diff --git a/docs/configuring-captcha.md b/docs/configuring-captcha.md index d137cf99e..173b34fe7 100644 --- a/docs/configuring-captcha.md +++ b/docs/configuring-captcha.md @@ -2,9 +2,11 @@ # Overview Captcha can be enabled for this home server. This file explains how to do that. -The captcha mechanism used is Google's [ReCaptcha](https://www.google.com/recaptcha/). This requires API keys from Google. +The captcha mechanism used is Google's [ReCaptcha](https://www.google.com/recaptcha/). This requires API keys from Google. If your homeserver is Dendrite then [hCapcha](https://www.hcaptcha.com) can be used instead. -## Getting keys +## ReCaptcha + +### Getting keys Requires a site/secret key pair from: @@ -12,12 +14,39 @@ Requires a site/secret key pair from: Must be a reCAPTCHA **v2** key using the "I'm not a robot" Checkbox option -## Setting ReCaptcha Keys +### Setting ReCaptcha keys Once registered as above, set the following values: ```yaml +# for Synapse matrix_synapse_enable_registration_captcha: true matrix_synapse_recaptcha_public_key: 'YOUR_SITE_KEY' matrix_synapse_recaptcha_private_key: 'YOUR_SECRET_KEY' + +# for Dendrite +matrix_dendrite_client_api_enable_registration_captcha: true +matrix_dendrite_client_api_recaptcha_public_key: 'YOUR_SITE_KEY' +matrix_dendrite_client_api_recaptcha_private_key: 'YOUR_SECRET_KEY' +``` + +## hCaptcha + +### Getting keys + +Requires a site/secret key pair from: + + + +### Setting hCaptcha keys + +```yaml +matrix_dendrite_client_api_enable_registration_captcha: true +matrix_dendrite_client_api_recaptcha_public_key: 'YOUR_SITE_KEY' +matrix_dendrite_client_api_recaptcha_private_key: 'YOUR_SECRET_KEY' + +matrix_dendrite_client_api_recaptcha_siteverify_api: 'https://hcaptcha.com/siteverify' +matrix_dendrite_client_api_recaptcha_api_js_url: 'https://js.hcaptcha.com/1/api.js' +matrix_dendrite_client_api_recaptcha_form_field: 'h-captcha-response' +matrix_dendrite_client_api_recaptcha_sitekey_class: 'h-captcha' ``` diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index dd0c730c0..cf9c71933 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1474,7 +1474,7 @@ matrix_bot_maubot_registration_shared_secret: |- {{ { 'synapse': matrix_synapse_registration_shared_secret, - 'dendrite': matrix_dendrite_registration_shared_secret, + 'dendrite': matrix_dendrite_client_api_registration_shared_secret, }[matrix_homeserver_implementation] }} @@ -2898,7 +2898,7 @@ matrix_registration_shared_secret: |- {{ { 'synapse': matrix_synapse_registration_shared_secret, - 'dendrite': matrix_dendrite_registration_shared_secret, + 'dendrite': matrix_dendrite_client_api_registration_shared_secret, 'conduit': '', }[matrix_homeserver_implementation] }} @@ -2975,13 +2975,13 @@ matrix_dendrite_container_https_host_bind_address: "{{ '' if matrix_nginx_proxy_ matrix_dendrite_sync_api_real_ip_header: "{{ 'X-Forwarded-For' if matrix_nginx_proxy_enabled else '' }}" -matrix_dendrite_registration_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.rss', rounds=655555) | to_uuid }}" +matrix_dendrite_client_api_registration_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.rss', rounds=655555) | to_uuid }}" matrix_dendrite_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.db', rounds=655555) | to_uuid }}" # Even if TURN doesn't support TLS (it does by default), # it doesn't hurt to try a secure connection anyway. -matrix_dendrite_turn_uris: | +matrix_dendrite_client_api_turn_uris: | {{ [ 'turns:' + matrix_server_fqn_matrix + '?transport=udp', diff --git a/roles/custom/matrix-dendrite/defaults/main.yml b/roles/custom/matrix-dendrite/defaults/main.yml index a60c33d26..ba84d4300 100644 --- a/roles/custom/matrix-dendrite/defaults/main.yml +++ b/roles/custom/matrix-dendrite/defaults/main.yml @@ -76,7 +76,7 @@ matrix_dendrite_systemd_wanted_services_list: [] # matrix_dendrite_template_dendrite_config: "{{ playbook_dir }}/inventory/host_vars//dendrite.yaml.j2" matrix_dendrite_template_dendrite_config: "{{ role_path }}/templates/dendrite/dendrite.yaml.j2" -matrix_dendrite_registration_shared_secret: '' +matrix_dendrite_client_api_registration_shared_secret: '' matrix_dendrite_allow_guest_access: false matrix_dendrite_max_file_size_bytes: 10485760 @@ -89,18 +89,21 @@ matrix_dendrite_sync_api_real_ip_header: '' matrix_dendrite_tmp_directory_size_mb: 500 # Rate limits -matrix_dendrite_rate_limiting_enabled: true -matrix_dendrite_rate_limiting_threshold: 20 -matrix_dendrite_rate_limiting_cooloff_ms: 500 +matrix_dendrite_client_api_rate_limiting_enabled: true +matrix_dendrite_client_api_rate_limiting_threshold: 20 +matrix_dendrite_client_api_rate_limiting_cooloff_ms: 500 # Controls whether people with access to the homeserver can register by themselves. -matrix_dendrite_registration_disabled: true +matrix_dendrite_client_api_registration_disabled: true # reCAPTCHA API for validating registration attempts -matrix_dendrite_enable_registration_captcha: false -matrix_dendrite_recaptcha_public_key: "" -matrix_dendrite_recaptcha_private_key: "" -matrix_dendrite_recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" +matrix_dendrite_client_api_enable_registration_captcha: false +matrix_dendrite_client_api_recaptcha_public_key: "" +matrix_dendrite_client_api_recaptcha_private_key: "" +matrix_dendrite_client_api_recaptcha_siteverify_api: "" +matrix_dendrite_client_api_recaptcha_api_js_url: "" +matrix_dendrite_client_api_recaptcha_form_field: "" +matrix_dendrite_client_api_recaptcha_sitekey_class: "" # A list of additional "volumes" to mount in the container. # This list gets populated dynamically based on Dendrite extensions that have been enabled. @@ -147,11 +150,10 @@ matrix_dendrite_userapi_database: "dendrite_userapi" matrix_dendrite_pushserver_database: "dendrite_pushserver" matrix_dendrite_mscs_database: "dendrite_mscs" -matrix_dendrite_turn_uris: [] -matrix_dendrite_turn_shared_secret: "" -matrix_dendrite_turn_allow_guests: false +matrix_dendrite_client_api_turn_uris: [] +matrix_dendrite_client_api_turn_client_api_shared_secret: "" +matrix_dendrite_client_api_turn_allow_guests: false -# Controls whether the self-check feature should validate TLS certificates. matrix_dendrite_disable_tls_validation: false matrix_dendrite_trusted_id_servers: diff --git a/roles/custom/matrix-dendrite/tasks/validate_config.yml b/roles/custom/matrix-dendrite/tasks/validate_config.yml index 390da9380..7ca31b0d5 100644 --- a/roles/custom/matrix-dendrite/tasks/validate_config.yml +++ b/roles/custom/matrix-dendrite/tasks/validate_config.yml @@ -5,7 +5,7 @@ You need to define a required configuration setting (`{{ item }}`) for using Dendrite. when: "vars[item] == ''" with_items: - - "matrix_dendrite_registration_shared_secret" + - "matrix_dendrite_client_api_registration_shared_secret" - name: (Deprecation) Catch and report renamed settings ansible.builtin.fail: @@ -13,4 +13,15 @@ Your configuration contains a variable, which now has a different name. Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). when: "item.old in vars" - with_items: [] + with_items: + - {'old': 'matrix_dendrite_enable_registration_captcha', 'new': 'matrix_dendrite_client_api_enable_registration_captcha'} + - {'old': 'matrix_dendrite_recaptcha_public_key', 'new': 'matrix_dendrite_client_api_recaptcha_public_key'} + - {'old': 'matrix_dendrite_recaptcha_private_key', 'new': 'matrix_dendrite_client_api_recaptcha_private_key'} + - {'old': 'matrix_dendrite_registration_disabled', 'new': 'matrix_dendrite_client_api_registration_disabled'} + - {'old': 'matrix_dendrite_registration_shared_secret', 'new': 'matrix_dendrite_client_api_registration_shared_secret'} + - {'old': 'matrix_dendrite_turn_uris', 'new': 'matrix_dendrite_client_api_turn_uris'} + - {'old': 'matrix_dendrite_turn_client_api_shared_secret', 'new': 'matrix_dendrite_client_api_turn_client_api_shared_secret'} + - {'old': 'matrix_dendrite_turn_allow_guests', 'new': 'matrix_dendrite_client_api_turn_allow_guests'} + - {'old': 'matrix_dendrite_rate_limiting_enabled', 'new': 'matrix_dendrite_client_api_rate_limiting_enabled'} + - {'old': 'matrix_dendrite_rate_limiting_threshold', 'new': 'matrix_dendrite_client_api_rate_limiting_threshold'} + - {'old': 'matrix_dendrite_rate_limiting_cooloff_ms', 'new': 'matrix_dendrite_client_api_rate_limiting_cooloff_ms'} diff --git a/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 index 65cb4c2c3..005f9bd64 100644 --- a/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 +++ b/roles/custom/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 @@ -175,7 +175,7 @@ client_api: # Prevents new users from being able to register on this homeserver, except when # using the registration shared secret below. - registration_disabled: {{ matrix_dendrite_registration_disabled|to_json }} + registration_disabled: {{ matrix_dendrite_client_api_registration_disabled | to_json }} # Prevents new guest accounts from being created. Guest registration is also # disabled implicitly by setting 'registration_disabled' above. @@ -183,22 +183,25 @@ client_api: # If set, allows registration by anyone who knows the shared secret, regardless of # whether registration is otherwise disabled. - registration_shared_secret: {{ matrix_dendrite_registration_shared_secret | string|to_json }} + registration_shared_secret: {{ matrix_dendrite_client_api_registration_shared_secret | string | to_json }} # Whether to require reCAPTCHA for registration. - enable_registration_captcha: {{ matrix_dendrite_enable_registration_captcha|to_json }} + enable_registration_captcha: {{ matrix_dendrite_client_api_enable_registration_captcha | to_json }} # Settings for ReCAPTCHA. - recaptcha_public_key: {{ matrix_dendrite_recaptcha_public_key|to_json }} - recaptcha_private_key: {{ matrix_dendrite_recaptcha_private_key|to_json }} + recaptcha_public_key: {{ matrix_dendrite_client_api_recaptcha_public_key | to_json }} + recaptcha_private_key: {{ matrix_dendrite_client_api_recaptcha_private_key | to_json }} recaptcha_bypass_secret: "" - recaptcha_siteverify_api: {{ matrix_dendrite_recaptcha_siteverify_api|to_json }} + recaptcha_siteverify_api: {{ matrix_dendrite_client_api_recaptcha_siteverify_api | to_json }} + recaptcha_api_js_url: {{ matrix_dendrite_client_api_recaptcha_api_js_url | to_json }} + recaptcha_form_field: {{ matrix_dendrite_client_api_recaptcha_form_field | to_json }} + recaptcha_sitekey_class: {{ matrix_dendrite_client_api_recaptcha_sitekey_class | to_json }} # TURN server information that this homeserver should send to clients. turn: turn_user_lifetime: "" - turn_uris: {{ matrix_dendrite_turn_uris|to_json }} - turn_shared_secret: {{ matrix_dendrite_turn_shared_secret|to_json }} + turn_uris: {{ matrix_dendrite_client_api_turn_uris | to_json }} + turn_shared_secret: {{ matrix_dendrite_client_api_turn_shared_secret | to_json }} turn_username: "" turn_password: "" @@ -206,9 +209,9 @@ client_api: # threshold number of "slots" have been taken by requests from a specific # host. Each "slot" will be released after the cooloff time in milliseconds. rate_limiting: - enabled: {{ matrix_dendrite_rate_limiting_enabled|to_json }} - threshold: {{ matrix_dendrite_rate_limiting_threshold|to_json }} - cooloff_ms: {{ matrix_dendrite_rate_limiting_cooloff_ms|to_json }} + enabled: {{ matrix_dendrite_client_api_rate_limiting_enabled | to_json }} + threshold: {{ matrix_dendrite_client_api_rate_limiting_threshold | to_json }} + cooloff_ms: {{ matrix_dendrite_client_api_rate_limiting_cooloff_ms | to_json }} exempt_user_ids: # - "@user:domain.com"