diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index a7cbb0369dc..e93d8b77a77 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -938,6 +938,8 @@ matrix_appservice_irc_container_additional_networks_auto: |- ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network]) + ([postgres_container_network] if (postgres_enabled and matrix_appservice_irc_database_hostname == postgres_connection_hostname and matrix_appservice_irc_container_network != postgres_container_network) else []) + + + [matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_appservice_irc_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [] ) | unique }} @@ -955,6 +957,11 @@ matrix_appservice_irc_database_hostname: "{{ postgres_connection_hostname if pos matrix_appservice_irc_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.irc.db', rounds=655555) | to_uuid }}" matrix_appservice_irc_database_container_network: "{{ postgres_container_network if postgres_enabled else '' }}" +matrix_appservice_irc_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" +matrix_appservice_irc_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_appservice_irc_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}" +matrix_appservice_irc_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}" + ###################################################################### # # /matrix-bridge-appservice-irc diff --git a/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml b/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml index 7ea0ee4cc99..782b52bf779 100644 --- a/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml @@ -33,7 +33,7 @@ matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appser # matrix_appservice_irc_version used to contain the full Docker image tag (e.g. `release-X.X.X`). # It's a bare version number now. We try to somewhat retain compatibility below. # renovate: datasource=docker depName=docker.io/matrixdotorg/matrix-appservice-irc -matrix_appservice_irc_version: 1.0.1 +matrix_appservice_irc_version: 3.0.5 matrix_appservice_irc_docker_image: "{{ matrix_appservice_irc_docker_image_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_docker_image_tag }}" matrix_appservice_irc_docker_image_registry_prefix: "{{ 'localhost/' if matrix_appservice_irc_container_image_self_build else matrix_appservice_irc_docker_image_registry_prefix_upstream }}" matrix_appservice_irc_docker_image_registry_prefix_upstream: "{{ matrix_appservice_irc_docker_image_registry_prefix_upstream_default }}" @@ -46,7 +46,8 @@ matrix_appservice_irc_config_path: "{{ matrix_appservice_irc_base_path }}/config matrix_appservice_irc_data_path: "{{ matrix_appservice_irc_base_path }}/data" matrix_appservice_irc_homeserver_url: "" -matrix_appservice_irc_homeserver_media_url: '{{ matrix_homeserver_url }}' +matrix_appservice_irc_homeserver_media_url: '{{ matrix_homeserver_url }}/irc/' +matrix_appservice_irc_homeserver_media_bind_port: 11111 matrix_appservice_irc_homeserver_domain: '{{ matrix_domain }}' matrix_appservice_irc_homeserver_enablePresence: true # noqa var-naming matrix_appservice_irc_appservice_address: 'http://matrix-appservice-irc:9999' @@ -89,20 +90,25 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # It is also used in the Third Party Lookup API as the instance `desc` # # property, where each server is an instance. # name: "ExampleNet" - +# # Additional addresses to connect to, used for load balancing between IRCDs. # additionalAddresses: [ "irc2.example.com" ] +# # Typically additionalAddresses would be in addition to the address key given above, +# # but some configurations wish to exclusively use additional addresses while reserving +# # the top key for identification purposes. Set this to true to exclusively use the +# # additionalAddresses array when connecting to servers. +# onlyAdditionalAddresses: false # # # # [DEPRECATED] Use `name`, above, instead. # # A human-readable description string # # description: "Example.com IRC network" - +# # # An ID for uniquely identifying this server amongst other servers being bridged. # # networkId: "example" - -# # URL to an icon used as the network icon whenever this network appear in -# # a network list. (Like in the Riot room directory, for instance.) -# # icon: https://example.com/images/hash.png - +# +# # MXC URL to an icon used as the network icon whenever this network appear in +# # a network list. (Like in the Element room directory, for instance.) +# # icon: mxc://matrix.org/LpsSLrbANVrEIEOgEaVteItf +# # # The port to connect to. Optional. # port: 6697 # # Whether to use SSL or not. Default: false. @@ -115,19 +121,26 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # Whether to allow expired certs when connecting to the IRC server. # # Usually this should be off. Default: false. # allowExpiredCerts: false -# # A specific CA to trust instead of the default CAs. Optional. -# #ca: | -# # -----BEGIN CERTIFICATE----- -# # … -# # -----END CERTIFICATE----- - +# +# # Set additional TLS options for the connections to the IRC server. +# #tlsOptions: +# # A specific CA to trust instead of the default CAs. Optional. +# #ca: | +# # -----BEGIN CERTIFICATE----- +# # ... +# # -----END CERTIFICATE----- +# # Server name for the SNI (Server Name Indication) TLS extension. If the address you +# # are using does not report the correct certificate name, you can override it here. +# # servername: real.server.name +# # ...or any options in https://nodejs.org/api/tls.html#tls_tls_connect_options_callback +# # # # # The connection password to send for all clients as a PASS (or SASL, if enabled above) command. Optional. # # password: 'pa$$w0rd' # # # # Whether or not to send connection/error notices to real Matrix users. Default: true. # sendConnectionMessages: true - +# # quitDebounce: # # Whether parts due to net-splits are debounced for delayMs, to allow # # time for the netsplit to resolve itself. A netsplit is detected as being @@ -147,13 +160,13 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # delayMinMs: 3600000 # 1h # # Default: 7200000, = 2h # delayMaxMs: 7200000 # 2h - +# # # A map for conversion of IRC user modes to Matrix power levels. This enables bridging # # of IRC ops to Matrix power levels only, it does not enable the reverse. If a user has # # been given multiple modes, the one that maps to the highest power level will be used. # modePowerMap: # o: 50 - +# v: 1 # botConfig: # # Enable the presence of the bot in IRC channels. The bot serves as the entity # # which maps from IRC -> Matrix. You can disable the bot entirely which @@ -176,6 +189,8 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # enabled: true # # The nickname to give the AS bot. # nick: "MatrixBot" +# # The username to give to the AS bot. Defaults to "matrixbot" +# username: "matrixbot" # # The password to give to NickServ or IRC Server for this nick. Optional. # # password: "helloworld" # # @@ -184,7 +199,7 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # real Matrix users in them, even if there is a mapping for the channel. # # Default: true # joinChannelsIfNoUsers: true - +# # # Configuration for PMs / private 1:1 communications between users. # privateMessages: # # Enable the ability for PMs to be sent to/from IRC/Matrix. @@ -193,12 +208,12 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # Prevent Matrix users from sending PMs to the following IRC nicks. # # Optional. Default: []. # # exclude: ["Alice", "Bob"] # NOT YET IMPLEMENTED - +# # # Should created Matrix PM rooms be federated? If false, only users on the # # HS attached to this AS will be able to interact with this room. # # Optional. Default: true. # federate: true - +# # # Configuration for mappings not explicitly listed in the 'mappings' # # section. # dynamicChannels: @@ -212,27 +227,34 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # Should the AS publish the new Matrix room to the public room list so # # anyone can see it? Default: true. # published: true +# # Publish the rooms to the homeserver directory, as oppose to the appservice +# # room directory. Only used if `published` is on. +# # Default: false +# useHomeserverDirectory: true # # What should the join_rule be for the new Matrix room? If 'public', # # anyone can join the room. If 'invite', only users with an invite can # # join the room. Note that if an IRC channel has +k or +i set on it, # # join_rules will be set to 'invite' until these modes are removed. # # Default: "public". # joinRule: public -# # This will set the m.room.related_groups state event in newly created rooms -# # with the given groupId. This means flares will show up on IRC users in those rooms. -# # This should be set to the same thing as namespaces.users.group_id in irc_registration. -# # This does not alter existing rooms. -# # Leaving this option empty will not set the event. -# groupId: +myircnetwork:localhost # # Should created Matrix rooms be federated? If false, only users on the # # HS attached to this AS will be able to interact with this room. # # Default: true. # federate: true +# # Force this room version when creating IRC channels. Beware if the homeserver doesn't +# # support the room version then the request will fail. By default, no version is requested. +# # roomVersion: "1" # # The room alias template to apply when creating new aliases. This only # # applies if createAlias is 'true'. The following variables are exposed: # # $SERVER => The IRC server address (e.g. "irc.example.com") # # $CHANNEL => The IRC channel (e.g. "#python") # # This MUST have $CHANNEL somewhere in it. +# # +# # In certain circumstances you might want to bridge your whole IRC network as a +# # homeserver (e.g. #matrix:libera.chat). For these use cases, you can set the +# # template to just be $CHANNEL. Doing so will preclude you from supporting +# # other prefix characters though. +# # # # Default: '#irc_$SERVER_$CHANNEL' # aliasTemplate: "#irc_$CHANNEL" # # A list of user IDs which the AS bot will send invites to in response @@ -244,7 +266,11 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # Prevent the given list of channels from being mapped under any # # circumstances. # # exclude: ["#foo", "#bar"] - +# +# # excludedUsers: +# # - regex: "@.*:evilcorp.com" +# # kickReason: "We don't like Evilcorp" +# # # Configuration for controlling how Matrix and IRC membership lists are # # synced. # membershipLists: @@ -253,12 +279,12 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # synced. This must be enabled for anything else in this section to take # # effect. Default: false. # enabled: false - +# # # Syncing membership lists at startup can result in hundreds of members to # # process all at once. This timer drip feeds membership entries at the # # specified rate. Default: 10000. (10s) # floodDelayMs: 10000 - +# # global: # ircToMatrix: # # Get a snapshot of all real IRC users on a channel (via NAMES) and @@ -267,7 +293,14 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # Make virtual Matrix clients join and leave rooms as their real IRC # # counterparts join/part channels. Default: false. # incremental: false - +# # Should the bridge check if all Matrix users are connected to IRC and +# # joined to the channel before relaying messages into the room. +# # +# # This is considered a safety net to avoid any leakages by the bridge to +# # unconnected users, but given it ignores all IRC messages while users +# # are still connecting it may be overkill. +# requireMatrixJoined: false +# # matrixToIrc: # # Get a snapshot of all real Matrix users in the room and join all of # # them to the mapped IRC channel on startup. Default: false. @@ -276,21 +309,32 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # counterparts join/leave rooms. Make sure your 'maxClients' value is # # high enough! Default: false. # incremental: false - +# # # Apply specific rules to Matrix rooms. Only matrix-to-IRC takes effect. # rooms: # - room: "!qporfwt:localhost" # matrixToIrc: # initial: false # incremental: false - +# # # Apply specific rules to IRC channels. Only IRC-to-matrix takes effect. # channels: # - channel: "#foo" # ircToMatrix: # initial: false # incremental: false - +# requireMatrixJoined: false +# +# # Should the bridge ignore users which are not considered active on the bridge +# # during startup +# ignoreIdleUsersOnStartup: +# enabled: true +# # How many hours can a user be considered idle for before they are considered +# # ignoreable +# idleForHours: 720 +# # A regex which will exclude matching MXIDs from this check. +# exclude: "foobar" +# # mappings: # # 1:many mappings from IRC channels to room IDs on this IRC server. # # The Matrix room must already exist. Your Matrix client should expose @@ -300,27 +344,27 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # Channel key/password to use. Optional. If provided, Matrix users do # # not need to know the channel key in order to join the channel. # # key: "secret" - +# # # Configuration for virtual Matrix users. The following variables are # # exposed: # # $NICK => The IRC nick # # $SERVER => The IRC server address (e.g. "irc.example.com") # matrixClients: # # The user ID template to use when creating virtual Matrix users. This -# # MUST have $NICK somewhere in it. +# # MUST start with an @ and have $NICK somewhere in it. # # Optional. Default: "@$SERVER_$NICK". # # Example: "@irc.example.com_Alice:example.com" # userTemplate: "@irc_$NICK" # # The display name to use for created Matrix clients. This should have # # $NICK somewhere in it if it is specified. Can also use $SERVER to # # insert the IRC domain. -# # Optional. Default: "$NICK (IRC)". Example: "Alice (IRC)" -# displayName: "$NICK (IRC)" +# # Optional. Default: "$NICK". Example: "Alice" +# displayName: "$NICK" # # Number of tries a client can attempt to join a room before the request # # is discarded. You can also use -1 to never retry or 0 to never give up. # # Optional. Default: -1 # joinAttempts: -1 - +# # # Configuration for virtual IRC users. The following variables are exposed: # # $LOCALPART => The user ID localpart ("alice" in @alice:localhost) # # $USERID => The user ID @@ -349,9 +393,20 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # connected user. If not specified, all users will connect from the same # # (default) address. This may require additional OS-specific work to allow # # for the node process to bind to multiple different source addresses -# # e.g IP_FREEBIND on Linux, which requires an LD_PRELOAD with the library +# # Linux kernels 4.3+ support sysctl net.ipv6.ip_nonlocal_bind=1 +# # Older kernels will need IP_FREEBIND, which requires an LD_PRELOAD with the library # # https://github.com/matrix-org/freebindfree as Node does not expose setsockopt. # # prefix: "2001:0db8:85a3::" # modify appropriately +# +# # Optional. Define blocks of IPv6 addresses for different homeservers +# # which can be used to restrict users of those homeservers to a given +# # IP. These blocks should be considered immutable once set, as changing +# # the startFrom value will NOT adjust existing IP addresses. +# # Changing the startFrom value to a lower value may conflict with existing clients. +# # Multiple homeservers may NOT share blocks. +# blocks: +# - homeserver: another-server.org +# startFrom: '10:0000' # # # # The maximum amount of time in seconds that the client can exist # # without sending another message before being disconnected. Use 0 to @@ -388,12 +443,36 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # through the bridge e.g. caller ID as there is no way to /ACCEPT. # # Default: "" (no user modes) # # userModes: "R" - -# Controls whether the matrix-appservice-discord container exposes its HTTP port (tcp/9999 in the container). +# # The format of the realname defined for users, either mxid or reverse-mxid +# realnameFormat: "mxid" +# # The minimum time to wait between connection attempts if we were disconnected +# # due to throttling. +# # pingTimeoutMs: 600000 +# # The rate at which to send pings to the IRCd if the client is being quiet for a while. +# # Whilst the IRCd *should* be sending pings to us to keep the connection alive, it appears +# # that sometimes they don't get around to it and end up ping timing us out. +# # pingRateMs: 60000 +# # Choose which conditions the IRC bridge should kick Matrix users for. Decisions to this from +# # defaults should be taken with care as it may dishonestly repesent Matrix users on the IRC +# # network, and cause your bridge to be banned. +# kickOn: +# # Kick a Matrix user from a bridged room if they fail to join the IRC channel. +# channelJoinFailure: true +# # Kick a Matrix user from ALL rooms if they are unable to get connected to IRC. +# ircConnectionFailure: true +# # Kick a Matrix user from ALL rooms if they choose to QUIT the IRC network. +# userQuit: true + +# Controls whether the matrix-appservice-irc container exposes its HTTP port (tcp/9999 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:9999"), or empty string to not expose. matrix_appservice_irc_container_http_host_bind_port: '' +# Controls whether the matrix-appservice-irc container exposes its media proxy HTTP port (tcp/11111 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:11111"), or empty string to not expose. +matrix_appservice_irc_container_media_proxy_host_bind_port: '' + matrix_appservice_irc_container_network: "" matrix_appservice_irc_container_additional_networks: "{{ matrix_appservice_irc_container_additional_networks_auto + matrix_appservice_irc_container_additional_networks_custom }}" @@ -403,6 +482,25 @@ matrix_appservice_irc_container_additional_networks_custom: [] # A list of extra arguments to pass to the container matrix_appservice_irc_container_extra_arguments: [] +# matrix_appservice_irc_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# To inject your own other container labels, see `matrix_appservice_irc_container_labels_additional_labels`. +matrix_appservice_irc_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" +matrix_appservice_irc_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_appservice_irc_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}" +matrix_appservice_irc_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}" + +# Controls whether Traefik labels for the media proxy will be applied +matrix_appservice_irc_container_labels_media_proxy_enabled: true +matrix_appservice_irc_container_labels_traefik_path_prefix: "/irc" +matrix_appservice_irc_container_labels_media_proxy_traefik_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_appservice_irc_container_labels_traefik_path_prefix }}`)" +matrix_appservice_irc_container_labels_media_proxy_traefik_priority: 2000 +matrix_appservice_irc_container_labels_media_proxy_traefik_entrypoints: "{{ matrix_appservice_irc_container_labels_traefik_entrypoints }}" +matrix_appservice_irc_container_labels_media_proxy_traefik_tls: "{{ matrix_appservice_irc_container_labels_media_proxy_traefik_entrypoints != 'web' }}" +matrix_appservice_irc_container_labels_media_proxy_traefik_tls_certResolver: "{{ matrix_appservice_irc_container_labels_traefik_tls_certResolver }}" + +# matrix-appservice-irc container additional labels +matrix_appservice_irc_container_labels_additional_labels: '' + # List of systemd services that matrix-appservice-irc.service depends on. matrix_appservice_irc_systemd_required_services_list: "{{ matrix_appservice_irc_systemd_required_services_list_default + matrix_appservice_irc_systemd_required_services_list_auto + matrix_appservice_irc_systemd_required_services_list_custom }}" matrix_appservice_irc_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}" diff --git a/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml index 79b51ab6f8d..a38f7df117f 100644 --- a/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml @@ -121,6 +121,14 @@ owner: "{{ matrix_user_name }}" group: "{{ matrix_group_name }}" +- name: Ensure Matrix Appservice IRC labels file installed + ansible.builtin.template: + src: "{{ role_path }}/templates/labels.j2" + dest: "{{ matrix_appservice_irc_base_path }}/labels" + mode: 0644 + owner: "{{ matrix_user_name }}" + group: "{{ matrix_group_name }}" + - name: Generate Appservice IRC passkey if it doesn't exist ansible.builtin.shell: cmd: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_appservice_irc_data_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048" @@ -128,6 +136,41 @@ become: true become_user: "{{ matrix_user_name }}" +- name: Check if an authenticated media signing key exists + ansible.builtin.stat: + path: "{{ matrix_appservice_irc_data_path }}/auth-media.jwk" + register: matrix_appservice_irc_stat_auth_media_key + +- when: not matrix_appservice_irc_stat_auth_media_key.stat.exists + block: + - name: Generate IRC appservice signing key for authenticated media + community.docker.docker_container: + name: "create-auth-media-jwk-key" + image: "{{ matrix_appservice_irc_docker_image }}" + cleanup: true + network_mode: none + entrypoint: "/usr/local/bin/node" + command: > + -e "const webcrypto = require('node:crypto'); + async function main() { + const key = await webcrypto.subtle.generateKey({ + name: 'HMAC', + hash: 'SHA-512', + }, true, ['sign', 'verify']); + console.log(JSON.stringify(await webcrypto.subtle.exportKey('jwk', key), undefined, 4)); + } + main().then(() => process.exit(0)).catch(err => { throw err });" + detach: false + register: matrix_appservice_irc_jwk_result + + - name: Write auth media signing key to file + ansible.builtin.copy: + content: "{{ matrix_appservice_irc_jwk_result.container.Output }}" + dest: "{{ matrix_appservice_irc_data_path }}/auth-media.jwk" + mode: "0644" + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + # In the past, we used to generate the passkey.pem file with root, so permissions may not be okay. # Fix it. - name: (Migration) Ensure Appservice IRC passkey permissions are okay diff --git a/roles/custom/matrix-bridge-appservice-irc/templates/config.yaml.j2 b/roles/custom/matrix-bridge-appservice-irc/templates/config.yaml.j2 index 8b7aca5b83b..92d710814b2 100644 --- a/roles/custom/matrix-bridge-appservice-irc/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-appservice-irc/templates/config.yaml.j2 @@ -1,14 +1,13 @@ #jinja2: lstrip_blocks: True +# +# Based on https://github.com/matrix-org/matrix-appservice-irc/blob/8daebec7779a2480180cbc4c293838de649aab36/config.sample.yaml +# +# Configuration specific to AS registration. Unless other marked, all fields +# are *REQUIRED*. +# Unless otherwise specified, these keys CANNOT be hot-reloaded. homeserver: - # The URL to the home server for client-server API calls, also used to form the - # media URLs as displayed in bridged IRC channels: - url: {{ matrix_appservice_irc_homeserver_url }} - # - # The URL of the homeserver hosting media files. This is only used to transform - # mxc URIs to http URIs when bridging m.room.[file|image] events. Optional. By - # default, this is the homeserver URL, specified above. - # - media_url: {{ matrix_appservice_irc_homeserver_media_url }} + # The URL to the home server for client-server API calls + url: "{{ matrix_appservice_irc_homeserver_url }}" # Drop Matrix messages which are older than this number of seconds, according to # the event's origin_server_ts. @@ -20,18 +19,29 @@ homeserver: # clock times and hence produce different origin_server_ts values, which may be old # enough to cause *all* events from the homeserver to be dropped. # Default: 0 (don't ever drop) + # This key CAN be hot-reloaded. # dropMatrixMessagesAfterSecs: 300 # 5 minutes # The 'domain' part for user IDs on this home server. Usually (but not always) # is the "domain name" part of the HS URL. - domain: {{ matrix_appservice_irc_homeserver_domain }} + domain: "{{ matrix_appservice_irc_homeserver_domain }}" # Should presence be enabled for Matrix clients on this bridge. If disabled on the # homeserver then it should also be disabled here to avoid excess traffic. # Default: true enablePresence: {{ matrix_appservice_irc_homeserver_enablePresence|to_json }} + # Which port should the appservice bind to. Can be overriden by the one provided in the + # command line! Optional. + # bindPort: 8090 + + # Use this option to force the appservice to listen on another hostname for transactions. + # This is NOT your synapse hostname. E.g. use 127.0.0.1 to only listen locally. Optional. + # bindHostname: 0.0.0.0 + +# Configuration specific to the IRC service ircService: + # WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot # send a password hash. As a result, passwords (NOT hashes) are stored encrypted in # the database. @@ -50,11 +60,18 @@ ircService: # Cache this many Matrix events in memory to be used for m.relates_to messages (usually replies). eventCacheSize: 4096 + # All server keys can be hot-reloaded, however existing IRC connections + # will not have changes applied to them. servers: {{ matrix_appservice_irc_ircService_servers|to_json }} + # present relevant UI to the user. MSC2346 + bridgeInfoState: + enabled: false + initial: false # Configuration for an ident server. If you are running a public bridge it is # advised you setup an ident server so IRC mods can ban specific Matrix users # rather than the application service itself. + # This key CANNOT be hot-reloaded ident: # True to listen for Ident requests and respond with the # Matrix user's user_id (converted to ASCII, respecting RFC 1413). @@ -71,6 +88,10 @@ ircService: # Default: 0.0.0.0 address: "::" + # Encoding fallback - which text encoding to try if text is not UTF-8. Default: not set. + # List of supported encodings: https://www.npmjs.com/package/iconv#supported-encodings + # encodingFallback: "ISO-8859-15" + # Configuration for logging. Optional. Default: console debug level logging # only. logging: @@ -87,33 +108,42 @@ ircService: # to rotations. maxFiles: 5 - # Optional. Enable Prometheus metrics. If this is enabled, you MUST install `prom-client`: - # $ npm install prom-client@6.3.0 # Metrics will then be available via GET /metrics on the bridge listening port (-p). + # This key CANNOT be hot-reloaded metrics: # Whether to actually enable the metric endpoint. Default: false enabled: true + # Which port to listen on (omit to listen on the bindPort) + #port: 7001 + # Which hostname to listen on (omit to listen on 127.0.0.1), requires port to be set + host: 127.0.0.1 + # When determining activeness of remote and matrix users, cut off at this number of hours. + userActivityThresholdHours: 72 # 3 days # When collecting remote user active times, which "buckets" should be used. Defaults are given below. # The bucket name is formed of a duration and a period. (h=hours,d=days,w=weeks). remoteUserAgeBuckets: - "1h" - "1d" - "1w" - # Configuration for the provisioning API. - # - # GET /_matrix/provision/link - # GET /_matrix/provision/unlink - # GET /_matrix/provision/listlinks - # + # This key CANNOT be hot-reloaded provisioning: # True to enable the provisioning HTTP endpoint. Default: false. enabled: false - # The number of seconds to wait before giving up on getting a response from - # an IRC channel operator. If the channel operator does not respond within the - # allotted time period, the provisioning request will fail. - # Default: 300 seconds (5 mins) - requestTimeoutSeconds: 300 + # Whether to enable hosting the setup widget page. Default: false. + widget: false + + # Config for the media proxy, required to serve publically accessible URLs to authenticated Matrix media + mediaProxy: + # To generate a .jwk file: + # $ node src/generate-signing-key.js > signingkey.jwk + signingKeyPath: "/data/auth-media.jwk" + # How long should the generated URLs be valid for + ttlSeconds: 604800 + # The port for the media proxy to listen on + bindPort: {{ matrix_appservice_irc_homeserver_media_bind_port | to_json }} + # The publically accessible URL to the media proxy + publicUrl: "{{ matrix_appservice_irc_homeserver_media_url }}" # Options here are generally only applicable to large-scale bridges and may have # consequences greater than other options in this configuration file. @@ -122,13 +152,18 @@ advanced: # however for large bridges it is important to rate limit the bridge to avoid # accidentally overloading the homeserver. Defaults to 1000, which should be # enough for the vast majority of use cases. + # This key CAN be hot-reloaded maxHttpSockets: 1000 + # Max size of an appservice transaction payload, in bytes. Defaults to 10Mb + # This key CANNOT be hot-reloaded. + maxTxnSize: 10000000 # Use an external database to store bridge state. +# This key CANNOT be hot-reloaded. database: # database engine (must be 'postgres' or 'nedb'). Default: nedb engine: {{ matrix_appservice_irc_database_engine|to_json }} # Either a PostgreSQL connection string, or a path to the NeDB storage directory. # For postgres, it must start with postgres:// # For NeDB, it must start with nedb://. The path is relative to the project directory. - connectionString: {{ matrix_appservice_irc_database_connectionString|to_json }} + connectionString: {{ matrix_appservice_irc_database_connectionString | to_json }} diff --git a/roles/custom/matrix-bridge-appservice-irc/templates/labels.j2 b/roles/custom/matrix-bridge-appservice-irc/templates/labels.j2 new file mode 100644 index 00000000000..2ea6557ae50 --- /dev/null +++ b/roles/custom/matrix-bridge-appservice-irc/templates/labels.j2 @@ -0,0 +1,61 @@ +{# +SPDX-FileCopyrightText: 2025 Jade Ellis + +SPDX-License-Identifier: AGPL-3.0-or-later +#} + +{% if matrix_appservice_irc_container_labels_traefik_enabled and matrix_appservice_irc_container_labels_media_proxy_enabled %} +traefik.enable=true + +{% if matrix_appservice_irc_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_appservice_irc_container_labels_traefik_docker_network }} +{% endif %} + +traefik.http.services.matrix-appservice-irc-media-proxy.loadbalancer.server.port={{ matrix_appservice_irc_homeserver_media_bind_port }} + +############################################################ +# # +# IRC Bridge Media Proxy # +# # +############################################################ + +{% set middlewares = [] %} + +traefik.http.routers.matrix-appservice-irc-media-proxy.rule={{ matrix_appservice_irc_container_labels_media_proxy_traefik_rule }} + +{% if matrix_appservice_irc_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-appservice-irc-media-proxy-slashless-redirect.redirectregex.regex=({{ matrix_appservice_irc_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-appservice-irc-media-proxy-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-appservice-irc-media-proxy-slashless-redirect'] %} +{% endif %} + +{% if matrix_appservice_irc_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-appservice-irc-media-proxy-strip-prefix.stripprefix.prefixes={{ matrix_appservice_irc_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-appservice-irc-media-proxy-strip-prefix'] %} +{% endif %} + + +{% if matrix_appservice_irc_container_labels_media_proxy_traefik_priority | int > 0 %} +traefik.http.routers.matrix-appservice-irc-media-proxy.priority={{ matrix_appservice_irc_container_labels_media_proxy_traefik_priority }} +{% endif %} + +traefik.http.routers.matrix-appservice-irc-media-proxy.service=matrix-appservice-irc-media-proxy +traefik.http.routers.matrix-appservice-irc-media-proxy.entrypoints={{ matrix_appservice_irc_container_labels_media_proxy_traefik_entrypoints }} + +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-appservice-irc-media-proxy.middlewares={{ middlewares | join(',') }} +{% endif %} + +traefik.http.routers.matrix-appservice-irc-media-proxy.tls={{ matrix_appservice_irc_container_labels_media_proxy_traefik_tls | to_json }} +{% if matrix_appservice_irc_container_labels_media_proxy_traefik_tls %} +traefik.http.routers.matrix-appservice-irc-media-proxy.tls.certResolver={{ matrix_appservice_irc_container_labels_media_proxy_traefik_tls_certResolver }} +{% endif %} + +############################################################ +# # +# /IRC Bridge Media Proxy # +# # +############################################################ +{% endif %} + +{{ matrix_appservice_irc_container_labels_additional_labels }} diff --git a/roles/custom/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 b/roles/custom/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 index aa26ff78bad..93d5335801c 100644 --- a/roles/custom/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 +++ b/roles/custom/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 @@ -26,8 +26,12 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ {% if matrix_appservice_irc_container_http_host_bind_port %} -p {{ matrix_appservice_irc_container_http_host_bind_port }}:9999 \ {% endif %} + {% if matrix_appservice_irc_container_media_proxy_host_bind_port %} + -p {{ matrix_appservice_irc_container_media_proxy_host_bind_port }}:{{ matrix_appservice_irc_homeserver_media_bind_port }} \ + {% endif %} --mount type=bind,src={{ matrix_appservice_irc_config_path }},dst=/config \ --mount type=bind,src={{ matrix_appservice_irc_data_path }},dst=/data \ + --label-file={{ matrix_appservice_irc_base_path }}/labels \ {% for arg in matrix_appservice_irc_container_extra_arguments %} {{ arg }} \ {% endfor %}