5cf2cf92
Verified
Commit
5cf2cf92
authored
Feb 03, 2021
by
Jan Alexander Steffens (heftig)
matrix: Deploy Mjolnir to combat abuse
parent
3aa962e8
Changes
8
group_vars/all/vault_matrix.yml
roles/matrix/files/mjolnir.service
0 → 100644
[Unit]
Description
=
Mjolnir Matrix moderation tool
Wants
=
synapse.service pantalaimon.service
After
=
network.target synapse.service pantalaimon.service
[Service]
User
=
synapse
WorkingDirectory
=
/var/lib/synapse/mjolnir
Environment
=
NODE_ENV=production
Environment
=
NODE_CONFIG_DIR=/etc/synapse/mjolnir
ExecStart
=
/usr/bin/node lib/index.js
[Install]
WantedBy
=
multi-user.target
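Review bot: The [Service] section runs node as `synapse` out of a checkout that the same user writes to during `yarn install`/`yarn build`, with no sandboxing directives and no `Restart=` policy, so a crash of the bot leaves the moderation tooling down until someone notices. Adding `Restart=on-failure` together with a small hardening set (`NoNewPrivileges=`, `PrivateTmp=`, `ProtectSystem=strict` plus `ReadWritePaths=` for the bot's data directory, which this commit sets to `/var/lib/synapse/mjolnir-data` in mjolnir.yaml.j2) limits the unit to what the bot actually needs; the exact `ReadWritePaths=` list should be confirmed against what the bot writes at runtime. pantalaimon.service in this commit has the same gap, with `/var/lib/synapse/pantalaimon-data` as its writable path.
```ini
[Service]
# … unchanged: User=, WorkingDirectory=, Environment=, ExecStart= …
Restart=on-failure
RestartSec=5
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/lib/synapse/mjolnir-data
```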
roles/matrix/files/pantalaimon.service
0 → 100644
[Unit]
Description
=
Pantalaimon E2E Matrix reverse proxy
Wants
=
synapse.service
After
=
network.target synapse.service
[Service]
User
=
synapse
WorkingDirectory
=
~
ExecStart
=
/var/lib/synapse/venv/bin/pantalaimon
\
-c /etc/synapse/pantalaimon.conf
\
--data-path /var/lib/synapse/pantalaimon-data
[Install]
WantedBy=default.target
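Review bot: `WantedBy=default.target` differs from the `multi-user.target` used by mjolnir.service in the same commit, and the enable tasks in tasks/main.yml treat the two units identically, so the install hooks should match: `WantedBy=multi-user.target`. On a server default.target normally resolves to multi-user.target, so this is a consistency point rather than a functional one. The unit also has no `Restart=` directive, and pantalaimon is Mjolnir's only path to the homeserver, so `Restart=on-failure` under [Service] is worth adding.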
roles/matrix/handlers/main.yml
---
-
name
:
restart
turnserver
-
name
:
restart
synapse
systemd
:
name
:
turnserver
name
:
synapse
state
:
restarted
enabled
:
yes
daemon_reload
:
yes
-
name
:
restart
synapse
-
name
:
restart
pantalaimon
systemd
:
name
:
synapse
name
:
pantalaimon
state
:
restarted
enabled
:
yes
daemon_reload
:
yes
-
name
:
restart mjolnir
systemd
:
name
:
mjolnir
state
:
restarted
enabled
:
yes
daemon_reload
:
yes
...
...
@@ -20,3 +27,10 @@
state
:
restarted
enabled
:
yes
daemon_reload
:
yes
-
name
:
restart turnserver
systemd
:
name
:
turnserver
state
:
restarted
enabled
:
yes
daemon_reload
:
yes
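Review bot: The new handlers spell booleans as `yes` (`enabled: yes`, `daemon_reload: yes`) while tasks/main.yml in the same commit uses both `become: yes` and, in the `build mjolnir` task, `become: true`. Ansible accepts all of these, but `yes` is a YAML 1.1-only truthy that yamllint's `truthy` rule flags, and the mix leaves the role with no single convention. Prefer `true`/`false` throughout, e.g. `enabled: true` and `daemon_reload: true`, in the new handlers and in the new tasks. The side-by-side rendering here is heavily tokenised, so the exact old/new assignment of the reordered handler lines is inferred.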
roles/matrix/tasks/main.yml
...
...
@@ -17,6 +17,7 @@
-
jemalloc
-
libffi
-
libjpeg-turbo
-
libolm
-
libtiff
-
libwebp
-
libxslt
...
...
@@ -31,6 +32,7 @@
-
redis
-
tcl
-
tk
-
yarn
-
zlib
-
name
:
add synapse group
...
...
@@ -44,6 +46,34 @@
with_items
:
-
/var/lib/synapse
-
/var/lib/synapse/media_store
-
/var/lib/synapse/mjolnir-data
-
/var/lib/synapse/pantalaimon-data
-
name
:
download mjolnir
git
:
repo
:
https://github.com/matrix-org/mjolnir
dest
:
/var/lib/synapse/mjolnir
version
:
v0.1.16
become
:
yes
become_user
:
synapse
become_method
:
sudo
notify
:
-
restart mjolnir
-
name
:
install mjolnir
community.general.yarn
:
path
:
/var/lib/synapse/mjolnir
become
:
yes
become_user
:
synapse
become_method
:
sudo
-
name
:
build mjolnir
command
:
yarn build
args
:
chdir
:
/var/lib/synapse/mjolnir
become
:
true
become_user
:
synapse
become_method
:
sudo
-
name
:
make virtualenv
command
:
python -m venv /var/lib/synapse/venv
...
...
@@ -53,10 +83,12 @@
become_user
:
synapse
become_method
:
sudo
-
name
:
install
synapse
-
name
:
install
python packages
pip
:
name
:
-
'
matrix-synapse[postgres,systemd,url_preview,redis]'
-
'
matrix-synapse[postgres,systemd,url_preview,redis]==1.26.0'
-
'
pantalaimon==0.9.1'
-
/var/lib/synapse/mjolnir/synapse_antispam
-
pip
state
:
latest
extra_args
:
'
-U
--upgrade-strategy=eager'
...
...
@@ -66,12 +98,13 @@
become_method
:
sudo
notify
:
-
restart synapse
-
restart pantalaimon
-
name
:
download matrix-appservice-irc
git
:
repo
:
https://github.com/matrix-org/matrix-appservice-irc
dest
:
/var/lib/synapse/matrix-appservice-irc
version
:
master
version
:
0.23.0
become
:
yes
become_user
:
synapse
become_method
:
sudo
...
...
@@ -84,8 +117,6 @@
become
:
yes
become_user
:
synapse
become_method
:
sudo
notify
:
-
restart matrix-appservice-irc
-
name
:
install pg_hba.conf
copy
:
src=pg_hba.conf dest=/var/lib/postgres/data/pg_hba.conf owner=postgres group=postgres mode=0600
...
...
@@ -111,7 +142,10 @@
become_method
:
su
-
name
:
create synapse config dir
file
:
state=directory path=/etc/synapse owner=root group=synapse mode=0750
file
:
path={{ item }} state=directory owner=root group=synapse mode=0750
with_items
:
-
/etc/synapse
-
/etc/synapse/mjolnir
-
name
:
install homeserver config
template
:
src=homeserver.yaml.j2 dest=/etc/synapse/homeserver.yaml owner=root group=synapse mode=0640
...
...
@@ -129,6 +163,16 @@
notify
:
-
restart synapse
-
name
:
install pantalaimon config
template
:
src=pantalaimon.conf.j2 dest=/etc/synapse/pantalaimon.conf owner=root group=synapse mode=0644
notify
:
-
restart pantalaimon
-
name
:
install mjolnir config
template
:
src=mjolnir.yaml.j2 dest=/etc/synapse/mjolnir/production.yaml owner=root group=synapse mode=0640
notify
:
-
restart mjolnir
-
name
:
install irc-bridge config
template
:
src=irc-bridge.yaml.j2 dest=/etc/synapse/irc-bridge.yaml owner=root group=synapse mode=0640
notify
:
...
...
@@ -181,6 +225,20 @@
notify
:
-
restart synapse
-
name
:
install pantalaimon units
copy
:
src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items
:
-
pantalaimon.service
notify
:
-
restart pantalaimon
-
name
:
install mjolnir units
copy
:
src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items
:
-
mjolnir.service
notify
:
-
restart mjolnir
-
name
:
install matrix-appservice-irc units
copy
:
src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items
:
...
...
@@ -206,19 +264,25 @@
notify
:
-
restart synapse
-
name
:
enable pantalaimon units
service
:
name={{ item }} enabled=yes
with_items
:
-
pantalaimon.service
-
name
:
enable mjolnir units
service
:
name={{ item }} enabled=yes
with_items
:
-
mjolnir.service
-
name
:
enable matrix-appservice-irc units
service
:
name={{ item }} enabled=yes
with_items
:
-
matrix-appservice-irc.service
notify
:
-
restart matrix-appservice-irc
-
name
:
enable turnserver units
service
:
name={{ item }} enabled=yes
with_items
:
-
turnserver.service
notify
:
-
restart turnserver
-
name
:
open firewall holes
ansible.posix.firewalld
:
port={{ item }} permanent=true state=enabled immediate=yes
...
...
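Review bot: `download mjolnir` pins `version: v0.1.16`, but a git tag is a mutable reference, so the code that ends up inside the homeserver process (the `/var/lib/synapse/mjolnir/synapse_antispam` module installed by `install python packages` and loaded via `spam_checker`) and in the bot is whatever the tag points to at play time; pinning `version:` to the commit hash the tag currently resolves to gives the reproducibility a pin is meant to provide. In the same `@@ -44,6 +46,34 @@` hunk, `build mjolnir` runs `yarn build` through `command:` on every play, so it always reports changed and rebuilds even when nothing new was fetched; registering the git task (`register: mjolnir_git`) and guarding the build with `when: mjolnir_git.changed` makes the sequence idempotent, at the cost that a failed build needs a manual rerun, which is worth a short comment on the task.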
roles/matrix/templates/homeserver.yaml.j2
...
...
@@ -829,9 +829,9 @@ worker_log_config: "/etc/synapse/log_config.yaml"
#
# The defaults are as shown below.
#
#
rc_message:
#
per_second: 0.
2
#
burst_count:
1
0
rc_message
:
per_second
:
0.
5
burst_count
:
2
0
#
#rc_registration:
# per_second: 0.17
...
...
@@ -1374,7 +1374,7 @@ autocreate_auto_join_rooms: false
# Note that, if the room already exists, this user must be joined and
# have the appropriate permissions to invite new members.
#
auto_join_mxid_localpart
:
heftig
auto_join_mxid_localpart
:
mjolnir
# When auto_join_rooms is specified, setting this flag to false prevents
# guest accounts from being automatically joined to the rooms.
...
...
@@ -2734,3 +2734,24 @@ redis:
# Optional password if configured on the Redis instance
#
#password: <secret_password>
spam_checker
:
module
:
mjolnir.AntiSpam
config
:
# Prevent servers/users in the ban lists from inviting users on this
# server to rooms. Default true.
block_invites
:
true
# Flag messages sent by servers/users in the ban lists as spam. Currently
# this means that spammy messages will appear as empty to users. Default
# false.
block_messages
:
false
# Remove users from the user directory search by filtering matrix IDs and
# display names by the entries in the user ban list. Default false.
block_usernames
:
false
# The room IDs of the ban lists to honour. Unlike other parts of Mjolnir,
# this list cannot be room aliases or permalinks. This server is expected
# to already be joined to the room - Mjolnir will not automatically join
# these rooms.
ban_lists
:
-
"
!WuBtumawCeOGEieRrp:matrix.org"
# #matrix-org-coc-bl:matrix.org
-
"
!tUPwPPmVTaiKXMiijj:matrix.org"
# #matrix-org-hs-tos-bl:matrix.org
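Review bot: The `rc_message` hunk raises the global per-user message rate limit from the commented defaults (`per_second: 0.2`, `burst_count: 10`) to `0.5`/`20`, which loosens anti-flood protection for every account on the homeserver in a commit whose stated purpose is to combat abuse. If the motivation is to keep the Mjolnir bot from being throttled while it redacts and bans, a per-user rate-limit override for the bot account is the narrower change (Synapse keeps these in its `ratelimit_override` table; later releases expose it through the admin API). At minimum the template should record why the value departs from the default, e.g. `# raised above the 0.2/10 defaults so moderation tooling is not throttled — revisit once Mjolnir has a per-user override`.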
roles/matrix/templates/mjolnir.yaml.j2
0 → 100644
# Where the homeserver is located (client-server URL). This should point at
# pantalaimon if you're using that.
homeserverUrl: "http://127.0.0.1:8009"
# The access token for the bot to use. Do not populate if using Pantalaimon.
accessToken: ""
# Pantalaimon options (https://github.com/matrix-org/pantalaimon)
pantalaimon:
# If true, accessToken above is ignored and the username/password below will be
# used instead. The access token of the bot will be stored in the dataPath.
use: true
# The username to login with.
username: mjolnir
# The password to login with. Can be removed after the bot has logged in once and
# stored the access token.
password: "{{ vault_matrix_secrets.mjolnir_user_password }}"
# The directory the bot should store various bits of information in
dataPath: "/var/lib/synapse/mjolnir-data"
# If true (the default), only users in the `managementRoom` can invite the bot
# to new rooms.
autojoinOnlyIfManager: true
# If `autojoinOnlyIfManager` is false, only the members in this group can invite
# the bot to new rooms.
acceptInvitesFromGroup: "+archlinux:archlinux.org"
# If the bot is invited to a room and it won't accept the invite (due to the
# conditions above), report it to the management room. Defaults to disabled (no
# reporting).
recordIgnoredInvites: true
# The room ID where people can use the bot. The bot has no access controls, so
# anyone in this room can use the bot - secure your room!
# This should be a room alias or room ID - not a matrix.to URL.
# Note: Mjolnir is fairly verbose - expect a lot of messages from it.
managementRoom: "#mjolnir:archlinux.org"
# Set to false to make the management room a bit quieter.
verboseLogging: true
# The log level for the logs themselves. One of DEBUG, INFO, WARN, and ERROR.
# This should be at INFO or DEBUG in order to get support for Mjolnir problems.
logLevel: "INFO"
# Set to false to disable synchronizing the ban lists on startup. If true, this
# is the same as running !mjolnir sync immediately after startup.
syncOnStartup: true
# Set to false to prevent Mjolnir from checking its permissions on startup. This
# is recommended to be left as "true" to catch room permission problems (state
# resets, etc) before Mjolnir is needed.
verifyPermissionsOnStartup: true
# If true, Mjolnir won't actually ban users or apply server ACLs, but will
# think it has. This is useful to see what it does in a scenario where the
# bot might not be trusted fully, yet. Default false (do bans/ACLs).
noop: false
# Set to true to use /joined_members instead of /state to figure out who is
# in the room. Using /state is preferred because it means that users are
# banned when they are invited instead of just when they join, though if your
# server struggles with /state requests then set this to true.
fasterMembershipChecks: false
# A case-insensitive list of ban reasons to automatically redact a user's
# messages for. Typically this is useful to avoid having to type two commands
# to the bot. Use asterisks to represent globs (ie: "spam*testing" would match
# "spam for testing" as well as "spamtesting").
automaticallyRedactForReasons:
- "spam"
- "advertising"
# A list of rooms to protect (matrix.to URLs)
protectedRooms:
- "https://matrix.to/#/#archlinux:archlinux.org"
# Set this option to true to protect every room the bot is joined to. Note that
# this effectively makes the protectedRooms and associated commands useless because
# the bot by nature must be joined to the room to protect it.
#
# Note: the management room is *excluded* from this condition. Add it to the
# protected rooms to protect it.
#
# Note: ban list rooms the bot is watching but didn't create will not be protected.
# Manually add these rooms to the protected rooms list if you want them protected.
protectAllJoinedRooms: false
# Misc options for command handling and commands
commands:
# If true, Mjolnir will respond to commands like !help and !ban instead of
# requiring a prefix. This is useful if Mjolnir is the only bot running in
# your management room.
#
# Note that Mjolnir can be pinged by display name instead of having to use
# the !mjolnir prefix. For example, "my_moderator_bot: ban @spammer:example.org"
# will ban a user.
allowNoPrefix: true
# In addition to the bot's display name, !mjolnir, and optionally no prefix
# above, the bot will respond to these names. The items here can be used either
# as display names or prefixed with exclamation points.
additionalPrefixes: []
# Configuration specific to certain toggleable protections
protections:
# Configuration for the wordlist plugin, which can ban users based if they say certain
# blocked words shortly after joining.
wordlist:
# A list of words which should be monitored by the bot. These will match if any part
# of the word is present in the message in any case. e.g. "hello" also matches
# "HEllO". Additionally, regular expressions can be used.
words: []
# How long after a user joins the server should the bot monitor their messages. After
# this time, users can say words from the wordlist without being banned automatically.
# Set to zero to disable (users will always be banned if they say a bad word)
minutesBeforeTrusting: 20
# Options for monitoring the health of the bot
health:
# healthz options. These options are best for use in container environments
# like Kubernetes to detect how healthy the service is. The bot will report
# that it is unhealthy until it is able to process user requests. Typically
# this means that it'll flag itself as unhealthy for a number of minutes
# before saying "Now monitoring rooms" and flagging itself healthy.
#
# Health is flagged through HTTP status codes, defined below.
healthz:
# Whether the healthz integration should be enabled (default false)
enabled: false
# The port to expose the webserver on. Defaults to 8080.
port: 8080
# The address to listen for requests on. Defaults to all addresses.
address: "0.0.0.0"
# The path to expose the monitoring endpoint at. Defaults to `/healthz`
endpoint: "/healthz"
# The HTTP status code which reports that the bot is healthy/ready to
# process requests. Typically this should not be changed. Defaults to
# 200.
healthyStatus: 200
# The HTTP status code which reports that the bot is not healthy/ready.
# Defaults to 418.
unhealthyStatus: 418
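Review bot: `health.healthz.address` is `"0.0.0.0"` while `enabled` is `false`, so the setting is dormant now, but the moment someone flips `enabled: true` the unauthenticated health endpoint binds every interface on port 8080, and nothing visible in this commit fronts or restricts it (the `open firewall holes` task's port list is outside the hunks shown). Setting `address: "127.0.0.1"` now, matching pantalaimon's `ListenAddress = 127.0.0.1`, makes a later enable safe by default. A one-line comment next to `enabled` noting that the address must be reconsidered before enabling would also do.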
roles/matrix/templates/pantalaimon.conf.j2
0 → 100644
[Default]
LogLevel = Info
Notifications = Off
[local-archlinux]
Homeserver = https://{{ matrix_domain }}
ListenAddress = 127.0.0.1
ListenPort = 8009
UseKeyring = No
IgnoreVerification = True
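Review bot: `IgnoreVerification = True` and `UseKeyring = No` are deliberate trust decisions for an unattended bot — the proxy will decrypt and forward events from devices nobody has verified, and with no keyring the bot's credentials presumably end up on disk under the `--data-path /var/lib/synapse/pantalaimon-data` directory created in tasks/main.yml — but the template does not say so, and a future reader may take the first as an oversight. A comment above each records the reasoning, e.g. `# unattended moderation bot: accept unverified devices; verification would block on human interaction` and `# no desktop keyring on a server; the token is kept in the data path and protected by file ownership`. Confirming that the data path is created with the same `owner`/`mode` discipline as the other synapse directories would complete the picture, but that task's attributes are outside the hunks shown.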