Merge branch 'spantaleev:master' into 3031-feat-add-signalgo-bridge

2023-12-16 12:34:56 +01:00
parent c028d75f9e 9f5d4018c7
commit 0e4c878ee3
11 changed files with 95 additions and 13 deletions
--- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml
+++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml
@ -5,11 +5,17 @@

 matrix_hookshot_enabled: true

+matrix_hookshot_ident: matrix-hookshot

 matrix_hookshot_container_image_self_build: false
 matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git"
 matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}"

+# Specifies additional networks for the Hookshot container to connect with
+matrix_hookshot_container_additional_networks: "{{ matrix_hookshot_container_additional_networks_auto + matrix_hookshot_container_additional_networks_custom }}"
+matrix_hookshot_container_additional_networks_auto: []
+matrix_hookshot_container_additional_networks_custom: []
+
 # renovate: datasource=docker depName=halfshot/matrix-hookshot
 matrix_hookshot_version: 4.7.0

@ -30,6 +36,17 @@ matrix_hookshot_public_endpoint: /hookshot
 matrix_hookshot_appservice_port: 9993
 matrix_hookshot_appservice_endpoint: "{{ matrix_hookshot_public_endpoint }}/_matrix/app"

+# The variables below control the queue parameters and may optionally be pointed to a Redis instance.
+# These are required when experimental encryption is enabled (`matrix_hookshot_experimental_encryption_enabled`).
+matrix_hookshot_queue_host: ''
+matrix_hookshot_queue_port: 6739
+
+# Controls whether the experimental end-to-bridge encryption support is enabled.
+# This requires that:
+# - support to also be enabled in the homeserver, see the documentation of Hookshot.
+# - Hookshot to be pointed at a Redis instance via the `matrix_hookshot_queue_*` variables.
+matrix_hookshot_experimental_encryption_enabled: false
+
 # Controls whether metrics are enabled in the bridge configuration.
 # Enabling them is usually enough for a local (in-container) Prometheus to consume them.
 # If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_hookshot_metrics_proxying_enabled`.
@ -41,7 +58,7 @@ matrix_hookshot_metrics_enabled: false
 matrix_hookshot_metrics_proxying_enabled: false

 # There is no need to edit ports.
-# Read the documentation to learn about using hookshot metrics with external Prometheus
+# Read the documentation to learn about using Hookshot metrics with external Prometheus
 # If you still want something different, use matrix_hookshot_container_http_host_bind_ports below to expose ports instead.
 matrix_hookshot_metrics_port: 9001

--- a/roles/custom/matrix-bridge-hookshot/tasks/main.yml
+++ b/roles/custom/matrix-bridge-hookshot/tasks/main.yml
@ -9,6 +9,12 @@
    - when: matrix_hookshot_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"

+- tags:
+    - reset-hookshot-encryption
+  block:
+    - when: matrix_hookshot_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/reset_encryption.yml"
+
 - tags:
    - setup-all
    - setup-hookshot
--- a/roles/custom/matrix-bridge-hookshot/tasks/reset_encryption.yml
+++ b/roles/custom/matrix-bridge-hookshot/tasks/reset_encryption.yml
@ -0,0 +1,14 @@
+---
+
+- name: Resetting Hookshot's crypto store
+  ansible.builtin.command:
+    cmd: |
+      {{ devture_systemd_docker_base_host_command_docker }} run
+      --rm
+      --name={{ matrix_hookshot_ident }}-reset-crypto
+      --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
+      --cap-drop=ALL
+      --mount type=bind,src={{ matrix_hookshot_base_path }}/config.yml,dst=/config.yml
+      {{ matrix_hookshot_docker_image }}
+      yarn start:resetcrypto
+  changed_when: true
--- a/roles/custom/matrix-bridge-hookshot/tasks/validate_config.yml
+++ b/roles/custom/matrix-bridge-hookshot/tasks/validate_config.yml
@ -87,6 +87,12 @@
  with_items:
    - "matrix_hookshot_provisioning_secret"

+- name: Fail if no Redis queue enabled when Hookshot encryption is enabled
+  ansible.builtin.fail:
+    msg: >-
+      You need to define a required configuration setting (`{{ item }}`) to enable Hookshot encryption.
+  when: "matrix_hookshot_experimental_encryption_enabled and matrix_hookshot_queue_host == ''"
+
 - name: (Deprecation) Catch and report old metrics usage
  ansible.builtin.fail:
    msg: >-
--- a/roles/custom/matrix-bridge-hookshot/templates/config.yml.j2
+++ b/roles/custom/matrix-bridge-hookshot/templates/config.yml.j2
@ -107,6 +107,16 @@ metrics:
  # (Optional) Prometheus metrics support
  #
  enabled: {{ matrix_hookshot_metrics_enabled | to_json }}
+{% if matrix_hookshot_queue_host != '' %}
+queue:
+  monolithic: true
+  port: {{ matrix_hookshot_queue_port }}
+  host: {{ matrix_hookshot_queue_host | to_json }}
+{% endif %}
+{% if matrix_hookshot_experimental_encryption_enabled %}
+experimentalEncryption:
+  storagePath: /data/encryption
+{% endif %}
 logging:
  # (Optional) Logging settings. You can have a severity debug,info,warn,error
  #
--- a/roles/custom/matrix-bridge-hookshot/templates/registration.yml.j2
+++ b/roles/custom/matrix-bridge-hookshot/templates/registration.yml.j2
@ -28,3 +28,9 @@ namespaces:
 sender_localpart: hookshot
 url: "http://{{ matrix_hookshot_container_url }}:{{ matrix_hookshot_appservice_port }}" # This should match the bridge.port in your config file
 rate_limited: false
+
+{% if matrix_hookshot_experimental_encryption_enabled %}
+de.sorunome.msc2409.push_ephemeral: true
+push_ephemeral: true
+org.matrix.msc3202: true
+{% endif %}
--- a/roles/custom/matrix-bridge-hookshot/templates/systemd/matrix-hookshot.service.j2
+++ b/roles/custom/matrix-bridge-hookshot/templates/systemd/matrix-hookshot.service.j2
@ -13,10 +13,9 @@ DefaultDependencies=no
 [Service]
 Type=simple
 Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
-ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} {{ matrix_hookshot_container_url }}
-ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_hookshot_container_url }}
-
-ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {{ matrix_hookshot_container_url }} \
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} {{ matrix_hookshot_ident }}
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_hookshot_ident }}
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create --rm --name {{ matrix_hookshot_ident }} \
          --log-driver=none \
          --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
          --cap-drop=ALL \
@ -30,11 +29,18 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
          {% endfor %}
          {{ matrix_hookshot_docker_image }}

-ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} {{ matrix_hookshot_container_url }}
-ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_hookshot_container_url }}
+{% for network in matrix_hookshot_container_additional_networks %}
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} {{ matrix_hookshot_ident }}
+{% endfor %}
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach {{ matrix_hookshot_ident }}
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} {{ matrix_hookshot_ident }}
+ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_hookshot_ident }}
+
 Restart=always
 RestartSec=30
-SyslogIdentifier={{ matrix_hookshot_container_url }}
+SyslogIdentifier={{ matrix_hookshot_ident }}

 [Install]
 WantedBy=multi-user.target
--- a/roles/custom/matrix-mailer/defaults/main.yml
+++ b/roles/custom/matrix-mailer/defaults/main.yml
@ -11,7 +11,7 @@ matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_
 matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}"

 # renovate: datasource=docker depName=devture/exim-relay versioning=semver
-matrix_mailer_version: 4.96.2-r0-0
+matrix_mailer_version: 4.97-r0-0
 matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}"
 matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}"