Switch mautrix-signal double-puppeting method (shared secret auth -> appservice-double-puppet)

Since upgrading mautrix-signal (v0.6.3 -> v0.7.0) in 76fec0b863,
we expect double-puppeting to require the new appservice double-puppeting method.

This commit switches the mautrix-signal bridge to it.
Slavi Pantaleev 2024-08-17 19:01:35 +03:00
parent 111fa65e44
commit 999f2bf8dd
5 changed files with 18 additions and 14 deletions


@ -56,9 +56,9 @@ You may wish to look at `roles/custom/matrix-bridge-mautrix-signal/templates/con
If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it. If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it.
### Method 1: automatically, by enabling Shared Secret Auth ### Method 1: automatically, by enabling Appservice Double Puppet
The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook. The bridge will automatically perform Double Puppeting if you enable the [Appservice Double Puppet](configuring-playbook-appservice-double-puppet.md) service for this playbook.
This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future. This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.


@ -1385,7 +1385,14 @@ matrix_mautrix_signal_homeserver_token: "{{ '%s' | format(matrix_homeserver_gene
matrix_mautrix_signal_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'si.as.token', rounds=655555) | to_uuid }}" matrix_mautrix_signal_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'si.as.token', rounds=655555) | to_uuid }}"
matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" matrix_mautrix_signal_double_puppet_secrets_auto: |-
{{
{
matrix_mautrix_signal_homeserver_domain: ("as_token:" + matrix_appservice_double_puppet_registration_as_token)
}
if matrix_appservice_double_puppet_enabled
else {}
}}
matrix_mautrix_signal_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}" matrix_mautrix_signal_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"
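Review bot: Nothing visible here tells an operator that automatic double puppeting for this bridge now depends on `matrix_appservice_double_puppet_enabled` rather than on `matrix_synapse_ext_password_provider_shared_secret_auth_enabled`. A deployment that only has Shared Secret Auth enabled gets `{}` from this expression, so the bridge is configured without any double puppeting secret. The deprecation entries added in this commit presumably only fire when the old variables are set by name, so they would not catch that case. I would add a comment above `matrix_mautrix_signal_double_puppet_secrets_auto`, for example `# Automatic double puppeting for this bridge requires matrix_appservice_double_puppet_enabled; Shared Secret Auth no longer feeds it.`, and mention the switch in the changelog. The value is built from the double-puppet appservice's `as_token`, so it should be handled as a credential wherever it is rendered or logged.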


@ -145,14 +145,9 @@ matrix_mautrix_signal_appservice_database_uri: "{{
}[matrix_mautrix_signal_database_engine] }[matrix_mautrix_signal_database_engine]
}}" }}"
# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). matrix_mautrix_signal_double_puppet_secrets: "{{ matrix_mautrix_signal_double_puppet_secrets_auto | combine(matrix_mautrix_signal_double_puppet_secrets_custom) }}"
matrix_mautrix_signal_login_shared_secret: '' matrix_mautrix_signal_double_puppet_secrets_auto: {}
matrix_mautrix_signal_bridge_login_shared_secret_map: matrix_mautrix_signal_double_puppet_secrets_custom: {}
"{{ {matrix_mautrix_signal_homeserver_domain: matrix_mautrix_signal_login_shared_secret} if matrix_mautrix_signal_login_shared_secret else {} }}"
# Servers to always allow double puppeting from
matrix_mautrix_signal_bridge_double_puppet_server_map:
"{{ matrix_mautrix_signal_homeserver_domain : matrix_mautrix_signal_homeserver_address }}"
# Default mautrix-signal configuration template which covers the generic use case. # Default mautrix-signal configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it. # You can customize it by controlling the various variables inside it.
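Review bot: The three new variables (`matrix_mautrix_signal_double_puppet_secrets`, `_auto`, `_custom`) have no comment, while the removed `matrix_mautrix_signal_login_shared_secret` had one explaining its purpose. I would document the map's shape and sensitivity above the first of them, e.g. `# Maps a homeserver domain to its double puppeting secret (e.g. "as_token:<appservice token>"). Values are credentials; keep them out of version control and logs.` A second line should state the override order: `# _auto is populated by the playbook; add your own entries to _custom, which takes precedence on duplicate keys.` That precedence follows from `_auto | combine(_custom)`, where the later mapping wins, and it is worth spelling out because a `_custom` entry for the bridge's own domain silently replaces the generated token.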


@ -24,3 +24,6 @@
- {'old': 'matrix_mautrix_signal_log_level', 'new': 'matrix_mautrix_signal_logging_level'} - {'old': 'matrix_mautrix_signal_log_level', 'new': 'matrix_mautrix_signal_logging_level'}
- {'old': 'matrix_mautrix_signal_bridge_restricted_rooms', 'new': '<removed>'} - {'old': 'matrix_mautrix_signal_bridge_restricted_rooms', 'new': '<removed>'}
- {'old': 'matrix_mautrix_signal_bridge_note_to_self_avatar', 'new': 'matrix_mautrix_signal_network_note_to_self_avatar'} - {'old': 'matrix_mautrix_signal_bridge_note_to_self_avatar', 'new': 'matrix_mautrix_signal_network_note_to_self_avatar'}
- {'old': 'matrix_mautrix_signal_login_shared_secret', 'new': '<removed>'}
- {'old': 'matrix_mautrix_signal_bridge_login_shared_secret_map', 'new': '<superseded by matrix_mautrix_signal_double_puppet_secrets>'}
- {'old': 'matrix_mautrix_signal_bridge_double_puppet_server_map', 'new': '<removed>'}
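Review bot: The replacement text on the `matrix_mautrix_signal_bridge_login_shared_secret_map` entry points users at `matrix_mautrix_signal_double_puppet_secrets`, but this commit's defaults compute that variable as `_auto | combine(_custom)`, so overriding it directly would discard the playbook-generated entry. Naming the user-facing variable looks safer: `'new': '<superseded by matrix_mautrix_signal_double_puppet_secrets_custom>'`. The value format also appears to have changed, since the generated entries carry an `as_token:` prefix, so an old shared secret copied across unchanged would likely not work. The message or the linked docs page could say that.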


@ -312,15 +312,14 @@ backfill:
double_puppet: double_puppet:
# Servers to always allow double puppeting from. # Servers to always allow double puppeting from.
# This is only for other servers and should NOT contain the server the bridge is on. # This is only for other servers and should NOT contain the server the bridge is on.
servers: servers: {}
"{{ matrix_mautrix_signal_homeserver_domain }}": {{ matrix_mautrix_signal_homeserver_address }}
# Whether to allow client API URL discovery for other servers. When using this option, # Whether to allow client API URL discovery for other servers. When using this option,
# users on other servers can use double puppeting even if their server URLs aren't # users on other servers can use double puppeting even if their server URLs aren't
# explicitly added to the servers map above. # explicitly added to the servers map above.
allow_discovery: false allow_discovery: false
# Shared secrets for automatic double puppeting. # Shared secrets for automatic double puppeting.
# See https://docs.mau.fi/bridges/general/double-puppeting.html for instructions. # See https://docs.mau.fi/bridges/general/double-puppeting.html for instructions.
secrets: {{ matrix_mautrix_signal_bridge_login_shared_secret_map | to_json }} secrets: {{ matrix_mautrix_signal_double_puppet_secrets | to_json }}
# End-to-bridge encryption support options. # End-to-bridge encryption support options.
# #