Add support for Synapse Simple Antispam

Fixes #255 (Github Issue).

CHANGELOG.md

@@ -1,3 +1,14 @@
+# 2019-09-09
+
+## Synapse Simple Antispam support
+
+There have been lots of invite-spam attacks lately and [Travis](https://github.com/t2bot) has created a Synapse module ([synapse-simple-antispam](https://github.com/t2bot/synapse-simple-antispam)) to let people protect themselves.
+
+From now on, you can easily install and configure this spam checker module through the playbook.
+
+Learn more in [Setting up Synapse Simple Antispam](docs/configuring-playbook-synapse-simple-antispam.md).
+
+
 # 2019-08-25
 
 ## Extensible Riot-web configuration
@@ -9,7 +20,7 @@ This should be enough for most customization needs.
 
 If you need even more power, you can now also take full control and override `matrix_riot_web_configuration_default` (or `matrix_riot_web_configuration`) directly.
 
-Learn more here in [Configuring Riot-web](docs/configuring-playbook-riot-web.md).
+Learn more in [Configuring Riot-web](docs/configuring-playbook-riot-web.md).
 
 
 # 2019-08-22

docs/configuring-playbook-synapse-simple-antispam.md

@@ -0,0 +1,16 @@
+# Setting up Synapse Simple Antispam (optional, advanced)
+
+The playbook can install and configure [synapse-simple-antispam](https://github.com/t2bot/synapse-simple-antispam) for you.
+
+See that project's documentation to learn what it does and why it might be useful to you.
+In short, it lets you fight invite-spam by automatically blocking invitiations from a list of servers specified by you (blacklisting).
+
+If you decide that you'd like to let this playbook install it for you, you need some configuration like this:
+
+```yaml
+matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled: true
+
+matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeservers:
+- example.com
+- another.com
+```

docs/configuring-playbook.md

@@ -72,6 +72,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins
 
 - [Setting up the LDAP password provider module](configuring-playbook-ldap-auth.md) (optional, advanced)
 
+- [Setting up Synapse Simple Antispam](configuring-playbook-synapse-simple-antispam.md) (optional, advanced)
+
 - [Setting up Matrix Corporal](configuring-playbook-matrix-corporal.md) (optional, advanced)
 
 

roles/matrix-synapse/defaults/main.yml

@@ -263,6 +263,12 @@ matrix_synapse_ext_password_provider_ldap_bind_dn: ""
 matrix_synapse_ext_password_provider_ldap_bind_password: ""
 matrix_synapse_ext_password_provider_ldap_filter: ""
 
+# Enable this to activate the Synapse Antispam spam-checker module.
+# See: https://github.com/t2bot/synapse-simple-antispam
+matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled: false
+matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_repository_url: "https://github.com/t2bot/synapse-simple-antispam"
+matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_version: "f058d9ce2c7d4195ae461dcdd02df11a2d06a36b"
+matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeservers: []
 
 matrix_s3_media_store_enabled: false
 matrix_s3_media_store_custom_endpoint_enabled: false

roles/matrix-synapse/tasks/ext/setup.yml

@@ -5,3 +5,5 @@
 - import_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup.yml"
 
 - import_tasks: "{{ role_path }}/tasks/ext/ldap-auth/setup.yml"
+
+- import_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup.yml"

roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup.yml

@@ -0,0 +1,7 @@
+---
+
+- import_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup_install.yml"
+  when: matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled|bool
+
+- import_tasks: "{{ role_path }}/tasks/ext/synapse-simple-antispam/setup_uninstall.yml"
+  when: "not matrix_synapse_ext_spam_checker_synapse_simple_antispam_enabled|bool"

roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml

@@ -0,0 +1,41 @@
+---
+
+- name: Fail if Synapse Simple Antispam blocked homeservers is not set
+  fail:
+    msg: "Synapse Simple Antispam is enabled, but no blocked homeservers have been set in matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeservers"
+  when: "matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeservers|length == 0"
+
+- name: Ensure git installed (RedHat)
+  yum:
+    name:
+      - git
+    state: present
+    update_cache: no
+  when: "ansible_os_family == 'RedHat'"
+
+- name: Ensure git installed (Debian)
+  apt:
+    name:
+      - openssl
+    state: present
+    update_cache: no
+  when: "ansible_os_family == 'Debian'"
+
+- name: Clone synapse-simple-antispam git repository
+  git:
+    repo: "{{ matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_repository_url }}"
+    version: "{{ matrix_synapse_ext_spam_checker_synapse_simple_antispam_git_version }}"
+    dest: "{{ matrix_synapse_ext_path }}/synapse-simple-antispam"
+  become: true
+  become_user: "{{ matrix_user_username }}"
+
+- set_fact:
+    matrix_synapse_spam_checker:
+      module: "synapse_simple_antispam.AntiSpamInvites"
+      config:
+        blocked_homeservers: "{{ matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeservers }}"
+
+    matrix_synapse_container_extra_arguments: >
+      {{ matrix_synapse_container_extra_arguments|default([]) }}
+      +
+      {{ ["--mount type=bind,src={{ matrix_synapse_ext_path }}/synapse-simple-antispam/synapse_simple_antispam,dst={{ matrix_synapse_in_container_python_packages_path }}/synapse_simple_antispam,ro"] }}

roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_uninstall.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Ensure synapse-simple-antispam doesn't exist
+  file:
+    path: "{{ matrix_synapse_ext_path }}/synapse-simple-antispam"
+    state: absent