From ff3143cd1fdffcf5f01108c62acff71f0917e518 Mon Sep 17 00:00:00 2001
From: wmair
Date: Mon, 2 Mar 2026 20:53:41 +0100
Subject: [PATCH] Auto-generate doublepuppet appservice registration during deployment

deploy.sh now generates appservices/doublepuppet.yaml with fresh random tokens on every run and registers it in homeserver.yaml under app_service_config_files. The user regex is scoped to SERVER_NAME so it works correctly in both TLD and subdomain identity modes.

test_deploy.sh: add 7 assertions per scenario (14 total) verifying the file exists, tokens are present, and homeserver.yaml references it. All 66 tests pass.

Co-Authored-By: Claude Sonnet 4.6
---
 deploy.sh      | 29 +++++++++++++++++++++++++++++
 test_deploy.sh | 16 ++++++++++++++++
 2 files changed, 45 insertions(+)

diff --git a/deploy.sh b/deploy.sh
index 14f3efb..d527e85 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -433,6 +433,7 @@ mkdir -p synapse/data
 mkdir -p postgres/data
 mkdir -p caddy/data caddy/config
 mkdir -p bridges/{telegram,whatsapp,signal}/config
+mkdir -p appservices
 print_status "Directory structure created"
 echo ""
 
@@ -449,6 +450,8 @@ AUTHELIA_SESSION_SECRET=$(generate_secret)
 AUTHELIA_STORAGE_ENCRYPTION_KEY=$(generate_secret)
 MAS_SECRET_KEY=$(generate_hex_secret) # MAS requires hex format
 SYNAPSE_SHARED_SECRET=$(generate_secret)
+DOUBLEPUPPET_AS_TOKEN=$(generate_hex_secret)
+DOUBLEPUPPET_HS_TOKEN=$(generate_hex_secret)
 if [[ "$USE_ELEMENT_CALL" == true ]]; then
     LIVEKIT_SECRET=$(generate_secret)
 fi
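Review bot: `DOUBLEPUPPET_AS_TOKEN` and `DOUBLEPUPPET_HS_TOKEN` are freshly generated on every run, so anything that was handed the previous as_token for double puppeting (the bridges whose config directories this script creates are the likely consumers, though their wiring is not in this diff) must be rewritten from these same variables later in the same run, or it stops authenticating after the next deploy. A one-line comment at these two assignments would make that contract visible, e.g. `# Rotated on every deploy: regenerate anything that embeds these tokens in the same run`. If rotation is not actually wanted, reading the existing values back from appservices/doublepuppet.yaml when it is present would keep them stable instead.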
@@ -976,6 +979,10 @@ sed -i '/^# Experimental features$/d' synapse/data/homeserver.yaml
 sed -i '/^# Enable registration/d' synapse/data/homeserver.yaml
 sed -i '/^enable_registration:/d' synapse/data/homeserver.yaml
 
+# Remove old double-puppeting appservice registration if present (prevents duplication on re-run)
+sed -i '/^# Double-puppeting appservice/d' synapse/data/homeserver.yaml
+sed -i '/^app_service_config_files:/,/^[^ ]/{ /^app_service_config_files:/d; /^[^ ]/!d }' synapse/data/homeserver.yaml
+
 # Remove old Element Call rate limit config if present (prevents duplication on re-run)
 sed -i '/^# Element Call: delayed event rate limiting/d' synapse/data/homeserver.yaml
 sed -i '/^max_event_delay_duration:/d' synapse/data/homeserver.yaml
@@ -1025,6 +1032,28 @@ rc_delayed_event_mgmt:
 EOF
 fi
 
+# Generate double-puppeting appservice registration
+cat > appservices/doublepuppet.yaml << EOF
+id: doublepuppet
+url: null
+as_token: "${DOUBLEPUPPET_AS_TOKEN}"
+hs_token: "${DOUBLEPUPPET_HS_TOKEN}"
+sender_localpart: doublepuppet
+rate_limited: false
+
+namespaces:
+  users:
+    - regex: "@.*:${SERVER_NAME}"
+      exclusive: false
+EOF
+
+cat >> synapse/data/homeserver.yaml << EOF
+
+# Double-puppeting appservice
+app_service_config_files:
+  - /appservices/doublepuppet.yaml
+EOF
+
 # Restore ownership to Synapse uid so the container can read/write its own data
 sudo chown -R 991:991 synapse/data/
 print_status "Database configuration updated with current credentials"
diff --git a/test_deploy.sh b/test_deploy.sh
index 703f054..5c4a070 100755
--- a/test_deploy.sh
+++ b/test_deploy.sh
@@ -96,6 +96,7 @@ cleanup_configs() {
     rm -f .env mas-signing.key authelia_private.pem
     rm -f caddy/Caddyfile caddy/Caddyfile.production
     rm -f livekit/livekit.yaml
+    rm -f appservices/doublepuppet.yaml
     # These may be root-owned from docker run or previous deploys
     sudo rm -f mas/config/config.yaml 2>/dev/null || true
     sudo rm -f element/config/config.json 2>/dev/null || true
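Review bot: The range `/^app_service_config_files:/,/^[^ ]/` in the second new sed removes every entry under that key, not only the one this script writes, while the block appended later in this commit re-adds only `/appservices/doublepuppet.yaml`; if a homeserver.yaml already lists other registrations there (bridge registration files are the obvious candidate, given the `bridges/{telegram,whatsapp,signal}/config` directories this script creates), a re-run silently unregisters them. Deleting only the line this script owns, `sed -i '\#^  - /appservices/doublepuppet.yaml$#d' synapse/data/homeserver.yaml`, and adding the entry under an existing key when `grep -q '^app_service_config_files:'` succeeds would keep the step idempotent without touching foreign entries; failing that, the comment above the sed should state that deploy.sh owns the whole list. Minor: the end pattern never matches once the key is the last thing in the file (which is where the new block puts it), so the blank line written ahead of `# Double-puppeting appservice` survives each cleanup and one empty line accumulates per run.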
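Review bot: `cat > appservices/doublepuppet.yaml` creates the registration under the caller's default umask (typically mode 0644) and nothing afterwards adjusts its owner or mode, although the `as_token` it contains lets any reader act as every user matching `@.*:${SERVER_NAME}`; the `sudo chown -R 991:991 synapse/data/` two lines below suggests the deploy user and the Synapse uid differ, so the file needs to be readable by uid 991 and by nobody else (that the container sees the directory as `/appservices` is inferred from the path appended to homeserver.yaml and should be confirmed against the compose file). Creating it with the Synapse uid and mode 0600 before writing, `sudo install -m 600 -o 991 -g 991 /dev/null appservices/doublepuppet.yaml` followed by `sudo tee appservices/doublepuppet.yaml >/dev/null << EOF` in place of the `cat >` redirect, does that and still truncates the file on every run. Minor: `.` in `${SERVER_NAME}` is a regex metacharacter inside the `regex:` value; test_deploy.sh escapes it as `${server_name//./\\.}` for its own pattern, and the same expansion fits here provided the YAML scalar is single-quoted, since `\.` is not a valid escape in a double-quoted YAML string.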
@@ -168,6 +169,21 @@ assert_configs() {
     # Synapse may quote the value: `server_name: "example.test"` or `server_name: example.test`
     assert_matches "synapse/data/homeserver.yaml" \
         "^server_name: \"?${server_name//./\\.}\"?" "Synapse → server_name"
+    assert_contains "synapse/data/homeserver.yaml" \
+        "app_service_config_files:" "Synapse → app_service_config_files present"
+    assert_contains "synapse/data/homeserver.yaml" \
+        "/appservices/doublepuppet.yaml" "Synapse → doublepuppet.yaml registered"
+
+    # Double-puppeting appservice
+    assert_file "appservices/doublepuppet.yaml" "appservices/doublepuppet.yaml generated"
+    assert_contains "appservices/doublepuppet.yaml" \
+        "id: doublepuppet" "doublepuppet.yaml → id"
+    assert_contains "appservices/doublepuppet.yaml" \
+        "url: null" "doublepuppet.yaml → url null"
+    assert_contains "appservices/doublepuppet.yaml" \
+        "as_token:" "doublepuppet.yaml → as_token present"
+    assert_contains "appservices/doublepuppet.yaml" \
+        "@.*:${server_name}" "doublepuppet.yaml → user regex matches server_name"
 
     # Caddyfile (JSON blobs are compact, no spaces around ':')
     assert_file "caddy/Caddyfile" "caddy/Caddyfile generated"
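Review bot: The `as_token:` assertion is satisfied by an empty value such as `as_token: ""`, which is exactly what the generated file would hold if `DOUBLEPUPPET_AS_TOKEN` were ever unset, and `hs_token` is not checked at all, so these tests cannot tell a usable registration from a broken one. Since `assert_matches` already takes a pattern for the server_name check (its `\"?` suggests extended regex), `assert_matches "appservices/doublepuppet.yaml" '^as_token: "[0-9a-f]+"$' "doublepuppet.yaml → as_token is non-empty hex"` plus the same line for `hs_token:` would pin that, assuming generate_hex_secret yields lowercase hex as its name implies but the diff does not show. A further check that the two token lines differ would also catch the same variable being expanded into both fields.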