matrix: Deploy Mjolnir to combat abuse

5cf2cf92 · Jan Alexander Steffens (heftig) · 3aa962e8 · 5cf2cf92 · 5cf2cf92 · 5cf2cf92
Verified Commit 5cf2cf92 authored Feb 03, 2021 by Jan Alexander Steffens (heftig)
--- a/group_vars/all/vault_matrix.yml
+++ b/group_vars/all/vault_matrix.yml
--- a/roles/matrix/files/mjolnir.service
+++ b/roles/matrix/files/mjolnir.service
+[Unit]
+Description=Mjolnir Matrix moderation tool
+Wants=synapse.service pantalaimon.service
+After=network.target synapse.service pantalaimon.service
+
+[Service]
+User=synapse
+WorkingDirectory=/var/lib/synapse/mjolnir
+Environment=NODE_ENV=production
+Environment=NODE_CONFIG_DIR=/etc/synapse/mjolnir
+ExecStart=/usr/bin/node lib/index.js
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/matrix/files/pantalaimon.service
+++ b/roles/matrix/files/pantalaimon.service
+[Unit]
+Description=Pantalaimon E2E Matrix reverse proxy
+Wants=synapse.service
+After=network.target synapse.service
+
+[Service]
+User=synapse
+WorkingDirectory=~
+ExecStart=/var/lib/synapse/venv/bin/pantalaimon \
+  -c /etc/synapse/pantalaimon.conf \
+  --data-path /var/lib/synapse/pantalaimon-data
+
+[Install]
+WantedBy=default.target
--- a/roles/matrix/handlers/main.yml
+++ b/roles/matrix/handlers/main.yml
 ---

- name: restart turnserver
+- name: restart synapse
  systemd:
-    name: turnserver
+    name: synapse
    state: restarted
    enabled: yes
    daemon_reload: yes

- name: restart synapse
+- name: restart pantalaimon
  systemd:
-    name: synapse
+    name: pantalaimon
+    state: restarted
+    enabled: yes
+    daemon_reload: yes
+
+- name: restart mjolnir
+  systemd:
+    name: mjolnir
    state: restarted
    enabled: yes
    daemon_reload: yes
@@ -20,3 +27,10 @@
    state: restarted
    enabled: yes
    daemon_reload: yes
+
+- name: restart turnserver
+  systemd:
+    name: turnserver
+    state: restarted
+    enabled: yes
+    daemon_reload: yes
--- a/roles/matrix/tasks/main.yml
+++ b/roles/matrix/tasks/main.yml
@@ -17,6 +17,7 @@
      - jemalloc
      - libffi
      - libjpeg-turbo
+      - libolm
      - libtiff
      - libwebp
      - libxslt
@@ -31,6 +32,7 @@
      - redis
      - tcl
      - tk
+      - yarn
      - zlib

 - name: add synapse group
@@ -44,6 +46,34 @@
  with_items:
    - /var/lib/synapse
    - /var/lib/synapse/media_store
+    - /var/lib/synapse/mjolnir-data
+    - /var/lib/synapse/pantalaimon-data
+
+- name: download mjolnir
+  git:
+    repo: https://github.com/matrix-org/mjolnir
+    dest: /var/lib/synapse/mjolnir
+    version: v0.1.16
+  become: yes
+  become_user: synapse
+  become_method: sudo
+  notify:
+    - restart mjolnir
+
+- name: install mjolnir
+  community.general.yarn:
+    path: /var/lib/synapse/mjolnir
+  become: yes
+  become_user: synapse
+  become_method: sudo
+
+- name: build mjolnir
+  command: yarn build
+  args:
+    chdir: /var/lib/synapse/mjolnir
+  become: true
+  become_user: synapse
+  become_method: sudo

 - name: make virtualenv
  command: python -m venv /var/lib/synapse/venv
@@ -53,10 +83,12 @@
  become_user: synapse
  become_method: sudo

- name: install synapse
+- name: install python packages
  pip:
    name:
-      - 'matrix-synapse[postgres,systemd,url_preview,redis]'
+      - 'matrix-synapse[postgres,systemd,url_preview,redis]==1.26.0'
+      - 'pantalaimon==0.9.1'
+      - /var/lib/synapse/mjolnir/synapse_antispam
      - pip
    state: latest
    extra_args: '-U --upgrade-strategy=eager'
@@ -66,12 +98,13 @@
  become_method: sudo
  notify:
    - restart synapse
+    - restart pantalaimon

 - name: download matrix-appservice-irc
  git:
    repo: https://github.com/matrix-org/matrix-appservice-irc
    dest: /var/lib/synapse/matrix-appservice-irc
-    version: master
+    version: 0.23.0
  become: yes
  become_user: synapse
  become_method: sudo
@@ -84,8 +117,6 @@
  become: yes
  become_user: synapse
  become_method: sudo
-  notify:
-    - restart matrix-appservice-irc

 - name: install pg_hba.conf
  copy: src=pg_hba.conf dest=/var/lib/postgres/data/pg_hba.conf owner=postgres group=postgres mode=0600
@@ -111,7 +142,10 @@
  become_method: su

 - name: create synapse config dir
-  file: state=directory path=/etc/synapse owner=root group=synapse mode=0750
+  file: path={{ item }} state=directory owner=root group=synapse mode=0750
+  with_items:
+    - /etc/synapse
+    - /etc/synapse/mjolnir

 - name: install homeserver config
  template: src=homeserver.yaml.j2 dest=/etc/synapse/homeserver.yaml owner=root group=synapse mode=0640
@@ -129,6 +163,16 @@
  notify:
    - restart synapse

+- name: install pantalaimon config
+  template: src=pantalaimon.conf.j2 dest=/etc/synapse/pantalaimon.conf owner=root group=synapse mode=0644
+  notify:
+    - restart pantalaimon
+
+- name: install mjolnir config
+  template: src=mjolnir.yaml.j2 dest=/etc/synapse/mjolnir/production.yaml owner=root group=synapse mode=0640
+  notify:
+    - restart mjolnir
+
 - name: install irc-bridge config
  template: src=irc-bridge.yaml.j2 dest=/etc/synapse/irc-bridge.yaml owner=root group=synapse mode=0640
  notify:
@@ -181,6 +225,20 @@
  notify:
    - restart synapse

+- name: install pantalaimon units
+  copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
+  with_items:
+    - pantalaimon.service
+  notify:
+    - restart pantalaimon
+
+- name: install mjolnir units
+  copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
+  with_items:
+    - mjolnir.service
+  notify:
+    - restart mjolnir
+
 - name: install matrix-appservice-irc units
  copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
  with_items:
@@ -206,19 +264,25 @@
  notify:
    - restart synapse

+- name: enable pantalaimon units
+  service: name={{ item }} enabled=yes
+  with_items:
+    - pantalaimon.service
+
+- name: enable mjolnir units
+  service: name={{ item }} enabled=yes
+  with_items:
+    - mjolnir.service
+
 - name: enable matrix-appservice-irc units
  service: name={{ item }} enabled=yes
  with_items:
    - matrix-appservice-irc.service
-  notify:
-    - restart matrix-appservice-irc

 - name: enable turnserver units
  service: name={{ item }} enabled=yes
  with_items:
    - turnserver.service
-  notify:
-    - restart turnserver

 - name: open firewall holes
  ansible.posix.firewalld: port={{ item }} permanent=true state=enabled immediate=yes

--- a/roles/matrix/templates/homeserver.yaml.j2
+++ b/roles/matrix/templates/homeserver.yaml.j2
@@ -829,9 +829,9 @@ worker_log_config: "/etc/synapse/log_config.yaml"
 #
 # The defaults are as shown below.
 #
-#rc_message:
-#  per_second: 0.2
-#  burst_count: 10
+rc_message:
+  per_second: 0.5
+  burst_count: 20
 #
 #rc_registration:
 #  per_second: 0.17
@@ -1374,7 +1374,7 @@ autocreate_auto_join_rooms: false
 # Note that, if the room already exists, this user must be joined and
 # have the appropriate permissions to invite new members.
 #
-auto_join_mxid_localpart: heftig
+auto_join_mxid_localpart: mjolnir

 # When auto_join_rooms is specified, setting this flag to false prevents
 # guest accounts from being automatically joined to the rooms.
@@ -2734,3 +2734,24 @@ redis:
  # Optional password if configured on the Redis instance
  #
  #password: <secret_password>
+
+spam_checker:
+  module: mjolnir.AntiSpam
+  config:
+    # Prevent servers/users in the ban lists from inviting users on this
+    # server to rooms. Default true.
+    block_invites: true
+    # Flag messages sent by servers/users in the ban lists as spam. Currently
+    # this means that spammy messages will appear as empty to users. Default
+    # false.
+    block_messages: false
+    # Remove users from the user directory search by filtering matrix IDs and
+    # display names by the entries in the user ban list. Default false.
+    block_usernames: false
+    # The room IDs of the ban lists to honour. Unlike other parts of Mjolnir,
+    # this list cannot be room aliases or permalinks. This server is expected
+    # to already be joined to the room - Mjolnir will not automatically join
+    # these rooms.
+    ban_lists:
+      - "!WuBtumawCeOGEieRrp:matrix.org"  # #matrix-org-coc-bl:matrix.org
+      - "!tUPwPPmVTaiKXMiijj:matrix.org"  # #matrix-org-hs-tos-bl:matrix.org
--- a/roles/matrix/templates/mjolnir.yaml.j2
+++ b/roles/matrix/templates/mjolnir.yaml.j2
+# Where the homeserver is located (client-server URL). This should point at
+# pantalaimon if you're using that.
+homeserverUrl: "http://127.0.0.1:8009"
+
+# The access token for the bot to use. Do not populate if using Pantalaimon.
+accessToken: ""
+
+# Pantalaimon options (https://github.com/matrix-org/pantalaimon)
+pantalaimon:
+  # If true, accessToken above is ignored and the username/password below will be
+  # used instead. The access token of the bot will be stored in the dataPath.
+  use: true
+
+  # The username to login with.
+  username: mjolnir
+
+  # The password to login with. Can be removed after the bot has logged in once and
+  # stored the access token.
+  password: "{{ vault_matrix_secrets.mjolnir_user_password }}"
+
+# The directory the bot should store various bits of information in
+dataPath: "/var/lib/synapse/mjolnir-data"
+
+# If true (the default), only users in the `managementRoom` can invite the bot
+# to new rooms.
+autojoinOnlyIfManager: true
+
+# If `autojoinOnlyIfManager` is false, only the members in this group can invite
+# the bot to new rooms.
+acceptInvitesFromGroup: "+archlinux:archlinux.org"
+
+# If the bot is invited to a room and it won't accept the invite (due to the
+# conditions above), report it to the management room. Defaults to disabled (no
+# reporting).
+recordIgnoredInvites: true
+
+# The room ID where people can use the bot. The bot has no access controls, so
+# anyone in this room can use the bot - secure your room!
+# This should be a room alias or room ID - not a matrix.to URL.
+# Note: Mjolnir is fairly verbose - expect a lot of messages from it.
+managementRoom: "#mjolnir:archlinux.org"
+
+# Set to false to make the management room a bit quieter.
+verboseLogging: true
+
+# The log level for the logs themselves. One of DEBUG, INFO, WARN, and ERROR.
+# This should be at INFO or DEBUG in order to get support for Mjolnir problems.
+logLevel: "INFO"
+
+# Set to false to disable synchronizing the ban lists on startup. If true, this
+# is the same as running !mjolnir sync immediately after startup.
+syncOnStartup: true
+
+# Set to false to prevent Mjolnir from checking its permissions on startup. This
+# is recommended to be left as "true" to catch room permission problems (state
+# resets, etc) before Mjolnir is needed.
+verifyPermissionsOnStartup: true
+
+# If true, Mjolnir won't actually ban users or apply server ACLs, but will
+# think it has. This is useful to see what it does in a scenario where the
+# bot might not be trusted fully, yet. Default false (do bans/ACLs).
+noop: false
+
+# Set to true to use /joined_members instead of /state to figure out who is
+# in the room. Using /state is preferred because it means that users are
+# banned when they are invited instead of just when they join, though if your
+# server struggles with /state requests then set this to true.
+fasterMembershipChecks: false
+
+# A case-insensitive list of ban reasons to automatically redact a user's
+# messages for. Typically this is useful to avoid having to type two commands
+# to the bot. Use asterisks to represent globs (ie: "spam*testing" would match
+# "spam for testing" as well as "spamtesting").
+automaticallyRedactForReasons:
+  - "spam"
+  - "advertising"
+
+# A list of rooms to protect (matrix.to URLs)
+protectedRooms:
+  - "https://matrix.to/#/#archlinux:archlinux.org"
+
+# Set this option to true to protect every room the bot is joined to. Note that
+# this effectively makes the protectedRooms and associated commands useless because
+# the bot by nature must be joined to the room to protect it.
+#
+# Note: the management room is *excluded* from this condition. Add it to the
+# protected rooms to protect it.
+#
+# Note: ban list rooms the bot is watching but didn't create will not be protected.
+# Manually add these rooms to the protected rooms list if you want them protected.
+protectAllJoinedRooms: false
+
+# Misc options for command handling and commands
+commands:
+  # If true, Mjolnir will respond to commands like !help and !ban instead of
+  # requiring a prefix. This is useful if Mjolnir is the only bot running in
+  # your management room.
+  #
+  # Note that Mjolnir can be pinged by display name instead of having to use
+  # the !mjolnir prefix. For example, "my_moderator_bot: ban @spammer:example.org"
+  # will ban a user.
+  allowNoPrefix: true
+
+  # In addition to the bot's display name, !mjolnir, and optionally no prefix
+  # above, the bot will respond to these names. The items here can be used either
+  # as display names or prefixed with exclamation points.
+  additionalPrefixes: []
+
+# Configuration specific to certain toggleable protections
+protections:
+  # Configuration for the wordlist plugin, which can ban users based if they say certain
+  # blocked words shortly after joining.
+  wordlist:
+    # A list of words which should be monitored by the bot.  These will match if any part
+    # of the word is present in the message in any case.  e.g. "hello" also matches
+    # "HEllO".  Additionally, regular expressions can be used.
+    words: []
+
+    # How long after a user joins the server should the bot monitor their messages.  After
+    # this time, users can say words from the wordlist without being banned automatically.
+    # Set to zero to disable (users will always be banned if they say a bad word)
+    minutesBeforeTrusting: 20
+
+# Options for monitoring the health of the bot
+health:
+  # healthz options. These options are best for use in container environments
+  # like Kubernetes to detect how healthy the service is. The bot will report
+  # that it is unhealthy until it is able to process user requests. Typically
+  # this means that it'll flag itself as unhealthy for a number of minutes
+  # before saying "Now monitoring rooms" and flagging itself healthy.
+  #
+  # Health is flagged through HTTP status codes, defined below.
+  healthz:
+    # Whether the healthz integration should be enabled (default false)
+    enabled: false
+
+    # The port to expose the webserver on. Defaults to 8080.
+    port: 8080
+
+    # The address to listen for requests on. Defaults to all addresses.
+    address: "0.0.0.0"
+
+    # The path to expose the monitoring endpoint at. Defaults to `/healthz`
+    endpoint: "/healthz"
+
+    # The HTTP status code which reports that the bot is healthy/ready to
+    # process requests. Typically this should not be changed. Defaults to
+    # 200.
+    healthyStatus: 200
+
+    # The HTTP status code which reports that the bot is not healthy/ready.
+    # Defaults to 418.
+    unhealthyStatus: 418
--- a/roles/matrix/templates/pantalaimon.conf.j2
+++ b/roles/matrix/templates/pantalaimon.conf.j2
+[Default]
+LogLevel = Info
+Notifications = Off
+
+[local-archlinux]
+Homeserver = https://{{ matrix_domain }}
+ListenAddress = 127.0.0.1
+ListenPort = 8009
+UseKeyring = No
+IgnoreVerification = True