matrix-docker-ansible-deploy/docs/configuring-playbook-matrix-corporal.md

# Setting up Matrix Corporal (optional, advanced)

-------------------------------------

**WARNING**: This is an advanced feature! It requires prior experience with Matrix and a specific need for using [Matrix Corporal](https://github.com/devture/matrix-corporal). If you're unsure whether you have such a need, you most likely don't.

-------------------------------------

The playbook can install and configure [matrix-corporal](https://github.com/devture/matrix-corporal) for you.

In short, it's a sort of automation and firewalling service, which is helpful if you're instaling Matrix services in a controlled corporate environment. See that project's documentation to learn what it does and why it might be useful to you.

If you decide that you'd like to let this playbook install it for you, you'd need to also:
- (required) [set up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md)
- (optional, but encouraged) [set up the REST authentication password provider module](configuring-playbook-rest-auth.md)


## Adjusting the playbook configuration

Add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file (adapt to your needs):

```yaml
# The Shared Secret Auth password provider module is required for Corporal to work.
# See configuring-playbook-shared-secret-auth.md
matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: YOUR_SHARED_SECRET_GOES_HERE

# When matrix-corporal is acting as the primary authentication provider,
# you need to set up the REST authentication password provider module
# to make Interactive User Authentication work.
# This is necessary for certain user actions (like E2EE, device management, etc).
#
# See configuring-playbook-rest-auth.md
matrix_synapse_ext_password_provider_rest_auth_enabled: true
matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-corporal:41080/_matrix/corporal"

matrix_corporal_enabled: true

# See below for an example of how to use a locally-stored static policy
matrix_corporal_policy_provider_config: |
  {
    "Type": "http",
    "Uri": "https://intranet.example.com/matrix/policy",
    "AuthorizationBearerToken": "SOME_SECRET",
    "CachePath": "/var/cache/matrix-corporal/last-policy.json",
    "ReloadIntervalSeconds": 1800,
    "TimeoutMilliseconds": 300
  }

# If you also want to enable Matrix Corporal's HTTP API..
matrix_corporal_http_api_enabled: true
matrix_corporal_http_api_auth_token: "AUTH_TOKEN_HERE"

# If you need to change matrix-corporal's user ID from the default (matrix-corporal).
# In any case, you need to make sure this Matrix user is created on your server.
matrix_corporal_corporal_user_id_local_part: "matrix-corporal"

# Because Corporal peridoically performs lots of user logins from the same IP,
# you may need raise Synapse's ratelimits.
# The values below are just an example. Tweak to your use-case (number of users, etc.)
matrix_synapse_rc_login:
  address:
    per_second: 50
    burst_count: 300
  account:
    per_second: 0.17
    burst_count: 3
  failed_attempts:
    per_second: 0.17
    burst_count: 3
```

Matrix Corporal operates with a specific Matrix user on your server. By default, it's `matrix-corporal` (controllable by the `matrix_corporal_reconciliation_user_id_local_part` setting, see above).

No matter what Matrix user ID you configure to run it with, make sure that:

- the Matrix Corporal user is created by [registering it](registering-users.md) **with administrator privileges**. Use a password you remember, as you'll need to log in from time to time to create or join rooms

- the Matrix Corporal user is joined and has Admin/Moderator-level access to any rooms you want it to manage

### Using a locally-stored static policy

If you'd like to use a [static policy file](https://github.com/devture/matrix-corporal/blob/master/docs/policy-providers.md#static-file-pull-style-policy-provider), you can use a configuration like this:

```yaml
matrix_corporal_policy_provider_config: |
  {
    "Type": "static_file",
    "Path": "/etc/matrix-corporal/policy.json"
  }

# Modify the policy below as you see fit
aux_file_definitions:
  - dest: "{{ matrix_corporal_config_dir_path }}/policy.json"
    content: |
      {
        "schemaVersion": 1,
        "identificationStamp": "stamp-1",
        "flags": {
          "allowCustomUserDisplayNames": false,
          "allowCustomUserAvatars": false,
          "forbidRoomCreation": false,
          "forbidEncryptedRoomCreation": true,
          "forbidUnencryptedRoomCreation": false,
          "allowCustomPassthroughUserPasswords": true,
          "allowUnauthenticatedPasswordResets": false,
          "allow3pidLogin": false
        },
        "managedCommunityIds": [],
        "managedRoomIds": [],
        "users": []
      }
```

To learn more about what the policy configuration, see the matrix-corporal documentation on [policy](https://github.com/devture/matrix-corporal/blob/master/docs/policy.md).

## Installing

After configuring the playbook, run the [installation](installing.md) command (`--tags=setup-all,start` or `--tags=setup-aux-files,setup-corporal,start`).


## Matrix Corporal files

The following local filesystem paths are mounted in the `matrix-corporal` container and can be used in your configuration (or policy):

- `/matrix/corporal/config` is mounted at `/etc/matrix-corporal` (read-only)

- `/matrix/corporal/var` is mounted at `/var/matrix-corporal` (read and write)

- `/matrix/corporal/cache` is mounted at `/var/cache/matrix-corporal` (read and write)

As an example: you can create your own configuration files in `/matrix/corporal/config` and they will appear in `/etc/matrix-corporal` in the Docker container. Your configuration (stuff in `matrix_corporal_policy_provider_config`) needs to refer to these files via the local container paths - `/etc/matrix-corporal` (read-only), `/var/matrix-corporal` (read and write), `/var/cache/matrix-corporal` (read and write).
Annotate certain features as optional/advanced We've had some people get confused into installing Matrix Corporal and having pain with that. With this documentation change, we try to make it clearer that it's an advanced feature not to be touched unless you know what you're doing. On a similar note, we also make sure other things are properly labeled as "(optional)" and/or "(advanced)". 2018-11-26 06:23:42 +01:00			`# Setting up Matrix Corporal (optional, advanced)`

			`-------------------------------------`

			`WARNING: This is an advanced feature! It requires prior experience with Matrix and a specific need for using [Matrix Corporal](https://github.com/devture/matrix-corporal). If you're unsure whether you have such a need, you most likely don't.`

			`-------------------------------------`
Add support for matrix-corporal 2018-08-21 12:34:34 +02:00
			`The playbook can install and configure [matrix-corporal](https://github.com/devture/matrix-corporal) for you.`

Edit line breaks in sentences and paragraphs Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org> 2024-10-18 19:32:11 +02:00			`In short, it's a sort of automation and firewalling service, which is helpful if you're instaling Matrix services in a controlled corporate environment. See that project's documentation to learn what it does and why it might be useful to you.`
Add support for matrix-corporal 2018-08-21 12:34:34 +02:00
Initial work on support for matrix-corporal v2 2021-01-16 22:47:14 +01:00			`If you decide that you'd like to let this playbook install it for you, you'd need to also:`
			`- (required) [set up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md)`
			`- (optional, but encouraged) [set up the REST authentication password provider module](configuring-playbook-rest-auth.md)`
Add support for matrix-corporal 2018-08-21 12:34:34 +02:00
Make matrix-corporal documentation more detailed 2018-10-23 08:19:24 +02:00
Use common expression on documentation regarding playbook configuration Overall the playbook uses the expression "Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file:" with the heading "Adjusting the playbook configuration" for sections to explain what to be added as variables Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org> 2024-10-12 13:48:24 +02:00			`## Adjusting the playbook configuration`
Be more clear that Corporal requires Shared Secret Auth 2020-08-19 08:29:39 +02:00
Replace DOMAIN with example.com Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org> 2024-10-17 15:17:56 +02:00			Add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file (adapt to your needs):
Add support for matrix-corporal 2018-08-21 12:34:34 +02:00
			```yaml
Be more clear that Corporal requires Shared Secret Auth 2020-08-19 08:29:39 +02:00			`# The Shared Secret Auth password provider module is required for Corporal to work.`
			`# See configuring-playbook-shared-secret-auth.md`
			`matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true`
			`matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: YOUR_SHARED_SECRET_GOES_HERE`

Initial work on support for matrix-corporal v2 2021-01-16 22:47:14 +01:00			`# When matrix-corporal is acting as the primary authentication provider,`
			`# you need to set up the REST authentication password provider module`
			`# to make Interactive User Authentication work.`
			`# This is necessary for certain user actions (like E2EE, device management, etc).`
			`#`
			`# See configuring-playbook-rest-auth.md`
			`matrix_synapse_ext_password_provider_rest_auth_enabled: true`
			`matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-corporal:41080/_matrix/corporal"`

Add support for matrix-corporal 2018-08-21 12:34:34 +02:00			`matrix_corporal_enabled: true`

Update matrix-corporal documentation 2021-11-15 09:29:25 +01:00			`# See below for an example of how to use a locally-stored static policy`
Add support for matrix-corporal 2018-08-21 12:34:34 +02:00			`matrix_corporal_policy_provider_config: \|`
			`{`
			`"Type": "http",`
			`"Uri": "https://intranet.example.com/matrix/policy",`
			`"AuthorizationBearerToken": "SOME_SECRET",`
			`"CachePath": "/var/cache/matrix-corporal/last-policy.json",`
Fix example policy provider configuration for matrix-corporal Fixes the example, to add the missing required configuration key for the HTTP policy provider. Related to #477 (Github Issue). 2020-04-29 16:22:18 +02:00			`"ReloadIntervalSeconds": 1800,`
			`"TimeoutMilliseconds": 300`
Add support for matrix-corporal 2018-08-21 12:34:34 +02:00			`}`

			`# If you also want to enable Matrix Corporal's HTTP API..`
			`matrix_corporal_http_api_enabled: true`
			`matrix_corporal_http_api_auth_token: "AUTH_TOKEN_HERE"`

Fix capitalization: id → ID Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org> 2024-10-15 19:24:34 +02:00			`# If you need to change matrix-corporal's user ID from the default (matrix-corporal).`
Make matrix-corporal documentation more detailed 2018-10-23 08:19:24 +02:00			`# In any case, you need to make sure this Matrix user is created on your server.`
Initial work on support for matrix-corporal v2 2021-01-16 22:47:14 +01:00			`matrix_corporal_corporal_user_id_local_part: "matrix-corporal"`
Add support for adjusting Synapse rate-limiting configuration 2019-04-01 20:40:14 +02:00
			`# Because Corporal peridoically performs lots of user logins from the same IP,`
			`# you may need raise Synapse's ratelimits.`
			`# The values below are just an example. Tweak to your use-case (number of users, etc.)`
			`matrix_synapse_rc_login:`
			`address:`
			`per_second: 50`
			`burst_count: 300`
			`account:`
			`per_second: 0.17`
			`burst_count: 3`
			`failed_attempts:`
			`per_second: 0.17`
			`burst_count: 3`
Add support for matrix-corporal 2018-08-21 12:34:34 +02:00			```

Edit line breaks in sentences and paragraphs Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org> 2024-10-18 19:32:11 +02:00			Matrix Corporal operates with a specific Matrix user on your server. By default, it's `matrix-corporal` (controllable by the `matrix_corporal_reconciliation_user_id_local_part` setting, see above).

Fix capitalization: id → ID Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org> 2024-10-15 19:24:34 +02:00			`No matter what Matrix user ID you configure to run it with, make sure that:`
Make matrix-corporal documentation more detailed 2018-10-23 08:19:24 +02:00
Update matrix-corporal documentation 2021-11-15 09:29:25 +01:00			`- the Matrix Corporal user is created by [registering it](registering-users.md) with administrator privileges. Use a password you remember, as you'll need to log in from time to time to create or join rooms`
Make matrix-corporal documentation more detailed 2018-10-23 08:19:24 +02:00
			`- the Matrix Corporal user is joined and has Admin/Moderator-level access to any rooms you want it to manage`

Update matrix-corporal documentation 2021-11-15 09:29:25 +01:00			`### Using a locally-stored static policy`

			`If you'd like to use a [static policy file](https://github.com/devture/matrix-corporal/blob/master/docs/policy-providers.md#static-file-pull-style-policy-provider), you can use a configuration like this:`

			```yaml
			`matrix_corporal_policy_provider_config: \|`
			`{`
			`"Type": "static_file",`
			`"Path": "/etc/matrix-corporal/policy.json"`
			`}`

			`# Modify the policy below as you see fit`
Update aux role documentation, removing old matrix-aux references 2023-05-12 06:00:58 +02:00			`aux_file_definitions:`
Update matrix-corporal documentation 2021-11-15 09:29:25 +01:00			`- dest: "{{ matrix_corporal_config_dir_path }}/policy.json"`
			`content: \|`
			`{`
			`"schemaVersion": 1,`
			`"identificationStamp": "stamp-1",`
			`"flags": {`
			`"allowCustomUserDisplayNames": false,`
			`"allowCustomUserAvatars": false,`
			`"forbidRoomCreation": false,`
			`"forbidEncryptedRoomCreation": true,`
			`"forbidUnencryptedRoomCreation": false,`
			`"allowCustomPassthroughUserPasswords": true,`
			`"allowUnauthenticatedPasswordResets": false,`
			`"allow3pidLogin": false`
			`},`
			`"managedCommunityIds": [],`
			`"managedRoomIds": [],`
			`"users": []`
			`}`
			```

			`To learn more about what the policy configuration, see the matrix-corporal documentation on [policy](https://github.com/devture/matrix-corporal/blob/master/docs/policy.md).`

Use common sentences on documentation regarding installation Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org> 2024-10-12 20:03:46 +02:00			`## Installing`

Remove 'again' Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org> 2024-10-13 04:50:04 +02:00			After configuring the playbook, run the [installation](installing.md) command (`--tags=setup-all,start` or `--tags=setup-aux-files,setup-corporal,start`).
Update matrix-corporal documentation 2021-11-15 09:29:25 +01:00
Use disable_guests=true for Riot 2018-10-24 12:59:06 +02:00
Make matrix-corporal documentation more detailed 2018-10-23 08:19:24 +02:00			`## Matrix Corporal files`

Add support for matrix-corporal 2018-08-21 12:34:34 +02:00			The following local filesystem paths are mounted in the `matrix-corporal` container and can be used in your configuration (or policy):

			- `/matrix/corporal/config` is mounted at `/etc/matrix-corporal` (read-only)

			- `/matrix/corporal/var` is mounted at `/var/matrix-corporal` (read and write)

			- `/matrix/corporal/cache` is mounted at `/var/cache/matrix-corporal` (read and write)
Make matrix-corporal documentation more detailed 2018-10-23 08:19:24 +02:00
Update configuring-playbook-matrix-corporal.md 2021-02-16 09:44:35 +01:00			As an example: you can create your own configuration files in `/matrix/corporal/config` and they will appear in `/etc/matrix-corporal` in the Docker container. Your configuration (stuff in `matrix_corporal_policy_provider_config`) needs to refer to these files via the local container paths - `/etc/matrix-corporal` (read-only), `/var/matrix-corporal` (read and write), `/var/cache/matrix-corporal` (read and write).