Added a role for the bridge mautrix-signal #686
Merged
Changes from 10 commits (25 commits in total)

Commits:
69efcb5 laszabine: added mautrix-signal role
7a54e11 laszabine: started moving settings to group_vars
d6940d9 laszabine: added docs
ff1d792 laszabine: moved registration.yaml contents to template
9b890e9 laszabine: moved some settings from role to group_vars
8ebc39d laszabine: fixed dependencies of bridge service (not ideal, but correct)
c36e135 laszabine: cleanup
e59aa07 laszabine: more cleanup
2211e67 laszabine: fixed comments that were copied over from mautrix-telegram role
dd50ee1 laszabine: fixed bridge permissions
468cc39 laszabine: added a workaround for postgres's issue with initdb
aabefe2 laszabine: fixed yaml
cea2faa laszabine: added docs for bridge permissions
77b04b2 laszabine: Merge pull request #2 from spantaleev/master
19d030b laszabine: Merge pull request #3 from spantaleev/master
a06c58c laszabine: Merge branch 'master' into signal
ffb837d laszabine: made the bridge use the default postgres db
89f7f3c laszabine: added log level configuration
56af2b1 laszabine: small fixes
84cac25 laszabine: added config data_dir (else in ~, which isn't set)
df8d9cf spantaleev: Remove some TODOs
aac4006 spantaleev: Announce mautrix-signal bridge
da2a668 spantaleev: Get rid of matrix_mautrix_signal_configuration_permissions
274f23f spantaleev: Make matrix-mautrix-signal-daemon.service depend on docker.service
3b524ee spantaleev: Make mautrix-signal bridge not log to files
@@ -0,0 +1,59 @@ | ||
# Setting up Mautrix Signal (optional) | ||
|
||
The playbook can install and configure [mautrix-signal](https://github.com/tulir/mautrix-signal) for you. | ||
|
||
See the project's [documentation](https://github.com/tulir/mautrix-signal/wiki) to learn what it does and why it might be useful to you. | ||
|
||
Use the following playbook configuration: | ||
|
||
```yaml | ||
matrix_mautrix_signal_enabled: true | ||
``` | ||
|
||
To specify which users have access to the bridge, use the variable `matrix_mautrix_signal_configuration_permissions`. | ||
Refer to the documentation for | ||
```yaml | ||
bridge: | ||
permissions: | ||
``` | ||
in [the example config in mautrix-signal](https://github.com/tulir/mautrix-signal/blob/master/mautrix_signal/example-config.yaml). | ||
For instance, use | ||
```yaml | ||
matrix_mautrix_signal_configuration_permissions: | ||
"YOUR_DOMAIN": user | ||
``` | ||
to allow all users registered to `YOUR_DOMAIN` access to the bridge (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain). | ||
|
||
|
||
## Set up Double Puppeting | ||
|
||
If you'd like to use [Double Puppeting](https://github.com/tulir/mautrix-whatsapp/wiki/Authentication#replacing-whatsapp-accounts-matrix-puppet-with-matrix-account) (hint: you most likely do), you have 2 ways of going about it. | ||
|
||
### Method 1: automatically, by enabling Shared Secret Auth | ||
|
||
The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook. | ||
|
||
This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future. | ||
|
||
### Method 2: manually, by asking each user to provide a working access token | ||
|
||
**Note**: This method for enabling Double Puppeting can be configured only after you've already set up bridging (see [Usage](#usage)). | ||
|
||
When using this method, **each user** that wishes to enable Double Puppeting needs to follow the following steps: | ||
|
||
- retrieve a Matrix access token for yourself. You can use the following command: | ||
|
||
``` | ||
curl \ | ||
--data '{"identifier": {"type": "m.id.user", "user": "YOUR_MATRIX_USERNAME" }, "password": "YOUR_MATRIX_PASSWORD", "type": "m.login.password", "device_id": "Mautrix-Signal", "initial_device_display_name": "Mautrix-Signal"}' \ | ||
https://matrix.DOMAIN/_matrix/client/r0/login | ||
``` | ||
|
||
- send the access token to the bot. Example: `login-matrix MATRIX_ACCESS_TOKEN_HERE` | ||
|
||
- make sure you don't log out the `Mautrix-Signal` device some time in the future, as that would break the Double Puppeting feature | ||
|
||
|
||
## Usage | ||
|
||
You then need to start a chat with `@signalbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain). |
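Review bot: the Method 2 curl command against `https://matrix.DOMAIN/_matrix/client/r0/login` puts the user's Matrix password on the command line, where it ends up in shell history; the docs should say plainly that Method 1 (Shared Secret Auth) avoids handling user passwords at all and that users who take Method 2 should not leave the command in their history. The Double Puppeting link also points at the mautrix-whatsapp wiki although this page documents the Signal bridge. Finally, the permissions example `"YOUR_DOMAIN": user` grants every account on the homeserver bridge access; the text should state what the default in the role is (the defaults file in this PR sets `matrix_mautrix_signal_configuration_permissions: []`), so admins know the variable must be set for anyone to use the bridge.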
@@ -0,0 +1,91 @@ | ||
# mautrix-signal is a Matrix <-> Signal bridge | ||
# See: https://github.com/tulir/mautrix-signal | ||
|
||
matrix_mautrix_signal_enabled: true | ||
|
||
# See: https://mau.dev/tulir/mautrix-signal/container_registry | ||
matrix_mautrix_signal_docker_image: "dock.mau.dev/tulir/mautrix-signal:latest" | ||
matrix_mautrix_signal_docker_image_force_pull: "{{ matrix_mautrix_signal_docker_image.endswith(':latest') }}" | ||
|
||
matrix_mautrix_signal_daemon_docker_image: "dock.mau.dev/maunium/signald:latest" | ||
matrix_mautrix_signal_daemon_docker_image_force_pull: "{{ matrix_mautrix_signal_daemon_docker_image.endswith(':latest') }}" | ||
|
||
matrix_mautrix_signal_base_path: "{{ matrix_base_data_path }}/mautrix-signal" | ||
matrix_mautrix_signal_config_path: "{{ matrix_mautrix_signal_base_path }}/bridge" | ||
matrix_mautrix_signal_daemon_path: "{{ matrix_mautrix_signal_base_path }}/signald" | ||
|
||
matrix_mautrix_signal_homeserver_address: '' | ||
matrix_mautrix_signal_homeserver_domain: '' | ||
matrix_mautrix_signal_appservice_address: 'http://matrix-mautrix-signal:29328' | ||
|
||
# Controls whether the matrix-mautrix-signal container exposes its port (tcp/29328 in the container). | ||
# | ||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9006"), or empty string to not expose. | ||
matrix_mautrix_signal_container_http_host_bind_port: '' | ||
|
||
# A list of extra arguments to pass to the container | ||
matrix_mautrix_signal_container_extra_arguments: [] | ||
|
||
# List of systemd services that matrix-mautrix-signal.service depends on. | ||
# TODO: unclear whether to put this into group_vars or keep it here | ||
matrix_mautrix_signal_systemd_required_services_list: | ||
- 'docker.service' | ||
- "{{ 'matrix-synapse.service' if matrix_synapse_enabled else [] }}" | ||
- 'matrix-mautrix-signal-daemon.service' | ||
- 'matrix-mautrix-signal-db.service' | ||
|
||
# List of systemd services that matrix-mautrix-signal.service wants | ||
matrix_mautrix_signal_systemd_wanted_services_list: [] | ||
|
||
matrix_mautrix_signal_appservice_token: '' | ||
matrix_mautrix_signal_homeserver_token: '' | ||
|
||
matrix_mautrix_signal_db_docker_image: "postgres:13.0-alpine" | ||
matrix_mautrix_signal_db_docker_image_force_pull: "{{ matrix_mautrix_signal_db_docker_image.endswith(':latest') }}" | ||
matrix_mautrix_signal_db_storage_path: "{{ matrix_mautrix_signal_base_path }}/database" | ||
|
||
matrix_mautrix_signal_db_user: '' | ||
matrix_mautrix_signal_db_password: '' | ||
matrix_mautrix_signal_db_host: 'matrix-mautrix-signal-db' | ||
matrix_mautrix_signal_db_port: '5432' | ||
matrix_mautrix_signal_db_database: '' | ||
|
||
matrix_mautrix_signal_db_url: "postgres://{{ matrix_mautrix_signal_db_user }}:{{ matrix_mautrix_signal_db_password }}@{{ matrix_mautrix_signal_db_host }}:{{ matrix_mautrix_signal_db_port }}/{{ matrix_mautrix_signal_db_database }}" | ||
|
||
# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). | ||
matrix_mautrix_signal_login_shared_secret: '' | ||
|
||
# Default configuration template which covers the generic use case. | ||
# You can customize it by controlling the various variables inside it. | ||
# | ||
# For a more advanced customization, you can extend the default (see `matrix_mautrix_signal_configuration_extension_yaml`) | ||
# or completely replace this variable with your own template. | ||
matrix_mautrix_signal_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" | ||
|
||
# Permitted values: | ||
# user - Use the bridge with puppeting. | ||
# admin - Use and administrate the bridge. | ||
# Permitted keys: | ||
# * - All Matrix users | ||
# domain - All users on that homeserver | ||
# mxid - Specific user | ||
matrix_mautrix_signal_configuration_permissions: [] | ||
|
||
matrix_mautrix_signal_configuration_extension_yaml: | | ||
# Your custom YAML configuration goes here. | ||
# This configuration extends the default starting configuration (`matrix_mautrix_signal_configuration_yaml`). | ||
# | ||
# You can override individual variables from the default configuration, or introduce new ones. | ||
# | ||
# If you need something more special, you can take full control by | ||
# completely redefining `matrix_mautrix_signal_configuration_yaml`. | ||
|
||
matrix_mautrix_signal_configuration_extension: "{{ matrix_mautrix_signal_configuration_extension_yaml|from_yaml if matrix_mautrix_signal_configuration_extension_yaml|from_yaml is mapping else {} }}" | ||
|
||
# Holds the final configuration (a combination of the default and its extension). | ||
# You most likely don't need to touch this variable. Instead, see `matrix_mautrix_signal_configuration_yaml`. | ||
matrix_mautrix_signal_configuration: "{{ matrix_mautrix_signal_configuration_yaml|from_yaml|combine(matrix_mautrix_signal_configuration_extension, recursive=True) }}" | ||
|
||
matrix_mautrix_signal_registration_yaml: "{{ lookup('template', 'templates/registration.yaml.j2') }}" | ||
|
||
matrix_mautrix_signal_registration: "{{ matrix_mautrix_signal_registration_yaml|from_yaml }}" |
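Review bot: `matrix_mautrix_signal_configuration_permissions: []` is an empty list, but the comment above it describes keys (`*`, a domain, an mxid) mapped to `user` or `admin`, which is a mapping; with a list default the rendered `bridge.permissions` block is not the shape the bridge expects (the thread below reports the container does not start until the value is changed), so the default should be `{}` or a mapping keyed by the homeserver domain. Separately, `matrix_mautrix_signal_appservice_token`, `matrix_mautrix_signal_homeserver_token`, `matrix_mautrix_signal_db_user` and `matrix_mautrix_signal_db_password` all default to `''`, and nothing in this hunk stops an empty token or password from being interpolated into `matrix_mautrix_signal_db_url` and the config; validate_config.yml should fail on empty values for these.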
@@ -0,0 +1,16 @@ | ||
- set_fact: | ||
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-signal', 'matrix-mautrix-signal-daemon'] }}" | ||
when: matrix_mautrix_signal_enabled|bool | ||
|
||
# If the matrix-synapse role is not used, these variables may not exist. | ||
- set_fact: | ||
matrix_synapse_container_extra_arguments: > | ||
{{ matrix_synapse_container_extra_arguments|default([]) }} | ||
+ | ||
["--mount type=bind,src={{ matrix_mautrix_signal_config_path }}/registration.yaml,dst=/matrix-mautrix-signal-registration.yaml,ro"] | ||
|
||
matrix_synapse_app_service_config_files: > | ||
{{ matrix_synapse_app_service_config_files|default([]) }} | ||
+ | ||
{{ ["/matrix-mautrix-signal-registration.yaml"] }} | ||
when: matrix_mautrix_signal_enabled|bool |
@@ -0,0 +1,21 @@ | ||
- import_tasks: "{{ role_path }}/tasks/init.yml" | ||
tags: | ||
- always | ||
|
||
- import_tasks: "{{ role_path }}/tasks/validate_config.yml" | ||
when: "run_setup|bool and matrix_mautrix_signal_enabled|bool" | ||
tags: | ||
- setup-all | ||
- setup-mautrix-signal | ||
|
||
- import_tasks: "{{ role_path }}/tasks/setup_install.yml" | ||
when: "run_setup|bool and matrix_mautrix_signal_enabled|bool" | ||
tags: | ||
- setup-all | ||
- setup-mautrix-signal | ||
|
||
- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" | ||
when: "run_setup|bool and not matrix_mautrix_signal_enabled|bool" | ||
tags: | ||
- setup-all | ||
- setup-mautrix-signal |
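Review bot: `tasks/validate_config.yml` is imported here but is not among the files shown in this diff view, so it should be confirmed to exist and to reject the values the defaults leave as `''` (the appservice and homeserver tokens and the database user and password) before setup_install.yml writes them into config.yaml and the database URL; the `when: "run_setup|bool and matrix_mautrix_signal_enabled|bool"` guard and the `setup-all` / `setup-mautrix-signal` tags match the other bridge roles.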
roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml (85 additions & 0 deletions)
@@ -0,0 +1,85 @@ | ||
--- | ||
|
||
# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist. | ||
# We don't want to fail in such cases. | ||
- name: Fail if matrix-synapse role already executed | ||
fail: | ||
msg: >- | ||
The matrix-bridge-mautrix-signal role needs to execute before the matrix-synapse role. | ||
when: "matrix_synapse_role_executed|default(False)" | ||
|
||
- name: Ensure Mautrix Signal image is pulled | ||
docker_image: | ||
name: "{{ matrix_mautrix_signal_docker_image }}" | ||
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" | ||
force_source: "{{ matrix_mautrix_signal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" | ||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_docker_image_force_pull }}" | ||
|
||
- name: Ensure Mautrix Signal Daemon image is pulled | ||
docker_image: | ||
name: "{{ matrix_mautrix_signal_daemon_docker_image }}" | ||
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" | ||
force_source: "{{ matrix_mautrix_signal_daemon_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" | ||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_docker_image_force_pull }}" | ||
|
||
- name: Ensure Mautrix Signal database image is pulled | ||
docker_image: | ||
name: "{{ matrix_mautrix_signal_db_docker_image }}" | ||
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" | ||
force_source: "{{ matrix_mautrix_signal_db_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" | ||
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_docker_image_force_pull }}" | ||
|
||
- name: Ensure Mautrix Signal paths exist | ||
file: | ||
path: "{{ item }}" | ||
state: directory | ||
mode: 0750 | ||
owner: "{{ matrix_user_username }}" | ||
group: "{{ matrix_user_groupname }}" | ||
with_items: | ||
- "{{ matrix_mautrix_signal_base_path }}" | ||
- "{{ matrix_mautrix_signal_config_path }}" | ||
- "{{ matrix_mautrix_signal_daemon_path }}" | ||
- "{{ matrix_mautrix_signal_db_storage_path }}" | ||
|
||
- name: Ensure mautrix-signal config.yaml installed | ||
copy: | ||
content: "{{ matrix_mautrix_signal_configuration|to_nice_yaml }}" | ||
dest: "{{ matrix_mautrix_signal_config_path }}/config.yaml" | ||
mode: 0644 | ||
owner: "{{ matrix_user_username }}" | ||
group: "{{ matrix_user_groupname }}" | ||
|
||
- name: Ensure mautrix-signal registration.yaml installed | ||
copy: | ||
content: "{{ matrix_mautrix_signal_registration|to_nice_yaml }}" | ||
dest: "{{ matrix_mautrix_signal_config_path }}/registration.yaml" | ||
mode: 0644 | ||
owner: "{{ matrix_user_username }}" | ||
group: "{{ matrix_user_groupname }}" | ||
|
||
- name: Ensure matrix-mautrix-signal-daemon.service installed | ||
template: | ||
src: "{{ role_path }}/templates/systemd/matrix-mautrix-signal-daemon.service.j2" | ||
dest: "{{ matrix_systemd_path }}/matrix-mautrix-signal-daemon.service" | ||
mode: 0644 | ||
register: matrix_mautrix_signal_daemon_systemd_service_result | ||
|
||
- name: Ensure matrix-mautrix-signal-db.service installed | ||
template: | ||
src: "{{ role_path }}/templates/systemd/matrix-mautrix-signal-db.service.j2" | ||
dest: "{{ matrix_systemd_path }}/matrix-mautrix-signal-db.service" | ||
mode: 0644 | ||
register: matrix_mautrix_signal_db_systemd_service_result | ||
|
||
- name: Ensure matrix-mautrix-signal.service installed | ||
template: | ||
src: "{{ role_path }}/templates/systemd/matrix-mautrix-signal.service.j2" | ||
dest: "{{ matrix_systemd_path }}/matrix-mautrix-signal.service" | ||
mode: 0644 | ||
register: matrix_mautrix_signal_systemd_service_result | ||
|
||
- name: Ensure systemd reloaded after matrix-mautrix-signal.service installation | ||
service: | ||
daemon_reload: yes | ||
when: "matrix_mautrix_signal_systemd_service_result.changed or matrix_mautrix_signal_daemon_systemd_service_result.changed or matrix_mautrix_signal_db_systemd_service_result.changed" |
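Review bot: the `force:` line in the "Ensure Mautrix Signal Daemon image is pulled" and "Ensure Mautrix Signal database image is pulled" tasks references `matrix_mautrix_signal_docker_image_force_pull` instead of `matrix_mautrix_signal_daemon_docker_image_force_pull` and `matrix_mautrix_signal_db_docker_image_force_pull`, so on Ansible older than 2.8 the daemon and database images are force-pulled according to the bridge image's tag (a copy-paste slip from the first task). Also, config.yaml is written with `mode: 0644` although it presumably carries the appservice and homeserver tokens, the database URL with its password and `matrix_mautrix_signal_login_shared_secret` from the defaults; `0640` with the matrix user and group, matching the `0750` already used for the directories, keeps other local accounts from reading it.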
roles/matrix-bridge-mautrix-signal/tasks/setup_uninstall.yml (64 additions & 0 deletions)
@@ -0,0 +1,64 @@ | ||
--- | ||
|
||
# Signal database service | ||
- name: Check existence of matrix-mautrix-signal-db service | ||
stat: | ||
path: "{{ matrix_systemd_path }}/matrix-mautrix-signal-db.service" | ||
register: matrix_mautrix_signal_db_service_stat | ||
|
||
- name: Ensure matrix-mautrix-signal-db is stopped | ||
service: | ||
name: matrix-mautrix-signal-db | ||
state: stopped | ||
daemon_reload: yes | ||
when: "matrix_mautrix_signal_db_service_stat.stat.exists" | ||
|
||
- name: Ensure matrix-mautrix-signal-db.service doesn't exist | ||
file: | ||
path: "{{ matrix_systemd_path }}/matrix-mautrix-signal-db.service" | ||
state: absent | ||
when: "matrix_mautrix_signal_db_service_stat.stat.exists" | ||
|
||
# Signal daemon service | ||
- name: Check existence of matrix-mautrix-signal-daemon service | ||
stat: | ||
path: "{{ matrix_systemd_path }}/matrix-mautrix-signal-daemon.service" | ||
register: matrix_mautrix_signal_daemon_service_stat | ||
|
||
- name: Ensure matrix-mautrix-signal-daemon is stopped | ||
service: | ||
name: matrix-mautrix-signal-daemon | ||
state: stopped | ||
daemon_reload: yes | ||
when: "matrix_mautrix_signal_daemon_service_stat.stat.exists" | ||
|
||
- name: Ensure matrix-mautrix-signal-daemon.service doesn't exist | ||
file: | ||
path: "{{ matrix_systemd_path }}/matrix-mautrix-signal-daemon.service" | ||
state: absent | ||
when: "matrix_mautrix_signal_daemon_service_stat.stat.exists" | ||
|
||
# Bridge service | ||
- name: Check existence of matrix-mautrix-signal service | ||
stat: | ||
path: "{{ matrix_systemd_path }}/matrix-mautrix-signal.service" | ||
register: matrix_mautrix_signal_service_stat | ||
|
||
- name: Ensure matrix-mautrix-signal is stopped | ||
service: | ||
name: matrix-mautrix-signal | ||
state: stopped | ||
daemon_reload: yes | ||
when: "matrix_mautrix_signal_service_stat.stat.exists" | ||
|
||
- name: Ensure matrix-mautrix-signal.service doesn't exist | ||
file: | ||
path: "{{ matrix_systemd_path }}/matrix-mautrix-signal.service" | ||
state: absent | ||
when: "matrix_mautrix_signal_service_stat.stat.exists" | ||
|
||
# All services | ||
- name: Ensure systemd reloaded after matrix-mautrix-signal_X.service removal | ||
service: | ||
daemon_reload: yes | ||
when: "matrix_mautrix_signal_service_stat.stat.exists or matrix_mautrix_signal_daemon_service_stat.stat.exists or matrix_mautrix_signal_db_service_stat.stat.exists" |
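Review bot: the services are stopped in the order database, daemon, bridge, which is the reverse of their dependency (`matrix_mautrix_signal_systemd_required_services_list` in the defaults makes the bridge depend on the daemon and database services); stopping the bridge first, then the daemon, then the database avoids the bridge running against a vanished database during uninstall. The task name "Ensure systemd reloaded after matrix-mautrix-signal_X.service removal" also reads like a leftover placeholder. The data directories under `matrix_mautrix_signal_base_path` are not removed; if that is intended (keeping the Signal session data), a comment saying so would help.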
I suggest making it the default configuration that only users from YOUR_DOMAIN can access the bridge.

PS: I'm looking forward to using this bridge.

Hi, thanks for commenting! I thought about doing that, but then I thought, perhaps some admins consider this setting too liberal: what if you don't want all the users registered to your domain to be able to use the bridge? Having no default permissions at all is safer, but may be annoying if you forget to adapt. But maybe I'm too paranoid, and it's reasonable to assume that what you suggest will work for the vast majority of admins.

The container will not start if you forget to adapt. I think it should be at least working. I think "[]" is not valid yaml?

Absolutely. Fixed it, and added documentation for how one can get what @ebbertd proposed.