From 94abf2d5bde63919c6b5597f3142eea5fed73815 Mon Sep 17 00:00:00 2001
From: HarHarLinks
Date: Wed, 1 Nov 2023 16:05:22 +0100
Subject: [PATCH] draft encryption support for hookshot
---
 docs/configuring-playbook-bridge-hookshot.md | 5 +++++
 group_vars/matrix_servers | 2 +-
 .../custom/matrix-bridge-hookshot/defaults/main.yml | 4 ++++
 roles/custom/matrix-bridge-hookshot/tasks/main.yml | 6 ++++++
 .../tasks/reset_encryptioon.yml | 12 ++++++++++++
 .../matrix-bridge-hookshot/templates/config.yml.j2 | 8 ++++++++
 .../templates/registration.yml.j2 | 6 ++++++
 .../templates/systemd/matrix-hookshot.service.j2 | 8 +++++++-
 8 files changed, 49 insertions(+), 2 deletions(-)
 create mode 100644 roles/custom/matrix-bridge-hookshot/tasks/reset_encryptioon.yml
diff --git a/docs/configuring-playbook-bridge-hookshot.md b/docs/configuring-playbook-bridge-hookshot.md
index 48a66a8ea..33c5b98eb 100644
--- a/docs/configuring-playbook-bridge-hookshot.md
+++ b/docs/configuring-playbook-bridge-hookshot.md
@@ -23,6 +23,11 @@ Other configuration options are available via the `matrix_hookshot_configuration
 Finally, run the playbook (see [installing](installing.md)).
+### End-to-bridge endcryption
+
+1. Enable by setting `: true`
+
+If the crypto store has become corrupted, reset it by running `ansible-playbook -i inventory/hosts setup.yml -K --tags=reset-hookshot-encryption`.
 ## Usage
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 03370aefa..fe5a4fe21 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -3358,7 +3358,7 @@ ntfy_visitor_request_limit_exempt_hosts_hostnames_auto: |
 #
 ######################################################################
-redis_enabled: "{{ matrix_synapse_workers_enabled }}"
+redis_enabled: "{{ matrix_synapse_workers_enabled or matrix_hookshot_experimental_encryption_enabled }}"
 redis_identifier: matrix-redis
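Review bot: Turning on hookshot encryption now enables the playbook's single Redis instance, which the same expression presumably also serves to Synapse's worker replication when `matrix_synapse_workers_enabled` is set, and nothing in this commit gives hookshot a separate database, network or credential on it. Hookshot ingests webhooks from the internet, so a compromised bridge container would get direct access to whatever else that Redis carries; a dedicated instance, or at least a stated trust boundary, would help operators decide. Suggested comment above the changed line: `# Hookshot's experimental encryption also needs Redis; with Synapse workers enabled the bridge shares the instance that carries worker replication.`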
diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml
index 80ebdf68c..e14668ff4 100644
--- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml
+++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml
@@ -30,6 +30,10 @@ matrix_hookshot_public_endpoint: /hookshot
 matrix_hookshot_appservice_port: 9993
 matrix_hookshot_appservice_endpoint: "{{ matrix_hookshot_public_endpoint }}/_matrix/app"
+# Controls whether the experimental end-to-bridge encryption support is enabled.
+# This requires that support is also enabled in the homeserver, see the hookshot docs.
+matrix_hookshot_experimental_encryption_enabled: false
+
 # Controls whether metrics are enabled in the bridge configuration.
 # Enabling them is usually enough for a local (in-container) Prometheus to consume them.
 # If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_hookshot_metrics_proxying_enabled`.
diff --git a/roles/custom/matrix-bridge-hookshot/tasks/main.yml b/roles/custom/matrix-bridge-hookshot/tasks/main.yml
index e2fa9936a..44ad5229b 100644
--- a/roles/custom/matrix-bridge-hookshot/tasks/main.yml
+++ b/roles/custom/matrix-bridge-hookshot/tasks/main.yml
@@ -9,6 +9,12 @@
 - when: matrix_hookshot_enabled | bool
   ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
+- tags:
+    - reset-hookshot-encryption
+  block:
+    - when: matrix_hookshot_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/reset_encryption.yml"
+
 - tags:
     - setup-all
     - setup-hookshot
diff --git a/roles/custom/matrix-bridge-hookshot/tasks/reset_encryptioon.yml b/roles/custom/matrix-bridge-hookshot/tasks/reset_encryptioon.yml
new file mode 100644
index 000000000..6964c521a
--- /dev/null
+++ b/roles/custom/matrix-bridge-hookshot/tasks/reset_encryptioon.yml
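Review bot: The new variable's comment defers to "the hookshot docs" for the homeserver side, but nothing in this commit enables or validates the Synapse experimental features that the MSC2409/MSC3202 registration flags added elsewhere in the patch depend on, so an operator who flips this to `true` gets a bridge that cannot work as intended with no error pointing at the cause; either name the required homeserver settings here or assert them in the role's validation. The docs hunk in this same commit also tells the reader to set ``: true` without naming this variable. Suggested comment: `# Controls whether hookshot's experimental end-to-bridge encryption is enabled. Enabling it also enables Redis, and requires the homeserver to support MSC2409 (to-device push) and MSC3202 (device masquerading) for appservices; see the hookshot encryption docs for the exact Synapse settings.`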
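Review bot: The include points at `{{ role_path }}/tasks/reset_encryption.yml`, but the file this commit creates is `tasks/reset_encryptioon.yml` (see the diffstat and the new-file header), so `--tags=reset-hookshot-encryption` fails on a missing task file; rename the new file to `reset_encryption.yml` so the include resolves. The reset is also gated only on `matrix_hookshot_enabled`, so it runs the reset container even when the encryption feature is off and there is no store to reset; `when: matrix_hookshot_enabled | bool and matrix_hookshot_experimental_encryption_enabled | bool` would make it a no-op in that case.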
@@ -0,0 +1,12 @@
+---
+- name: Resetting Hookshot's crypto store
+  ansible.builtin.command:
+    cmd: |
+      {{ devture_systemd_docker_base_host_command_docker }} run
+      --rm
+      --name={{ matrix_hookshot_container_url }}-reset-crypto
+      --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
+      --cap-drop=ALL
+      -v {{ matrix_hookshot_base_path }}/config.yml:/config.yml
+      {{ matrix_hookshot_docker_image }} yarn start:resetcrypto
+  changed_when: false
diff --git a/roles/custom/matrix-bridge-hookshot/templates/config.yml.j2 b/roles/custom/matrix-bridge-hookshot/templates/config.yml.j2
index c3b0bbd48..b07eae72b 100644
--- a/roles/custom/matrix-bridge-hookshot/templates/config.yml.j2
+++ b/roles/custom/matrix-bridge-hookshot/templates/config.yml.j2
@@ -107,6 +107,14 @@ metrics: # (Optional) Prometheus metrics support
 #
   enabled: {{ matrix_hookshot_metrics_enabled | to_json }}
+{% if matrix_hookshot_experimental_encryption_enabled %}
+queue:
+  monolithic: true
+  port: 6379
+  host: matrix-redis
+experimentalEncryption:
+  storagePath: /data/encryption
+{% endif %}
 logging: # (Optional) Logging settings. You can have a severity debug,info,warn,error
 #
diff --git a/roles/custom/matrix-bridge-hookshot/templates/registration.yml.j2 b/roles/custom/matrix-bridge-hookshot/templates/registration.yml.j2
index 87509a127..557bd85d6 100644
--- a/roles/custom/matrix-bridge-hookshot/templates/registration.yml.j2
+++ b/roles/custom/matrix-bridge-hookshot/templates/registration.yml.j2
@@ -28,3 +28,9 @@ namespaces:
 sender_localpart: hookshot
 url: "http://{{ matrix_hookshot_container_url }}:{{ matrix_hookshot_appservice_port }}" # This should match the bridge.port in your config file
 rate_limited: false
+
+{% if matrix_hookshot_experimental_encryption_enabled %}
+de.sorunome.msc2409.push_ephemeral: true
+push_ephemeral: true
+org.matrix.msc3202: true
+{% endif %}
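Review bot: The one-off container mounts only `config.yml`, while the config rendered by this same commit keeps the crypto store at `/data/encryption` and the queue on the `matrix-redis` host; with no `/data` mount and no `--network` attaching it to the Redis network, whatever `yarn start:resetcrypto` needs to clear is not reachable from this container (which of the two it operates on is not visible here), so the reset most likely runs against an empty store and reports success. Give it the same data mount the hookshot unit uses, presumably `-v {{ matrix_hookshot_base_path }}/data:/data`, and `--network={{ redis_identifier }}` if the script talks to Redis. `changed_when: false` also misreports a destructive reset; `changed_when: true` is the honest value.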
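Review bot: The Redis endpoint is hard-coded as `host: matrix-redis` / `port: 6379` even though the playbook defines `redis_identifier` (this commit touches it in group_vars) and no credential is passed, so the queue breaks the moment the Redis instance is renamed or password-protected; use `host: {{ redis_identifier }}` and expose host, port and any password as role variables so `matrix_hookshot_configuration_extension` is not the only override path. `storagePath: /data/encryption` will hold the bridge's long-lived device keys, so the role should create that directory with `mode: "0700"` owned by `matrix_user_uid`/`matrix_user_gid` instead of leaving it to the container (the data mount and ownership tasks are outside this hunk). A comment such as `# Experimental encryption needs the Redis queue; the crypto store holds device keys and must persist across restarts.` would help.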
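Review bot: `push_ephemeral` (MSC2409) and `org.matrix.msc3202` widen the appservice grant considerably: the homeserver will push to-device traffic and other ephemeral data for the bridge's namespaces to hookshot, and MSC3202 lets the bridge act as specific device IDs. Since hookshot exposes webhook endpoints to the internet, this is a larger blast radius on compromise than the previous registration had, and these keys only take effect when the homeserver's matching experimental features are on, which this commit does not configure. A template comment stating the trade-off would help, e.g. `# MSC2409/MSC3202: needed for end-to-bridge encryption. Grants hookshot to-device traffic and device masquerading for its namespaces, and requires the matching Synapse experimental_features.`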
diff --git a/roles/custom/matrix-bridge-hookshot/templates/systemd/matrix-hookshot.service.j2 b/roles/custom/matrix-bridge-hookshot/templates/systemd/matrix-hookshot.service.j2
index 713c7a9fd..91de90e08 100644
--- a/roles/custom/matrix-bridge-hookshot/templates/systemd/matrix-hookshot.service.j2
+++ b/roles/custom/matrix-bridge-hookshot/templates/systemd/matrix-hookshot.service.j2
@@ -16,7 +16,7 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_hookshot_container_url }}
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_hookshot_container_url }}
-ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {{ matrix_hookshot_container_url }} \
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create --rm --name {{ matrix_hookshot_container_url }} \
     --log-driver=none \
     --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
     --cap-drop=ALL \
@@ -30,6 +30,12 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {{
 {% endfor %}
     {{ matrix_hookshot_docker_image }}
+{% if matrix_hookshot_experimental_encryption_enabled %}
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect matrix-redis {{ matrix_hookshot_container_url }}
+{% endif %}
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach {{ matrix_hookshot_container_url }}
+
 ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_hookshot_container_url }}
 ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_hookshot_container_url }}
 Restart=always
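Review bot: The added `ExecStartPre=... network connect matrix-redis ...` has no `-` prefix, so it is fatal, and the unit's `[Unit]` ordering is outside this hunk; unless the Redis service is added to hookshot's `After=`/`Requires=` list, a boot-time race where the `matrix-redis` network does not exist yet makes the start fail and loop under `Restart=always` until Redis comes up, which is worth fixing by ordering rather than by retries. The network name is also hard-coded where the playbook has `redis_identifier`: `ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ redis_identifier }} {{ matrix_hookshot_container_url }}`. Note that the switch from `run` to `create` plus `start --attach` applies to every deployment, not only encryption-enabled ones; a one-line comment in the unit explaining that the container is created first so extra networks can be attached before it starts would save the next maintainer the archaeology.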