From 5cf2cf92e40161afa99633f5997256a01bbd5573 Mon Sep 17 00:00:00 2001
From: "Jan Alexander Steffens (heftig)" <heftig@archlinux.org>
Date: Wed, 3 Feb 2021 20:27:27 +0100
Subject: [PATCH] matrix: Deploy Mjolnir to combat abuse

---
 group_vars/all/vault_matrix.yml            | 342 +++++++++++----------
 roles/matrix/files/mjolnir.service         |  14 +
 roles/matrix/files/pantalaimon.service     |  14 +
 roles/matrix/handlers/main.yml             |  22 +-
 roles/matrix/tasks/main.yml                |  84 ++++-
 roles/matrix/templates/homeserver.yaml.j2  |  29 +-
 roles/matrix/templates/mjolnir.yaml.j2     | 153 +++++++++
 roles/matrix/templates/pantalaimon.conf.j2 |  10 +
 8 files changed, 481 insertions(+), 187 deletions(-)
 create mode 100644 roles/matrix/files/mjolnir.service
 create mode 100644 roles/matrix/files/pantalaimon.service
 create mode 100644 roles/matrix/templates/mjolnir.yaml.j2
 create mode 100644 roles/matrix/templates/pantalaimon.conf.j2

diff --git a/group_vars/all/vault_matrix.yml b/group_vars/all/vault_matrix.yml
index 7d9c24e17..89454d820 100644
--- a/group_vars/all/vault_matrix.yml
+++ b/group_vars/all/vault_matrix.yml
@@ -1,170 +1,174 @@
 $ANSIBLE_VAULT;1.1;AES256
-32386539306634376465616333663561626139633633343135326565383361653335613039643035
-6235623665343434623435333564623266333864346666650a636337666339346261333561353238
-33383830633339343230623266353038323938316639333663326535613038316264383237613136
-3738653932303864610a363830393030663838356263623363613066316464386337316139616430
-30656465373836646436323734633739653264383235373733643139356661633439653433373761
-33393130643037633965626435393062336232373039306632363039613331323064336630373435
-36333264363633343565333861373036613134366436306665643036306636333436353730653232
-64373031313135666330363261303335343134383239656130653234653531313535313162376432
-36376435356263393437653661323964393261396165306334313536613538363563333333653661
-35303638306633303630373733323861633636396562653432643533303461646439393635643064
-63336330616331323665663665353566663430643161396463386639633837396662323662623030
-33353237336337646365643132393231653530373964326538383161646632643438363630356432
-38616461363530613035666236363336663635336232333334643565343936383939343961653963
-34356238373930626530633732323064386637313633653433313766306433646265343337373863
-63626230653165363330626631623663613065386262313763646137343363383239616233613264
-39306138323336346566383366616365393736323934326534333565323437356131373162306331
-36323862333265376239626435613365663634333934316361396563656165663935623861363663
-39643131323437323733373964646338346561383534326332373865373964653734326336373635
-36336462313964643331613935333163633735616633383561643262383030663336343037373364
-35316430306266626137343934613337313734633438383765383534363463363733306365363239
-33613730643934663766356636356231343863623138306136613963336136383735353735656134
-39386165373134656238656466636262316266646364313533353965353034653539336630643465
-63326336623438613365373665623930303265623235663539663966336439343463396566386438
-39363637663466636439653763313366356332326436323665333138343861336335346437353733
-63313861373933626533336438663362396262646338633264313662383439393562396265643637
-63366632336230613036643032343930626364663561316562343736646466326164363864303362
-66653966393633383865313531666438303764626666616562623730656539643038356263633337
-65376631363234323633363239303861373633636236646634326431363637373936653035393336
-63323538663135623265613339386566393362353233353062346536353563643331353735626339
-31643438383562623933623361366563326462666461363165366365613166383162366433313166
-35643634353232396165326133316438366431356130323837613164306464326534623736613239
-36623563346534636234373365333533643331633038343039353534643430613831326665643137
-31376237613765396339666461633038306436653763353562396531326137373736356638303836
-34316432313233393563656335343162323537383434313364653338366339316433336132616239
-38626664373064643235656462363064633766633865303162656562373635663233376563646330
-62663064626262346331393431666265343831336331373166383337333635386665613738373162
-32336438666233613130636163376138323834396539636536393365666161363632306364633233
-30643364386635383932653362393462366333363037666236386239333464303061666237393130
-66313036336236653137306461383739393438313230393439326636323732613934656663653466
-32306530666135303936386465623534613134613361346234326664313236346136396233313335
-36666463303031646362386232643838613134656561333333386538373532643738323633333834
-62353766653262303032303762353138663163643665393134616538353437326635646662623336
-64393764343561313362393138323462383664643235636164613166646164643139333761326437
-32653939303064353065323765366466376233343430626337626266336566386531323665643430
-62663833653830376564636439363034363538616161623135366163346162633032353336346231
-31643666376363363630646566336361663165386532633936613261323066366131393162363761
-65343332343937646230366266333535653934653931326431393235396338393239343564393161
-31316235343831336330343139656430626534653765393634373537393533616365653830663330
-32663366303561386438376266363235373436616561616433646630373864383933353931373065
-37373865383335383863376466326634653033396533383030343034316531346431613761333666
-63653361643163663661613230326564366666313461326363373863383766653737363464633431
-34656333383462353032646438363632343732393430363666363733363030633465646534343562
-63316530323930366462663964353466356266323764373635373833656561393761396462386231
-30656566336532336335353034336332363034353665396362346366363063623432323764323733
-65366663346537386135356332643663336234316530346130326534383731626264643863343930
-33383662373132326538316432326532366261356434336563386261393066316239383565643665
-36653331396133646134643764356235663336316662396566306161323532396639633265666333
-61366464666139636434653739336166646332643431623936356637306361316430643338653365
-30313231363032373331333334316234336131313831653461616564626634336664363662613333
-36383036366433353962366166643836336362316430656132356364323163346663386432323635
-36393262616338353064353037666136616239623031373064633263616632393536303238356133
-66623836366462626464393361353331383133353033313366653532383330346133386561373132
-30653430633733393361356263616135643532656662366335343637643737336331613438323061
-65633638353462306337376430616139636166623731346361643737643435666538366237336162
-66343136646436336236656563633436656362623734343761303364363765353437373232353765
-37653761333435306233333062386266373533396133356661333539396637333931666366313031
-38323261626334303361303838333166353331366637616532383436643734613537333633376433
-32393963633036356135333536376636326634363932353230653134373338643639313535646665
-34633031653231663035613734366137656634643938336130313464653837393235333665626465
-64653330656366656239656434646162393866373065613662383031623232376261336462323638
-30376130656135666163396635623061393862333834383930623933373162336466323336323533
-31306365353132303764363931623864626330356366396135613432376161356433376331633163
-32653432366363663631656466343633393763653662636261333765393163336636663231313363
-30323534643934343237663562326363316631663165653561626432326164343532613435366662
-61633731383134656561663638646634303236396363623735386335626532376137383939333439
-61613534646564346331366635316335326137333134386637663534386635363965653339663033
-39623537356163613736636665346437656264653566636535323632316632383931316365316130
-39306663336362363037393038653162336563316639313364366337396264393934393465303263
-63383661656366613664633436663961326531336534663533303531633031333934356266326333
-38613966386465383838336630313563613163326561343864373863623537633139623637663631
-64613834383266646132303935666135326364363536626665666564333137323061663332373530
-61623866383634376137336334633463303231663932383966356139656232393465323564383938
-32363630343932653765653432393135623133626165393431633463633563393434653133656165
-37633264386462663166356162373266313966373061653436386233386332636365336438333638
-63353231373930666237363131653164313635623935353439346239393636626364353031643735
-38666436383439633436643461343061653130356130633038353634396361613662613936636633
-33663265656263313632353261333961356163313735393931356261353631383532653464653966
-36376564376434613062376139613566613666633966363239626230303231643164303134383934
-34393939336462333836666661306133643061316438656333363137386664303232343665373463
-31303234656634316464353862636537373134336664626639346439356438373165306334643336
-33626264663066643732336332343236356130353964373531396566643062373566623764383264
-34616461633361393933616565666234393461336138333266303064616338333265666232386630
-36626432386636303533306637623035393362313562616236373130326133386330653766663561
-62383062613832313936326162623034616364373066363630376536306463646562393861396563
-63633835643466613561616361306636643432356666353366383533383638333465373133313361
-31346565303232353462333533616566313434613763623533623637653062306133386434396433
-65393235626530306231343839643834666336633635623361653664626561623437323530623137
-31306432386366616366363166356135653162663637396466353366346364643863323437316230
-66353935633361616562313666373831363232373065393462373238633265336534323361646437
-62383466303039616232633266626466633365663631633335633165336166316135653133306163
-63366232663363343965396438383266383330353732353937623936313234363266343235643835
-30366161323362333664626537623966613639623262303737313966343466336336653339366463
-30396233353431653862623433336137306561653632666566306239363266393631616539306561
-31316236326336373439383733643736316130663936393132643765643734646166636230363031
-32346437613539343635623230313336383364616463316162326638623439386236383432353532
-62653535396633616636646565346163386633336339616566393533316638313162616439363862
-37353735636539633864333161306534623061303563336132636536313262613632646537363264
-30303564323666323239626335306332303033386566336564613166653865343631646265636633
-32356562386166323531353065663462626233386161376464623135656639336234313166323562
-36383261393663303132643164376463343132363165623161616231396563633039366338323332
-64343333346339363633383934353662333562653131373034373532343734623536633366333761
-37333864313935643631613238653439353964363838363334386461313662623831663461653238
-31383931346466363561376262386335653161653361646166303665633939613830363837616361
-64366131393236353432643936313938316331313864303239646365363039346162306136393734
-30646664366533313835353233663630623364396137383265663333626662333338373731383638
-66376538396466626533646263343932633535653064353034326666316466333166616362616331
-65353064336435313166313033663431646562636434653132653436323935363264376335346361
-37303439396630306164313762643439633566363937663339326134643562343036363734303334
-66333537393035386434303062393531653132313061366133633638663833643962303066656561
-33316239643132626136373532643238343639306336333838653833336366613437303364373538
-36343235353731303339616336616465313337633531656435333364343662626166643461346238
-65633534356134623033663962356434633865626665643438323133346563393037653933623330
-66656238363264633135643336353833396162326239376434353837626633343466663561356130
-34386162343336656230303439376461343063626665316462393364323362656238363964376235
-66333735306235373361663065623230303630633536323738666462303961626264316437366437
-33616339623138366633303932396236643466353436353333346664333661333836353762356562
-34336634646238396262383766373530653939663664366330346534643436323934396635613035
-62393130323636353361353862336463303863613335646364346466393635316138396436633862
-62653761333835633366353562313334303362643765316564646666656431653739373230303637
-65343831303432353032393934643066316265333731393034343765306135363563616362616338
-63363235336433363962366236633034383034356138366362353431343433623965653038303932
-30396564383261323835633934386331323536333934353331323737313965643166356261666531
-38353133616466346565633430323861633139633339313338396236633534333435383638316166
-30356331306331666639316663653638333836656166623261396132613965333638613635353530
-36353632396666313935616132633062663232613236393866396535306634343134633636313365
-36623039303961636637356136383066646432376633326238396135613134333566663633366566
-37363432366565633030393936333063386134336635386533313835383766666237303665666339
-32303063353837396461313961326562346433666433323336636135393539316363303664366135
-65313631363261373734353432616431316432303361376164336236396530323761616432646364
-34663932626431333737653730333737373735623463653733366130656466613133616435386338
-31646462623961633534323261636662396335323066383936626561353632613564363366363665
-36616339336434663734663562353334656433643962653935323938393665386433623739333733
-37356663326564616635613766393962313730613162353932356634366330393635373538346231
-62316139653434326238333336343139393230633763353134616334663962356633353266663932
-31343030626436333930353261636533363962343763333764373136313934323431303163336337
-39636164336366316236616433643263653431383462656231323362653336656564373532363065
-32623764316537393639333333336530326436343566633536363334623632663931613963643438
-33333165306563633936656239386162336566316539376537666333633032653232393833323261
-33646530333231366337646263313833643131353063353337326638636138343134363930303366
-61616638663338323339656334303337383163353830353062376363333265326162663237383336
-63343239613534336433666463653733326538303338623062346638643965396564626632303163
-39383139623536613839636564616564653032313363626634633331363564626666303238616631
-36353939396263306161373436313537386234623536363862636130643136656363343265613664
-34366266313461363631623138303639343737616161323336356330303235373063333762383036
-34653632313133323832396363323034626433363363343830333335316365333830653634643161
-62336466616565383033386663396638383632343364643435643765376434633939646334306262
-32323132376530336336386430623264333962383034386166656466313337306464616535646661
-64616461373031623066363933323665356361623032316430616464343531366561353830623937
-62643366363532363537336561653133326531383439616435333032366266623764323334363064
-30613965633835616562373333636563366263376465633930313562666162636365623239386430
-66356561326561353732383566343236636634343765613539326431323437363636356361373262
-33656463306432613165616133333662633739636663373334366563346465326363393161333065
-31626230633832613439633132316631306262303962613963306362313461636130376361393662
-61303638316333353034333137383630366333373865316632393635326238666661613036626534
-34636165643938386134366239323630326565623338623936366461386265306636343938323630
-66343138633165366235653236616561383232663664333765643465623838376532623736396663
-63656435326536383738363765646163313462386165383532656664626636383166363636313137
-64313866336266373338346233336562656364663166306538623866346261356666633965636666
-6466
+30376261613932376534643231633964666162656232326236336230666532663937373935343037
+3233383232363162353739613862353861616232626430390a333033653262326336346630643030
+38373031643466636633393762396131623462393633633866643635343833303738363530383330
+3461313337343936660a363436636335646164616331366534313861313965363865646339306536
+65666264326238363137633366366531663363656138383939343233626665323331323163316534
+64356565623666333933323130376535623932373166633730343861613663643562613561316338
+39313439636135636636346137613266396535356636383763363437396137613162623637393031
+36333162326632356464363533613131613865663963623163323461626663353332343338373263
+64633731623231353834326635643866383464646438363636373536646230666661613261366161
+38386235336336396365356532376232323938643163633934653863313235626434333034666437
+30363438636364623135643361343162373234666536653232366265646439623533343062613231
+35623461383132636136383265313731323339316266646164623262356266356461613361376666
+33666261623137353431383134636234653039356366336435613463636437366134393131613764
+36623630343136636439316337303832633863333762386161363834303635373565666537323865
+33333461613266626239353135643462363934613365316263306535613365633237393031383339
+30663637353566653032363462386335626335323336346639383233306234616438633366306336
+32646366623162623732396537363239653537336334653361613930343239386234663166363334
+36356435383830633837323765333236333437636134613033376462323562616261336665323734
+66303365616663333937383662396432643537653231313431383561363835613631356435383661
+65326462626331613263623538366235623134353936343931393437386135653435623735363833
+37626564323330633838653362306261653064373534343962373239616433656231363663626637
+31303735303535393234376265656664623036613361353936353530383863313439393064643363
+65663130396533626435656261643036363034333333636462633633373231336239613263613634
+30393861343534353463303734313963356666306538636561386638663434353932303266326665
+64303336653862383233373938613164303861306430353534376637656162343465306538666131
+37643161316237306238646461313462656330336266343930653061333538376661333438386662
+64343039363566633262666665623132313037353639643161656466636362656566383633343964
+36333161613365313839326163336563363939313231636661636165383262373863313636333366
+64306163363835643439336138373534333335626362643538306530646562313337316134333666
+33303532343438346662636364653662653765373738643339393134356237313333623334383836
+31333266313963626161666533656264313264353038383766383839666339663065616265303832
+38646566343837643363313035356139303437373636396366653230376338623130316161643030
+63613437326464303161306563376531383336386530333134333739386666306666353565393730
+65366362333335663036613864316661346631643465346135366463663231353562383634623232
+37343266353038353739373436303238666536303761643234623736393331353134623064623934
+30623739636361356263386434356363376437653638636462366134306332383332393465373936
+32616163356539306338633231633436396430396163323764346163623963303163643363356663
+61353536346265383866313565386432343735646336333065346431393031373262663735313132
+62396431383835303164363363363337313136333566323931623731343862383634333533623731
+38383737343433396631643830386532623236616336363539653532623933373339353038393734
+64636431323666623062643033633563656431346235646638333732383635346135616534353739
+36353438373763313130363731636134613734306532336233346163346265356633313165643237
+65376666336437396534353837633862623161643030383166663463613563333131343763623561
+61363065356465666138653038323765636166663135656563313537323764643038623532373565
+31356330323261623861363361653464393332343034313538393565386366363962656338623230
+30303832366161353163343330613232373631666237346664366138663538353434656434636539
+64323566356565343433666631653634623663383031343965616136653238353035316538346338
+32343263616665366661376139333966323366393533336139376530306561616664383865323664
+63383638346135653664653034643036623737326135626539633535303337303462636166386433
+39323630653662646266663061366337396566646563383134333338373535613030343762663362
+32623636363732346335643333613234323265633031393333666133363837393763383765383134
+62343662613465306136303862306530356162313035393433636231393136373366616530346662
+39633663313764616466643362326663383733383436663361393135653436363565343438643266
+39646362383839663331623138303231313663323330623635323635623136386132343137646431
+35336565323235623865303135393866656264326162333732613035303632656136633764366336
+35333935323362313335363762303232613339313837363961326361353965633862363262303837
+64623931633634326637396337303462633361616662656334323735366566323935316233383839
+65396464643166383365313266353366393835373862373633613934386237663262616231346661
+30333431353866386530653039666332633835646238303461653562616564613836363735306463
+34396132386337643066323437626138303233326666643433373039643130306530656534623535
+33613336623338636361343838326634313665613137396238623332613133643065643436633264
+64356661613165393136633137613766336366323762643462653739363338653335356135353333
+37636532313764353163626539633735393633363635303038326239326531633939396162303630
+30343636336538363239323938666136316661396266646239646433303364346433643762363531
+30343037336235343038633637633937633930326234653537316135373063306265336162343764
+61363164393266336566363966643263643733353562643064663830646332393265313435383535
+65313931373762343330653033353366343765636339363331663135396130393633323731323336
+62646464636130666665363362303635653837343534316130303434383761363436373361393038
+31663633313039313364346238303061613366626230366135666432363334646532326566653164
+61323930353937336631663436363662366339336164383534306465363366353634653639336133
+66323964336133303735323236306163366235636439366462323063333838336261316161313465
+34306330643638633265366239373638653930383235366533653361303834366565626532336432
+36393238363031613563653133626435363936613164323761633765616432306433316165626234
+39666635303239376561323430623539663961623035616461353532666332373732323061356130
+65343538656465363534383431363264376361323130373834326665663230333931353638396463
+36613330613465613937313436326230663630343266633762613034306463343262653731616561
+39386661393039653937336332363962333965313538663538393061396536623334303432363935
+64373436333430393666333039393461333532323762363663633235653637306332623565323636
+30326134323335313865636463303139396636633130323837383434396239353665353165633139
+66376338376336313763356132303437383439646465393031333038306432393635336536613562
+35353237363065373935626532653862303436333264326165336539313163373365343066616133
+34343966613733343934663261666639616462653363663232653030633264313035363533363265
+30643666613465376132383663353734613937646438633263663534393166663534613337383662
+31313330363336313433626437646431373634346165633061623764633738653665656433336636
+35363264643463323962616562333532303962353939376639613031643364636434396164313435
+37626661353737306637363262393830343038663065336663353733623633663636366637373931
+30333139666137663830653737636134363935313337663034376234326630396164303030323739
+31353534666265653930643837363664616261396631343535663839353933333161393461623835
+66323035363462613933323161343366663962326135306539336234356631353462393232326331
+33646637383061353566376138666630613833393465363761366535386332653433353862663137
+38663737633235323535393734353566396239336236356364343061323663333263626566636265
+33346531343239313164323066346633383465356237386562363763363135633363346665653565
+64306539653330326230616131343065323062613165306633616164333833336562666566373833
+38623538666539303133383061636331653965343733386230363231393564666532313537346530
+30663134613131343234373736623031616364653565386363366233343338343637383930653764
+63343132666334396162323065346530363139376131303238613732353037386663656339383263
+34643063383630396434653731383066616461343937616561316638313966366633353466313364
+66353564663934323437646434616630326634353966643537343261613935333935393163343231
+64316231303237323234653366613061313031316461366439656137383361323131666338653064
+39373532353130306363316166396465376165333231343933393431636239646333616334616361
+30643038663863316162316462636535623463663135333066666430663832333633326532353162
+64313930376165623861336636313134393663366366376163353866383965316561613734396630
+31343066633461626634386331323135313164343832313735323035666262613030643963663766
+61363432373239653966373033323565643538653336616335313135373762363063663662313639
+64346338613433303231653462323261323732303064376663393232636530333537613636303334
+32653632303335303239323962383264653263323466646135656135333739353531303731346537
+36393332333835363762653963306663353464643364656565636538666534303938363530326232
+30383464353436303562316665646431663338356230396431386232623464346662393738306466
+65616239646665326539363865346534396365653763353863636466376138643733613962303636
+32373465346662303238616233613633376261613631333739313730306434393663336263396563
+34393363383034613539383139383735613938393362303862383637646538343863306539663835
+65383237616161323637383338306330323531316365313062616632396335366338323865363563
+32393333346465376639653366623566326162346339643332633238393739343366653631303933
+30663466396664303866393265323237356632386533323634653532326636346337316330356363
+34323536626663653732366565633137663961373265313831643665303336346338656638636235
+31626565336636363135356138346531343831303663626438633438626534343836363138323230
+37383735316563663463336362313931316135306537383935333836663936396134323962366133
+32363133666233646361326438343263363837376130633330666431323831326433623763316433
+35326638616264643132303433383130376431646464363736393062656439366335323239356533
+63323064316438373262393232643130646638616432386434366631386435313865313031653162
+64383531616137666462306634633866613664313435663262626163356239393538356662333534
+61666666653564336438373464313139653438303462646364343365323130616132353839616535
+64633663613465663861303633363032363132393836636130333733646334653161303564646361
+39623763616236643362316633336465643537303966356230333236326330336434303665393466
+39616464643230363062373234616263613164373437386331383764646363626437393964393539
+63383434386362396639646334343661373832366562633263373137313431633861626364636233
+66616561636636363036313034383234616430653761323337363331633538343561343031396237
+39353634643134306536363361383563656235336233353165386362653236663737356565313632
+65306561376339653065323165303337376564616661613030313330633366313539323030643266
+62366536333166626635636261303539323830633431613835363233633333333133616134386636
+63643162633466316464636533636630363566306265666639303037383036303932613135623633
+39353663383032663735333234613366396638643931353561396530393162663736313631643335
+36646561336563333836376365643035333333373037613533363236623834616164366233333534
+66336561386639663032343532633564356236356535646338336161393337343138343465316130
+30393635313637346231656339383434633364383666633966343337383238613466653335376361
+39383235316462313638353966323364366366633339336561633662653866346363623765636561
+30323461393539383035366136656266666364393731376433633264346634626562666237366430
+34383037383431363163633534363366373833343839353431376430333038396666356437383066
+32313333316632396238393262336663313862336334316233393339366538653039346433346362
+62633532396139326338306265663632653661306436626661613531623865376430376634356137
+30373934306330356233623764376634613034333162393362633431613435643632313937333036
+66393865373534306331666134303435656461613831626639643763363438343165396437396635
+30383031633964373863383235383863373161316333353737616432303763643564656534653061
+63366238666634653639383738393638343531646331653864386465346438643039343238663933
+66666463616561636530323036356463373232353433396133373031333232336133333764383565
+33363838326234363662306532393661383137306364376538666366326634653037343731366363
+35343932346132373565376532366466363835343632633932613362636339366535663036373337
+39326135653665306139373230373130303663613364336163393930663731356634356139363432
+36663838396336306537363735313835666261656631336562616430306130376235646237306262
+30656466363262383134383831396439333235663361643265613664393338656239383934386565
+66323766323835383834303138343932643361373531306364303862366362646134656434333235
+66386139386663373265376637626635376434333965306366376664373436386333343739396335
+34656335356161326466383463643364623061653230363264643464366533393164643239366230
+34646263383861663739356132343333393866613436623832666331623265346539653462633030
+62666564383335303462383430323538363462613039623261306366373135643134643439633633
+34376165656562353165643531303537636262356139323361356162653834353430356234383634
+66333032383335366332336163363130313261363535353338336438623832343962666365373962
+37363330383139393364336134633766376365386238663535346438343261306234343338316363
+65396563343864333465353038626462623738383661316134383565386165313335393734396435
+35333331363166333437306365393639323730663563316331313966376666376630356138396639
+36633933393836376234633639653031346238616664333338623733333065633634383438656434
+39626133343765366363373435383338353232373134353836643666653566383037313763383665
+32663833343231393666323363373634613138653533316366613731653439616663393462313730
+30653637336264363664633237343331646138626663363664313132386234613566636437363365
+33303030346336343866643566623431343338303964636665336461653336393762343565613664
+66303933323064326163306432643361383961663966656239343966383932393364313331336535
+66623831303738313866633466316135633635356534616536303361386434373666636536346330
+66333662613462353530643761313130323236623063616365643234313131666338346434353633
+37316362303036616366656139343033663739343537623232343062663461303337636239653261
+31626663613033316266656364353032343464653732663638643964353039303433323131383938
+31336336343836623165613236316436326533316230396661303463656130306235383161656138
+62316436336531396332346238363938333830303935646534366465636131636636383938323239
+3038
diff --git a/roles/matrix/files/mjolnir.service b/roles/matrix/files/mjolnir.service
new file mode 100644
index 000000000..59cdb6564
--- /dev/null
+++ b/roles/matrix/files/mjolnir.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Mjolnir Matrix moderation tool
+Wants=synapse.service pantalaimon.service
+After=network.target synapse.service pantalaimon.service
+
+[Service]
+User=synapse
+WorkingDirectory=/var/lib/synapse/mjolnir
+Environment=NODE_ENV=production
+Environment=NODE_CONFIG_DIR=/etc/synapse/mjolnir
+ExecStart=/usr/bin/node lib/index.js
+
+[Install]
+WantedBy=multi-user.target
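Review bot: The `[Service]` section sets `User=synapse` with no sandboxing, so the Node process shares an account with the homeserver. Judging by the `group=synapse` modes in tasks/main.yml, it appears able to read the configs under /etc/synapse and to rewrite its own checkout in `WorkingDirectory`. Adding `NoNewPrivileges=yes`, `PrivateTmp=yes` and `ProtectSystem=full` is low-risk here. A dedicated service user would separate the moderation bot from the homeserver, but needs matching ownership changes in the role. pantalaimon.service in this patch has the same gap, and neither unit sets `Restart=`, so a crash leaves moderation offline until someone intervenes.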
diff --git a/roles/matrix/files/pantalaimon.service b/roles/matrix/files/pantalaimon.service
new file mode 100644
index 000000000..fa85e4f74
--- /dev/null
+++ b/roles/matrix/files/pantalaimon.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Pantalaimon E2E Matrix reverse proxy
+Wants=synapse.service
+After=network.target synapse.service
+
+[Service]
+User=synapse
+WorkingDirectory=~
+ExecStart=/var/lib/synapse/venv/bin/pantalaimon \
+  -c /etc/synapse/pantalaimon.conf \
+  --data-path /var/lib/synapse/pantalaimon-data
+
+[Install]
+WantedBy=default.target
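Review bot: `WantedBy=default.target` differs from the `WantedBy=multi-user.target` used by mjolnir.service in the same patch. For a system unit that should start at boot regardless of the configured default target, `WantedBy=multi-user.target` is the conventional choice. `WorkingDirectory=~` also depends on the home directory recorded for the `synapse` account, which is not visible in this patch. An explicit path, for example the directory already passed as `--data-path`, would make the unit self-describing.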
diff --git a/roles/matrix/handlers/main.yml b/roles/matrix/handlers/main.yml
index 26ad217e9..5f8b02927 100644
--- a/roles/matrix/handlers/main.yml
+++ b/roles/matrix/handlers/main.yml
@@ -1,15 +1,22 @@
 ---
 
-- name: restart turnserver
+- name: restart synapse
   systemd:
-    name: turnserver
+    name: synapse
     state: restarted
     enabled: yes
     daemon_reload: yes
 
-- name: restart synapse
+- name: restart pantalaimon
   systemd:
-    name: synapse
+    name: pantalaimon
+    state: restarted
+    enabled: yes
+    daemon_reload: yes
+
+- name: restart mjolnir
+  systemd:
+    name: mjolnir
     state: restarted
     enabled: yes
     daemon_reload: yes
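Review bot: The handler order in this file is load-bearing and deserves a comment. Ansible runs notified handlers in the order they are defined, not the order they are notified, so placing `restart synapse` before `restart pantalaimon` and `restart mjolnir` appears intended to mirror the `After=` chain in the new unit files. A line such as `# Handlers run in definition order: synapse -> pantalaimon -> mjolnir` above `restart synapse` would keep a later alphabetical re-sort from silently changing the restart sequence.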
@@ -20,3 +27,10 @@
     state: restarted
     enabled: yes
     daemon_reload: yes
+
+- name: restart turnserver
+  systemd:
+    name: turnserver
+    state: restarted
+    enabled: yes
+    daemon_reload: yes
diff --git a/roles/matrix/tasks/main.yml b/roles/matrix/tasks/main.yml
index 5465f072d..346144c6e 100644
--- a/roles/matrix/tasks/main.yml
+++ b/roles/matrix/tasks/main.yml
@@ -17,6 +17,7 @@
       - jemalloc
       - libffi
       - libjpeg-turbo
+      - libolm
       - libtiff
       - libwebp
       - libxslt
@@ -31,6 +32,7 @@
       - redis
       - tcl
       - tk
+      - yarn
       - zlib
 
 - name: add synapse group
@@ -44,6 +46,34 @@
   with_items:
     - /var/lib/synapse
     - /var/lib/synapse/media_store
+    - /var/lib/synapse/mjolnir-data
+    - /var/lib/synapse/pantalaimon-data
+
+- name: download mjolnir
+  git:
+    repo: https://github.com/matrix-org/mjolnir
+    dest: /var/lib/synapse/mjolnir
+    version: v0.1.16
+  become: yes
+  become_user: synapse
+  become_method: sudo
+  notify:
+    - restart mjolnir
+
+- name: install mjolnir
+  community.general.yarn:
+    path: /var/lib/synapse/mjolnir
+  become: yes
+  become_user: synapse
+  become_method: sudo
+
+- name: build mjolnir
+  command: yarn build
+  args:
+    chdir: /var/lib/synapse/mjolnir
+  become: true
+  become_user: synapse
+  become_method: sudo
 
 - name: make virtualenv
   command: python -m venv /var/lib/synapse/venv
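Review bot: `version: v0.1.16` in `download mjolnir` pins a git tag, which upstream can move, and the checkout is then installed with yarn, built and run as the `synapse` user. Pinning to the release's full commit hash, `version: <commit-sha-of-v0.1.16>  # v0.1.16`, makes the deployed code immutable. The git module's `verify_commit` could be added if upstream signs its commits, which this patch does not show. The same applies to `version: 0.23.0` in the later `download matrix-appservice-irc` hunk. Separately, `command: yarn build` has no `creates:` or `changed_when:`, so it reruns and reports changed on every play, and only the `download mjolnir` task notifies `restart mjolnir`.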
@@ -53,10 +83,12 @@
   become_user: synapse
   become_method: sudo
 
-- name: install synapse
+- name: install python packages
   pip:
     name:
-      - 'matrix-synapse[postgres,systemd,url_preview,redis]'
+      - 'matrix-synapse[postgres,systemd,url_preview,redis]==1.26.0'
+      - 'pantalaimon==0.9.1'
+      - /var/lib/synapse/mjolnir/synapse_antispam
       - pip
     state: latest
     extra_args: '-U --upgrade-strategy=eager'
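Review bot: The `==` pins on `matrix-synapse` and `pantalaimon` fix only the top-level packages. The unchanged `state: latest` with `extra_args: '-U --upgrade-strategy=eager'` still moves every transitive dependency to its newest release on each run, so the venv that Synapse executes from is not reproducible. Either relax the strategy with `extra_args: '-U --upgrade-strategy=only-if-needed'`, or add a constraints file via `-c <path-to-constraints.txt>` to pin the full set. Note also that `/var/lib/synapse/mjolnir/synapse_antispam` is installed from the git checkout, so code loaded into the homeserver process depends on how tightly `download mjolnir` is pinned. The task continues past the end of this hunk.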
@@ -66,12 +98,13 @@
   become_method: sudo
   notify:
     - restart synapse
+    - restart pantalaimon
 
 - name: download matrix-appservice-irc
   git:
     repo: https://github.com/matrix-org/matrix-appservice-irc
     dest: /var/lib/synapse/matrix-appservice-irc
-    version: master
+    version: 0.23.0
   become: yes
   become_user: synapse
   become_method: sudo
@@ -84,8 +117,6 @@
   become: yes
   become_user: synapse
   become_method: sudo
-  notify:
-    - restart matrix-appservice-irc
 
 - name: install pg_hba.conf
   copy: src=pg_hba.conf dest=/var/lib/postgres/data/pg_hba.conf owner=postgres group=postgres mode=0600
@@ -111,7 +142,10 @@
   become_method: su
 
 - name: create synapse config dir
-  file: state=directory path=/etc/synapse owner=root group=synapse mode=0750
+  file: path={{ item }} state=directory owner=root group=synapse mode=0750
+  with_items:
+    - /etc/synapse
+    - /etc/synapse/mjolnir
 
 - name: install homeserver config
   template: src=homeserver.yaml.j2 dest=/etc/synapse/homeserver.yaml owner=root group=synapse mode=0640
@@ -129,6 +163,16 @@
   notify:
     - restart synapse
 
+- name: install pantalaimon config
+  template: src=pantalaimon.conf.j2 dest=/etc/synapse/pantalaimon.conf owner=root group=synapse mode=0644
+  notify:
+    - restart pantalaimon
+
+- name: install mjolnir config
+  template: src=mjolnir.yaml.j2 dest=/etc/synapse/mjolnir/production.yaml owner=root group=synapse mode=0640
+  notify:
+    - restart mjolnir
+
 - name: install irc-bridge config
   template: src=irc-bridge.yaml.j2 dest=/etc/synapse/irc-bridge.yaml owner=root group=synapse mode=0640
   notify:
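Review bot: `install mjolnir config` renders `mjolnir.yaml.j2`, which contains the bot's vault password, and nothing on the task keeps the rendered content out of Ansible's output. A run with `--diff` would print the secret to the terminal or CI log. Adding `diff: no` to that task (or `no_log: true` if the task result should be hidden as well) avoids this. `pantalaimon.conf` holds no secret in this commit, but it is installed `mode=0644` while every neighbouring config uses `mode=0640`; matching them would be consistent.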
@@ -181,6 +225,20 @@
   notify:
     - restart synapse
 
+- name: install pantalaimon units
+  copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
+  with_items:
+    - pantalaimon.service
+  notify:
+    - restart pantalaimon
+
+- name: install mjolnir units
+  copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
+  with_items:
+    - mjolnir.service
+  notify:
+    - restart mjolnir
+
 - name: install matrix-appservice-irc units
   copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
   with_items:
@@ -206,19 +264,25 @@
   notify:
     - restart synapse
 
+- name: enable pantalaimon units
+  service: name={{ item }} enabled=yes
+  with_items:
+    - pantalaimon.service
+
+- name: enable mjolnir units
+  service: name={{ item }} enabled=yes
+  with_items:
+    - mjolnir.service
+
 - name: enable matrix-appservice-irc units
   service: name={{ item }} enabled=yes
   with_items:
     - matrix-appservice-irc.service
-  notify:
-    - restart matrix-appservice-irc
 
 - name: enable turnserver units
   service: name={{ item }} enabled=yes
   with_items:
     - turnserver.service
-  notify:
-    - restart turnserver
 
 - name: open firewall holes
   ansible.posix.firewalld: port={{ item }} permanent=true state=enabled immediate=yes
diff --git a/roles/matrix/templates/homeserver.yaml.j2 b/roles/matrix/templates/homeserver.yaml.j2
index 42d876621..cfd89b3ec 100644
--- a/roles/matrix/templates/homeserver.yaml.j2
+++ b/roles/matrix/templates/homeserver.yaml.j2
@@ -829,9 +829,9 @@ worker_log_config: "/etc/synapse/log_config.yaml"
 #
 # The defaults are as shown below.
 #
-#rc_message:
-#  per_second: 0.2
-#  burst_count: 10
+rc_message:
+  per_second: 0.5
+  burst_count: 20
 #
 #rc_registration:
 #  per_second: 0.17
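Review bot: The comment just above `rc_message` still reads "The defaults are as shown below", but the block now holds live, non-default values (`per_second: 0.5`, `burst_count: 20`). These loosen the per-user message limit for every local account, in a commit whose purpose is combating abuse. A comment on the block would record the reason and the original values, for example `# Raised from the default 0.2 / 10; applies to all local users. Reason: <why the higher limit is needed>`. If the higher limit is only needed for the bot account, a per-user override would be narrower than a global change, though that cannot be judged from this hunk.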
@@ -1374,7 +1374,7 @@ autocreate_auto_join_rooms: false
 # Note that, if the room already exists, this user must be joined and
 # have the appropriate permissions to invite new members.
 #
-auto_join_mxid_localpart: heftig
+auto_join_mxid_localpart: mjolnir
 
 # When auto_join_rooms is specified, setting this flag to false prevents
 # guest accounts from being automatically joined to the rooms.
@@ -2734,3 +2734,24 @@ redis:
   # Optional password if configured on the Redis instance
   #
   #password: <secret_password>
+
+spam_checker:
+  module: mjolnir.AntiSpam
+  config:
+    # Prevent servers/users in the ban lists from inviting users on this
+    # server to rooms. Default true.
+    block_invites: true
+    # Flag messages sent by servers/users in the ban lists as spam. Currently
+    # this means that spammy messages will appear as empty to users. Default
+    # false.
+    block_messages: false
+    # Remove users from the user directory search by filtering matrix IDs and
+    # display names by the entries in the user ban list. Default false.
+    block_usernames: false
+    # The room IDs of the ban lists to honour. Unlike other parts of Mjolnir,
+    # this list cannot be room aliases or permalinks. This server is expected
+    # to already be joined to the room - Mjolnir will not automatically join
+    # these rooms.
+    ban_lists:
+      - "!WuBtumawCeOGEieRrp:matrix.org"  # #matrix-org-coc-bl:matrix.org
+      - "!tUPwPPmVTaiKXMiijj:matrix.org"  # #matrix-org-hs-tos-bl:matrix.org
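Review bot: With `block_invites: true`, the two `ban_lists` rooms on matrix.org decide which remote users and servers may invite local users, and that delegation of trust to externally moderated lists is not stated anywhere in the block. A short comment above `ban_lists` would make it explicit, for example `# Lists are maintained by matrix.org moderators; entries take effect here without local review.` The upstream comment also says the server must already be joined to these rooms. Nothing in the visible tasks ensures that, so the comment could also say which local account is expected to hold the membership.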
diff --git a/roles/matrix/templates/mjolnir.yaml.j2 b/roles/matrix/templates/mjolnir.yaml.j2
new file mode 100644
index 000000000..64da615cf
--- /dev/null
+++ b/roles/matrix/templates/mjolnir.yaml.j2
@@ -0,0 +1,153 @@
+# Where the homeserver is located (client-server URL). This should point at
+# pantalaimon if you're using that.
+homeserverUrl: "http://127.0.0.1:8009"
+
+# The access token for the bot to use. Do not populate if using Pantalaimon.
+accessToken: ""
+
+# Pantalaimon options (https://github.com/matrix-org/pantalaimon)
+pantalaimon:
+  # If true, accessToken above is ignored and the username/password below will be
+  # used instead. The access token of the bot will be stored in the dataPath.
+  use: true
+
+  # The username to login with.
+  username: mjolnir
+
+  # The password to login with. Can be removed after the bot has logged in once and
+  # stored the access token.
+  password: "{{ vault_matrix_secrets.mjolnir_user_password }}"
+
+# The directory the bot should store various bits of information in
+dataPath: "/var/lib/synapse/mjolnir-data"
+
+# If true (the default), only users in the `managementRoom` can invite the bot
+# to new rooms.
+autojoinOnlyIfManager: true
+
+# If `autojoinOnlyIfManager` is false, only the members in this group can invite
+# the bot to new rooms.
+acceptInvitesFromGroup: "+archlinux:archlinux.org"
+
+# If the bot is invited to a room and it won't accept the invite (due to the
+# conditions above), report it to the management room. Defaults to disabled (no
+# reporting).
+recordIgnoredInvites: true
+
+# The room ID where people can use the bot. The bot has no access controls, so
+# anyone in this room can use the bot - secure your room!
+# This should be a room alias or room ID - not a matrix.to URL.
+# Note: Mjolnir is fairly verbose - expect a lot of messages from it.
+managementRoom: "#mjolnir:archlinux.org"
+
+# Set to false to make the management room a bit quieter.
+verboseLogging: true
+
+# The log level for the logs themselves. One of DEBUG, INFO, WARN, and ERROR.
+# This should be at INFO or DEBUG in order to get support for Mjolnir problems.
+logLevel: "INFO"
+
+# Set to false to disable synchronizing the ban lists on startup. If true, this
+# is the same as running !mjolnir sync immediately after startup.
+syncOnStartup: true
+
+# Set to false to prevent Mjolnir from checking its permissions on startup. This
+# is recommended to be left as "true" to catch room permission problems (state
+# resets, etc) before Mjolnir is needed.
+verifyPermissionsOnStartup: true
+
+# If true, Mjolnir won't actually ban users or apply server ACLs, but will
+# think it has. This is useful to see what it does in a scenario where the
+# bot might not be trusted fully, yet. Default false (do bans/ACLs).
+noop: false
+
+# Set to true to use /joined_members instead of /state to figure out who is
+# in the room. Using /state is preferred because it means that users are
+# banned when they are invited instead of just when they join, though if your
+# server struggles with /state requests then set this to true.
+fasterMembershipChecks: false
+
+# A case-insensitive list of ban reasons to automatically redact a user's
+# messages for. Typically this is useful to avoid having to type two commands
+# to the bot. Use asterisks to represent globs (ie: "spam*testing" would match
+# "spam for testing" as well as "spamtesting").
+automaticallyRedactForReasons:
+  - "spam"
+  - "advertising"
+
+# A list of rooms to protect (matrix.to URLs)
+protectedRooms:
+  - "https://matrix.to/#/#archlinux:archlinux.org"
+
+# Set this option to true to protect every room the bot is joined to. Note that
+# this effectively makes the protectedRooms and associated commands useless because
+# the bot by nature must be joined to the room to protect it.
+#
+# Note: the management room is *excluded* from this condition. Add it to the
+# protected rooms to protect it.
+#
+# Note: ban list rooms the bot is watching but didn't create will not be protected.
+# Manually add these rooms to the protected rooms list if you want them protected.
+protectAllJoinedRooms: false
+
+# Misc options for command handling and commands
+commands:
+  # If true, Mjolnir will respond to commands like !help and !ban instead of
+  # requiring a prefix. This is useful if Mjolnir is the only bot running in
+  # your management room.
+  #
+  # Note that Mjolnir can be pinged by display name instead of having to use
+  # the !mjolnir prefix. For example, "my_moderator_bot: ban @spammer:example.org"
+  # will ban a user.
+  allowNoPrefix: true
+
+  # In addition to the bot's display name, !mjolnir, and optionally no prefix
+  # above, the bot will respond to these names. The items here can be used either
+  # as display names or prefixed with exclamation points.
+  additionalPrefixes: []
+
+# Configuration specific to certain toggleable protections
+protections:
+  # Configuration for the wordlist plugin, which can ban users based if they say certain
+  # blocked words shortly after joining.
+  wordlist:
+    # A list of words which should be monitored by the bot.  These will match if any part
+    # of the word is present in the message in any case.  e.g. "hello" also matches
+    # "HEllO".  Additionally, regular expressions can be used.
+    words: []
+
+    # How long after a user joins the server should the bot monitor their messages.  After
+    # this time, users can say words from the wordlist without being banned automatically.
+    # Set to zero to disable (users will always be banned if they say a bad word)
+    minutesBeforeTrusting: 20
+
+# Options for monitoring the health of the bot
+health:
+  # healthz options. These options are best for use in container environments
+  # like Kubernetes to detect how healthy the service is. The bot will report
+  # that it is unhealthy until it is able to process user requests. Typically
+  # this means that it'll flag itself as unhealthy for a number of minutes
+  # before saying "Now monitoring rooms" and flagging itself healthy.
+  #
+  # Health is flagged through HTTP status codes, defined below.
+  healthz:
+    # Whether the healthz integration should be enabled (default false)
+    enabled: false
+
+    # The port to expose the webserver on. Defaults to 8080.
+    port: 8080
+
+    # The address to listen for requests on. Defaults to all addresses.
+    address: "0.0.0.0"
+
+    # The path to expose the monitoring endpoint at. Defaults to `/healthz`
+    endpoint: "/healthz"
+
+    # The HTTP status code which reports that the bot is healthy/ready to
+    # process requests. Typically this should not be changed. Defaults to
+    # 200.
+    healthyStatus: 200
+
+    # The HTTP status code which reports that the bot is not healthy/ready.
+    # Defaults to 418.
+    unhealthyStatus: 418
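Review bot: The `password:` line under `pantalaimon:` interpolates the vault value inside a hand-written double-quoted scalar, so a password containing `"` or `\` would render as invalid YAML or as a different string. Using `password: {{ vault_matrix_secrets.mjolnir_user_password | to_json }}` lets the filter do the quoting and escaping. The comment above that line says the password can be removed once the access token is stored, but the template writes it into `production.yaml` on every run, so the credential stays on disk next to the token in `dataPath`. Separately, `health.healthz.address` is `"0.0.0.0"`; it has no effect while `enabled: false`, but `"127.0.0.1"` would be the safer value to leave in place in case the endpoint is switched on later.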
diff --git a/roles/matrix/templates/pantalaimon.conf.j2 b/roles/matrix/templates/pantalaimon.conf.j2
new file mode 100644
index 000000000..1065e240a
--- /dev/null
+++ b/roles/matrix/templates/pantalaimon.conf.j2
@@ -0,0 +1,10 @@
+[Default]
+LogLevel = Info
+Notifications = Off
+
+[local-archlinux]
+Homeserver = https://{{ matrix_domain }}
+ListenAddress = 127.0.0.1
+ListenPort = 8009
+UseKeyring = No
+IgnoreVerification = True
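Review bot: `UseKeyring = No` and `IgnoreVerification = True` are the two security-relevant settings in this file, and neither carries a comment explaining the choice. With verification ignored, the proxy will encrypt for devices nobody has verified; that is presumably acceptable for a headless moderation bot, but it should be stated rather than left implicit. Comments such as `# headless service, no desktop keyring available` and `# bot account: accept unverified devices, no operator present to verify` would cover it. The proxy's state lives in `/var/lib/synapse/pantalaimon-data`, whose permissions are set outside this hunk and are worth checking.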
-- 
GitLab