diff --git a/README.md b/README.md index e545d18f..b93fdd5d 100644 --- a/README.md +++ b/README.md @@ -45,6 +45,8 @@ Using this playbook, you can get the following services configured on your serve - (optional, advanced) the [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) LDAP Auth password provider module +- (optional, advanced) the [matrix-ldap-registration-proxy](https://gitlab.com/activism.international/matrix_ldap_registration_proxy) a proxy that handles Matrix registration requests and forwards them to LDAP. + - (optional, advanced) the [synapse-simple-antispam](https://github.com/t2bot/synapse-simple-antispam) spam checker module - (optional, advanced) the [Matrix Corporal](https://github.com/devture/matrix-corporal) reconciliator and gateway for a managed Matrix server diff --git a/docs/configuring-playbook-matrix-ldap-registration-proxy.md b/docs/configuring-playbook-matrix-ldap-registration-proxy.md new file mode 100644 index 00000000..31b75a0b --- /dev/null +++ b/docs/configuring-playbook-matrix-ldap-registration-proxy.md @@ -0,0 +1,30 @@ +# Setting up matrix-ldap-registration-proxy (optional) + +The playbook can install and configure [matrix-ldap-registration-proxy](https://gitlab.com/activism.international/matrix_ldap_registration_proxy) for you. + +This proxy handles Matrix registration requests and forwards them to LDAP. + +**Please note:** This does support the full Matrix specification for registrations. It only provide a very coarse +implementation of a basic password registration. + +## Quickstart + +Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file: + +```yaml +matrix_ldap_registration_proxy_enabled: true +``` + +That is enough if you use the synapse external password provider via LDAP. +If you want to use your own credentials add the following to your `inventory/host_vars/matrix.DOMAIN/vars.yml`: + + + +# LDAP credentials +```yaml +matrix_ldap_registration_proxy_ldap_uri: +matrix_ldap_registration_proxy_ldap_base_dn: +matrix_ldap_registration_proxy_ldap_user: +matrix_ldap_registration_proxy_ldap_password: +``` +TODO: is the block above correct? Else indicate that it can only be used with the LDAP password provider for Synapse diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index b17f902f..43b68ee8 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -86,6 +86,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins - [Setting up the LDAP password provider module](configuring-playbook-ldap-auth.md) (optional, advanced) +- [Setting up the ldap-registration-proxy](configuring-playbook-matrix-ldap-registration-proxy.md) (optional, advanced) + - [Setting up Synapse Simple Antispam](configuring-playbook-synapse-simple-antispam.md) (optional, advanced) - [Setting up Matrix Corporal](configuring-playbook-matrix-corporal.md) (optional, advanced) diff --git a/roles/matrix-ldap-registration-proxy/defaults/main.yml b/roles/matrix-ldap-registration-proxy/defaults/main.yml index 2d2894c9..bf7f3564 100644 --- a/roles/matrix-ldap-registration-proxy/defaults/main.yml +++ b/roles/matrix-ldap-registration-proxy/defaults/main.yml @@ -7,9 +7,6 @@ matrix_ldap_registration_proxy_enabled: true matrix_ldap_registration_proxy_container_image_self_build_repo: "https://gitlab.com/activism.international/matrix_ldap_registration_proxy.git" matrix_ldap_registration_proxy_container_image_self_build_branch: "{{ matrix_ldap_registration_proxy_version }}" -matrix_ldap_registration_proxy_docker_image: "{{ matrix_ldap_registration_proxy_docker_image_name_prefix }}activism.international/matrix_ldap_registration_proxy:{{ matrix_ldap_registration_proxy_version }}" -matrix_ldap_registration_proxy_docker_image_name_prefix: "localhost/" - matrix_ldap_registration_proxy_version: "296246afc6a9b3105e67fcf6621cf05ebc74b873" matrix_ldap_registration_proxy_base_path: "{{ matrix_base_data_path }}/matrix_ldap_registration_proxy" @@ -17,8 +14,6 @@ matrix_ldap_registration_proxy_base_path: "{{ matrix_base_data_path }}/matrix_ld matrix_ldap_registration_proxy_docker_src_files_path: "{{ matrix_ldap_registration_proxy_base_path }}/docker-src/matrix_ldap_registration_proxy" matrix_ldap_registration_proxy_config_path: "{{ matrix_ldap_registration_proxy_base_path }}/config" -matrix_ldap_registration_proxy_appservice_public_enabled: false - matrix_ldap_registration_proxy_ldap_uri: "" matrix_ldap_registration_proxy_ldap_base_dn: "" matrix_ldap_registration_proxy_ldap_user: "" @@ -27,16 +22,20 @@ matrix_ldap_registration_proxy_matrix_server_name: "{{ matrix_domain }}" matrix_ldap_registration_proxy_matrix_server_url: "https://{{ matrix_server_fqn_matrix }}" # Controls whether the self-check feature should validate SSL certificates. -matrix_ldap_registration_proxy_self_check_validate_certificates: true +matrix_matrix_ldap_registration_proxy_self_check_validate_certificates: true matrix_ldap_registration_proxy_container_port: 8080 # Controls whether the matrix_ldap_registration_proxy container exposes its HTTP port (tcp/{{ matrix_ldap_registration_proxy_container_port }} in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:8080"), or empty string to not expose. -matrix_ldap_registration_proxy_container_http_host_bind_port: '' +matrix_ldap_registration_proxy_container_http_host_bind_port: '8585'}' -matrix_ldap_registration_proxy_registration_addr_with_container: "matrix-ldap_registration-proxy:{{ matrix_ldap_registration_proxy_container_port }}" -matrix_ldap_registration_proxy_registration_addr_sans_container: "127.0.0.1:{{ matrix_ldap_registration_proxy_container_port }}" +# `matrix_ldap_registration_proxy_container_http_host_bind_port_number_raw` contains the raw port number extracted from `matrix_ldap_registration_proxy_container_http_host_bind_port`, + # which can contain values like this: ('1234', '127.0.0.1:1234', '0.0.0.0:1234') + matrix_ldap_registration_proxy_container_http_host_bind_port_number_raw: "{{ '' if matrix_ldap_registration_proxy_container_http_host_bind_port == '' else (matrix_ldap_registration_proxy_container_http_host_bind_port.split(':')[1] if ':' in matrix_ldap_registration_proxy_container_http_host_bind_port else matrix_ldap_registration_proxy_container_http_host_bind_port) }}" + +matrix_ldap_registration_proxy_registration_addr_with_container: "matrix-ldap_registration-proxy:{{ matrix_ldap_registration_proxy_container_http_host_bind_port_number_raw }}" +matrix_ldap_registration_proxy_registration_addr_sans_container: "127.0.0.1:{{ matrix_ldap_registration_proxy_container_http_host_bind_port_number_raw }}" # A list of extra arguments to pass to the container diff --git a/roles/matrix-ldap-registration-proxy/templates/systemd/matrix-ldap-registration-proxy.service.j2 b/roles/matrix-ldap-registration-proxy/templates/systemd/matrix-ldap-registration-proxy.service.j2 index 4c68ed46..13ada897 100644 --- a/roles/matrix-ldap-registration-proxy/templates/systemd/matrix-ldap-registration-proxy.service.j2 +++ b/roles/matrix-ldap-registration-proxy/templates/systemd/matrix-ldap-registration-proxy.service.j2 @@ -13,8 +13,8 @@ DefaultDependencies=no [Service] Type=simple Environment="HOME={{ matrix_systemd_unit_home_path }}" -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix_ldap_registration_proxy 2>/dev/null || true' -ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix_ldap_registration_proxy 2>/dev/null || true' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-ldap-registration-proxy 2>/dev/null || true' +ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-ldap-registration-proxy 2>/dev/null || true' # matrix_ldap_registration_proxy writes an SQLite shared library (libsqlitejdbc.so) to /tmp and executes it from there, # so /tmp needs to be mounted with an exec option.