From ac72879bf5ad04ebb034feb779d8f12db784965a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 25 Jul 2022 15:55:16 +0300 Subject: [PATCH] Make bridge permissions more easily configurable Not doing {% if matrix_admin %} checks in the YAML also fixes some issues with indentation being incorrect sometimes. This should be backward compatible, except for mautrix-signal's case where `matrix_mautrix_signal_bridge_permissions` previously existed as a string, not a dictionary. `tasks/validate_config.yml` will catch the problem an even provide a quick fix.
---
 .../defaults/main.yml | 6 +++++ .../templates/config.yaml.j2 | 8 ++----- .../defaults/main.yml | 22 ++++++++++++------- .../templates/config.yaml.j2 | 6 +---- .../defaults/main.yml | 6 +++++ .../templates/config.yaml.j2 | 6 +---- .../defaults/main.yml | 6 +++++ .../templates/config.yaml.j2 | 6 +---- .../defaults/main.yml | 6 +++++ .../templates/config.yaml.j2 | 6 +---- .../defaults/main.yml | 6 +++++ .../templates/config.yaml.j2 | 6 +---- .../defaults/main.yml | 12 +++++----- .../tasks/validate_config.yml | 9 ++++++++ .../templates/config.yaml.j2 | 3 +-- .../defaults/main.yml | 6 +++++ .../templates/config.yaml.j2 | 6 +---- .../defaults/main.yml | 6 +++++ .../templates/config.yaml.j2 | 6 +---- .../defaults/main.yml | 15 +++++++++---- .../templates/config.yaml.j2 | 6 +---- 21 files changed, 94 insertions(+), 65 deletions(-)
diff --git a/roles/matrix-bridge-beeper-linkedin/defaults/main.yml b/roles/matrix-bridge-beeper-linkedin/defaults/main.yml
index 45afd0f1..fc2cc898 100644
--- a/roles/matrix-bridge-beeper-linkedin/defaults/main.yml
+++ b/roles/matrix-bridge-beeper-linkedin/defaults/main.yml
@@ -29,6 +29,12 @@ matrix_beeper_linkedin_bridge_presence: true
 matrix_beeper_linkedin_command_prefix: "!li"
+matrix_beeper_linkedin_bridge_permissions: |
+ {{
+ {matrix_beeper_linkedin_homeserver_domain: 'user'}
+ | combine({matrix_admin: 'admin'} if matrix_admin else {})
+ }}
+
 # A list of extra arguments to pass to the container
 matrix_beeper_linkedin_container_extra_arguments: []
diff --git a/roles/matrix-bridge-beeper-linkedin/templates/config.yaml.j2 b/roles/matrix-bridge-beeper-linkedin/templates/config.yaml.j2
index a91eb416..a30f2425 100644
--- a/roles/matrix-bridge-beeper-linkedin/templates/config.yaml.j2
+++ b/roles/matrix-bridge-beeper-linkedin/templates/config.yaml.j2
@@ -56,7 +56,7 @@ appservice:
 # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
 # to leave display name/avatar as-is.
 displayname: LinkedIn bridge bot
- avatar: mxc://sumnerevans.com/XMtwdeUBnxYvWNFFrfeTSHqB
+ avatar: mxc://sumnerevans.com/XMtwdeUBnxYvWNFFrfeTSHqB
 # Whether or not to receive ephemeral events via appservice transactions.
 # Requires MSC2409 support (i.e. Synapse 1.22+).
@@ -236,11 +236,7 @@ bridge:
 # * - All Matrix users
 # domain - All users on that homeserver
 # mxid - Specific user
- permissions:
- "{{ matrix_beeper_linkedin_homeserver_domain }}": user
- {% if matrix_admin %}
- "{{ matrix_admin }}": admin
- {% endif %}
+ permissions: {{ matrix_beeper_linkedin_bridge_permissions|to_json }}
diff --git a/roles/matrix-bridge-go-skype-bridge/defaults/main.yml b/roles/matrix-bridge-go-skype-bridge/defaults/main.yml
index b05e78a5..cc456538 100644
--- a/roles/matrix-bridge-go-skype-bridge/defaults/main.yml
+++ b/roles/matrix-bridge-go-skype-bridge/defaults/main.yml
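Review bot: The new `matrix_beeper_linkedin_bridge_permissions` default carries no comment in defaults/main.yml, while the meaning of its keys (`*`, a homeserver domain, or a specific mxid) is only explained by the comments in the template hunk below; the same applies to the go-skype, facebook, googlechat, hangouts, instagram, telegram, twitter and whatsapp defaults hunks in this patch. A comment such as `# Permission map for the bridge. Keys are '*', a homeserver domain or a full user mxid; overriding this variable replaces the whole map, so an override needs its own admin entry.` would save users a trip to the template. Because `combine()` lets the second mapping win on equal keys, it is also worth stating that `matrix_admin` is expected to be a full mxid: if it were ever set to the bare homeserver domain, the `'admin'` entry would silently replace the domain-wide `'user'` entry for every local user.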
@@ -85,6 +85,20 @@ matrix_go_skype_bridge_bridge_login_shared_secret_map:
 matrix_go_skype_bridge_bridge_double_puppet_server_map: "{{ matrix_go_skype_bridge_homeserver_domain : matrix_go_skype_bridge_homeserver_address }}"
+# Enable End-to-bridge encryption
+matrix_go_skype_bridge_bridge_encryption_allow: false
+matrix_go_skype_bridge_bridge_encryption_default: "{{ matrix_go_skype_bridge_bridge_encryption_allow }}"
+
+# Minimum severity of journal log messages.
+# Options: debug, info, warn, error, fatal
+matrix_go_skype_bridge_log_level: 'warn'
+
+matrix_go_skype_bridge_bridge_permissions: |
+ {{
+ {matrix_go_skype_bridge_homeserver_domain: 'user'}
+ | combine({matrix_admin: 'admin'} if matrix_admin else {})
+ }}
+
 # Default go-skype-bridge configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #
@@ -124,11 +138,3 @@ matrix_go_skype_bridge_registration_yaml: |
 de.sorunome.msc2409.push_ephemeral: true
 matrix_go_skype_bridge_registration: "{{ matrix_go_skype_bridge_registration_yaml | from_yaml }}"
-
-# Enable End-to-bridge encryption
-matrix_go_skype_bridge_bridge_encryption_allow: false
-matrix_go_skype_bridge_bridge_encryption_default: "{{ matrix_go_skype_bridge_bridge_encryption_allow }}"
-
-# Minimum severity of journal log messages.
-# Options: debug, info, warn, error, fatal
-matrix_go_skype_bridge_log_level: 'warn'
diff --git a/roles/matrix-bridge-go-skype-bridge/templates/config.yaml.j2 b/roles/matrix-bridge-go-skype-bridge/templates/config.yaml.j2
index 56e37f84..2a1dc6c1 100644
--- a/roles/matrix-bridge-go-skype-bridge/templates/config.yaml.j2
+++ b/roles/matrix-bridge-go-skype-bridge/templates/config.yaml.j2
@@ -197,11 +197,7 @@ bridge:
 # * - All Matrix users
 # domain - All users on that homeserver
 # mxid - Specific user
- permissions:
- "{{ matrix_go_skype_bridge_homeserver_domain }}": user
- {% if matrix_admin %}
- "{{ matrix_admin }}": admin
- {% endif %}
+ permissions: {{ matrix_go_skype_bridge_bridge_permissions|to_json }}
 relaybot:
 # Whether or not relaybot support is enabled.
diff --git a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml
index 51b4f357..719c86dc 100644
--- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml
@@ -46,6 +46,12 @@ matrix_mautrix_facebook_homeserver_token: ''
 # If false, created portal rooms will never be federated.
 matrix_mautrix_facebook_federate_rooms: true
+matrix_mautrix_facebook_bridge_permissions: |
+ {{
+ {matrix_mautrix_facebook_homeserver_domain: 'user'}
+ | combine({matrix_admin: 'admin'} if matrix_admin else {})
+ }}
+
 # Controls whether the matrix-mautrix-facebook container exposes its HTTP port.
 #
 # Takes an ":" or "" value (e.g. "127.0.0.1:9008"), or empty string to not expose.
diff --git a/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2
index 4b27e66a..3318255d 100644
--- a/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2
@@ -201,11 +201,7 @@ bridge:
 # * - All Matrix users
 # domain - All users on that homeserver
 # mxid - Specific user
- permissions:
- '{{ matrix_mautrix_facebook_homeserver_domain }}': user
- {% if matrix_admin %}
- '{{ matrix_admin }}': admin
- {% endif %}
+ permissions: {{ matrix_mautrix_facebook_bridge_permissions|to_json }}
 relay:
 # Whether relay mode should be allowed. If allowed, `!fb set-relay` can be used to turn any
diff --git a/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml b/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml
index 85d534e5..a4b1438b 100644
--- a/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml
@@ -48,6 +48,12 @@ matrix_mautrix_googlechat_homeserver_token: ''
 # If false, created portal rooms will never be federated.
 matrix_mautrix_googlechat_federate_rooms: true
+matrix_mautrix_googlechat_bridge_permissions: |
+ {{
+ {matrix_mautrix_googlechat_homeserver_domain: 'user'}
+ | combine({matrix_admin: 'admin'} if matrix_admin else {})
+ }}
+
 # Database-related configuration fields.
 #
 # To use SQLite, stick to these defaults.
diff --git a/roles/matrix-bridge-mautrix-googlechat/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-googlechat/templates/config.yaml.j2
index ad86219c..a2560a9f 100644
--- a/roles/matrix-bridge-mautrix-googlechat/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mautrix-googlechat/templates/config.yaml.j2
@@ -117,11 +117,7 @@ bridge:
 # * - All Matrix users
 # domain - All users on that homeserver
 # mxid - Specific user
- permissions:
- '{{ matrix_mautrix_googlechat_homeserver_domain }}': user
- {% if matrix_admin %}
- '{{ matrix_admin }}': admin
- {% endif %}
+ permissions: {{ matrix_mautrix_googlechat_bridge_permissions|to_json }}
 # Python logging configuration.
 #
diff --git a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml
index fc467871..8b338fd7 100644
--- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml
@@ -27,6 +27,12 @@ matrix_mautrix_hangouts_appservice_address: 'http://matrix-mautrix-hangouts:8080
 matrix_mautrix_hangouts_command_prefix: "!HO"
+matrix_mautrix_hangouts_bridge_permissions: |
+ {{
+ {matrix_mautrix_hangouts_homeserver_domain: 'user'}
+ | combine({matrix_admin: 'admin'} if matrix_admin else {})
+ }}
+
 # Controls whether the matrix-mautrix-hangouts container exposes its HTTP port (tcp/8080 in the container).
 #
 # Takes an ":" or "" value (e.g. "127.0.0.1:9007"), or empty string to not expose.
diff --git a/roles/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2
index 6dca06ff..d737f3f1 100644
--- a/roles/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2
@@ -114,11 +114,7 @@ bridge:
 # * - All Matrix users
 # domain - All users on that homeserver
 # mxid - Specific user
- permissions:
- '{{ matrix_mautrix_hangouts_homeserver_domain }}': user
- {% if matrix_admin %}
- '{{ matrix_admin }}': admin
- {% endif %}
+ permissions: {{ matrix_mautrix_hangouts_bridge_permissions|to_json }}
 # Python logging configuration.
 #
diff --git a/roles/matrix-bridge-mautrix-instagram/defaults/main.yml b/roles/matrix-bridge-mautrix-instagram/defaults/main.yml
index e31f3f46..bcb6ddb1 100644
--- a/roles/matrix-bridge-mautrix-instagram/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-instagram/defaults/main.yml
@@ -25,6 +25,12 @@ matrix_mautrix_instagram_appservice_address: 'http://matrix-mautrix-instagram:29
 matrix_mautrix_instagram_command_prefix: "!ig"
+matrix_mautrix_instagram_bridge_permissions: |
+ {{
+ {matrix_mautrix_instagram_homeserver_domain: 'user'}
+ | combine({matrix_admin: 'admin'} if matrix_admin else {})
+ }}
+
 # A list of extra arguments to pass to the container
 matrix_mautrix_instagram_container_extra_arguments: []
diff --git a/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2
index 11b1d997..039b9bfe 100644
--- a/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2
@@ -185,11 +185,7 @@ bridge:
 # * - All Matrix users
 # domain - All users on that homeserver
 # mxid - Specific user
- permissions:
- "{{ matrix_mautrix_instagram_homeserver_domain }}": user
- {% if matrix_admin %}
- "{{ matrix_admin }}": admin
- {% endif %}
+ permissions: {{ matrix_mautrix_instagram_bridge_permissions|to_json }}
 # Provisioning API part of the web server for automated portal creation and fetching information.
 # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager).
 provisioning:
diff --git a/roles/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/matrix-bridge-mautrix-signal/defaults/main.yml
index 84ef38cd..161fa892 100644
--- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml
@@ -103,12 +103,14 @@ matrix_mautrix_signal_relaybot_enabled: false
 # * - All Matrix users
 # domain - All users on that homeserver
 # mxid - Specific user
+#
+# This variable used to contain a YAML string, but now needs to contain a hashmap/dictionary.
 matrix_mautrix_signal_bridge_permissions: |
- '*': relay
- '{{ matrix_mautrix_signal_homeserver_domain }}': user
- {% if matrix_admin %}
- "{{ matrix_admin }}": admin
- {% endif %}
+ {{
+ {'*': 'relay'}
+ | combine({matrix_mautrix_signal_homeserver_domain: 'user'})
+ | combine({matrix_admin: 'admin'} if matrix_admin else {})
+ }}
 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
diff --git a/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml b/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml
index 01a02c2f..ea2c1c43 100644
--- a/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml
+++ b/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml
@@ -11,6 +11,15 @@
 - "matrix_mautrix_signal_homeserver_token"
 - "matrix_mautrix_signal_appservice_token"
+- name: (Deprecation) Fail if matrix_mautrix_signal_bridge_permissions specified as YAML string, instead of a dictionary
+ ansible.builtin.fail:
+ msg: >-
+ The `matrix_mautrix_signal_bridge_permissions` variable in your configuration is specified as a YAML string.
+ The playbook now expects a hashmap/dictionary in this variable.
+ Change your configuration like this:
+ matrix_mautrix_signal_bridge_permissions: {{ matrix_mautrix_signal_bridge_permissions | from_yaml | to_json }}
+ when: "matrix_mautrix_signal_bridge_permissions is string"
+
 - name: (Deprecation) Catch and report renamed Signal variables
 ansible.builtin.fail:
 msg: >-
diff --git a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2
index f0644ee2..796a6e41 100644
--- a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2
@@ -223,8 +223,7 @@ bridge:
 # * - All Matrix users
 # domain - All users on that homeserver
 # mxid - Specific user
- permissions:
- {{ matrix_mautrix_signal_bridge_permissions|from_yaml }}
+ permissions: {{ matrix_mautrix_signal_bridge_permissions|to_json }}
 relay:
 # Whether or not relay mode should be allowed. If allowed, `!signal set-relay` can be used to turn any
diff --git a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml
index 2ac9fe04..101889c1 100644
--- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml
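Review bot: The `when: "matrix_mautrix_signal_bridge_permissions is string"` guard in the new validate_config.yml task only catches the string case, so a list or any other non-mapping value still reaches config.yaml.j2, where `|to_json` renders it verbatim under `permissions:` and the bridge starts with a broken authorization map. The templated quick-fix in `msg` is also fragile: if the user's string is not valid YAML, `from_yaml` will most likely fail while the message itself is rendered, and the deprecation hint is replaced by a templating error. A second task with a plain message and `when: "matrix_mautrix_signal_bridge_permissions is not mapping"` closes that gap, and the same task would serve the other bridges' new `*_bridge_permissions` variables (beeper-linkedin, go-skype, facebook, googlechat, hangouts, instagram, telegram, twitter, whatsapp), which currently get no type check at all.
```yaml
# … unchanged: string-deprecation task above …
- name: Fail if matrix_mautrix_signal_bridge_permissions is not a dictionary
  ansible.builtin.fail:
    msg: The `matrix_mautrix_signal_bridge_permissions` variable must be a hashmap/dictionary (keys are '*', a homeserver domain or a full mxid).
  when: "matrix_mautrix_signal_bridge_permissions is not mapping"
```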
@@ -27,6 +27,12 @@ matrix_mautrix_telegram_data_path: "{{ matrix_mautrix_telegram_base_path }}/data
 matrix_mautrix_telegram_command_prefix: "!tg"
+matrix_mautrix_telegram_bridge_permissions: |
+ {{
+ {matrix_mautrix_telegram_homeserver_domain: 'user'}
+ | combine({matrix_admin: 'admin'} if matrix_admin else {})
+ }}
+
 # Get your own API keys at https://my.telegram.org/apps
 matrix_mautrix_telegram_api_id: ''
 matrix_mautrix_telegram_api_hash: ''
diff --git a/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2
index 19bacbde..3a7ab7f1 100644
--- a/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2
@@ -289,11 +289,7 @@ bridge:
 # * - All Matrix users
 # domain - All users on that homeserver
 # mxid - Specific user
- permissions:
- '{{ matrix_mautrix_telegram_homeserver_domain }}': full
- {% if matrix_admin %}
- '{{ matrix_admin }}': admin
- {% endif %}
+ permissions: {{ matrix_mautrix_telegram_bridge_permissions|to_json }}
 # Options related to the message relay Telegram bot.
 relaybot:
diff --git a/roles/matrix-bridge-mautrix-twitter/defaults/main.yml b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml
index 512195cb..29999c45 100644
--- a/roles/matrix-bridge-mautrix-twitter/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml
@@ -25,6 +25,12 @@ matrix_mautrix_twitter_appservice_address: 'http://matrix-mautrix-twitter:29327'
 matrix_mautrix_twitter_command_prefix: "!tw"
+matrix_mautrix_twitter_bridge_permissions: |
+ {{
+ {matrix_mautrix_twitter_homeserver_domain: 'user'}
+ | combine({matrix_admin: 'admin'} if matrix_admin else {})
+ }}
+
 # A list of extra arguments to pass to the container
 matrix_mautrix_twitter_container_extra_arguments: []
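Review bot: The new `matrix_mautrix_telegram_bridge_permissions` default grants the homeserver domain `'user'`, but the template line it replaces in the config.yaml.j2 hunk right below granted `full`, so every local user is silently downgraded even though the commit message promises backward compatibility for all bridges except mautrix-signal. If I recall mautrix-telegram's permission ladder correctly, `user` sits below `puppeting` and `full`, which would take Telegram login away from existing users on the next deploy. Keeping the old level means changing the default to `{matrix_mautrix_telegram_homeserver_domain: 'full'}`; if the downgrade is intentional, it should be called out in the commit message and the changelog instead.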
diff --git a/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2
index b59864f1..da823d1e 100644
--- a/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2
@@ -173,11 +173,7 @@ bridge:
 # * - All Matrix users
 # domain - All users on that homeserver
 # mxid - Specific user
- permissions:
- '{{ matrix_mautrix_twitter_homeserver_domain }}': user
- {% if matrix_admin %}
- '{{ matrix_admin }}': admin
- {% endif %}
+ permissions: {{ matrix_mautrix_twitter_bridge_permissions|to_json }}
 # Python logging configuration.
diff --git a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml
index 7a511651..ed13bbd0 100644
--- a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml
@@ -90,6 +90,17 @@ matrix_mautrix_whatsapp_bridge_login_shared_secret_map:
 matrix_mautrix_whatsapp_bridge_double_puppet_server_map: "{{ matrix_mautrix_whatsapp_homeserver_domain : matrix_mautrix_whatsapp_homeserver_address }}"
+# Enable End-to-bridge encryption
+matrix_mautrix_whatsapp_bridge_encryption_allow: false
+matrix_mautrix_whatsapp_bridge_encryption_default: "{{ matrix_mautrix_whatsapp_bridge_encryption_allow }}"
+matrix_mautrix_whatsapp_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_whatsapp_bridge_encryption_allow }}"
+
+matrix_mautrix_whatsapp_bridge_permissions: |
+ {{
+ {matrix_mautrix_whatsapp_homeserver_domain: 'user'}
+ | combine({matrix_admin: 'admin'} if matrix_admin else {})
+ }}
+
 # Default mautrix-whatsapp configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #
@@ -130,7 +141,3 @@ matrix_mautrix_whatsapp_registration_yaml: |
 matrix_mautrix_whatsapp_registration: "{{ matrix_mautrix_whatsapp_registration_yaml | from_yaml }}"
-# Enable End-to-bridge encryption
-matrix_mautrix_whatsapp_bridge_encryption_allow: false
-matrix_mautrix_whatsapp_bridge_encryption_default: "{{ matrix_mautrix_whatsapp_bridge_encryption_allow }}"
-matrix_mautrix_whatsapp_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_whatsapp_bridge_encryption_allow }}"
diff --git a/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2 b/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2
index 8e0e300b..fab8d964 100644
--- a/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2
@@ -368,11 +368,7 @@ bridge:
 # * - All Matrix users
 # domain - All users on that homeserver
 # mxid - Specific user
- permissions:
- "{{ matrix_mautrix_whatsapp_homeserver_domain }}": user
- {% if matrix_admin %}
- "{{ matrix_admin }}": admin
- {% endif %}
+ permissions: {{ matrix_mautrix_whatsapp_bridge_permissions|to_json }}
 # Settings for relay mode
 relay: