Add dendrite captcha config to doc and hCaptcha (#2290)

* added dendrite captcha options

* added hcaptcha doc

* proper url

* Apply suggestions from code review

Co-authored-by: Slavi Pantaleev <slavi@devture.com>

* Update main.yml

* renamed captcha vars to new naming scheme

* change vars to new format

* Rename back some incorrect renamed variables

These variables are either not just part of the `client_api` subsection,
or are not even part of that section at all. They shouldn't have been
renamed in baaef2ed616e2645550d9

* Fix up naming inconsistencies

Some of these variables had been renamed in one place,
but not in other places, so it couldn't have worked that way.

* Add validation/deprecation for renamed Dendrite variables

Related to 4097898f885cf4c73, baaef2ed616e2645550, 68f4418092fa8ad
and a0b4a0ae6b2f1f18

Co-authored-by: Slavi Pantaleev <slavi@devture.com>
Array in a Matrix 2022-11-25 23:27:43 -08:00 committed by GitHub
parent 16c18b0344
commit 504d4a4134
5 changed files with 78 additions and 33 deletions


@ -2,9 +2,11 @@
# Overview # Overview
Captcha can be enabled for this home server. This file explains how to do that. Captcha can be enabled for this home server. This file explains how to do that.
The captcha mechanism used is Google's [ReCaptcha](https://www.google.com/recaptcha/). This requires API keys from Google. The captcha mechanism used is Google's [ReCaptcha](https://www.google.com/recaptcha/). This requires API keys from Google. If your homeserver is Dendrite then [hCapcha](https://www.hcaptcha.com) can be used instead.
## Getting keys ## ReCaptcha
### Getting keys
Requires a site/secret key pair from: Requires a site/secret key pair from:
@ -12,12 +14,39 @@ Requires a site/secret key pair from:
Must be a reCAPTCHA **v2** key using the "I'm not a robot" Checkbox option Must be a reCAPTCHA **v2** key using the "I'm not a robot" Checkbox option
## Setting ReCaptcha Keys ### Setting ReCaptcha keys
Once registered as above, set the following values: Once registered as above, set the following values:
```yaml ```yaml
# for Synapse
matrix_synapse_enable_registration_captcha: true matrix_synapse_enable_registration_captcha: true
matrix_synapse_recaptcha_public_key: 'YOUR_SITE_KEY' matrix_synapse_recaptcha_public_key: 'YOUR_SITE_KEY'
matrix_synapse_recaptcha_private_key: 'YOUR_SECRET_KEY' matrix_synapse_recaptcha_private_key: 'YOUR_SECRET_KEY'
# for Dendrite
matrix_dendrite_client_api_enable_registration_captcha: true
matrix_dendrite_client_api_recaptcha_public_key: 'YOUR_SITE_KEY'
matrix_dendrite_client_api_recaptcha_private_key: 'YOUR_SECRET_KEY'
```
## hCaptcha
### Getting keys
Requires a site/secret key pair from:
<https://dashboard.hcaptcha.com/sites/new>
### Setting hCaptcha keys
```yaml
matrix_dendrite_client_api_enable_registration_captcha: true
matrix_dendrite_client_api_recaptcha_public_key: 'YOUR_SITE_KEY'
matrix_dendrite_client_api_recaptcha_private_key: 'YOUR_SECRET_KEY'
matrix_dendrite_client_api_recaptcha_siteverify_api: 'https://hcaptcha.com/siteverify'
matrix_dendrite_client_api_recaptcha_api_js_url: 'https://js.hcaptcha.com/1/api.js'
matrix_dendrite_client_api_recaptcha_form_field: 'h-captcha-response'
matrix_dendrite_client_api_recaptcha_sitekey_class: 'h-captcha'
``` ```


@ -1474,7 +1474,7 @@ matrix_bot_maubot_registration_shared_secret: |-
{{ {{
{ {
'synapse': matrix_synapse_registration_shared_secret, 'synapse': matrix_synapse_registration_shared_secret,
'dendrite': matrix_dendrite_registration_shared_secret, 'dendrite': matrix_dendrite_client_api_registration_shared_secret,
}[matrix_homeserver_implementation] }[matrix_homeserver_implementation]
}} }}
@ -2898,7 +2898,7 @@ matrix_registration_shared_secret: |-
{{ {{
{ {
'synapse': matrix_synapse_registration_shared_secret, 'synapse': matrix_synapse_registration_shared_secret,
'dendrite': matrix_dendrite_registration_shared_secret, 'dendrite': matrix_dendrite_client_api_registration_shared_secret,
'conduit': '', 'conduit': '',
}[matrix_homeserver_implementation] }[matrix_homeserver_implementation]
}} }}
@ -2975,13 +2975,13 @@ matrix_dendrite_container_https_host_bind_address: "{{ '' if matrix_nginx_proxy_
matrix_dendrite_sync_api_real_ip_header: "{{ 'X-Forwarded-For' if matrix_nginx_proxy_enabled else '' }}" matrix_dendrite_sync_api_real_ip_header: "{{ 'X-Forwarded-For' if matrix_nginx_proxy_enabled else '' }}"
matrix_dendrite_registration_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.rss', rounds=655555) | to_uuid }}" matrix_dendrite_client_api_registration_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.rss', rounds=655555) | to_uuid }}"
matrix_dendrite_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.db', rounds=655555) | to_uuid }}" matrix_dendrite_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.db', rounds=655555) | to_uuid }}"
# Even if TURN doesn't support TLS (it does by default), # Even if TURN doesn't support TLS (it does by default),
# it doesn't hurt to try a secure connection anyway. # it doesn't hurt to try a secure connection anyway.
matrix_dendrite_turn_uris: | matrix_dendrite_client_api_turn_uris: |
{{ {{
[ [
'turns:' + matrix_server_fqn_matrix + '?transport=udp', 'turns:' + matrix_server_fqn_matrix + '?transport=udp',


@ -76,7 +76,7 @@ matrix_dendrite_systemd_wanted_services_list: []
# matrix_dendrite_template_dendrite_config: "{{ playbook_dir }}/inventory/host_vars/<host>/dendrite.yaml.j2" # matrix_dendrite_template_dendrite_config: "{{ playbook_dir }}/inventory/host_vars/<host>/dendrite.yaml.j2"
matrix_dendrite_template_dendrite_config: "{{ role_path }}/templates/dendrite/dendrite.yaml.j2" matrix_dendrite_template_dendrite_config: "{{ role_path }}/templates/dendrite/dendrite.yaml.j2"
matrix_dendrite_registration_shared_secret: '' matrix_dendrite_client_api_registration_shared_secret: ''
matrix_dendrite_allow_guest_access: false matrix_dendrite_allow_guest_access: false
matrix_dendrite_max_file_size_bytes: 10485760 matrix_dendrite_max_file_size_bytes: 10485760
@ -89,18 +89,21 @@ matrix_dendrite_sync_api_real_ip_header: ''
matrix_dendrite_tmp_directory_size_mb: 500 matrix_dendrite_tmp_directory_size_mb: 500
# Rate limits # Rate limits
matrix_dendrite_rate_limiting_enabled: true matrix_dendrite_client_api_rate_limiting_enabled: true
matrix_dendrite_rate_limiting_threshold: 20 matrix_dendrite_client_api_rate_limiting_threshold: 20
matrix_dendrite_rate_limiting_cooloff_ms: 500 matrix_dendrite_client_api_rate_limiting_cooloff_ms: 500
# Controls whether people with access to the homeserver can register by themselves. # Controls whether people with access to the homeserver can register by themselves.
matrix_dendrite_registration_disabled: true matrix_dendrite_client_api_registration_disabled: true
# reCAPTCHA API for validating registration attempts # reCAPTCHA API for validating registration attempts
matrix_dendrite_enable_registration_captcha: false matrix_dendrite_client_api_enable_registration_captcha: false
matrix_dendrite_recaptcha_public_key: "" matrix_dendrite_client_api_recaptcha_public_key: ""
matrix_dendrite_recaptcha_private_key: "" matrix_dendrite_client_api_recaptcha_private_key: ""
matrix_dendrite_recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" matrix_dendrite_client_api_recaptcha_siteverify_api: ""
matrix_dendrite_client_api_recaptcha_api_js_url: ""
matrix_dendrite_client_api_recaptcha_form_field: ""
matrix_dendrite_client_api_recaptcha_sitekey_class: ""
# A list of additional "volumes" to mount in the container. # A list of additional "volumes" to mount in the container.
# This list gets populated dynamically based on Dendrite extensions that have been enabled. # This list gets populated dynamically based on Dendrite extensions that have been enabled.
@ -147,11 +150,10 @@ matrix_dendrite_userapi_database: "dendrite_userapi"
matrix_dendrite_pushserver_database: "dendrite_pushserver" matrix_dendrite_pushserver_database: "dendrite_pushserver"
matrix_dendrite_mscs_database: "dendrite_mscs" matrix_dendrite_mscs_database: "dendrite_mscs"
matrix_dendrite_turn_uris: [] matrix_dendrite_client_api_turn_uris: []
matrix_dendrite_turn_shared_secret: "" matrix_dendrite_client_api_turn_client_api_shared_secret: ""
matrix_dendrite_turn_allow_guests: false matrix_dendrite_client_api_turn_allow_guests: false
# Controls whether the self-check feature should validate TLS certificates.
matrix_dendrite_disable_tls_validation: false matrix_dendrite_disable_tls_validation: false
matrix_dendrite_trusted_id_servers: matrix_dendrite_trusted_id_servers:
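Review bot: The renamed TURN secret default in this hunk, `matrix_dendrite_client_api_turn_client_api_shared_secret: ""`, does not match the name the template reads (`turn_shared_secret: {{ matrix_dendrite_client_api_turn_shared_secret | to_json }}` in dendrite.yaml.j2), so the template references a variable no default defines and this default is never used. The matching deprecation entry in validate_config.yml looks for `matrix_dendrite_turn_client_api_shared_secret`, which was never a variable, so a user still setting the old `matrix_dendrite_turn_shared_secret` gets no rename error and would instead hit an undefined-variable failure at template time. Change the default to `matrix_dendrite_client_api_turn_shared_secret: ""` and the validation entry to `- {'old': 'matrix_dendrite_turn_shared_secret', 'new': 'matrix_dendrite_client_api_turn_shared_secret'}`. Separately, `matrix_dendrite_client_api_recaptcha_siteverify_api` now defaults to `""` instead of the Google siteverify URL, so an existing Dendrite reCAPTCHA setup that only sets the key pair will render an empty `recaptcha_siteverify_api`; unless Dendrite substitutes its own default for an empty value, which I cannot confirm from here, those users now have to set the URL explicitly and the docs' "for Dendrite" snippet should say so.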


@ -5,7 +5,7 @@
You need to define a required configuration setting (`{{ item }}`) for using Dendrite. You need to define a required configuration setting (`{{ item }}`) for using Dendrite.
when: "vars[item] == ''" when: "vars[item] == ''"
with_items: with_items:
- "matrix_dendrite_registration_shared_secret" - "matrix_dendrite_client_api_registration_shared_secret"
- name: (Deprecation) Catch and report renamed settings - name: (Deprecation) Catch and report renamed settings
ansible.builtin.fail: ansible.builtin.fail:
@ -13,4 +13,15 @@
Your configuration contains a variable, which now has a different name. Your configuration contains a variable, which now has a different name.
Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
when: "item.old in vars" when: "item.old in vars"
with_items: [] with_items:
- {'old': 'matrix_dendrite_enable_registration_captcha', 'new': 'matrix_dendrite_client_api_enable_registration_captcha'}
- {'old': 'matrix_dendrite_recaptcha_public_key', 'new': 'matrix_dendrite_client_api_recaptcha_public_key'}
- {'old': 'matrix_dendrite_recaptcha_private_key', 'new': 'matrix_dendrite_client_api_recaptcha_private_key'}
- {'old': 'matrix_dendrite_registration_disabled', 'new': 'matrix_dendrite_client_api_registration_disabled'}
- {'old': 'matrix_dendrite_registration_shared_secret', 'new': 'matrix_dendrite_client_api_registration_shared_secret'}
- {'old': 'matrix_dendrite_turn_uris', 'new': 'matrix_dendrite_client_api_turn_uris'}
- {'old': 'matrix_dendrite_turn_client_api_shared_secret', 'new': 'matrix_dendrite_client_api_turn_client_api_shared_secret'}
- {'old': 'matrix_dendrite_turn_allow_guests', 'new': 'matrix_dendrite_client_api_turn_allow_guests'}
- {'old': 'matrix_dendrite_rate_limiting_enabled', 'new': 'matrix_dendrite_client_api_rate_limiting_enabled'}
- {'old': 'matrix_dendrite_rate_limiting_threshold', 'new': 'matrix_dendrite_client_api_rate_limiting_threshold'}
- {'old': 'matrix_dendrite_rate_limiting_cooloff_ms', 'new': 'matrix_dendrite_client_api_rate_limiting_cooloff_ms'}
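Review bot: The deprecation list omits the siteverify URL variable, which this commit also renames in defaults/main.yml (`matrix_dendrite_recaptcha_siteverify_api` to `matrix_dendrite_client_api_recaptcha_siteverify_api`), so a user who had overridden it keeps a silently ignored variable and no error is raised. Add `- {'old': 'matrix_dendrite_recaptcha_siteverify_api', 'new': 'matrix_dendrite_client_api_recaptcha_siteverify_api'}` to the list so the `item.old in vars` check covers it like the other renames.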


@ -175,7 +175,7 @@ client_api:
# Prevents new users from being able to register on this homeserver, except when # Prevents new users from being able to register on this homeserver, except when
# using the registration shared secret below. # using the registration shared secret below.
registration_disabled: {{ matrix_dendrite_registration_disabled|to_json }} registration_disabled: {{ matrix_dendrite_client_api_registration_disabled | to_json }}
# Prevents new guest accounts from being created. Guest registration is also # Prevents new guest accounts from being created. Guest registration is also
# disabled implicitly by setting 'registration_disabled' above. # disabled implicitly by setting 'registration_disabled' above.
@ -183,22 +183,25 @@ client_api:
# If set, allows registration by anyone who knows the shared secret, regardless of # If set, allows registration by anyone who knows the shared secret, regardless of
# whether registration is otherwise disabled. # whether registration is otherwise disabled.
registration_shared_secret: {{ matrix_dendrite_registration_shared_secret | string|to_json }} registration_shared_secret: {{ matrix_dendrite_client_api_registration_shared_secret | string | to_json }}
# Whether to require reCAPTCHA for registration. # Whether to require reCAPTCHA for registration.
enable_registration_captcha: {{ matrix_dendrite_enable_registration_captcha|to_json }} enable_registration_captcha: {{ matrix_dendrite_client_api_enable_registration_captcha | to_json }}
# Settings for ReCAPTCHA. # Settings for ReCAPTCHA.
recaptcha_public_key: {{ matrix_dendrite_recaptcha_public_key|to_json }} recaptcha_public_key: {{ matrix_dendrite_client_api_recaptcha_public_key | to_json }}
recaptcha_private_key: {{ matrix_dendrite_recaptcha_private_key|to_json }} recaptcha_private_key: {{ matrix_dendrite_client_api_recaptcha_private_key | to_json }}
recaptcha_bypass_secret: "" recaptcha_bypass_secret: ""
recaptcha_siteverify_api: {{ matrix_dendrite_recaptcha_siteverify_api|to_json }} recaptcha_siteverify_api: {{ matrix_dendrite_client_api_recaptcha_siteverify_api | to_json }}
recaptcha_api_js_url: {{ matrix_dendrite_client_api_recaptcha_api_js_url | to_json }}
recaptcha_form_field: {{ matrix_dendrite_client_api_recaptcha_form_field | to_json }}
recaptcha_sitekey_class: {{ matrix_dendrite_client_api_recaptcha_sitekey_class | to_json }}
# TURN server information that this homeserver should send to clients. # TURN server information that this homeserver should send to clients.
turn: turn:
turn_user_lifetime: "" turn_user_lifetime: ""
turn_uris: {{ matrix_dendrite_turn_uris|to_json }} turn_uris: {{ matrix_dendrite_client_api_turn_uris | to_json }}
turn_shared_secret: {{ matrix_dendrite_turn_shared_secret|to_json }} turn_shared_secret: {{ matrix_dendrite_client_api_turn_shared_secret | to_json }}
turn_username: "" turn_username: ""
turn_password: "" turn_password: ""
@ -206,9 +209,9 @@ client_api:
# threshold number of "slots" have been taken by requests from a specific # threshold number of "slots" have been taken by requests from a specific
# host. Each "slot" will be released after the cooloff time in milliseconds. # host. Each "slot" will be released after the cooloff time in milliseconds.
rate_limiting: rate_limiting:
enabled: {{ matrix_dendrite_rate_limiting_enabled|to_json }} enabled: {{ matrix_dendrite_client_api_rate_limiting_enabled | to_json }}
threshold: {{ matrix_dendrite_rate_limiting_threshold|to_json }} threshold: {{ matrix_dendrite_client_api_rate_limiting_threshold | to_json }}
cooloff_ms: {{ matrix_dendrite_rate_limiting_cooloff_ms|to_json }} cooloff_ms: {{ matrix_dendrite_client_api_rate_limiting_cooloff_ms | to_json }}
exempt_user_ids: exempt_user_ids:
# - "@user:domain.com" # - "@user:domain.com"