diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 268f0417e..0d1adc9d7 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -3204,7 +3204,8 @@ matrix_bot_draupnir_container_labels_traefik_docker_network: "{{ matrix_playbook
 matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
 matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
-matrix_bot_draupnir_config_web_synapseHTTPAntispam_authorization: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'draupnir.synapseHTTPAntispam', rounds=655555) | to_uuid }}" # noqa var-naming
+#The salt is size restricted here as a maximum salt size of 16 characters exists due to the functions used.
+matrix_bot_draupnir_config_web_synapseHTTPAntispam_authorization: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'draupnir.httpmod', rounds=655555) | to_uuid }}" # noqa var-naming
 ######################################################################
 #
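Review bot: The added comment `+#The salt is size restricted…` has no space after `#`, which yamllint's `comments` rule flags and which differs from every other comment in this file; write it as `# The salt is limited to 16 characters by password_hash('sha512', …), so keep it short and stable.` The value it guards is a shared secret derived from `matrix_homeserver_generic_secret_key` that both Draupnir and the Synapse module read (see the group_vars hunk below), so the comment should also state that changing the salt changes the derived token for every deployment on the next run.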
@@ -3256,6 +3257,24 @@ matrix_appservice_draupnir_for_all_database_password: "{{ '%s' | format(matrix_h
 #
 ######################################################################
+######################################################################
+#
+# matrix-synapse-ext-synapse-http-antispam
+#
+######################################################################
+
+matrix_synapse_ext_synapse_http_antispam_enabled: "{{ matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled }}"
+matrix_synapse_ext_synapse_http_antispam_config_base_url: "{{ matrix_bot_draupnir_synapse_http_antispam_config_base_url if matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled else '' }}"
+matrix_synapse_ext_synapse_http_antispam_config_authorization: "{{ matrix_bot_draupnir_config_web_synapseHTTPAntispam_authorization if matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled else '' }}"
+matrix_synapse_ext_synapse_http_antispam_config_enabled_callbacks_yaml: "{{ matrix_bot_draunpir_synapse_http_antispam_config_enabled_callbacks_yaml if matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled else '' }}"
+matrix_synapse_ext_synapse_http_antispam_config_fail_open_yaml: "{{ matrix_bot_draupnir_synapse_http_antispam_config_fail_open_yaml if matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled else '' }}"
+matrix_synapse_ext_synapse_http_antispam_config_async_yaml: "{{ matrix_bot_draupnir_synapse_http_antispam_config_async_yaml if matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled else '' }}"
+
+######################################################################
+#
+# /matrix-synapse-ext-synapse-http-antispam
+#
+######################################################################
 ######################################################################
 #
diff --git a/roles/custom/matrix-bot-draupnir/defaults/main.yml b/roles/custom/matrix-bot-draupnir/defaults/main.yml
index ea61ed4f8..fa5a5fef2 100644
--- a/roles/custom/matrix-bot-draupnir/defaults/main.yml
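Review bot: `matrix_bot_draunpir_synapse_http_antispam_config_enabled_callbacks_yaml` on the `enabled_callbacks_yaml` line misspells draupnir; it resolves today only because the matrix-bot-draupnir defaults hunk defines the same misspelled name, but it breaks the naming pattern of its four siblings and will bite anyone who overrides the correctly spelled variant. Rename both definition and reference, i.e. `matrix_synapse_ext_synapse_http_antispam_config_enabled_callbacks_yaml: "{{ matrix_bot_draupnir_synapse_http_antispam_config_enabled_callbacks_yaml if matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled else '' }}"`. The other two mappings in this block are also misnamed only on the source side, so a single rename in the defaults file plus this line fixes it.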
+++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml
@@ -138,6 +138,25 @@ matrix_bot_draupnir_web_url: 'http://matrix-bot-draupnir'
 matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled: false # noqa var-naming
 matrix_bot_draupnir_config_web_synapseHTTPAntispam_authorization: '' # noqa var-naming
+# This controls the URL that the module targets in Draupnir.
+matrix_bot_draupnir_synapse_http_antispam_config_base_url: "{{ matrix_bot_draupnir_web_url }}:{{ matrix_bot_draupnir_config_web_port }}/api/1/spam_check"
+
+# These variables control the configuration of the Synapse module as the configuration is highly consumer dependent.
+# Therefore the module is configured from Draupnir because the consumer of the module determines what settings are relevant.
+
+matrix_bot_draunpir_synapse_http_antispam_config_enabled_callbacks_yaml: |
+ - check_event_for_spam
+ - user_may_invite
+ - user_may_join_room
+
+matrix_bot_draupnir_synapse_http_antispam_config_fail_open_yaml: |
+ check_event_for_spam: true
+ user_may_invite: true
+ user_may_join_room: true
+
+matrix_bot_draupnir_synapse_http_antispam_config_async_yaml: |
+ check_event_for_spam: true
+
 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #
diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml
index 8250c0c64..a611e862d 100644
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
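Review bot: The `…_config_fail_open_yaml` default switches fail-open on for all three callbacks without a comment saying what that means for an operator; per the description in this commit's synapse defaults, it means events, invites and joins are let through whenever Draupnir cannot be reached. Add above that block `# fail_open: true lets the event/invite/join through when Draupnir is unreachable (availability over safety); set false to reject instead.` The `…_config_async_yaml` default deserves a similar line, since a non-blocking `check_event_for_spam` presumably means Synapse does not wait for Draupnir's verdict before acting, which is a different guarantee from the other two callbacks. The `matrix_bot_draunpir_…_enabled_callbacks_yaml` key defined here is misspelled; raised on the group_vars hunk.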
@@ -1409,6 +1409,38 @@ matrix_synapse_ext_spam_checker_mjolnir_antispam_config:
 ban_lists: "{{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_ban_lists }}"
 message_max_length: "{{ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_message_max_length }}"
+# Enable this to activate the synapse-http-antispam module.
+# See: github.com/maunium/synapse-http-antispam
+matrix_synapse_ext_synapse_http_antispam_enabled: false
+matrix_synapse_ext_synapse_http_antispam_git_repository_url: "https://github.com/maunium/synapse-http-antispam"
+# renovate: datasource=github-releases depName=maunium/synapse-http-antispam
+matrix_synapse_ext_synapse_http_antispam_git_version: "v0.3.0"
+# Where Synapse can locate the consumer of the antispam API. Currently
+# Draupnir is the only consumer of this API that is playbook supported.
+# But https://github.com/maunium/meowlnir also supports the API.
+matrix_synapse_ext_synapse_http_antispam_config_base_url: ''
+# This is a shared secret that is established between the consumer and the
+# homeserver a lot like how AS authentication is done. This is fully managed
+# the same way AS authentication is by the playbook.
+matrix_synapse_ext_synapse_http_antispam_config_authorization: ''
+# This controls what callbacks are activated. This list is fully dependent on what consumer is in play.
+# And what capabilities said consumer should or shouldn't have. There are also performance implications
+# to these choices.
+matrix_synapse_ext_synapse_http_antispam_config_enabled_callbacks: ''
+# Controls if a loss of connectivity to the consumer results in fail open or closed.
+# As in if failure results in events getting flagged automatically as spam or not.
+matrix_synapse_ext_synapse_http_antispam_config_fail_open: ''
+# Controls if the checking is blocking or not. This allows the homeserver to skip waiting for a consumer response.
+matrix_synapse_ext_synapse_http_antispam_config_async: ''
+# Actual configuration passed to the synapse-http-antispam module
+matrix_synapse_ext_synapse_http_antispam_config: "{{ matrix_synapse_ext_synapse_http_antispam_config_yaml | from_yaml }}"
+matrix_synapse_ext_synapse_http_antispam_config_yaml: |
+ base_url: {{ matrix_synapse_ext_synapse_http_antispam_config_base_url | to_json }}
+ authorization: {{ matrix_synapse_ext_synapse_http_antispam_config_authorization | to_json }}
+ enabled_callbacks: {{ matrix_synapse_ext_synapse_http_antispam_config_enabled_callbacks_yaml | from_yaml }}
+ fail_open: {{ matrix_synapse_ext_synapse_http_antispam_config_fail_open_yaml | from_yaml }}
+ async: {{ matrix_synapse_ext_synapse_http_antispam_config_async_yaml | from_yaml }}
+
 # Enable this to activate the E2EE disabling Synapse module.
 # See: https://github.com/digitalentity/matrix_encryption_disabler
 matrix_synapse_ext_encryption_disabler_enabled: false
diff --git a/roles/custom/matrix-synapse/tasks/ext/setup_install.yml b/roles/custom/matrix-synapse/tasks/ext/setup_install.yml
index 17bd5670b..b5f9c6227 100644
--- a/roles/custom/matrix-synapse/tasks/ext/setup_install.yml
+++ b/roles/custom/matrix-synapse/tasks/ext/setup_install.yml
@@ -66,6 +66,19 @@
 - when: matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled | bool
 ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/mjolnir-antispam/setup_install.yml"
+# synapse-http-antispam
+- tags:
+ - setup-all
+ - setup-synapse
+ - install-all
+ - install-synapse
+ block:
+ - when: matrix_synapse_ext_synapse_http_antispam_enabled | bool
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/synapse-http-antispam/validate_config.yml"
+
+ - when: matrix_synapse_ext_synapse_http_antispam_enabled | bool
+ ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/synapse-http-antispam/setup_install.yml"
+
 # s3-storage-provider
 - tags:
 - setup-all
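Review bot: `matrix_synapse_ext_synapse_http_antispam_config_yaml` interpolates `…_config_enabled_callbacks_yaml`, `…_config_fail_open_yaml` and `…_config_async_yaml`, but this file only declares the un-suffixed `…_config_enabled_callbacks`, `…_config_fail_open` and `…_config_async` (all `''`), which nothing in the diff reads; the `_yaml` names are defined solely in the group_vars hunk, so enabling the module from the role alone fails on an undefined variable. Either rename the three defaults to `matrix_synapse_ext_synapse_http_antispam_config_enabled_callbacks_yaml: ''`, `matrix_synapse_ext_synapse_http_antispam_config_fail_open_yaml: ''` and `matrix_synapse_ext_synapse_http_antispam_config_async_yaml: ''`, or point the template at the un-suffixed names. Separately, those three fields are emitted as the Python string form of the parsed value (`| from_yaml` alone) whereas `base_url` and `authorization` go through `| to_json`; `| from_yaml | to_json` keeps the rendered document valid YAML for any value and matches the other two fields.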
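Review bot: The new `tasks/ext/synapse-http-antispam/setup_uninstall.yml` added by this commit is not included from this block or anywhere else in the diff, so turning `matrix_synapse_ext_synapse_http_antispam_enabled` back to false leaves the cloned checkout under `matrix_synapse_ext_path` in place (unless it is wired up in a file outside this diff). Add the counterpart next to the other ext uninstall includes, e.g. `- when: not matrix_synapse_ext_synapse_http_antispam_enabled | bool` followed by `ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/synapse-http-antispam/setup_uninstall.yml"`. The `when:` is otherwise consistent with the mjolnir-antispam entry above it.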
diff --git a/roles/custom/matrix-synapse/tasks/ext/synapse-http-antispam/setup_install.yml b/roles/custom/matrix-synapse/tasks/ext/synapse-http-antispam/setup_install.yml
new file mode 100644
index 000000000..aecb68e4e
--- /dev/null
+++ b/roles/custom/matrix-synapse/tasks/ext/synapse-http-antispam/setup_install.yml
@@ -0,0 +1,37 @@
+# SPDX-FileCopyrightText: 2025 MDAD project contributors
+# SPDX-FileCopyrightText: 2025 Catalan Lover
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+- name: Ensure git installed
+ ansible.builtin.package:
+ name: git
+ state: present
+
+- name: Clone synapse-http-antispam git repository
+ ansible.builtin.git:
+ repo: "{{ matrix_synapse_ext_synapse_http_antispam_git_repository_url }}"
+ version: "{{ matrix_synapse_ext_synapse_http_antispam_git_version }}"
+ dest: "{{ matrix_synapse_ext_path }}/synapse-http-antispam"
+ become: true
+ become_user: "{{ matrix_synapse_username }}"
+
+- ansible.builtin.set_fact:
+ matrix_synapse_modules: >
+ {{
+ matrix_synapse_modules | default([])
+ +
+ [{
+ "module": "synapse_http_antispam.HTTPAntispam",
+ "config": matrix_synapse_ext_synapse_http_antispam_config,
+ }]
+ }}
+
+ matrix_synapse_container_extra_arguments: >
+ {{
+ matrix_synapse_container_extra_arguments | default([])
+ +
+ ["--mount type=bind,src={{ matrix_synapse_ext_path }}/synapse-http-antispam/synapse_http_antispam.py,dst={{ matrix_synapse_in_container_python_packages_path }}/synapse_http_antispam.py,ro"]
+ }}
diff --git a/roles/custom/matrix-synapse/tasks/ext/synapse-http-antispam/setup_uninstall.yml b/roles/custom/matrix-synapse/tasks/ext/synapse-http-antispam/setup_uninstall.yml
new file mode 100644
index 000000000..1b7985f57
--- /dev/null
+++ b/roles/custom/matrix-synapse/tasks/ext/synapse-http-antispam/setup_uninstall.yml
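Review bot: The clone task pins `version` to a tag (`v0.3.0` per the synapse defaults) and the resulting `synapse_http_antispam.py` is bind-mounted into the container's Python package path and loaded as a Synapse module, so whatever that tag points to runs with the homeserver's privileges; tags are movable, so pinning the commit hash behind the release (adjusting the renovate annotation if needed — verify) makes the fetched code verifiable, as nothing here checks its integrity. The final `ansible.builtin.set_fact` task also has no `name:` unlike the two tasks before it, so it appears anonymously in run output; add `- name: Register synapse-http-antispam module with Synapse` above `ansible.builtin.set_fact:`. This mirrors the mjolnir-antispam install flow referenced from the tasks/ext/setup_install.yml hunk, which is outside this diff.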
@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2025 MDAD project contributors
+# SPDX-FileCopyrightText: 2025 Catalan Lover
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+- name: Ensure synapse-http-antispam doesn't exist
+ ansible.builtin.file:
+ path: "{{ matrix_synapse_ext_path }}/synapse-http-antispam"
+ state: absent
diff --git a/roles/custom/matrix-synapse/tasks/ext/synapse-http-antispam/validate_config.yml b/roles/custom/matrix-synapse/tasks/ext/synapse-http-antispam/validate_config.yml
new file mode 100644
index 000000000..037842f14
--- /dev/null
+++ b/roles/custom/matrix-synapse/tasks/ext/synapse-http-antispam/validate_config.yml
@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2025 MDAD project contributors
+# SPDX-FileCopyrightText: 2025 Catalan Lover
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+- name: Fail if required synapse-http-antispam settings not defined
+ ansible.builtin.fail:
+ msg: >-
+ You need to define a required configuration setting (`{{ item }}`) for using synapse-http-antispam.
+ when: "vars[item] == ''"
+ with_items:
+ - "matrix_synapse_ext_synapse_http_antispam_enabled"
+ - "matrix_synapse_ext_synapse_http_antispam_config_base_url"
+ - "matrix_synapse_ext_synapse_http_antispam_config_authorization"
+
+- name: Fail if required matrix_synapse_ext_synapse_http_antispam_config_base_url looks invalid
+ ansible.builtin.fail:
+ msg: >-
+ `matrix_synapse_ext_synapse_http_antispam_config_base_url` needs to look like a URL (`http://` or `https://` prefix).
+ when: "not matrix_synapse_ext_synapse_http_antispam_config_base_url.startswith('http')"
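Review bot: The URL check in the last task accepts any string beginning with `http` (e.g. `httpfoo`), while its message promises an `http://` or `https://` prefix; tighten it to `when: "not matrix_synapse_ext_synapse_http_antispam_config_base_url.startswith(('http://', 'https://'))"`. The required-settings loop does not cover the callback, fail-open and async inputs that `matrix_synapse_ext_synapse_http_antispam_config_yaml` in the synapse defaults consumes, so an empty one is only noticed when the module config is rendered rather than with a clear message here. Checking `matrix_synapse_ext_synapse_http_antispam_enabled` against `''` is a no-op in practice, since this file is only included when that flag is true.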