Merge branch 'spantaleev:master' into 3031-feat-add-signalgo-bridge

docs/ansible.md

@@ -65,7 +65,7 @@ docker run -it --rm \
 -w /work \
 -v `pwd`:/work \
 --entrypoint=/bin/sh \
-docker.io/devture/ansible:2.14.5-r0-0
+docker.io/devture/ansible:2.16.1-r0-0
 ```
 
 Once you execute the above command, you'll be dropped into a `/work` directory inside a Docker container.
@@ -86,7 +86,7 @@ docker run -it --rm \
 -v `pwd`:/work \
 -v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro \
 --entrypoint=/bin/sh \
-docker.io/devture/ansible:2.14.5-r0-0
+docker.io/devture/ansible:2.16.1-r0-0
 ```
 
 The above command tries to mount an SSH key (`$HOME/.ssh/id_rsa`) into the container (at `/root/.ssh/id_rsa`).

docs/configuring-playbook-bridge-hookshot.md

@@ -23,6 +23,11 @@ Other configuration options are available via the `matrix_hookshot_configuration
 
 Finally, run the playbook (see [installing](installing.md)).
 
+### End-to-bridge encryption
+
+You can enable [experimental encryption](https://matrix-org.github.io/matrix-hookshot/latest/advanced/encryption.html) for Hookshot by adding `matrix_hookshot_experimental_encryption_enabled: true` to your configuration (`vars.yml`) and [executing the playbook](installing.md) again.
+
+Should the crypto store be corrupted, you can reset it by executing this Ansible playbook with the tag `reset-hookshot-encryption` added, for example `ansible-playbook -i inventory/hosts setup.yml -K --tags=reset-hookshot-encryption`).
 
 ## Usage
 

group_vars/matrix_servers

@@ -356,7 +356,7 @@ devture_systemd_service_manager_services_list_auto: |
     +
     ([{'name': 'matrix-mailer.service', 'priority': 2000, 'groups': ['matrix', 'mailer']}] if matrix_mailer_enabled else [])
     +
-    ([{'name': 'matrix-nginx-proxy.service', 'priority': 3000, 'groups': ['matrix', 'nginx', 'reverse-proxies']}] if matrix_nginx_proxy_enabled else [])
+    ([{'name': 'matrix-nginx-proxy.service', 'priority': 3000, 'groups': ['matrix', 'nginx', 'nginx-proxy', 'reverse-proxies']}] if matrix_nginx_proxy_enabled else [])
     +
     (matrix_ssl_renewal_systemd_units_list | selectattr('applicable') | selectattr('enableable') | list )
     +
@@ -1439,6 +1439,18 @@ matrix_hookshot_systemd_wanted_services_list: |
     (['matrix-' + matrix_homeserver_implementation + '.service'])
     +
     (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
+    +
+    ([(redis_identifier + '.service')] if redis_enabled and matrix_hookshot_queue_host == redis_identifier else [])
+  }}
+
+# Hookshot's experimental encryption feature (and possibly others) may benefit from Redis, if available.
+# We only connect to Redis if encryption is enabled (not for everyone who has Redis enabled),
+# because connectivity is still potentially troublesome and is to be investigated.
+matrix_hookshot_queue_host: "{{ redis_identifier if redis_enabled and matrix_hookshot_experimental_encryption_enabled else '' }}"
+
+matrix_hookshot_container_additional_networks_auto: |
+  {{
+    ([redis_container_network] if redis_enabled and matrix_hookshot_queue_host == redis_identifier else [])
   }}
 
 matrix_hookshot_container_http_host_bind_ports_defaultmapping:
@@ -3419,7 +3431,7 @@ ntfy_visitor_request_limit_exempt_hosts_hostnames_auto: |
 #
 ######################################################################
 
-redis_enabled: "{{ matrix_synapse_workers_enabled }}"
+redis_enabled: "{{ matrix_synapse_workers_enabled or (matrix_hookshot_enabled and matrix_hookshot_experimental_encryption_enabled) }}"
 
 redis_identifier: matrix-redis
 

roles/custom/matrix-bridge-hookshot/defaults/main.yml

@@ -5,11 +5,17 @@
 
 matrix_hookshot_enabled: true
 
+matrix_hookshot_ident: matrix-hookshot
 
 matrix_hookshot_container_image_self_build: false
 matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git"
 matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}"
 
+# Specifies additional networks for the Hookshot container to connect with
+matrix_hookshot_container_additional_networks: "{{ matrix_hookshot_container_additional_networks_auto + matrix_hookshot_container_additional_networks_custom }}"
+matrix_hookshot_container_additional_networks_auto: []
+matrix_hookshot_container_additional_networks_custom: []
+
 # renovate: datasource=docker depName=halfshot/matrix-hookshot
 matrix_hookshot_version: 4.7.0
 
@@ -30,6 +36,17 @@ matrix_hookshot_public_endpoint: /hookshot
 matrix_hookshot_appservice_port: 9993
 matrix_hookshot_appservice_endpoint: "{{ matrix_hookshot_public_endpoint }}/_matrix/app"
 
+# The variables below control the queue parameters and may optionally be pointed to a Redis instance.
+# These are required when experimental encryption is enabled (`matrix_hookshot_experimental_encryption_enabled`).
+matrix_hookshot_queue_host: ''
+matrix_hookshot_queue_port: 6739
+
+# Controls whether the experimental end-to-bridge encryption support is enabled.
+# This requires that:
+# - support to also be enabled in the homeserver, see the documentation of Hookshot.
+# - Hookshot to be pointed at a Redis instance via the `matrix_hookshot_queue_*` variables.
+matrix_hookshot_experimental_encryption_enabled: false
+
 # Controls whether metrics are enabled in the bridge configuration.
 # Enabling them is usually enough for a local (in-container) Prometheus to consume them.
 # If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_hookshot_metrics_proxying_enabled`.
@@ -41,7 +58,7 @@ matrix_hookshot_metrics_enabled: false
 matrix_hookshot_metrics_proxying_enabled: false
 
 # There is no need to edit ports.
-# Read the documentation to learn about using hookshot metrics with external Prometheus
+# Read the documentation to learn about using Hookshot metrics with external Prometheus
 # If you still want something different, use matrix_hookshot_container_http_host_bind_ports below to expose ports instead.
 matrix_hookshot_metrics_port: 9001
 

roles/custom/matrix-bridge-hookshot/tasks/main.yml

@@ -9,6 +9,12 @@
     - when: matrix_hookshot_enabled | bool
       ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
 
+- tags:
+    - reset-hookshot-encryption
+  block:
+    - when: matrix_hookshot_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/reset_encryption.yml"
+
 - tags:
     - setup-all
     - setup-hookshot

roles/custom/matrix-bridge-hookshot/tasks/reset_encryption.yml

@@ -0,0 +1,14 @@
+---
+
+- name: Resetting Hookshot's crypto store
+  ansible.builtin.command:
+    cmd: |
+      {{ devture_systemd_docker_base_host_command_docker }} run
+      --rm
+      --name={{ matrix_hookshot_ident }}-reset-crypto
+      --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
+      --cap-drop=ALL
+      --mount type=bind,src={{ matrix_hookshot_base_path }}/config.yml,dst=/config.yml
+      {{ matrix_hookshot_docker_image }}
+      yarn start:resetcrypto
+  changed_when: true

roles/custom/matrix-bridge-hookshot/tasks/validate_config.yml

@@ -87,6 +87,12 @@
   with_items:
     - "matrix_hookshot_provisioning_secret"
 
+- name: Fail if no Redis queue enabled when Hookshot encryption is enabled
+  ansible.builtin.fail:
+    msg: >-
+      You need to define a required configuration setting (`{{ item }}`) to enable Hookshot encryption.
+  when: "matrix_hookshot_experimental_encryption_enabled and matrix_hookshot_queue_host == ''"
+
 - name: (Deprecation) Catch and report old metrics usage
   ansible.builtin.fail:
     msg: >-

roles/custom/matrix-bridge-hookshot/templates/config.yml.j2

@@ -107,6 +107,16 @@ metrics:
   # (Optional) Prometheus metrics support
   #
   enabled: {{ matrix_hookshot_metrics_enabled | to_json }}
+{% if matrix_hookshot_queue_host != '' %}
+queue:
+  monolithic: true
+  port: {{ matrix_hookshot_queue_port }}
+  host: {{ matrix_hookshot_queue_host | to_json }}
+{% endif %}
+{% if matrix_hookshot_experimental_encryption_enabled %}
+experimentalEncryption:
+  storagePath: /data/encryption
+{% endif %}
 logging:
   # (Optional) Logging settings. You can have a severity debug,info,warn,error
   #

roles/custom/matrix-bridge-hookshot/templates/registration.yml.j2

@@ -28,3 +28,9 @@ namespaces:
 sender_localpart: hookshot
 url: "http://{{ matrix_hookshot_container_url }}:{{ matrix_hookshot_appservice_port }}" # This should match the bridge.port in your config file
 rate_limited: false
+
+{% if matrix_hookshot_experimental_encryption_enabled %}
+de.sorunome.msc2409.push_ephemeral: true
+push_ephemeral: true
+org.matrix.msc3202: true
+{% endif %}

roles/custom/matrix-bridge-hookshot/templates/systemd/matrix-hookshot.service.j2

@@ -13,10 +13,9 @@ DefaultDependencies=no
 [Service]
 Type=simple
 Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
-ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} {{ matrix_hookshot_container_url }}
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} {{ matrix_hookshot_ident }}
-ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_hookshot_container_url }}
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_hookshot_ident }}
-
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create --rm --name {{ matrix_hookshot_ident }} \
-ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {{ matrix_hookshot_container_url }} \
           --log-driver=none \
           --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
           --cap-drop=ALL \
@@ -30,11 +29,18 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
           {% endfor %}
           {{ matrix_hookshot_docker_image }}
 
-ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} {{ matrix_hookshot_container_url }}
+{% for network in matrix_hookshot_container_additional_networks %}
-ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_hookshot_container_url }}
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} {{ matrix_hookshot_ident }}
+{% endfor %}
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach {{ matrix_hookshot_ident }}
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} {{ matrix_hookshot_ident }}
+ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_hookshot_ident }}
+
 Restart=always
 RestartSec=30
-SyslogIdentifier={{ matrix_hookshot_container_url }}
+SyslogIdentifier={{ matrix_hookshot_ident }}
 
 [Install]
 WantedBy=multi-user.target

roles/custom/matrix-mailer/defaults/main.yml

@@ -11,7 +11,7 @@ matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_
 matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}"
 
 # renovate: datasource=docker depName=devture/exim-relay versioning=semver
-matrix_mailer_version: 4.96.2-r0-0
+matrix_mailer_version: 4.97-r0-0
 matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}"
 matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}"