Update matrix-appservice-irc to 4.0.0 with authenticated media proxy support

- Upgrade from 1.0.1 to 4.0.0
- Add ircService.mediaProxy configuration for authenticated Matrix media
- Add Traefik integration for media proxy endpoint
- Generate signing key for authenticated media

Closes #3512

Co-authored-by: Jade Ellis <jade@ellis.link>
Co-authored-by: Slavi Pantaleev <slavi@devture.com>

roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml

@@ -1,5 +1,6 @@
 # SPDX-FileCopyrightText: 2019 - 2022 MDAD project contributors
-# SPDX-FileCopyrightText: 2019 - 2024 Slavi Pantaleev
+# SPDX-FileCopyrightText: 2019 - 2026 Slavi Pantaleev
+# SPDX-FileCopyrightText: 2025 - 2026 Thom Wiggers
 # SPDX-FileCopyrightText: 2019 Dan Arnfield
 # SPDX-FileCopyrightText: 2020 Chris van Dijk
 # SPDX-FileCopyrightText: 2021 Panagiotis Georgiadis
@@ -121,6 +122,14 @@
     owner: "{{ matrix_user_name }}"
     group: "{{ matrix_group_name }}"
 
+- name: Ensure Matrix Appservice IRC labels file installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/labels.j2"
+    dest: "{{ matrix_appservice_irc_base_path }}/labels"
+    mode: 0644
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
+
 - name: Generate Appservice IRC passkey if it doesn't exist
   ansible.builtin.shell:
     cmd: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_appservice_irc_data_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048"
@@ -128,6 +137,41 @@
   become: true
   become_user: "{{ matrix_user_name }}"
 
+- name: Check if an authenticated media signing key exists
+  ansible.builtin.stat:
+    path: "{{ matrix_appservice_irc_data_path }}/auth-media.jwk"
+  register: matrix_appservice_irc_stat_auth_media_key
+
+- when: not matrix_appservice_irc_stat_auth_media_key.stat.exists
+  block:
+    - name: Generate IRC appservice signing key for authenticated media
+      community.docker.docker_container:
+        name: "create-auth-media-jwk-key"
+        image: "{{ matrix_appservice_irc_docker_image }}"
+        cleanup: true
+        network_mode: none
+        entrypoint: "/usr/local/bin/node"
+        command: >
+          -e "const webcrypto = require('node:crypto');
+          async function main() {
+              const key = await webcrypto.subtle.generateKey({
+                  name: 'HMAC',
+                  hash: 'SHA-512',
+              }, true, ['sign', 'verify']);
+              console.log(JSON.stringify(await webcrypto.subtle.exportKey('jwk', key), undefined, 4));
+          }
+          main().then(() => process.exit(0)).catch(err => { throw err });"
+        detach: false
+      register: matrix_appservice_irc_jwk_result
+
+    - name: Write auth media signing key to file
+      ansible.builtin.copy:
+        content: "{{ matrix_appservice_irc_jwk_result.container.Output }}"
+        dest: "{{ matrix_appservice_irc_data_path }}/auth-media.jwk"
+        mode: "0644"
+        owner: "{{ matrix_user_name }}"
+        group: "{{ matrix_group_name }}"
+
 # In the past, we used to generate the passkey.pem file with root, so permissions may not be okay.
 # Fix it.
 - name: (Migration) Ensure Appservice IRC passkey permissions are okay

roles/custom/matrix-bridge-appservice-irc/tasks/validate_config.yml

@@ -44,3 +44,27 @@
     - {'old': 'matrix_appservice_irc_container_expose_client_server_api_port', 'new': '<superseded by matrix_appservice_irc_container_http_host_bind_port>'}
     - {'old': 'matrix_appservice_irc_container_self_build', 'new': 'matrix_appservice_irc_container_image_self_build'}
     - {'old': 'matrix_appservice_irc_docker_image_name_prefix', 'new': 'matrix_appservice_irc_docker_image_registry_prefix'}
+    - {'old': 'matrix_appservice_irc_homeserver_media_url', 'new': '<removed; media proxying now uses matrix_appservice_irc_ircService_mediaProxy_publicUrl>'}
+
+- name: Fail if matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix does not start with a slash
+  ansible.builtin.fail:
+    msg: >-
+      matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix (`{{ matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix }}`) must start with a slash (e.g. `/` or `/irc/`).
+  when: "matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix[0] != '/'"
+
+- name: Fail if matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix does not end with a slash
+  ansible.builtin.fail:
+    msg: >-
+      matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix (`{{ matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix }}`) must end with a slash (e.g. `/` or `/irc/`).
+  when: "matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix[-1] != '/'"
+
+- when: matrix_appservice_irc_container_labels_traefik_enabled | bool
+  block:
+    # We ensure it doesn't end with a slash, because we handle both (slash and no-slash).
+    # Knowing that the path_prefix does not end with a slash ensures we know how to set these routes up
+    # without having to do "does it end with a slash" checks elsewhere.
+    - name: Fail if matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix ends with a slash
+      ansible.builtin.fail:
+        msg: >-
+          matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix (`{{ matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/irc`).
+      when: "matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix != '/' and matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix[-1] == '/'"