Initial commit for draupnir.
main.yml is not included due to that its changed separately.
This commit is contained in:
parent
49a1985750
commit
563cf1a4ba
20
roles/custom/matrix-bot-draupnir/tasks/main.yml
Normal file
20
roles/custom/matrix-bot-draupnir/tasks/main.yml
Normal file
@ -0,0 +1,20 @@
|
||||
---
|
||||
|
||||
- block:
|
||||
- when: matrix_bot_draupnir_enabled | bool
|
||||
ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
|
||||
|
||||
- when: matrix_bot_draupnir_enabled | bool
|
||||
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-bot-draupnir
|
||||
- install-all
|
||||
- install-bot-draupnir
|
||||
|
||||
- block:
|
||||
- when: not matrix_bot_draupnir_enabled | bool
|
||||
ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
|
||||
tags:
|
||||
- setup-all
|
||||
- setup-bot-draupnir
|
74
roles/custom/matrix-bot-draupnir/tasks/setup_install.yml
Normal file
74
roles/custom/matrix-bot-draupnir/tasks/setup_install.yml
Normal file
@ -0,0 +1,74 @@
|
||||
---
|
||||
|
||||
- ansible.builtin.set_fact:
|
||||
matrix_bot_draupnir_requires_restart: false
|
||||
|
||||
- name: Ensure matrix-bot-draupnir paths exist
|
||||
ansible.builtin.file:
|
||||
path: "{{ item.path }}"
|
||||
state: directory
|
||||
mode: 0750
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
with_items:
|
||||
- {path: "{{ matrix_bot_draupnir_base_path }}", when: true}
|
||||
- {path: "{{ matrix_bot_draupnir_config_path }}", when: true}
|
||||
- {path: "{{ matrix_bot_draupnir_data_path }}", when: true}
|
||||
- {path: "{{ matrix_bot_draupnir_docker_src_files_path }}", when: "{{ matrix_bot_draupnir_container_image_self_build }}"}
|
||||
when: "item.when | bool"
|
||||
|
||||
- name: Ensure draupnir Docker image is pulled
|
||||
community.docker.docker_image:
|
||||
name: "{{ matrix_bot_draupnir_docker_image }}"
|
||||
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
|
||||
force_source: "{{ matrix_bot_draupnir_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
|
||||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_draupnir_docker_image_force_pull }}"
|
||||
when: "not matrix_bot_draupnir_container_image_self_build | bool"
|
||||
register: result
|
||||
retries: "{{ devture_playbook_help_container_retries_count }}"
|
||||
delay: "{{ devture_playbook_help_container_retries_delay }}"
|
||||
until: result is not failed
|
||||
|
||||
- name: Ensure draupnir repository is present on self-build
|
||||
ansible.builtin.git:
|
||||
repo: "{{ matrix_bot_draupnir_container_image_self_build_repo }}"
|
||||
dest: "{{ matrix_bot_draupnir_docker_src_files_path }}"
|
||||
version: "{{ matrix_bot_draupnir_docker_image.split(':')[1] }}"
|
||||
force: "yes"
|
||||
become: true
|
||||
become_user: "{{ matrix_user_username }}"
|
||||
register: matrix_bot_draupnir_git_pull_results
|
||||
when: "matrix_bot_draupnir_container_image_self_build | bool"
|
||||
|
||||
- name: Ensure draupnir Docker image is built
|
||||
community.docker.docker_image:
|
||||
name: "{{ matrix_bot_draupnir_docker_image }}"
|
||||
source: build
|
||||
force_source: "{{ matrix_bot_draupnir_git_pull_results.changed }}"
|
||||
build:
|
||||
dockerfile: Dockerfile
|
||||
path: "{{ matrix_bot_draupnir_docker_src_files_path }}"
|
||||
pull: true
|
||||
when: "matrix_bot_draupnir_container_image_self_build | bool"
|
||||
|
||||
- name: Ensure matrix-bot-draupnir config installed
|
||||
ansible.builtin.copy:
|
||||
content: "{{ matrix_bot_draupnir_configuration | to_nice_yaml(indent=2, width=999999) }}"
|
||||
dest: "{{ matrix_bot_draupnir_config_path }}/production.yaml"
|
||||
mode: 0644
|
||||
owner: "{{ matrix_user_username }}"
|
||||
group: "{{ matrix_user_groupname }}"
|
||||
|
||||
- name: Ensure matrix-bot-draupnir.service installed
|
||||
ansible.builtin.template:
|
||||
src: "{{ role_path }}/templates/systemd/matrix-bot-draupnir.service.j2"
|
||||
dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-draupnir.service"
|
||||
mode: 0644
|
||||
register: matrix_bot_draupnir_systemd_service_result
|
||||
|
||||
- name: Ensure matrix-bot-draupnir.service restarted, if necessary
|
||||
ansible.builtin.service:
|
||||
name: "matrix-bot-draupnir.service"
|
||||
state: restarted
|
||||
daemon_reload: true
|
||||
when: "matrix_bot_draupnir_requires_restart | bool"
|
25
roles/custom/matrix-bot-draupnir/tasks/setup_uninstall.yml
Normal file
25
roles/custom/matrix-bot-draupnir/tasks/setup_uninstall.yml
Normal file
@ -0,0 +1,25 @@
|
||||
---
|
||||
|
||||
- name: Check existence of matrix-bot-draupnir service
|
||||
ansible.builtin.stat:
|
||||
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-draupnir.service"
|
||||
register: matrix_bot_draupnir_service_stat
|
||||
|
||||
- when: matrix_bot_draupnir_service_stat.stat.exists | bool
|
||||
block:
|
||||
- name: Ensure matrix-bot-draupnir is stopped
|
||||
ansible.builtin.service:
|
||||
name: matrix-bot-draupnir
|
||||
state: stopped
|
||||
enabled: false
|
||||
daemon_reload: true
|
||||
|
||||
- name: Ensure matrix-bot-draupnir.service doesn't exist
|
||||
ansible.builtin.file:
|
||||
path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-draupnir.service"
|
||||
state: absent
|
||||
|
||||
- name: Ensure matrix-bot-draupnir paths don't exist
|
||||
ansible.builtin.file:
|
||||
path: "{{ matrix_bot_draupnir_base_path }}"
|
||||
state: absent
|
@ -0,0 +1,9 @@
|
||||
---
|
||||
|
||||
- name: Fail if required variables are undefined
|
||||
ansible.builtin.fail:
|
||||
msg: "The `{{ item }}` variable must be defined and have a non-null value."
|
||||
with_items:
|
||||
- "matrix_bot_draupnir_access_token"
|
||||
- "matrix_bot_draupnir_management_room"
|
||||
when: "vars[item] == '' or vars[item] is none"
|
246
roles/custom/matrix-bot-draupnir/templates/production.yaml.j2
Normal file
246
roles/custom/matrix-bot-draupnir/templates/production.yaml.j2
Normal file
@ -0,0 +1,246 @@
|
||||
# Endpoint URL that draupnir uses to interact with the matrix homeserver (client-server API),
|
||||
# set this to the pantalaimon URL if you're using that.
|
||||
homeserverUrl: "{{ matrix_homeserver_url }}"
|
||||
|
||||
# Endpoint URL that draupnir could use to fetch events related to reports (client-server API and /_synapse/),
|
||||
# only set this to the public-internet homeserver client API URL, do NOT set this to the pantalaimon URL.
|
||||
rawHomeserverUrl: "{{ matrix_homeserver_url }}"
|
||||
|
||||
# Matrix Access Token to use, draupnir will only use this if pantalaimon.use is false.
|
||||
accessToken: "{{ matrix_bot_draupnir_access_token }}"
|
||||
|
||||
# Options related to Pantalaimon (https://github.com/matrix-org/pantalaimon)
|
||||
#pantalaimon:
|
||||
# # Whether or not draupnir will use pantalaimon to access the matrix homeserver,
|
||||
# # set to `true` if you're using pantalaimon.
|
||||
# #
|
||||
# # Be sure to point homeserverUrl to the pantalaimon instance.
|
||||
# #
|
||||
# # draupnir will log in using the given username and password once,
|
||||
# # then store the resulting access token in a file under dataPath.
|
||||
# use: false
|
||||
#
|
||||
# # The username to login with.
|
||||
# username: draupnir
|
||||
#
|
||||
# # The password draupnir will login with.
|
||||
# #
|
||||
# # After successfully logging in once, this will be ignored, so this value can be blanked after first startup.
|
||||
# password: your_password
|
||||
|
||||
# The path draupnir will store its state/data in, leave default ("/data/storage") when using containers.
|
||||
dataPath: "/data"
|
||||
|
||||
# If true (the default), draupnir will only accept invites from users present in managementRoom.
|
||||
autojoinOnlyIfManager: true
|
||||
|
||||
# If `autojoinOnlyIfManager` is false, only the members in this space can invite
|
||||
# the bot to new rooms.
|
||||
#acceptInvitesFromSpace: "!example:example.org"
|
||||
|
||||
# Whether draupnir should report ignored invites to the management room (if autojoinOnlyIfManager is true).
|
||||
recordIgnoredInvites: false
|
||||
|
||||
# The room ID (or room alias) of the management room, anyone in this room can issue commands to draupnir.
|
||||
#
|
||||
# draupnir has no more granular access controls other than this, be sure you trust everyone in this room - secure it!
|
||||
#
|
||||
# This should be a room alias or room ID - not a matrix.to URL.
|
||||
#
|
||||
# Note: By default, draupnir is fairly verbose - expect a lot of messages in this room.
|
||||
# (see verboseLogging to adjust this a bit.)
|
||||
managementRoom: "{{ matrix_bot_draupnir_management_room }}"
|
||||
|
||||
# Whether draupnir should log a lot more messages in the room,
|
||||
# mainly involves "all-OK" messages, and debugging messages for when draupnir checks bans in a room.
|
||||
verboseLogging: false
|
||||
|
||||
# The log level of terminal (or container) output,
|
||||
# can be one of DEBUG, INFO, WARN and ERROR, in increasing order of importance and severity.
|
||||
#
|
||||
# This should be at INFO or DEBUG in order to get support for draupnir problems.
|
||||
logLevel: "INFO"
|
||||
|
||||
# Whether or not draupnir should synchronize policy lists immediately after startup.
|
||||
# Equivalent to running '!draupnir sync'.
|
||||
syncOnStartup: true
|
||||
|
||||
# Whether or not draupnir should check moderation permissions in all protected rooms on startup.
|
||||
# Equivalent to running `!draupnir verify`.
|
||||
verifyPermissionsOnStartup: true
|
||||
|
||||
# Whether or not draupnir should actually apply bans and policy lists,
|
||||
# turn on to trial some untrusted configuration or lists.
|
||||
noop: false
|
||||
|
||||
# Whether draupnir should check member lists quicker (by using a different endpoint),
|
||||
# keep in mind that enabling this will miss invited (but not joined) users.
|
||||
#
|
||||
# Turn on if your bot is in (very) large rooms, or in large amounts of rooms.
|
||||
fasterMembershipChecks: false
|
||||
|
||||
# A case-insensitive list of ban reasons to have the bot also automatically redact the user's messages for.
|
||||
#
|
||||
# If the bot sees you ban a user with a reason that is an (exact case-insensitive) match to this list,
|
||||
# it will also remove the user's messages automatically.
|
||||
#
|
||||
# Typically this is useful to avoid having to give two commands to the bot.
|
||||
# Advanced: Use asterisks to have the reason match using "globs"
|
||||
# (f.e. "spam*testing" would match "spam for testing" as well as "spamtesting").
|
||||
#
|
||||
# See here for more info: https://www.digitalocean.com/community/tools/glob
|
||||
# Note: Keep in mind that glob is NOT regex!
|
||||
automaticallyRedactForReasons:
|
||||
- "spam"
|
||||
- "advertising"
|
||||
|
||||
# A list of rooms to protect. draupnir will add this to the list it knows from its account data.
|
||||
#
|
||||
# It won't, however, add it to the account data.
|
||||
# Manually add the room via '!draupnir rooms add' to have it stay protected regardless if this config value changes.
|
||||
#
|
||||
# Note: These must be matrix.to URLs
|
||||
#protectedRooms:
|
||||
# - "https://matrix.to/#/#yourroom:example.org"
|
||||
|
||||
# Whether or not to add all joined rooms to the "protected rooms" list
|
||||
# (excluding the management room and watched policy list rooms, see below).
|
||||
#
|
||||
# Note that this effectively makes the protectedRooms and associated commands useless
|
||||
# for regular rooms.
|
||||
#
|
||||
# Note: the management room is *excluded* from this condition.
|
||||
# Explicitly add it as a protected room to protect it.
|
||||
#
|
||||
# Note: Ban list rooms the bot is watching but didn't create will not be protected.
|
||||
# Explicitly add these rooms as a protected room list if you want them protected.
|
||||
protectAllJoinedRooms: false
|
||||
|
||||
# Increase this delay to have Mjölnir wait longer between two consecutive backgrounded
|
||||
# operations. The total duration of operations will be longer, but the homeserver won't
|
||||
# be affected as much. Conversely, decrease this delay to have Mjölnir chain operations
|
||||
# faster. The total duration of operations will generally be shorter, but the performance
|
||||
# of the homeserver may be more impacted.
|
||||
backgroundDelayMS: 500
|
||||
|
||||
# Server administration commands, these commands will only work if draupnir is
|
||||
# a global server administrator, and the bot's server is a Synapse instance.
|
||||
#admin:
|
||||
# # Whether or not draupnir can temporarily take control of any eligible account from the local homeserver who's in the room
|
||||
# # (with enough permissions) to "make" a user an admin.
|
||||
# #
|
||||
# # This only works if a local user with enough admin permissions is present in the room.
|
||||
# enableMakeRoomAdminCommand: false
|
||||
|
||||
# Misc options for command handling and commands
|
||||
commands:
|
||||
# Whether or not the `!draupnir` prefix is necessary to submit commands.
|
||||
#
|
||||
# If `true`, will allow commands like `!ban`, `!help`, etc.
|
||||
#
|
||||
# Note: draupnir can also be pinged by display name instead of having to use
|
||||
# the !draupnir prefix. For example, "my_moderator_bot: ban @spammer:example.org"
|
||||
# will address only my_moderator_bot.
|
||||
allowNoPrefix: false
|
||||
|
||||
# Any additional bot prefixes that draupnir will listen to. i.e. adding `mod` will allow `!mod help`.
|
||||
additionalPrefixes:
|
||||
- "draupnir_bot"
|
||||
|
||||
# Whether or not commands with a wildcard (*) will require an additional `--force` argument
|
||||
# in the command to be able to be submitted.
|
||||
confirmWildcardBan: true
|
||||
|
||||
# Configuration specific to certain toggle-able protections
|
||||
#protections:
|
||||
# # Configuration for the wordlist plugin, which can ban users based if they say certain
|
||||
# # blocked words shortly after joining.
|
||||
# wordlist:
|
||||
# # A list of case-insensitive keywords that the WordList protection will watch for from new users.
|
||||
# #
|
||||
# # WordList will ban users who use these words when first joining a room, so take caution when selecting them.
|
||||
# #
|
||||
# # For advanced usage, regex can also be used, see the following links for more information;
|
||||
# # - https://www.digitalocean.com/community/tutorials/an-introduction-to-regular-expressions
|
||||
# # - https://regexr.com/
|
||||
# # - https://regexone.com/
|
||||
# words:
|
||||
# - "LoReM"
|
||||
# - "IpSuM"
|
||||
# - "DoLoR"
|
||||
# - "aMeT"
|
||||
#
|
||||
# # For how long (in minutes) the user is "new" to the WordList plugin.
|
||||
# #
|
||||
# # After this time, the user will no longer be banned for using a word in the above wordlist.
|
||||
# #
|
||||
# # Set to zero to disable the timeout and make users *always* appear "new".
|
||||
# # (users will always be banned if they say a bad word)
|
||||
# minutesBeforeTrusting: 20
|
||||
|
||||
# Options for advanced monitoring of the health of the bot.
|
||||
health:
|
||||
# healthz options. These options are best for use in container environments
|
||||
# like Kubernetes to detect how healthy the service is. The bot will report
|
||||
# that it is unhealthy until it is able to process user requests. Typically
|
||||
# this means that it'll flag itself as unhealthy for a number of minutes
|
||||
# before saying "Now monitoring rooms" and flagging itself healthy.
|
||||
#
|
||||
# Health is flagged through HTTP status codes, defined below.
|
||||
healthz:
|
||||
# Whether the healthz integration should be enabled (default false)
|
||||
enabled: false
|
||||
|
||||
# The port to expose the webserver on. Defaults to 8080.
|
||||
port: 8080
|
||||
|
||||
# The address to listen for requests on. Defaults to all addresses.
|
||||
address: "0.0.0.0"
|
||||
|
||||
# The path to expose the monitoring endpoint at. Defaults to `/healthz`
|
||||
endpoint: "/healthz"
|
||||
|
||||
# The HTTP status code which reports that the bot is healthy/ready to
|
||||
# process requests. Typically this should not be changed. Defaults to
|
||||
# 200.
|
||||
healthyStatus: 200
|
||||
|
||||
# The HTTP status code which reports that the bot is not healthy/ready.
|
||||
# Defaults to 418.
|
||||
unhealthyStatus: 418
|
||||
|
||||
# Options for exposing web APIs.
|
||||
#web:
|
||||
# # Whether to enable web APIs.
|
||||
# enabled: false
|
||||
#
|
||||
# # The port to expose the webserver on. Defaults to 8080.
|
||||
# port: 8080
|
||||
#
|
||||
# # The address to listen for requests on. Defaults to only the current
|
||||
# # computer.
|
||||
# address: localhost
|
||||
#
|
||||
# # Alternative setting to open to the entire web. Be careful,
|
||||
# # as this will increase your security perimeter:
|
||||
# #
|
||||
# # address: "0.0.0.0"
|
||||
#
|
||||
# # A web API designed to intercept Matrix API
|
||||
# # POST /_matrix/client/r0/rooms/{roomId}/report/{eventId}
|
||||
# # and display readable abuse reports in the moderation room.
|
||||
# #
|
||||
# # If you wish to take advantage of this feature, you will need
|
||||
# # to configure a reverse proxy, see e.g. test/nginx.conf
|
||||
# abuseReporting:
|
||||
# # Whether to enable this feature.
|
||||
# enabled: false
|
||||
|
||||
# Whether or not to actively poll synapse for abuse reports, to be used
|
||||
# instead of intercepting client calls to synapse's abuse endpoint, when that
|
||||
# isn't possible/practical.
|
||||
pollReports: false
|
||||
|
||||
# Whether or not new reports, received either by webapi or polling,
|
||||
# should be printed to our managementRoom.
|
||||
displayReports: false
|
@ -0,0 +1,42 @@
|
||||
#jinja2: lstrip_blocks: "True"
|
||||
[Unit]
|
||||
Description=Matrix Draupnir bot
|
||||
{% for service in matrix_bot_draupnir_systemd_required_services_list %}
|
||||
Requires={{ service }}
|
||||
After={{ service }}
|
||||
{% endfor %}
|
||||
{% for service in matrix_bot_draupnir_systemd_required_services_list %}
|
||||
Wants={{ service }}
|
||||
{% endfor %}
|
||||
DefaultDependencies=no
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
|
||||
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-draupnir 2>/dev/null || true'
|
||||
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-draupnir 2>/dev/null || true'
|
||||
|
||||
# Intentional delay, so that the homeserver (we likely depend on) can manage to start.
|
||||
ExecStartPre={{ matrix_host_command_sleep }} 5
|
||||
|
||||
ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-bot-draupnir \
|
||||
--log-driver=none \
|
||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
||||
--cap-drop=ALL \
|
||||
--read-only \
|
||||
--network={{ matrix_docker_network }} \
|
||||
--mount type=bind,src={{ matrix_bot_draupnir_config_path }},dst=/data/config,ro \
|
||||
--mount type=bind,src={{ matrix_bot_draupnir_data_path }},dst=/data \
|
||||
{% for arg in matrix_bot_draupnir_container_extra_arguments %}
|
||||
{{ arg }} \
|
||||
{% endfor %}
|
||||
{{ matrix_bot_draupnir_docker_image }}
|
||||
|
||||
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-draupnir 2>/dev/null || true'
|
||||
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-draupnir 2>/dev/null || true'
|
||||
Restart=always
|
||||
RestartSec=30
|
||||
SyslogIdentifier=matrix-bot-draupnir
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
Loading…
Reference in New Issue
Block a user