Make registration proxy independent of other roles, document (#7)

* Make registration proxy independent of other roles, document

Signed-off-by: Julian-Samuel Gebühr <julian-samuel@gebuehr.net>

* Fix yml issues

Signed-off-by: Julian-Samuel Gebühr <julian-samuel@gebuehr.net>

* Remove undefined variable (as service HAS to be exposed

Signed-off-by: Julian-Samuel Gebühr <julian-samuel@gebuehr.net>

* Add registration endpint

Defines the registration endpoint that should be intercepted/forwarded to the proxy

Signed-off-by: Julian-Samuel Gebühr <julian-samuel@gebuehr.net>

* Add image name

Signed-off-by: Julian-Samuel Gebühr <julian-samuel@gebuehr.net>

Signed-off-by: Julian-Samuel Gebühr <julian-samuel@gebuehr.net>
This commit is contained in:
Julian-Samuel Gebühr 2022-09-29 18:00:14 +02:00 committed by GitHub
parent dd5844524b
commit 41e1da2ff4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 59 additions and 60 deletions

View file

@ -13,18 +13,21 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.
```yaml
matrix_ldap_registration_proxy_enabled: true
```
That is enough if you use the synapse external password provider via LDAP.
If you want to use your own credentials add the following to your `inventory/host_vars/matrix.DOMAIN/vars.yml`:
# LDAP credentials
```yaml
matrix_ldap_registration_proxy_ldap_uri: <URI>
matrix_ldap_registration_proxy_ldap_base_dn: <DN>
matrix_ldap_registration_proxy_ldap_user: <USER>
matrix_ldap_registration_proxy_ldap_password: <password>
```
TODO: is the block above correct? Else indicate that it can only be used with the LDAP password provider for Synapse
If you already use the [synapse external password provider via LDAP](docs/configuring-playbook-ldap-auth.md) (that is, you have `matrix_synapse_ext_password_provider_ldap_enabled: true` and other options in your configuration)
you can use the following values as configuration:
```yaml
# Use the LDAP values specified for the synapse role to setup LDAP proxy
matrix_ldap_registration_proxy_ldap_uri: "{{ matrix_synapse_ext_password_provider_ldap_uri }}"
matrix_ldap_registration_proxy_ldap_base_dn: "{{ matrix_synapse_ext_password_provider_ldap_base }}"
matrix_ldap_registration_proxy_ldap_user: "{{ matrix_synapse_ext_password_provider_ldap_bind_dn }}"
matrix_ldap_registration_proxy_ldap_password: "{{ matrix_synapse_ext_password_provider_ldap_bind_password }}"
```

View file

@ -1579,12 +1579,6 @@ matrix_jitsi_etherpad_base: "{{ matrix_etherpad_base_url if matrix_etherpad_enab
# This is only for users with a specific LDAP setup
matrix_ldap_registration_proxy_enabled: false
# Use the LDAP values specified for the synapse role to setup LDAP proxy
matrix_ldap_registration_proxy_ldap_uri: "{{ matrix_synapse_ext_password_provider_ldap_uri }}"
matrix_ldap_registration_proxy_ldap_base_dn: "{{ matrix_synapse_ext_password_provider_ldap_base }}"
matrix_ldap_registration_proxy_ldap_user: "{{ matrix_synapse_ext_password_provider_ldap_bind_dn }}"
matrix_ldap_registration_proxy_ldap_password: "{{ matrix_synapse_ext_password_provider_ldap_bind_password }}"
######################################################################
#
# /matrix-ldap-registration-proxy

View file

@ -4,6 +4,7 @@
matrix_ldap_registration_proxy_enabled: true
matrix_ldap_registration_proxy_docker_image: matrix_ldap_registration_proxy
matrix_ldap_registration_proxy_container_image_self_build_repo: "https://gitlab.com/activism.international/matrix_ldap_registration_proxy.git"
matrix_ldap_registration_proxy_container_image_self_build_branch: "{{ matrix_ldap_registration_proxy_version }}"
@ -21,6 +22,8 @@ matrix_ldap_registration_proxy_ldap_password: ""
matrix_ldap_registration_proxy_matrix_server_name: "{{ matrix_domain }}"
matrix_ldap_registration_proxy_matrix_server_url: "https://{{ matrix_server_fqn_matrix }}"
matrix_ldap_registration_proxy_registration_endpoint: "/_matrix/client/r0/register"
# Controls whether the self-check feature should validate SSL certificates.
matrix_matrix_ldap_registration_proxy_self_check_validate_certificates: true
@ -28,11 +31,11 @@ matrix_ldap_registration_proxy_container_port: 8080
# Controls whether the matrix_ldap_registration_proxy container exposes its HTTP port (tcp/{{ matrix_ldap_registration_proxy_container_port }} in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8080"), or empty string to not expose.
matrix_ldap_registration_proxy_container_http_host_bind_port: '8585'}'
matrix_ldap_registration_proxy_container_http_host_bind_port: ''
# `matrix_ldap_registration_proxy_container_http_host_bind_port_number_raw` contains the raw port number extracted from `matrix_ldap_registration_proxy_container_http_host_bind_port`,
# which can contain values like this: ('1234', '127.0.0.1:1234', '0.0.0.0:1234')
matrix_ldap_registration_proxy_container_http_host_bind_port_number_raw: "{{ '' if matrix_ldap_registration_proxy_container_http_host_bind_port == '' else (matrix_ldap_registration_proxy_container_http_host_bind_port.split(':')[1] if ':' in matrix_ldap_registration_proxy_container_http_host_bind_port else matrix_ldap_registration_proxy_container_http_host_bind_port) }}"
# which can contain values like this: ('1234', '127.0.0.1:1234', '0.0.0.0:1234')
matrix_ldap_registration_proxy_container_http_host_bind_port_number_raw: "{{ '' if matrix_ldap_registration_proxy_container_http_host_bind_port == '' else (matrix_ldap_registration_proxy_container_http_host_bind_port.split(':')[1] if ':' in matrix_ldap_registration_proxy_container_http_host_bind_port else matrix_ldap_registration_proxy_container_http_host_bind_port) }}"
matrix_ldap_registration_proxy_registration_addr_with_container: "matrix-ldap_registration-proxy:{{ matrix_ldap_registration_proxy_container_http_host_bind_port_number_raw }}"
matrix_ldap_registration_proxy_registration_addr_sans_container: "127.0.0.1:{{ matrix_ldap_registration_proxy_container_http_host_bind_port_number_raw }}"
@ -53,4 +56,3 @@ matrix_ldap_registration_proxy_systemd_wanted_services_list: []
# matrix_ldap_registration_proxy_env_variables_extension: |
# KEY=value
matrix_ldap_registration_proxy_env_variables_extension: ''

View file

@ -11,48 +11,48 @@
when: matrix_ldap_registration_proxy_enabled | bool
- block:
- name: Fail if matrix-nginx-proxy role already executed
ansible.builtin.fail:
msg: >-
Trying to append Matrix LDAP registration proxy's reverse-proxying configuration to matrix-nginx-proxy,
but it's pointless since the matrix-nginx-proxy role had already executed.
To fix this, please change the order of roles in your playbook,
so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-telegram role.
when: matrix_nginx_proxy_role_executed | default(False) | bool
- name: Fail if matrix-nginx-proxy role already executed
ansible.builtin.fail:
msg: >-
Trying to append Matrix LDAP registration proxy's reverse-proxying configuration to matrix-nginx-proxy,
but it's pointless since the matrix-nginx-proxy role had already executed.
To fix this, please change the order of roles in your playbook,
so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-telegram role.
when: matrix_nginx_proxy_role_executed | default(False) | bool
- name: Generate Matrix LDAP registration proxy proxying configuration for matrix-nginx-proxy
ansible.builtin.set_fact:
matrix_ldap_registration_proxy_matrix_nginx_proxy_configuration: |
location {{ matrix_ldap_registration_proxy_public_endpoint }} {
{% if matrix_nginx_proxy_enabled | default(False) %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
set $backend "{{ matrix_ldap_registration_proxy_registration_addr_with_container }}";
proxy_pass http://$backend/register;;
{% else %}
{# Generic configuration for use outside of our container setup #}
proxy_pass http://{{ matrix_ldap_registration_proxy_registration_addr_sans_container }}/register;
{% endif %}
}
- name: Generate Matrix LDAP registration proxy proxying configuration for matrix-nginx-proxy
ansible.builtin.set_fact:
matrix_ldap_registration_proxy_matrix_nginx_proxy_configuration: |
location {{ matrix_ldap_registration_proxy_registration_endpoint }} {
{% if matrix_nginx_proxy_enabled | default(False) %}
{# Use the embedded DNS resolver in Docker containers to discover the service #}
resolver 127.0.0.11 valid=5s;
set $backend "{{ matrix_ldap_registration_proxy_registration_addr_with_container }}";
proxy_pass http://$backend/register;;
{% else %}
{# Generic configuration for use outside of our container setup #}
proxy_pass http://{{ matrix_ldap_registration_proxy_registration_addr_sans_container }}/register;
{% endif %}
}
- name: Register Matrix LDAP registration proxy proxying configuration with matrix-nginx-proxy
ansible.builtin.set_fact:
matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: |
{{
matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([])
+
[matrix_ldap_registration_proxy_matrix_nginx_proxy_configuration]
}}
- name: Warn about reverse-proxying if matrix-nginx-proxy not used
ansible.builtin.debug:
msg: >-
NOTE: You've enabled the Matrix LDAP registration proxy bridge but are not using the matrix-nginx-proxy
reverse proxy.
Please make sure that you're proxying the `{{ matrix_ldap_registration_proxy_public_endpoint }}`
URL endpoint to the matrix-ldap-proxy container.
You can expose the container's port using the `matrix_ldap_registration_proxy_container_http_host_bind_port` variable.
when: "not matrix_nginx_proxy_enabled | default(False) | bool"
- name: Register Matrix LDAP registration proxy proxying configuration with matrix-nginx-proxy
ansible.builtin.set_fact:
matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: |
{{
matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([])
+
[matrix_ldap_registration_proxy_matrix_nginx_proxy_configuration]
}}
- name: Warn about reverse-proxying if matrix-nginx-proxy not used
ansible.builtin.debug:
msg: >-
NOTE: You've enabled the Matrix LDAP registration proxy bridge but are not using the matrix-nginx-proxy
reverse proxy.
Please make sure that you're proxying the `{{ matrix_ldap_registration_proxy_public_endpoint }}`
URL endpoint to the matrix-ldap-proxy container.
You can expose the container's port using the `matrix_ldap_registration_proxy_container_http_host_bind_port` variable.
when: "not matrix_nginx_proxy_enabled | default(False) | bool"
tags:
- always
when: matrix_ldap_registration_proxy_enabled | bool and matrix_ldap_registration_proxy_appservice_public_enabled | bool
- always
when: matrix_ldap_registration_proxy_enabled | bool