Merge branch 'master' into bye-bye-nginx-proxy

CHANGELOG.md

@@ -1,3 +1,27 @@
+# 2024-01-13
+
+## matrix-reminder-bot update with more secure (backward-incompatible) default settings
+
+**TLDR**: your updated (to [v0.3.0](https://github.com/anoadragon453/matrix-reminder-bot/releases/tag/v0.3.0)) [matrix-reminder-bot](./docs/configuring-playbook-bot-matrix-reminder-bot.md) is now more secure. By default, like other bridges/bots managed by the playbook, it will only provide its services to users of your own server (not to anyone, even across the Matrix Federation). If that's fine, there's nothing you need to do.
+
+Maintenance of [matrix-reminder-bot](./docs/configuring-playbook-bot-matrix-reminder-bot.md) has been picked up by [Kim Brose](https://github.com/HarHarLinks).
+
+Thanks to Kim, a new [v0.3.0](https://github.com/anoadragon453/matrix-reminder-bot/releases/tag/v0.3.0) release is out. The new version is now available for the ARM64 architecture, so playbook users on this architecture will no longer need to wait for [self-building](./docs/self-building.md) to happen.
+
+The new version also comes with new `allowlist` and `blocklist` settings, which make it possible to restrict who can use the bot. Previously anyone, even across the Matrix Federation could talk to it and schedule reminders.
+
+The playbook defaults all bridges and bots (where possible) to only be exposed to users of the current homeserver, not users across federation.
+Thanks to the new version of this bot making such a restriction possible, we're now making use of it. The playbook (via its `group_vars/matrix_servers` file) automatically enables the `allowlist` (`matrix_bot_matrix_reminder_bot_allowlist_enabled: true`) and configures it in such a way (`matrix_bot_matrix_reminder_bot_allowlist_regexes_auto`) so as to restrict the bot to your homeserver's users.
+
+If you need **to undo or tweak these security improvements**, you can change your `vars.yml` file to:
+
+- disable the allowlist (`matrix_bot_matrix_reminder_bot_allowlist_enabled: false`), making the bot allow usage by anyone, anywhere
+
+- inject additional allowed servers or users by adding **additional** (on top of the default allowlist in `matrix_bot_matrix_reminder_bot_allowlist_regexes_auto`) custom regexes in the `matrix_bot_matrix_reminder_bot_allowlist_regexes_custom` list variable (see the [syntax reference](https://github.com/anoadragon453/matrix-reminder-bot/blob/1e910c0aa3469d280d93ee7e6c6d577227a3460c/sample.config.yaml#L43-L49))
+
+- override the default allowlist (in the `group_vars/matrix_servers` file) by redefining `matrix_bot_matrix_reminder_bot_allowlist_regexes_auto`
+
+
 # 2024-01-05
 
 ## matrix-mailer has been replaced by the exim-relay external role

group_vars/matrix_servers

@@ -2064,9 +2064,11 @@ matrix_bot_matrix_reminder_bot_systemd_required_services_list_auto: |
     +
     ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled and matrix_bot_matrix_reminder_bot_database_hostname == devture_postgres_connection_hostname else [])
   }}
-matrix_bot_matrix_reminder_bot_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
+
+matrix_bot_matrix_reminder_bot_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}"
 
 matrix_bot_matrix_reminder_bot_container_network: "{{ matrix_addons_container_network }}"
+
 matrix_bot_matrix_reminder_bot_container_additional_networks_auto: |-
   {{
     (
@@ -2083,6 +2085,10 @@ matrix_bot_matrix_reminder_bot_database_engine: "{{ 'postgres' if devture_postgr
 matrix_bot_matrix_reminder_bot_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
 matrix_bot_matrix_reminder_bot_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'reminder.bot.db', rounds=655555) | to_uuid }}"
 
+matrix_bot_matrix_reminder_bot_allowlist_enabled: true
+matrix_bot_matrix_reminder_bot_allowlist_regexes_auto:
+  - "@[a-z0-9-_.]+:{{ matrix_domain }}"
+
 ######################################################################
 #
 # /matrix-bot-matrix-reminder-bot

roles/custom/matrix-bot-matrix-reminder-bot/defaults/main.yml

@@ -9,9 +9,10 @@ matrix_bot_matrix_reminder_bot_docker_repo: "https://github.com/anoadragon453/ma
 matrix_bot_matrix_reminder_bot_docker_repo_version: "{{ matrix_bot_matrix_reminder_bot_version }}"
 matrix_bot_matrix_reminder_bot_docker_src_files_path: "{{ matrix_base_data_path }}/matrix-reminder-bot/docker-src"
 
-# renovate: datasource=docker depName=anoa/matrix-reminder-bot
-matrix_bot_matrix_reminder_bot_version: release-v0.2.1
-matrix_bot_matrix_reminder_bot_docker_image: "{{ matrix_container_global_registry_prefix }}anoa/matrix-reminder-bot:{{ matrix_bot_matrix_reminder_bot_version }}"
+# renovate: datasource=docker depName=ghcr.io/anoadragon453/matrix-reminder-bot
+matrix_bot_matrix_reminder_bot_version: v0.3.0
+matrix_bot_matrix_reminder_bot_docker_image: "{{ matrix_bot_matrix_reminder_bot_docker_image_name_prefix }}anoadragon453/matrix-reminder-bot:{{ matrix_bot_matrix_reminder_bot_version }}"
+matrix_bot_matrix_reminder_bot_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_matrix_reminder_bot_container_image_self_build else 'ghcr.io/' }}"
 matrix_bot_matrix_reminder_bot_docker_image_force_pull: "{{ matrix_bot_matrix_reminder_bot_docker_image.endswith(':latest') }}"
 
 matrix_bot_matrix_reminder_bot_base_path: "{{ matrix_base_data_path }}/matrix-reminder-bot"
@@ -82,6 +83,17 @@ matrix_bot_matrix_reminder_bot_matrix_homeserver_url: ""
 # Examples: 'Europe/London', 'Etc/UTC'
 matrix_bot_matrix_reminder_bot_reminders_timezone: ''
 
+matrix_bot_matrix_reminder_bot_allowlist_enabled: false
+matrix_bot_matrix_reminder_bot_allowlist_regexes: "{{ matrix_bot_matrix_reminder_bot_allowlist_regexes_auto + matrix_bot_matrix_reminder_bot_allowlist_regexes_custom }}"
+matrix_bot_matrix_reminder_bot_allowlist_regexes_auto: []
+matrix_bot_matrix_reminder_bot_allowlist_regexes_custom: []
+
+# If both the blocklist and whitelist are enabled at the same time, the blocklist takes precedence.
+matrix_bot_matrix_reminder_bot_blocklist_enabled: false
+matrix_bot_matrix_reminder_bot_blocklist_regexes: "{{ matrix_bot_matrix_reminder_bot_blocklist_regexes_auto + matrix_bot_matrix_reminder_bot_blocklist_regexes_custom }}"
+matrix_bot_matrix_reminder_bot_blocklist_regexes_auto: []
+matrix_bot_matrix_reminder_bot_blocklist_regexes_custom: []
+
 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #

roles/custom/matrix-bot-matrix-reminder-bot/templates/config.yaml.j2

@@ -33,6 +33,33 @@ reminders:
   # If not set, UTC will be used
   timezone: {{ matrix_bot_matrix_reminder_bot_reminders_timezone }}
 
+# Restrict the bot to only respond to certain MXIDs
+allowlist:
+  # Set to true to enable the allowlist
+  enabled: {{ matrix_bot_matrix_reminder_bot_allowlist_enabled | to_json }}
+  # A list of MXID regexes to be allowed
+  # To allow a certain homeserver:
+  #     regexes: ["@[a-z0-9-_.]+:myhomeserver.tld"]
+  # To allow a set of users:
+  #     regexes: ["@alice:someserver.tld", "@bob:anotherserver.tld"]
+  # To allow nobody (same as blocking every MXID):
+  #     regexes: []
+  regexes: {{ matrix_bot_matrix_reminder_bot_allowlist_regexes | to_json }}
+
+# Prevent the bot from responding to certain MXIDs
+# If both allowlist and blocklist are enabled, blocklist entries takes precedence
+blocklist:
+  # Set to true to enable the blocklist
+  enabled: {{ matrix_bot_matrix_reminder_bot_blocklist_enabled | to_json }}
+  # A list of MXID regexes to be blocked
+  # To block a certain homeserver:
+  #     regexes: [".*:myhomeserver.tld"]
+  # To block a set of users:
+  #     regexes: ["@alice:someserver.tld", "@bob:anotherserver.tld"]
+  # To block absolutely everyone (same as allowing nobody):
+  #     regexes: [".*"]
+  regexes: {{ matrix_bot_matrix_reminder_bot_blocklist_regexes | to_json }}
+
 # Logging setup
 logging:
   # Logging level