draft encryption support for hookshot

docs/configuring-playbook-bridge-hookshot.md

@@ -23,6 +23,11 @@ Other configuration options are available via the `matrix_hookshot_configuration
 
 Finally, run the playbook (see [installing](installing.md)).
 
+### End-to-bridge endcryption
+
+1. Enable by setting `: true`
+
+If the crypto store has become corrupted, reset it by running `ansible-playbook -i inventory/hosts setup.yml -K --tags=reset-hookshot-encryption`.
 
 ## Usage
 

group_vars/matrix_servers

@@ -3358,7 +3358,7 @@ ntfy_visitor_request_limit_exempt_hosts_hostnames_auto: |
 #
 ######################################################################
 
-redis_enabled: "{{ matrix_synapse_workers_enabled }}"
+redis_enabled: "{{ matrix_synapse_workers_enabled or matrix_hookshot_experimental_encryption_enabled }}"
 
 redis_identifier: matrix-redis
 

roles/custom/matrix-bridge-hookshot/defaults/main.yml

@@ -30,6 +30,10 @@ matrix_hookshot_public_endpoint: /hookshot
 matrix_hookshot_appservice_port: 9993
 matrix_hookshot_appservice_endpoint: "{{ matrix_hookshot_public_endpoint }}/_matrix/app"
 
+# Controls whether the experimental end-to-bridge encryption support is enabled.
+# This requires that support is also enabled in the homeserver, see the hookshot docs.
+matrix_hookshot_experimental_encryption_enabled: false
+
 # Controls whether metrics are enabled in the bridge configuration.
 # Enabling them is usually enough for a local (in-container) Prometheus to consume them.
 # If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_hookshot_metrics_proxying_enabled`.

roles/custom/matrix-bridge-hookshot/tasks/main.yml

@@ -9,6 +9,12 @@
     - when: matrix_hookshot_enabled | bool
       ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
 
+- tags:
+    - reset-hookshot-encryption
+  block:
+    - when: matrix_hookshot_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/reset_encryption.yml"
+
 - tags:
     - setup-all
     - setup-hookshot

roles/custom/matrix-bridge-hookshot/tasks/reset_encryptioon.yml

@@ -0,0 +1,12 @@
+---
+- name: Resetting Hookshot's crypto store
+  ansible.builtin.command:
+    cmd: |
+      {{ devture_systemd_docker_base_host_command_docker }} run
+      --rm
+      --name={{ matrix_hookshot_container_url }}-reset-crypto
+      --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
+      --cap-drop=ALL
+      -v {{ matrix_hookshot_base_path }}/config.yml:/config.yml
+      {{ matrix_hookshot_docker_image }} yarn start:resetcrypto
+  changed_when: false

roles/custom/matrix-bridge-hookshot/templates/config.yml.j2

@@ -107,6 +107,14 @@ metrics:
   # (Optional) Prometheus metrics support
   #
   enabled: {{ matrix_hookshot_metrics_enabled | to_json }}
+{% if matrix_hookshot_experimental_encryption_enabled %}
+queue:
+  monolithic: true
+  port: 6379
+  host: matrix-redis
+experimentalEncryption:
+  storagePath: /data/encryption
+{% endif %}
 logging:
   # (Optional) Logging settings. You can have a severity debug,info,warn,error
   #

roles/custom/matrix-bridge-hookshot/templates/registration.yml.j2

@@ -28,3 +28,9 @@ namespaces:
 sender_localpart: hookshot
 url: "http://{{ matrix_hookshot_container_url }}:{{ matrix_hookshot_appservice_port }}" # This should match the bridge.port in your config file
 rate_limited: false
+
+{% if matrix_hookshot_experimental_encryption_enabled %}
+de.sorunome.msc2409.push_ephemeral: true
+push_ephemeral: true
+org.matrix.msc3202: true
+{% endif %}

roles/custom/matrix-bridge-hookshot/templates/systemd/matrix-hookshot.service.j2

@@ -16,7 +16,7 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_hookshot_container_url }}
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_hookshot_container_url }}
 
-ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {{ matrix_hookshot_container_url }} \
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create --rm --name {{ matrix_hookshot_container_url }} \
           --log-driver=none \
           --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
           --cap-drop=ALL \
@@ -30,6 +30,12 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
           {% endfor %}
           {{ matrix_hookshot_docker_image }}
 
+{% if matrix_hookshot_experimental_encryption_enabled %}
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect matrix-redis {{ matrix_hookshot_container_url }}
+{% endif %}
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach {{ matrix_hookshot_container_url }}
+
 ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_hookshot_container_url }}
 ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_hookshot_container_url }}
 Restart=always