From e6b77284f2dd4d9b5549601947d9b9d09f5375e5 Mon Sep 17 00:00:00 2001 From: Wolfgang Winter Date: Fri, 13 Aug 2021 17:46:37 +0200 Subject: [PATCH 01/15] Relay bot configurable + permissions Enable / disable relay bot functionality as configuratoin paramter; set bridge permissions for base domain users to user level --- .../matrix-bridge-mautrix-signal/templates/config.yaml.j2 | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index d4f64c790..ef66ee914 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 @@ -188,14 +188,13 @@ bridge: # * - All Matrix users # domain - All users on that homeserver # mxid - Specific user - permissions: - '{{ matrix_mautrix_signal_homeserver_domain }}': relay - '{{ matrix_mautrix_signal_homeserver_domain }}': user + permissions: + {{ matrix_mautrix_signal_homeserver_domain }}: user relay: # Whether or not relay mode should be allowed. If allowed, `!signal set-relay` can be used to turn any # authenticated user into a relaybot for that chat. - enabled: true + enabled: {{ matrix_mautrix_signal_relaybot_enabled }} # The formats to use when sending messages to Signal via a relay user. # # Available variables: From 5ca28ba87249951e24cd226e4ccfdf81aadd98d3 Mon Sep 17 00:00:00 2001 From: Wolfgang Winter Date: Fri, 13 Aug 2021 17:48:05 +0200 Subject: [PATCH 02/15] Default relay bot functionality setting Per default relay bot functionality is disabled; the bridge user permissions depends on the relay bot, if enabled the base domain users are on level relay, else remain on user; --- .../defaults/main.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index 8ff2fbb6d..157922c66 100644 
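Review bot: In PATCH 01/15 (`templates/config.yaml.j2`, hunk `@@ -188,14 +188,13 @@`), `enabled: {{ matrix_mautrix_signal_relaybot_enabled }}` writes the variable's raw string form into the bridge config, so whether relay mode ends up on depends on how the value was supplied and on how the bridge's YAML loader types it. A value passed as a string such as `"no"` or `"off"` would be emitted unquoted, and a loader that does not treat those words as booleans would presumably read a non-empty string, which is truthy. Since this flag decides whether `!signal set-relay` is available, render it deterministically: `enabled: {{ matrix_mautrix_signal_relaybot_enabled | bool | to_json }}`. The `bridge:` mapping this hunk edits starts and ends outside the hunk.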
--- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -78,6 +78,9 @@ matrix_mautrix_signal_appservice_database: "{{ # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). matrix_mautrix_signal_login_shared_secret: '' +# Enable bridge relay bot functionality +matrix_mautrix_signal_relaybot_enabled: false + # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # @@ -93,6 +96,21 @@ matrix_mautrix_signal_configuration_extension_yaml: | # # If you need something more special, you can take full control by # completely redefining `matrix_mautrix_signal_configuration_yaml`. + # + # Permissions for using the bridge. + # Permitted values: + # relay - Allowed to be relayed through the bridge, no access to commands. + # user - Use the bridge with puppeting. + # admin - Use and administrate the bridge. + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + # + bridge: + permissions: + {{ matrix_mautrix_signal_homeserver_domain }}: "{{ "relay" if matrix_mautrix_signal_relaybot_enabled else "user" }}" + matrix_mautrix_signal_configuration_extension: "{{ matrix_mautrix_signal_configuration_extension_yaml|from_yaml if matrix_mautrix_signal_configuration_extension_yaml|from_yaml is mapping else {} }}" From c3b4a1a66d7796d84b8c0b2eaf4970405a6d28fc Mon Sep 17 00:00:00 2001 From: Wolfgang Winter Date: Fri, 13 Aug 2021 17:48:28 +0200 Subject: [PATCH 03/15] Augment documentation for relay bot --- ...figuring-playbook-bridge-mautrix-signal.md | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/docs/configuring-playbook-bridge-mautrix-signal.md b/docs/configuring-playbook-bridge-mautrix-signal.md index 6d3c4dfbd..e91487faa 100644 
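Review bot: In PATCH 02/15 (`defaults/main.yml`, hunk `@@ -93,6 +96,21 @@`), the expression `"relay" if matrix_mautrix_signal_relaybot_enabled else "user"` lowers the homeserver's own users from `user` to `relay` as soon as the relay bot is switched on, and the comment block added in the same hunk describes `relay` as having no access to commands. If the extension value wins over the template's `user` entry for the same key, local users would lose the bridge commands, including the `!signal set-relay` command that relay mode depends on; this is worth confirming against the merge order, which is not visible here. Keeping the domain at `user` and granting `relay` under a separate key avoids tying the two together. Separately, the default sits in `matrix_mautrix_signal_configuration_extension_yaml`, so an operator who overrides that variable for any other setting drops it; a comment above `bridge:` saying so would help.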
--- a/docs/configuring-playbook-bridge-mautrix-signal.md +++ b/docs/configuring-playbook-bridge-mautrix-signal.md @@ -12,6 +12,27 @@ Use the following playbook configuration: matrix_mautrix_signal_enabled: true ``` +There are some additional things you may wish to configure about the bridge before you continue. + +The relay bot functionality is off by default. If you would like to enable the relay bot, add the following to your `vars.yml` file: +```yaml +matrix_mautrix_signal_relaybot_enabled: true +``` + +Additionally the permissions for the bridge grant user rights to all base domain users in case the relay bot is disabled, or relay rights in case the relay bot is enabled. + +If you would like to have a more specific setting of the permissions you can set the permissions as follows (example). For more details see also [mautrix-bridge documentation](https://docs.mau.fi/bridges/python/signal/relay-mode.html) +```yaml +matrix_mautrix_signal_configuration_extension_yaml: | + bridge: + permissions: + '@YOUR_USERNAME:YOUR_DOMAIN': admin + '*': user + YOUR_DOMAIN: relay +``` + +You may wish to look at `roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2` to find more information on the permissions settings and other options you would like to configure. + ## Set up Double Puppeting If you'd like to use [Double Puppeting](https://github.com/tulir/mautrix-signal/wiki/Authentication#double-puppeting) (hint: you most likely do), you have 2 ways of going about it. From bb931493eeb26a55f8dd60e26d2cbea04885b99b Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Fri, 13 Aug 2021 20:15:19 +0200 Subject: [PATCH 04/15] Update as per suggestion --- docs/configuring-playbook-bridge-mautrix-signal.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuring-playbook-bridge-mautrix-signal.md b/docs/configuring-playbook-bridge-mautrix-signal.md index e91487faa..30b7bba80 100644 --- a/docs/configuring-playbook-bridge-mautrix-signal.md 
+++ b/docs/configuring-playbook-bridge-mautrix-signal.md @@ -27,8 +27,8 @@ matrix_mautrix_signal_configuration_extension_yaml: | bridge: permissions: '@YOUR_USERNAME:YOUR_DOMAIN': admin - '*': user - YOUR_DOMAIN: relay + YOUR_DOMAIN: user + '*': relay ``` You may wish to look at `roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2` to find more information on the permissions settings and other options you would like to configure. From a34241e4ccbbdeb982ceb662d320da7a0b995480 Mon Sep 17 00:00:00 2001 From: Wolfgang Winter Date: Fri, 13 Aug 2021 21:11:41 +0200 Subject: [PATCH 05/15] Remove intial permissions seting Permissions, when set in the template, will be augmented rahter than replaced when using matrix_mautrix_signal_configuration_extension_yaml. Therefore, permissions shall only be set in the defaults/vars.yml or in the HS specific vars.yml file --- roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index ef66ee914..f0b9af869 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 @@ -188,8 +188,10 @@ bridge: # * - All Matrix users # domain - All users on that homeserver # mxid - Specific user - permissions: - {{ matrix_mautrix_signal_homeserver_domain }}: user + #permissions: + # + # Remark: permissions will be set in the defaults/main.yml file of this role + # (see matrix_mautrix_signal_configuration_extension_yaml) relay: # Whether or not relay mode should be allowed. If allowed, `!signal set-relay` can be used to turn any From d9e8be7c7997042963382dea0b8da1c38b5b8b5c Mon Sep 17 00:00:00 2001 
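Review bot: In PATCH 05/15 (`templates/config.yaml.j2`, hunk `@@ -188,8 +188,10 @@`), commenting out `permissions:` leaves the rendered config with a permissions mapping only as long as `matrix_mautrix_signal_configuration_extension_yaml` still carries its default. The docs in this series tell operators to set that same variable in `vars.yml`, and an override written for another option would then render a config with no `bridge.permissions` at all; how the bridge treats a missing mapping is not visible here. Either keep a minimal entry in the template or extend the remark, e.g. `# Remark: overriding matrix_mautrix_signal_configuration_extension_yaml replaces these defaults; include bridge.permissions in your override.` The commit message also names `defaults/vars.yml` where the added comment says `defaults/main.yml`.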
From: WobbelTheBear Date: Sat, 14 Aug 2021 17:32:54 +0200 Subject: [PATCH 06/15] Update docs/configuring-playbook-bridge-mautrix-signal.md Document how to enable relay functionality in a room Co-authored-by: Jan <31133207+Jaffex@users.noreply.github.com> --- docs/configuring-playbook-bridge-mautrix-signal.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bridge-mautrix-signal.md b/docs/configuring-playbook-bridge-mautrix-signal.md index 30b7bba80..06881b604 100644 --- a/docs/configuring-playbook-bridge-mautrix-signal.md +++ b/docs/configuring-playbook-bridge-mautrix-signal.md @@ -18,7 +18,8 @@ The relay bot functionality is off by default. If you would like to enable the r ```yaml matrix_mautrix_signal_relaybot_enabled: true ``` - +If you want to activate the relay bot in a room, use `!signal set-relay`. +Use `!signal unset-relay` to deactivate. Additionally the permissions for the bridge grant user rights to all base domain users in case the relay bot is disabled, or relay rights in case the relay bot is enabled. If you would like to have a more specific setting of the permissions you can set the permissions as follows (example). For more details see also [mautrix-bridge documentation](https://docs.mau.fi/bridges/python/signal/relay-mode.html) From ae9639585ccedc1e303fb28e03b844432d4c380e Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Sat, 14 Aug 2021 17:35:49 +0200 Subject: [PATCH 07/15] Update roles/matrix-bridge-mautrix-signal/defaults/main.yml Improved setup through template file Co-authored-by: Jan <31133207+Jaffex@users.noreply.github.com> --- .../defaults/main.yml | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index 157922c66..48aa25661 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml 
@@ -96,21 +96,6 @@ matrix_mautrix_signal_configuration_extension_yaml: | # # If you need something more special, you can take full control by # completely redefining `matrix_mautrix_signal_configuration_yaml`. - # - # Permissions for using the bridge. - # Permitted values: - # relay - Allowed to be relayed through the bridge, no access to commands. - # user - Use the bridge with puppeting. - # admin - Use and administrate the bridge. - # Permitted keys: - # * - All Matrix users - # domain - All users on that homeserver - # mxid - Specific user - # - bridge: - permissions: - {{ matrix_mautrix_signal_homeserver_domain }}: "{{ "relay" if matrix_mautrix_signal_relaybot_enabled else "user" }}" - matrix_mautrix_signal_configuration_extension: "{{ matrix_mautrix_signal_configuration_extension_yaml|from_yaml if matrix_mautrix_signal_configuration_extension_yaml|from_yaml is mapping else {} }}" From d249fe874ede76f244c2701e42ab8c2199a5f5af Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Sat, 14 Aug 2021 17:36:43 +0200 Subject: [PATCH 08/15] Update roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 Updated settings in template file: * relay for any user * user permissions only for HS domain users Co-authored-by: Jan <31133207+Jaffex@users.noreply.github.com> --- .../matrix-bridge-mautrix-signal/templates/config.yaml.j2 | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index f0b9af869..5628b9426 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 
@@ -188,10 +188,9 @@ bridge: # * - All Matrix users # domain - All users on that homeserver # mxid - Specific user - #permissions: - # - # Remark: permissions will be set in the defaults/main.yml file of this role - # (see matrix_mautrix_signal_configuration_extension_yaml) + permissions: + *: relay + '{{ matrix_mautrix_signal_homeserver_domain }}': user relay: # Whether or not relay mode should be allowed. If allowed, `!signal set-relay` can be used to turn any From 30aa8c2c3f88ae0c2725b8c069f1ecef5639bce9 Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Sat, 14 Aug 2021 17:38:58 +0200 Subject: [PATCH 09/15] Update docs/configuring-playbook-bridge-mautrix-signal.md Improvement of documentation Co-authored-by: Jan <31133207+Jaffex@users.noreply.github.com> --- docs/configuring-playbook-bridge-mautrix-signal.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/configuring-playbook-bridge-mautrix-signal.md b/docs/configuring-playbook-bridge-mautrix-signal.md index 06881b604..efd4d96f5 100644 --- a/docs/configuring-playbook-bridge-mautrix-signal.md +++ b/docs/configuring-playbook-bridge-mautrix-signal.md @@ -20,7 +20,8 @@ matrix_mautrix_signal_relaybot_enabled: true ``` If you want to activate the relay bot in a room, use `!signal set-relay`. Use `!signal unset-relay` to deactivate. -Additionally the permissions for the bridge grant user rights to all base domain users in case the relay bot is disabled, or relay rights in case the relay bot is enabled. +By default, any user on your homeserver will be able to use the bridge. +If you enable the relay bot functionality, it will relay every user's messages in a portal room - no matter which homeserver they're from. If you would like to have a more specific setting of the permissions you can set the permissions as follows (example). For more details see also [mautrix-bridge documentation](https://docs.mau.fi/bridges/python/signal/relay-mode.html) ```yaml 
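Review bot: In PATCH 08/15 (`templates/config.yaml.j2`, hunk `@@ -188,10 +188,9 @@`), the new key `*: relay` is unquoted, and a plain scalar starting with `*` is read by YAML as an alias, so the rendered config should fail to parse rather than grant anything. Write it as `'*': relay`, matching the quoted domain key on the next line; the reordering hunk in PATCH 10/15 carries the same unquoted key. The entry is also emitted whether or not `matrix_mautrix_signal_relaybot_enabled` is set, so it is worth a comment that `*` covers users from every homeserver, not just this one. The `bridge:` mapping continues outside the hunk.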
From f988fd33391f923ec997fc6f71ba663dc6dc03e9 Mon Sep 17 00:00:00 2001 From: WobbelTheBear Date: Sat, 14 Aug 2021 17:47:31 +0200 Subject: [PATCH 10/15] Change sequence of permissions As per earlier comment (see from tulir) the sequence has been changed. --- roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index 5628b9426..2adfd5203 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 @@ -189,8 +189,8 @@ bridge: # domain - All users on that homeserver # mxid - Specific user permissions: - *: relay '{{ matrix_mautrix_signal_homeserver_domain }}': user + *: relay relay: # Whether or not relay mode should be allowed. If allowed, `!signal set-relay` can be used to turn any From 7486db0d1a88d40bd9d02bfd96be7386f99e1fae Mon Sep 17 00:00:00 2001 From: Wolfgang Winter Date: Sat, 14 Aug 2021 17:58:08 +0200 Subject: [PATCH 11/15] Missing ticks --- roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index 2adfd5203..ecd5902b5 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 @@ -190,7 +190,7 @@ bridge: # mxid - Specific user permissions: '{{ matrix_mautrix_signal_homeserver_domain }}': user - *: relay + '*': relay relay: # Whether or not relay mode should be allowed. If allowed, `!signal set-relay` can be used to turn any From d0b557eb6f0c56ad86c20bab642e29dcfb0e430c Mon Sep 17 00:00:00 2001 
From: Wolfgang Winter Date: Sun, 15 Aug 2021 08:42:21 +0200 Subject: [PATCH 12/15] Replace tabs to spaces to prevent problems in YAML --- roles/matrix-bridge-mautrix-signal/defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index 48aa25661..93472d51e 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -70,9 +70,9 @@ matrix_mautrix_signal_database_name: 'matrix_mautrix_signal' matrix_mautrix_signal_database_connection_string: 'postgres://{{ matrix_mautrix_signal_database_username }}:{{ matrix_mautrix_signal_database_password }}@{{ matrix_mautrix_signal_database_hostname }}:{{ matrix_mautrix_signal_database_port }}/{{ matrix_mautrix_signal_database_name }}' matrix_mautrix_signal_appservice_database: "{{ - { - 'postgres': matrix_mautrix_signal_database_connection_string, - }[matrix_mautrix_signal_database_engine] + { + 'postgres': matrix_mautrix_signal_database_connection_string, + }[matrix_mautrix_signal_database_engine] }}" # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). From b1c94efcd8bfba5047765c53f19a1af585153a34 Mon Sep 17 00:00:00 2001 From: Wolfgang Winter Date: Mon, 16 Aug 2021 18:23:40 +0200 Subject: [PATCH 13/15] Make template generic for the pemission settings --- roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index ecd5902b5..1c7a637fc 100644 --- a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 
@@ -189,8 +189,7 @@ bridge: # domain - All users on that homeserver # mxid - Specific user permissions: - '{{ matrix_mautrix_signal_homeserver_domain }}': user - '*': relay + {{ matrix_mautrix_signal_bridge_permissions|from_yaml }} relay: # Whether or not relay mode should be allowed. If allowed, `!signal set-relay` can be used to turn any From 4b7506ca1a0c13a31adf4e4eaea1e6f79c02b9b3 Mon Sep 17 00:00:00 2001 From: Wolfgang Winter Date: Mon, 16 Aug 2021 18:24:12 +0200 Subject: [PATCH 14/15] Preset the permissions inline with other bridges --- .../matrix-bridge-mautrix-signal/defaults/main.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml index 93472d51e..93993fa11 100644 --- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml @@ -81,6 +81,19 @@ matrix_mautrix_signal_login_shared_secret: '' # Enable bridge relay bot functionality matrix_mautrix_signal_relaybot_enabled: false +# Permissions for using the bridge. +# Permitted values: +# relay - Allowed to be relayed through the bridge, no access to commands. +# user - Use the bridge with puppeting. +# admin - Use and administrate the bridge. +# Permitted keys: +# * - All Matrix users +# domain - All users on that homeserver +# mxid - Specific user +matrix_mautrix_signal_bridge_permissions: | + '*': relay + '{{ matrix_mautrix_signal_homeserver_domain }}': user + # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # From 5a828f36a6226c4a44449b355a1e3fa2d3f5957a Mon Sep 17 00:00:00 2001 
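Review bot: In PATCH 13/15 (`templates/config.yaml.j2`, hunk `@@ -189,8 +189,7 @@`), `{{ matrix_mautrix_signal_bridge_permissions|from_yaml }}` prints the parsed value in Jinja's default string form rather than serialising it, so the result is valid YAML only when that form happens to read as a flow mapping. An empty or non-mapping variable would render as a bare scalar such as `None`, and a key or value containing a quote character would likely be mis-escaped, leaving the access-control table malformed or different from what the operator wrote. Serialise explicitly: `{{ matrix_mautrix_signal_bridge_permissions|from_yaml|to_json }}`. The variable it reads appears not to be defined until PATCH 14/15, so this commit probably does not render on its own.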
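Review bot: In PATCH 14/15 (`defaults/main.yml`, hunk `@@ -81,6 +81,19 @@`), the default `'*': relay` is granted unconditionally while `matrix_mautrix_signal_relaybot_enabled` defaults to `false` a few lines above; per this series' docs, turning the flag on then relays users from any homeserver in one step. Consider deriving the wildcard entry from the flag, or at least documenting it next to the default: `# '*' matches users on every homeserver, not only your own.` The order also differs from PATCH 10/15, which deliberately moved the domain entry before `*`; if the bridge is order-sensitive, as that commit message suggests, the default should list the domain first. Because the value is a YAML string that is later passed through `from_yaml`, a comment that overrides must be a block string rather than a native mapping would prevent type mistakes.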
From: Wolfgang Winter Date: Mon, 16 Aug 2021 18:24:55 +0200 Subject: [PATCH 15/15] Document the permissions settings. Distinguish between augmenting and overwriting. --- ...figuring-playbook-bridge-mautrix-signal.md | 28 +++++++++++++++++-- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/docs/configuring-playbook-bridge-mautrix-signal.md b/docs/configuring-playbook-bridge-mautrix-signal.md index efd4d96f5..131d3abad 100644 --- a/docs/configuring-playbook-bridge-mautrix-signal.md +++ b/docs/configuring-playbook-bridge-mautrix-signal.md 
@@ -23,14 +23,36 @@ Use `!signal unset-relay` to deactivate. By default, any user on your homeserver will be able to use the bridge. If you enable the relay bot functionality, it will relay every user's messages in a portal room - no matter which homeserver they're from. -If you would like to have a more specific setting of the permissions you can set the permissions as follows (example). For more details see also [mautrix-bridge documentation](https://docs.mau.fi/bridges/python/signal/relay-mode.html) +Different levels of permission can be granted to users: + +* relay - Allowed to be relayed through the bridge, no access to commands; +* user - Use the bridge with puppeting; +* admin - Use and administer the bridge. + +The permissions are following the sequence: nothing < relay < user < admin. + +The default permissions are set as follows: +```yaml +permissions: + '*': relay + YOUR_DOMAIN: user +``` + +If you want to augment the preset permissions, you might want to set the additional permissions with the following settings in your `vars.yml` file: ```yaml matrix_mautrix_signal_configuration_extension_yaml: | bridge: permissions: '@YOUR_USERNAME:YOUR_DOMAIN': admin - YOUR_DOMAIN: user - '*': relay +``` + +This will add the admin permission to the specific user, while keepting the default permissions. + +In case you want to replace the default permissions settings **completely**, populate the following item within your `vars.yml` file: +```yaml +matrix_mautrix_signal_bridge_permissions: | + '@ADMIN:YOUR_DOMAIN': admin + '@USER:YOUR_DOMAIN' : user ``` You may wish to look at `roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2` to find more information on the permissions settings and other options you would like to configure.