Add dendrite captcha config to doc and hCaptcha (#2290)

* added dendrite captcha options

* added hcaptcha doc

* proper url

* Apply suggestions from code review

Co-authored-by: Slavi Pantaleev <slavi@devture.com>

* Update main.yml

* renamed captcha vars to new naming scheme

* change vars to new format

* Rename back some incorrectly renamed variables

These variables are either not just part of the `client_api` subsection,
or are not even part of that section at all. They shouldn't have been
renamed in baaef2ed616e2645550d9

* Fix up naming inconsistencies

Some of these variables had been renamed in one place,
but not in other places, so it couldn't have worked that way.

* Add validation/deprecation for renamed Dendrite variables

Related to 4097898f885cf4c73, baaef2ed616e2645550, 68f4418092fa8ad
and a0b4a0ae6b2f1f18

Co-authored-by: Slavi Pantaleev <slavi@devture.com>
This commit is contained in:
Array in a Matrix 2022-11-25 23:27:43 -08:00 committed by GitHub
parent 16c18b0344
commit 504d4a4134
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 78 additions and 33 deletions


@ -2,9 +2,11 @@
# Overview
Captcha can be enabled for this home server. This file explains how to do that.
The captcha mechanism used is Google's [ReCaptcha](https://www.google.com/recaptcha/). This requires API keys from Google.
The captcha mechanism used is Google's [ReCaptcha](https://www.google.com/recaptcha/). This requires API keys from Google. If your homeserver is Dendrite then [hCapcha](https://www.hcaptcha.com) can be used instead.
## Getting keys
## ReCaptcha
### Getting keys
Requires a site/secret key pair from:
@ -12,12 +14,39 @@ Requires a site/secret key pair from:
Must be a reCAPTCHA **v2** key using the "I'm not a robot" Checkbox option
## Setting ReCaptcha Keys
### Setting ReCaptcha keys
Once registered as above, set the following values:
```yaml
# for Synapse
matrix_synapse_enable_registration_captcha: true
matrix_synapse_recaptcha_public_key: 'YOUR_SITE_KEY'
matrix_synapse_recaptcha_private_key: 'YOUR_SECRET_KEY'
# for Dendrite
matrix_dendrite_client_api_enable_registration_captcha: true
matrix_dendrite_client_api_recaptcha_public_key: 'YOUR_SITE_KEY'
matrix_dendrite_client_api_recaptcha_private_key: 'YOUR_SECRET_KEY'
```
## hCaptcha
### Getting keys
Requires a site/secret key pair from:
<https://dashboard.hcaptcha.com/sites/new>
### Setting hCaptcha keys
```yaml
matrix_dendrite_client_api_enable_registration_captcha: true
matrix_dendrite_client_api_recaptcha_public_key: 'YOUR_SITE_KEY'
matrix_dendrite_client_api_recaptcha_private_key: 'YOUR_SECRET_KEY'
matrix_dendrite_client_api_recaptcha_siteverify_api: 'https://hcaptcha.com/siteverify'
matrix_dendrite_client_api_recaptcha_api_js_url: 'https://js.hcaptcha.com/1/api.js'
matrix_dendrite_client_api_recaptcha_form_field: 'h-captcha-response'
matrix_dendrite_client_api_recaptcha_sitekey_class: 'h-captcha'
```


@ -1474,7 +1474,7 @@ matrix_bot_maubot_registration_shared_secret: |-
{{
{
'synapse': matrix_synapse_registration_shared_secret,
'dendrite': matrix_dendrite_registration_shared_secret,
'dendrite': matrix_dendrite_client_api_registration_shared_secret,
}[matrix_homeserver_implementation]
}}
@ -2898,7 +2898,7 @@ matrix_registration_shared_secret: |-
{{
{
'synapse': matrix_synapse_registration_shared_secret,
'dendrite': matrix_dendrite_registration_shared_secret,
'dendrite': matrix_dendrite_client_api_registration_shared_secret,
'conduit': '',
}[matrix_homeserver_implementation]
}}
@ -2975,13 +2975,13 @@ matrix_dendrite_container_https_host_bind_address: "{{ '' if matrix_nginx_proxy_
matrix_dendrite_sync_api_real_ip_header: "{{ 'X-Forwarded-For' if matrix_nginx_proxy_enabled else '' }}"
matrix_dendrite_registration_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.rss', rounds=655555) | to_uuid }}"
matrix_dendrite_client_api_registration_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.rss', rounds=655555) | to_uuid }}"
matrix_dendrite_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'dendrite.db', rounds=655555) | to_uuid }}"
# Even if TURN doesn't support TLS (it does by default),
# it doesn't hurt to try a secure connection anyway.
matrix_dendrite_turn_uris: |
matrix_dendrite_client_api_turn_uris: |
{{
[
'turns:' + matrix_server_fqn_matrix + '?transport=udp',


@ -76,7 +76,7 @@ matrix_dendrite_systemd_wanted_services_list: []
# matrix_dendrite_template_dendrite_config: "{{ playbook_dir }}/inventory/host_vars/<host>/dendrite.yaml.j2"
matrix_dendrite_template_dendrite_config: "{{ role_path }}/templates/dendrite/dendrite.yaml.j2"
matrix_dendrite_registration_shared_secret: ''
matrix_dendrite_client_api_registration_shared_secret: ''
matrix_dendrite_allow_guest_access: false
matrix_dendrite_max_file_size_bytes: 10485760
@ -89,18 +89,21 @@ matrix_dendrite_sync_api_real_ip_header: ''
matrix_dendrite_tmp_directory_size_mb: 500
# Rate limits
matrix_dendrite_rate_limiting_enabled: true
matrix_dendrite_rate_limiting_threshold: 20
matrix_dendrite_rate_limiting_cooloff_ms: 500
matrix_dendrite_client_api_rate_limiting_enabled: true
matrix_dendrite_client_api_rate_limiting_threshold: 20
matrix_dendrite_client_api_rate_limiting_cooloff_ms: 500
# Controls whether people with access to the homeserver can register by themselves.
matrix_dendrite_registration_disabled: true
matrix_dendrite_client_api_registration_disabled: true
# reCAPTCHA API for validating registration attempts
matrix_dendrite_enable_registration_captcha: false
matrix_dendrite_recaptcha_public_key: ""
matrix_dendrite_recaptcha_private_key: ""
matrix_dendrite_recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
matrix_dendrite_client_api_enable_registration_captcha: false
matrix_dendrite_client_api_recaptcha_public_key: ""
matrix_dendrite_client_api_recaptcha_private_key: ""
matrix_dendrite_client_api_recaptcha_siteverify_api: ""
matrix_dendrite_client_api_recaptcha_api_js_url: ""
matrix_dendrite_client_api_recaptcha_form_field: ""
matrix_dendrite_client_api_recaptcha_sitekey_class: ""
# A list of additional "volumes" to mount in the container.
# This list gets populated dynamically based on Dendrite extensions that have been enabled.
@ -147,11 +150,10 @@ matrix_dendrite_userapi_database: "dendrite_userapi"
matrix_dendrite_pushserver_database: "dendrite_pushserver"
matrix_dendrite_mscs_database: "dendrite_mscs"
matrix_dendrite_turn_uris: []
matrix_dendrite_turn_shared_secret: ""
matrix_dendrite_turn_allow_guests: false
matrix_dendrite_client_api_turn_uris: []
matrix_dendrite_client_api_turn_client_api_shared_secret: ""
matrix_dendrite_client_api_turn_allow_guests: false
# Controls whether the self-check feature should validate TLS certificates.
matrix_dendrite_disable_tls_validation: false
matrix_dendrite_trusted_id_servers:
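Review bot: The default for `matrix_dendrite_client_api_recaptcha_siteverify_api` changes from the explicit Google endpoint on the removed line (`https://www.google.com/recaptcha/api/siteverify`) to `""`, and the three new `recaptcha_api_js_url` / `recaptcha_form_field` / `recaptcha_sitekey_class` variables also default to `""`, which is a behaviour change in a registration-abuse control and not just a rename. That only works if the Dendrite build in use substitutes its own reCAPTCHA defaults for empty strings; on a version that does not, an operator who follows the docs and sets only the two keys plus `enable_registration_captcha: true` ends up with a captcha that cannot verify anything. Either keep the previous Google URL as the default, or document the contract above these lines and pin the version it depends on, e.g. `# Leave empty to use Dendrite's built-in Google reCAPTCHA endpoints/field names (requires a Dendrite release that supports these client_api settings); set all four for hCaptcha.` Note also that `matrix_dendrite_client_api_recaptcha_private_key` is a secret that ends up in the rendered config, so it belongs in vault-encrypted vars rather than plain inventory — a one-line comment saying so here would help.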


@ -5,7 +5,7 @@
You need to define a required configuration setting (`{{ item }}`) for using Dendrite.
when: "vars[item] == ''"
with_items:
- "matrix_dendrite_registration_shared_secret"
- "matrix_dendrite_client_api_registration_shared_secret"
- name: (Deprecation) Catch and report renamed settings
ansible.builtin.fail:
@ -13,4 +13,15 @@
Your configuration contains a variable, which now has a different name.
Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
when: "item.old in vars"
with_items: []
with_items:
- {'old': 'matrix_dendrite_enable_registration_captcha', 'new': 'matrix_dendrite_client_api_enable_registration_captcha'}
- {'old': 'matrix_dendrite_recaptcha_public_key', 'new': 'matrix_dendrite_client_api_recaptcha_public_key'}
- {'old': 'matrix_dendrite_recaptcha_private_key', 'new': 'matrix_dendrite_client_api_recaptcha_private_key'}
- {'old': 'matrix_dendrite_registration_disabled', 'new': 'matrix_dendrite_client_api_registration_disabled'}
- {'old': 'matrix_dendrite_registration_shared_secret', 'new': 'matrix_dendrite_client_api_registration_shared_secret'}
- {'old': 'matrix_dendrite_turn_uris', 'new': 'matrix_dendrite_client_api_turn_uris'}
- {'old': 'matrix_dendrite_turn_client_api_shared_secret', 'new': 'matrix_dendrite_client_api_turn_client_api_shared_secret'}
- {'old': 'matrix_dendrite_turn_allow_guests', 'new': 'matrix_dendrite_client_api_turn_allow_guests'}
- {'old': 'matrix_dendrite_rate_limiting_enabled', 'new': 'matrix_dendrite_client_api_rate_limiting_enabled'}
- {'old': 'matrix_dendrite_rate_limiting_threshold', 'new': 'matrix_dendrite_client_api_rate_limiting_threshold'}
- {'old': 'matrix_dendrite_rate_limiting_cooloff_ms', 'new': 'matrix_dendrite_client_api_rate_limiting_cooloff_ms'}
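Review bot: The TURN-secret entry catches the old name `matrix_dendrite_turn_client_api_shared_secret`, but the variable this commit actually removes from the role defaults is `matrix_dendrite_turn_shared_secret`, so an inventory that still sets the TURN secret under its real old name passes this check and the value is silently dropped instead of reported. The same entry's new side is `matrix_dendrite_client_api_turn_client_api_shared_secret`, while the dendrite.yaml.j2 template reads `matrix_dendrite_client_api_turn_shared_secret`; converge on the template's spelling and use it here: `- {'old': 'matrix_dendrite_turn_shared_secret', 'new': 'matrix_dendrite_client_api_turn_shared_secret'}`. `matrix_dendrite_recaptcha_siteverify_api` is also removed from the defaults but has no entry, so a custom verify endpoint would be ignored rather than flagged: add `- {'old': 'matrix_dendrite_recaptcha_siteverify_api', 'new': 'matrix_dendrite_client_api_recaptcha_siteverify_api'}`. Since this file now exists to fail early on bad Dendrite settings, it would also be worth a task that fails when `matrix_dendrite_client_api_enable_registration_captcha` is true and either recaptcha key is `''`, rather than relying on Dendrite to reject the rendered config at startup.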


@ -175,7 +175,7 @@ client_api:
# Prevents new users from being able to register on this homeserver, except when
# using the registration shared secret below.
registration_disabled: {{ matrix_dendrite_registration_disabled|to_json }}
registration_disabled: {{ matrix_dendrite_client_api_registration_disabled | to_json }}
# Prevents new guest accounts from being created. Guest registration is also
# disabled implicitly by setting 'registration_disabled' above.
@ -183,22 +183,25 @@ client_api:
# If set, allows registration by anyone who knows the shared secret, regardless of
# whether registration is otherwise disabled.
registration_shared_secret: {{ matrix_dendrite_registration_shared_secret | string|to_json }}
registration_shared_secret: {{ matrix_dendrite_client_api_registration_shared_secret | string | to_json }}
# Whether to require reCAPTCHA for registration.
enable_registration_captcha: {{ matrix_dendrite_enable_registration_captcha|to_json }}
enable_registration_captcha: {{ matrix_dendrite_client_api_enable_registration_captcha | to_json }}
# Settings for ReCAPTCHA.
recaptcha_public_key: {{ matrix_dendrite_recaptcha_public_key|to_json }}
recaptcha_private_key: {{ matrix_dendrite_recaptcha_private_key|to_json }}
recaptcha_public_key: {{ matrix_dendrite_client_api_recaptcha_public_key | to_json }}
recaptcha_private_key: {{ matrix_dendrite_client_api_recaptcha_private_key | to_json }}
recaptcha_bypass_secret: ""
recaptcha_siteverify_api: {{ matrix_dendrite_recaptcha_siteverify_api|to_json }}
recaptcha_siteverify_api: {{ matrix_dendrite_client_api_recaptcha_siteverify_api | to_json }}
recaptcha_api_js_url: {{ matrix_dendrite_client_api_recaptcha_api_js_url | to_json }}
recaptcha_form_field: {{ matrix_dendrite_client_api_recaptcha_form_field | to_json }}
recaptcha_sitekey_class: {{ matrix_dendrite_client_api_recaptcha_sitekey_class | to_json }}
# TURN server information that this homeserver should send to clients.
turn:
turn_user_lifetime: ""
turn_uris: {{ matrix_dendrite_turn_uris|to_json }}
turn_shared_secret: {{ matrix_dendrite_turn_shared_secret|to_json }}
turn_uris: {{ matrix_dendrite_client_api_turn_uris | to_json }}
turn_shared_secret: {{ matrix_dendrite_client_api_turn_shared_secret | to_json }}
turn_username: ""
turn_password: ""
@ -206,9 +209,9 @@ client_api:
# threshold number of "slots" have been taken by requests from a specific
# host. Each "slot" will be released after the cooloff time in milliseconds.
rate_limiting:
enabled: {{ matrix_dendrite_rate_limiting_enabled|to_json }}
threshold: {{ matrix_dendrite_rate_limiting_threshold|to_json }}
cooloff_ms: {{ matrix_dendrite_rate_limiting_cooloff_ms|to_json }}
enabled: {{ matrix_dendrite_client_api_rate_limiting_enabled | to_json }}
threshold: {{ matrix_dendrite_client_api_rate_limiting_threshold | to_json }}
cooloff_ms: {{ matrix_dendrite_client_api_rate_limiting_cooloff_ms | to_json }}
exempt_user_ids:
# - "@user:domain.com"
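Review bot: `turn_shared_secret` is rendered from `matrix_dendrite_client_api_turn_shared_secret`, but the role defaults in this same commit define `matrix_dendrite_client_api_turn_client_api_shared_secret` and the deprecation task maps the old variable onto that name too, so unless the template's name is defined somewhere outside this diff the template fails on an undefined variable, and if it is defined elsewhere the value an operator sets through the role default never reaches Dendrite. Pick one name — `turn_shared_secret: {{ matrix_dendrite_client_api_turn_shared_secret | to_json }}` is the consistent one — and rename the default and the deprecation entry to match. The `# Whether to require reCAPTCHA for registration.` comment is now inaccurate since the same keys drive hCaptcha; `# Whether to require a captcha (reCAPTCHA or hCaptcha) for registration.` would be truthful. The `client_api:` mapping these keys belong to starts before the first hunk and `exempt_user_ids` continues past the last one.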