Added a role for the bridge mautrix-signal

docs/configuring-playbook-bridge-mautrix-signal.md

@@ -0,0 +1,59 @@
+# Setting up Mautrix Signal (optional)
+
+The playbook can install and configure [mautrix-signal](https://github.com/tulir/mautrix-signal) for you.
+
+See the project's [documentation](https://github.com/tulir/mautrix-signal/wiki) to learn what it does and why it might be useful to you.
+
+Use the following playbook configuration:
+
+```yaml
+matrix_mautrix_signal_enabled: true
+```
+
+To specify which users have access to the bridge, use the variable `matrix_mautrix_signal_configuration_permissions`.
+Refer to the documentation for
+```yaml
+bridge:
+  permissions:
+```
+in [the example config in mautrix-signal](https://github.com/tulir/mautrix-signal/blob/master/mautrix_signal/example-config.yaml).
+For instance, use
+```yaml
+matrix_mautrix_signal_configuration_permissions:
+  "YOUR_DOMAIN": user
+```
+to allow all users registered to `YOUR_DOMAIN` access to the bridge (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain).
+
+
+## Set up Double Puppeting
+
+If you'd like to use [Double Puppeting](https://github.com/tulir/mautrix-whatsapp/wiki/Authentication#replacing-whatsapp-accounts-matrix-puppet-with-matrix-account) (hint: you most likely do), you have 2 ways of going about it.
+
+### Method 1: automatically, by enabling Shared Secret Auth
+
+The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook.
+
+This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
+
+### Method 2: manually, by asking each user to provide a working access token
+
+**Note**: This method for enabling Double Puppeting can be configured only after you've already set up bridging (see [Usage](#usage)).
+
+When using this method, **each user** that wishes to enable Double Puppeting needs to follow the following steps:
+
+- retrieve a Matrix access token for yourself. You can use the following command:
+
+```
+curl \
+--data '{"identifier": {"type": "m.id.user", "user": "YOUR_MATRIX_USERNAME" }, "password": "YOUR_MATRIX_PASSWORD", "type": "m.login.password", "device_id": "Mautrix-Signal", "initial_device_display_name": "Mautrix-Signal"}' \
+https://matrix.DOMAIN/_matrix/client/r0/login
+```
+
+- send the access token to the bot. Example: `login-matrix MATRIX_ACCESS_TOKEN_HERE`
+
+- make sure you don't log out the `Mautrix-Signal` device some time in the future, as that would break the Double Puppeting feature
+
+
+## Usage
+
+You then need to start a chat with `@signalbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain).

docs/configuring-playbook.md

@@ -93,6 +93,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins
 
 - [Setting up Mautrix Hangouts bridging](configuring-playbook-bridge-mautrix-hangouts.md) (optional)
 
+- [Setting up Mautrix Signal bridging](configuring-playbook-bridge-mautrix-signal.md) (optional)
+
 - [Setting up Appservice IRC bridging](configuring-playbook-bridge-appservice-irc.md) (optional)
 
 - [Setting up Appservice Discord bridging](configuring-playbook-bridge-appservice-discord.md) (optional)

group_vars/matrix_servers

@@ -241,7 +241,43 @@ matrix_mautrix_hangouts_login_shared_secret: "{{ matrix_synapse_ext_password_pro
 ######################################################################
 
 
+######################################################################
+#
+# matrix-bridge-mautrix-signal
+#
+######################################################################
+
+matrix_mautrix_signal_enabled: false
+
+# TODO: unclear whether to put this into the role or keep it here
+matrix_mautrix_signal_systemd_required_services_list: |
+  {{
+    ['docker.service']
+    +
+    (['matrix-synapse.service'] if matrix_synapse_enabled else [])
+    +
+    ['matrix-mautrix-signal-daemon.service', 'matrix-mautrix-signal-db.service']
+  }}
+
+matrix_mautrix_signal_homeserver_domain: '{{ matrix_domain }}'
+
+matrix_mautrix_signal_homeserver_address: "{{ 'http://matrix-synapse:8008' if matrix_synapse_enabled else '' }}"
+
+matrix_mautrix_signal_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'si.hs.token') | to_uuid }}"
+
+matrix_mautrix_signal_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'si.as.token') | to_uuid }}"
+
+matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
 
+matrix_mautrix_signal_db_user: 'signal-db-user'
+matrix_mautrix_signal_db_password: 'signal-db-password'
+matrix_mautrix_signal_db_database: 'signal-db'
+
+######################################################################
+#
+# /matrix-bridge-mautrix-signal
+#
+######################################################################
 
 
 ######################################################################

roles/matrix-bridge-mautrix-signal/defaults/main.yml

@@ -0,0 +1,91 @@
+# mautrix-signal is a Matrix <-> Signal bridge
+# See: https://github.com/tulir/mautrix-signal
+
+matrix_mautrix_signal_enabled: true
+
+# See: https://mau.dev/tulir/mautrix-signal/container_registry
+matrix_mautrix_signal_docker_image: "dock.mau.dev/tulir/mautrix-signal:latest"
+matrix_mautrix_signal_docker_image_force_pull: "{{ matrix_mautrix_signal_docker_image.endswith(':latest') }}"
+
+matrix_mautrix_signal_daemon_docker_image: "dock.mau.dev/maunium/signald:latest"
+matrix_mautrix_signal_daemon_docker_image_force_pull: "{{ matrix_mautrix_signal_daemon_docker_image.endswith(':latest') }}"
+
+matrix_mautrix_signal_base_path: "{{ matrix_base_data_path }}/mautrix-signal"
+matrix_mautrix_signal_config_path: "{{ matrix_mautrix_signal_base_path }}/bridge"
+matrix_mautrix_signal_daemon_path: "{{ matrix_mautrix_signal_base_path }}/signald"
+
+matrix_mautrix_signal_homeserver_address: ''
+matrix_mautrix_signal_homeserver_domain: ''
+matrix_mautrix_signal_appservice_address: 'http://matrix-mautrix-signal:29328'
+
+# Controls whether the matrix-mautrix-signal container exposes its port (tcp/29328 in the container).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9006"), or empty string to not expose.
+matrix_mautrix_signal_container_http_host_bind_port: ''
+
+# A list of extra arguments to pass to the container
+matrix_mautrix_signal_container_extra_arguments: []
+
+# List of systemd services that matrix-mautrix-signal.service depends on.
+# TODO: unclear whether to put this into group_vars or keep it here
+matrix_mautrix_signal_systemd_required_services_list:
+  - 'docker.service'
+  - "{{ 'matrix-synapse.service' if matrix_synapse_enabled else [] }}"
+  - 'matrix-mautrix-signal-daemon.service'
+  - 'matrix-mautrix-signal-db.service'
+
+# List of systemd services that matrix-mautrix-signal.service wants
+matrix_mautrix_signal_systemd_wanted_services_list: []
+
+matrix_mautrix_signal_appservice_token: ''
+matrix_mautrix_signal_homeserver_token: ''
+
+matrix_mautrix_signal_db_docker_image: "postgres:13.0-alpine"
+matrix_mautrix_signal_db_docker_image_force_pull: "{{ matrix_mautrix_signal_db_docker_image.endswith(':latest') }}"
+matrix_mautrix_signal_db_storage_path: "{{ matrix_mautrix_signal_base_path }}/database"
+
+matrix_mautrix_signal_db_user: ''
+matrix_mautrix_signal_db_password: ''
+matrix_mautrix_signal_db_host: 'matrix-mautrix-signal-db'
+matrix_mautrix_signal_db_port: '5432'
+matrix_mautrix_signal_db_database: ''
+
+matrix_mautrix_signal_db_url: "postgres://{{ matrix_mautrix_signal_db_user }}:{{ matrix_mautrix_signal_db_password }}@{{ matrix_mautrix_signal_db_host }}:{{ matrix_mautrix_signal_db_port }}/{{ matrix_mautrix_signal_db_database }}"
+
+# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
+matrix_mautrix_signal_login_shared_secret: ''
+
+# Default configuration template which covers the generic use case.
+# You can customize it by controlling the various variables inside it.
+#
+# For a more advanced customization, you can extend the default (see `matrix_mautrix_signal_configuration_extension_yaml`)
+# or completely replace this variable with your own template.
+matrix_mautrix_signal_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"
+
+# Permitted values:
+#       user - Use the bridge with puppeting.
+#      admin - Use and administrate the bridge.
+# Permitted keys:
+#        * - All Matrix users
+#   domain - All users on that homeserver
+#     mxid - Specific user
+matrix_mautrix_signal_configuration_permissions: []
+
+matrix_mautrix_signal_configuration_extension_yaml: |
+  # Your custom YAML configuration goes here.
+  # This configuration extends the default starting configuration (`matrix_mautrix_signal_configuration_yaml`).
+  #
+  # You can override individual variables from the default configuration, or introduce new ones.
+  #
+  # If you need something more special, you can take full control by
+  # completely redefining `matrix_mautrix_signal_configuration_yaml`.
+
+matrix_mautrix_signal_configuration_extension: "{{ matrix_mautrix_signal_configuration_extension_yaml|from_yaml if matrix_mautrix_signal_configuration_extension_yaml|from_yaml is mapping else {} }}"
+
+# Holds the final configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `matrix_mautrix_signal_configuration_yaml`.
+matrix_mautrix_signal_configuration: "{{ matrix_mautrix_signal_configuration_yaml|from_yaml|combine(matrix_mautrix_signal_configuration_extension, recursive=True) }}"
+
+matrix_mautrix_signal_registration_yaml: "{{ lookup('template', 'templates/registration.yaml.j2') }}"
+
+matrix_mautrix_signal_registration: "{{ matrix_mautrix_signal_registration_yaml|from_yaml }}"

roles/matrix-bridge-mautrix-signal/tasks/init.yml

@@ -0,0 +1,16 @@
+- set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-signal', 'matrix-mautrix-signal-daemon'] }}"
+  when: matrix_mautrix_signal_enabled|bool
+
+# If the matrix-synapse role is not used, these variables may not exist.
+- set_fact:
+    matrix_synapse_container_extra_arguments: >
+      {{ matrix_synapse_container_extra_arguments|default([]) }}
+      +
+      ["--mount type=bind,src={{ matrix_mautrix_signal_config_path }}/registration.yaml,dst=/matrix-mautrix-signal-registration.yaml,ro"]
+
+    matrix_synapse_app_service_config_files: >
+      {{ matrix_synapse_app_service_config_files|default([]) }}
+      +
+      {{ ["/matrix-mautrix-signal-registration.yaml"] }}
+  when: matrix_mautrix_signal_enabled|bool

roles/matrix-bridge-mautrix-signal/tasks/main.yml

@@ -0,0 +1,21 @@
+- import_tasks: "{{ role_path }}/tasks/init.yml"
+  tags:
+    - always
+
+- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
+  when: "run_setup|bool and matrix_mautrix_signal_enabled|bool"
+  tags:
+    - setup-all
+    - setup-mautrix-signal
+
+- import_tasks: "{{ role_path }}/tasks/setup_install.yml"
+  when: "run_setup|bool and matrix_mautrix_signal_enabled|bool"
+  tags:
+    - setup-all
+    - setup-mautrix-signal
+
+- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
+  when: "run_setup|bool and not matrix_mautrix_signal_enabled|bool"
+  tags:
+    - setup-all
+    - setup-mautrix-signal

roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml

@@ -0,0 +1,85 @@
+---
+
+# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist.
+# We don't want to fail in such cases.
+- name: Fail if matrix-synapse role already executed
+  fail:
+    msg: >-
+      The matrix-bridge-mautrix-signal role needs to execute before the matrix-synapse role.
+  when: "matrix_synapse_role_executed|default(False)"
+
+- name: Ensure Mautrix Signal image is pulled
+  docker_image:
+    name: "{{ matrix_mautrix_signal_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_mautrix_signal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_docker_image_force_pull }}"
+
+- name: Ensure Mautrix Signal Daemon image is pulled
+  docker_image:
+    name: "{{ matrix_mautrix_signal_daemon_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_mautrix_signal_daemon_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_docker_image_force_pull }}"
+
+- name: Ensure Mautrix Signal database image is pulled
+  docker_image:
+    name: "{{ matrix_mautrix_signal_db_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_mautrix_signal_db_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_docker_image_force_pull }}"
+
+- name: Ensure Mautrix Signal paths exist
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - "{{ matrix_mautrix_signal_base_path }}"
+    - "{{ matrix_mautrix_signal_config_path }}"
+    - "{{ matrix_mautrix_signal_daemon_path }}"
+    - "{{ matrix_mautrix_signal_db_storage_path }}"
+
+- name: Ensure mautrix-signal config.yaml installed
+  copy:
+    content: "{{ matrix_mautrix_signal_configuration|to_nice_yaml }}"
+    dest: "{{ matrix_mautrix_signal_config_path }}/config.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure mautrix-signal registration.yaml installed
+  copy:
+    content: "{{ matrix_mautrix_signal_registration|to_nice_yaml }}"
+    dest: "{{ matrix_mautrix_signal_config_path }}/registration.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure matrix-mautrix-signal-daemon.service installed
+  template:
+    src: "{{ role_path }}/templates/systemd/matrix-mautrix-signal-daemon.service.j2"
+    dest: "{{ matrix_systemd_path }}/matrix-mautrix-signal-daemon.service"
+    mode: 0644
+  register: matrix_mautrix_signal_daemon_systemd_service_result
+
+- name: Ensure matrix-mautrix-signal-db.service installed
+  template:
+    src: "{{ role_path }}/templates/systemd/matrix-mautrix-signal-db.service.j2"
+    dest: "{{ matrix_systemd_path }}/matrix-mautrix-signal-db.service"
+    mode: 0644
+  register: matrix_mautrix_signal_db_systemd_service_result
+
+- name: Ensure matrix-mautrix-signal.service installed
+  template:
+    src: "{{ role_path }}/templates/systemd/matrix-mautrix-signal.service.j2"
+    dest: "{{ matrix_systemd_path }}/matrix-mautrix-signal.service"
+    mode: 0644
+  register: matrix_mautrix_signal_systemd_service_result
+
+- name: Ensure systemd reloaded after matrix-mautrix-signal.service installation
+  service:
+    daemon_reload: yes
+  when: "matrix_mautrix_signal_systemd_service_result.changed or matrix_mautrix_signal_daemon_systemd_service_result.changed or matrix_mautrix_signal_db_systemd_service_result.changed"

roles/matrix-bridge-mautrix-signal/tasks/setup_uninstall.yml

@@ -0,0 +1,64 @@
+---
+
+# Signal database service
+- name: Check existence of matrix-mautrix-signal-db service
+  stat:
+    path: "{{ matrix_systemd_path }}/matrix-mautrix-signal-db.service"
+  register: matrix_mautrix_signal_db_service_stat
+
+- name: Ensure matrix-mautrix-signal-db is stopped
+  service:
+    name: matrix-mautrix-signal-db
+    state: stopped
+    daemon_reload: yes
+  when: "matrix_mautrix_signal_db_service_stat.stat.exists"
+
+- name: Ensure matrix-mautrix-signal-db.service doesn't exist
+  file:
+    path: "{{ matrix_systemd_path }}/matrix-mautrix-signal-db.service"
+    state: absent
+  when: "matrix_mautrix_signal_db_service_stat.stat.exists"
+
+# Signal daemon service
+- name: Check existence of matrix-mautrix-signal-daemon service
+  stat:
+    path: "{{ matrix_systemd_path }}/matrix-mautrix-signal-daemon.service"
+  register: matrix_mautrix_signal_daemon_service_stat
+
+- name: Ensure matrix-mautrix-signal-daemon is stopped
+  service:
+    name: matrix-mautrix-signal-daemon
+    state: stopped
+    daemon_reload: yes
+  when: "matrix_mautrix_signal_daemon_service_stat.stat.exists"
+
+- name: Ensure matrix-mautrix-signal-daemon.service doesn't exist
+  file:
+    path: "{{ matrix_systemd_path }}/matrix-mautrix-signal-daemon.service"
+    state: absent
+  when: "matrix_mautrix_signal_daemon_service_stat.stat.exists"
+
+# Bridge service
+- name: Check existence of matrix-mautrix-signal service
+  stat:
+    path: "{{ matrix_systemd_path }}/matrix-mautrix-signal.service"
+  register: matrix_mautrix_signal_service_stat
+
+- name: Ensure matrix-mautrix-signal is stopped
+  service:
+    name: matrix-mautrix-signal
+    state: stopped
+    daemon_reload: yes
+  when: "matrix_mautrix_signal_service_stat.stat.exists"
+
+- name: Ensure matrix-mautrix-signal.service doesn't exist
+  file:
+    path: "{{ matrix_systemd_path }}/matrix-mautrix-signal.service"
+    state: absent
+  when: "matrix_mautrix_signal_service_stat.stat.exists"
+
+# All services
+- name: Ensure systemd reloaded after matrix-mautrix-signal_X.service removal
+  service:
+    daemon_reload: yes
+  when: "matrix_mautrix_signal_service_stat.stat.exists or matrix_mautrix_signal_daemon_service_stat.stat.exists or matrix_mautrix_signal_db_service_stat.stat.exists"