cqrenet/matrix-docker-ansible-deploy
3
0
Fork 0
mirror of https://github.com/spantaleev/matrix-docker-ansible-deploy.git synced 2026-02-08 08:03:08 +00:00
Code Issues Wiki Activity

Remove ma1sd (#4898)

Browse Source 
* Remove ma1sd

Reuse 6d1ec58a82/docs/configuring-playbook-bridge-mautrix-instagram.md

Signed-off-by: Suguru Hirahara <did🔑z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Update configuring-playbook-ma1sd.pot

Signed-off-by: Suguru Hirahara <did🔑z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>

* Update changelog entry date for ma1sd removal

---------

Signed-off-by: Suguru Hirahara <did🔑z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
Co-authored-by: Suguru Hirahara <did🔑z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
Co-authored-by: Slavi Pantaleev <slavi@devture.com>
This commit is contained in:
Suguru Hirahara
2026-02-08 07:35:51 +00:00
committed by GitHub
parent 9320ef49fe
commit 4310fb83c1
26 changed files with 70 additions and 1394 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
CHANGELOG.md
View File

@@ -1,3 +1,13 @@
# 2026-02-08
## ma1sd has been removed from the playbook
[ma1sd](./docs/configuring-playbook-ma1sd.md) has been removed from the playbook, as it has been unmaintained for a long time.
The playbook will let you know if you're using any `matrix_ma1sd_*` variables. You'll need to remove them from `vars.yml` and potentially [uninstall the component manually](./docs/configuring-playbook-ma1sd.md#uninstalling-the-component-manually).
Please note that some of the functions can be achieved with other components. For example, if you wish to implement LDAP integration, you might as well check out [the LDAP provider module for Synapse](./docs/configuring-playbook-ldap-auth.md) instead.
# 2026-02-07
## (BC Break) Cinny role has been relocated and variable names need adjustments
@@ -12,8 +22,6 @@ You need to do the following replacement:
As always, the playbook would let you know about this and point out any variables you may have missed.
# 2026-02-06
## The Sliding Sync proxy has been removed from the playbook
The [Sliding Sync proxy](./docs/configuring-playbook-sliding-sync-proxy.md) has been removed from the playbook, as it's been replaced with a different method (called Simplified Sliding Sync) integrated to newer homeservers by default (**Conduit** homeserver from version `0.6.0` or **Synapse** from version `1.114`).

1
README.md
View File

@@ -79,7 +79,6 @@ Services that run on the server to make the various parts of your installation w
| [Traefik](https://doc.traefik.io/traefik/) | ✅ | Web server, listening on ports 80, 443 and 8448 - standing in front of all the other services. [Using your own webserver](docs/configuring-playbook-own-webserver.md) is also possible. | [Link](docs/configuring-playbook-traefik.md) |
| [Let's Encrypt](https://letsencrypt.org/) | ✅ | Free SSL certificate, which secures the connection to all components | [Link](docs/configuring-playbook-ssl-certificates.md) |
| [Exim](https://www.exim.org/) | ✅ | Mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) | [Link](docs/configuring-playbook-email.md) |
| [ma1sd](https://github.com/ma1uta/ma1sd) | ❌ | Matrix Identity Server | [Link](docs/configuring-playbook-ma1sd.md)
| [ddclient](https://github.com/linuxserver/docker-ddclient) | ❌ | Dynamic DNS | [Link](docs/configuring-playbook-dynamic-dns.md) |
| [LiveKit Server](https://github.com/livekit/livekit) | ❌ | WebRTC server for audio/video calls | [Link](docs/configuring-playbook-livekit-server.md) |
| [Livekit JWT Service](https://github.com/livekit/livekit-jwt-service) | ❌ | JWT service for integrating [Element Call](./configuring-playbook-element-call.md) with [LiveKit Server](./configuring-playbook-livekit-server.md) | [Link](docs/configuring-playbook-livekit-jwt-service.md) |

2
docs/configuring-playbook-federation.md
View File

@@ -44,7 +44,7 @@ matrix_homeserver_federation_enabled: false
With that, your server's users will only be able to talk among themselves, but not to anyone who is on another server.
**Disabling federation does not necessarily disable the federation port** (`8448`). Services like [Dimension](configuring-playbook-dimension.md) and [ma1sd](configuring-playbook-ma1sd.md) normally rely on `openid` APIs exposed on that port. Even if you disable federation and only if necessary, we may still be exposing the federation port and serving the `openid` APIs there. To override this and completely disable Synapse's federation port use:
**Disabling federation does not necessarily disable the federation port** (`8448`). Services like [Dimension](configuring-playbook-dimension.md) normally rely on `openid` APIs exposed on that port. Even if you disable federation and only if necessary, we may still be exposing the federation port and serving the `openid` APIs there. To override this and completely disable Synapse's federation port use:
```yaml
matrix_homeserver_federation_enabled: false

185
docs/configuring-playbook-ma1sd.md
View File

@@ -1,176 +1,37 @@
<!--
SPDX-FileCopyrightText: 2018 - 2024 Slavi Pantaleev
SPDX-FileCopyrightText: 2019 - 2020 MDAD project contributors
SPDX-FileCopyrightText: 2018-2025 Slavi Pantaleev
SPDX-FileCopyrightText: 2019 Eduardo Beltrame
SPDX-FileCopyrightText: 2019 Noah Fleischmann
SPDX-FileCopyrightText: 2020 Justin Croonenberghs
SPDX-FileCopyrightText: 2019-2022, 2024 MDAD project contributors
SPDX-FileCopyrightText: 2020 Hugues Morisset
SPDX-FileCopyrightText: 2020 Marcel Partap
SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
SPDX-FileCopyrightText: 2020 Tulir Asokan
SPDX-FileCopyrightText: 2020, 2023 Justin Croonenberghs
SPDX-FileCopyrightText: 2022 Dennis Ciba
SPDX-FileCopyrightText: 2022 Vladimir Panteleev
SPDX-FileCopyrightText: 2023 Kuba Orlik
SPDX-FileCopyrightText: 2023 Pierre 'McFly' Marty
SPDX-FileCopyrightText: 2023 Samuel Meenzen
SPDX-FileCopyrightText: 2024 Fabio Bonelli
SPDX-FileCopyrightText: 2024-2026 Suguru Hirahara
SPDX-License-Identifier: AGPL-3.0-or-later
-->
# Setting up ma1sd Identity Server (optional)
# Setting up ma1sd Identity Server (optional, removed)
> [!WARNING]
> Since ma1sd has been unmaintained for years (the latest commit and release being from 2021) and the future of identity server's role in the Matrix specification is uncertain, **we recommend not bothering with installing it unless it's the only way you can do what you need to do**.
>
> Please note that certain things can be achieved with other components. For example, if you wish to implement LDAP integration, you might as well check out [the LDAP provider module for Synapse](./configuring-playbook-ldap-auth.md) instead.
🪦 The playbook used to be able to install and configure the [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server, but no longer includes this component, as it has been unmaintained for a long time.
The playbook can configure the [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server for you. It is a fork of [mxisd](https://github.com/kamax-io/mxisd) which was pronounced end of life 2019-06-21.
Please note that some of the functions can be achieved with other components. For example, if you wish to implement LDAP integration, you might as well check out [the LDAP provider module for Synapse](./configuring-playbook-ldap-auth.md) instead.
ma1sd is used for 3PIDs (3rd party identifiers like E-mail and phone numbers) and some [enhanced features](https://github.com/ma1uta/ma1sd/#features). It is private by default, potentially at the expense of user discoverability.
## Uninstalling the component manually
See the project's [documentation](https://github.com/ma1uta/ma1sd/blob/master/README.md) to learn what it does and why it might be useful to you.
If you still have the ma1sd Identity Server installed on your Matrix server, the playbook can no longer help you uninstall it and you will need to do it manually. To uninstall manually, run these commands on the server:
## Prerequisites
### Open Matrix Federation port
Enabling the ma1sd service will automatically reconfigure your Synapse homeserver to expose the `openid` API endpoints on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. If you enable the component, make sure that the port is accessible.
## Adjusting DNS records
To make the ma1sd Identity Server enable its federation features, set up a SRV record that looks like this:
- Name: `_matrix-identity._tcp` (use this text as-is)
- Content: `10 0 443 matrix.example.com` (replace `example.com` with your own)
See [ma1sd's documentation](https://github.com/ma1uta/ma1sd/wiki/mxisd-and-your-privacy#choices-are-never-easy) for information on the privacy implications of setting up this SRV record.
When setting up a SRV record, if you are asked for a service and protocol instead of a hostname split the host value from the table where the period is. For example use service as `_matrix-identity` and protocol as `_tcp`.
**Note**: This `_matrix-identity._tcp` SRV record for the identity server is different from the `_matrix._tcp` that can be used for Synapse delegation. See [howto-server-delegation.md](howto-server-delegation.md) for more information about delegation.
## Adjusting the playbook configuration
To enable ma1sd, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
```yaml
matrix_ma1sd_enabled: true
```
### Matrix.org lookup forwarding
To ensure maximum discovery, you can make your identity server also forward lookups to the central matrix.org Identity server (at the cost of potentially leaking all your contacts information).
Enabling this is discouraged and you'd better [learn more](https://github.com/ma1uta/ma1sd/blob/master/docs/features/identity.md#lookups) before proceeding.
To enable matrix.org forwarding, add the following configuration to your `vars.yml` file:
```yaml
matrix_ma1sd_matrixorg_forwarding_enabled: true
```
### Extending the configuration
There are some additional things you may wish to configure about the component.
Take a look at:
- `roles/custom/matrix-ma1sd/defaults/main.yml` for some variables that you can customize via your `vars.yml` file. You can override settings (even those that don't have dedicated playbook variables) using the `matrix_ma1sd_configuration_extension_yaml` variable
You can refer to the [ma1sd website](https://github.com/ma1uta/ma1sd) for more details and configuration options.
#### Customizing email templates
If you'd like to change the default email templates used by ma1sd, take a look at the `matrix_ma1sd_threepid_medium_email_custom_` variables (in the `roles/custom/matrix-ma1sd/defaults/main.yml` file.
#### ma1sd-controlled Registration
To use the [Registration](https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md) feature of ma1sd, you can make use of the following variables:
- `matrix_synapse_enable_registration` — to enable user-initiated registration in Synapse
- `matrix_synapse_enable_registration_captcha` — to validate registering users using reCAPTCHA, as described in the [enabling reCAPTCHA](configuring-captcha.md) documentation.
- `matrix_synapse_registrations_require_3pid` — a list of 3pid types (among `'email'`, `'msisdn'`) required by the Synapse server for registering
- variables prefixed with `matrix_ma1sd_container_labels_` (e.g. `matrix_ma1sd_container_labels_matrix_client_3pid_registration_enabled`) — to configure the Traefik reverse-proxy to capture and send registration requests to ma1sd (instead of Synapse), so it can apply its additional functionality
- `matrix_ma1sd_configuration_extension_yaml` — to configure ma1sd as required. See the [Registration feature's docs](https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md) for inspiration. Also see the [Additional features](#additional-features) section below to learn more about how to use `matrix_ma1sd_configuration_extension_yaml`.
**Note**: For this to work, either the homeserver needs to [federate](configuring-playbook-federation.md) or the `openid` APIs need to exposed on the federation port. When federation is disabled and ma1sd is enabled, we automatically expose the `openid` APIs (only!) on the federation port. Make sure the federation port (usually `https://matrix.example.com:8448`) is whitelisted in your firewall (even if you don't actually use/need federation).
#### Authentication
[Authentication](https://github.com/ma1uta/ma1sd/blob/master/docs/features/authentication.md) provides the possibility to use your own [Identity Stores](https://github.com/ma1uta/ma1sd/blob/master/docs/stores/README.md) (for example LDAP) to authenticate users on your Homeserver.
To enable authentication against an LDAP server, add the following configuration to your `vars.yml` file:
```yaml
matrix_synapse_ext_password_provider_rest_auth_enabled: true
# matrix-ma1sd is the hostname of the ma1sd Docker container
matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-ma1sd:8090"
matrix_ma1sd_configuration_extension_yaml: |
ldap:
enabled: true
connection:
host: ldapHostnameOrIp
tls: false
port: 389
baseDNs: ['OU=Users,DC=example,DC=org']
bindDn: CN=My ma1sd User,OU=Users,DC=example,DC=org
bindPassword: TheUserPassword
```
#### Example: SMS verification
If your use case requires mobile verification, it is quite simple to integrate ma1sd with [Twilio](https://www.twilio.com/), an online telephony services gateway. Their prices are reasonable for low-volume projects and integration can be done with the following configuration:
```yaml
matrix_ma1sd_configuration_extension_yaml: |
threepid:
medium:
msisdn:
connectors:
twilio:
account_sid: '<secret-SID>'
auth_token: '<secret-token>'
number: '+<msisdn-number>'
```
#### Example: Open Registration for every Domain
If you want to open registration for any domain, you have to setup the allowed domains with ma1sd's `blacklist` and `whitelist`. The default behavior when neither the `blacklist`, nor the `whitelist` match, is to allow registration. Beware: you can't block toplevel domains (aka `.xy`) because the internal architecture of ma1sd doesn't allow that.
```yaml
matrix_ma1sd_configuration_extension_yaml: |
register:
policy:
allowed: true
threepid:
email:
domain:
blacklist: ~
whitelist: ~
```
## Installing
After configuring the playbook, run it with [playbook tags](playbook-tags.md) as below:
<!-- NOTE: let this conservative command run (instead of install-all) to make it clear that failure of the command means something is clearly broken. -->
```sh
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
```
The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`
`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too.
## Troubleshooting
If email address validation emails sent by ma1sd are not reaching you, you should look into [Adjusting email-sending settings](configuring-playbook-email.md).
As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-ma1sd`.
### Increase logging verbosity
If you want to increase the verbosity, add the following configuration to your `vars.yml` file and re-run the playbook:
```yaml
# See: https://github.com/ma1uta/ma1sd/blob/master/docs/troubleshooting.md#increase-verbosity
matrix_ma1sd_verbose_logging: true
systemctl disable --now matrix-ma1sd.service
rm -rf /matrix/ma1sd
/matrix/postgres/bin/cli-non-interactive 'DROP DATABASE matrix_ma1sd;'
```

9
docs/configuring-playbook-rest-auth.md
View File

@@ -18,7 +18,7 @@ Add the following configuration to your `inventory/host_vars/matrix.example.com/
```yaml
matrix_synapse_ext_password_provider_rest_auth_enabled: true
matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-ma1sd:8090"
matrix_synapse_ext_password_provider_rest_auth_endpoint: SET_YOUR_ENDPOINT_HERE
matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false
matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true
matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false
@@ -47,9 +47,4 @@ The shortcut commands with the [`just` program](just.md) are also available: `ju
## Usage
### Use ma1sd Identity Server for the backend (not recommended)
This module does not provide direct integration with any backend. For the backend you can use [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server, which can be configured with the playbook.
> [!WARNING]
> We recommend not bothering with installing ma1sd as it has been unmaintained for years. If you wish to install it anyway, consult the [ma1sd Identity Server configuration](configuring-playbook-ma1sd.md).
This module does not provide direct integration with any backend. Please prepare one by yourself for it.

4
docs/configuring-playbook.md
View File

@@ -70,8 +70,6 @@ For a more custom setup, see the [Other configuration options](#other-configurat
- [Adjusting email-sending settings](configuring-playbook-email.md)
- [Setting up ma1sd Identity Server](configuring-playbook-ma1sd.md)
- [Setting up Dynamic DNS](configuring-playbook-dynamic-dns.md)
- Server connectivity:
@@ -277,6 +275,8 @@ Various services that don't fit any other categories.
- [Setting up Go Skype Bridge bridging](configuring-playbook-bridge-go-skype-bridge.md) (removed; Skype has been discontinued since May 2025)
- [Setting up ma1sd Identity Server](configuring-playbook-ma1sd.md) (removed; this component has been unmaintained for a long time, so it has been removed from the playbook.)
- [Setting up matrix-bot-chatgpt](configuring-playbook-bot-chatgpt.md) (unmaintained; the bridge's author suggests taking a look at [baibot](https://github.com/etkecc/baibot) as a replacement, which can also be [installed using this playbook](configuring-playbook-bot-baibot.md))
- [Setting up Mautrix Facebook bridging](configuring-playbook-bridge-mautrix-facebook.md) (deprecated in favor of the Messenger/Instagram bridge with [mautrix-meta-messenger](configuring-playbook-bridge-mautrix-meta-messenger.md))

2
docs/container-images.md
View File

@@ -53,7 +53,6 @@ Services that run on the server to make the various parts of your installation w
| [Traefik](configuring-playbook-traefik.md) | [Traefik](https://hub.docker.com/_/traefik/) | ✅ | Web server, listening on ports 80, 443 and 8448 — standing in front of all the other services. [Using your own webserver](configuring-playbook-own-webserver.md) is also possible. |
| [Let's Encrypt](configuring-playbook-ssl-certificates.md) | [certbot/certbot](https://hub.docker.com/r/certbot/certbot/) | ✅ | [Certbot](https://certbot.eff.org/) tool for obtaining SSL certificates from [Let's Encrypt](https://letsencrypt.org/) |
| [Exim](configuring-playbook-email.md) | [devture/exim-relay](https://hub.docker.com/r/devture/exim-relay/) | ✅ | Mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server) |
| [ma1sd](configuring-playbook-ma1sd.md) | [ma1uta/ma1sd](https://hub.docker.com/r/ma1uta/ma1sd/) | ❌ | Matrix Identity Server |
| [ddclient](configuring-playbook-dynamic-dns.md) | [linuxserver/ddclient](https://hub.docker.com/r/linuxserver/ddclient) | ❌ | Update dynamic DNS entries for accounts on Dynamic DNS Network Service Provider |
| [LiveKit Server](configuring-playbook-livekit-server.md) | [livekit/livekit-server](https://hub.docker.com/r/livekit/livekit-server/) | ❌ | WebRTC server for audio/video calls |
| [Livekit JWT Service](configuring-playbook-livekit-jwt-service.md) | [element-hq/lk-jwt-service](https://ghcr.io/element-hq/lk-jwt-service) | ❌ | JWT service for integrating [Element Call](./configuring-playbook-element-call.md) with [LiveKit Server](./configuring-playbook-livekit-server.md) |
@@ -177,6 +176,7 @@ The list of the deprecated or unmaintained services is available [here](configur
| [Dimension](configuring-playbook-dimension.md) | [turt2live/matrix-dimension](https://hub.docker.com/r/turt2live/matrix-dimension) | ❌ | Open source integration manager for Matrix clients |
| [Email2Matrix](configuring-playbook-email2matrix.md) | [devture/email2matrix](https://hub.docker.com/r/devture/email2matrix/) | ❌ | Bridge for relaying emails to Matrix rooms |
| [Go-NEB](configuring-playbook-bot-go-neb.md) | [matrixdotorg/go-neb](https://hub.docker.com/r/matrixdotorg/go-neb) | ❌ | Multi functional bot written in Go |
| [ma1sd](configuring-playbook-ma1sd.md) | [ma1uta/ma1sd](https://hub.docker.com/r/ma1uta/ma1sd/) | ❌ | Matrix Identity Server |
| [matrix-appservice-webhooks](configuring-playbook-bridge-appservice-webhooks.md) | [turt2live/matrix-appservice-webhooks](https://hub.docker.com/r/turt2live/matrix-appservice-webhooks) | ❌ | Bridge for slack compatible webhooks ([ConcourseCI](https://concourse-ci.org/), [Slack](https://slack.com/) etc. pp.) |
| [matrix-chatgpt-bot](configuring-playbook-bot-chatgpt.md) | [matrixgpt/matrix-chatgpt-bot](https://ghcr.io/matrixgpt/matrix-chatgpt-bot) | ❌ | Accessing ChatGPT via your favourite Matrix client |
| [mautrix-facebook](configuring-playbook-bridge-mautrix-facebook.md) | [mautrix/facebook](https://mau.dev/mautrix/facebook/container_registry) | ❌ | Bridge to [Facebook](https://facebook.com/) |

1
docs/self-building.md
View File

@@ -34,7 +34,6 @@ Possibly outdated list of roles where self-building the Docker image is currentl
- `matrix-coturn`
- `matrix-corporal`
- `matrix-dimension`
- `matrix-ma1sd`
- `exim-relay`
- `matrix-bridge-hookshot`
- `matrix-bridge-appservice-irc`

110
group_vars/matrix_servers
View File

@@ -384,8 +384,6 @@ devture_systemd_service_manager_services_list_auto: |
+
([{'name': 'matrix-ldap-registration-proxy.service', 'priority': 2000, 'groups': ['matrix', 'ldap-registration-proxy']}] if matrix_ldap_registration_proxy_enabled else [])
+
([{'name': 'matrix-ma1sd.service', 'priority': 2000, 'groups': ['matrix', 'ma1sd']}] if matrix_ma1sd_enabled else [])
+
([{'name': (matrix_media_repo_identifier + '.service'), 'priority': 4000, 'groups': ['matrix', 'matrix-media-repo']}] if matrix_media_repo_enabled else [])
+
([{'name': (exim_relay_identifier ~ '.service'), 'priority': 800, 'groups': ['matrix', 'mailer', 'exim-relay']}] if exim_relay_enabled else [])
@@ -508,8 +506,6 @@ docker_daemon_options: "{{ matrix_playbook_docker_installation_daemon_options }}
#
######################################################################
matrix_identity_server_url: "{{ (('https://' if matrix_playbook_ssl_enabled else 'http://') + matrix_server_fqn_matrix) if matrix_ma1sd_enabled else None }}"
matrix_homeserver_systemd_services_list: |-
{{
(
@@ -3543,95 +3539,6 @@ exim_relay_container_image_self_build: "{{ matrix_architecture not in ['amd64',
# #
########################################################################
######################################################################
#
# matrix-ma1sd
#
######################################################################
# We no longer install the ma1sd identity server by default.
#
# The main reason we used to install ma1sd by default in the past was to
# prevent Element from talking to the `matrix.org` / `vector.im` identity servers,
# by forcing it to talk to our own self-hosted (but otherwise useless) identity server instead,
# thus preventing contact list leaks.
#
# Since Element no longer defaults to using a public identity server if another one is not provided,
# we can stop installing ma1sd.
matrix_ma1sd_enabled: false
matrix_ma1sd_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
matrix_ma1sd_hostname: "{{ matrix_server_fqn_matrix }}"
matrix_ma1sd_docker_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_ma1sd_docker_image_registry_prefix_upstream_default }}"
matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
matrix_ma1sd_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '' ~ matrix_ma1sd_container_port | string) if matrix_playbook_service_host_bind_interface_prefix else '' }}"
matrix_ma1sd_container_network: "{{ matrix_homeserver_container_network }}"
matrix_ma1sd_container_additional_networks_auto: |
{{
(
([matrix_homeserver_container_network] if (matrix_ma1sd_container_network != matrix_homeserver_container_network) else [])
+
([postgres_container_network] if (postgres_enabled and matrix_ma1sd_database_hostname == postgres_connection_hostname and matrix_ma1sd_container_network != postgres_container_network) else [])
+
([exim_relay_container_network] if (exim_relay_enabled and matrix_ma1sd_threepid_medium_email_connectors_smtp_host == exim_relay_identifier and matrix_ma1sd_container_network != exim_relay_container_network) else [])
+
([matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_playbook_reverse_proxyable_services_additional_network and matrix_ma1sd_container_labels_traefik_enabled) else [])
) | unique
}}
matrix_ma1sd_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
matrix_ma1sd_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
matrix_ma1sd_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
matrix_ma1sd_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
# We enable Synapse integration via its Postgres database by default.
# When using another Identity store, you might wish to disable this and define
# your own configuration in `matrix_ma1sd_configuration_extension_yaml`.
matrix_ma1sd_synapsesql_enabled: true
matrix_ma1sd_synapsesql_type: postgresql
matrix_ma1sd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user | urlencode() }}&password={{ matrix_synapse_database_password | urlencode() }}
matrix_ma1sd_dns_overwrite_enabled: true
matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}"
matrix_ma1sd_dns_overwrite_homeserver_client_value: "{{ matrix_addons_homeserver_client_api_url }}"
# By default, we send mail through the exim relay service.
matrix_ma1sd_threepid_medium_email_identity_from: "{{ exim_relay_sender_address }}"
matrix_ma1sd_threepid_medium_email_connectors_smtp_host: "{{ exim_relay_identifier }}"
matrix_ma1sd_threepid_medium_email_connectors_smtp_port: 8025
matrix_ma1sd_threepid_medium_email_connectors_smtp_tls: 0
matrix_ma1sd_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}"
matrix_ma1sd_systemd_required_services_list_auto: |
{{
matrix_addons_homeserver_systemd_services_list
+
([postgres_identifier ~ '.service'] if (postgres_enabled and matrix_ma1sd_database_hostname == postgres_connection_hostname) else [])
}}
matrix_ma1sd_systemd_wanted_services_list_auto: |
{{
([exim_relay_identifier ~ '.service'] if (exim_relay_enabled and matrix_ma1sd_threepid_medium_email_connectors_smtp_host == exim_relay_identifier) else [])
}}
# Postgres is the default, except if not using internal Postgres server
matrix_ma1sd_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}"
matrix_ma1sd_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
matrix_ma1sd_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ma1sd.db', rounds=655555) | to_uuid }}"
######################################################################
#
# /matrix-ma1sd
#
######################################################################
######################################################################
#
# matrix-media-repo
@@ -3823,12 +3730,6 @@ postgres_managed_databases_auto: |
'password': matrix_authentication_service_config_database_password,
}] if (matrix_authentication_service_enabled and matrix_authentication_service_config_database_host == postgres_connection_hostname) else [])
+
([{
'name': matrix_ma1sd_database_name,
'username': matrix_ma1sd_database_username,
'password': matrix_ma1sd_database_password,
}] if (matrix_ma1sd_enabled and matrix_ma1sd_database_engine == 'postgres' and matrix_ma1sd_database_hostname == postgres_connection_hostname) else [])
+
([{
'name': matrix_bot_matrix_reminder_bot_database_name,
'username': matrix_bot_matrix_reminder_bot_database_username,
@@ -4436,11 +4337,6 @@ matrix_synapse_rust_synapse_compress_state_docker_image_registry_prefix_upstream
matrix_synapse_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
matrix_synapse_account_threepid_delegates_msisdn_mas1sd_url: "{{ ('http://matrix-ma1sd:' + matrix_ma1sd_container_port| string) }}"
# When ma1sd is enabled, we can use it to validate phone numbers. It's something that the homeserver cannot do by itself.
matrix_synapse_account_threepid_delegates_msisdn: "{{ matrix_synapse_account_threepid_delegates_msisdn_mas1sd_url if matrix_ma1sd_enabled else '' }}"
# For exposing the Matrix Federation API's TLS port (HTTPS) to the internet on all network interfaces.
matrix_synapse_container_federation_api_tls_host_bind_port: "{{ matrix_federation_public_port if (matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled) else '' }}"
#
@@ -4463,8 +4359,6 @@ matrix_synapse_container_additional_networks_auto: |
+
([exim_relay_container_network] if (exim_relay_enabled and matrix_synapse_email_enabled and matrix_synapse_email_smtp_host == exim_relay_identifier and matrix_synapse_container_network != exim_relay_container_network) else [])
+
([matrix_ma1sd_container_network] if (matrix_ma1sd_enabled and matrix_synapse_account_threepid_delegates_msisdn == matrix_synapse_account_threepid_delegates_msisdn_mas1sd_url and matrix_synapse_container_network != matrix_ma1sd_container_network) else [])
+
([matrix_bot_draupnir_container_network] if (matrix_synapse_ext_synapse_http_antispam_enabled and matrix_synapse_ext_synapse_http_antispam_config_base_url == matrix_bot_draupnir_synapse_http_antispam_config_base_url and matrix_bot_draupnir_container_network != matrix_synapse_container_network) else [])
) | unique
}}
@@ -4511,7 +4405,7 @@ matrix_synapse_tls_federation_listener_enabled: false
matrix_synapse_tls_certificate_path: ~
matrix_synapse_tls_private_key_path: ~
matrix_synapse_federation_port_openid_resource_required: "{{ not matrix_synapse_federation_enabled and (matrix_dimension_enabled or matrix_ma1sd_enabled or matrix_user_verification_service_enabled or matrix_livekit_jwt_service_enabled) }}"
matrix_synapse_federation_port_openid_resource_required: "{{ not matrix_synapse_federation_enabled and (matrix_dimension_enabled or matrix_user_verification_service_enabled or matrix_livekit_jwt_service_enabled) }}"
matrix_synapse_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"
@@ -5396,7 +5290,7 @@ matrix_dendrite_disable_tls_validation: "{{ not matrix_playbook_ssl_enabled }}"
matrix_dendrite_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}"
matrix_dendrite_trusted_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_ma1sd_enabled else ['matrix.org', 'vector.im'] }}"
matrix_dendrite_trusted_id_servers: "{{ ['matrix.org', 'vector.im'] }}"
matrix_dendrite_systemd_required_services_list_auto: |
{{

206
i18n/translation-templates/docs/configuring-playbook-ma1sd.pot
View File

@@ -1,5 +1,5 @@
# SOME DESCRIPTIVE TITLE.
# Copyright (C) 2018-2025, Slavi Pantaleev, Aine Etke, MDAD community members
# Copyright (C) 2018-2026, Slavi Pantaleev, Aine Etke, MDAD community members
# This file is distributed under the same license as the matrix-docker-ansible-deploy package.
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
#
@@ -8,7 +8,7 @@ msgid ""
msgstr ""
"Project-Id-Version: matrix-docker-ansible-deploy \n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2025-11-06 23:09+0900\n"
"POT-Creation-Date: 2026-02-06 16:30+0900\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
@@ -16,214 +16,22 @@ msgstr ""
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
#: ../../../docs/configuring-playbook-ma1sd.md:12
msgid "Setting up ma1sd Identity Server (optional)"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:14
msgid "[!WARNING] Since ma1sd has been unmaintained for years (the latest commit and release being from 2021) and the future of identity server's role in the Matrix specification is uncertain, **we recommend not bothering with installing it unless it's the only way you can do what you need to do**."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:17
msgid "Please note that certain things can be achieved with other components. For example, if you wish to implement LDAP integration, you might as well check out [the LDAP provider module for Synapse](./configuring-playbook-ldap-auth.md) instead."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:19
msgid "The playbook can configure the [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server for you. It is a fork of [mxisd](https://github.com/kamax-io/mxisd) which was pronounced end of life 2019-06-21."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:21
msgid "ma1sd is used for 3PIDs (3rd party identifiers like E-mail and phone numbers) and some [enhanced features](https://github.com/ma1uta/ma1sd/#features). It is private by default, potentially at the expense of user discoverability."
msgid "Setting up ma1sd Identity Server (optional, removed)"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:23
msgid "See the project's [documentation](https://github.com/ma1uta/ma1sd/blob/master/README.md) to learn what it does and why it might be useful to you."
msgid "🪦 The playbook used to be able to install and configure the [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server, but no longer includes this component, as it has been unmaintained for a long time."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:25
msgid "Prerequisites"
msgid "Please note that some of the functions can be achieved with other components. For example, if you wish to implement LDAP integration, you might as well check out [the LDAP provider module for Synapse](./configuring-playbook-ldap-auth.md) instead."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:27
msgid "Open Matrix Federation port"
msgid "Uninstalling the component manually"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:29
msgid "Enabling the ma1sd service will automatically reconfigure your Synapse homeserver to expose the `openid` API endpoints on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. If you enable the component, make sure that the port is accessible."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:31
msgid "Adjusting DNS records"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:33
msgid "To make the ma1sd Identity Server enable its federation features, set up a SRV record that looks like this:"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:35
msgid "Name: `_matrix-identity._tcp` (use this text as-is)"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:36
msgid "Content: `10 0 443 matrix.example.com` (replace `example.com` with your own)"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:38
msgid "See [ma1sd's documentation](https://github.com/ma1uta/ma1sd/wiki/mxisd-and-your-privacy#choices-are-never-easy) for information on the privacy implications of setting up this SRV record."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:40
msgid "When setting up a SRV record, if you are asked for a service and protocol instead of a hostname split the host value from the table where the period is. For example use service as `_matrix-identity` and protocol as `_tcp`."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:42
msgid "**Note**: This `_matrix-identity._tcp` SRV record for the identity server is different from the `_matrix._tcp` that can be used for Synapse delegation. See [howto-server-delegation.md](howto-server-delegation.md) for more information about delegation."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:44
msgid "Adjusting the playbook configuration"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:46
msgid "To enable ma1sd, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:52
msgid "Matrix.org lookup forwarding"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:54
msgid "To ensure maximum discovery, you can make your identity server also forward lookups to the central matrix.org Identity server (at the cost of potentially leaking all your contacts information)."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:56
msgid "Enabling this is discouraged and you'd better [learn more](https://github.com/ma1uta/ma1sd/blob/master/docs/features/identity.md#lookups) before proceeding."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:58
msgid "To enable matrix.org forwarding, add the following configuration to your `vars.yml` file:"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:64
msgid "Extending the configuration"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:66
msgid "There are some additional things you may wish to configure about the component."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:68
msgid "Take a look at:"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:70
msgid "`roles/custom/matrix-ma1sd/defaults/main.yml` for some variables that you can customize via your `vars.yml` file. You can override settings (even those that don't have dedicated playbook variables) using the `matrix_ma1sd_configuration_extension_yaml` variable"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:72
msgid "You can refer to the [ma1sd website](https://github.com/ma1uta/ma1sd) for more details and configuration options."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:74
msgid "Customizing email templates"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:76
msgid "If you'd like to change the default email templates used by ma1sd, take a look at the `matrix_ma1sd_threepid_medium_email_custom_` variables (in the `roles/custom/matrix-ma1sd/defaults/main.yml` file."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:78
msgid "ma1sd-controlled Registration"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:80
msgid "To use the [Registration](https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md) feature of ma1sd, you can make use of the following variables:"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:82
msgid "`matrix_synapse_enable_registration` — to enable user-initiated registration in Synapse"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:84
msgid "`matrix_synapse_enable_registration_captcha` — to validate registering users using reCAPTCHA, as described in the [enabling reCAPTCHA](configuring-captcha.md) documentation."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:86
msgid "`matrix_synapse_registrations_require_3pid` — a list of 3pid types (among `'email'`, `'msisdn'`) required by the Synapse server for registering"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:88
msgid "variables prefixed with `matrix_ma1sd_container_labels_` (e.g. `matrix_ma1sd_container_labels_matrix_client_3pid_registration_enabled`) — to configure the Traefik reverse-proxy to capture and send registration requests to ma1sd (instead of Synapse), so it can apply its additional functionality"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:90
msgid "`matrix_ma1sd_configuration_extension_yaml` — to configure ma1sd as required. See the [Registration feature's docs](https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md) for inspiration. Also see the [Additional features](#additional-features) section below to learn more about how to use `matrix_ma1sd_configuration_extension_yaml`."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:92
msgid "**Note**: For this to work, either the homeserver needs to [federate](configuring-playbook-federation.md) or the `openid` APIs need to exposed on the federation port. When federation is disabled and ma1sd is enabled, we automatically expose the `openid` APIs (only!) on the federation port. Make sure the federation port (usually `https://matrix.example.com:8448`) is whitelisted in your firewall (even if you don't actually use/need federation)."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:94
msgid "Authentication"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:96
msgid "[Authentication](https://github.com/ma1uta/ma1sd/blob/master/docs/features/authentication.md) provides the possibility to use your own [Identity Stores](https://github.com/ma1uta/ma1sd/blob/master/docs/stores/README.md) (for example LDAP) to authenticate users on your Homeserver."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:98
msgid "To enable authentication against an LDAP server, add the following configuration to your `vars.yml` file:"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:118
msgid "Example: SMS verification"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:120
msgid "If your use case requires mobile verification, it is quite simple to integrate ma1sd with [Twilio](https://www.twilio.com/), an online telephony services gateway. Their prices are reasonable for low-volume projects and integration can be done with the following configuration:"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:134
msgid "Example: Open Registration for every Domain"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:136
msgid "If you want to open registration for any domain, you have to setup the allowed domains with ma1sd's `blacklist` and `whitelist`. The default behavior when neither the `blacklist`, nor the `whitelist` match, is to allow registration. Beware: you can't block toplevel domains (aka `.xy`) because the internal architecture of ma1sd doesn't allow that."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:150
msgid "Installing"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:152
msgid "After configuring the playbook, run it with [playbook tags](playbook-tags.md) as below:"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:159
msgid "The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:161
msgid "`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:163
msgid "Troubleshooting"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:165
msgid "If email address validation emails sent by ma1sd are not reaching you, you should look into [Adjusting email-sending settings](configuring-playbook-email.md)."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:167
msgid "As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-ma1sd`."
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:169
msgid "Increase logging verbosity"
msgstr ""
#: ../../../docs/configuring-playbook-ma1sd.md:171
msgid "If you want to increase the verbosity, add the following configuration to your `vars.yml` file and re-run the playbook:"
msgid "If you still have the ma1sd Identity Server installed on your Matrix server, the playbook can no longer help you uninstall it and you will need to do it manually. To uninstall manually, run these commands on the server:"
msgstr ""

2
roles/custom/matrix-base/defaults/main.yml
View File

@@ -368,7 +368,7 @@ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_definition:
# This entrypoint provides local addons (e.g. bridges, bots, etc.) with the ability to easily & quickly communicate with the homeserver and/or related software.
# Such services can reach the homeserver over the public internet (e.g. https://matrix.example.com), but this is slow due to networking and SSL-termination.
# Talking directly to the homeserver (e.g. `http://matrix-synapse:8008`) is another option, but does not allow other homeserver-related software
# (e.g. identity servers like ma1sd, media repository servers like matrix-media-repo, firewalls like matrix-corporal)
# (e.g. media repository servers like matrix-media-repo, firewalls like matrix-corporal)
# to register itself for certain homeserver routes.
#
# For example: when matrix-media-repo is enabled, it wishes to handle `/_matrix/media` both publicly and internally.

250
roles/custom/matrix-ma1sd/defaults/main.yml
View File

@@ -1,250 +0,0 @@
# SPDX-FileCopyrightText: 2020 - 2022 MDAD project contributors
# SPDX-FileCopyrightText: 2020 - 2024 Slavi Pantaleev
# SPDX-FileCopyrightText: 2020 Marcel Partap
# SPDX-FileCopyrightText: 2020 Matt Cengia
# SPDX-FileCopyrightText: 2021 Aaron Raimist
# SPDX-FileCopyrightText: 2021 Ahmad Haghighi
# SPDX-FileCopyrightText: 2021 boris runakov
# SPDX-FileCopyrightText: 2022 Marko Weltzer
# SPDX-FileCopyrightText: 2022 Nikita Chernyi
# SPDX-FileCopyrightText: 2023 Samuel Meenzen
# SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
# ma1sd is a Federated Matrix Identity Server
# Project source code URL: https://github.com/ma1uta/ma1sd
matrix_ma1sd_enabled: true
matrix_ma1sd_scheme: https
matrix_ma1sd_hostname: ''
matrix_ma1sd_container_image_self_build: false
matrix_ma1sd_container_image_self_build_repo: "https://github.com/ma1uta/ma1sd.git"
matrix_ma1sd_container_image_self_build_branch: "{{ matrix_ma1sd_version }}"
# renovate: datasource=docker depName=ma1uta/ma1sd
matrix_ma1sd_version: "2.5.0"
matrix_ma1sd_docker_image: "{{ matrix_ma1sd_docker_image_registry_prefix }}ma1uta/ma1sd:{{ matrix_ma1sd_version }}"
matrix_ma1sd_docker_image_registry_prefix: "{{ 'localhost/' if matrix_ma1sd_container_image_self_build else matrix_ma1sd_docker_image_registry_prefix_upstream }}"
matrix_ma1sd_docker_image_registry_prefix_upstream: "{{ matrix_ma1sd_docker_image_registry_prefix_upstream_default }}"
matrix_ma1sd_docker_image_registry_prefix_upstream_default: "docker.io/"
matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}"
matrix_ma1sd_base_path: "{{ matrix_base_data_path }}/ma1sd"
# We need the docker src directory to be named ma1sd. See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/588
matrix_ma1sd_docker_src_files_path: "{{ matrix_ma1sd_base_path }}/docker-src/ma1sd"
matrix_ma1sd_config_path: "{{ matrix_ma1sd_base_path }}/config"
matrix_ma1sd_data_path: "{{ matrix_ma1sd_base_path }}/data"
matrix_ma1sd_container_port: 8090
# Controls whether the matrix-ma1sd container exposes its HTTP port (tcp/{{ matrix_ma1sd_container_port }} in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8090"), or empty string to not expose.
matrix_ma1sd_container_http_host_bind_port: ''
# A list of extra arguments to pass to the container
matrix_ma1sd_container_extra_arguments: []
# List of systemd services that matrix-ma1sd.service depends on
matrix_ma1sd_systemd_required_services_list: "{{ matrix_ma1sd_systemd_required_services_list_default + matrix_ma1sd_systemd_required_services_list_auto + matrix_ma1sd_systemd_required_services_list_custom }}"
matrix_ma1sd_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
matrix_ma1sd_systemd_required_services_list_auto: []
matrix_ma1sd_systemd_required_services_list_custom: []
# List of systemd services that matrix-ma1sd.service wants
matrix_ma1sd_systemd_wanted_services_list: "{{ matrix_ma1sd_systemd_wanted_services_list_default + matrix_ma1sd_systemd_wanted_services_list_auto + matrix_ma1sd_systemd_wanted_services_list_custom }}"
matrix_ma1sd_systemd_wanted_services_list_default: []
matrix_ma1sd_systemd_wanted_services_list_auto: []
matrix_ma1sd_systemd_wanted_services_list_custom: []
# The base container network. It will be auto-created by this role if it doesn't exist already.
matrix_ma1sd_container_network: ""
# A list of additional container networks that matrix-ma1sd would be connected to.
# The playbook does not create these networks, so make sure they already exist.
#
# Use this to expose matrix-ma1sd to another docker network, that matrix-ma1sd might have to reach for authentication (e.g. an ldap instance)
matrix_ma1sd_container_additional_networks: "{{ matrix_ma1sd_container_additional_networks_auto + matrix_ma1sd_container_additional_networks_custom }}"
matrix_ma1sd_container_additional_networks_auto: []
matrix_ma1sd_container_additional_networks_custom: []
# matrix_ma1sd_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
# See `../templates/labels.j2` for details.
#
# To inject your own other container labels, see `matrix_ma1sd_container_labels_additional_labels`.
matrix_ma1sd_container_labels_traefik_enabled: true
matrix_ma1sd_container_labels_traefik_docker_network: "{{ matrix_ma1sd_container_network }}"
matrix_ma1sd_container_labels_traefik_entrypoints: web-secure
matrix_ma1sd_container_labels_traefik_tls_certResolver: default # noqa var-naming
# Controls whether labels will be added that expose ma1sd's /_matrix/identity endpoints
matrix_ma1sd_container_labels_matrix_identity_enabled: "{{ matrix_ma1sd_container_labels_traefik_enabled }}"
matrix_ma1sd_container_labels_matrix_identity_hostname: "{{ matrix_ma1sd_hostname }}"
matrix_ma1sd_container_labels_matrix_identity_path_prefix: "/_matrix/identity"
matrix_ma1sd_container_labels_matrix_identity_traefik_rule: "Host(`{{ matrix_ma1sd_container_labels_matrix_identity_hostname }}`) && PathPrefix(`{{ matrix_ma1sd_container_labels_matrix_identity_path_prefix }}`)"
matrix_ma1sd_container_labels_matrix_identity_traefik_priority: 0
matrix_ma1sd_container_labels_matrix_identity_traefik_entrypoints: "{{ matrix_ma1sd_container_labels_traefik_entrypoints }}"
matrix_ma1sd_container_labels_matrix_identity_traefik_tls: "{{ matrix_ma1sd_container_labels_matrix_identity_traefik_entrypoints != 'web' }}"
matrix_ma1sd_container_labels_matrix_identity_traefik_tls_certResolver: "{{ matrix_ma1sd_container_labels_traefik_tls_certResolver }}" # noqa var-naming
# Controls whether labels will be added that expose ma1sd's /_matrix/client/VERSION/user_directory/search endpoint
matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled: "{{ matrix_ma1sd_container_labels_traefik_enabled }}"
matrix_ma1sd_container_labels_matrix_client_user_directory_search_hostname: "{{ matrix_ma1sd_hostname }}"
matrix_ma1sd_container_labels_matrix_client_user_directory_search_path_regexp: "/_matrix/client/(?P<version>(r0|v3))/user_directory/search"
matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_rule: "Host(`{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_hostname }}`) && PathRegexp(`{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_path_regexp }}`)"
matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_priority: 0
matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_entrypoints: "{{ matrix_ma1sd_container_labels_traefik_entrypoints }}"
matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls: "{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_entrypoints != 'web' }}"
matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls_certResolver: "{{ matrix_ma1sd_container_labels_traefik_tls_certResolver }}" # noqa var-naming
# Controls whether labels will be added that expose ma1sd's /_matrix/client/VERSION/register/TYPE/requestToken endpoints
# This allows another service to control registrations involving 3PIDs.
# To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md
matrix_ma1sd_container_labels_matrix_client_3pid_registration_enabled: false
matrix_ma1sd_container_labels_matrix_client_3pid_registration_hostname: "{{ matrix_ma1sd_hostname }}"
matrix_ma1sd_container_labels_matrix_client_3pid_registration_path_regexp: "/_matrix/client/(?P<version>(r0|v3))/register/(?P<type>(email|msisdn))/requestToken"
matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_rule: "Host(`{{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_hostname }}`) && PathRegexp(`{{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_path_regexp }}`)"
matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_priority: 0
matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_entrypoints: "{{ matrix_ma1sd_container_labels_traefik_entrypoints }}"
matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls: "{{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_entrypoints != 'web' }}"
matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls_certResolver: "{{ matrix_ma1sd_container_labels_traefik_tls_certResolver }}" # noqa var-naming
# matrix_ma1sd_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
# See `../templates/labels.j2` for details.
#
# Example:
# matrix_ma1sd_container_labels_additional_labels: |
# my.label=1
# another.label="here"
matrix_ma1sd_container_labels_additional_labels: ''
# Your identity server is private by default.
# To ensure maximum discovery, you can make your identity server
# also forward lookups to the central matrix.org Identity server
# (at the cost of potentially leaking all your contacts information).
# Enabling this is discouraged. Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/features/identity.md#lookups
matrix_ma1sd_matrixorg_forwarding_enabled: false
# Database-related configuration fields.
#
# To use SQLite, stick to these defaults.
#
# To use Postgres:
# - change the engine (`matrix_ma1sd_database_engine: 'postgres'`)
# - adjust your database credentials via the `matrix_ma1sd_database_*` variables
matrix_ma1sd_database_engine: 'sqlite'
matrix_ma1sd_sqlite_database_path_local: "{{ matrix_ma1sd_data_path }}/ma1sd.db"
matrix_ma1sd_sqlite_database_path_in_container: "/var/ma1sd/ma1sd.db"
matrix_ma1sd_database_username: 'matrix_ma1sd'
matrix_ma1sd_database_password: 'some-password'
matrix_ma1sd_database_hostname: ''
matrix_ma1sd_database_port: 5432
matrix_ma1sd_database_name: 'matrix_ma1sd'
matrix_ma1sd_database_connection_string: 'postgresql://{{ matrix_ma1sd_database_username }}:{{ matrix_ma1sd_database_password }}@{{ matrix_ma1sd_database_hostname }}:{{ matrix_ma1sd_database_port }}/{{ matrix_ma1sd_database_name }}'
# ma1sd has several supported identity stores.
# One of them is storing identities directly in Synapse's database.
# Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/stores/synapse.md
matrix_ma1sd_synapsesql_enabled: false
matrix_ma1sd_synapsesql_type: ""
matrix_ma1sd_synapsesql_connection: ""
# Setting up email-sending settings is required for using ma1sd.
matrix_ma1sd_threepid_medium_email_identity_from: "matrix@{{ matrix_domain }}"
matrix_ma1sd_threepid_medium_email_connectors_smtp_host: ""
matrix_ma1sd_threepid_medium_email_connectors_smtp_port: 587
matrix_ma1sd_threepid_medium_email_connectors_smtp_tls: 1
matrix_ma1sd_threepid_medium_email_connectors_smtp_login: ""
matrix_ma1sd_threepid_medium_email_connectors_smtp_password: ""
# DNS overwrites are useful for telling ma1sd how it can reach the homeserver directly.
# Useful when reverse-proxying certain URLs (e.g. `/_matrix/client/r0/user_directory/search`) to ma1sd,
# so that ma1sd can rewrite the original URL to one that would reach the homeserver.
matrix_ma1sd_dns_overwrite_enabled: false
matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}"
matrix_ma1sd_dns_overwrite_homeserver_client_value: ""
# Override the default session templates
# To use this, fill in the template variables with the full desired template as a multi-line YAML variable
#
# More info:
# https://github.com/ma1uta/ma1sd/blob/master/docs/threepids/session/session-views.md
matrix_ma1sd_view_session_custom_templates_enabled: false
# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/templates/session/tokenSubmitSuccess.html
matrix_ma1sd_view_session_custom_onTokenSubmit_success_template: "" # noqa var-naming
# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/templates/session/tokenSubmitFailure.html
matrix_ma1sd_view_session_custom_onTokenSubmit_failure_template: "" # noqa var-naming
# Override the default email templates
# To use this, fill in the template variables with the full desired template as a multi-line YAML variable
#
# More info:
# https://github.com/ma1uta/ma1sd/blob/master/docs/threepids/notification/template-generator.md
# https://github.com/ma1uta/ma1sd/tree/master/src/main/resources/threepids/email
matrix_ma1sd_threepid_medium_email_custom_templates_enabled: false
# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/invite-template.eml
matrix_ma1sd_threepid_medium_email_custom_invite_template: ""
# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/validate-template.eml
matrix_ma1sd_threepid_medium_email_custom_session_validation_template: ""
# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/unbind-notification.eml
matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template: ""
# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/mxid-template.eml
matrix_ma1sd_threepid_medium_email_custom_matrixid_template: ""
matrix_ma1sd_self_check_endpoint_url: "{{ matrix_ma1sd_scheme }}://{{ matrix_ma1sd_hostname }}/_matrix/identity/api/v1"
# Controls whether the self-check feature should validate SSL certificates.
matrix_ma1sd_self_check_validate_certificates: true
# Controls ma1sd logging verbosity for troubleshooting.
#
# See: https://github.com/ma1uta/ma1sd/blob/master/docs/troubleshooting.md#increase-verbosity
matrix_ma1sd_verbose_logging: false
# Setting up support for API prefixes
matrix_ma1sd_v1_enabled: true
matrix_ma1sd_v2_enabled: true
# Fix for missing 3PIDS bug
matrix_ma1sd_hashing_enabled: true
# Default ma1sd configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#
# For a more advanced customization, you can extend the default (see `matrix_ma1sd_configuration_extension_yaml`)
# or completely replace this variable with your own template.
matrix_ma1sd_configuration_yaml: "{{ lookup('template', 'templates/ma1sd.yaml.j2') }}"
matrix_ma1sd_configuration_extension_yaml: |
# Your custom YAML configuration for ma1sd goes here.
# This configuration extends the default starting configuration (`matrix_ma1sd_configuration_yaml`).
#
# You can override individual variables from the default configuration, or introduce new ones.
#
# If you need something more special, you can take full control by
# completely redefining `matrix_ma1sd_configuration_yaml`.
#
# Example configuration extension follows:
#
# ldap:
# enabled: true
# connection:
# host: ldapHostnameOrIp
# tls: false
# port: 389
# baseDNs: ['OU=Users,DC=example,DC=org']
# bindDn: CN=My Ma1sd User,OU=Users,DC=example,DC=org
# bindPassword: TheUserPassword
matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml | from_yaml if matrix_ma1sd_configuration_extension_yaml | from_yaml is mapping else {} }}"
# Holds the final ma1sd configuration (a combination of the default and its extension).
# You most likely don't need to touch this variable. Instead, see `matrix_ma1sd_configuration_yaml`.
matrix_ma1sd_configuration: "{{ matrix_ma1sd_configuration_yaml | from_yaml | combine(matrix_ma1sd_configuration_extension, recursive=True) }}"

33
roles/custom/matrix-ma1sd/tasks/main.yml
View File

@@ -1,33 +0,0 @@
# SPDX-FileCopyrightText: 2020 - 2024 Slavi Pantaleev
# SPDX-FileCopyrightText: 2020 Marcel Partap
# SPDX-FileCopyrightText: 2022 Marko Weltzer
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- tags:
- setup-all
- setup-ma1sd
- install-all
- install-ma1sd
block:
- when: matrix_ma1sd_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
- when: matrix_ma1sd_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
- tags:
- setup-all
- setup-ma1sd
block:
- when: not matrix_ma1sd_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
- tags:
- self-check
- self-check-ma1sd
block:
- when: matrix_ma1sd_enabled | bool
ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml"

28
roles/custom/matrix-ma1sd/tasks/self_check.yml
View File

@@ -1,28 +0,0 @@
# SPDX-FileCopyrightText: 2020 MDAD project contributors
# SPDX-FileCopyrightText: 2020 Marcel Partap
# SPDX-FileCopyrightText: 2022 - 2024 Slavi Pantaleev
# SPDX-FileCopyrightText: 2022 Marko Weltzer
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Check ma1sd Identity Service
ansible.builtin.uri:
url: "{{ matrix_ma1sd_self_check_endpoint_url }}"
follow_redirects: none
validate_certs: "{{ matrix_ma1sd_self_check_validate_certificates }}"
check_mode: false
register: result_ma1sd
ignore_errors: true
delegate_to: 127.0.0.1
become: false
- name: Fail if ma1sd Identity Service not working
ansible.builtin.fail:
msg: "Failed checking ma1sd is up at `{{ matrix_ma1sd_hostname }}` (checked endpoint: `{{ matrix_ma1sd_self_check_endpoint_url }}`). Is ma1sd running? Is port 443 open in your firewall? Full error: {{ result_ma1sd }}"
when: "result_ma1sd.failed or 'json' not in result_ma1sd"
- name: Report working ma1sd Identity Service
ansible.builtin.debug:
msg: "ma1sd at `{{ matrix_ma1sd_hostname }}` is working (checked endpoint: `{{ matrix_ma1sd_self_check_endpoint_url }}`)"

167
roles/custom/matrix-ma1sd/tasks/setup_install.yml
View File

@@ -1,167 +0,0 @@
# SPDX-FileCopyrightText: 2020 - 2024 Slavi Pantaleev
# SPDX-FileCopyrightText: 2020 Chris van Dijk
# SPDX-FileCopyrightText: 2020 Marcel Partap
# SPDX-FileCopyrightText: 2020 Matt Cengia
# SPDX-FileCopyrightText: 2020 Stuart Mumford
# SPDX-FileCopyrightText: 2022 Jim Myhrberg
# SPDX-FileCopyrightText: 2022 MDAD project contributors
# SPDX-FileCopyrightText: 2022 Marko Weltzer
# SPDX-FileCopyrightText: 2022 Nikita Chernyi
# SPDX-FileCopyrightText: 2022 Sebastian Gumprich
# SPDX-FileCopyrightText: 2024 David Mehren
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Ensure ma1sd paths exist
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
with_items:
- {path: "{{ matrix_ma1sd_config_path }}", when: true}
- {path: "{{ matrix_ma1sd_data_path }}", when: true}
- {path: "{{ matrix_ma1sd_docker_src_files_path }}", when: "{{ matrix_ma1sd_container_image_self_build }}"}
when: "item.when | bool"
# These (SQLite -> Postgres) migration tasks are usually at the top,
# but we'd like to run them after `migrate_mxisd.yml`, which requires the ma1sd paths to exist.
- ansible.builtin.set_fact:
matrix_ma1sd_requires_restart: false
- when: "matrix_ma1sd_database_engine == 'postgres'"
block:
- name: Check if an SQLite database already exists
ansible.builtin.stat:
path: "{{ matrix_ma1sd_sqlite_database_path_local }}"
register: matrix_ma1sd_sqlite_database_path_local_stat_result
- when: "matrix_ma1sd_sqlite_database_path_local_stat_result.stat.exists | bool"
block:
- ansible.builtin.include_role:
name: galaxy/postgres
tasks_from: migrate_db_to_postgres
vars:
postgres_db_migration_request:
src: "{{ matrix_ma1sd_sqlite_database_path_local }}"
dst: "{{ matrix_ma1sd_database_connection_string }}"
caller: "{{ role_path | basename }}"
engine_variable_name: 'matrix_ma1sd_database_engine'
engine_old: 'sqlite'
systemd_services_to_stop: ['matrix-ma1sd.service']
pgloader_options: ['--with "quote identifiers"']
- ansible.builtin.set_fact:
matrix_ma1sd_requires_restart: true
- name: Ensure ma1sd image is pulled
community.docker.docker_image:
name: "{{ matrix_ma1sd_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_ma1sd_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ma1sd_docker_image_force_pull }}"
when: "not matrix_ma1sd_container_image_self_build | bool"
register: result
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed
- when: "matrix_ma1sd_container_image_self_build | bool"
block:
- name: Ensure ma1sd repository is present on self-build
ansible.builtin.git:
repo: "{{ matrix_ma1sd_container_image_self_build_repo }}"
dest: "{{ matrix_ma1sd_docker_src_files_path }}"
version: "{{ matrix_ma1sd_container_image_self_build_branch }}"
force: "yes"
become: true
become_user: "{{ matrix_user_name }}"
register: matrix_ma1sd_git_pull_results
- name: Ensure ma1sd container image is built
ansible.builtin.command:
cmd: |-
{{ devture_systemd_docker_base_host_command_docker }} buildx build
--tag={{ matrix_ma1sd_docker_image }}
--file={{ matrix_ma1sd_docker_src_files_path }}/Dockerfile
{{ matrix_ma1sd_docker_src_files_path }}
changed_when: true
- name: Ensure ma1sd config installed
ansible.builtin.copy:
content: "{{ matrix_ma1sd_configuration | to_nice_yaml(indent=2, width=999999) }}"
dest: "{{ matrix_ma1sd_config_path }}/ma1sd.yaml"
mode: 0644
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
- name: Ensure custom view templates are installed, if any
ansible.builtin.copy:
content: "{{ item.value }}"
dest: "{{ matrix_ma1sd_config_path }}/{{ item.location }}"
mode: 0644
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
with_items:
- {value: "{{ matrix_ma1sd_view_session_custom_onTokenSubmit_success_template }}", location: 'tokenSubmitSuccess.html'}
- {value: "{{ matrix_ma1sd_view_session_custom_onTokenSubmit_failure_template }}", location: 'tokenSubmitFailure.html'}
when: "matrix_ma1sd_view_session_custom_templates_enabled | bool and item.value"
- name: Ensure custom email templates are installed, if any
ansible.builtin.copy:
content: "{{ item.value }}"
dest: "{{ matrix_ma1sd_config_path }}/{{ item.location }}"
mode: 0644
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
with_items:
- {value: "{{ matrix_ma1sd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'}
- {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'}
- {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template }}", location: 'unbind-notification.eml'}
- {value: "{{ matrix_ma1sd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'}
when: "matrix_ma1sd_threepid_medium_email_custom_templates_enabled | bool and item.value"
# Only cleaning up for people who define the respective templates
- name: (Cleanup) Ensure custom email templates are not in data/ anymore (we've put them in config/)
ansible.builtin.file:
path: "{{ matrix_ma1sd_data_path }}/{{ item.location }}"
state: absent
with_items:
- {value: "{{ matrix_ma1sd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'}
- {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'}
- {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template }}", location: 'unbind-notification.eml'}
- {value: "{{ matrix_ma1sd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'}
when: "matrix_ma1sd_threepid_medium_email_custom_templates_enabled | bool and item.value"
- name: Ensure ma1sd support files installed
ansible.builtin.template:
src: "{{ role_path }}/templates/{{ item }}.j2"
dest: "{{ matrix_ma1sd_base_path }}/{{ item }}"
mode: 0640
owner: "{{ matrix_user_name }}"
group: "{{ matrix_group_name }}"
with_items:
- labels
- name: Ensure ma1sd container network is created
community.general.docker_network:
enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
name: "{{ matrix_ma1sd_container_network }}"
driver: bridge
driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
- name: Ensure matrix-ma1sd.service installed
ansible.builtin.template:
src: "{{ role_path }}/templates/systemd/matrix-ma1sd.service.j2"
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ma1sd.service"
mode: 0644
- name: Ensure matrix-ma1sd.service restarted, if necessary
ansible.builtin.service:
name: "matrix-ma1sd.service"
state: restarted
daemon_reload: true
when: "matrix_ma1sd_requires_restart | bool"

31
roles/custom/matrix-ma1sd/tasks/setup_uninstall.yml
View File

@@ -1,31 +0,0 @@
# SPDX-FileCopyrightText: 2020 - 2024 Slavi Pantaleev
# SPDX-FileCopyrightText: 2022 Marko Weltzer
# SPDX-FileCopyrightText: 2022 Sebastian Gumprich
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Check existence of matrix-ma1sd service
ansible.builtin.stat:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ma1sd.service"
register: matrix_ma1sd_service_stat
- when: matrix_ma1sd_service_stat.stat.exists | bool
block:
- name: Ensure matrix-ma1sd is stopped
ansible.builtin.service:
name: matrix-ma1sd
state: stopped
enabled: false
daemon_reload: true
- name: Ensure matrix-ma1sd.service doesn't exist
ansible.builtin.file:
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-ma1sd.service"
state: absent
- name: Ensure Matrix ma1sd paths don't exist
ansible.builtin.file:
path: "{{ matrix_ma1sd_base_path }}"
state: absent

86
roles/custom/matrix-ma1sd/tasks/validate_config.yml
View File

@@ -1,86 +0,0 @@
# SPDX-FileCopyrightText: 2020 - 2025 Slavi Pantaleev
# SPDX-FileCopyrightText: 2020 Marcel Partap
# SPDX-FileCopyrightText: 2021 boris runakov
# SPDX-FileCopyrightText: 2025 Suguru Hirahara
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: (Deprecation) Warn about ma1sd variables that are not used anymore
ansible.builtin.fail:
msg: >
The `{{ item }}` variable defined in your configuration is not used by this playbook anymore!
You'll need to adapt to the new way of extending ma1sd configuration.
See the CHANGELOG and the `matrix_ma1sd_configuration_extension_yaml` variable for more information and examples.
when: "lookup('ansible.builtin.varnames', ('^' + item + '$'), wantlist=True) | length > 0"
with_items:
- 'matrix_ma1sd_ldap_enabled'
- 'matrix_ma1sd_ldap_connection_host'
- 'matrix_ma1sd_ldap_connection_tls'
- 'matrix_ma1sd_ldap_connection_port'
- 'matrix_ma1sd_ldap_connection_baseDn'
- 'matrix_ma1sd_ldap_connection_baseDns'
- 'matrix_ma1sd_ldap_connection_bindDn'
- 'matrix_ma1sd_ldap_connection_bindPassword'
- 'matrix_ma1sd_ldap_filter'
- 'matrix_ma1sd_ldap_attribute_uid_type'
- 'matrix_ma1sd_ldap_attribute_uid_value'
- 'matrix_ma1sd_ldap_connection_bindPassword'
- 'matrix_ma1sd_ldap_attribute_name'
- 'matrix_ma1sd_ldap_attribute_threepid_email'
- 'matrix_ma1sd_ldap_attribute_threepid_msisdn'
- 'matrix_ma1sd_ldap_identity_filter'
- 'matrix_ma1sd_ldap_identity_medium'
- 'matrix_ma1sd_ldap_auth_filter'
- 'matrix_ma1sd_ldap_directory_filter'
- 'matrix_ma1sd_template_config'
- 'matrix_ma1sd_architecture'
- name: Ensure ma1sd configuration does not contain any dot-notation keys
ansible.builtin.fail:
msg: >
Since version 1.3.0, ma1sd will not accept property-style configuration keys.
You have defined a key (`{{ item.key }}`) which contains a dot.
Instead, use nesting. See: https://github.com/ma1uta/ma1sd/wiki/Upgrade-Notes#v130
when: "'.' in item.key"
with_dict: "{{ matrix_ma1sd_configuration }}"
- name: Fail if required ma1sd settings not defined
ansible.builtin.fail:
msg: >
You need to define a required configuration setting (`{{ item.name }}`).
when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
with_items:
- {'name': 'matrix_ma1sd_hostname', when: true}
- {'name': 'matrix_ma1sd_threepid_medium_email_connectors_smtp_host', when: true}
- {'name': 'matrix_ma1sd_dns_overwrite_homeserver_client_value', when: true}
- {'name': 'matrix_ma1sd_database_hostname', when: "{{ matrix_ma1sd_database_engine == 'postgres' }}"}
- {'name': 'matrix_ma1sd_container_network', when: true}
- {'name': 'matrix_ma1sd_container_labels_matrix_identity_hostname', when: "{{ matrix_ma1sd_container_labels_matrix_identity_enabled }}"}
- {'name': 'matrix_ma1sd_container_labels_matrix_identity_path_prefix', when: "{{ matrix_ma1sd_container_labels_matrix_identity_enabled }}"}
- {'name': 'matrix_ma1sd_container_labels_matrix_client_user_directory_search_hostname', when: "{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled }}"}
- {'name': 'matrix_ma1sd_container_labels_matrix_client_user_directory_search_path_regexp', when: "{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled }}"}
- {'name': 'matrix_ma1sd_container_labels_matrix_client_3pid_registration_path_regexp', when: "{{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_enabled }}"}
- name: (Deprecation) Catch and report renamed ma1sd variables
ansible.builtin.fail:
msg: >-
Your configuration contains a variable, which now has a different name.
Please rename the variable (`{{ item.old }}` -> `{{ item.new }}`) on your configuration file (vars.yml).
when: "lookup('ansible.builtin.varnames', ('^' + item.old + '$'), wantlist=True) | length > 0"
with_items:
- {'old': 'matrix_ma1sd_container_expose_port', 'new': '<superseded by matrix_ma1sd_container_http_host_bind_port>'}
- {'old': 'matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template', 'new': 'matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template'}
- {'old': 'matrix_ma1sd_default_port', 'new': 'matrix_ma1sd_container_port'}
- {'old': 'matrix_ma1sd_container_labels_matrix_client_user_directory_search_path', 'new': 'matrix_ma1sd_container_labels_matrix_client_user_directory_search_path_regexp'}
- {'old': 'matrix_ma1sd_container_labels_matrix_client_3pid_registration_path', 'new': 'matrix_ma1sd_container_labels_matrix_client_3pid_registration_path_regexp'}
- {'old': 'matrix_ma1sd_docker_image_name_prefix', 'new': 'matrix_ma1sd_docker_image_registry_prefix'}
- name: (Deprecation) Catch and report mxisd variables
ansible.builtin.fail:
msg: >-
mxisd is deprecated and has been replaced with ma1sd (https://github.com/ma1uta/ma1sd), a compatible fork.
The playbook will migrate your existing mxisd configuration and data automatically, but you need to adjust variable names.
Please rename these variables (`matrix_mxisd_*` -> `matrix_ma1sd_*`) on your configuration file (vars.yml): {{ lookup('ansible.builtin.varnames', '^matrix_mxisd_.+', wantlist=True) | join(', ') }}
when: "lookup('ansible.builtin.varnames', '^matrix_mxisd_.+', wantlist=True) | length > 0"

124
roles/custom/matrix-ma1sd/templates/labels.j2
View File

@@ -1,124 +0,0 @@
{#
SPDX-FileCopyrightText: 2024 Slavi Pantaleev
SPDX-License-Identifier: AGPL-3.0-or-later
#}
{% if matrix_ma1sd_container_labels_traefik_enabled %}
traefik.enable=true
{% if matrix_ma1sd_container_labels_traefik_docker_network %}
traefik.docker.network={{ matrix_ma1sd_container_labels_traefik_docker_network }}
{% endif %}
traefik.http.services.matrix-ma1sd.loadbalancer.server.port={{ matrix_ma1sd_container_port }}
{% if matrix_ma1sd_container_labels_matrix_identity_enabled %}
############################################################
# #
# Matrix Identity APIs (/_matrix/identity) #
# #
############################################################
traefik.http.routers.matrix-ma1sd-matrix-identity.rule={{ matrix_ma1sd_container_labels_matrix_identity_traefik_rule }}
{% if matrix_ma1sd_container_labels_matrix_identity_traefik_priority | int > 0 %}
traefik.http.routers.matrix-ma1sd-matrix-identity.priority={{ matrix_ma1sd_container_labels_matrix_identity_traefik_priority }}
{% endif %}
traefik.http.routers.matrix-ma1sd-matrix-identity.service=matrix-ma1sd
traefik.http.routers.matrix-ma1sd-matrix-identity.entrypoints={{ matrix_ma1sd_container_labels_matrix_identity_traefik_entrypoints }}
traefik.http.routers.matrix-ma1sd-matrix-identity.tls={{ matrix_ma1sd_container_labels_matrix_identity_traefik_tls | to_json }}
{% if matrix_ma1sd_container_labels_matrix_identity_traefik_tls %}
traefik.http.routers.matrix-ma1sd-matrix-identity.tls.certResolver={{ matrix_ma1sd_container_labels_matrix_identity_traefik_tls_certResolver }}
{% endif %}
############################################################
# #
# /Matrix Identity APIs (/_matrix/identity) #
# #
############################################################
{% endif %}
{% if matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled %}
############################################################
# #
# Matrix Client user-directory search API endpoint #
# (/_matrix/client/VERSION/user_directory/search) #
# #
############################################################
# ma1sd only supports /_matrix/client/r0/user_directory/search
# while we potentially handle /_matrix/client/v3/user_directory/search as well,
# so we need to transparently reroute.
traefik.http.middlewares.matrix-ma1sd-matrix-client-user-directory-search-replacepath.replacepath.path=/_matrix/client/r0/user_directory/search
traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.rule={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_rule }}
traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.middlewares=matrix-ma1sd-matrix-client-user-directory-search-replacepath
{% if matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_priority | int > 0 %}
traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.priority={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_priority }}
{% endif %}
traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.service=matrix-ma1sd
traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.entrypoints={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_entrypoints }}
traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.tls={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls | to_json }}
{% if matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls %}
traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.tls.certResolver={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls_certResolver }}
{% endif %}
############################################################
# #
# /Matrix Client user-directory search API endpoint #
# (/_matrix/client/VERSION/user_directory/search) #
# #
############################################################
{% endif %}
{% if matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled %}
############################################################
# #
# Matrix Client 3pid registration API endpoint #
# (/_matrix/client/VERSION/register/TYPE/requestToken) #
# #
############################################################
# ma1sd only supports /_matrix/client/r0/register/TYPE/requestToken
# while we potentially handle /_matrix/client/v3/register/TYPE/requestToken as well,
# so we need to transparently reroute.
traefik.http.middlewares.matrix-ma1sd-matrix-client-3pid-registration-replacepathregex.replacepathregex.regex=^/_matrix/client/([^/]+)/register/([^/]+)/requestToken
traefik.http.middlewares.matrix-ma1sd-matrix-client-3pid-registration-replacepathregex.replacepathregex.replacement=/_matrix/client/r0/register/${2}/requestToken
traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.rule={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_rule }}
traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.middlewares=matrix-ma1sd-matrix-client-3pid-registration-replacepathregex
{% if matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_priority | int > 0 %}
traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.priority={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_priority }}
{% endif %}
traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.service=matrix-ma1sd
traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.entrypoints={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_entrypoints }}
traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.tls={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls | to_json }}
{% if matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls %}
traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.tls.certResolver={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls_certResolver }}
{% endif %}
############################################################
# #
# /Matrix Client 3pid registration API endpoint #
# (/_matrix/client/VERSION/register/TYPE/requestToken) #
# #
############################################################
{% endif %}
{% endif %}
{{ matrix_ma1sd_container_labels_additional_labels }}

104
roles/custom/matrix-ma1sd/templates/ma1sd.yaml.j2
View File

@@ -1,104 +0,0 @@
#jinja2: lstrip_blocks: True
matrix:
domain: {{ matrix_domain }}
v1: {{ matrix_ma1sd_v1_enabled|to_json }}
v2: {{ matrix_ma1sd_v2_enabled|to_json }}
server:
name: {{ matrix_server_fqn_matrix }}
key:
path: /var/ma1sd/sign.key
storage:
{% if matrix_ma1sd_database_engine == 'sqlite' %}
backend: sqlite
provider:
sqlite:
database: {{ matrix_ma1sd_sqlite_database_path_in_container|to_json }}
{% elif matrix_ma1sd_database_engine == 'postgres' %}
backend: postgresql
provider:
postgresql:
database: //{{ matrix_ma1sd_database_hostname }}:{{ matrix_ma1sd_database_port }}/{{ matrix_ma1sd_database_name }}
username: {{ matrix_ma1sd_database_username|to_json }}
password: {{ matrix_ma1sd_database_password|to_json }}
{% endif %}
{% if matrix_ma1sd_dns_overwrite_enabled %}
dns:
overwrite:
homeserver:
client:
- name: {{ matrix_ma1sd_dns_overwrite_homeserver_client_name }}
value: {{ matrix_ma1sd_dns_overwrite_homeserver_client_value }}
{% endif %}
{% if matrix_ma1sd_matrixorg_forwarding_enabled %}
forward:
servers: ['matrix-org']
{% endif %}
threepid:
medium:
email:
identity:
from: {{ matrix_ma1sd_threepid_medium_email_identity_from }}
connectors:
smtp:
host: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_host }}
port: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_port }}
tls: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_tls }}
login: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_login }}
password: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_password }}
{% if matrix_ma1sd_threepid_medium_email_custom_templates_enabled %}
generators:
template:
{% if matrix_ma1sd_threepid_medium_email_custom_invite_template %}
invite: '/etc/ma1sd/invite-template.eml'
{% endif %}
{% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template or matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template %}
session:
{% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template %}
validation: '/etc/ma1sd/validate-template.eml'
{% endif %}
{% if matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template %}
unbind:
notification: '/etc/ma1sd/unbind-notification.eml'
{% endif %}
{% endif %}
{% if matrix_ma1sd_threepid_medium_email_custom_matrixid_template %}
generic:
matrixId: '/etc/ma1sd/mxid-template.eml'
{% endif %}
{% endif %}
{% if matrix_ma1sd_view_session_custom_templates_enabled %}
view:
session:
onTokenSubmit:
{% if matrix_ma1sd_view_session_custom_onTokenSubmit_success_template %}
success: '/etc/ma1sd/tokenSubmitSuccess.html'
{% endif %}
{% if matrix_ma1sd_view_session_custom_onTokenSubmit_failure_template %}
failure: '/etc/ma1sd/tokenSubmitFailure.html'
{% endif %}
{% endif %}
{% if matrix_ma1sd_hashing_enabled %}
hashing:
enabled: true # enable or disable the hash lookup MSC2140 (default is false)
pepperLength: 20 # length of the pepper value (default is 20)
rotationPolicy: per_requests # or `per_seconds` how often the hashes will be updating
hashStorageType: sql # or `in_memory` where the hashes will be stored
algorithms:
- none # the same as v1 bulk lookup
- sha256 # hash the 3PID and pepper.
delay: 2m # how often hashes will be updated if rotation policy = per_seconds (default is 10s)
requests: 10
{% endif %}
synapseSql:
enabled: {{ matrix_ma1sd_synapsesql_enabled|to_json }}
type: {{ matrix_ma1sd_synapsesql_type|to_json }}
connection: {{ matrix_ma1sd_synapsesql_connection|to_json }}

4
roles/custom/matrix-ma1sd/templates/ma1sd.yaml.j2.license
View File

@@ -1,4 +0,0 @@
SPDX-FileCopyrightText: 2020 - 2022 Slavi Pantaleev
SPDX-FileCopyrightText: 2020 MDAD project contributors
SPDX-License-Identifier: AGPL-3.0-or-later

57
roles/custom/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2
View File

@@ -1,57 +0,0 @@
#jinja2: lstrip_blocks: True
[Unit]
Description=Matrix ma1sd Identity server
{% for service in matrix_ma1sd_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
{% for service in matrix_ma1sd_systemd_wanted_services_list %}
Wants={{ service }}
{% endfor %}
DefaultDependencies=no
[Service]
Type=simple
Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-ma1sd 2>/dev/null || true'
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-ma1sd 2>/dev/null || true'
# ma1sd writes an SQLite shared library (libsqlitejdbc.so) to /tmp and executes it from there,
# so /tmp needs to be mounted with an exec option.
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
--rm \
--name=matrix-ma1sd \
--log-driver=none \
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
--cap-drop=ALL \
--read-only \
--tmpfs=/tmp:rw,exec,nosuid,size=10m \
--network={{ matrix_ma1sd_container_network }} \
{% if matrix_ma1sd_container_http_host_bind_port %}
-p {{ matrix_ma1sd_container_http_host_bind_port }}:{{ matrix_ma1sd_container_port }} \
{% endif %}
{% if matrix_ma1sd_verbose_logging %}
-e MA1SD_LOG_LEVEL=debug \
{% endif %}
--mount type=bind,src={{ matrix_ma1sd_config_path }},dst=/etc/ma1sd,ro \
--mount type=bind,src={{ matrix_ma1sd_data_path }},dst=/var/ma1sd \
--label-file={{ matrix_ma1sd_base_path }}/labels \
{% for arg in matrix_ma1sd_container_extra_arguments %}
{{ arg }} \
{% endfor %}
{{ matrix_ma1sd_docker_image }}
{% for network in matrix_ma1sd_container_additional_networks %}
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-ma1sd
{% endfor %}
ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-ma1sd
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-ma1sd 2>/dev/null || true'
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-ma1sd 2>/dev/null || true'
Restart=always
RestartSec=30
SyslogIdentifier=matrix-ma1sd
[Install]
WantedBy=multi-user.target

7
roles/custom/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2.license
View File

@@ -1,7 +0,0 @@
SPDX-FileCopyrightText: 2020 - 2025 Slavi Pantaleev
SPDX-FileCopyrightText: 2020 Chris van Dijk
SPDX-FileCopyrightText: 2020 Marcel Partap
SPDX-FileCopyrightText: 2021 - 2022 MDAD project contributors
SPDX-FileCopyrightText: 2021 boris runakov
SPDX-License-Identifier: AGPL-3.0-or-later

10
roles/custom/matrix-ma1sd/vars/main.yml
View File

@@ -1,10 +0,0 @@
# SPDX-FileCopyrightText: 2020 Marcel Partap
# SPDX-FileCopyrightText: 2022 Slavi Pantaleev
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
# Doing `|from_yaml` when the extension contains nothing yields an empty string ("").
# We need to ensure it's a dictionary or `|combine` (when building `matrix_ma1sd_configuration`) will fail later.
matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml | from_yaml if matrix_ma1sd_configuration_extension_yaml | from_yaml else {} }}"

4
roles/custom/matrix-synapse/defaults/main.yml
View File

@@ -522,7 +522,7 @@ matrix_synapse_http_listener_resource_names: ["client"]
# Resources served on Synapse's federation port.
# When disabling federation, we may wish to serve the `openid` resource here,
# so that services like Dimension and ma1sd can work.
# so that services like Dimension can work.
matrix_synapse_federation_listener_resource_names: "{{ ['federation'] if matrix_synapse_federation_enabled else (['openid'] if matrix_synapse_federation_port_openid_resource_required else []) }}"
# Enable this to allow Synapse to report utilization statistics about your server to matrix.org
@@ -721,7 +721,7 @@ matrix_synapse_federation_enabled: true
matrix_synapse_federation_port_enabled: "{{ matrix_synapse_federation_enabled or matrix_synapse_federation_port_openid_resource_required }}"
# Controls whether an `openid` listener is to be enabled. Useful when disabling federation,
# but needing the `openid` APIs for Dimension or an identity server like ma1sd.
# but needing the `openid` APIs for Dimension.
matrix_synapse_federation_port_openid_resource_required: false
# A list of domain names that are allowed to federate with the given Synapse server.

24
roles/custom/matrix_playbook_migration/tasks/validate_config.yml
View File

@@ -73,6 +73,8 @@
- {'old': 'matrix_playbook_reverse_proxy_traefik_middleware_compession_enabled', 'new': 'matrix_playbook_reverse_proxy_traefik_middleware_compression_enabled'}
- {'old': 'matrix_playbook_reverse_proxy_traefik_middleware_compession_name', 'new': 'matrix_playbook_reverse_proxy_traefik_middleware_compression_name'}
- {'old': 'matrix_synapse_account_threepid_delegates_msisdn_mas1sd_url', 'new': '<removed>'}
- {'old': 'cinny_docker_image', 'new': 'cinny_container_image'}
- {'old': 'cinny_docker_image_registry_prefix', 'new': 'cinny_container_image_registry_prefix'}
- {'old': 'cinny_docker_image_registry_prefix_upstream', 'new': 'cinny_container_image_registry_prefix_upstream'}
@@ -372,17 +374,17 @@
- {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled', 'new': 'matrix_synapse_container_labels_public_client_synapse_client_api_enabled'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled', 'new': '<replaced by matrix_synapse_container_labels_public_client_synapse_oidc_api_enabled, but if you use matrix_synapse_oidc_enabled then it would be toggled automatically; see the new recommended OIDC example configuration in docs/configuring-playbook-synapse.md>'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled', 'new': 'matrix_synapse_container_labels_public_client_synapse_admin_api_enabled'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_enabled', 'new': '<superseded by matrix_ma1sd_container_labels_traefik_enabled and matrix_ma1sd_container_labels_matrix_identity_enabled>'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_enabled', 'new': '<removed>'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container', 'new': '<removed>'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container', 'new': '<removed>'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled', 'new': '<superseded by matrix_ma1sd_container_labels_traefik_enabled and matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled>'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled', 'new': '<removed>'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container', 'new': '<removed>'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container', 'new': '<removed>'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled', 'new': '<superseded by matrix_ma1sd_container_labels_matrix_client_user_directory_search_path_regexp>'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled', 'new': 'matrix_ma1sd_container_labels_matrix_client_3pid_registration_enabled'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled', 'new': '<removed>'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled', 'new': '<removed>'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container', 'new': '<removed>'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container', 'new': '<removed>'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled', 'new': '<superseded by matrix_ma1sd_container_labels_matrix_client_3pid_registration_path_regexp>'}
- {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled', 'new': '<removed>'}
- {'old': 'matrix_nginx_proxy_proxy_conduit_enabled', 'new': 'matrix_conduit_container_labels_traefik_enabled'}
- {'old': 'matrix_nginx_proxy_proxy_conduit_block_federation_api_on_client_port', 'new': '<not supported anymore - the /_matrix/federation endpoints are now also being served on the Client-Server API port>'}
- {'old': 'matrix_nginx_proxy_proxy_conduit_federation_api_enabled', 'new': 'matrix_conduit_container_labels_public_federation_api_enabled'}
@@ -539,6 +541,18 @@
The following variables in your configuration need to be renamed: {{ lookup('ansible.builtin.varnames', '^devture_container_socket_proxy_.+', wantlist=True) | join(', ') }}
when: "lookup('ansible.builtin.varnames', '^devture_container_socket_proxy_.+', wantlist=True) | length > 0"
- name: (Deprecation) Catch and report ma1sd variables
ansible.builtin.fail:
msg: |-
ma1sd was completely removed from the playbook in February 2026.
Please remove all `matrix_ma1sd_*` variables from your configuration file (vars.yml).
You may also wish to uninstall the component manually. See `docs/configuring-playbook-ma1sd.md` for more information.
The following variables in your configuration need to be removed: {{ lookup('ansible.builtin.varnames', '^matrix_ma1sd_.+', wantlist=True) | join(', ') }}
when: "lookup('ansible.builtin.varnames', '^matrix_ma1sd_.+', wantlist=True) | length > 0"
- name: (Deprecation) Catch and report matrix-appservice-webhooks variables
ansible.builtin.fail:
msg: |-

1
setup.yml
View File

@@ -117,7 +117,6 @@
- galaxy/jitsi
- custom/matrix-user-verification-service
- custom/matrix-ldap-registration-proxy
- custom/matrix-ma1sd
- custom/matrix-dimension
- galaxy/etherpad
- custom/matrix-sygnal