Add matrix-synapse-rest-auth support

This commit is contained in:
Slavi Pantaleev 2018-08-17 09:02:12 +03:00
parent 7e543f32d9
commit ea43d46b70
13 changed files with 229 additions and 98 deletions

View file

@ -1,5 +1,12 @@
# 2018-08-17
## REST auth support via matrix-synapse-rest-auth
The playbook can now install and configure [matrix-synapse-rest-auth](https://github.com/kamax-io/matrix-synapse-rest-auth) for you.
Additional details are available in [Setting up the REST authentication password provider module](docs/configuring-playbook-rest-auth.md).
## Compression improvements
Shifted Matrix Synapse compression from happening in the Matrix Synapse,

View file

@ -26,6 +26,8 @@ Using this playbook, you can get the following services configured on your serve
- (optional default) an [nginx](http://nginx.org/) web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver [is possible](#using-your-own-webserver-instead-of-this-playbooks-nginx-proxy-optional)
- (optional) the [matrix-synapse-rest-auth](https://github.com/kamax-io/matrix-synapse-rest-auth) REST authentication password provider module
Basically, this playbook aims to get you up-and-running with all the basic necessities around Matrix, without you having to do anything else.

View file

@ -0,0 +1,15 @@
# Setting up the REST authentication password provider module
The playbook can now install and configure [matrix-synapse-rest-auth](https://github.com/kamax-io/matrix-synapse-rest-auth) for you.
See that project's documentation to learn what it does and why it might be useful to you.
If you decide that you'd like to let this playbook install it for you, you need soem configuration like this:
```yaml
matrix_synapse_ext_password_provider_rest_auth_enabled: true
matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://change.me.example.com:12345"
matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false
matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true
matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false
```

View file

@ -31,4 +31,6 @@ When you're done with all the configuration you'd like to do, continue with [Ins
- [Adjusting mxisd Identity Server configuration](configuring-playbook-mxisd.md) (optional)
- [Using your own webserver, instead of this playbook's nginx proxy](configuring-playbook-own-webserver.md) (optional)
- [Using your own webserver, instead of this playbook's nginx proxy](configuring-playbook-own-webserver.md) (optional)
- [Setting up the REST authentication password provider module](configuring-playbook-rest-auth.md) (optional)

View file

@ -33,6 +33,7 @@ matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config"
matrix_synapse_run_path: "{{ matrix_synapse_base_path }}/run"
matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage"
matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store"
matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext"
# Specifies which template files to use when configuring Synapse.
# If you'd like to have your own different configuration, feel free to copy and paste
@ -60,6 +61,29 @@ matrix_synapse_max_upload_size_mb: 10
matrix_synapse_max_log_file_size_mb: 100
matrix_synapse_max_log_files_count: 10
# A list of additional "volumes" to mount in the container.
# This list gets populated dynamically based on Synapse extensions that have been enabled.
# Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
matrix_synapse_container_additional_volumes: []
# A list of additional loggers to register in synapse.log.config.
# This list gets populated dynamically based on Synapse extensions that have been enabled.
# Contains definition objects like this: `{"name": "..", "level": "DEBUG"}
matrix_synapse_additional_loggers: []
# This is set dynamically during execution depending on whether
# any password providers have been enabled or not.
matrix_synapse_password_providers_enabled: false
# Enable this to activate the REST auth password provider module
# See: https://github.com/kamax-io/matrix-synapse-rest-auth
matrix_synapse_ext_password_provider_rest_auth_enabled: false
matrix_synapse_ext_password_provider_rest_auth_download_url: "https://raw.githubusercontent.com/kamax-io/matrix-synapse-rest-auth/v0.1.1/rest_auth_provider.py"
matrix_synapse_ext_password_provider_rest_auth_endpoint: ""
matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false
matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true
matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false
matrix_postgres_data_path: "{{ matrix_base_data_path }}/postgres"
matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy"
matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d"
@ -159,4 +183,4 @@ matrix_ssl_renew_cron_time_definition: "15 4 */5 * *"
# Specifies when to reload the matrix-nginx-proxy service so that
# a new SSL certificate could go into effect.
matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"
matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"

View file

@ -1,99 +1,7 @@
---
- name: Fail if Macaroon key is missing
fail:
msg: "You need to set a secret in the matrix_synapse_macaroon_secret_key variable"
when: "matrix_synapse_macaroon_secret_key == ''"
- include: tasks/setup_synapse_pre.yml
- name: Ensure Matrix Synapse paths exist
file:
path: "{{ item }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
with_items:
- "{{ matrix_synapse_config_dir_path }}"
- "{{ matrix_synapse_run_path }}"
- "{{ matrix_synapse_storage_path }}"
# We handle matrix_synapse_media_store_path below, not here,
# because if it's using S3fs and it's already mounted (from before),
# trying to chown/chmod it here will cause trouble.
- include: tasks/setup_synapse_ext.yml
# This will throw a Permission Denied error if already mounted using fuse
- name: Check Matrix Synapse media store path
stat: path="{{ matrix_synapse_media_store_path }}"
register: local_path_media_store_stat
ignore_errors: yes
# This is separate and conditional, to ensure we don't execute it
# if the path already exists or we failed to check, because it's mounted using fuse.
- name: Ensure Matrix media store path exists
file:
path: "{{ matrix_synapse_media_store_path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists"
- name: Ensure Matrix Docker image is pulled
docker_image:
name: "{{ matrix_docker_image_synapse }}"
- name: Check if a Matrix Synapse configuration exists
stat:
path: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml"
register: matrix_synapse_config_stat
# We do this mostly so that the keys would get generated.
# We'll replace the rest of the configuration with our own templates below.
- name: Generate initial Matrix config
docker_container:
name: matrix-config
image: "{{ matrix_docker_image_synapse }}"
detach: no
cleanup: yes
command: generate
env:
SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml"
SYNAPSE_SERVER_NAME: "{{ hostname_matrix }}"
SYNAPSE_REPORT_STATS: "no"
user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}"
volumes:
- "{{ matrix_synapse_config_dir_path }}:/data"
when: "not matrix_synapse_config_stat.stat.exists"
- name: Ensure Matrix homeserver config installed
template:
src: "{{ matrix_synapse_template_synapse_homeserver }}"
dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml"
mode: 0644
- name: Ensure Matrix log config installed
template:
src: "{{ matrix_synapse_template_synapse_log }}"
dest: "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config"
mode: 0644
- name: Ensure matrix-synapse.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-synapse.service.j2"
dest: "/etc/systemd/system/matrix-synapse.service"
mode: 0644
- name: Ensure matrix-synapse-register-user script created
template:
src: "{{ role_path }}/templates/usr-local-bin/matrix-synapse-register-user.j2"
dest: "/usr/local/bin/matrix-synapse-register-user"
mode: 0750
- name: Allow access to Matrix ports in firewalld
firewalld:
port: "{{ item }}"
state: enabled
immediate: yes
permanent: yes
with_items:
- '8448/tcp' # Matrix federation
when: ansible_os_family == 'RedHat'
- include: tasks/setup_synapse_main.yml

View file

@ -0,0 +1,3 @@
---
- include: tasks/setup_synapse_ext_rest_auth.yml

View file

@ -0,0 +1,45 @@
---
#
# Tasks related to setting up matrix-synapse-rest-auth
#
- name: Download matrix-synapse-rest-auth
get_url:
url: "{{ matrix_synapse_ext_password_provider_rest_auth_download_url }}"
dest: "{{ matrix_synapse_ext_path }}/rest_auth_provider.py"
mode: 0440
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
- set_fact:
matrix_synapse_password_providers_enabled: true
when: "matrix_synapse_ext_password_provider_rest_auth_enabled"
- set_fact:
matrix_synapse_container_additional_volumes: >
{{ matrix_synapse_container_additional_volumes }}
+
{{ [{'src': '{{ matrix_synapse_ext_path }}/rest_auth_provider.py', 'dst': '/usr/local/lib/python2.7/site-packages/rest_auth_provider.py', 'options': 'ro'}] }}
when: "matrix_synapse_ext_password_provider_rest_auth_enabled"
- set_fact:
matrix_synapse_additional_loggers: >
{{ matrix_synapse_additional_loggers }}
+
{{ [{'name': 'rest_auth_provider', 'level': 'DEBUG'}] }}
when: "matrix_synapse_ext_password_provider_rest_auth_enabled"
- debug: var="matrix_synapse_container_additional_volumes"
- debug: var="matrix_synapse_additional_loggers"
#
# Tasks related to getting rid of matrix-synapse-rest-auth (if it was previously enabled)
#
- name: Ensure matrix-synapse-rest-auth doesn't exist
file:
path: "{{ matrix_synapse_ext_path }}/rest_auth_provider.py"
state: absent
when: "not matrix_synapse_ext_password_provider_rest_auth_enabled"

View file

@ -0,0 +1,84 @@
---
- name: Fail if Macaroon key is missing
fail:
msg: "You need to set a secret in the matrix_synapse_macaroon_secret_key variable"
when: "matrix_synapse_macaroon_secret_key == ''"
# This will throw a Permission Denied error if already mounted using fuse
- name: Check Matrix Synapse media store path
stat: path="{{ matrix_synapse_media_store_path }}"
register: local_path_media_store_stat
ignore_errors: yes
# This is separate and conditional, to ensure we don't execute it
# if the path already exists or we failed to check, because it's mounted using fuse.
- name: Ensure Matrix media store path exists
file:
path: "{{ matrix_synapse_media_store_path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists"
- name: Ensure Matrix Docker image is pulled
docker_image:
name: "{{ matrix_docker_image_synapse }}"
- name: Check if a Matrix Synapse configuration exists
stat:
path: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml"
register: matrix_synapse_config_stat
# We do this mostly so that the keys would get generated.
# We'll replace the rest of the configuration with our own templates below.
- name: Generate initial Matrix config
docker_container:
name: matrix-config
image: "{{ matrix_docker_image_synapse }}"
detach: no
cleanup: yes
command: generate
env:
SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml"
SYNAPSE_SERVER_NAME: "{{ hostname_matrix }}"
SYNAPSE_REPORT_STATS: "no"
user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}"
volumes:
- "{{ matrix_synapse_config_dir_path }}:/data"
when: "not matrix_synapse_config_stat.stat.exists"
- name: Ensure Matrix homeserver config installed
template:
src: "{{ matrix_synapse_template_synapse_homeserver }}"
dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml"
mode: 0644
- name: Ensure Matrix log config installed
template:
src: "{{ matrix_synapse_template_synapse_log }}"
dest: "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config"
mode: 0644
- name: Ensure matrix-synapse.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-synapse.service.j2"
dest: "/etc/systemd/system/matrix-synapse.service"
mode: 0644
- name: Ensure matrix-synapse-register-user script created
template:
src: "{{ role_path }}/templates/usr-local-bin/matrix-synapse-register-user.j2"
dest: "/usr/local/bin/matrix-synapse-register-user"
mode: 0750
- name: Allow access to Matrix ports in firewalld
firewalld:
port: "{{ item }}"
state: enabled
immediate: yes
permanent: yes
with_items:
- '8448/tcp' # Matrix federation
when: ansible_os_family == 'RedHat'

View file

@ -0,0 +1,17 @@
---
- name: Ensure Matrix Synapse paths exist
file:
path: "{{ item }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
with_items:
- "{{ matrix_synapse_config_dir_path }}"
- "{{ matrix_synapse_run_path }}"
- "{{ matrix_synapse_storage_path }}"
- "{{ matrix_synapse_ext_path }}"
# We handle matrix_synapse_media_store_path elsewhere (in setup_synapse.yml),
# because if it's using S3fs and it's already mounted (from before),
# trying to chown/chmod it here will cause trouble.

View file

@ -580,7 +580,23 @@ email:
# #bind_dn:
# #bind_password:
# #filter: "(objectClass=posixAccount)"
{% if matrix_synapse_password_providers_enabled %}
password_providers:
{% if matrix_synapse_ext_password_provider_rest_auth_enabled %}
- module: "rest_auth_provider.RestAuthProvider"
config:
endpoint: "{{ matrix_synapse_ext_password_provider_rest_auth_endpoint }}"
policy:
registration:
username:
enforceLowercase: {{ matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase }}
profile:
name: {{ matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill }}
login:
profile:
name: {{ matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill }}
{% endif %}
{% endif %}
# Clients requesting push notifications can either have the body of

View file

@ -32,6 +32,11 @@ loggers:
# information such as access tokens.
level: INFO
{% for logger in matrix_synapse_additional_loggers %}
{{ logger.name }}:
level: {{ logger.level }}
{% endfor %}
root:
level: INFO
handlers: [file, console]

View file

@ -34,6 +34,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
-v {{ matrix_synapse_config_dir_path }}:/data \
-v {{ matrix_synapse_run_path }}:/matrix-run \
-v {{ matrix_synapse_storage_path }}:/matrix-storage:slave \
{% for volume in matrix_synapse_container_additional_volumes %}
-v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \
{% endfor %}
-e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml \
{{ matrix_docker_image_synapse }}
ExecStop=-/usr/bin/docker kill matrix-synapse