From f2defb32f2d240dc2f0ff8e2e06f5e6a6571cba5 Mon Sep 17 00:00:00 2001 From: jasonlaguidice <19523621+jasonlaguidice@users.noreply.github.com> Date: Sat, 30 Aug 2025 20:31:02 -0700 Subject: [PATCH] Add deterministic public_media_signing_key, expose portal cleanup --- group_vars/matrix_servers | 1 + .../matrix-bridge-steam/defaults/main.yml | 27 ++++++++++++++++++- .../templates/config.yaml.j2 | 22 +++++++-------- .../systemd/matrix-steam-bridge.service.j2 | 4 +-- 4 files changed, 40 insertions(+), 14 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 4cec27f21..c08ada854 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -2789,6 +2789,7 @@ matrix_steam_bridge_appservice_token: "{{ '%s' | format(matrix_homeserver_generi matrix_steam_bridge_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}" matrix_steam_bridge_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'steam.hs.token', rounds=655555) | to_uuid }}" +matrix_steam_bridge_public_media_signing_key: "{{ ('%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'steam.pub.key', rounds=655555) | to_uuid) if matrix_steam_bridge_public_media_enabled else '' }}" matrix_steam_bridge_provisioning_shared_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'steam.prov', rounds=655555) | to_uuid }}" diff --git a/roles/custom/matrix-bridge-steam/defaults/main.yml b/roles/custom/matrix-bridge-steam/defaults/main.yml index 53bb5b1c9..d8eea7c79 100644 --- a/roles/custom/matrix-bridge-steam/defaults/main.yml +++ b/roles/custom/matrix-bridge-steam/defaults/main.yml 
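Review bot: Deriving the public-media signing key from `matrix_homeserver_generic_secret_key` ties the validity of every issued public media URL to that secret: rotating it rotates this key and silently invalidates all URLs signed before, and with the role default `matrix_steam_bridge_public_media_expiry: 0` (next hunk) those URLs were otherwise meant to never expire. That is a reasonable trade-off for a key that has to survive container restarts, but it deserves a comment where operators will look for it, e.g. `# Derived from matrix_homeserver_generic_secret_key; rotating that secret invalidates all previously issued public media URLs.` above the new line. The salt `'steam.pub.key'` differs from the salts used by the neighbouring tokens, so the derived values are distinct from each other, which is correct.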
@@ -39,7 +39,8 @@ matrix_steam_bridge_appservice_public_address: "https://{{ matrix_server_fqn_mat
 # Public media configuration for external access to bridge media
 matrix_steam_bridge_public_media_enabled: true
 # A key for signing public media URLs. If set to "generate", a random key will be generated.
-matrix_steam_bridge_public_media_signing_key: generate
+# This will be auto-generated deterministically if matrix_homeserver_generic_secret_key is set.
+matrix_steam_bridge_public_media_signing_key: ''
 # Number of seconds that public media URLs are valid for. If set to 0, URLs will never expire.
 matrix_steam_bridge_public_media_expiry: 0
 matrix_steam_bridge_public_media_hash_length: 32
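Review bot: The new default `''` sits two lines below `matrix_steam_bridge_public_media_enabled: true`, so anyone consuming the role without the playbook's group_vars (which is where the deterministic value is actually computed, previous hunk) ends up with public media enabled and an empty signing key; the role should fail early on that combination, e.g. an assertion `that: not matrix_steam_bridge_public_media_enabled or matrix_steam_bridge_public_media_signing_key != ''` in its validation tasks, if it has them. The retained comment `If set to "generate", a random key will be generated.` is now misleading as well: with the config mount made read-only and `--no-update` added in the service template (last hunk), a key generated at startup presumably cannot be persisted and would change on every restart, invalidating the URLs it signed. The added comment also says the key is "auto-generated", but the role itself does nothing of the sort, the value comes from group_vars. I would replace both comment lines with `# Key for signing public media URLs. The playbook's group_vars derive it deterministically from matrix_homeserver_generic_secret_key; it must be non-empty while matrix_steam_bridge_public_media_enabled is true.`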
@@ -112,6 +113,30 @@ matrix_steam_bridge_homeserver_token: '' # If false, created portal rooms will never be federated. matrix_steam_bridge_matrix_federate_rooms: false +# Bridge configuration options +# Should every user have their own portals rather than sharing them? +matrix_steam_bridge_bridge_split_portals: false + +# Cleanup on logout configuration +matrix_steam_bridge_bridge_cleanup_on_logout_enabled: false +# Valid values for cleanup actions: nothing, kick, unbridge, delete +# nothing - Do nothing, let the user stay in the portals +# kick - Remove the user from the portal rooms, but don't delete them +# unbridge - Remove all ghosts in the room and disassociate it from the remote chat +# delete - Remove all ghosts and users from the room (i.e. delete it) +matrix_steam_bridge_bridge_cleanup_on_logout_manual_private: nothing +matrix_steam_bridge_bridge_cleanup_on_logout_manual_relayed: nothing +matrix_steam_bridge_bridge_cleanup_on_logout_manual_shared_no_users: nothing +matrix_steam_bridge_bridge_cleanup_on_logout_manual_shared_has_users: nothing +matrix_steam_bridge_bridge_cleanup_on_logout_bad_credentials_private: nothing +matrix_steam_bridge_bridge_cleanup_on_logout_bad_credentials_relayed: nothing +matrix_steam_bridge_bridge_cleanup_on_logout_bad_credentials_shared_no_users: nothing +matrix_steam_bridge_bridge_cleanup_on_logout_bad_credentials_shared_has_users: nothing + +# Homeserver configuration options +# Does the homeserver support MSC2246 (async media uploads)? +matrix_steam_bridge_homeserver_async_media: false + # Database-related configuration fields. # # To use Postgres: diff --git a/roles/custom/matrix-bridge-steam/templates/config.yaml.j2 b/roles/custom/matrix-bridge-steam/templates/config.yaml.j2 index 9b57f0483..05d38f77a 100644 --- a/roles/custom/matrix-bridge-steam/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-steam/templates/config.yaml.j2 
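Review bot: The eight `matrix_steam_bridge_bridge_cleanup_on_logout_*` variables accept the destructive values `unbridge` and `delete`, yet the accepted set `nothing, kick, unbridge, delete` exists only in a comment and nothing in this commit checks the values; the template hunk in config.yaml.j2 renders them verbatim with `| to_json`, so a typo such as `delte` presumably surfaces only when the bridge rejects its config, and a mis-set value surfaces when portal rooms are torn down on a logout. If the role has a validation task file, an assertion that each of the eight is `in ['nothing', 'kick', 'unbridge', 'delete']` would catch both at deploy time. Since `matrix_steam_bridge_bridge_cleanup_on_logout_enabled: false` is the only thing gating these actions, I would also add `# unbridge and delete cannot be undone for the affected portal rooms.` after the `delete - ...` line so the risk is visible next to the values.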
@@ -38,7 +38,7 @@ bridge: # By default, users who are in the same group on the remote network will be # in the same Matrix room bridged to that group. If this is set to true, # every user will get their own Matrix room instead. - split_portals: false + split_portals: {{ matrix_steam_bridge_bridge_split_portals | to_json }} # Should the bridge resend `m.bridge` events to all portals on startup? resend_bridge_info: false # Should `m.bridge` events be sent without a state key? 
@@ -77,24 +77,24 @@ bridge: # delete - Remove all ghosts and users from the room (i.e. delete it) cleanup_on_logout: # Should cleanup on logout be enabled at all? - enabled: false + enabled: {{ matrix_steam_bridge_bridge_cleanup_on_logout_enabled | to_json }} # Settings for manual logouts (explicitly initiated by the Matrix user) manual: # Action for private portals which will never be shared with other Matrix users. - private: nothing + private: {{ matrix_steam_bridge_bridge_cleanup_on_logout_manual_private | to_json }} # Action for portals with a relay user configured. - relayed: nothing + relayed: {{ matrix_steam_bridge_bridge_cleanup_on_logout_manual_relayed | to_json }} # Action for portals which may be shared, but don't currently have any other Matrix users. - shared_no_users: nothing + shared_no_users: {{ matrix_steam_bridge_bridge_cleanup_on_logout_manual_shared_no_users | to_json }} # Action for portals which have other logged-in Matrix users. - shared_has_users: nothing + shared_has_users: {{ matrix_steam_bridge_bridge_cleanup_on_logout_manual_shared_has_users | to_json }} # Settings for credentials being invalidated (initiated by the remote network, possibly through user action). # Keys have the same meanings as in the manual section. bad_credentials: - private: nothing - relayed: nothing - shared_no_users: nothing - shared_has_users: nothing + private: {{ matrix_steam_bridge_bridge_cleanup_on_logout_bad_credentials_private | to_json }} + relayed: {{ matrix_steam_bridge_bridge_cleanup_on_logout_bad_credentials_relayed | to_json }} + shared_no_users: {{ matrix_steam_bridge_bridge_cleanup_on_logout_bad_credentials_shared_no_users | to_json }} + shared_has_users: {{ matrix_steam_bridge_bridge_cleanup_on_logout_bad_credentials_shared_has_users | to_json }} # Settings for relay mode relay: 
@@ -184,7 +184,7 @@ homeserver: # The bridge will use the appservice as_token to authorize requests. message_send_checkpoint_endpoint: # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246? - async_media: false + async_media: {{ matrix_steam_bridge_homeserver_async_media | to_json }} # Should the bridge use a websocket for connecting to the homeserver? # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy, diff --git a/roles/custom/matrix-bridge-steam/templates/systemd/matrix-steam-bridge.service.j2 b/roles/custom/matrix-bridge-steam/templates/systemd/matrix-steam-bridge.service.j2 index b9725a853..128f2d6df 100644 --- a/roles/custom/matrix-bridge-steam/templates/systemd/matrix-steam-bridge.service.j2 +++ b/roles/custom/matrix-bridge-steam/templates/systemd/matrix-steam-bridge.service.j2 @@ -23,14 +23,14 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ --network={{ matrix_steam_bridge_container_network }} \ - --mount type=bind,src={{ matrix_steam_bridge_config_path }},dst=/app/config \ + --mount type=bind,src={{ matrix_steam_bridge_config_path }},dst=/app/config,ro \ --mount type=bind,src={{ matrix_steam_bridge_data_path }},dst=/app/data \ --label-file={{ matrix_steam_bridge_base_path }}/labels \ {% for arg in matrix_steam_bridge_container_extra_arguments %} {{ arg }} \ {% endfor %} {{ matrix_steam_bridge_docker_image }} \ - /usr/bin/steam -c /app/config/config.yaml -r /app/config/registration.yaml + /usr/bin/steam -c /app/config/config.yaml -r /app/config/registration.yaml --no-update {% for network in matrix_steam_bridge_container_additional_networks %} ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-steam-bridge
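Review bot: The read-only `ro` config mount and the new `--no-update` flag depend on each other — the flag presumably stops the bridge from writing its upgraded config back into /app/config, which would now fail — but nothing in the template records that coupling, so a later edit can drop one of them and break the unit at start. A Jinja comment above the `--mount` line would preserve the intent, e.g. `{# /app/config is mounted read-only; keep --no-update on the command line so the bridge does not try to write the upgraded config back #}`. Dropping either half also reopens the `generate` signing-key problem discussed on the defaults hunk, since a generated key would have nowhere to persist. The `ExecStartPre=` line this hunk modifies begins in the hunk's header context, outside the shown lines.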