diff --git a/inventory/group_vars/matrix_servers.yml b/inventory/group_vars/matrix_servers.yml index 794d272c867..ca5c7053dc5 100644 --- a/inventory/group_vars/matrix_servers.yml +++ b/inventory/group_vars/matrix_servers.yml @@ -86,3 +86,9 @@ postgres_connection_password: !vault | # Example: `matrix_coturn_turn_external_ip_addresses: ['1.2.3.4', '4.5.6.7']` # # matrix_coturn_turn_external_ip_address: '' + +# Audit user registrations +matrix_synapse_ext_audit_registrations_enabled: true +matrix_synapse_ext_audit_registrations_config: + room_alias: "#audit:{{ now(fmt='%Y') }}.seagl.org" + user_id: "@notifications:{{ now(fmt='%Y') }}.seagl.org" diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 88ee9cf0aac..90f894e4dea 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -1342,6 +1342,9 @@ matrix_synapse_ext_synapse_auto_accept_invite_worker_to_run_on: null # If it is, the Synapse media repo and media-repo workers will be disabled automatically. matrix_synapse_ext_media_repo_enabled: false +# Auditing of user registrations +matrix_synapse_ext_audit_registrations_enabled: false + matrix_s3_media_store_enabled: false matrix_s3_media_store_custom_endpoint_enabled: false matrix_s3_goofys_docker_image: "{{ matrix_s3_goofys_docker_image_name_prefix }}ewoutp/goofys:latest" diff --git a/roles/custom/matrix-synapse/tasks/ext/audit-registrations/setup_install.yml b/roles/custom/matrix-synapse/tasks/ext/audit-registrations/setup_install.yml new file mode 100644 index 00000000000..68db621a182 --- /dev/null +++ b/roles/custom/matrix-synapse/tasks/ext/audit-registrations/setup_install.yml @@ -0,0 +1,69 @@ +--- + +- name: Install audit registrations module + ansible.builtin.copy: + dest: "{{ matrix_synapse_ext_path }}/audit_registrations.py" + owner: "{{ matrix_synapse_uid }}" + group: "{{ matrix_synapse_gid }}" + mode: 0440 + content: | + import logging + from synapse.module_api.errors import SynapseError + + logger = logging.getLogger(__name__) + + + class AuditRegistrations: + def __init__(self, config, api): + self._api = api + self._room_alias = config["room_alias"] + self._user_id = config["user_id"] + + self._api.register_account_validity_callbacks( + on_user_registration=self.on_user_registration + ) + + async def on_user_registration(self, user_id): + try: + (room_id, _) = await self._api.lookup_room_alias(self._room_alias) + + await self._api.create_and_send_event_into_room( + { + "sender": self._user_id, + "room_id": room_id, + "type": "m.room.message", + "content": { + "msgtype": "m.notice", + "body": f"User registration: {user_id}", + }, + } + ) + except SynapseError as e: + logger.error("Failed to report user registration %s: %s", user_id, e) + +- ansible.builtin.set_fact: + matrix_synapse_modules: | + {{ + matrix_synapse_modules | default([]) + + + [ + { + "module": "audit_registrations.AuditRegistrations", + "config": matrix_synapse_ext_audit_registrations_config + } + ] + }} + + matrix_synapse_container_extra_arguments: > + {{ + matrix_synapse_container_extra_arguments | default([]) + + + ["--mount type=bind,src={{ matrix_synapse_ext_path }}/audit_registrations.py,dst={{ matrix_synapse_in_container_python_packages_path }}/audit_registrations.py,ro"] + }} + + matrix_synapse_additional_loggers_auto: > + {{ + matrix_synapse_additional_loggers_auto + + + [{'name': 'audit_registrations', 'level': 'INFO'}] + }} diff --git a/roles/custom/matrix-synapse/tasks/ext/audit-registrations/setup_uninstall.yml b/roles/custom/matrix-synapse/tasks/ext/audit-registrations/setup_uninstall.yml new file mode 100644 index 00000000000..5d7ab0de037 --- /dev/null +++ b/roles/custom/matrix-synapse/tasks/ext/audit-registrations/setup_uninstall.yml @@ -0,0 +1,6 @@ +--- + +- name: Uninstall audit registrations module + ansible.builtin.file: + path: "{{ matrix_synapse_ext_path }}/audit_registrations.py" + state: absent diff --git a/roles/custom/matrix-synapse/tasks/ext/setup_install.yml b/roles/custom/matrix-synapse/tasks/ext/setup_install.yml index f7be477aab9..ebedee01604 100644 --- a/roles/custom/matrix-synapse/tasks/ext/setup_install.yml +++ b/roles/custom/matrix-synapse/tasks/ext/setup_install.yml @@ -82,3 +82,13 @@ block: - when: matrix_synapse_ext_synapse_auto_accept_invite_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/synapse-auto-accept-invite/setup_install.yml" + +# audit-registrations +- tags: + - setup-all + - setup-synapse + - install-all + - install-synapse + block: + - when: matrix_synapse_ext_audit_registrations_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/audit-registrations/setup_install.yml" diff --git a/roles/custom/matrix-synapse/tasks/ext/setup_uninstall.yml b/roles/custom/matrix-synapse/tasks/ext/setup_uninstall.yml index f584f584d0b..4db9e228933 100644 --- a/roles/custom/matrix-synapse/tasks/ext/setup_uninstall.yml +++ b/roles/custom/matrix-synapse/tasks/ext/setup_uninstall.yml @@ -50,3 +50,11 @@ block: - when: not matrix_synapse_ext_synapse_s3_storage_provider_enabled | bool ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/s3-storage-provider/setup_uninstall.yml" + +# audit-registrations +- tags: + - setup-all + - setup-synapse + block: + - when: not matrix_synapse_ext_audit_registrations_enabled | bool + ansible.builtin.include_tasks: "{{ role_path }}/tasks/ext/audit-registrations/setup_uninstall.yml"