From 7b2c56aa39f80db89f8690736155e624d4d9837c Mon Sep 17 00:00:00 2001 From: Catalan Lover Date: Thu, 24 Apr 2025 11:50:53 +0200 Subject: [PATCH] Add synapse-http-antispam support to Draupnir role --- group_vars/matrix_servers | 2 ++ roles/custom/matrix-bot-draupnir/defaults/main.yml | 9 +++++++++ .../custom/matrix-bot-draupnir/templates/labels.j2 | 2 +- .../templates/production.yaml.j2 | 14 +++++++++++++- .../systemd/matrix-bot-draupnir.service.j2 | 2 +- 5 files changed, 26 insertions(+), 3 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 45d2a81a4..268f0417e 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -3204,6 +3204,8 @@ matrix_bot_draupnir_container_labels_traefik_docker_network: "{{ matrix_playbook matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_entrypoints: "{{ traefik_entrypoint_primary }}" matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}" +matrix_bot_draupnir_config_web_synapseHTTPAntispam_authorization: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'draupnir.synapseHTTPAntispam', rounds=655555) | to_uuid }}" # noqa var-naming + ###################################################################### # # /matrix-bot-draupnir diff --git a/roles/custom/matrix-bot-draupnir/defaults/main.yml b/roles/custom/matrix-bot-draupnir/defaults/main.yml index d84e7457e..ea61ed4f8 100644 --- a/roles/custom/matrix-bot-draupnir/defaults/main.yml +++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml 
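Review bot: The salt passed to `password_hash` in group_vars/matrix_servers, `'draupnir.synapseHTTPAntispam'`, is 28 characters long, while sha512-crypt salts are limited to 16 characters. Depending on the hashing backend Ansible uses, the salt may be truncated or rejected, so this is worth confirming on a test run. A salt of 16 characters or fewer avoids the question, for example `password_hash('sha512', 'drpnr.antispam', rounds=655555)` (constructed example). I would also add a comment above the line saying that the token is derived deterministically from `matrix_homeserver_generic_secret_key`, so rotating that key changes this secret and the Synapse module configuration has to be updated with it.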
@@ -129,6 +129,15 @@ matrix_bot_draupnir_config_admin_enableMakeRoomAdminCommand: false # noqa var-n # This config option has diminished improvements for bots on extremely fast homeservers or very very small bots on fast homeservers. matrix_bot_draupnir_config_roomStateBackingStore_enabled: true # noqa var-naming +matrix_bot_draupnir_config_web_port: "8080" +matrix_bot_draupnir_web_url: 'http://matrix-bot-draupnir' + +# These variables are used for turning on the integration between the synapseHTTPAntispam module and Draupnir. +# Authorisation is a shared secret between Draupnir and the module just like is used by Appservices and the homeserver +# therefore the same creation mechanism is used here too. +matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled: false # noqa var-naming +matrix_bot_draupnir_config_web_synapseHTTPAntispam_authorization: '' # noqa var-naming + # Default configuration template which covers the generic use case. # You can customize it by controlling the various variables inside it. # diff --git a/roles/custom/matrix-bot-draupnir/templates/labels.j2 b/roles/custom/matrix-bot-draupnir/templates/labels.j2 index 67ec0e29b..15740adf5 100644 --- a/roles/custom/matrix-bot-draupnir/templates/labels.j2 +++ b/roles/custom/matrix-bot-draupnir/templates/labels.j2 @@ -12,7 +12,7 @@ traefik.enable=true traefik.docker.network={{ matrix_bot_draupnir_container_labels_traefik_docker_network }} {% endif %} -traefik.http.services.matrix-bot-draupnir.loadbalancer.server.port=8080 +traefik.http.services.matrix-bot-draupnir.loadbalancer.server.port={{ matrix_bot_draupnir_config_web_port }} {% if matrix_bot_draupnir_config_web_abuseReporting %} ############################################################ diff --git a/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 b/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 index d3184c273..21a9eeeef 100644 --- a/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 
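Review bot: `matrix_bot_draupnir_config_web_synapseHTTPAntispam_authorization` defaults to `''` in defaults/main.yml, so setting `matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled: true` without the group_vars override (for example when the role is used on its own) renders an empty shared secret into the bot's config. Nothing in this patch rejects that combination. A check in the role's validation tasks that fails when the feature is enabled and the authorization value is empty would close the gap; whether such a task file exists is not visible here. Separately, `matrix_bot_draupnir_config_web_port` and `matrix_bot_draupnir_web_url` are added without a comment, and `matrix_bot_draupnir_web_url` is not referenced anywhere in this patch. A line such as `# Port the Draupnir web server listens on inside the container.` above the first would help.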
+++ b/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2 @@ -266,7 +266,7 @@ web: enabled: true # The port to expose the webserver on. Defaults to 8080. - port: 8080 + port: {{ matrix_bot_draupnir_config_web_port | to_json }} # The address to listen for requests on. Defaults to only the current # computer. @@ -286,6 +286,18 @@ web: abuseReporting: # Whether to enable this feature. enabled: {{ matrix_bot_draupnir_config_web_abuseReporting | to_json }} + # Whether to setup a endpoints for synapse-http-antispam + # https://github.com/maunium/synapse-http-antispam + # this is required for some features of Draupnir, + # such as support for room takedown policies. + # + # Please FOLLOW the instructions here: + # https://the-draupnir-project.github.io/draupnir-documentation/bot/synapse-http-antispam + synapseHTTPAntispam: + enabled: {{ matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled | to_json }} + # This is a secret that you must place into your synapse module config + # https://github.com/maunium/synapse-http-antispam?tab=readme-ov-file#configuration + authorization: {{ matrix_bot_draupnir_config_web_synapseHTTPAntispam_authorization | to_json }} {% endif %} # FIXME: This configuration option is currently broken in the playbook as admin APIs cannot diff --git a/roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-draupnir.service.j2 b/roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-draupnir.service.j2 index 1c9c72de1..550be60a7 100644 --- a/roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-draupnir.service.j2 +++ b/roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-draupnir.service.j2 
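Review bot: `port: {{ matrix_bot_draupnir_config_web_port | to_json }}` now renders `port: "8080"`, a quoted string, because the default added in defaults/main.yml is the string `"8080"`; before this change the template emitted the integer `8080`. If Draupnir's config loader expects a number here, that is a behaviour change. `port: {{ matrix_bot_draupnir_config_web_port | int | to_json }}` keeps the rendered type as before, or the default can be made a bare `8080`. The same variable is interpolated into labels.j2 and the systemd unit, where the string form is harmless.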
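Review bot: The `synapseHTTPAntispam` block is inserted above an `{% endif %}` whose opening `{% if %}` lies outside the hunk, so whether it is rendered depends on a condition this patch does not touch. If that condition does not also become true when `matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled` is set, enabling the integration alone would leave the endpoints out of the config without any error, so the gating variable is worth checking. In the added comment, "Whether to setup a endpoints" should read `# Whether to set up endpoints for synapse-http-antispam`. Since `authorization` is now written into this file in plaintext, the rendered config should be readable only by the bot's user; the file mode is not visible in this patch.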
@@ -25,7 +25,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 --read-only \
 --network={{ matrix_bot_draupnir_container_network }} \
 {% if matrix_bot_draupnir_container_http_host_bind_port %}
- -p {{ matrix_bot_draupnir_container_http_host_bind_port }}:8080 \
+ -p {{ matrix_bot_draupnir_container_http_host_bind_port }}:{{ matrix_bot_draupnir_config_web_port }} \
 {% endif %}
 --label-file={{ matrix_bot_draupnir_base_path }}/labels \
 --mount type=bind,src={{ matrix_bot_draupnir_config_path }},dst=/data/config,ro \