matrix-tuwunel: update to v1.6.2

This release adds opt-in server-level enforcement of MSC4284 policy servers via two new `[global]` keys: `enable_policy_servers` and `policy_server_request_timeout`. Surface both as Ansible variables matching tuwunel's upstream defaults (off, 5s timeout) and refresh the docs section that previously claimed MSC4284 needed no playbook configuration. Closes https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/5213. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-15 19:55:06 +00:00 · 2026-05-09 09:27:07 +03:00
parent 704cbd5655
commit 53ad97417d
3 changed files with 24 additions and 2 deletions
--- a/docs/configuring-playbook-tuwunel.md
+++ b/docs/configuring-playbook-tuwunel.md
@@ -166,7 +166,14 @@ matrix_tuwunel_config_prevent_media_downloads_from:
  - 'heavy\.example\.com$'
 ```

-Tuwunel additionally implements [MSC4284 policy servers](https://github.com/matrix-org/matrix-spec-proposals/pull/4284) for room-level federation gating; that lives in room state and needs no playbook configuration.
+Tuwunel additionally implements [MSC4284 policy servers](https://github.com/matrix-org/matrix-spec-proposals/pull/4284) for room-level federation gating. The policy itself lives in room state, but enforcement is opt-in at the server level:
+
+```yaml
+matrix_tuwunel_config_enable_policy_servers: true
+matrix_tuwunel_config_policy_server_request_timeout: 5
+```
+
+When enabled, rooms with a valid `m.room.policy` state event have outgoing events signed by the configured policy server before federation. Transient network or timeout failures fail open (with a warn log), so a policy-server outage will not silently take the room offline.

 ### Default room version