matrix-docker-ansible-deploy/docs/configuring-playbook-ma1sd.md

143 lines
7.4 KiB
Markdown
Raw Normal View History

# Setting up ma1sd Identity Server (optional)
2018-08-15 09:23:22 +02:00
The playbook can configure the [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server for you.
ma1sd, being an Identity Server, is not strictly needed. It is only used for 3PIDs (3rd party identifiers like E-mail and phone numbers) and some [enhanced features](https://github.com/ma1uta/ma1sd/#features).
2018-08-15 09:23:22 +02:00
This server is private by default, potentially at the expense of user discoverability.
*ma1sd is a fork of [mxisd](https://github.com/kamax-io/mxisd) which was pronounced end of life 2019-06-21.*
**Note**: enabling ma1sd, means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. It's something to be aware of, especially in terms of firewall whitelisting (make sure port `8448` is accessible).
2019-10-22 09:54:13 +02:00
## Adjusting the playbook configuration
To enable ma1sd, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
2020-08-05 12:46:30 +02:00
```yaml
matrix_ma1sd_enabled: true
2020-08-05 12:46:30 +02:00
```
### Matrix.org lookup forwarding
2018-08-15 09:23:22 +02:00
To ensure maximum discovery, you can make your identity server also forward lookups to the central matrix.org Identity server (at the cost of potentially leaking all your contacts information).
Enabling this is discouraged and you'd better [learn more](https://github.com/ma1uta/ma1sd/blob/master/docs/features/identity.md#lookups) before proceeding.
2018-08-15 09:23:22 +02:00
Enabling matrix.org forwarding can happen with the following configuration:
```yaml
matrix_ma1sd_matrixorg_forwarding_enabled: true
2018-08-15 09:23:22 +02:00
```
### Customizing email templates
If you'd like to change the default email templates used by ma1sd, take a look at the `matrix_ma1sd_threepid_medium_email_custom_` variables (in the `roles/custom/matrix-ma1sd/defaults/main.yml` file.
Update docs/configuring-dns.md (#3786) * Update docs/configuring-dns.md: add note about DNS settings for default services Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org> * Update docs/configuring-dns.md and docs/configuring-playbook-ma1sd.md: move the DNS setting (SRV record) for ma1sd to the latter Edit instruction to enable a SRV record for ma1sd. Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org> * Update docs/configuring-dns.md: remove repetitive explanations about necessity of subdomain settings Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org> * Update docs/configuring-dns.md: move explanation about subdomain settings up Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org> * Update docs/configuring-dns.md: fix tables layout Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org> * Update docs/configuring-dns.md: edit the section for TXT and MX records Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org> * Update docs/configuring-dns.md: move the row for ma1sd under the rows for CNAME records Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org> * Update docs/configuring-dns.md: replace "may be necessary" with "is necessary" as Element Web is installed by default Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org> * Update docs/configuring-dns.md: add a note about setting a SRV record for ma1sd Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org> * Update docs/configuring-dns.md: use the same string for IP address placeholder Also: adjust the table's layout Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org> * Update docs/configuring-dns.md: simplify the header for postmoogle DNS records configuration Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org> * Update docs/configuring-dns.md: switch the order of TXT and MX moogle for Postmoogle Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org> * Update docs/configuring-dns.md: simplify instructions for ma1sd and Postmoogle Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org> * Update docs/configuring-dns.md: fix the anchor link to rageshake documentation The issue was introduced with ea6e8794870074c6ebffc0ac3893c82eca0e0aa6 Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org> --------- Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org> Co-authored-by: Suguru Hirahara <acioustick@noreply.codeberg.org>
2024-11-17 09:10:40 +01:00
## Adjusting DNS records
To make the ma1sd Identity Server enable its federation features, set up an SRV record that looks like this:
- Name: `_matrix-identity._tcp` (use this text as-is)
- Content: `10 0 443 matrix.example.com` (replace `example.com` with your own)
See [ma1sd's documentation](https://github.com/ma1uta/ma1sd/wiki/mxisd-and-your-privacy#choices-are-never-easy) for information on the privacy implications of setting up this SRV record.
**Note**: This `_matrix-identity._tcp` SRV record for the identity server is different from the `_matrix._tcp` that can be used for Synapse delegation. See [howto-server-delegation.md](howto-server-delegation.md) for more information about delegation.
## Installing
After configuring the playbook, run the [installation](installing.md) command: `just install-all` or `just setup-all`
2019-10-22 09:54:13 +02:00
## ma1sd-controlled Registration
To use the [Registration](https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md) feature of ma1sd, you can make use of the following variables:
2019-10-22 09:54:13 +02:00
- `matrix_synapse_enable_registration` - to enable user-initiated registration in Synapse
- `matrix_synapse_enable_registration_captcha` - to validate registering users using reCAPTCHA, as described in the [enabling reCAPTCHA](configuring-captcha.md) documentation.
2020-07-04 01:33:25 +02:00
- `matrix_synapse_registrations_require_3pid` - a list of 3pid types (among `'email'`, `'msisdn'`) required by the Synapse server for registering
- variables prefixed with `matrix_ma1sd_container_labels_` (e.g. `matrix_ma1sd_container_labels_matrix_client_3pid_registration_enabled`) - to configure the Traefik reverse-proxy to capture and send registration requests to ma1sd (instead of Synapse), so it can apply its additional functionality
2019-10-22 09:54:13 +02:00
- `matrix_ma1sd_configuration_extension_yaml` - to configure ma1sd as required. See the [Registration feature's docs](https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md) for inspiration. Also see the [Additional features](#additional-features) section below to learn more about how to use `matrix_ma1sd_configuration_extension_yaml`.
**Note**: For this to work, either the homeserver needs to [federate](configuring-playbook-federation.md) or the `openid` APIs need to exposed on the federation port. When federation is disabled and ma1sd is enabled, we automatically expose the `openid` APIs (only!) on the federation port. Make sure the federation port (usually `https://matrix.example.com:8448`) is whitelisted in your firewall (even if you don't actually use/need federation).
2019-10-22 17:24:27 +02:00
## Authentication
[Authentication](https://github.com/ma1uta/ma1sd/blob/master/docs/features/authentication.md) provides the possibility to use your own [Identity Stores](https://github.com/ma1uta/ma1sd/blob/master/docs/stores/README.md) (for example LDAP) to authenticate users on your Homeserver. The following configuration can be used to authenticate against an LDAP server:
2019-10-22 17:24:27 +02:00
```yaml
matrix_synapse_ext_password_provider_rest_auth_enabled: true
# matrix-ma1sd is the hostname of the ma1sd Docker container
matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-ma1sd:8090"
2019-10-22 17:24:27 +02:00
matrix_ma1sd_configuration_extension_yaml: |
2019-10-22 17:24:27 +02:00
ldap:
enabled: true
connection:
host: ldapHostnameOrIp
tls: false
port: 389
baseDNs: ['OU=Users,DC=example,DC=org']
bindDn: CN=My ma1sd User,OU=Users,DC=example,DC=org
2019-10-22 17:24:27 +02:00
bindPassword: TheUserPassword
```
2018-08-15 09:23:22 +02:00
## Additional features
What this playbook configures for your is some bare minimum Identity Server functionality, so that you won't need to rely on external 3rd party services.
A few variables can be toggled in this playbook to alter the ma1sd configuration that gets generated.
Still, ma1sd can do much more. You can refer to the [ma1sd website](https://github.com/ma1uta/ma1sd) for more details and configuration options.
2018-08-15 09:23:22 +02:00
To use a more custom configuration, you can define a `matrix_ma1sd_configuration_extension_yaml` string variable and put your configuration in it. To learn more about how to do this, refer to the information about `matrix_ma1sd_configuration_extension_yaml` in the [default variables file](../roles/custom/matrix-ma1sd/defaults/main.yml) of the ma1sd component.
2018-08-15 09:23:22 +02:00
2020-06-24 23:34:28 +02:00
## Example: SMS verification
2020-06-25 07:22:12 +02:00
If your use case requires mobile verification, it is quite simple to integrate ma1sd with [Twilio](https://www.twilio.com/), an online telephony services gateway. Their prices are reasonable for low-volume projects and integration can be done with the following configuration:
2020-06-24 23:34:28 +02:00
```yaml
matrix_ma1sd_configuration_extension_yaml: |
2020-06-24 23:34:28 +02:00
threepid:
medium:
msisdn:
connectors:
twilio:
account_sid: '<secret-SID>'
auth_token: '<secret-token>'
number: '+<msisdn-number>'
```
2019-10-22 09:54:13 +02:00
## Example: Open Registration for every Domain
2020-07-26 17:24:53 +02:00
If you want to open registration for any domain, you have to setup the allowed domains with ma1sd's `blacklist` and `whitelist`. The default behavior when neither the `blacklist`, nor the `whitelist` match, is to allow registration. Beware: you can't block toplevel domains (aka `.xy`) because the internal architecture of ma1sd doesn't allow that.
```yaml
matrix_ma1sd_configuration_extension_yaml: |
register:
policy:
allowed: true
threepid:
email:
domain:
blacklist: ~
whitelist: ~
```
2018-08-15 09:23:22 +02:00
## Troubleshooting
If email address validation emails sent by ma1sd are not reaching you, you should look into [Adjusting email-sending settings](configuring-playbook-email.md).
2019-10-21 20:11:00 +02:00
If you'd like additional logging information, temporarily enable verbose logging for ma1sd.
2019-10-21 20:11:00 +02:00
Example configuration (`inventory/host_vars/matrix.example.com/vars.yml`):
2019-10-21 20:11:00 +02:00
```yaml
matrix_ma1sd_verbose_logging: true
```