From d43f03bbca24ca63145cae2957f25063b213c760 Mon Sep 17 00:00:00 2001 From: Benjamin Blacher Date: Fri, 17 Oct 2025 21:28:17 +0200 Subject: [PATCH] Add support for bridge self signing This also moves msc4190 to the correct section for twitter --- roles/custom/matrix-base/defaults/main.yml | 3 +++ .../matrix-bridge-mautrix-bluesky/defaults/main.yml | 1 + .../templates/config.yaml.j2 | 3 +++ .../defaults/main.yml | 1 + .../templates/config.yaml.j2 | 3 +++ .../defaults/main.yml | 1 + .../templates/config.yaml.j2 | 3 +++ .../defaults/main.yml | 1 + .../templates/config.yaml.j2 | 3 +++ .../matrix-bridge-mautrix-signal/defaults/main.yml | 1 + .../templates/config.yaml.j2 | 3 +++ .../matrix-bridge-mautrix-slack/defaults/main.yml | 1 + .../templates/config.yaml.j2 | 3 +++ .../matrix-bridge-mautrix-twitter/defaults/main.yml | 1 + .../templates/config.yaml.j2 | 13 ++++++++----- .../defaults/main.yml | 1 + .../templates/config.yaml.j2 | 3 +++ 17 files changed, 40 insertions(+), 5 deletions(-) diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index 406cd9af0..f54e1e201 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml @@ -51,6 +51,9 @@ matrix_bridges_encryption_default: "{{ matrix_bridges_encryption_enabled }}" # Global var for enabling msc4190 ( On supported bridges) matrix_bridges_msc4190_enabled: "{{ matrix_authentication_service_enabled and matrix_bridges_encryption_enabled and matrix_synapse_experimental_features_msc3202_device_masquerading_enabled }}" +# Global var for enabling bridge self-signing ( On supported bridges) +matrix_bridges_self_sign_enabled: "{{ matrix_bridges_msc4190_enabled }}" + # Global var to enable/disable relay mode across all bridges with relay mode support matrix_bridges_relay_enabled: false diff --git a/roles/custom/matrix-bridge-mautrix-bluesky/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-bluesky/defaults/main.yml index d35fc8cfb..d1b63aeb6 100644 --- a/roles/custom/matrix-bridge-mautrix-bluesky/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-bluesky/defaults/main.yml @@ -35,6 +35,7 @@ matrix_mautrix_bluesky_homeserver_domain: '{{ matrix_domain }}' matrix_mautrix_bluesky_appservice_address: 'http://matrix-mautrix-bluesky:29340' matrix_mautrix_bluesky_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}" +matrix_mautrix_bluesky_self_sign_enabled: "{{ matrix_bridges_self_sign_enabled }}" # A public address that external services can use to reach this appservice. matrix_mautrix_bluesky_appservice_public_address: '' diff --git a/roles/custom/matrix-bridge-mautrix-bluesky/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-bluesky/templates/config.yaml.j2 index 03ea60d2d..7fbac01d8 100644 --- a/roles/custom/matrix-bridge-mautrix-bluesky/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-bluesky/templates/config.yaml.j2 @@ -359,6 +359,9 @@ encryption: # Only relevant when using end-to-bridge encryption, required when using encryption with next-gen auth (MSC3861). # Changing this option requires updating the appservice registration file. msc4190: {{ matrix_mautrix_bluesky_msc4190_enabled | to_json }} + # Whether to enable self-signing for bridges (Only the bridge bot uses this for now) + # Requires msc4190 to replace keys on reset + self_sign: {{ matrix_mautrix_bluesky_self_sign_enabled | to_json }} # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. # You must use a client that supports requesting keys from other users to use this feature. allow_key_sharing: {{ matrix_mautrix_bluesky_bridge_encryption_key_sharing_allow | to_json }} diff --git a/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml index f966758ae..95b581456 100644 --- a/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml @@ -40,6 +40,7 @@ matrix_mautrix_gmessages_homeserver_domain: "{{ matrix_domain }}" matrix_mautrix_gmessages_appservice_address: "http://matrix-mautrix-gmessages:8080" matrix_mautrix_gmessages_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}" +matrix_mautrix_gmessages_self_sign_enabled: "{{ matrix_bridges_self_sign_enabled }}" matrix_mautrix_gmessages_backfill_enabled: true matrix_mautrix_gmessages_backfill_max_initial_messages: 50 diff --git a/roles/custom/matrix-bridge-mautrix-gmessages/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-gmessages/templates/config.yaml.j2 index c5a7f96f4..ae87f818d 100644 --- a/roles/custom/matrix-bridge-mautrix-gmessages/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-gmessages/templates/config.yaml.j2 @@ -356,6 +356,9 @@ encryption: # Only relevant when using end-to-bridge encryption, required when using encryption with next-gen auth (MSC3861). # Changing this option requires updating the appservice registration file. msc4190: {{ matrix_mautrix_gmessages_msc4190_enabled | to_json }} + # Whether to enable self-signing for bridges (Only the bridge bot uses this for now) + # Requires msc4190 to replace keys on reset + self_sign: {{ matrix_mautrix_gmessages_self_sign_enabled | to_json }} # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. # You must use a client that supports requesting keys from other users to use this feature. allow_key_sharing: {{ matrix_mautrix_gmessages_bridge_encryption_key_sharing_allow | to_json }} diff --git a/roles/custom/matrix-bridge-mautrix-meta-instagram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-meta-instagram/defaults/main.yml index 2b6eca747..84a63d17b 100644 --- a/roles/custom/matrix-bridge-mautrix-meta-instagram/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-meta-instagram/defaults/main.yml @@ -127,6 +127,7 @@ matrix_mautrix_meta_instagram_appservice_address: "http://{{ matrix_mautrix_meta matrix_mautrix_meta_instagram_appservice_id: "{{ matrix_mautrix_meta_instagram_meta_mode }}" matrix_mautrix_meta_instagram_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}" +matrix_mautrix_meta_instagram_self_sign_enabled: "{{ matrix_bridges_self_sign_enabled }}" # For Facebook/Messenger, we use the same `@messengerbot:example.com` username regardless of how bridging happens for multiple reasons: # - it's consistent - regardless of how bridging happens, the bridged service is actually Messenger diff --git a/roles/custom/matrix-bridge-mautrix-meta-instagram/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-meta-instagram/templates/config.yaml.j2 index 06f7f2080..968d4eda9 100644 --- a/roles/custom/matrix-bridge-mautrix-meta-instagram/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-meta-instagram/templates/config.yaml.j2 @@ -372,6 +372,9 @@ encryption: # Only relevant when using end-to-bridge encryption, required when using encryption with next-gen auth (MSC3861). # Changing this option requires updating the appservice registration file. msc4190: {{ matrix_mautrix_meta_instagram_msc4190_enabled | to_json }} + # Whether to enable self-signing for bridges (Only the bridge bot uses this for now) + # Requires msc4190 to replace keys on reset + self_sign: {{ matrix_mautrix_meta_instagram_self_sign_enabled | to_json }} # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. # You must use a client that supports requesting keys from other users to use this feature. allow_key_sharing: {{ matrix_mautrix_meta_instagram_bridge_encryption_allow_key_sharing | to_json }} diff --git a/roles/custom/matrix-bridge-mautrix-meta-messenger/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-meta-messenger/defaults/main.yml index 03bb68ff4..0ebd90d4d 100644 --- a/roles/custom/matrix-bridge-mautrix-meta-messenger/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-meta-messenger/defaults/main.yml @@ -127,6 +127,7 @@ matrix_mautrix_meta_messenger_appservice_address: "http://{{ matrix_mautrix_meta matrix_mautrix_meta_messenger_appservice_id: "{{ matrix_mautrix_meta_messenger_meta_mode }}" matrix_mautrix_meta_messenger_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}" +matrix_mautrix_meta_messenger_self_sign_enabled: "{{ matrix_bridges_self_sign_enabled }}" # For Facebook/Messenger, we use the same `@messengerbot:example.com` username regardless of how bridging happens for multiple reasons: # - it's consistent - regardless of how bridging happens, the bridged service is actually Messenger diff --git a/roles/custom/matrix-bridge-mautrix-meta-messenger/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-meta-messenger/templates/config.yaml.j2 index 055268aaf..2af47d5f8 100644 --- a/roles/custom/matrix-bridge-mautrix-meta-messenger/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-meta-messenger/templates/config.yaml.j2 @@ -372,6 +372,9 @@ encryption: # Only relevant when using end-to-bridge encryption, required when using encryption with next-gen auth (MSC3861). # Changing this option requires updating the appservice registration file. msc4190: {{ matrix_mautrix_meta_messenger_msc4190_enabled | to_json }} + # Whether to enable self-signing for bridges (Only the bridge bot uses this for now) + # Requires msc4190 to replace keys on reset + self_sign: {{ matrix_mautrix_meta_messenger_self_sign_enabled | to_json }} # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. # You must use a client that supports requesting keys from other users to use this feature. allow_key_sharing: {{ matrix_mautrix_meta_messenger_bridge_encryption_allow_key_sharing | to_json }} diff --git a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml index d6f774924..e133bf9a3 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml @@ -48,6 +48,7 @@ matrix_mautrix_signal_homeserver_async_media: false matrix_mautrix_signal_appservice_address: "http://matrix-mautrix-signal:8080" matrix_mautrix_signal_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}" +matrix_mautrix_signal_self_sign_enabled: "{{ matrix_bridges_self_sign_enabled }}" matrix_mautrix_signal_command_prefix: "!signal" diff --git a/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index 24653c410..f2feecb3a 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2 @@ -332,6 +332,9 @@ encryption: # Only relevant when using end-to-bridge encryption, required when using encryption with next-gen auth (MSC3861). # Changing this option requires updating the appservice registration file. msc4190: {{ matrix_mautrix_signal_msc4190_enabled | to_json }} + # Whether to enable self-signing for bridges (Only the bridge bot uses this for now) + # Requires msc4190 to replace keys on reset + self_sign: {{ matrix_mautrix_signal_self_sign_enabled | to_json }} # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. # You must use a client that supports requesting keys from other users to use this feature. allow_key_sharing: {{ matrix_mautrix_signal_bridge_encryption_key_sharing_allow | to_json }} diff --git a/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml index f0b077d7e..94074bb3d 100644 --- a/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml @@ -38,6 +38,7 @@ matrix_mautrix_slack_homeserver_async_media: false matrix_mautrix_slack_appservice_address: "http://matrix-mautrix-slack:8080" matrix_mautrix_slack_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}" +matrix_mautrix_slack_self_sign_enabled: "{{ matrix_bridges_self_sign_enabled }}" # Displayname template for Slack users. Available variables: # .Name - The username of the user diff --git a/roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2 index 30ea0b349..f2a2e8782 100644 --- a/roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2 @@ -376,6 +376,9 @@ encryption: # Only relevant when using end-to-bridge encryption, required when using encryption with next-gen auth (MSC3861). # Changing this option requires updating the appservice registration file. msc4190: {{ matrix_mautrix_slack_msc4190_enabled | to_json }} + # Whether to enable self-signing for bridges (Only the bridge bot uses this for now) + # Requires msc4190 to replace keys on reset + self_sign: {{ matrix_mautrix_slack_self_sign_enabled | to_json }} # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. # You must use a client that supports requesting keys from other users to use this feature. allow_key_sharing: {{ matrix_mautrix_slack_bridge_encryption_key_sharing_allow | to_json }} diff --git a/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml index 8c21ec4f9..ca941c484 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml @@ -43,6 +43,7 @@ matrix_mautrix_twitter_homeserver_domain: '{{ matrix_domain }}' matrix_mautrix_twitter_appservice_address: 'http://matrix-mautrix-twitter:29327' matrix_mautrix_twitter_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}" +matrix_mautrix_twitter_self_sign_enabled: "{{ matrix_bridges_self_sign_enabled }}" # A public address that external services can use to reach this appservice. matrix_mautrix_twitter_appservice_public_address: '' diff --git a/roles/custom/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 index 5c1e8d9c1..441f0ad41 100644 --- a/roles/custom/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 @@ -205,11 +205,6 @@ appservice: # However, messages will not be guaranteed to be bridged in the same order they were sent in. # This value doesn't affect the registration file. async_transactions: false - # Whether to use MSC4190 instead of appservice login to create the bridge bot device. - # Requires the homeserver to support MSC4190 and the device masquerading parts of MSC3202. - # Only relevant when using end-to-bridge encryption, required when using encryption with next-gen auth (MSC3861). - # Changing this option requires updating the appservice registration file. - msc4190: {{ matrix_mautrix_twitter_msc4190_enabled | to_json }} # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. as_token: {{ matrix_mautrix_twitter_appservice_token | to_json }} @@ -355,6 +350,14 @@ encryption: # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data. # This option is not yet compatible with standard Matrix servers like Synapse and should not be used. appservice: {{ matrix_mautrix_twitter_bridge_encryption_appservice | to_json }} + # Whether to use MSC4190 instead of appservice login to create the bridge bot device. + # Requires the homeserver to support MSC4190 and the device masquerading parts of MSC3202. + # Only relevant when using end-to-bridge encryption, required when using encryption with next-gen auth (MSC3861). + # Changing this option requires updating the appservice registration file. + msc4190: {{ matrix_mautrix_twitter_msc4190_enabled | to_json }} + # Whether to enable self-signing for bridges (Only the bridge bot uses this for now) + # Requires msc4190 to replace keys on reset + self_sign: {{ matrix_mautrix_twitter_self_sign_enabled | to_json }} # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. # You must use a client that supports requesting keys from other users to use this feature. allow_key_sharing: {{ matrix_mautrix_twitter_bridge_encryption_key_sharing_allow | to_json }} diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 9b58c1eb7..c5b4f1a6f 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -50,6 +50,7 @@ matrix_mautrix_whatsapp_homeserver_async_media: false matrix_mautrix_whatsapp_appservice_address: "http://matrix-mautrix-whatsapp:8080" matrix_mautrix_whatsapp_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}" +matrix_mautrix_whatsapp_self_sign_enabled: "{{ matrix_bridges_self_sign_enabled }}" matrix_mautrix_whatsapp_extev_polls: false diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 index ed55cc586..91b3e801e 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 @@ -444,6 +444,9 @@ encryption: # Only relevant when using end-to-bridge encryption, required when using encryption with next-gen auth (MSC3861). # Changing this option requires updating the appservice registration file. msc4190: {{ matrix_mautrix_whatsapp_msc4190_enabled | to_json }} + # Whether to enable self-signing for bridges (Only the bridge bot uses this for now) + # Requires msc4190 to replace keys on reset + self_sign: {{ matrix_mautrix_whatsapp_self_sign_enabled | to_json }} # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. # You must use a client that supports requesting keys from other users to use this feature. allow_key_sharing: {{ matrix_mautrix_whatsapp_bridge_encryption_key_sharing_allow | to_json }}