fix: matrix double puppeting

2026-03-03 23:09:43 +01:00 · 2026-03-03 23:09:43 +01:00 · 5418df411c
commit 5418df411c
parent f1b4e2d9bb
2 changed files with 116 additions and 44 deletions
--- a/hosts/fw/modules/web/matrix.nix
+++ b/hosts/fw/modules/web/matrix.nix
@ -37,6 +37,7 @@ let
  '';

  synapseVoipConfig = "/run/matrix-synapse/voip-config.yaml";
+  doublePuppetRegistration = "/run/matrix-synapse/double-puppet-registration.yaml";
 in {
  # Secrets for MAS
  sops.secrets.mas-encryption-key = { owner = "mas"; };
@ -49,6 +50,10 @@ in {
    key = "mas-matrix-secret";
  };

+  # Double puppet appservice tokens (for bridge double puppeting via MAS)
+  sops.secrets.double-puppet-as-token = { owner = "matrix-synapse"; };
+  sops.secrets.double-puppet-hs-token = { owner = "matrix-synapse"; };
+
  # TURN shared secret (for Synapse VoIP config)
  sops.secrets.coturn-static-secret = {
    sopsFile = ./secrets.yaml;
@ -226,6 +231,9 @@ in {

      allow_guest_access = false;

+      # Double puppet appservice registration (bridges use this for m.login.application_service)
+      app_service_config_files = [ doublePuppetRegistration ];
+
      # MSC4190: device management for appservices (required for encrypted bridges with MAS)
      experimental_features = {
        msc4190_enabled = true;
@ -233,6 +241,8 @@ in {
        # MatrixRTC support
        msc3266_enabled = true;
        msc4222_enabled = true;
+        # QR code login (MSC4108) — enables the built-in rendezvous server
+        msc4108_enabled = true;
      };

      # MatrixRTC delayed events (MSC4140) — prevents stuck calls
@ -259,8 +269,52 @@ in {
    turn_shared_secret: "$TURN_SECRET"
    turn_user_lifetime: 86400000
    EOF
+
+    install -m 0640 /dev/null ${doublePuppetRegistration}
+    DP_AS=$(cat ${config.sops.secrets.double-puppet-as-token.path})
+    DP_HS=$(cat ${config.sops.secrets.double-puppet-hs-token.path})
+    cat > ${doublePuppetRegistration} <<DPEOF
+    id: double-puppet
+    as_token: "$DP_AS"
+    hs_token: "$DP_HS"
+    url:
+    sender_localpart: _double-puppet
+    rate_limited: false
+    namespaces:
+      users:
+        - regex: '@.*:cloonar\.com'
+          exclusive: false
+    DPEOF
  '';

+  # Generate env file with double puppet token for bridges
+  systemd.services.generate-double-puppet-env = {
+    description = "Generate double puppet environment file";
+    wantedBy = [ "multi-user.target" ];
+    before = [
+      "mautrix-whatsapp.service"
+      "mautrix-signal.service"
+      "mautrix-discord-registration.service"
+      "mautrix-mattermost-registration.service"
+    ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      echo "DOUBLE_PUPPET_AS_TOKEN=$(cat ${config.sops.secrets.double-puppet-as-token.path})" > /run/double-puppet-env
+      chmod 0444 /run/double-puppet-env
+    '';
+  };
+
+  # Append double puppet env file to each bridge's EnvironmentFile
+  # WhatsApp & Signal: envsubst runs in main service preStart
+  systemd.services.mautrix-whatsapp.serviceConfig.EnvironmentFile = [ "/run/double-puppet-env" ];
+  systemd.services.mautrix-signal.serviceConfig.EnvironmentFile = [ "/run/double-puppet-env" ];
+  # Discord & Mattermost: envsubst runs in registration service script
+  systemd.services.mautrix-discord-registration.serviceConfig.EnvironmentFile = [ "/run/double-puppet-env" ];
+  systemd.services.mautrix-mattermost-registration.serviceConfig.EnvironmentFile = [ "/run/double-puppet-env" ];
+
  # Element Web client
  services.nginx.virtualHosts."element.cloonar.com" = {
    forceSSL = true;
@ -382,6 +436,10 @@ in {
        permissions."cloonar.com" = "user";
        relay.enabled = true;
      };
+      double_puppet = {
+        servers."cloonar.com" = "http://127.0.0.1:8009";
+        secrets."cloonar.com" = "as_token:$DOUBLE_PUPPET_AS_TOKEN";
+      };
      encryption = {
        allow = true;
        default = true;
@ -408,6 +466,10 @@ in {
        permissions."cloonar.com" = "user";
        relay.enabled = true;
      };
+      double_puppet = {
+        servers."cloonar.com" = "http://127.0.0.1:8009";
+        secrets."cloonar.com" = "as_token:$DOUBLE_PUPPET_AS_TOKEN";
+      };
      encryption = {
        allow = true;
        default = true;
@ -435,6 +497,10 @@ in {
        permissions."cloonar.com" = "user";
        relay.enabled = true;
      };
+      double_puppet = {
+        servers."cloonar.com" = "http://127.0.0.1:8009";
+        secrets."cloonar.com" = "as_token:$DOUBLE_PUPPET_AS_TOKEN";
+      };
      # Override token defaults so env var substitution writes real tokens.
      # Must include database/address/port since setting appservice replaces the whole default.
      appservice = {
@ -525,6 +591,10 @@ in {
        permissions."cloonar.com" = "user";
        relay.enabled = true;
      };
+      double_puppet = {
+        servers."cloonar.com" = "http://127.0.0.1:8009";
+        secrets."cloonar.com" = "as_token:$DOUBLE_PUPPET_AS_TOKEN";
+      };
      appservice = {
        address = "http://localhost:29335";
        hostname = "0.0.0.0";