Update to 2021-12-01 19:13

roles/unmaintained/matrix_mxisd/defaults/main.yml

@@ -0,0 +1,77 @@
+---
+
+# Install directory
+mxisd_root_dir: /opt/matrix/mxisd
+# User account (will be created if missing)
+mxisd_user: mxisd
+# GIT URI repository
+mxisd_git_uri: https://github.com/kamax-io/mxisd.git
+# Version to checkout
+mxisd_version: v1.1.1
+# Memory limit for the service, in MB
+mxisd_max_mem: 2048
+# TCP port on which the service will bind
+mxisd_port: 8083
+# List of IP address allowed to access this port
+# mxisd_src_ip:
+#  - 0.0.0.0/0
+
+# External server to which forward queries
+# if no match are found localy
+# mxisd_forwarders:
+#   - https://matrix.org
+#   - https://vector.im
+
+# Domain of your Matrix instance. Default to synapse_server_name if present
+# mxisd_matrix_domain: matrix.example.com
+
+# mxisd_server_name: matrix-id.example.com
+# mxisd_public_url: https://matrix-id.domain.com/
+
+# Are recursive lookups allowed
+# mxisd_recursive_lookups: False
+# And if yes, restrict it to certain IP only
+# mxisd_recursive_lookups_ip:
+#   - 192.168.1.0/24
+#   - 172.20.0.0/16
+
+# Should we run LDAP lookups. Most settings can be taken from synapse if installed
+mxisd_ldap_lookup: True
+mxisd_ldap_filter: "{{ ad_auth | default(False) | ternary('(&(objectCategory=person)(objectClass=user)(primaryGroupId=513))','(objectClass=inetOrgPerson)') }}"
+mxisd_ldap_tls: True    # Note that this is TLS, usually on port 636. Start TLS is not supported
+mxisd_ldap_server: "{{ ad_auth | default(False) | ternary(ad_realm | default(samba_realm) | default(ansible_domain) | default(ansible_domain) | lower,'ldap.example.org') }}"
+mxisd_ldap_port: "{{ mxisd_ldap_tls | ternary('636','389') }}"
+#mxisd_ldap_bind_dn: cn=mxisd,ou=DSA,dc=example,dc=org
+#mxisd_ldap_bind_pass: secret
+mxisd_ldap_base: "{{ ad_auth | default(False) | ternary('DC=' + ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\\.',',DC='), 'dc=example,dc=org') }}"
+mxisd_ldap_uid_type: uid
+mxisd_ldap_uid_value: "{{ ad_auth | default(False) | ternary('samaccountname','uid') }}"
+mxisd_ldap_attr_name: cn
+mxisd_ldap_attr_mail:
+  - mail
+mxisd_ldap_attr_tel:
+  - telephoneNumber
+  - mobile
+  - homePhone
+  - otherTelephone
+  - otherMobile
+  - otherHomePhone
+mxisd_ldap_attr_other:
+  - cn
+  - memberOf
+
+# Outgoing email settings
+# Will use synapse settings if available
+# mxisd_smtp_server: smtp.domain.com
+# mxisd_smtp_port: 25
+# mxisd_smtp_tls: True
+# mxisd_smtp_user:
+# mxisd_smtp_pass:
+# mxisd_smtp_from: mxisd@domain.com
+
+# Overwrite the DNS name of your Matrix server
+mxisd_dns_overwrite:
+  - name: "{{ mxisd_matrix_domain | default(synapse_server_name) }}"
+    value: http://localhost:8008
+
+...

roles/unmaintained/matrix_mxisd/handlers/main.yml

@@ -0,0 +1,8 @@
+---
+
+- include: ../common/handlers/main.yml
+
+- name: restart mxisd
+  service: name=matrix-mxisd state=restarted
+
+...

roles/unmaintained/matrix_mxisd/tasks/main.yml

@@ -0,0 +1,62 @@
+---
+
+- name: Install needed packages
+  yum:
+    name:
+      - java-1.8.0-openjdk-devel
+      - git
+    state: latest
+
+- name: Create mxisd user account
+  user: name={{ mxisd_user }} home={{ mxisd_root_dir }} shell=/bin/bash state=present
+
+- name: Create needed directories
+  file: path={{ mxisd_root_dir }}/{{ item.dir }} state=directory mode={{ item.mode }} group={{ mxisd_user }}
+  with_items:
+    - { dir: /,   mode: 750 }
+    - { dir: etc, mode: 770 }
+    - { dir: db,  mode: 770 }
+
+- name: Clone mxisd repo
+  git:
+    depth: 1
+    repo: "{{ mxisd_git_uri }}"
+    dest: "{{ mxisd_root_dir }}/app"
+    version: "{{ mxisd_version }}"
+  become_user: "{{ mxisd_user }}"
+  register: mxisd_git
+  become: True
+
+- name: Setup proxy settings for gradle
+  template: src=gradle.properties.j2 dest={{ mxisd_root_dir }}/app/gradle.properties
+
+- name: Check if the jar already exists
+  stat: path={{ mxisd_root_dir }}/app/build/libs/app.jar
+  register: mxisd_jar
+
+- name: Build mxisd
+  command: ./gradlew --no-daemon build
+  args:
+    chdir: "{{ mxisd_root_dir }}/app"
+  become: True
+  become_user: "{{ mxisd_user }}"
+  when: mxisd_git.changed or not mxisd_jar.stat.exists
+  notify: restart mxisd
+
+- name: Handle mxisd port
+  iptables_raw:
+    name=mxisd_port
+    state={{ (mxisd_src_ip is defined and mxisd_src_ip | length > 0) | ternary('present','absent') }}
+    rules="-A INPUT -m state --state NEW -p tcp --dport {{ mxisd_port }} -s {{ mxisd_src_ip | join(',') }} -j ACCEPT"
+  when: iptables_manage | default(True)
+
+- name: Deploy service config
+  template: src=mxisd.yaml.j2 dest={{ mxisd_root_dir }}/etc/mxisd.yaml group={{ mxisd_user }} mode=640
+  notify: restart mxisd
+
+- name: Deploy systemd unit
+  template: src=matrix-mxisd.service.j2 dest=/etc/systemd/system/matrix-mxisd.service
+  notify: reload systemd
+
+- name: Start and enable the service
+  service: name=matrix-mxisd state=started enabled=yes

roles/unmaintained/matrix_mxisd/templates/gradle.properties.j2

@@ -0,0 +1,6 @@
+{% if system_proxy is defined and system_proxy != '' %}
+systemProp.http.proxyHost={{ system_proxy | urlsplit('hostname') }}
+systemProp.http.proxyPort={{ system_proxy | urlsplit('port') }}
+systemProp.https.proxyHost={{ system_proxy | urlsplit('hostname') }}
+systemProp.https.proxyPort={{ system_proxy | urlsplit('port') }}
+{% endif %}

roles/unmaintained/matrix_mxisd/templates/matrix-mxisd.service.j2

@@ -0,0 +1,19 @@
+[Unit]
+Description=Matrix Identity Service Daemon
+
+[Service]
+Type=simple
+User={{ mxisd_user }}
+Group={{ mxisd_user }}
+ExecStart=/usr/bin/java -jar {{ mxisd_root_dir }}/app/build/libs/app.jar -c {{ mxisd_root_dir }}/etc/mxisd.yaml
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=yes
+NoNewPrivileges=yes
+MemoryLimit={{ mxisd_max_mem }}M
+SyslogIdentifier=matrix-mxisd
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

roles/unmaintained/matrix_mxisd/templates/mxisd.yaml.j2

@@ -0,0 +1,105 @@
+matrix:
+  domain: '{{ mxisd_matrix_domain | default(synapse_server_name) }}'
+server:
+  port: {{ mxisd_port }}
+{% if mxisd_server_name is defined %}
+  name: '{{ mxisd_server_name }}'
+{% endif %}
+  publicUrl: '{{ mxisd_public_url | default('https://' + synapse_server_name) }}'
+key:
+  path: '{{ mxisd_root_dir }}/etc/signing.key'
+lookup:
+  recursive:
+    enabled: {{ mxisd_recursive_lookups | default(True) | ternary('true','false') }}
+{% if mxisd_recursive_lookups_ip is defined and mxisd_recursive_lookups_ip | length > 0 %}
+    allowedCidr:
+{% for net in mxisd_recursive_lookups_ip %}
+{% if net | ipaddr %}
+      - {{ net }}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% if mxisd_ldap_lookup | default(synapse_ldap_auth) | default(False) %}
+ldap:
+  enabled: True
+{% if mxisd_ldap_filter is defined %}
+  filter: {{ mxisd_ldap_filter }}
+{% elif synapse_ldap_filter is defined %}
+  filter: {{ synapse_ldap_filter }}
+{% endif %}
+  connection:
+    tls: {{ mxisd_ldap_tls | default(True) | ternary('true','false') }}
+    host: {{ mxisd_ldap_server | default(synapse_ldap_uri) | regex_replace('^(ldaps?://)?(?P<host>[a-zA-Z0-9\-\.]+)(:\d+)?','\\g<host>') | default('localhost') }}
+    port: {{ mxisd_ldap_port | default(mxisd_ldap_tls | ternary('636','389')) }}
+{% if mxisd_ldap_bind_dn is defined and mxisd_ldap_bind_pass is defined %}
+    bindDn: {{ mxisd_ldap_bind_dn }}
+    bindPassword: {{ mxisd_ldap_bind_pass }}
+{% elif synapse_ldap_bind_dn is defined and synapse_ldap_bind_pass is defined %}
+    bindDn: {{ synapse_ldap_bind_dn }}
+    bindPassword: {{ synapse_ldap_bind_pass }}
+{% endif %}
+    baseDn: {{ mxisd_ldap_base | default(synapse_ldap_user_base) }}
+  attribute:
+    uid:
+      type: {{ mxisd_ldap_uid_type | default('uid') }}
+      value: {{ mxisd_ldap_uid_value | default(ad_auth | default(False) | ternary('samaccountname','uid')) }}
+    name: {{ mxisd_ldap_attr_name | default(synapse_ldap_attr_name) | default('cn') }}
+{% if mxisd_ldap_attr_mail is defined and mxisd_ldap_attr_mail | length > 0 %}
+    threepid:
+      email:
+{% for attr in mxisd_ldap_attr_mail %}
+        - {{ attr }}
+{% endfor %}
+{% endif %}
+{% if mxisd_ldap_attr_tel is defined and mxisd_ldap_attr_tel | length > 0 %}
+      msisdn:
+{% for attr in mxisd_ldap_attr_tel %}
+        - {{ attr }}
+{% endfor %}
+{% endif %}
+{% if mxisd_ldap_attr_other is defined and mxisd_ldap_attr_other | length > 0 %}
+      other:
+{% for attr in mxisd_ldap_attr_other %}
+        - {{ attr }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% if mxisd_forwarders is defined and mxisd_forwarders | length > 0 %}
+forward:
+  servers:
+{% for server in mxisd_forwarders %}
+    - {{ server }}
+{% endfor %}
+{% endif %}
+threepid:
+  medium:
+    email:
+      connectors:
+        smtp:
+          host: {{ mxisd_smtp_server | default(synapse_smtp_server) }}
+          port: {{ mxisd_smtp_port | default(synapse_smtp_port) }}
+          tls: {{ (mxisd_smtp_tls | default(synapse_smtp_tls)) | ternary('2', '1') }}
+{% if mxisd_smtp_user is defined and mxisd_smtp_pass is defined %}
+          login: "{{ mxisd_smtp_user }}"
+          password: "{{ mxisd_smtp_pass }}"
+{% elif synapse_smtp_user is defined and synapse_smtp_pass is defined %}
+          login: "{{ synapse_smtp_user }}"
+          password: "{{ synapse_smtp_pass }}"
+{% endif %}
+      identity:
+        from: "{{ mxisd_smtp_from | default('no-reply@' + ansible_domain) }}"
+storage:
+  backend: 'sqlite'
+  provider:
+    sqlite:
+      database: '{{ mxisd_root_dir }}/db/mxisd.sqlite'
+{% if mxisd_dns_overwrite is defined and mxisd_dns_overwrite | length > 0 %}
+dns:
+  overwrite:
+    homeserver:
+      client:
+{% for overwrite in mxisd_dns_overwrite %}
+        - name: {{ overwrite.name }}
+          value: '{{ overwrite.value }}'
+{% endfor %}
+{% endif %}