diff --git a/docs/configuring-playbook-bridge-hookshot.md b/docs/configuring-playbook-bridge-hookshot.md
index ebc75f122..fdf4af00f 100644
--- a/docs/configuring-playbook-bridge-hookshot.md
+++ b/docs/configuring-playbook-bridge-hookshot.md
@@ -25,9 +25,9 @@ Finally, run the playbook (see [installing](installing.md)).
 ### End-to-bridge encryption
-You can enable [experimental encryption](https://matrix-org.github.io/matrix-hookshot/latest/advanced/encryption.html) for Hookshot by adding `matrix_hookshot_experimental_encryption_enabled: true` to your configuration (`vars.yml`) and [executing the playbook](installing.md) again.
+You can enable [encryption](https://matrix-org.github.io/matrix-hookshot/latest/advanced/encryption.html) for Hookshot by adding `matrix_hookshot_encryption_enabled: true` to your configuration (`vars.yml`) and [executing the playbook](installing.md) again.
-Should the crypto store be corrupted, you can reset it by executing this Ansible playbook with the tag `reset-hookshot-encryption` added, for example `ansible-playbook -i inventory/hosts setup.yml -K --tags=reset-hookshot-encryption`.
+Should the crypto store be corrupted, you can reset it by executing this Ansible playbook with the tag `reset-hookshot-encryption` added, for example `ansible-playbook -i inventory/hosts setup.yml --tags=reset-hookshot-encryption`.
 ## Usage
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 86572a0f9..b2a1e148d 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -4403,7 +4403,7 @@ ntfy_visitor_request_limit_exempt_hosts_hostnames_auto: |
 # ######################################################################
-redis_enabled: "{{ not (keydb_enabled or valkey_enabled) and (matrix_synapse_workers_enabled or (matrix_hookshot_enabled and matrix_hookshot_experimental_encryption_enabled)) }}"
+redis_enabled: "{{ not (keydb_enabled or valkey_enabled) and (matrix_synapse_workers_enabled or (matrix_hookshot_enabled and matrix_hookshot_encryption_enabled)) }}"
 redis_identifier: matrix-redis
@@ -4455,7 +4455,7 @@ keydb_arch: |-
 # ######################################################################
-valkey_enabled: "{{ matrix_synapse_workers_enabled or (matrix_hookshot_enabled and matrix_hookshot_experimental_encryption_enabled) }}"
+valkey_enabled: "{{ matrix_synapse_workers_enabled or (matrix_hookshot_enabled and matrix_hookshot_encryption_enabled) }}"
 valkey_identifier: matrix-valkey
diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml
index d36dfd7a9..88542d9ee 100644
--- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml
+++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml
@@ -17,10 +17,10 @@ matrix_hookshot_container_additional_networks_auto: []
 matrix_hookshot_container_additional_networks_custom: []
 # renovate: datasource=docker depName=halfshot/matrix-hookshot
-matrix_hookshot_version: 5.4.1
+matrix_hookshot_version: 6.0.1
-matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}"
-matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}"
+matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}matrix-org/matrix-hookshot:{{ matrix_hookshot_version }}"
+matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else 'ghcr.io/' }}"
 matrix_hookshot_docker_image_force_pull: "{{ matrix_hookshot_docker_image.endswith(':latest') }}"
 matrix_hookshot_base_path: "{{ matrix_base_data_path }}/hookshot"
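Review bot: The `# renovate: datasource=docker depName=halfshot/matrix-hookshot` comment kept above `matrix_hookshot_version` still names the Docker Hub repository, while `matrix_hookshot_docker_image` now resolves to `ghcr.io/matrix-org/matrix-hookshot`, so automated version bumps would be sourced from a different image than the one actually pulled and deployed. Point the annotation at the registry-qualified name of the deployed image, `# renovate: datasource=docker depName=ghcr.io/matrix-org/matrix-hookshot`. Separately, hard-coding `'ghcr.io/'` in `matrix_hookshot_docker_image_name_prefix` drops the previous `matrix_container_global_registry_prefix` fallback, so operators who mirror images through a private or pull-through registry lose the ability to redirect this pull; exposing the registry host as its own default (name below is a proposal following the role's `matrix_hookshot_docker_image_*` pattern), `matrix_hookshot_docker_image_registry_prefix: ghcr.io/`, and referencing it from the prefix expression would keep that override path open.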
@@ -46,17 +46,18 @@ matrix_hookshot_appservice_hostname: "{{ matrix_hookshot_public_hostname }}"
 matrix_hookshot_appservice_endpoint: "{{ matrix_hookshot_public_endpoint }}/_matrix/app"
 # The variables below control the Redis cache parameters.
-# Using caching is required when experimental encryption is enabled (`matrix_hookshot_experimental_encryption_enabled`)
+# Using caching is required when encryption is enabled (`matrix_hookshot_encryption_enabled`)
 # but may also speed up Hookshot startup, etc.
 matrix_hookshot_cache_redis_host: ''
 matrix_hookshot_cache_redis_port: "6379"
 matrix_hookshot_cache_redisUri: "{{ ('redis://' + matrix_hookshot_cache_redis_host + ':' + matrix_hookshot_cache_redis_port) if matrix_hookshot_cache_redis_host else '' }}" # noqa var-naming
-# Controls whether the experimental end-to-bridge encryption support is enabled.
+# Controls whether the end-to-bridge encryption support is enabled.
 # This requires that:
 # - support to also be enabled in the homeserver, see the documentation of Hookshot.
 # - Hookshot to be pointed at a Redis instance via the `matrix_hookshot_cache_redis*` variables.
-matrix_hookshot_experimental_encryption_enabled: false
+# See: https://matrix-org.github.io/matrix-hookshot/latest/advanced/encryption.html
+matrix_hookshot_encryption_enabled: false
 # Controls whether metrics are enabled in the bridge configuration.
 # Enabling them is usually enough for a local (in-container) Prometheus to consume them.
diff --git a/roles/custom/matrix-bridge-hookshot/tasks/validate_config.yml b/roles/custom/matrix-bridge-hookshot/tasks/validate_config.yml
index 33871b77b..de961c186 100644
--- a/roles/custom/matrix-bridge-hookshot/tasks/validate_config.yml
+++ b/roles/custom/matrix-bridge-hookshot/tasks/validate_config.yml
@@ -31,6 +31,7 @@
 - {'old': 'matrix_hookshot_ident', 'new': 'matrix_hookshot_identifier'}
 - {'old': 'matrix_hookshot_queue_host', 'new': 'matrix_hookshot_cache_redis_host'}
 - {'old': 'matrix_hookshot_queue_port', 'new': 'matrix_hookshot_cache_redis_port'}
+ - {'old': 'matrix_hookshot_experimental_encryption_enabled', 'new': 'matrix_hookshot_encryption_enabled'}
 - name: Fail if required Hookshot settings not defined
 ansible.builtin.fail:
@@ -96,7 +97,7 @@
 ansible.builtin.fail:
 msg: >-
 You need to define a required configuration setting (`matrix_hookshot_cache_redis*`) to enable Hookshot encryption.
- when: "matrix_hookshot_experimental_encryption_enabled and matrix_hookshot_cache_redisUri == ''"
+ when: "matrix_hookshot_encryption_enabled and matrix_hookshot_cache_redisUri == ''"
 - name: (Deprecation) Catch and report old metrics usage
 ansible.builtin.fail:
diff --git a/roles/custom/matrix-bridge-hookshot/templates/config.yml.j2 b/roles/custom/matrix-bridge-hookshot/templates/config.yml.j2
index 5f6ab67bf..c476f6b4b 100644
--- a/roles/custom/matrix-bridge-hookshot/templates/config.yml.j2
+++ b/roles/custom/matrix-bridge-hookshot/templates/config.yml.j2
@@ -113,8 +113,8 @@ metrics:
 cache:
 redisUri: {{ matrix_hookshot_cache_redisUri | to_json }}
 {% endif %}
-{% if matrix_hookshot_experimental_encryption_enabled %}
-experimentalEncryption:
+{% if matrix_hookshot_encryption_enabled %}
+encryption:
 storagePath: /data/encryption
 {% endif %}
 logging:
diff --git a/roles/custom/matrix-bridge-hookshot/templates/registration.yml.j2 b/roles/custom/matrix-bridge-hookshot/templates/registration.yml.j2
index 557bd85d6..0f76b1c05 100644
--- a/roles/custom/matrix-bridge-hookshot/templates/registration.yml.j2
+++ b/roles/custom/matrix-bridge-hookshot/templates/registration.yml.j2
@@ -29,8 +29,9 @@ sender_localpart: hookshot
 url: "http://{{ matrix_hookshot_container_url }}:{{ matrix_hookshot_appservice_port }}" # This should match the bridge.port in your config file
 rate_limited: false
-{% if matrix_hookshot_experimental_encryption_enabled %}
+{% if matrix_hookshot_encryption_enabled %}
 de.sorunome.msc2409.push_ephemeral: true
 push_ephemeral: true
 org.matrix.msc3202: true
+org.matrix.msc3202: true
 {% endif %}
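Review bot: The added `org.matrix.msc3202: true` repeats the context line directly above it, so the rendered registration file carries the same mapping key twice inside the `{% if matrix_hookshot_encryption_enabled %}` block. Duplicate keys are invalid under YAML 1.2: a lenient loader on the homeserver side silently keeps the last value, a strict one rejects the registration outright, and the hunk's +1 line count confirms this is a genuine addition rather than a re-indent. If the intent was to advertise an additional appservice capability, the new line should name that key; otherwise drop the added line so the block stays `de.sorunome.msc2409.push_ephemeral: true` / `push_ephemeral: true` / `org.matrix.msc3202: true` as before.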