mirror/matrix-docker-ansible-deploy
1
0
Fork 0
mirror of https://github.com/spantaleev/matrix-docker-ansible-deploy.git synced 2025-01-30 20:05:01 +01:00
Code Issues Packages Projects Releases Wiki Activity

Draupnir 2.0.0 (#3941)

Browse Source 
* Draupnir 2.0.0

The config getting changes all over the place is because of 2.0 having removed a lot of config options due to the code being removed.

* Update Draupnir Documentation to reflect state as of 2.0.0

* Apply Review Feedback

Co-authored-by: Suguru Hirahara <luixxiul@users.noreply.github.com>

* Change Room IDs found in code review to not conform to playbook standard.

Co-authored-by: Suguru Hirahara <luixxiul@users.noreply.github.com>

* Further Integrate Code Review Feedback

* Apply remaining suggestions from code review.

Co-authored-by: Suguru Hirahara <luixxiul@users.noreply.github.com>

* Apply Configuration Review Feedback

Co-authored-by: Suguru Hirahara <luixxiul@users.noreply.github.com>

* Add Self Registration and Native Login to Draupnir

* Rework Draupnir Documentation to Remove Pantalaimon

* Set bot.draupnir as default username for the bot in config

* Draupnir 2.0.1

* Integrate Review Feedback on Structure of Docs

Co-authored-by: Suguru Hirahara <luixxiul@users.noreply.github.com>

* Further Restructure Docs and tweak variables in response.

* Only auto-create draupnir user if a password has been set

The Draupnir role supports configuring it with either an access token or with a password.

When a password is not assigned (which means the access token mode is used), the user is to be created manually.

* Add ensure-matrix-users-created tag

Now that the Draupnir user may be auto-created in certain configurations (if a password is assigned), it's useful to have the tag there.

---------

Co-authored-by: Suguru Hirahara <luixxiul@users.noreply.github.com>
Co-authored-by: Slavi Pantaleev <slavi@devture.com>
This commit is contained in:
Catalan Lover 2025-01-18 20:25:30 +01:00 committed by GitHub
parent 3e06e4be63
commit f15c0a46be
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
8 changed files with 203 additions and 155 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
docs/configuring-playbook-appservice-draupnir-for-all.md
View File

@ -24,9 +24,7 @@ The playbook does not create a management room for your Main Draupnir. You **nee
Note that the room must be unencrypted.
<!-- TODO: enable Pantalaimon as configuring-playbook-bot-draupnir.md -->
The management room has to be given an alias and be public when you are setting up the bot for the first time as the bot does not differentiate between invites and invites to the management room.
The management room has to be given an alias, and your bot has to be invited to the room.
This management room is used to control who has access to your D4A deployment. The room stores this data inside of the control room state so your bot must have sufficient powerlevel to send custom state events. This is default 50 or moderator as Element clients call this powerlevel.
@ -36,8 +34,6 @@ As noted in the Draupnir install instructions the control room is sensitive. **A
Next, set an alias to the management room.
This alias can be anything you want. However, for increased security during the setup phase, it is recommended to make this alias be a random string. When it has been locked down after setup phase, you can give your room a secondary human readable alias.
## Adjusting the playbook configuration
Add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file. Make sure to replace `MANAGEMENT_ROOM_ALIAS_HERE`.
@ -80,13 +76,11 @@ After configuring the playbook, run it with [playbook tags](playbook-tags.md) as
<!-- NOTE: let this conservative command run (instead of install-all) to make it clear that failure of the command means something is clearly broken. -->
```sh
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,ensure-matrix-users-created,start
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
```
**Notes**:
- The `ensure-matrix-users-created` playbook tag makes the playbook automatically create the bot's user account.
- The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`
`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed.
@ -103,7 +97,7 @@ Draupnir for all includes several security measures like that it only allows use
The bot requires a powerlevel of 50 in the management room to control who is allowed to use the bot. The bot does currently not say anything if this is true or false. (This is considered a bug and is documented in issue [#297](https://github.com/the-draupnir-project/Draupnir/issues/297))
To allow users or whole homeservers you type /plain @draupnir-main:example.com allow `target` and target can be either a MXID or a wildcard like `@*:example.com` to allow all users on example.com to register. We use /plain to force the client to not attempt to mess with this command as it can break Wildcard commands especially.
To allow users or whole homeservers you type /plain !admin allow `target` and target can be either a MXID or a wildcard like `@*:example.com` to allow all users on example.com to register. We use /plain to force the client to not attempt to mess with this command as it can break Wildcard commands especially.
### How to provision a D4A once you are allowed to

156
docs/configuring-playbook-bot-draupnir.md
View File

@ -2,7 +2,7 @@
The playbook can install and configure the [Draupnir](https://github.com/the-draupnir-project/Draupnir) moderation bot for you.
See the project's [documentation](https://github.com/the-draupnir-project/Draupnir/blob/main/README.md) to learn what it does and why it might be useful to you.
See the project's [documentation](https://the-draupnir-project.github.io/draupnir-documentation/) to learn what it does and why it might be useful to you.
This documentation page is about installing Draupnir in bot mode. As an alternative, you can run a multi-instance Draupnir deployment by installing [Draupnir in appservice mode](./configuring-playbook-appservice-draupnir-for-all.md) (called Draupnir-for-all) instead.
@ -10,33 +10,74 @@ If your migrating from Mjolnir skip to [this section](#migrating-from-mjolnir-on
## Prerequisites
### Register the bot account
### Create a management room
The playbook does not automatically create users for you. You **need to register the bot user manually** before setting up the bot.
Using your own account, create a new invite only room that you will use to manage the bot. This is the room where you will see the status of the bot and where you will send commands to the bot, such as the command to ban a user from another room. Anyone in this room can control the bot so it is important that you only invite trusted users to this room.
Generate a strong password for the bot. You can create one with a command like `pwgen -s 64 1`.
If you make the management room encrypted (E2EE), then you need to enable the native E2EE support (see [below](#native-e2ee-support)).
You can use the playbook to [register a new user](registering-users.md):
Once you have created the room you need to copy the room ID so you can tell the bot to use that room. In Element Web you can do this by going to the room's settings, clicking Advanced, and then copying the internal room ID. The room ID will look something like `!qporfwt:example.com`.
```sh
ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.draupnir password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user
Finally invite the `@bot.draupnir:example.com` account that the playbook will create for you to the management room. Please note that clients can issue a warning that your attempting to invite a user that doesnt have a profile and might not exist. This warning is expected as your inviting the bot before its user account exists.
## End-to-End Encryption support
Decide whether you want to support having an Encrypted management room or not. Draupnir can still protect encrypted rooms without encryption support enabled.
Refer to Draupnir's [Documentation](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-protected-rooms#protecting-encrypted-rooms) for more information on why you might or might not care about encryption support for protected rooms.
**Note**: Draupnir does not support running with Pantalaimon as it would break all workflows that involve answering prompts with reactions.
### Native E2EE support
To enable the native E2EE support, you need to obtain an access token for Draupnir.
Note that native E2EE requires a clean access token that has not touched E2EE so curl is recommended as a method to obtain it. **The access token obtained via Element Web does not work with it**. Refer to the documentation on [how to obtain an access token via curl](obtaining-access-tokens.md#obtain-an-access-token-via-curl).
To enable the native E2EE support, add the following configuration to your `vars.yml` file:
```yaml
# Enables the native E2EE Support
matrix_bot_draupnir_enable_experimental_rust_crypto: true
# Access Token the bot uses to login.
# Comment out `matrix_bot_draupnir_login_native` when using this option.
matrix_bot_draupnir_access_token: "ACCESS_TOKEN_HERE"
```
If you would like Draupnir to be able to deactivate users, move aliases, shutdown rooms, show abuse reports (see [below](#abuse-reports)), etc then it must be a server admin so you need to change `admin=no` to `admin=yes` in the command above.
## Adjusting the playbook configuration
### Obtain an access token
To enable the bot, add the following configuration to your `vars.yml` file. Make sure to replace `MANAGEMENT_ROOM_ID_HERE`.
The bot requires an access token to be able to connect to your homeserver. Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md).
```yaml
# Enable Draupnir
matrix_bot_draupnir_enabled: true
⚠️ **Warning**: Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone.
# Uncomment and adjust this part if you'd like to use a username different than the default
# matrix_bot_draupnir_login: bot.draupnir
# Generate a strong password for the bot. You can create one with a command like `pwgen -s 64 1`.
# If creating the user on your own and using `matrix_bot_draupnir_access_token` to login you can comment out this line.
matrix_bot_draupnir_password: PASSWORD_FOR_THE_BOT
# Comment out if using `matrix_bot_draupnir_enable_experimental_rust_crypto: true` or `matrix_bot_draupnir_access_token` to login.
matrix_bot_draupnir_login_native: true
matrix_bot_draupnir_management_room: "MANAGEMENT_ROOM_ID_HERE"
```
Before Proceeding run the playbook with the following command to make sure the Draupnir user has been created.
```sh
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,ensure-matrix-users-created
```
### Make sure the account is free from rate limiting
If your homeserver's implementation is Synapse, you will need to prevent it from rate limiting the bot's account. **This is a required step. If you do not configure it, Draupnir will crash.**
If your homeserver's implementation is Synapse, you will need to prevent it from rate limiting the bot's account. **This is a heavily recomended step. If you do not configure it, Draupnir performance will be degraded.**
This can be done using Synapse's [Admin APIs](https://element-hq.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). They can be accessed both externally and internally.
To expose the APIs publicly, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
To expose the APIs publicly, add the following configuration to your `vars.yml` file:
```yaml
matrix_synapse_container_labels_public_client_synapse_admin_api_enabled: true
@ -52,92 +93,33 @@ To discharge rate limiting, run the following command on systems that ship curl
curl --header "Authorization: Bearer <access_token>" -X POST https://matrix.example.com/_synapse/admin/v1/users/@bot.draupnir:example.com/override_ratelimit
```
You can obtain an access token for a homeserver admin account in the same way as you can do so for Draupnir itself. If you have made Draupnir an admin, you can just use the Draupnir token.
### Obtain an access token
### Create a management room
Manual access to Synapse's Admin API requires an access token. Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md).
Using your own account, create a new invite only room that you will use to manage the bot. This is the room where you will see the status of the bot and where you will send commands to the bot, such as the command to ban a user from another room. Anyone in this room can control the bot so it is important that you only invite trusted users to this room.
If you make the management room encrypted (E2EE), then you MUST enable and use Pantalaimon (see [below](#configuration-with-e2ee-support)).
Once you have created the room you need to copy the room ID so you can tell the bot to use that room. In Element Web you can do this by going to the room's settings, clicking Advanced, and then copying the internal room ID. The room ID will look something like `!qporfwt:example.com`.
Finally invite the `@bot.draupnir:example.com` account you created earlier into the room.
## Adjusting the playbook configuration
To enable the bot, add the following configuration to your `vars.yml` file. Make sure to replace `MANAGEMENT_ROOM_ID_HERE`.
```yaml
# Enable Draupnir
matrix_bot_draupnir_enabled: true
matrix_bot_draupnir_management_room: "MANAGEMENT_ROOM_ID_HERE"
```
### End-to-End Encryption support
Decide whether you want Draupnir to be capable of operating in end-to-end encrypted (E2EE) rooms. This includes the management room and the moderated rooms.
To support E2EE, Draupnir needs to [use Pantalaimon](configuring-playbook-pantalaimon.md).
#### Configuration with E2EE support
When using Pantalaimon, Draupnir will log in to its bot account itself through Pantalaimon, so configure its username and password.
Add the following configuration to your `vars.yml` file (adapt to your needs):
```yaml
# Enable Pantalaimon. See docs/configuring-playbook-pantalaimon.md
matrix_pantalaimon_enabled: true
# Tell Draupnir to use Pantalaimon
matrix_bot_draupnir_pantalaimon_use: true
# User name and password for the bot you have created above. Required when using Pantalaimon.
matrix_bot_draupnir_pantalaimon_username: "bot.draupnir"
matrix_bot_draupnir_pantalaimon_password: "PASSWORD_FOR_THE_BOT"
```
The playbook's `group_vars` will configure other required settings. If using this role separately without the playbook, you also need to configure the two URLs that Draupnir uses to reach the homeserver, one through Pantalaimon and one "raw". This example is taken from the playbook's `group_vars`:
```yaml
# Endpoint URL that Draupnir uses to interact with the Matrix homeserver (client-server API).
# Set this to the pantalaimon URL if you're using that.
matrix_bot_draupnir_homeserver_url: "{{ 'http://matrix-pantalaimon:8009' if matrix_bot_draupnir_pantalaimon_use else matrix_addons_homeserver_client_api_url }}"
# Endpoint URL that Draupnir could use to fetch events related to reports (client-server API and /_synapse/),
# only set this to the public-internet homeserver client API URL, do NOT set this to the pantalaimon URL.
matrix_bot_draupnir_raw_homeserver_url: "{{ matrix_addons_homeserver_client_api_url }}"
```
#### Configuration without E2EE support
When NOT using Pantalaimon, Draupnir does not log in by itself and you must give it an access token for its bot account.
Add the following configuration to your `vars.yml` file. Make sure to replace `ACCESS_TOKEN_HERE` with the one created [above](#obtain-an-access-token).
```yaml
matrix_bot_draupnir_access_token: "ACCESS_TOKEN_HERE"
```
⚠️ **Warning**: Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone.
### Abuse Reports
Draupnir supports two methods to receive reports in the management room.
Draupnir can receive reports in the management room.
The first method intercepts the report API endpoint of the client-server API, which requires integration with the reverse proxy in front of the homeserver. If you are using traefik, the playbook can set this up for you:
The bot can intercept the report API endpoint of the client-server API, which requires integration with the reverse proxy in front of the homeserver. If you are using Traefik, this playbook can set this up for you:
```yaml
matrix_bot_draupnir_abuse_reporting_enabled: true
```
The other method polls an Synapse Admin API endpoint, hence it is available only if using Synapse and if the Draupnir user is an admin (see [above](#register-the-bot-account)). To enable it, set `pollReports: true` on `vars.yml` file as below.
<!--
NOTE: this is unsupported by the playbook due to the admin API being inaccessible from containers currently.
The other method polls an Synapse Admin API endpoint, hence it is available only if using Synapse and if the Draupnir user is an admin (see [above](#register-the-bot-account)). To enable it, set `pollReports: true` on `vars.yml` file as below.
-->
### Extending the configuration
You can configure additional options by adding the `matrix_bot_draupnir_configuration_extension_yaml` variable.
For example, to change Draupnir's `pollReports` option to `true`, add the following configuration to your `vars.yml` file:
For example, to change Draupnir's `acceptInvitesFromSpace` option to `!qporfwt:example.com`, add the following configuration to your `vars.yml` file:
```yaml
matrix_bot_draupnir_configuration_extension_yaml: |
@ -148,13 +130,15 @@ matrix_bot_draupnir_configuration_extension_yaml: |
#
# If you need something more special, you can take full control by
# completely redefining `matrix_bot_draupnir_configuration_yaml`.
pollReports: true
acceptInvitesFromSpace: "!qporfwt:example.com"
```
### Migrating from Mjolnir (Only required if migrating)
Replace your `matrix_bot_mjolnir` config with `matrix_bot_draupnir` config. Also disable Mjolnir if you're doing migration.
Note that Pantalaimon is unsupported by Draupnir so it is recommended to consult the instructions to enable [the native E2EE support](#native-e2ee-support).
That is all you need to do due to that Draupnir can complete migration on its own.
## Installing
@ -174,8 +158,6 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,ensure-matrix-use
`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed.
- If you change the Pantalaimon's password (`matrix_bot_draupnir_pantalaimon_password` in your `vars.yml` file) subsequently, its credentials on the homeserver won't be updated automatically. If you'd like to change the password, use a tool like [synapse-admin](configuring-playbook-synapse-admin.md) to change it, and then update `matrix_bot_draupnir_pantalaimon_password` to let Pantalaimon know its new password.
## Usage
You can refer to the upstream [documentation](https://the-draupnir-project.github.io/draupnir-documentation/) for additional ways to use and configure Draupnir and for a more detailed usage guide.
@ -236,7 +218,7 @@ You can also **turn on various built-in [protections](https://the-draupnir-proje
To **see which protections are available and which are enabled**, send a `!draupnir protections` command to the Management Room.
To **see the configuration options for a given protection**, send a `!draupnir config get PROTECTION_NAME` (e.g. `!draupnir config get JoinWaveShortCircuit`).
To **see the configuration options for a given protection**, send a `!draupnir protections show PROTECTION_NAME` (e.g. `!draupnir protections show JoinWaveShortCircuit`).
To **set a specific option for a given protection**, send a command like this: `!draupnir config set PROTECTION_NAME.OPTION VALUE` (e.g. `!draupnir config set JoinWaveShortCircuit.timescaleMinutes 30`).

10
group_vars/matrix_servers
View File

@ -4993,6 +4993,10 @@ matrix_synapse_admin_config_asManagedUsers_auto: |
'^@'+(matrix_bot_buscarron_login | default('') | regex_escape) +':'+(matrix_domain | regex_escape)+'$',
] if matrix_bot_buscarron_enabled else [])
+
([
'^@'+(matrix_bot_draupnir_login | default('') | regex_escape) +':'+(matrix_domain | regex_escape)+'$',
] if matrix_bot_draupnir_enabled else [])
+
([
'^@'+(matrix_bot_chatgpt_matrix_bot_username_localpart | default('') | regex_escape) +':'+(matrix_domain | regex_escape)+'$',
] if matrix_bot_chatgpt_enabled else [])
@ -5855,6 +5859,12 @@ matrix_user_creator_users_auto: |
'initial_password': matrix_bot_maubot_initial_password,
'initial_type': 'bot',
}] if matrix_bot_maubot_enabled else [])
+
([{
'username': matrix_bot_draupnir_login,
'initial_password': matrix_bot_draupnir_password,
'initial_type': 'bot',
}] if matrix_bot_draupnir_enabled and matrix_bot_draupnir_password else [])
}}
######################################################################

2
roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml
View File

@ -5,7 +5,7 @@
matrix_appservice_draupnir_for_all_enabled: true
# renovate: datasource=docker depName=gnuxie/draupnir
matrix_appservice_draupnir_for_all_version: "1.87.0"
matrix_appservice_draupnir_for_all_version: "v2.0.1"
matrix_appservice_draupnir_for_all_container_image_self_build: false
matrix_appservice_draupnir_for_all_container_image_self_build_repo: "https://github.com/the-draupnir-project/Draupnir.git"

18
roles/custom/matrix-appservice-draupnir-for-all/templates/production-bots.yaml.j2
View File

@ -4,20 +4,10 @@
# This should be at INFO or DEBUG in order to get support for Draupnir problems.
logLevel: "INFO"
# Whether or not Draupnir should synchronize policy lists immediately after startup.
# Equivalent to running '!draupnir sync'.
syncOnStartup: true
# Whether or not Draupnir should check moderation permissions in all protected rooms on startup.
# Equivalent to running `!draupnir verify`.
verifyPermissionsOnStartup: true
# Whether Draupnir should check member lists quicker (by using a different endpoint),
# keep in mind that enabling this will miss invited (but not joined) users.
#
# Turn on if your bot is in (very) large rooms, or in large amounts of rooms.
fasterMembershipChecks: false
# A case-insensitive list of ban reasons to have the bot also automatically redact the user's messages for.
#
# If the bot sees you ban a user with a reason that is an (exact case-insensitive) match to this list,
@ -70,14 +60,10 @@ commands:
- "draupnir_bot"
- "draupnir"
# Whether or not commands with a wildcard (*) will require an additional `--force` argument
# in the command to be able to be submitted.
confirmWildcardBan: true
# The default reasons to be prompted with if the reason is missing from a ban command.
ban:
defaultReasons:
defaultReasons:
- "spam"
- "brigading"
- "harassment"
- "disagreement"
- "disagreement"

28
roles/custom/matrix-bot-draupnir/defaults/main.yml
View File

@ -5,7 +5,7 @@
matrix_bot_draupnir_enabled: true
# renovate: datasource=docker depName=gnuxie/draupnir
matrix_bot_draupnir_version: "v1.87.0"
matrix_bot_draupnir_version: "v2.0.1"
matrix_bot_draupnir_container_image_self_build: false
matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/the-draupnir-project/Draupnir.git"
@ -49,8 +49,20 @@ matrix_bot_draupnir_systemd_wanted_services_list: []
# Whether Draupnir should talk to the homeserver through Pantalaimon
# If true, then other variables must be provided including pointing
# `matrix_bot_draupnir_homeserver_url` to the Pantalaimon URL.
# Enabling this option is discouraged, because Draupnir does not support
# running with Pantalaimon as it would break all workflows that involve answering
# prompts with reactions. (Hint: a lot of workflows rely on them.)
matrix_bot_draupnir_pantalaimon_use: false
# If you choose to accept the risks of using Pantalaimon in your installation
# against the upstream advice, you can enable this to disable the warning about it.
matrix_bot_draupnir_pantalaimon_breakage_ignore: false
# Tells the bot if it should use its native E2EE support in the form of experimental Rust Crypto in the bot SDK.
# This option is mutually exclusive with `matrix_bot_draupnir_pantalaimon_use`.
# Rust Crypto requires a clean access token that has not touched E2EE so curl is recommended as a method to obtain it.
matrix_bot_draupnir_enable_experimental_rust_crypto: false
# The access token for the bot user. Required when NOT using Pantalaimon.
# (Otherwise provide `matrix_bot_draupnir_pantalaimon_username` and `matrix_bot_draupnir_pantalaimon_password` instead.)
matrix_bot_draupnir_access_token: ""
@ -60,6 +72,15 @@ matrix_bot_draupnir_access_token: ""
matrix_bot_draupnir_pantalaimon_username: ""
matrix_bot_draupnir_pantalaimon_password: ""
# Username and password the bot uses for logging in directly. If using Pantalimon
# these values become the values of `matrix_bot_draupnir_pantalaimon_username` and `matrix_bot_draupnir_pantalaimon_password`
matrix_bot_draupnir_login: "{{ matrix_bot_draupnir_pantalaimon_username if matrix_bot_draupnir_pantalaimon_use == 'true' else 'bot.draupnir' }}"
matrix_bot_draupnir_password: "{{ matrix_bot_draupnir_pantalaimon_password }}"
# Controls if we activate the pantalaimon config block for now. This configuration block is proable to change name for our usecase
# due to a Draupnir push to scrub Pantalaimon from the codebase.
matrix_bot_draupnir_login_native: ""
# The room ID where people can use the bot. The bot has no access controls, so
# anyone in this room can use the bot - secure your room!
# This should be a room alias or room ID - not a matrix.to URL.
@ -84,6 +105,11 @@ matrix_bot_draupnir_raw_homeserver_url: ""
# Its Exposed here because its common enough to be valid to expose.
matrix_bot_draupnir_disable_server_acl: "false"
# Controls if the room state backing store is activated.
# Room state backing store makes restarts of the bot lightning fast as the bot does not suffer from amnesia.
# This config option has diminished improvements for bots on extremely fast homeservers or very very small bots on fast homeservers.
matrix_bot_draupnir_enable_room_state_backing_store: "true"
# Default configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#

16
roles/custom/matrix-bot-draupnir/tasks/validate_config.yml
View File

@ -5,6 +5,7 @@
msg: "The `{{ item.name }}` variable must be defined and have a non-null value."
with_items:
- {'name': 'matrix_bot_draupnir_access_token', when: "{{ not matrix_bot_draupnir_pantalaimon_use }}"}
- {'name': 'matrix_bot_draupnir_access_token', when: "{{ matrix_bot_draupnir_enable_experimental_rust_crypto }}"}
- {'name': 'matrix_bot_draupnir_management_room', when: true}
- {'name': 'matrix_bot_draupnir_container_network', when: true}
- {'name': 'matrix_bot_draupnir_homeserver_url', when: true}
@ -18,4 +19,19 @@
msg: "The `{{ item.name }}` variable must be undefined or have a null value."
with_items:
- {'name': 'matrix_bot_draupnir_access_token', when: "{{ matrix_bot_draupnir_pantalaimon_use }}"}
- {'name': 'matrix_bot_draupnir_access_token', when: "{{ matrix_bot_draupnir_login_native }}"}
- {'name': 'matrix_bot_draupnir_pantalaimon_use', when: "{{ matrix_bot_draupnir_enable_experimental_rust_crypto }}"}
when: "item.when | bool and not (vars[item.name] == '' or vars[item.name] is none)"
- when: "matrix_bot_draupnir_pantalaimon_use == 'true' and matrix_bot_draupnir_pantalaimon_breakage_ignore == 'false'"
block:
- name: Inject warning if Pantalaimon is used together with Draupnir
ansible.builtin.set_fact:
devture_playbook_runtime_messages_list: |
{{
devture_playbook_runtime_messages_list | default([])
+
[
"Note: Draupnir does not support running with Pantalaimon as it would break all workflows that involve answering prompts with reactions. To enable E2EE for Draupnir, it is recommended to use matrix_bot_draupnir_enable_experimental_rust_crypto instead. This warning can be disabled by setting matrix_bot_draupnir_pantalaimon_breakage_ignore to true."
]
}}

116
roles/custom/matrix-bot-draupnir/templates/production.yaml.j2
View File

@ -1,5 +1,4 @@
# Endpoint URL that Draupnir uses to interact with the Matrix homeserver (client-server API),
# set this to the pantalaimon URL if you're using that.
homeserverUrl: {{ matrix_bot_draupnir_homeserver_url | to_json }}
# Endpoint URL that Draupnir could use to fetch events related to reports (client-server API and /_synapse/),
@ -7,29 +6,36 @@ homeserverUrl: {{ matrix_bot_draupnir_homeserver_url | to_json }}
rawHomeserverUrl: {{ matrix_bot_draupnir_raw_homeserver_url | to_json }}
# Matrix Access Token to use, Draupnir will only use this if pantalaimon.use is false.
# This option can be loaded from a file by passing "--access-token-path <path>" at the command line,
# which would allow using secret management systems such as systemd's service credentials.
accessToken: {{ matrix_bot_draupnir_access_token | to_json }}
{% if matrix_bot_draupnir_pantalaimon_use %}
{% if matrix_bot_draupnir_pantalaimon_use or matrix_bot_draupnir_login_native %}
# Options related to Pantalaimon (https://github.com/matrix-org/pantalaimon)
pantalaimon:
# Whether or not Draupnir will use pantalaimon to access the Matrix homeserver,
# set to `true` if you're using pantalaimon.
#
# Be sure to point homeserverUrl to the pantalaimon instance.
# Set to `true` when the bot is to login and fetch the access token on its own.
#
# Draupnir will log in using the given username and password once,
# then store the resulting access token in a file under dataPath.
use: true
# The username to login with.
username: {{ matrix_bot_draupnir_pantalaimon_username | to_json }}
username: {{ matrix_bot_draupnir_login | to_json }}
# The password Draupnir will login with.
#
# After successfully logging in once, this will be ignored, so this value can be blanked after first startup.
password: {{ matrix_bot_draupnir_pantalaimon_password | to_json }}
# This option can be loaded from a file by passing "--password-path <path>" at the command line,
# which would allow using secret management systems such as systemd's service credentials.
password: {{ matrix_bot_draupnir_password | to_json }}
{% endif %}
# Experimental usage of the matrix-bot-sdk rust crypto. This can not be used with Pantalaimon.
# Make sure Pantalaimon is disabled in Draupnir's configuration.
#
# Warning: At this time this is not considered production safe.
experimentalRustCrypto: {{ matrix_bot_draupnir_enable_experimental_rust_crypto | to_json }}
# The path Draupnir will store its state/data in, leave default ("/data/storage") when using containers.
dataPath: "/data"
@ -57,7 +63,7 @@ managementRoom: {{ matrix_bot_draupnir_management_room | to_json }}
# Running with verboseLogging is unsupported.
# Whether Draupnir should log a lot more messages in the room,
# mainly involves "all-OK" messages, and debugging messages for when Draupnir checks bans in a room.
#verboseLogging: false
verboseLogging: false
# The log level of terminal (or container) output,
# can be one of DEBUG, INFO, WARN and ERROR, in increasing order of importance and severity.
@ -81,12 +87,6 @@ noop: false
# DO NOT change this to `true` unless you are very confident that you know what you are doing.
disableServerACL: {{ matrix_bot_draupnir_disable_server_acl | to_json }}
# Whether Draupnir should check member lists quicker (by using a different endpoint),
# keep in mind that enabling this will miss invited (but not joined) users.
#
# Turn on if your bot is in (very) large rooms, or in large amounts of rooms.
fasterMembershipChecks: false
# A case-insensitive list of ban reasons to have the bot also automatically redact the user's messages for.
#
# If the bot sees you ban a user with a reason that is an (exact case-insensitive) match to this list,
@ -102,15 +102,6 @@ automaticallyRedactForReasons:
- "spam"
- "advertising"
# A list of rooms to protect. Draupnir will add this to the list it knows from its account data.
#
# It won't, however, add it to the account data.
# Manually add the room via '!draupnir rooms add' to have it stay protected regardless if this config value changes.
#
# Note: These must be matrix.to URLs
#protectedRooms:
# - "https://matrix.to/#/#matrix:example.org"
# Whether or not to add all joined rooms to the "protected rooms" list
# (excluding the management room and watched policy list rooms, see below).
#
@ -131,15 +122,18 @@ protectAllJoinedRooms: false
# of the homeserver may be more impacted.
backgroundDelayMS: 500
# FIXME: This configuration option is currently broken in the playbook as admin APIs cannot
# be accessed from containers. See https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3389
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3308
# Server administration commands, these commands will only work if Draupnir is
# a global server administrator, and the bot's server is a Synapse instance.
admin:
# Whether or not Draupnir can temporarily take control of any eligible account from the local homeserver who's in the room
# (with enough permissions) to "make" a user an admin.
#
# This only works if a local user with enough admin permissions is present in the room.
enableMakeRoomAdminCommand: false
#admin:
# # Whether or not Draupnir can temporarily take control of any eligible account from the local homeserver who's in the room
# # (with enough permissions) to "make" a user an admin.
# #
# # This only works if a local user with enough admin permissions is present in the room.
# enableMakeRoomAdminCommand: false
#
# Misc options for command handling and commands
commands:
# Whether or not the `!draupnir` prefix is necessary to submit commands.
@ -157,10 +151,6 @@ commands:
- "draupnir_bot"
- "draupnir"
# Whether or not commands with a wildcard (*) will require an additional `--force` argument
# in the command to be able to be submitted.
confirmWildcardBan: true
# The default reasons to be prompted with if the reason is missing from a ban command.
ban:
defaultReasons:
@ -178,10 +168,9 @@ commands:
# #
# # WordList will ban users who use these words when first joining a room, so take caution when selecting them.
# #
# # For advanced usage, regex can also be used, see the following links for more information;
# # - https://www.digitalocean.com/community/tutorials/an-introduction-to-regular-expressions
# # - https://regexr.com/
# # - https://regexone.com/
# # The word list protection does not support regular expressions at this time.
# # The configuration in the past stated support for Regex erroneously.
# #
# words:
# - "LoReM"
# - "IpSuM"
@ -196,6 +185,31 @@ commands:
# # (users will always be banned if they say a bad word)
# minutesBeforeTrusting: 20
# The room state backing store writes a copy of the room state for all protected
# rooms to the data directory.
# It is recommended to enable this option unless you deploy Draupnir close to the
# homeserver and know that Draupnir is starting up quickly. If your homeserver can
# respond quickly to Draupnir's requests for `/state` then you might not need this option.
roomStateBackingStore:
enabled: {{ matrix_bot_draupnir_enable_room_state_backing_store | to_json }}
# Safe mode provides recovery options for some failure modes when Draupnir
# fails to start. For example, if the bot fails to resolve a room alias in
# a watched list, or if the server has parted from a protected room and can't
# find a way back in. Safe mode will provide different options to recover from
# these. Such as unprotecting the room or unwatching the policy list.
# By default Draupnir will boot into safe mode only when the failure mode
# is recoverable.
# It may be desirable to prevent the bot from starting into safe mode if you have
# a pager system when Draupnir is down, as Draupnir could prevent your monitoring
# system from identifying a failure to start.
#safeMode:
# # The option for entering safe mode when Draupnir fails to start up.
# # - "RecoveryOnly" will only start the bot in safe mode when there are recovery options available. This is the default.
# # - "Never" will never start the bot in safe mode when Draupnir fails to start normally.
# # - "Always" will always start the bot in safe mode when Draupnir fails to start normally.
# bootOption: RecoveryOnly
# Options for advanced monitoring of the health of the bot.
health:
# healthz options. These options are best for use in container environments
@ -227,6 +241,18 @@ health:
# Defaults to 418.
unhealthyStatus: 418
# Sentry options. Sentry is a tool used to receive/collate/triage runtime
# errors and performance issues. Skip this section if you do not wish to use
# Sentry.
sentry:
# The key used to upload Sentry data to the server.
# dsn: "https://XXXXXXXXX@example.com/YYY
# Frequency of performance monitoring.
# A number in [0.0, 1.0], where 0.0 means "don't bother with tracing"
# and 1.0 means "trace performance at every opportunity".
# tracesSampleRate: 0.5
{% if matrix_bot_draupnir_web_enabled %}
# Options for exposing web APIs.
web:
@ -238,7 +264,12 @@ web:
# The address to listen for requests on. Defaults to only the current
# computer.
address: 0.0.0.0
address: "0.0.0.0"
# Alternative setting to open to the entire web. Be careful,
# as this will increase your security perimeter:
#
# address: "0.0.0.0"
# A web API designed to intercept Matrix API
# POST /_matrix/client/r0/rooms/{roomId}/report/{eventId}
@ -251,10 +282,13 @@ web:
enabled: {{ matrix_bot_draupnir_abuse_reporting_enabled | to_json }}
{% endif %}
# FIXME: This configuration option is currently broken in the playbook as admin APIs cannot
# be accessed from containers. See https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3389
# and https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3308
# Whether or not to actively poll synapse for abuse reports, to be used
# instead of intercepting client calls to synapse's abuse endpoint, when that
# isn't possible/practical.
pollReports: false
#pollReports: false
# Whether or not new reports, received either by webapi or polling,
# should be printed to our managementRoom.