Add support for matrix_encryption_disabler

Related to matrix-org/synapse#4401

Fixes #1621

roles/matrix-synapse/defaults/main.yml

@@ -542,6 +542,23 @@ matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_usernames: false
 matrix_synapse_ext_spam_checker_mjolnir_antispam_config_ban_lists: []
 
 
+# Enable this to activate the E2EE disabling Synapse module.
+# See: https://github.com/digitalentity/matrix_encryption_disabler
+matrix_synapse_ext_encryption_disabler_enabled: false
+matrix_synapse_ext_encryption_disabler_download_url: "https://raw.githubusercontent.com/digitalentity/matrix_encryption_disabler/ee80beedc5084a5fabf3c91d8df6d59457d3a790/matrix_e2ee_filter.py"
+# A list of server domain names for which to deny encryption if the event sender's domain matches the domain in the list.
+# By default, with the configuration below, we prevent all homeserver users from initiating encryption in ANY room.
+matrix_synapse_ext_encryption_disabler_deny_encryption_for_users_of: ["{{ matrix_domain }}"]
+# A list of server domain names for which to deny encryption if the destination room id's domain matches the domain in the list.
+# By default, with the configuration below, we prevent locally-created encryption events by ANY user encrypt rooms on the homeserver.
+# Note: foreign users with enough room privileges will still be able to send an encryption event to your rooms and encrypt them.
+matrix_synapse_ext_encryption_disabler_deny_encryption_for_rooms_of: ["{{ matrix_domain }}"]
+matrix_synapse_ext_encryption_config: "{{ matrix_synapse_ext_encryption_config_yaml|from_yaml }}"
+matrix_synapse_ext_encryption_config_yaml: |
+  deny_encryption_for_users_of: {{ matrix_synapse_ext_encryption_disabler_deny_encryption_for_users_of|to_json }}
+  deny_encryption_for_rooms_of: {{ matrix_synapse_ext_encryption_disabler_deny_encryption_for_rooms_of|to_json }}
+
+
 matrix_s3_media_store_enabled: false
 matrix_s3_media_store_custom_endpoint_enabled: false
 matrix_s3_goofys_docker_image: "ewoutp/goofys:latest"

roles/matrix-synapse/tasks/ext/encryption-disabler/setup.yml

@@ -0,0 +1,7 @@
+---
+
+- import_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup_install.yml"
+  when: matrix_synapse_ext_encryption_disabler_enabled|bool
+
+- import_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup_uninstall.yml"
+  when: "not matrix_synapse_ext_encryption_disabler_enabled|bool"

roles/matrix-synapse/tasks/ext/encryption-disabler/setup_install.yml

@@ -0,0 +1,33 @@
+---
+
+- name: Download matrix_encryption_disabler
+  get_url:
+    url: "{{ matrix_synapse_ext_encryption_disabler_download_url }}"
+    dest: "{{ matrix_synapse_ext_path }}/matrix_e2ee_filter.py"
+    force: true
+    mode: 0440
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- set_fact:
+    matrix_synapse_modules: |
+      {{
+        matrix_synapse_modules|default([])
+        +
+        [
+          {
+            "module": "matrix_e2ee_filter.EncryptedRoomFilter",
+            "config": matrix_synapse_ext_encryption_config
+          }
+        ]
+      }}
+
+    matrix_synapse_container_extra_arguments: >
+      {{ matrix_synapse_container_extra_arguments|default([]) }}
+      +
+      ["--mount type=bind,src={{ matrix_synapse_ext_path }}/matrix_e2ee_filter.py,dst={{ matrix_synapse_in_container_python_packages_path }}/matrix_e2ee_filter.py,ro"]
+
+    matrix_synapse_additional_loggers: >
+      {{ matrix_synapse_additional_loggers }}
+      +
+      {{ [{'name': 'matrix_e2ee_filter', 'level': 'INFO'}] }}

roles/matrix-synapse/tasks/ext/encryption-disabler/setup_uninstall.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Ensure matrix_encryption_disabler doesn't exist
+  file:
+    path: "{{ matrix_synapse_ext_path }}/matrix_e2ee_filter.py"
+    state: absent

roles/matrix-synapse/tasks/ext/setup.yml

@@ -1,5 +1,7 @@
 ---
 
+- import_tasks: "{{ role_path }}/tasks/ext/encryption-disabler/setup.yml"
+
 - import_tasks: "{{ role_path }}/tasks/ext/rest-auth/setup.yml"
 
 - import_tasks: "{{ role_path }}/tasks/ext/shared-secret-auth/setup.yml"