# # POST /_matrix/client/r0/rooms/{roomId}/report/{eventId} +# # and display readable abuse reports in the moderation room. +# # +# # If you wish to take advantage of this feature, you will need +# # to configure a reverse proxy, see e.g. test/nginx.conf +# abuseReporting: +# # Whether to enable this feature. +# enabled: false + +# Whether or not to actively poll synapse for abuse reports, to be used +# instead of intercepting client calls to synapse's abuse endpoint, when that +# isn't possible/practical. +pollReports: false + +# Whether or not new reports, received either by webapi or polling, +# should be printed to our managementRoom. +displayReports: false diff --git a/roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-mjolnir.service.j2 b/roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-mjolnir.service.j2 new file mode 100644 index 000000000..6995bcc39 --- /dev/null +++ b/roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-mjolnir.service.j2 @@ -0,0 +1,42 @@ +#jinja2: lstrip_blocks: "True" +[Unit] +Description=Matrix Draupnir bot +{% for service in matrix_bot_draupnir_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_bot_draupnir_systemd_required_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-draupnir 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-draupnir 2>/dev/null || true' + +# Intentional delay, so that the homeserver (we likely depend on) can manage to start. +ExecStartPre={{ matrix_host_command_sleep }} 5 + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-bot-draupnir \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_docker_network }} \ + --mount type=bind,src={{ matrix_bot_draupnir_config_path }},dst=/data/config,ro \ + --mount type=bind,src={{ matrix_bot_draupnir_data_path }},dst=/data \ + {% for arg in matrix_bot_draupnir_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_bot_draupnir_docker_image }} + +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-draupnir 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-draupnir 2>/dev/null || true' +Restart=always +RestartSec=30 +SyslogIdentifier=matrix-bot-draupnir + +[Install] +WantedBy=multi-user.target From 78b1ebd5af15d4acdc3e69a9cf3539cb3452a49c Mon Sep 17 00:00:00 2001 From: Catalan Lover Date: Wed, 8 Feb 2023 16:44:30 +0100 Subject: [PATCH 22/38] commit main.yml for draupnir and set target ver to develop --- .../matrix-bot-draupnir/defaults/main.yml | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 roles/custom/matrix-bot-draupnir/defaults/main.yml diff --git a/roles/custom/matrix-bot-draupnir/defaults/main.yml b/roles/custom/matrix-bot-draupnir/defaults/main.yml new file mode 100644 index 000000000..cafba72d1 --- /dev/null +++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml @@ -0,0 +1,59 @@ +--- +# A moderation tool for Matrix +# Project source code URL: https://github.com/Gnuxie/Draupnir + +matrix_bot_draupnir_enabled: true + +matrix_bot_draupnir_version: "develop" + +matrix_bot_draupnir_container_image_self_build: false +matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/Gnuxie/Draupnir.git" + +matrix_bot_draupnir_docker_image: "{{ matrix_bot_draupnir_docker_image_name_prefix }}gnuxie/draupnir:{{ matrix_bot_draupnir_version }}" +matrix_bot_draupnir_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_draupnir_container_image_self_build else matrix_container_global_registry_prefix }}" +matrix_bot_draupnir_docker_image_force_pull: "{{ matrix_bot_draupnir_docker_image.endswith(':latest') }}" + +matrix_bot_draupnir_base_path: "{{ matrix_base_data_path }}/draupnir" +matrix_bot_draupnir_config_path: "{{ matrix_bot_draupnir_base_path }}/config" +matrix_bot_draupnir_data_path: "{{ matrix_bot_draupnir_base_path }}/data" +matrix_bot_draupnir_docker_src_files_path: "{{ matrix_bot_draupnir_base_path }}/docker-src" + +# A list of extra arguments to pass to the container +matrix_bot_draupnir_container_extra_arguments: [] + +# List of systemd services that matrix-bot-draupnir.service depends on +matrix_bot_draupnir_systemd_required_services_list: ['docker.service'] + +# List of systemd services that matrix-bot-draupnir.service wants +matrix_bot_draupnir_systemd_wanted_services_list: [] + +# The access token for the bot user +matrix_bot_draupnir_access_token: "" + +# The room ID where people can use the bot. The bot has no access controls, so +# anyone in this room can use the bot - secure your room! +# This should be a room alias or room ID - not a matrix.to URL. +# Note: draupnir is fairly verbose - expect a lot of messages from it. +matrix_bot_draupnir_management_room: "" + +# Default configuration template which covers the generic use case. +# You can customize it by controlling the various variables inside it. +# +# For a more advanced customization, you can extend the default (see `matrix_bot_draupnir_configuration_extension_yaml`) +# or completely replace this variable with your own template. +matrix_bot_draupnir_configuration_yaml: "{{ lookup('template', 'templates/production.yaml.j2') }}" + +matrix_bot_draupnir_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_bot_draupnir_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_bot_draupnir_configuration_yaml`. + +matrix_bot_draupnir_configuration_extension: "{{ matrix_bot_draupnir_configuration_extension_yaml | from_yaml if matrix_bot_draupnir_configuration_extension_yaml | from_yaml is mapping else {} }}" + +# Holds the final configuration (a combination of the default and its extension). +# You most likely don't need to touch this variable. Instead, see `matrix_bot_draupnir_configuration_yaml`. +matrix_bot_draupnir_configuration: "{{ matrix_bot_draupnir_configuration_yaml | from_yaml | combine(matrix_bot_draupnir_configuration_extension, recursive=True) }}" From 9092d4bb6b6348b9c7ad068f308f52392ba0e104 Mon Sep 17 00:00:00 2001 From: Catalan Lover Date: Wed, 8 Feb 2023 17:02:59 +0100 Subject: [PATCH 23/38] Push draupnir version from develop to v1.80.0-beta.0 --- roles/custom/matrix-bot-draupnir/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-draupnir/defaults/main.yml b/roles/custom/matrix-bot-draupnir/defaults/main.yml index cafba72d1..f0aa4da8e 100644 --- a/roles/custom/matrix-bot-draupnir/defaults/main.yml +++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml @@ -4,7 +4,7 @@ matrix_bot_draupnir_enabled: true -matrix_bot_draupnir_version: "develop" +matrix_bot_draupnir_version: "v1.80.0-beta.0" matrix_bot_draupnir_container_image_self_build: false matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/Gnuxie/Draupnir.git" From 7b42ff4b759afc031cce73218d7199573483e87c Mon Sep 17 00:00:00 2001 From: Catalan Lover Date: Wed, 8 Feb 2023 18:55:08 +0100 Subject: [PATCH 24/38] Finalise moving draupnir to a fully testable state. --- group_vars/matrix_servers | 30 ++++++++++++++++++++++++++++++ playbooks/matrix.yml | 1 + 2 files changed, 31 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 6d096dea0..1c0a14e49 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -189,6 +189,8 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-bot-mjolnir.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'mjolnir']}] if matrix_bot_mjolnir_enabled else []) + + ([{'name': 'matrix-bot-draupnir.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'draupnir']}] if matrix_bot_draupnir_enabled else []) + + ([{'name': 'matrix-bot-postmoogle.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'postmoogle']}] if matrix_bot_postmoogle_enabled else []) + ([{'name': 'matrix-bot-chatgpt.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'chatgpt']}] if matrix_bot_chatgpt_enabled else []) @@ -1759,6 +1761,34 @@ matrix_bot_mjolnir_systemd_required_services_list: | # ###################################################################### +###################################################################### +# +# matrix-bot-draupnir +# +###################################################################### + +# We don't enable bots by default. +matrix_bot_draupnir_enabled: false + +matrix_bot_draupnir_container_image_self_build: "{{ matrix_architecture != 'amd64' }}" + +matrix_bot_draupnir_systemd_required_services_list: | + {{ + ['docker.service'] + + + ['matrix-' + matrix_homeserver_implementation + '.service'] + + + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + + + (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else []) + }} + +###################################################################### +# +# /matrix-bot-draupnir +# +###################################################################### + ###################################################################### # # matrix-backup-borg diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml index 7be0d6295..906784548 100755 --- a/playbooks/matrix.yml +++ b/playbooks/matrix.yml @@ -79,6 +79,7 @@ - custom/matrix-bot-postmoogle - custom/matrix-bot-go-neb - custom/matrix-bot-mjolnir + - custom/matrix-bot-draupnir - custom/matrix-bot-chatgpt - custom/matrix-cactus-comments - custom/matrix-synapse From 79a4e57fbdf9d900e3753bc0cea595c2a5e02bfc Mon Sep 17 00:00:00 2001 From: Catalan Lover Date: Wed, 8 Feb 2023 18:55:27 +0100 Subject: [PATCH 25/38] Add draupnir docs. --- docs/configuring-playbook-bot-draupnir.md | 114 ++++++++++++++++++++++ 1 file changed, 114 insertions(+) create mode 100644 docs/configuring-playbook-bot-draupnir.md diff --git a/docs/configuring-playbook-bot-draupnir.md b/docs/configuring-playbook-bot-draupnir.md new file mode 100644 index 000000000..cbec1c4f0 --- /dev/null +++ b/docs/configuring-playbook-bot-draupnir.md @@ -0,0 +1,114 @@ +# Setting up draupnir (optional) + +The playbook can install and configure the [draupnir](https://github.com/Gnuxie/Draupnir) moderation bot for you. + +See the project's [documentation](https://github.com/Gnuxie/Draupnir) to learn what it does and why it might be useful to you. + +If your migrating from Mjolnir skip to step 5b. + +## 1. Register the bot account + +The playbook does not automatically create users for you. The bot requires an access token to be able to connect to your homeserver. + +You **need to register the bot user manually** before setting up the bot. + +Choose a strong password for the bot. You can generate a good password with a command like this: `pwgen -s 64 1`. + +You can use the playbook to [register a new user](registering-users.md): + +``` +ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.draupnir password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user +``` + +If you would like draupnir to be able to deactivate users, move aliases, shutdown rooms, etc then it must be a server admin so you need to change `admin=no` to `admin=yes` in the command above. + + +## 2. Get an access token + +Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md). + + +## 3. Make sure the account is free from rate limiting + +You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step draupnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). This can also be manually done by editing the Synapse database. Manually editing the Synapse database is rarely a good idea. Please ask for help if you are uncomfortable with these steps. + +1. Copy the statement below into a text editor. + + ``` + INSERT INTO ratelimit_override VALUES ('@bot.draupnir:DOMAIN', 0, 0); + ``` + +1. Change the username (`@bot.draupnir:DOMAIN`) to the username you used when you registered the bot's account. You must change `DOMAIN` to your server's domain. + +1. Get a database terminal by following these steps: [maintenance-postgres.md#getting-a-database-terminal](maintenance-postgres.md#getting-a-database-terminal) + +1. Connect to Synapse's database by typing `\connect synapse` into the database terminal + +1. Paste in the `INSERT INTO` command that you edited and press enter. + +You can run `SELECT * FROM ratelimit_override;` to see if it worked. If the output looks like this: + +``` + user_id | messages_per_second | burst_count +-----------------------+---------------------+------------- + @bot.draupnir:raim.ist | 0 | 0` +``` +then you did it correctly. + + +## 4. Create a management room + +Using your own account, create a new invite only room that you will use to manage the bot. This is the room where you will see the status of the bot and where you will send commands to the bot, such as the command to ban a user from another room. Anyone in this room can control the bot so it is important that you only invite trusted users to this room. The room must be unencrypted since the playbook does not support installing Pantalaimon yet. + +Once you have created the room you need to copy the room ID so you can tell the bot to use that room. In Element you can do this by going to the room's settings, clicking Advanced, and then coping the internal room ID. The room ID will look something like `!QvgVuKq0ha8glOLGMG:DOMAIN`. + +Finally invite the `@bot.draupnir:DOMAIN` account you created earlier into the room. + + +## 5a. Adjusting the playbook configuration + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs): + +You must replace `ACCESS_TOKEN_FROM_STEP_2_GOES_HERE` and `ROOM_ID_FROM_STEP_4_GOES_HERE` with the your own values. + +```yaml +matrix_bot_draupnir_enabled: true + +matrix_bot_draupnir_access_token: "ACCESS_TOKEN_FROM_STEP_2_GOES_HERE" + +matrix_bot_draupnir_management_room: "ROOM_ID_FROM_STEP_4_GOES_HERE" +``` + +## 5b. Migrating from Mjolnir (Only required if migrating.) + +Replace your matrix_bot_mjolnir config with matrix_bot_draupnir config. Also disable mjolnir if your doing migration. +That is all you need to do due to that Draupnir can complete migration on its own. + +## 6. Installing + +After configuring the playbook, run the [installation](installing.md) command: + +``` +ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start +``` + + +## Usage + +You can refer to the upstream [documentation](https://github.com/Gnuxie/Draupnir) for additional ways to use and configure draupnir. Check out their [quickstart guide](https://github.com/matrix-org/draupnir/blob/main/docs/moderators.md#quick-usage) for some basic commands you can give to the bot. + +You can configure additional options by adding the `matrix_bot_draupnir_configuration_extension_yaml` variable to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file. + +For example to change draupnir's `recordIgnoredInvites` option to `true` you would add the following to your `vars.yml` file. + +```yaml +matrix_bot_draupnir_configuration_extension_yaml: | + # Your custom YAML configuration goes here. + # This configuration extends the default starting configuration (`matrix_bot_draupnir_configuration_yaml`). + # + # You can override individual variables from the default configuration, or introduce new ones. + # + # If you need something more special, you can take full control by + # completely redefining `matrix_bot_draupnir_configuration_yaml`. + recordIgnoredInvites: true +``` From a717590aa5e00e988d1c6db0b72b45a0decf3c31 Mon Sep 17 00:00:00 2001 From: Catalan Lover Date: Wed, 8 Feb 2023 19:53:35 +0100 Subject: [PATCH 26/38] Rename systemd service file from mjolnir to draupnir --- ...trix-bot-mjolnir.service.j2 => matrix-bot-draupnir.service.j2} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename roles/custom/matrix-bot-draupnir/templates/systemd/{matrix-bot-mjolnir.service.j2 => matrix-bot-draupnir.service.j2} (100%) diff --git a/roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-mjolnir.service.j2 b/roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-draupnir.service.j2 similarity index 100% rename from roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-mjolnir.service.j2 rename to roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-draupnir.service.j2 From ddcb1735e2671344dec7742b6d5726edfaeeecba Mon Sep 17 00:00:00 2001 From: Catalan Lover Date: Wed, 8 Feb 2023 20:05:47 +0100 Subject: [PATCH 27/38] Add draupnir as valid prefix to resolve a bug Current draupnir does not listen to its name. This config change fixes this bug. This bodge is able to be removed once this is fixed upstream. --- roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 b/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 index 06d88f481..dcc61b1b5 100644 --- a/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 +++ b/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 @@ -146,6 +146,7 @@ commands: # Any additional bot prefixes that draupnir will listen to. i.e. adding `mod` will allow `!mod help`. additionalPrefixes: - "draupnir_bot" + - "draupnir" # Whether or not commands with a wildcard (*) will require an additional `--force` argument # in the command to be able to be submitted. From 9615855cfa7e86bb3843f5fa2db90a9b3b9a5fc4 Mon Sep 17 00:00:00 2001 From: ntallasv Date: Thu, 9 Feb 2023 14:53:56 +0200 Subject: [PATCH 28/38] update matrix-chatgpt-bot --- roles/custom/matrix-bot-chatgpt/defaults/main.yml | 13 +++++++------ .../matrix-bot-chatgpt/tasks/validate_config.yml | 4 +--- roles/custom/matrix-bot-chatgpt/templates/env.j2 | 11 ++++++----- 3 files changed, 14 insertions(+), 14 deletions(-) diff --git a/roles/custom/matrix-bot-chatgpt/defaults/main.yml b/roles/custom/matrix-bot-chatgpt/defaults/main.yml index 324e64abf..489b22c4a 100644 --- a/roles/custom/matrix-bot-chatgpt/defaults/main.yml +++ b/roles/custom/matrix-bot-chatgpt/defaults/main.yml @@ -9,7 +9,7 @@ matrix_bot_chatgpt_docker_repo: "https://github.com/matrixgpt/matrix-chatgpt-bot matrix_bot_chatgpt_docker_repo_version: "{{ 'latest' if matrix_bot_chatgpt_version == 'latest' else matrix_bot_chatgpt_version }}" matrix_bot_chatgpt_docker_src_files_path: "{{ matrix_base_data_path }}/chatgpt/docker-src" -matrix_bot_chatgpt_version: 1.4.1 +matrix_bot_chatgpt_version: 2.2.1 matrix_bot_chatgpt_docker_image: "{{ matrix_bot_chatgpt_docker_image_name_prefix }}matrixgpt/matrix-chatgpt-bot:{{ matrix_bot_chatgpt_version }}" matrix_bot_chatgpt_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_chatgpt_container_image_self_build else 'ghcr.io/' }}" matrix_bot_chatgpt_docker_image_force_pull: "{{ matrix_bot_chatgpt_docker_image.endswith(':latest') }}" @@ -28,13 +28,14 @@ matrix_bot_chatgpt_systemd_required_services_list: ['docker.service'] matrix_bot_chatgpt_systemd_wanted_services_list: [] # ChatGPT Settings -matrix_bot_chatgpt_openai_email: '' # OPENAI_EMAIL= -matrix_bot_chatgpt_openai_password: '' # OPENAI_PASSWORD= -matrix_bot_chatgpt_openai_login_type: 'google' # OPENAI_LOGIN_TYPE="google" -matrix_bot_chatgpt_openai_pro: false # OPENAI_PRO - +matrix_bot_chatgpt_openai_api_key: '' matrix_bot_chatgpt_context: 'thread' # CHATGPT_CONTEXT="thread" +matrix_bot_chatgpt_keyv_backend: 'file' +matrix_bot_chatgpt_keyv_url: '' +matrix_bot_chatgpt_keyv_bot_encryption: false +matrix_bot_chatgpt_keyv_bot_storage: true + # Matrix Static Settings (required, see notes) # Defaults to "https://matrix.org" matrix_bot_chatgpt_matrix_homeserver_url: "{{ matrix_homeserver_container_url }}" # MATRIX_HOMESERVER_URL= diff --git a/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml b/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml index f68d0e5c2..3d30994c8 100644 --- a/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml +++ b/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml @@ -6,7 +6,5 @@ You need to define a required configuration setting (`{{ item.name }}`). when: "item.when | bool and vars[item.name] == ''" with_items: - - {'name': 'matrix_bot_chatgpt_openai_email', when: true} - - {'name': 'matrix_bot_chatgpt_openai_password', when: true} - - {'name': 'matrix_bot_chatgpt_openai_login_type', when: true} + - {'name': 'matrix_bot_chatgpt_openai_api_key', when: true} - {'name': 'matrix_bot_chatgpt_matrix_bot_username', when: true} diff --git a/roles/custom/matrix-bot-chatgpt/templates/env.j2 b/roles/custom/matrix-bot-chatgpt/templates/env.j2 index faf6be713..40b2f9ffe 100644 --- a/roles/custom/matrix-bot-chatgpt/templates/env.j2 +++ b/roles/custom/matrix-bot-chatgpt/templates/env.j2 @@ -1,13 +1,14 @@ MATRIX_HOMESERVER_URL={{ matrix_bot_chatgpt_matrix_homeserver_url }} MATRIX_ACCESS_TOKEN={{ matrix_bot_chatgpt_matrix_access_token }} -OPENAI_EMAIL={{ matrix_bot_chatgpt_openai_email }} -OPENAI_PASSWORD={{ matrix_bot_chatgpt_openai_password }} -OPENAI_LOGIN_TYPE={{ matrix_bot_chatgpt_openai_login_type }} -OPENAI_PRO={{ matrix_bot_chatgpt_openai_pro | to_json }} - +OPENAI_API_KEY={{ matrix_bot_chatgpt_openai_api_key }} CHATGPT_CONTEXT={{ matrix_bot_chatgpt_context }} +KEYV_BACKEND={{ matrix_bot_chatgpt_keyv_backend }} +KEYV_URL={{ matrix_bot_chatgpt_keyv_url }} +KEYV_BOT_ENCRYPTION={{ matrix_bot_chatgpt_keyv_bot_encryption|lower }} +KEYV_BOT_STORAGE={{ matrix_bot_chatgpt_keyv_bot_storage|lower }} + # With the @ and :DOMAIN, ie @SOMETHING:DOMAIN MATRIX_BOT_USERNAME={{ matrix_bot_chatgpt_matrix_bot_username }} MATRIX_BOT_PASSWORD={{ matrix_bot_chatgpt_matrix_bot_password }} From d32f80bf29c8fe3750534e0bf14970c3e1160576 Mon Sep 17 00:00:00 2001 From: Aine <97398200+etkecc@users.noreply.github.com> Date: Thu, 9 Feb 2023 17:43:35 +0000 Subject: [PATCH 29/38] Update postmoogle 0.9.11 -> 0.9.12 * fix uploads from incoming emails into matrix threads * fix emails dequeue (account data cleanup) * rewrite recipients handling (Cc, To, etc.) --- roles/custom/matrix-bot-postmoogle/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-postmoogle/defaults/main.yml b/roles/custom/matrix-bot-postmoogle/defaults/main.yml index 48a2b45c9..9f3dad24b 100644 --- a/roles/custom/matrix-bot-postmoogle/defaults/main.yml +++ b/roles/custom/matrix-bot-postmoogle/defaults/main.yml @@ -9,7 +9,7 @@ matrix_bot_postmoogle_docker_repo: "https://gitlab.com/etke.cc/postmoogle.git" matrix_bot_postmoogle_docker_repo_version: "{{ 'main' if matrix_bot_postmoogle_version == 'latest' else matrix_bot_postmoogle_version }}" matrix_bot_postmoogle_docker_src_files_path: "{{ matrix_base_data_path }}/postmoogle/docker-src" -matrix_bot_postmoogle_version: v0.9.11 +matrix_bot_postmoogle_version: v0.9.12 matrix_bot_postmoogle_docker_image: "{{ matrix_bot_postmoogle_docker_image_name_prefix }}etke.cc/postmoogle:{{ matrix_bot_postmoogle_version }}" matrix_bot_postmoogle_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_postmoogle_container_image_self_build else 'registry.gitlab.com/' }}" matrix_bot_postmoogle_docker_image_force_pull: "{{ matrix_bot_postmoogle_docker_image.endswith(':latest') }}" From b7384866844545756ee356ab0a7706b1a6196891 Mon Sep 17 00:00:00 2001 From: ntallasv Date: Fri, 10 Feb 2023 00:13:31 +0200 Subject: [PATCH 30/38] update validate_config.yml --- .../matrix-bot-chatgpt/tasks/validate_config.yml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml b/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml index 3d30994c8..fcf77a8e7 100644 --- a/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml +++ b/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml @@ -6,5 +6,17 @@ You need to define a required configuration setting (`{{ item.name }}`). when: "item.when | bool and vars[item.name] == ''" with_items: - - {'name': 'matrix_bot_chatgpt_openai_api_key', when: true} - - {'name': 'matrix_bot_chatgpt_matrix_bot_username', when: true} + - { 'name': 'matrix_bot_chatgpt_openai_api_key', when: true } + - { 'name': 'matrix_bot_chatgpt_matrix_bot_username', when: true } + + +- name: Fail if OpenAI configuration not up-to-date. + ansible.builtin.fail: + msg: >- + Your configuration contains a varible that is no longer used. + Please change your configuration to remove the variable (`{{ item.name }}`). + when: "item.name in vars" + with_items: + - { 'name': 'matrix_bot_chatgpt_openai_email' } + - { 'name': 'matrix_bot_chatgpt_openai_password' } + - { 'name': 'matrix_bot_chatgpt_openai_login_type' } From 4221b64a9805a8c9da3a3dc83b5f87a0bf9fe0f3 Mon Sep 17 00:00:00 2001 From: ntallasv Date: Fri, 10 Feb 2023 00:14:09 +0200 Subject: [PATCH 31/38] update configuring-playbook-bot-chatgpt.md --- docs/configuring-playbook-bot-chatgpt.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/docs/configuring-playbook-bot-chatgpt.md b/docs/configuring-playbook-bot-chatgpt.md index eb0c75966..7a006816d 100644 --- a/docs/configuring-playbook-bot-chatgpt.md +++ b/docs/configuring-playbook-bot-chatgpt.md @@ -32,11 +32,8 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars. ```yaml matrix_bot_chatgpt_enabled: true -# See instructions on -# https://www.npmjs.com/package/chatgpt -matrix_bot_chatgpt_openai_email: '' -matrix_bot_chatgpt_openai_password: '' -matrix_bot_chatgpt_openai_login_type: google +# Obtain a new API key from https://platform.openai.com/account/api-keys +matrix_bot_chatgpt_openai_api_key: '' # This is the default username # matrix_bot_chatgpt_matrix_bot_username_localpart: 'bot.chatgpt' From f71cd3a760657bff3b89ebf172f83c26f94e5834 Mon Sep 17 00:00:00 2001 From: ntallasv Date: Fri, 10 Feb 2023 00:34:07 +0200 Subject: [PATCH 32/38] fix linting in validate_config.yml --- .../matrix-bot-chatgpt/tasks/validate_config.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml b/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml index fcf77a8e7..ecc2b8d22 100644 --- a/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml +++ b/roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml @@ -6,8 +6,8 @@ You need to define a required configuration setting (`{{ item.name }}`). when: "item.when | bool and vars[item.name] == ''" with_items: - - { 'name': 'matrix_bot_chatgpt_openai_api_key', when: true } - - { 'name': 'matrix_bot_chatgpt_matrix_bot_username', when: true } + - {'name': 'matrix_bot_chatgpt_openai_api_key', when: true} + - {'name': 'matrix_bot_chatgpt_matrix_bot_username', when: true} - name: Fail if OpenAI configuration not up-to-date. @@ -17,6 +17,6 @@ Please change your configuration to remove the variable (`{{ item.name }}`). when: "item.name in vars" with_items: - - { 'name': 'matrix_bot_chatgpt_openai_email' } - - { 'name': 'matrix_bot_chatgpt_openai_password' } - - { 'name': 'matrix_bot_chatgpt_openai_login_type' } + - {'name': 'matrix_bot_chatgpt_openai_email'} + - {'name': 'matrix_bot_chatgpt_openai_password'} + - {'name': 'matrix_bot_chatgpt_openai_login_type'} From 0a15e56641b81801fc72c8aab7da0ca4282447fe Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 10 Feb 2023 11:41:44 +0200 Subject: [PATCH 33/38] Fix typo --- docs/configuring-playbook-bot-draupnir.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bot-draupnir.md b/docs/configuring-playbook-bot-draupnir.md index cbec1c4f0..7626db249 100644 --- a/docs/configuring-playbook-bot-draupnir.md +++ b/docs/configuring-playbook-bot-draupnir.md @@ -81,7 +81,7 @@ matrix_bot_draupnir_management_room: "ROOM_ID_FROM_STEP_4_GOES_HERE" ## 5b. Migrating from Mjolnir (Only required if migrating.) -Replace your matrix_bot_mjolnir config with matrix_bot_draupnir config. Also disable mjolnir if your doing migration. +Replace your matrix_bot_mjolnir config with matrix_bot_draupnir config. Also disable mjolnir if you're doing migration. That is all you need to do due to that Draupnir can complete migration on its own. ## 6. Installing From 600aaa0bc7db67eff0777d3707f199461d80e749 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 10 Feb 2023 11:52:25 +0200 Subject: [PATCH 34/38] Announce Draupnir support Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2451 --- CHANGELOG.md | 9 +++++++++ docs/configuring-playbook-bot-draupnir.md | 6 +++--- docs/configuring-playbook.md | 2 ++ 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bb62d8dd3..69e932a97 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +# 2023-02-10 + +## Draupnir moderation tool (bot) support + +Thanks to [FSG-Cat](https://github.com/FSG-Cat), the playbook can now install and configure the [Draupnir](https://github.com/Gnuxie/Draupnir) moderation tool (bot). Draupnir is a fork of [Mjolnir](docs/configuring-playbook-bot-mjolnir.md) (which the playbook has supported for a long time) maintained by Mjolnir's former lead developer. + +Additional details are available in [Setting up Draupnir](docs/configuring-playbook-bot-draupnir.md). + + # 2023-02-05 ## The matrix-prometheus-postgres-exporter role lives independently now diff --git a/docs/configuring-playbook-bot-draupnir.md b/docs/configuring-playbook-bot-draupnir.md index 7626db249..6704ad65f 100644 --- a/docs/configuring-playbook-bot-draupnir.md +++ b/docs/configuring-playbook-bot-draupnir.md @@ -32,7 +32,7 @@ Refer to the documentation on [how to obtain an access token](obtaining-access-t You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step draupnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). This can also be manually done by editing the Synapse database. Manually editing the Synapse database is rarely a good idea. Please ask for help if you are uncomfortable with these steps. -1. Copy the statement below into a text editor. +1. Copy the statement below into a text editor. ``` INSERT INTO ratelimit_override VALUES ('@bot.draupnir:DOMAIN', 0, 0); @@ -81,8 +81,8 @@ matrix_bot_draupnir_management_room: "ROOM_ID_FROM_STEP_4_GOES_HERE" ## 5b. Migrating from Mjolnir (Only required if migrating.) -Replace your matrix_bot_mjolnir config with matrix_bot_draupnir config. Also disable mjolnir if you're doing migration. -That is all you need to do due to that Draupnir can complete migration on its own. +Replace your matrix_bot_mjolnir config with matrix_bot_draupnir config. Also disable mjolnir if you're doing migration. +That is all you need to do due to that Draupnir can complete migration on its own. ## 6. Installing diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index b2724598a..9ab507630 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -177,6 +177,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Mjolnir](configuring-playbook-bot-mjolnir.md) - a moderation tool/bot (optional) +- [Setting up Draupnir](configuring-playbook-bot-draupnir.md) - a moderation tool/bot (optional), forked from Mjolnir and maintained by its former leader developer + - [Setting up Buscarron](configuring-playbook-bot-buscarron.md) - a bot you can use to send any form (HTTP POST, HTML) to a (encrypted) Matrix room (optional) From 43a6a035a046a95bfaa289bf18b9ecd76c1521db Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 10 Feb 2023 14:16:00 +0200 Subject: [PATCH 35/38] Skip removing /.well-known/element directory to suppress ansible-lint error Leaving an orphan directory is okay and can be improved later on. --- .../tasks/util/setup_jitsi_auth_uvs_uninstall.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml index 229ce896e..5c7425660 100644 --- a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml +++ b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml @@ -10,14 +10,6 @@ - "{{ matrix_jitsi_prosody_auth_matrix_files | map(attribute='path') | map('regex_replace', '^', matrix_jitsi_prosody_plugins_path+'/') | list }}" register: matrix_jitsi_prosody_auth_matrix_user_verification_uninstalled -- name: Remove .well-known/element directory if empty - ansible.builtin.command: - argv: - - rmdir - - "{{ matrix_static_files_base_path }}/.well-known/element" - removes: "{{matrix_static_files_base_path}}/.well-known/element" - ignore_errors: true - - when: matrix_jitsi_prosody_auth_matrix_user_verification_uninstalled.changed block: - name: Populate service facts From e1bfa2a7d632735410d9682e00c8a4ea1f953ba5 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 10 Feb 2023 14:21:31 +0200 Subject: [PATCH 36/38] Fix ansible-lint-reported errors --- .../custom/matrix-jitsi/tasks/self_check_matrix_auth.yml | 1 + .../tasks/util/setup_jitsi_auth_uvs_uninstall.yml | 2 +- .../tasks/util/setup_jitsi_prosody_post_setup_hooks.yml | 4 ++-- .../matrix-user-verification-service/handlers/main.yml | 2 +- .../tasks/setup_uninstall.yml | 8 ++++---- .../tasks/validate_config.yml | 8 ++++---- 6 files changed, 13 insertions(+), 12 deletions(-) diff --git a/roles/custom/matrix-jitsi/tasks/self_check_matrix_auth.yml b/roles/custom/matrix-jitsi/tasks/self_check_matrix_auth.yml index 68a28ef77..52d865c5d 100644 --- a/roles/custom/matrix-jitsi/tasks/self_check_matrix_auth.yml +++ b/roles/custom/matrix-jitsi/tasks/self_check_matrix_auth.yml @@ -48,6 +48,7 @@ - "--quiet" - "{{ matrix_jitsi_prosody_self_check_uvs_health_url | quote }}" register: matrix_jitsi_prosody_self_check_uvs_result + changed_when: false ignore_errors: true - name: Fail if user verification service is not (reachable and healthy) diff --git a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml index 5c7425660..2559c7e69 100644 --- a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml +++ b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml @@ -16,5 +16,5 @@ ansible.builtin.service_facts: - name: Ensure prosody is restarted later on if currently running - set_fact: + ansible.builtin.set_fact: matrix_jitsi_prosody_require_restart: "{{ true if ansible_facts.services['matrix-jitsi-prosody.service']['state'] == 'running' else false }}" diff --git a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_prosody_post_setup_hooks.yml b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_prosody_post_setup_hooks.yml index 69c18ab32..6be6092a0 100644 --- a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_prosody_post_setup_hooks.yml +++ b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_prosody_post_setup_hooks.yml @@ -16,13 +16,13 @@ - name: Ensure matrix-jitsi-prosody container is running ansible.builtin.systemd: - state: "{{ 'restarted' if matrix_jitsi_prosody_require_restart | d(false) | bool else 'started' }}" + state: "{{ 'restarted' if matrix_jitsi_prosody_require_restart | default(false) | bool else 'started' }}" name: matrix-jitsi-prosody register: matrix_jitsi_prosody_start_result # If the flag was set, we can safely disable now. - name: Disable require restart flag - set_fact: + ansible.builtin.set_fact: matrix_jitsi_prosody_require_restart: false # diff --git a/roles/custom/matrix-user-verification-service/handlers/main.yml b/roles/custom/matrix-user-verification-service/handlers/main.yml index b9ee66d73..b955df806 100644 --- a/roles/custom/matrix-user-verification-service/handlers/main.yml +++ b/roles/custom/matrix-user-verification-service/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: Ensure systemd reloaded after matrix-user-verification-service.service installation - service: + ansible.builtin.service: daemon_reload: true listen: "reload matrix-user-verification-service" diff --git a/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml b/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml index 172bf1863..b61f9cdd2 100644 --- a/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml @@ -1,25 +1,25 @@ --- - name: Check existence of matrix-user-verification-service service - stat: + ansible.builtin.stat: path: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}" register: matrix_user_verification_service_service_stat - when: matrix_user_verification_service_service_stat.stat.exists | bool block: - name: Ensure matrix-user-verification-service is stopped - service: + ansible.builtin.service: name: "{{ matrix_user_verification_service_systemd_service_basename }}" state: stopped daemon_reload: true register: stopping_result - name: Ensure matrix-user-verification-service.service doesn't exist - file: + ansible.builtin.file: path: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}" state: absent - name: Ensure Matrix user-verification-service paths don't exist - file: + ansible.builtin.file: path: "{{ matrix_user_verification_service_base_path }}" state: absent diff --git a/roles/custom/matrix-user-verification-service/tasks/validate_config.yml b/roles/custom/matrix-user-verification-service/tasks/validate_config.yml index 40e9090cb..9d7f1be8c 100644 --- a/roles/custom/matrix-user-verification-service/tasks/validate_config.yml +++ b/roles/custom/matrix-user-verification-service/tasks/validate_config.yml @@ -1,25 +1,25 @@ --- - name: Verify homeserver_url is not empty - assert: + ansible.builtin.assert: that: - matrix_user_verification_service_uvs_homeserver_url|length > 0 fail_msg: "Missing variable in {{ matrix_user_verification_service_ansible_name }} role" - name: Verify Auth is configured properly or disabled - assert: + ansible.builtin.assert: that: - matrix_user_verification_service_uvs_access_token|length > 0 or not matrix_user_verification_service_uvs_require_auth|bool fail_msg: "If Auth is enabled, a valid (non empty) TOKEN must be given in 'matrix_user_verification_service_uvs_access_token'." - name: Verify server_name for openid verification is given, if pinning a single server_name is enabled. - assert: + ansible.builtin.assert: that: - matrix_user_verification_service_uvs_openid_verify_server_name|length > 0 or not matrix_user_verification_service_uvs_pin_openid_verify_server_name|bool fail_msg: "If pinning a single server_name is enabled, a valid (non empty) server_name must be given in 'matrix_user_verification_service_uvs_openid_verify_server_name'." - name: Verify the homeserver implementation is synapse - assert: + ansible.builtin.assert: that: - matrix_homeserver_implementation == 'synapse' fail_msg: "The User-Verification-Service requires Synapse as homeserver implementation" From f6ab162fff21e59c3b7eb095fb180beb4fc5a309 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 10 Feb 2023 14:22:37 +0200 Subject: [PATCH 37/38] Remove systemd-reloading handler in matrix-user-verification-service None of the other roles use handlers. We rely on com.devture.ansible.role.systemd_service_manager to reload services when it's necessary to do so. --- .../matrix-user-verification-service/handlers/main.yml | 6 ------ .../tasks/setup_install.yml | 1 - 2 files changed, 7 deletions(-) delete mode 100644 roles/custom/matrix-user-verification-service/handlers/main.yml diff --git a/roles/custom/matrix-user-verification-service/handlers/main.yml b/roles/custom/matrix-user-verification-service/handlers/main.yml deleted file mode 100644 index b955df806..000000000 --- a/roles/custom/matrix-user-verification-service/handlers/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- - -- name: Ensure systemd reloaded after matrix-user-verification-service.service installation - ansible.builtin.service: - daemon_reload: true - listen: "reload matrix-user-verification-service" diff --git a/roles/custom/matrix-user-verification-service/tasks/setup_install.yml b/roles/custom/matrix-user-verification-service/tasks/setup_install.yml index d095c4101..185b4b642 100644 --- a/roles/custom/matrix-user-verification-service/tasks/setup_install.yml +++ b/roles/custom/matrix-user-verification-service/tasks/setup_install.yml @@ -35,4 +35,3 @@ src: "{{ role_path }}/templates/systemd/matrix-user-verification-service.service.j2" dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}" mode: 0644 - notify: "reload matrix-user-verification-service" From 6db3c8f2ad4c81f2b975d8913c104f73568b77d0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 10 Feb 2023 14:26:38 +0200 Subject: [PATCH 38/38] Announce Matrix Authentication Support for Jitsi Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2375 --- CHANGELOG.md | 7 +++++++ docs/configuring-playbook.md | 4 +++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 69e932a97..257f57d9b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,12 @@ # 2023-02-10 +## Matrix Authentication Support for Jitsi + +Thanks to [Jakob S.](https://github.com/jakicoll) ([zakk gGmbH](https://github.com/zakk-it)), Jitsi can now use Matrix for authentication (via [Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service)). + +Additional details are available in the [Authenticate using Matrix OpenID (Auth-Type 'matrix')](docs/configuring-playbook-jitsi.md#authenticate-using-matrix-openid-auth-type-matrix). + + ## Draupnir moderation tool (bot) support Thanks to [FSG-Cat](https://github.com/FSG-Cat), the playbook can now install and configure the [Draupnir](https://github.com/Gnuxie/Draupnir) moderation tool (bot). Draupnir is a fork of [Mjolnir](docs/configuring-playbook-bot-mjolnir.md) (which the playbook has supported for a long time) maintained by Mjolnir's former lead developer. diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 9ab507630..3e904abca 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -99,6 +99,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Matrix Corporal](configuring-playbook-matrix-corporal.md) (optional, advanced) +- [Matrix User Verification Service](docs/configuring-playbook-user-verification-service.md) (optional, advanced) + ### Bridging other networks @@ -177,7 +179,7 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up Mjolnir](configuring-playbook-bot-mjolnir.md) - a moderation tool/bot (optional) -- [Setting up Draupnir](configuring-playbook-bot-draupnir.md) - a moderation tool/bot (optional), forked from Mjolnir and maintained by its former leader developer +- [Setting up Draupnir](configuring-playbook-bot-draupnir.md) - a moderation tool/bot, forked from Mjolnir and maintained by its former leader developer (optional) - [Setting up Buscarron](configuring-playbook-bot-buscarron.md) - a bot you can use to send any form (HTTP POST, HTML) to a (encrypted) Matrix room (optional)