Matrix Authentication Support for Jitsi

This extends the collection with support for seamless authentication at the Jitsi server using Matrix OpenID.

1. New role for installing the [Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service)
2. Changes to Jitsi role: Installing Jitsi Prosody Mods and configuring Jitsi Auth
3. Changes to Jitsi and nginx-proxy roles: Serving .well-known/element/jitsi from jitsi.DOMAIN
4. We updated the Jitsi documentation on authentication and added documentation for the user verification service.

roles/custom/matrix-user-verification-service/defaults/main.yml

@@ -0,0 +1,81 @@
+---
+# Set this to the display name for ansible used in Output e.g. fail_msg
+matrix_user_verification_service_ansible_name: "Matrix User Verification Service"
+
+# Enable by default. This is overwritten in provided group vars.
+matrix_user_verification_service_enabled: true
+
+# Fix version tag
+matrix_user_verification_service_version: "v2.0.0"
+
+# Paths
+matrix_user_verification_service_base_path: "{{ matrix_base_data_path }}/user-verification-service"
+# We need the docker src directory to be named user_verification_service. See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/588
+matrix_user_verification_service_docker_src_files_path: "{{ matrix_user_verification_service_base_path }}/docker-src/user-verification-service"
+matrix_user_verification_service_config_path: "{{ matrix_user_verification_service_base_path }}/config"
+matrix_user_verification_service_config_env_file: "{{ matrix_user_verification_service_config_path }}/.env"
+
+# Set this to true in order to not use the docker image from docker hub, but rather build locally
+matrix_user_verification_service_container_image_self_build: false
+matrix_user_verification_service_container_image_self_build_repo: "https://github.com/matrix-org/matrix-user-verification-service.git"
+matrix_user_verification_service_container_image_self_build_branch: "{{ matrix_user_verification_service_version }}"
+
+# Docker
+matrix_user_verification_service_docker_image_name_prefix: "{{ 'localhost/' if matrix_user_verification_service_container_image_self_build else matrix_container_global_registry_prefix }}"
+matrix_user_verification_service_docker_image: "{{ matrix_user_verification_service_docker_image_name_prefix }}matrixdotorg/matrix-user-verification-service:{{ matrix_user_verification_service_version }}"
+matrix_user_verification_service_docker_image_force_pull: "{{ matrix_user_verification_service_docker_image.endswith(':latest') }}"
+
+matrix_user_verification_service_container_name: "matrix-user-verification-service"
+# Normally this would run on port 3000 however that may conflict with grafana. It is thus advised to change this port.
+#matrix_user_verification_service_container_http_host_bind_port:
+matrix_user_verification_service_container_extra_arguments: []
+# Systemd
+matrix_user_verification_service_systemd_required_services_list: []
+matrix_user_verification_service_systemd_wanted_services_list: []
+matrix_user_verification_service_systemd_service_basename: "matrix-user-verification-service"
+matrix_user_verification_service_systemd_service_name: "{{ matrix_user_verification_service_systemd_service_basename }}.service"
+
+# Matrix User Verification Service Configuration
+## REQUIRED
+
+# Homeserver client API admin token (synapse only)-  Required for the service to verify room membership
+# matrix_user_verification_service_uvs_access_token:
+
+# homeserver client api url
+# matrix_user_verification_service_uvs_homeserver_url: ""
+# disable check for non private ip range of homeserver. e.g. set to `true` if your homeserver domain resolves to a private ip.
+matrix_user_verification_service_uvs_disable_ip_blacklist: false
+
+## OPTIONAL
+
+# Auth token to protect the API
+# If this is set any calls to the provided API endpoints
+# need have the header "Authorization: Bearer changeme".
+# matrix_user_verification_service_uvs_auth_token: changeme
+
+# Matrix server name to verify OpenID tokens against. See below section.
+# Defaults to empty value which means verification is made against
+# whatever Matrix server name passed in with the token
+# matrix_user_verification_service_uvs_openid_verify_server_name: matrix.org
+
+# Log level, defaults to 'info'
+# See choices here: https://github.com/winstonjs/winston#logging-levels
+# matrix_user_verification_service_uvs_log_level: info
+
+
+######################################################################
+#####                                                            #####
+##### Variables used in this role which are not set by this role #####
+#####                                                            #####
+######################################################################
+
+# matrix_user_username
+# matrix_user_groupname
+# matrix_user_uid
+# matrix_user_gid
+# matrix_container_global_registry_prefix
+# matrix_docker_network
+# devture_systemd_docker_base_systemd_path
+# devture_systemd_docker_base_systemd_unit_home_path
+# devture_systemd_docker_base_host_command_sh
+# devture_systemd_docker_base_host_command_docker

roles/custom/matrix-user-verification-service/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Ensure systemd reloaded after matrix-user-verification-service.service installation
+  service:
+    daemon_reload: yes
+  listen: "reload matrix-user-verification-service"

roles/custom/matrix-user-verification-service/tasks/main.yml

@@ -0,0 +1,24 @@
+---
+
+- name: verify all necessary variables are present
+  assert:
+    that:
+      - matrix_user_verification_service_uvs_access_token is defined and matrix_user_verification_service_uvs_access_token|length
+      - matrix_user_verification_service_uvs_homeserver_url is defined and matrix_user_verification_service_uvs_homeserver_url|length
+    fail_msg: "Missing variable in {{ matrix_user_verification_service_ansible_name }} role"
+
+- block:
+    - when: run_setup | bool and matrix_user_verification_service_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
+  tags:
+    - setup-all
+    - setup-user-verification-service
+    - install-all
+    - install-user-verification-service
+
+- block:
+    - when: run_setup | bool and not matrix_user_verification_service_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
+  tags:
+    - setup-all
+    - setup-user-verification-service

roles/custom/matrix-user-verification-service/tasks/setup_install.yml

@@ -0,0 +1,42 @@
+---
+
+- name: "Ensure Matrix User Verification Service paths exist"
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - { path: "{{ matrix_user_verification_service_config_path }}", when: true }
+    - { path: "{{ matrix_user_verification_service_docker_src_files_path }}", when: "{{ matrix_user_verification_service_container_image_self_build }}" }
+  when: item.when | bool
+
+- name: Ensure Matrix User Verification Service image is pulled
+  community.docker.docker_image:
+    name: "{{ matrix_user_verification_service_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_user_verification_service_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_user_verification_service_docker_image_force_pull }}"
+  when: "not matrix_user_verification_service_container_image_self_build | bool"
+  register: result
+  retries: "{{ devture_playbook_help_container_retries_count }}"
+  delay: "{{ devture_playbook_help_container_retries_delay }}"
+  until: result is not failed
+
+#- block:
+# TODO
+#  when: "matrix_user_verification_service_container_image_self_build|bool"
+
+- name: write env file
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/.env.j2"
+    dest: "{{ matrix_user_verification_service_config_env_file }}"
+    mode: 0644
+
+- name: Ensure matrix-user-verification-service.service installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/systemd/matrix-user-verification-service.service.j2"
+    dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}"
+    mode: 0644
+  notify: "reload matrix-user-verification-service"

roles/custom/matrix-user-verification-service/tasks/setup_uninstall.yml

@@ -0,0 +1,35 @@
+---
+
+- name: Check existence of matrix-user-verification-service service
+  stat:
+    path: "{{ matrix_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}"
+  register: matrix_user_verification_service_service_stat
+
+- name: Ensure matrix-user-verification-service is stopped
+  service:
+    name: "{{ matrix_user_verification_service_systemd_service_basename }}"
+    state: stopped
+    daemon_reload: yes
+  register: stopping_result
+  when: "matrix_user_verification_service_service_stat.stat.exists|bool"
+
+- name: Ensure matrix-user-verification-service.service doesn't exist
+  file:
+    path: "{{ matrix_systemd_path }}/{{ matrix_user_verification_service_systemd_service_name }}"
+    state: absent
+  when: "matrix_user_verification_service_service_stat.stat.exists|bool"
+
+- name: Ensure systemd reloaded after matrix-user-verification-service.service removal
+  service:
+    daemon_reload: yes
+  when: "matrix_user_verification_service_service_stat.stat.exists|bool"
+
+- name: Ensure Matrix user-verification-service paths don't exist
+  file:
+    path: "{{ matrix_user_verification_service_base_path }}"
+    state: absent
+
+- name: Ensure user-verification-service Docker image doesn't exist
+  docker_image:
+    name: "{{ matrix_user_verification_service_docker_image }}"
+    state: absent

roles/custom/matrix-user-verification-service/templates/.env.j2

@@ -0,0 +1,14 @@
+UVS_ACCESS_TOKEN={{ matrix_user_verification_service_uvs_access_token }}
+UVS_HOMESERVER_URL={{ matrix_user_verification_service_uvs_homeserver_url }}
+UVS_DISABLE_IP_BLACKLIST={{ matrix_user_verification_service_uvs_disable_ip_blacklist }}
+
+{% if matrix_user_verification_service_uvs_auth_token is defined and matrix_user_verification_service_uvs_auth_token|length %}
+  UVS_AUTH_TOKEN={{ matrix_user_verification_service_uvs_auth_token }}
+{% endif %}
+{% if matrix_user_verification_service_uvs_openid_verify_server_name is defined and matrix_user_verification_service_uvs_openid_verify_server_name|length %}
+  UVS_OPENID_VERIFY_SERVER_NAME={{ matrix_user_verification_service_uvs_openid_verify_server_name }}
+{% endif %}
+{% if matrix_user_verification_service_uvs_log_level is defined and matrix_user_verification_service_uvs_log_level|length %}
+  UVS_LOG_LEVEL={{ matrix_user_verification_service_uvs_log_level }}
+{% endif %}
+

roles/custom/matrix-user-verification-service/templates/systemd/matrix-user-verification-service.service.j2

@@ -0,0 +1,42 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description={{ matrix_user_verification_service_ansible_name }}
+{% for service in matrix_user_verification_service_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_user_verification_service_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+DefaultDependencies=no
+
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_user_verification_service_container_name }} 2>/dev/null'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_user_verification_service_container_name }} 2>/dev/null'
+
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name  {{ matrix_user_verification_service_container_name }}\
+			--log-driver=none \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--cap-drop=ALL \
+			--read-only \
+			--network={{ matrix_docker_network }} \
+			{% if matrix_user_verification_service_container_http_host_bind_port %}
+			-p {{ matrix_user_verification_service_container_http_host_bind_port }}:3000 \
+			{% endif %}
+			--mount type=bind,src={{ matrix_user_verification_service_config_env_file }},dst=/app/.env,ro \
+			{% for arg in matrix_user_verification_service_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
+			{{ matrix_user_verification_service_docker_image }}
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_user_verification_service_container_name }} 2>/dev/null'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_user_verification_service_container_name }} 2>/dev/null'
+Restart=always
+RestartSec=30
+SyslogIdentifier={{ matrix_user_verification_service_systemd_service_basename }}
+
+[Install]
+WantedBy=multi-user.target