diff --git a/roles/matrix-synapse/defaults/main.yaml b/roles/matrix-synapse/defaults/main.yaml index 90c4848..d5a507a 100644 --- a/roles/matrix-synapse/defaults/main.yaml +++ b/roles/matrix-synapse/defaults/main.yaml @@ -6,9 +6,11 @@ synapse_domain: '{{ domain }}' ldap_server: 'ldap1.dmz.{{ domain }}' ldap_domain: '{{ domain }}' ldap_basedn: 'dc={{ ldap_domain.replace(".", ",dc=") }}' +ldap_tls_enabled: true ldap_tls_server_ca: '{{ tls_root_ca }}' +ldap_renew_secret: false synapse_coturn_integration: true -coturn_host: 'matrix' +coturn_host: 'turn' coturn_fqdn: 'turn.{{ domain }}' coturn_port: '3478' ... diff --git a/roles/matrix-synapse/tasks/main.yaml b/roles/matrix-synapse/tasks/main.yaml index 3d5032f..45bd772 100644 --- a/roles/matrix-synapse/tasks/main.yaml +++ b/roles/matrix-synapse/tasks/main.yaml @@ -43,14 +43,14 @@ - 'python3-psycopg2' - block: - - name: 'create synapse DB' + - name: 'PGSQL | create synapse DB' postgresql_db: name: 'synapse' encoding: 'UTF-8' lc_collate: 'C' lc_ctype: 'C' template: 'template0' - - name: 'create synapse DB user' + - name: 'PGSQL | create synapse DB user' postgresql_user: name: 'matrix-synapse' db: 'synapse' @@ -79,30 +79,50 @@ nginx_proxy_location_path: '{{ synapse_nginx_proxy_location_path }}' notify: 'restart nginx' -- name: 'generate matrix ldap password' - gen_passwd: 'length=32' - register: synapse_ldap_passwd +- name: 'try to read LDAP service password' + command: 'sed -n "s/^\s\+bind_password: \"\(.\+\)\"$/\1/p" /etc/matrix-synapse/homeserver.yaml' + register: synapse_read_ldap_passwd + no_log: true tags: - 'service_password' -- name: 'set matrix ldap password in ldap' - delegate_to: 'localhost' - ldap_passwd: - dn: 'cn={{ host_fqdn }},ou=Server,{{ ldap_basedn }}' - passwd: '{{ synapse_ldap_passwd.passwd }}' - server_uri: 'ldap://{{ ldap_server }}' - start_tls: true - bind_dn: '{{ ldap_admin_dn }}' - bind_pw: '{{ ldap_admin_pw }}' +- name: 'set LDAP service password' + set_fact: + synapse_ldap_passwd: '{{ synapse_read_ldap_passwd.stdout | d("") }}' + no_log: true tags: - 'service_password' -- name: 'update ldap tls server ca' +- block: + - name: 'LDAP | generate client service password' + gen_passwd: 'length=32' + register: 'synapse_ldap_gen_passwd' + no_log: true + tags: + - 'service_password' + - name: 'LDAP | set client service password on server' + delegate_to: 'localhost' + ldap_passwd: + dn: 'cn={{ host_fqdn }},ou=Server,{{ ldap_basedn }}' + passwd: '{{ synapse_ldap_gen_passwd.passwd }}' + server_uri: 'ldap://{{ ldap_server }}' + start_tls: '{{ ldap_tls_enabled }}' + bind_dn: '{{ ldap_admin_dn }}' + bind_pw: '{{ ldap_admin_pw }}' + - name: 'LDAP | set client service password on client' + set_fact: + synapse_ldap_passwd: '{{ synapse_ldap_gen_passwd.passwd }}' + no_log: true + when: synapse_ldap_passwd == '' or ldap_renew_secret + tags: + - 'service_password' + +- name: 'LDAP | update client root ca' copy: content: '{{ ldap_tls_server_ca }}' dest: '/etc/ldap/server_ca.crt' -- name: 'configure ldap client' +- name: 'LDAP | configure client' copy: src: 'ldap.conf' dest: '/etc/ldap/ldap.conf' diff --git a/roles/matrix-synapse/templates/homeserver.yaml.j2 b/roles/matrix-synapse/templates/homeserver.yaml.j2 index 99d40d5..ce389bb 100644 --- a/roles/matrix-synapse/templates/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/homeserver.yaml.j2 @@ -1563,9 +1563,9 @@ password_providers: attributes: uid: "uid" mail: "mail" - name: "sn" + name: "cn" bind_dn: "cn={{ host_fqdn }},ou=Server,{{ ldap_basedn }}" - bind_password: "{{ synapse_ldap_passwd.passwd }}" + bind_password: "{{ synapse_ldap_passwd }}" filter: "(authorizedService=matrix)"