matrix-tuwunel: add Tuwunel homeserver role (#5200)

Tuwunel is a Matrix homeserver maintained by the matrix-construct organisation. See https://matrix-construct.github.io/tuwunel/. The rendered TOML emits only keys exposed as Ansible variables; the rest fall back to tuwunel's upstream defaults. Anything not surfaced can be set via the TUWUNEL_* env extension or by overriding the template path. Popular features Tuwunel adds variables for: - OAuth2/OIDC identity providers (a list of `[[global.identity_provider]]` blocks; brand-aware defaults for Google, GitHub, Keycloak, MAS, etc) - LDAP and JWT authentication - Media storage providers (native local and S3 with multipart upload) - RocksDB tuning (compression, direct_io, parallelism, online backups) - Native TLS dual-protocol mode - Blurhashing, Sentry crash reporting Auto-wired from existing playbook globals: well-known client URL, TURN/coturn, MatrixRTC LiveKit URL, federation. The `tuwunel-migrate-from-conduwuit` tag performs a binary-swap migration. Migration from any other Conduit derivative is unsupported and would corrupt the database. Signed-off-by: Jason Volk <jason@zemos.net>
2026-05-21 13:28:02 +00:00 · 2026-05-06 23:45:29 -07:00
parent 5251be8691
commit c111008d25
26 changed files with 1419 additions and 3 deletions
--- a/roles/custom/matrix-tuwunel/tasks/validate_config.yml
+++ b/roles/custom/matrix-tuwunel/tasks/validate_config.yml
@@ -0,0 +1,44 @@
+# SPDX-FileCopyrightText: 2026 MDAD project contributors
+# SPDX-FileCopyrightText: 2026 Slavi Pantaleev
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+- name: Fail if required tuwunel settings not defined
+  ansible.builtin.fail:
+    msg: >-
+      You need to define a required configuration setting (`{{ item.name }}`).
+  when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
+  with_items:
+    - {'name': 'matrix_tuwunel_hostname', when: true}
+    - {'name': 'matrix_tuwunel_container_network', when: true}
+    - {'name': 'matrix_tuwunel_container_labels_internal_client_api_traefik_entrypoints', when: "{{ matrix_tuwunel_container_labels_internal_client_api_enabled }}"}
+
+- name: Fail if registration is enabled without a token or explicit acknowledgement
+  ansible.builtin.fail:
+    msg: >-
+      `matrix_tuwunel_config_allow_registration` is true, but neither
+      `matrix_tuwunel_config_registration_token` nor
+      `matrix_tuwunel_config_yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`
+      is set. Set a registration token (recommended) or explicitly opt in to open registration.
+  when: >-
+    matrix_tuwunel_config_allow_registration | bool
+    and (matrix_tuwunel_config_registration_token | length == 0)
+    and not (matrix_tuwunel_config_yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse | bool)
+
+- name: Fail if a storage provider is missing required fields
+  ansible.builtin.fail:
+    msg: >-
+      Storage provider `{{ item.id | default('?') }}` is missing required fields.
+      Each entry must define both `id` and `kind` (one of: local, s3).
+  when: "(item.id | default('') | length == 0) or (item.kind | default('') not in ['local', 's3'])"
+  with_items: "{{ matrix_tuwunel_config_storage_providers }}"
+
+- name: Fail if an identity provider is missing required fields
+  ansible.builtin.fail:
+    msg: >-
+      Identity provider entry is missing both `client_id` and `brand`.
+      At minimum one of these is required for tuwunel to identify the provider.
+  when: "(item.client_id | default('') | length == 0) and (item.brand | default('') | length == 0)"
+  with_items: "{{ matrix_tuwunel_config_identity_providers }}"