4
0
mirror of https://github.com/spantaleev/matrix-docker-ansible-deploy.git synced 2026-06-30 23:41:17 +00:00

mautrix-gmessages: expose bridge HTTP API (for mautrix-manager and similar)

Add a generic mechanism for exposing bridges' HTTP API (the provisioning
API, etc.) publicly on the Matrix domain, so tools like mautrix-manager
(https://github.com/mautrix/manager) can drive bridge login.

- Introduce global matrix_bridges_exposure_* vars (on by default),
  exposing each supported bridge under `<matrix-fqn>/bridges/<bridge>`.
- mautrix-gmessages: make the provisioning shared secret configurable
  (auto-generated in group_vars) so the provisioning API is enabled,
  route the whole bridge HTTP port via Traefik, and populate
  appservice.public_address.

Requests are authenticated by the bridge itself (per-user Matrix access
token for the provisioning API, homeserver token for the appservice
endpoints), not by the reverse proxy.

This is the first bridge converted; the other mautrix bridges will follow.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Slavi Pantaleev
2026-06-28 19:52:24 +03:00
parent d61979a0b9
commit a4ddba3989
5 changed files with 76 additions and 2 deletions
@@ -181,7 +181,7 @@ appservice:
address: {{ matrix_mautrix_gmessages_appservice_address }}
# A public address that external services can use to reach this appservice.
# This value doesn't affect the registration file.
public_address: https://bridge.example.com
public_address: {{ matrix_mautrix_gmessages_bridge_public_address | to_json }}
# The hostname and port where this appservice should listen.
# For Docker, you generally have to change the hostname to 0.0.0.0.
@@ -247,7 +247,7 @@ provisioning:
prefix: /_matrix/provision
# Shared secret for authentication. If set to "generate" or null, a random secret will be generated,
# or if set to "disable", the provisioning API will be disabled.
shared_secret: disable
shared_secret: {{ matrix_mautrix_gmessages_provisioning_shared_secret | to_json }}
# Whether to allow provisioning API requests to be authed using Matrix access tokens.
# This follows the same rules as double puppeting to determine which server to contact to check the token,
# which means that by default, it only works for users on the same server as the bridge.