2018-11-26 13:23:42 +08:00
# Setting up Matrix Corporal (optional, advanced)
-------------------------------------
**WARNING**: This is an advanced feature! It requires prior experience with Matrix and a specific need for using [Matrix Corporal ](https://github.com/devture/matrix-corporal ). If you're unsure whether you have such a need, you most likely don't.
-------------------------------------
2018-08-21 18:34:34 +08:00
The playbook can install and configure [matrix-corporal ](https://github.com/devture/matrix-corporal ) for you.
2018-11-26 13:23:42 +08:00
In short, it's a sort of automation and firewalling service, which is helpful if you're instaling Matrix services in a controlled corporate environment.
2018-08-21 18:34:34 +08:00
See that project's documentation to learn what it does and why it might be useful to you.
2021-01-17 05:47:14 +08:00
If you decide that you'd like to let this playbook install it for you, you'd need to also:
- (required) [set up the Shared Secret Auth password provider module ](configuring-playbook-shared-secret-auth.md )
- (optional, but encouraged) [set up the REST authentication password provider module ](configuring-playbook-rest-auth.md )
2018-08-21 18:34:34 +08:00
2018-10-23 14:19:24 +08:00
## Playbook configuration
2020-08-19 14:29:39 +08:00
2018-08-21 18:34:34 +08:00
You would then need some configuration like this:
```yaml
2020-08-19 14:29:39 +08:00
# The Shared Secret Auth password provider module is required for Corporal to work.
# See configuring-playbook-shared-secret-auth.md
matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: YOUR_SHARED_SECRET_GOES_HERE
2021-01-17 05:47:14 +08:00
# When matrix-corporal is acting as the primary authentication provider,
# you need to set up the REST authentication password provider module
# to make Interactive User Authentication work.
# This is necessary for certain user actions (like E2EE, device management, etc).
#
# See configuring-playbook-rest-auth.md
matrix_synapse_ext_password_provider_rest_auth_enabled: true
matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-corporal:41080/_matrix/corporal"
2018-08-21 18:34:34 +08:00
matrix_corporal_enabled: true
2021-11-15 16:29:25 +08:00
# See below for an example of how to use a locally-stored static policy
2018-08-21 18:34:34 +08:00
matrix_corporal_policy_provider_config: |
{
"Type": "http",
"Uri": "https://intranet.example.com/matrix/policy",
"AuthorizationBearerToken": "SOME_SECRET",
"CachePath": "/var/cache/matrix-corporal/last-policy.json",
2020-04-29 22:22:18 +08:00
"ReloadIntervalSeconds": 1800,
"TimeoutMilliseconds": 300
2018-08-21 18:34:34 +08:00
}
# If you also want to enable Matrix Corporal's HTTP API..
matrix_corporal_http_api_enabled: true
matrix_corporal_http_api_auth_token: "AUTH_TOKEN_HERE"
2021-01-17 05:47:14 +08:00
# If you need to change matrix-corporal's user id from the default (matrix-corporal).
2018-10-23 14:19:24 +08:00
# In any case, you need to make sure this Matrix user is created on your server.
2021-01-17 05:47:14 +08:00
matrix_corporal_corporal_user_id_local_part: "matrix-corporal"
2019-04-02 02:40:14 +08:00
# Because Corporal peridoically performs lots of user logins from the same IP,
# you may need raise Synapse's ratelimits.
# The values below are just an example. Tweak to your use-case (number of users, etc.)
matrix_synapse_rc_login:
address:
per_second: 50
burst_count: 300
account:
per_second: 0.17
burst_count: 3
failed_attempts:
per_second: 0.17
burst_count: 3
2018-08-21 18:34:34 +08:00
```
2018-10-23 14:19:24 +08:00
Matrix Corporal operates with a specific Matrix user on your server.
By default, it's `matrix-corporal` (controllable by the `matrix_corporal_reconciliation_user_id_local_part` setting, see above).
No matter what Matrix user id you configure to run it with, make sure that:
2021-11-15 16:29:25 +08:00
- the Matrix Corporal user is created by [registering it ](registering-users.md ) **with administrator privileges** . Use a password you remember, as you'll need to log in from time to time to create or join rooms
2018-10-23 14:19:24 +08:00
- the Matrix Corporal user is joined and has Admin/Moderator-level access to any rooms you want it to manage
2021-11-15 16:29:25 +08:00
### Using a locally-stored static policy
If you'd like to use a [static policy file ](https://github.com/devture/matrix-corporal/blob/master/docs/policy-providers.md#static-file-pull-style-policy-provider ), you can use a configuration like this:
```yaml
matrix_corporal_policy_provider_config: |
{
"Type": "static_file",
"Path": "/etc/matrix-corporal/policy.json"
}
# Modify the policy below as you see fit
2023-05-12 12:00:58 +08:00
aux_file_definitions:
2021-11-15 16:29:25 +08:00
- dest: "{{ matrix_corporal_config_dir_path }}/policy.json"
content: |
{
"schemaVersion": 1,
"identificationStamp": "stamp-1",
"flags": {
"allowCustomUserDisplayNames": false,
"allowCustomUserAvatars": false,
"forbidRoomCreation": false,
"forbidEncryptedRoomCreation": true,
"forbidUnencryptedRoomCreation": false,
"allowCustomPassthroughUserPasswords": true,
"allowUnauthenticatedPasswordResets": false,
"allow3pidLogin": false
},
"managedCommunityIds": [],
"managedRoomIds": [],
"users": []
}
```
To learn more about what the policy configuration, see the matrix-corporal documentation on [policy ](https://github.com/devture/matrix-corporal/blob/master/docs/policy.md ).
Each time you update the policy in your `vars.yml` file, you'd need to re-run the playbook and restart matrix-corporal (`--tags=setup-all,start` or `--tags=setup-aux-files,setup-corporal,start` ).
2018-10-24 18:59:06 +08:00
2018-10-23 14:19:24 +08:00
## Matrix Corporal files
2018-08-21 18:34:34 +08:00
The following local filesystem paths are mounted in the `matrix-corporal` container and can be used in your configuration (or policy):
- `/matrix/corporal/config` is mounted at `/etc/matrix-corporal` (read-only)
- `/matrix/corporal/var` is mounted at `/var/matrix-corporal` (read and write)
- `/matrix/corporal/cache` is mounted at `/var/cache/matrix-corporal` (read and write)
2018-10-23 14:19:24 +08:00
2021-02-16 16:44:35 +08:00
As an example: you can create your own configuration files in `/matrix/corporal/config` and they will appear in `/etc/matrix-corporal` in the Docker container. Your configuration (stuff in `matrix_corporal_policy_provider_config` ) needs to refer to these files via the local container paths - `/etc/matrix-corporal` (read-only), `/var/matrix-corporal` (read and write), `/var/cache/matrix-corporal` (read and write).