1
0
mirror of https://github.com/spantaleev/matrix-docker-ansible-deploy.git synced 2024-12-12 08:43:55 +02:00
matrix-docker-ansible-deploy/docs/configuring-playbook-bridge-hookshot.md
Slavi Pantaleev 94c1503a60 Add support for experimental encryption in Hookshot
Squashed based on the work done in https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3042

commit 49932b8f3c
Author: Slavi Pantaleev <slavi@devture.com>
Date:   Sat Dec 16 09:21:31 2023 +0200

    Fix syntax in matrix-bridge-hookshot/tasks/reset_encryption.yml

    Also, this task always does work and side-effects, so it should always report changes
    (`changed_when: true`).

commit 6bdf7a9dcb
Author: Slavi Pantaleev <slavi@devture.com>
Date:   Sat Dec 16 09:12:41 2023 +0200

    Add Hookshot validation task to ensure queue settings are set when encryption is enabled

commit 8c531b7971
Author: Slavi Pantaleev <slavi@devture.com>
Date:   Sat Dec 16 09:10:17 2023 +0200

    Add missing variables rewiring in group_vars/matrix_servers for Hookshot

commit 7d26dabc2f
Author: Slavi Pantaleev <slavi@devture.com>
Date:   Sat Dec 16 09:08:19 2023 +0200

    Add defaults for matrix_hookshot_queue_host and matrix_hookshot_queue_port

commit 74f91138c9
Author: Slavi Pantaleev <slavi@devture.com>
Date:   Sat Dec 16 09:06:17 2023 +0200

    Fix syntax for connecting to additional networks for Hookshot

commit ca7b41f3f2
Author: Slavi Pantaleev <slavi@devture.com>
Date:   Sat Dec 16 09:05:28 2023 +0200

    Fix indentation and remove unnecessary if-statements

commit ac4a918d58
Author: Slavi Pantaleev <slavi@devture.com>
Date:   Sat Dec 16 09:04:44 2023 +0200

    Add missing --network for Hookshot

    This seems to have been removed by accident.

commit 6a81fa208f
Author: Slavi Pantaleev <slavi@devture.com>
Date:   Sat Dec 16 09:02:47 2023 +0200

    Make automatic Redis enabling safer, when Hookshot encryption enabled

    If we ever default encryption to enabled for Hookshot, we only wish to force-enable Redis if Hookshot is actually enabled.

commit 75a8e0f2a6
Author: Slavi Pantaleev <slavi@devture.com>
Date:   Sat Dec 16 09:01:10 2023 +0200

    Fix typo

commit 98ad182eac
Author: Joshua Hoffmann <joshua.hoffmann@b1-systems.de>
Date:   Fri Dec 15 22:37:40 2023 +0100

    Add defaults for Hookshot's encryption

commit 29fa9fab15
Author: Joshua Hoffmann <joshua.hoffmann@b1-systems.de>
Date:   Fri Dec 15 22:35:11 2023 +0100

    Improve wording of Hookshot's encryption section

commit 4f835e0560
Author: Joshua Hoffmann <joshua.hoffmann@b1-systems.de>
Date:   Fri Dec 15 22:28:52 2023 +0100

    use safer mount options for the container's files

commit 8c93327e25
Author: Joshua Hoffmann <joshua.hoffmann@b1-systems.de>
Date:   Fri Dec 15 22:26:01 2023 +0100

    fix filename

commit 03a7bb6e77
Merge: e55d7694 06047763
Author: Joshua Hoffmann <joshua.hoffmann@b1-systems.de>
Date:   Fri Dec 15 22:23:44 2023 +0100

    Merge branch 'HarHarLinks/hookshot-encryption' of https://github.com/real-joshua/matrix-docker-ansible-deploy into HarHarLinks/hookshot-encryption

commit 06047763bb
Author: Joshua Hoffmann <joshua.hoffmann@b1-systems.de>
Date:   Fri Dec 15 22:15:54 2023 +0100

    Update roles/custom/matrix-bridge-hookshot/templates/config.yml.j2

    change the if statement to not require a variable with a length > 0 and add a filter to json for the redis host

    Co-authored-by: Slavi Pantaleev <slavi@devture.com>

commit e55d769465
Author: Joshua Hoffmann <joshua.hoffmann@b1-systems.de>
Date:   Fri Dec 15 22:13:50 2023 +0100

    clarify that Redis is required, standardadise on Hookshot with an upper-case first letter for consistency

commit 66706e4535
Author: Joshua Hoffmann <joshua.hoffmann@b1-systems.de>
Date:   Fri Dec 15 22:08:20 2023 +0100

    Update roles/custom/matrix-bridge-hookshot/templates/config.yml.j2

    fix for a typo

    Co-authored-by: Slavi Pantaleev <slavi@devture.com>

commit f6aaeb9a16
Merge: e5d34002 869dd33f
Author: Joshua Hoffmann <joshua.hoffmann@b1-systems.de>
Date:   Fri Dec 15 00:22:34 2023 +0100

    Merge branch 'master' into HarHarLinks/hookshot-encryption

commit e5d34002fd
Author: Joshua Hoffmann <joshua.hoffmann@b1-systems.de>
Date:   Fri Dec 15 00:09:27 2023 +0100

    Add Jinja loop to allow adding multiple networks

commit 69f947782d
Author: Joshua Hoffmann <joshua.hoffmann@b1-systems.de>
Date:   Thu Dec 14 23:52:41 2023 +0100

    split if statements for the message queue and experimental encryption support into seperate statements

commit 4c13be1c89
Author: Joshua Hoffmann <joshua.hoffmann@b1-systems.de>
Date:   Thu Dec 14 23:31:19 2023 +0100

    change variable name per spantaleev's suggestion (https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2979#discussion_r1379015551)

commit 9905309aa9
Author: HarHarLinks <kim.brose@rwth-aachen.de>
Date:   Wed Nov 1 16:14:04 2023 +0100

    amend docs

commit 94abf2d5bd
Author: HarHarLinks <kim.brose@rwth-aachen.de>
Date:   Wed Nov 1 16:05:22 2023 +0100

    draft encryption support for hookshot
2023-12-16 09:23:35 +02:00

8.4 KiB

Setting up Hookshot (optional)

The playbook can install and configure matrix-hookshot for you.

Hookshot can bridge Webhooks from software project management services such as GitHub, GitLab, JIRA, and Figma, as well as generic webhooks.

See the project's documentation to learn what it does in detail and why it might be useful to you.

Note: the playbook also supports matrix-appservice-webhooks, which however is soon to be archived by its author and to be replaced by hookshot.

Setup Instructions

Refer to the official instructions to learn what the individual options do.

  1. Enable the bridge by adding matrix_hookshot_enabled: true to your vars.yml file
  2. For each of the services (GitHub, GitLab, Jira, Figma, generic webhooks) fill in the respective variables matrix_hookshot_service_* listed in main.yml as required.
  3. Take special note of the matrix_hookshot_*_enabled variables. Services that need no further configuration are enabled by default (GitLab, Generic), while you must first add the required configuration and enable the others (GitHub, Jira, Figma).
  4. If you're setting up the GitHub bridge, you'll need to generate and download a private key file after you created your GitHub app. Copy the contents of that file to the variable matrix_hookshot_github_private_key so the playbook can install it for you, or use one of the other methods explained below.
  5. If you've already installed Matrix services using the playbook before, you'll need to re-run it (--tags=setup-all,start). If not, proceed with configuring other playbook services and then with Installing. Get back to this guide once ready. Hookshot can be set up individually using the tag setup-hookshot.

Other configuration options are available via the matrix_hookshot_configuration_extension_yaml and matrix_hookshot_registration_extension_yaml variables, see the comments in main.yml for how to use them.

Finally, run the playbook (see installing).

End-to-bridge encryption

You can enable experimental encryption for Hookshot by adding matrix_hookshot_experimental_encryption_enabled: true to your configuration (vars.yml) and executing the playbook again.

Should the crypto store be corrupted, you can reset it by executing this Ansible playbook with the tag reset-hookshot-encryption added, for example ansible-playbook -i inventory/hosts setup.yml -K --tags=reset-hookshot-encryption).

Usage

Create a room and invite the Hookshot bot (@hookshot:DOMAIN) to it.

Make sure the bot is able to send state events (usually the Moderator power level in clients).

Send a !hookshot help message to see a list of help commands.

Refer to Hookshot's documentation for more details about using the brige's various features.

Important: Note that the different listeners are bound to certain paths which might differ from those assumed by the hookshot documentation, see URLs for bridges setup below.

More setup documentation

URLs for bridges setup

Unless indicated otherwise, the following endpoints are reachable on your matrix. subdomain (if the feature is enabled).

listener default path variable used as
webhooks /hookshot/webhooks/ matrix_hookshot_webhook_endpoint generics, GitHub "Webhook URL", GitLab "URL", etc.
github oauth /hookshot/webhooks/oauth matrix_hookshot_github_oauth_endpoint GitHub "Callback URL"
jira oauth /hookshot/webhooks/jira/oauth matrix_hookshot_jira_oauth_endpoint JIRA OAuth
figma endpoint /hookshot/webhooks/figma/webhook matrix_hookshot_figma_endpoint Figma
provisioning /hookshot/v1/ matrix_hookshot_provisioning_endpoint Dimension provisioning
appservice /hookshot/_matrix/app/ matrix_hookshot_appservice_endpoint Matrix server
widgets /hookshot/widgetapi/ matrix_hookshot_widgets_endpoint Widgets
metrics /metrics/hookshot matrix_hookshot_metrics_enabled and matrix_hookshot_metrics_proxying_enabled. Requires /metrics/* endpoints to also be enabled via matrix_nginx_proxy_proxy_matrix_metrics_enabled (see the matrix-nginx-proxy role). Read more in the Metrics section below. Prometheus

See also matrix_hookshot_matrix_nginx_proxy_configuration in init.yml.

The different listeners are also reachable internally in the docker-network via the container's name (configured by matrix_hookshot_container_url) and on different ports (e.g. matrix_hookshot_appservice_port). Read main.yml in detail for more info.

Manage GitHub Private Key with aux role

The GitHub bridge requires you to install a private key file. This can be done in multiple ways:

  • copy the contents of the downloaded file and set the variable matrix_hookshot_github_private_key to the contents (see example in main.yml).
  • somehow copy the file to the path {{ matrix_hookshot_base_path }}/{{ matrix_hookshot_github_private_key_file }} (default: /matrix/hookshot/private-key.pem) on the server manually.
  • use the aux role to copy the file from an arbitrary path on your ansible client to the correct path on the server.

To use the aux role, make sure the matrix_hookshot_github_private_key variable is empty. Then add the following additional configuration:

aux_file_definitions:
  - dest: "{{ matrix_hookshot_base_path }}/{{ matrix_hookshot_github_private_key_file }}"
    content: "{{ lookup('file', '/path/to/your-github-private-key.pem') }}"
    mode: '0400'
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"

For more information, see the documentation in the default configuration of the aux role.

Provisioning API

The provisioning API will be enabled automatically if you set matrix_dimension_enabled: true and provided a matrix_hookshot_provisioning_secret, unless you override it either way. To use hookshot with dimension, you will need to enter as "Provisioning URL": http://matrix-hookshot:9002, which is made up of the variables matrix_hookshot_container_url and matrix_hookshot_provisioning_port.

Metrics

Metrics are only enabled by default if the builtin Prometheus is enabled (by default, Prometheus isn't enabled). If so, metrics will automatically be collected by Prometheus and made available in Grafana. You will, however, need to set up your own Dashboard for displaying them.

To explicitly enable metrics, use matrix_hookshot_metrics_enabled: true. This only exposes metrics over the container network, however.

To collect metrics from an external Prometheus server, besides enabling metrics as described above, you will also need to:

  • enable the https://matrix.DOMAIN/metrics/* endpoints on matrix.DOMAIN using matrix_nginx_proxy_proxy_matrix_metrics_enabled: true (see the matrix-nginx-role or the Prometheus and Grafana docs for enabling this feature)
  • expose the Hookshot metrics under https://matrix.DOMAIN/metrics/hookshot by setting matrix_hookshot_metrics_proxying_enabled: true

Collision with matrix-appservice-webhooks

If you are also running matrix-appservice-webhooks, it reserves its namespace by the default setting matrix_appservice_webhooks_user_prefix: '_webhook_'. You should take care if you modify its or hookshot's prefix that they do not collide with each other's namespace (default matrix_hookshot_generic_userIdPrefix: '_webhooks_').