draft encryption support for hookshot #2979
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
--- | ||
- name: Resetting Hookshot's crypto store | ||
ansible.builtin.command: | ||
cmd: | | ||
{{ devture_systemd_docker_base_host_command_docker }} run | ||
--rm | ||
--name={{ matrix_hookshot_container_url }}-reset-crypto | ||
It's quite unfortunate that the container-name (and what we call In actuality,
||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} | ||
--cap-drop=ALL | ||
-v {{ matrix_hookshot_base_path }}/config.yml:/config.yml | ||
{{ matrix_hookshot_docker_image }} yarn start:resetcrypto | ||
changed_when: false |
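Review bot: `changed_when: false` on the last line of this task marks a destructive operation as unchanged, so a run that resets Hookshot's crypto store shows up as "ok" in the play recap. Drop it or set `changed_when: true`. The task also has no `when:` guard or tag in the lines shown, so whatever includes this file should gate it behind an explicit opt-in. On the `docker run` arguments: `-v {{ matrix_hookshot_base_path }}/config.yml:/config.yml` is mounted read-write where `:ro` would do if the reset only reads the config, and config.yml is the only mount, so if `yarn start:resetcrypto` needs the on-disk store that the config template places at `storagePath: /data/encryption`, it will not find it in this container.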
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -107,6 +107,14 @@ metrics: | |
# (Optional) Prometheus metrics support | ||
# | ||
enabled: {{ matrix_hookshot_metrics_enabled | to_json }} | ||
{% if matrix_hookshot_experimental_encryption_enabled %} | ||
queue: | ||
monolithic: true | ||
port: 6379 | ||
host: matrix-redis | ||
Comment on lines +113 to +114
These assumptions should not be hardcoded and should use variables ( The port could default to The host should default to empty. Perhaps you can only enable the queue ( The
matrix_hookshot_queue_host: "{{ redis_identifier if matrix_hookshot_experimental_encryption_enabled and redis_enabled else '' }}"
This: provides sane defaults for these variables, potentially overrides them via the group vars file, and still allows people to use external Redis instances, if they want to.
||
experimentalEncryption: | ||
storagePath: /data/encryption | ||
Comment on lines +115 to +116
This should be out of the Experimental encryption does probably require the
|
||
{% endif %} | ||
logging: | ||
# (Optional) Logging settings. You can have a severity debug,info,warn,error | ||
# | ||
|
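Review bot: the new `queue:` and `experimentalEncryption:` blocks carry no explanatory comment, while the neighbouring sections in this template each have one (`# (Optional) Prometheus metrics support`, `# (Optional) Logging settings.`). Add a comment saying what `monolithic: true` implies and that `storagePath: /data/encryption` is where the crypto store lives. The hunks shown do not add a mount for that path, so it relies on `/data` already being a persisted volume; confirm that, and that the directory is writable only by the `--user` the container runs as, since losing or exposing that directory affects the bridge's encryption state.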
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -16,7 +16,7 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" | |
ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_hookshot_container_url }} | ||
ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_hookshot_container_url }} | ||
|
||
ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {{ matrix_hookshot_container_url }} \ | ||
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create --rm --name {{ matrix_hookshot_container_url }} \ | ||
--log-driver=none \ | ||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ | ||
--cap-drop=ALL \ | ||
|
@@ -30,6 +30,12 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name | |
{% endfor %} | ||
{{ matrix_hookshot_docker_image }} | ||
|
||
{% if matrix_hookshot_experimental_encryption_enabled %} | ||
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect matrix-redis {{ matrix_hookshot_container_url }} | ||
{% endif %} | ||
Comment on lines +33 to +35
As discussed before, it's not great for roles to make assumptions about other roles. The assumption that this role makes there is that when encryption is enabled, Redis will also be enabled via nothing else but It's better to redo this by:
With this, the role is configurable and does not hardcode anything about
||
|
||
ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach {{ matrix_hookshot_container_url }} | ||
|
||
ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_hookshot_container_url }} | ||
ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_hookshot_container_url }} | ||
Restart=always | ||
|
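Review bot: the added `ExecStartPre=... network connect matrix-redis {{ matrix_hookshot_container_url }}` line has no `-` prefix and names a network this role does not create, so with encryption enabled and that network absent the unit fails before `ExecStart` and, with `Restart=always`, keeps retrying. Take the network name from a variable (for example a list of additional networks that defaults to empty) and loop over it here. Note also that the `queue:` block in the config template sets only `host` and `port`, so access to Redis rests on network membership alone: joining the shared Redis network makes Redis reachable from the Hookshot container and Hookshot reachable from everything else on that network. Keep that network limited to the services that need it and say so in the role documentation.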
Typo: endcryption -> encryption