Add dendrite captcha config to doc and hCaptcha (#2290)

* added dendrite captcha options

* added hcaptcha doc

* proper url

* Apply suggestions from code review

Co-authored-by: Slavi Pantaleev <slavi@devture.com>

* Update main.yml

* renamed captcha vars to new naming scheme

* change vars to new format

* Rename back some incorrect renamed variables

These variables are either not just part of the `client_api` subsection,
or are not even part of that section at all. They shouldn't have been
renamed in baaef2ed616e2645550d9

* Fix up naming inconsistencies

Some of these variables had been renamed in one place,
but not in other places, so it couldn't have worked that way.

* Add validation/deprecation for renamed Dendrite variables

Related to 4097898f885cf4c73, baaef2ed616e2645550, 68f4418092fa8ad
and a0b4a0ae6b2f1f18

Co-authored-by: Slavi Pantaleev <slavi@devture.com>

docs/configuring-captcha.md

@@ -2,9 +2,11 @@
 
 # Overview
 Captcha can be enabled for this home server. This file explains how to do that.
-The captcha mechanism used is Google's [ReCaptcha](https://www.google.com/recaptcha/). This requires API keys from Google.
+The captcha mechanism used is Google's [ReCaptcha](https://www.google.com/recaptcha/). This requires API keys from Google. If your homeserver is Dendrite then [hCapcha](https://www.hcaptcha.com) can be used instead.
 
-## Getting keys
+## ReCaptcha
+
+### Getting keys
 
 Requires a site/secret key pair from:
 
@@ -12,12 +14,39 @@ Requires a site/secret key pair from:
 
 Must be a reCAPTCHA **v2** key using the "I'm not a robot" Checkbox option
 
-## Setting ReCaptcha Keys
+### Setting ReCaptcha keys
 
 Once registered as above, set the following values:
 
 ```yaml
+# for Synapse
 matrix_synapse_enable_registration_captcha: true
 matrix_synapse_recaptcha_public_key: 'YOUR_SITE_KEY'
 matrix_synapse_recaptcha_private_key: 'YOUR_SECRET_KEY'
+
+# for Dendrite
+matrix_dendrite_client_api_enable_registration_captcha: true
+matrix_dendrite_client_api_recaptcha_public_key: 'YOUR_SITE_KEY'
+matrix_dendrite_client_api_recaptcha_private_key: 'YOUR_SECRET_KEY'
+```
+
+## hCaptcha
+
+### Getting keys
+
+Requires a site/secret key pair from:
+
+<https://dashboard.hcaptcha.com/sites/new>
+
+### Setting hCaptcha keys
+
+```yaml
+matrix_dendrite_client_api_enable_registration_captcha: true
+matrix_dendrite_client_api_recaptcha_public_key: 'YOUR_SITE_KEY'
+matrix_dendrite_client_api_recaptcha_private_key: 'YOUR_SECRET_KEY'
+
+matrix_dendrite_client_api_recaptcha_siteverify_api: 'https://hcaptcha.com/siteverify'
+matrix_dendrite_client_api_recaptcha_api_js_url: 'https://js.hcaptcha.com/1/api.js'
+matrix_dendrite_client_api_recaptcha_form_field: 'h-captcha-response'
+matrix_dendrite_client_api_recaptcha_sitekey_class: 'h-captcha'
 ```

group_vars/matrix_servers

@@ -1474,7 +1474,7 @@ matrix_bot_maubot_registration_shared_secret: |-
   {{
     {
       'synapse': matrix_synapse_registration_shared_secret,
-      'dendrite': matrix_dendrite_registration_shared_secret,
+      'dendrite': matrix_dendrite_client_api_registration_shared_secret,
     }[matrix_homeserver_implementation]
   }}
 
@@ -2898,7 +2898,7 @@ matrix_registration_shared_secret: |-
   {{
     {
       'synapse': matrix_synapse_registration_shared_secret,
-      'dendrite': matrix_dendrite_registration_shared_secret,
+      'dendrite': matrix_dendrite_client_api_registration_shared_secret,
       'conduit': '',
     }[matrix_homeserver_implementation]
   }}
@@ -2975,13 +2975,13 @@ matrix_dendrite_container_https_host_bind_address: "{{ '' if matrix_nginx_proxy_
 
 matrix_dendrite_sync_api_real_ip_header: "{{ 'X-Forwarded-For' if matrix_nginx_proxy_enabled else '' }}"
 
-matrix_dendrite_registration_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.rss', rounds=655555) | to_uuid }}"
+matrix_dendrite_client_api_registration_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.rss', rounds=655555) | to_uuid }}"
 
 matrix_dendrite_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.db', rounds=655555) | to_uuid }}"
 
 # Even if TURN doesn't support TLS (it does by default),
 # it doesn't hurt to try a secure connection anyway.
-matrix_dendrite_turn_uris: |
+matrix_dendrite_client_api_turn_uris: |
   {{
     [
       'turns:' + matrix_server_fqn_matrix + '?transport=udp',

roles/custom/matrix-dendrite/defaults/main.yml

@@ -76,7 +76,7 @@ matrix_dendrite_systemd_wanted_services_list: []
 # matrix_dendrite_template_dendrite_config: "{{ playbook_dir }}/inventory/host_vars/<host>/dendrite.yaml.j2"
 matrix_dendrite_template_dendrite_config: "{{ role_path }}/templates/dendrite/dendrite.yaml.j2"
 
-matrix_dendrite_registration_shared_secret: ''
+matrix_dendrite_client_api_registration_shared_secret: ''
 matrix_dendrite_allow_guest_access: false
 
 matrix_dendrite_max_file_size_bytes: 10485760
@@ -89,18 +89,21 @@ matrix_dendrite_sync_api_real_ip_header: ''
 matrix_dendrite_tmp_directory_size_mb: 500
 
 # Rate limits
-matrix_dendrite_rate_limiting_enabled: true
-matrix_dendrite_rate_limiting_threshold: 20
-matrix_dendrite_rate_limiting_cooloff_ms: 500
+matrix_dendrite_client_api_rate_limiting_enabled: true
+matrix_dendrite_client_api_rate_limiting_threshold: 20
+matrix_dendrite_client_api_rate_limiting_cooloff_ms: 500
 
 # Controls whether people with access to the homeserver can register by themselves.
-matrix_dendrite_registration_disabled: true
+matrix_dendrite_client_api_registration_disabled: true
 
 # reCAPTCHA API for validating registration attempts
-matrix_dendrite_enable_registration_captcha: false
-matrix_dendrite_recaptcha_public_key: ""
-matrix_dendrite_recaptcha_private_key: ""
-matrix_dendrite_recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
+matrix_dendrite_client_api_enable_registration_captcha: false
+matrix_dendrite_client_api_recaptcha_public_key: ""
+matrix_dendrite_client_api_recaptcha_private_key: ""
+matrix_dendrite_client_api_recaptcha_siteverify_api: ""
+matrix_dendrite_client_api_recaptcha_api_js_url: ""
+matrix_dendrite_client_api_recaptcha_form_field: ""
+matrix_dendrite_client_api_recaptcha_sitekey_class: ""
 
 # A list of additional "volumes" to mount in the container.
 # This list gets populated dynamically based on Dendrite extensions that have been enabled.
@@ -147,11 +150,10 @@ matrix_dendrite_userapi_database: "dendrite_userapi"
 matrix_dendrite_pushserver_database: "dendrite_pushserver"
 matrix_dendrite_mscs_database: "dendrite_mscs"
 
-matrix_dendrite_turn_uris: []
-matrix_dendrite_turn_shared_secret: ""
-matrix_dendrite_turn_allow_guests: false
+matrix_dendrite_client_api_turn_uris: []
+matrix_dendrite_client_api_turn_client_api_shared_secret: ""
+matrix_dendrite_client_api_turn_allow_guests: false
 
-# Controls whether the self-check feature should validate TLS certificates.
 matrix_dendrite_disable_tls_validation: false
 
 matrix_dendrite_trusted_id_servers:

roles/custom/matrix-dendrite/tasks/validate_config.yml

@@ -5,7 +5,7 @@
       You need to define a required configuration setting (`{{ item }}`) for using Dendrite.
   when: "vars[item] == ''"
   with_items:
-    - "matrix_dendrite_registration_shared_secret"
+    - "matrix_dendrite_client_api_registration_shared_secret"
 
 - name: (Deprecation) Catch and report renamed settings
   ansible.builtin.fail:
@@ -13,4 +13,15 @@
       Your configuration contains a variable, which now has a different name.
       Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
   when: "item.old in vars"
-  with_items: []
+  with_items:
+    - {'old': 'matrix_dendrite_enable_registration_captcha', 'new': 'matrix_dendrite_client_api_enable_registration_captcha'}
+    - {'old': 'matrix_dendrite_recaptcha_public_key', 'new': 'matrix_dendrite_client_api_recaptcha_public_key'}
+    - {'old': 'matrix_dendrite_recaptcha_private_key', 'new': 'matrix_dendrite_client_api_recaptcha_private_key'}
+    - {'old': 'matrix_dendrite_registration_disabled', 'new': 'matrix_dendrite_client_api_registration_disabled'}
+    - {'old': 'matrix_dendrite_registration_shared_secret', 'new': 'matrix_dendrite_client_api_registration_shared_secret'}
+    - {'old': 'matrix_dendrite_turn_uris', 'new': 'matrix_dendrite_client_api_turn_uris'}
+    - {'old': 'matrix_dendrite_turn_client_api_shared_secret', 'new': 'matrix_dendrite_client_api_turn_client_api_shared_secret'}
+    - {'old': 'matrix_dendrite_turn_allow_guests', 'new': 'matrix_dendrite_client_api_turn_allow_guests'}
+    - {'old': 'matrix_dendrite_rate_limiting_enabled', 'new': 'matrix_dendrite_client_api_rate_limiting_enabled'}
+    - {'old': 'matrix_dendrite_rate_limiting_threshold', 'new': 'matrix_dendrite_client_api_rate_limiting_threshold'}
+    - {'old': 'matrix_dendrite_rate_limiting_cooloff_ms', 'new': 'matrix_dendrite_client_api_rate_limiting_cooloff_ms'}

roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2

@@ -175,7 +175,7 @@ client_api:
 
   # Prevents new users from being able to register on this homeserver, except when
   # using the registration shared secret below.
-  registration_disabled: {{ matrix_dendrite_registration_disabled|to_json }}
+  registration_disabled: {{ matrix_dendrite_client_api_registration_disabled | to_json }}
 
   # Prevents new guest accounts from being created. Guest registration is also
   # disabled implicitly by setting 'registration_disabled' above.
@@ -183,22 +183,25 @@ client_api:
 
   # If set, allows registration by anyone who knows the shared secret, regardless of
   # whether registration is otherwise disabled.
-  registration_shared_secret: {{ matrix_dendrite_registration_shared_secret | string|to_json }}
+  registration_shared_secret: {{ matrix_dendrite_client_api_registration_shared_secret | string | to_json }}
 
   # Whether to require reCAPTCHA for registration.
-  enable_registration_captcha: {{ matrix_dendrite_enable_registration_captcha|to_json }}
+  enable_registration_captcha: {{ matrix_dendrite_client_api_enable_registration_captcha | to_json }}
 
   # Settings for ReCAPTCHA.
-  recaptcha_public_key: {{ matrix_dendrite_recaptcha_public_key|to_json }}
-  recaptcha_private_key: {{ matrix_dendrite_recaptcha_private_key|to_json }}
+  recaptcha_public_key: {{ matrix_dendrite_client_api_recaptcha_public_key | to_json }}
+  recaptcha_private_key: {{ matrix_dendrite_client_api_recaptcha_private_key | to_json }}
   recaptcha_bypass_secret: ""
-  recaptcha_siteverify_api: {{ matrix_dendrite_recaptcha_siteverify_api|to_json }}
+  recaptcha_siteverify_api: {{ matrix_dendrite_client_api_recaptcha_siteverify_api | to_json }}
+  recaptcha_api_js_url: {{ matrix_dendrite_client_api_recaptcha_api_js_url | to_json }}
+  recaptcha_form_field: {{ matrix_dendrite_client_api_recaptcha_form_field | to_json }}
+  recaptcha_sitekey_class: {{ matrix_dendrite_client_api_recaptcha_sitekey_class | to_json }}
 
   # TURN server information that this homeserver should send to clients.
   turn:
     turn_user_lifetime: ""
-    turn_uris: {{ matrix_dendrite_turn_uris|to_json }}
-    turn_shared_secret: {{ matrix_dendrite_turn_shared_secret|to_json }}
+    turn_uris: {{ matrix_dendrite_client_api_turn_uris | to_json }}
+    turn_shared_secret: {{ matrix_dendrite_client_api_turn_shared_secret | to_json }}
     turn_username: ""
     turn_password: ""
 
@@ -206,9 +209,9 @@ client_api:
   # threshold number of "slots" have been taken by requests from a specific
   # host. Each "slot" will be released after the cooloff time in milliseconds.
   rate_limiting:
-    enabled: {{ matrix_dendrite_rate_limiting_enabled|to_json }}
-    threshold: {{ matrix_dendrite_rate_limiting_threshold|to_json }}
-    cooloff_ms: {{ matrix_dendrite_rate_limiting_cooloff_ms|to_json }}
+    enabled: {{ matrix_dendrite_client_api_rate_limiting_enabled | to_json }}
+    threshold: {{ matrix_dendrite_client_api_rate_limiting_threshold | to_json }}
+    cooloff_ms: {{ matrix_dendrite_client_api_rate_limiting_cooloff_ms | to_json }}
     exempt_user_ids:
     #  - "@user:domain.com"