diff --git a/roles/nos_social/templates/docker-compose.yml.tpl b/roles/nos_social/templates/docker-compose.yml.tpl
index 7ae36b0..87fe09e 100644
--- a/roles/nos_social/templates/docker-compose.yml.tpl
+++ b/roles/nos_social/templates/docker-compose.yml.tpl
@@ -20,7 +20,7 @@ services:
 - ./.env
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.nip05api.rule=(Host(`{{ domain }}`) && (PathPrefix(`/metrics`) || PathPrefix(`/api/`) || PathPrefix(`/.well-known`))) && !HostRegexp(`{subdomain:[a-zA-Z0-9-]+}.{{ domain }}`)"
+ - "traefik.http.routers.nip05api.rule=(Host(`{{ domain }}`) && (PathPrefix(`/metrics`) || PathPrefix(`/api/`) || PathPrefix(`/.well-known`)))
 - "traefik.http.routers.nip05api.entrypoints=websecure"
 - "traefik.http.middlewares.nip05api.ratelimit.average={{ nip05api_ratelimit_average }}"
 - "traefik.http.middlewares.nip05api.ratelimit.burst={{ nip05api_ratelimit_burst }}"
@@ -38,8 +38,7 @@ services:
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.redirect-service.entrypoints=websecure"
- - "traefik.http.routers.redirect-service.rule=Host(`{{ domain }}`) && !PathPrefix(`/.well-known`)"
- - "traefik.http.routers.redirect-service.rule=Host(`{{ domain }}`) && !PathPrefix(`/.well-known`) || (HostRegexp(`{subdomain:[a-zA-Z0-9-]+}.{{ domain }}`) && !HostRegexp(`traefik.{{ domain }}`))"
+ - "traefik.http.routers.redirect-service.rule=!PathPrefix(`/api/`) && !PathPrefix(`/.well-known`)
 networks:
 - proxy
diff --git a/roles/relay/files/allowed_rules.js b/roles/relay/files/allowed_rules.js
new file mode 100755
index 0000000..4e1f304
--- /dev/null
+++ b/roles/relay/files/allowed_rules.js
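Review bot: The added nip05api rule label ends after `PathPrefix(`/.well-known`)))` with no closing double quote, whereas the removed line was terminated with `"`; the redirect-service label added in the second hunk of this file has the same defect. Unless the quote was lost when the patch was rendered, YAML will either continue the open string into the following label or fail to parse, so the nos_social stack will not deploy. Restore the terminators: `...PathPrefix(`/.well-known`)))"` and `...!PathPrefix(`/.well-known`)"`. Dropping the `!HostRegexp(...)` clause itself is harmless, since `Host(`{{ domain }}`)` already matches only the exact apex host.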
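Review bot: The new redirect-service rule has no Host() matcher at all, so it matches every hostname arriving on the websecure entrypoint, including `traefik.{{ domain }}`, which the removed rule excluded explicitly, and any other host the proxy network exposes. Traefik orders routers by rule length, so longer rules on the same entrypoint still win, but any router whose rule is shorter than this one would be shadowed by the catch-all redirect; that should be checked against the other routers rather than assumed. If the intent is to keep the apex and wildcard-subdomain scope while carving out the API paths, a rule such as `(Host(`{{ domain }}`) || HostRegexp(`{subdomain:[a-zA-Z0-9-]+}.{{ domain }}`)) && !HostRegexp(`traefik.{{ domain }}`) && !PathPrefix(`/api/`) && !PathPrefix(`/.well-known`)` preserves the host restriction the old rule had.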
@@ -0,0 +1,41 @@
+#!/usr/bin/env node
+
+const ALLOWED = {
+ pubs: {
+ add5190be4673768546c18b565da3a699241f0e06a75e2dbc03f18663d1b7b27: true, // Reportinator
+ },
+ eventKinds: [
+ 0, // Metadata
+ 3, // Contacts
+ 1059, // Gift wrap messages
+ 10002, // Relay list metadata
+ ],
+};
+
+const rl = require("readline").createInterface({
+ input: process.stdin,
+ output: process.stdout,
+ terminal: false,
+});
+
+rl.on("line", (line) => {
+ let req = JSON.parse(line);
+
+ if (req.type === "lookback" || req.type !== "new") {
+ return;
+ }
+
+ let res = { id: req.event.id }; // must echo the event's id
+
+ const isAllowedPub = ALLOWED.pubs.hasOwnProperty(req.event.pubkey);
+ const isAllowedEventKind = ALLOWED.eventKinds.includes(req.event.kind);
+
+ if (isAllowedPub || isAllowedEventKind) {
+ res.action = "accept";
+ } else {
+ res.action = "reject";
+ res.msg = "blocked: pubkey not on white-list or event kind not allowed";
+ }
+
+ console.log(JSON.stringify(res));
+});
diff --git a/roles/relay/files/strfry.conf b/roles/relay/files/strfry.conf
index 1608bb2..2074bca 100644
--- a/roles/relay/files/strfry.conf
+++ b/roles/relay/files/strfry.conf
@@ -53,7 +53,7 @@ relay {
 writePolicy {
 # If non-empty, path to an executable script that implements the writePolicy plugin logic
- plugin = "./plugins/whitelist.js"
+ plugin = "./plugins/allowed_rules.js"
 # Number of seconds to search backwards for lookback events when starting the writePolicy plugin (0 for no lookback)
 lookbackSeconds = 0
diff --git a/roles/relay/files/whitelist.js b/roles/relay/files/whitelist.js
deleted file mode 100755
index 0e21d3d..0000000
--- a/roles/relay/files/whitelist.js
+++ /dev/null
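Review bot: The guard `req.type === "lookback" || req.type !== "new"` is redundant (a lookback request already fails the second test) and, unlike the deleted whitelist.js, it drops unexpected request types silently instead of reporting them on stderr, where the old file's comment says they reach the strfry log. `JSON.parse(line)` is also unguarded, so a single malformed line throws out of the `line` handler and terminates the plugin process; how strfry behaves once its write-policy plugin has died should be confirmed, but logging and skipping the line is the safer default. Prefer `Object.hasOwn(ALLOWED.pubs, req.event.pubkey)` over `.hasOwnProperty` on the lookup object if the image's Node is 16.9 or newer (same prototype-safe semantics, not shadowable by a key), and `const res` since the binding is never reassigned. A short header comment stating the protocol this file implements would also help the next maintainer: one JSON request per stdin line carrying `type` and `event`, one JSON response per stdout line echoing `id` with `action` and an optional `msg`.
```javascript
rl.on("line", (line) => {
  let req;
  try {
    req = JSON.parse(line);
  } catch (err) {
    // stderr reaches the strfry log; skip the line rather than crash the plugin
    console.error(`allowed_rules: unparseable request: ${err.message}`);
    return;
  }

  if (req.type !== "new") {
    // lookback is expected and ignored; anything else is worth surfacing
    if (req.type !== "lookback") console.error(`allowed_rules: unexpected request type ${req.type}`);
    return;
  }

  const res = { id: req.event.id }; // must echo the event's id

  const isAllowedPub = Object.hasOwn(ALLOWED.pubs, req.event.pubkey);
  // … unchanged: isAllowedEventKind, accept/reject decision, console.log …
```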
@@ -1,45 +0,0 @@
-#!/usr/bin/env node
-
-const WHITELIST = {
- pubs: {
- add5190be4673768546c18b565da3a699241f0e06a75e2dbc03f18663d1b7b27: true, //Reportinator
- },
- eventKinds: [
- 0, // Metadata
- 3, // Contacts
- 10002, // Relay list metadata
- ],
-};
-
-const rl = require('readline').createInterface({
- input: process.stdin,
- output: process.stdout,
- terminal: false,
-});
-
-rl.on('line', (line) => {
- let req = JSON.parse(line);
-
- if (req.type === 'lookback') {
- return; // do nothing
- }
-
- if (req.type !== 'new') {
- console.error('unexpected request type'); // will appear in strfry logs
- return;
- }
-
- let res = { id: req.event.id }; // must echo the event's id
-
- if (
- WHITELIST.pubs[req.event.pubkey] ||
- WHITELIST.eventKinds.includes(req.event.kind)
- ) {
- res.action = 'accept';
- } else {
- res.action = 'reject';
- res.msg = 'blocked: not on white-list';
- }
-
- console.log(JSON.stringify(res));
-});
diff --git a/roles/relay/tasks/main.yml b/roles/relay/tasks/main.yml
index 06ce821..50ca0b9 100644
--- a/roles/relay/tasks/main.yml
+++ b/roles/relay/tasks/main.yml
@@ -48,11 +48,11 @@ mode: '0644'
-- name: Copy whitelist.js to relay dir
+- name: Copy allowed_rules.js to relay dir
 become: true
 ansible.builtin.copy:
- src: "{{ role_path }}/files/whitelist.js"
- dest: "{{ homedir }}/services/relay/whitelist.js"
+ src: "{{ role_path }}/files/allowed_rules.js"
+ dest: "{{ homedir }}/services/relay/allowed_rules.js"
 mode: '0755'
diff --git a/roles/relay/templates/docker-compose.yml.tpl b/roles/relay/templates/docker-compose.yml.tpl
index d30411c..6bc1ddd 100644
--- a/roles/relay/templates/docker-compose.yml.tpl
+++ b/roles/relay/templates/docker-compose.yml.tpl
@@ -34,7 +34,7 @@ services:
 volumes:
 - ./strfry.conf:/etc/strfry.conf
 - ./strfrydb:/app/strfry-db
- - ./whitelist.js:/app/plugins/whitelist.js
+ - ./allowed_rules.js:/app/plugins/allowed_rules.js
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.strfry.rule=Host(`{{ domain }}`) && Headers(`Accept`, `application/nostr+json`) || HeadersRegexp(`Connection`, `(?i)Upgrade`) && HeadersRegexp(`Upgrade`, `websocket`)"