	* Enable Internal Admin API Access separately from Public access. * Add Config variable for Draupnir Hijack command And also make the internal admin API be automatically activated when this capability is used. * Apply suggestions from code review Co-authored-by: Slavi Pantaleev <slavi@devture.com> * Further Refine Internal Admin API * Add Non Worker Labels for Internal Admin API * Variable Rename * Add validation rules for Internal Synapse admin API * Add Draupnir Admin API required config validation. * Override `matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_traefik_entrypoints` via group vars * Wire `matrix_bot_draupnir_admin_api_enabled` to `matrix_bot_draupnir_config_admin_enableMakeRoomAdminCommand` in Draupnir's `defaults/main.yml` * Remove unnecessary `matrix_bot_draupnir_admin_api_enabled` override from `group_vars/matrix_servers` The same value is now (more appropriately) defined in Draupnir's `defaults/main.yml` file anyway. * Add additional condition (`matrix_bot_draupnir_enabled`) for enabling `matrix_synapse_container_labels_internal_client_synapse_admin_api_enabled` * Use a separate task for validating `matrix_bot_draupnir_admin_api_enabled` when `matrix_bot_draupnir_config_admin_enableMakeRoomAdminCommand` The other task deals with checking for null and not-blank and can't handle booleans properly. --------- Co-authored-by: Slavi Pantaleev <slavi@devture.com>
		
			
				
	
	
		
| # SPDX-FileCopyrightText: 2019 - 2024 Slavi Pantaleev
 | |
| # SPDX-FileCopyrightText: 2024 Charles Wright
 | |
| # SPDX-FileCopyrightText: 2024 MDAD project contributors
 | |
| #
 | |
| # SPDX-License-Identifier: AGPL-3.0-or-later
 | |
| 
 | |
| ---
 | |
| 
 | |
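# Abort early when a setting the role cannot work without has been left empty.
# Each item is checked only when its `when` flag is truthy: unconditional items
# use `when: true`, the rest are tied to the feature that actually needs them.
- name: Fail if required Synapse settings not defined
  ansible.builtin.fail:
    msg: >-
      You need to define a required configuration setting (`{{ item.name }}`).
  # `is none` is tested first so that a setting explicitly set to null produces
  # this message instead of a Jinja "NoneType has no len()" templating error.
  when: "item.when | bool and (vars[item.name] is none or vars[item.name] | length == 0)"
  with_items:
    - {name: 'matrix_synapse_username', when: true}
    - {name: 'matrix_synapse_uid', when: true}
    - {name: 'matrix_synapse_gid', when: true}
    - {name: 'matrix_synapse_container_network', when: true}
    # Secret material (Synapse's docs describe it as the key used to sign
    # access tokens) - an empty value is a security misconfiguration.
    - {name: 'matrix_synapse_macaroon_secret_key', when: true}
    - {name: 'matrix_synapse_database_host', when: true}
    - {name: 'matrix_synapse_database_user', when: true}
    - {name: 'matrix_synapse_database_password', when: true}
    - {name: 'matrix_synapse_database_database', when: true}

    - {name: 'matrix_synapse_container_labels_public_client_root_traefik_hostname', when: "{{ matrix_synapse_container_labels_public_client_root_enabled }}"}
    - {name: 'matrix_synapse_container_labels_public_client_root_redirection_url', when: "{{ matrix_synapse_container_labels_public_client_root_redirection_enabled }}"}

    - {name: 'matrix_synapse_container_labels_public_client_api_traefik_hostname', when: "{{ matrix_synapse_container_labels_public_client_api_enabled }}"}

    # NOTE(review): a Traefik router that names no entrypoints attaches to all
    # default entrypoints, so an empty value for these internal-only routers
    # (notably the Synapse admin API) could make them reachable from the public
    # entrypoints. That is why an empty value is a hard failure here.
    - {name: 'matrix_synapse_container_labels_internal_client_api_traefik_entrypoints', when: "{{ matrix_synapse_container_labels_internal_client_api_enabled }}"}
    - {name: 'matrix_synapse_container_labels_internal_client_synapse_admin_api_traefik_entrypoints', when: "{{ matrix_synapse_container_labels_internal_client_synapse_admin_api_enabled }}"}

    # Public exposure of the admin API is opt-in; only the hostname is validated here.
    - {name: 'matrix_synapse_container_labels_public_client_synapse_client_api_traefik_hostname', when: "{{ matrix_synapse_container_labels_public_client_synapse_client_api_enabled }}"}
    - {name: 'matrix_synapse_container_labels_public_client_synapse_admin_api_traefik_hostname', when: "{{ matrix_synapse_container_labels_public_client_synapse_admin_api_enabled }}"}

    - {name: 'matrix_synapse_container_labels_public_federation_api_traefik_hostname', when: "{{ matrix_synapse_container_labels_public_federation_api_enabled }}"}
    - {name: 'matrix_synapse_container_labels_public_federation_api_traefik_entrypoints', when: "{{ matrix_synapse_container_labels_public_federation_api_enabled }}"}

    - {name: 'matrix_synapse_metrics_proxying_hostname', when: "{{ matrix_synapse_metrics_proxying_enabled }}"}
    - {name: 'matrix_synapse_metrics_proxying_path_prefix', when: "{{ matrix_synapse_metrics_proxying_enabled }}"}

    # MSC3861 (delegated auth): `client_secret` and `admin_token` are
    # credentials presumably shared with the authentication service - verify
    # against the role's homeserver.yaml template.
    - {name: 'matrix_synapse_experimental_features_msc3861_issuer', when: "{{ matrix_synapse_experimental_features_msc3861_enabled }}"}
    - {name: 'matrix_synapse_experimental_features_msc3861_client_id', when: "{{ matrix_synapse_experimental_features_msc3861_enabled }}"}
    - {name: 'matrix_synapse_experimental_features_msc3861_client_auth_method', when: "{{ matrix_synapse_experimental_features_msc3861_enabled }}"}
    - {name: 'matrix_synapse_experimental_features_msc3861_client_secret', when: "{{ matrix_synapse_experimental_features_msc3861_enabled }}"}
    - {name: 'matrix_synapse_experimental_features_msc3861_admin_token', when: "{{ matrix_synapse_experimental_features_msc3861_enabled }}"}
    - {name: 'matrix_synapse_experimental_features_msc3861_account_management_url', when: "{{ matrix_synapse_experimental_features_msc3861_enabled }}"}

    - {name: 'matrix_synapse_container_labels_traefik_compression_middleware_name', when: "{{ matrix_synapse_container_labels_traefik_compression_middleware_enabled }}"}
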
# Synapse refuses to start with only MSC4108 enabled ("MSC4108 requires MSC3861
# to be enabled"), so catch that combination here with a clearer message.
- name: Fail if Synapse experimental feature QR code login (MSC4108) is enabled while Next-Gen Auth (MSC3861) is not
  ansible.builtin.fail:
    msg: >-
      QR code login (MSC4108) requires Next-Gen Auth (MSC3861) to be enabled or Synapse will fail to start.
      Enable `matrix_synapse_experimental_features_msc3861_enabled` when using `matrix_synapse_experimental_features_msc4108_enabled`.
  # Both conditions must hold (list entries are AND-ed).
  when:
    - matrix_synapse_experimental_features_msc4108_enabled
    - not matrix_synapse_experimental_features_msc3861_enabled

# These worker types only support a single instance; reject any count above 1.
- name: Fail if asking for more than 1 instance of single-instance workers
  ansible.builtin.fail:
    msg: >-
      `{{ item }}` cannot be more than 1. This is a single-instance worker.
  # `item` is the variable name; look its value up and compare numerically.
  when: vars[item] | int > 1
  with_items:
    - matrix_synapse_workers_appservice_workers_count
    - matrix_synapse_workers_user_dir_workers_count
    - matrix_synapse_workers_background_workers_count
    - matrix_synapse_workers_stream_writer_typing_stream_workers_count
    - matrix_synapse_workers_stream_writer_to_device_stream_workers_count
    - matrix_synapse_workers_stream_writer_account_data_stream_workers_count
    - matrix_synapse_workers_stream_writer_receipts_stream_workers_count
    - matrix_synapse_workers_stream_writer_presence_stream_workers_count

# Generic workers and the specialized worker types are mutually exclusive.
- name: Fail when mixing generic workers with new specialized workers
  ansible.builtin.fail:
    msg: >-
      Generic workers should not be mixed with the new specialized worker types (room workers, sync workers, client readers, and federation readers)
  # Fails when at least one generic worker AND at least one specialized worker is requested.
  when:
    - matrix_synapse_workers_generic_workers_count | int > 0
    - (matrix_synapse_workers_room_workers_count | int + matrix_synapse_workers_sync_workers_count | int + matrix_synapse_workers_client_reader_workers_count | int + matrix_synapse_workers_federation_reader_workers_count | int) > 0

# Renamed or removed role variables. A hard failure (rather than a warning) is
# used so that a stale name in vars.yml cannot be silently ignored.
- name: (Deprecation) Catch and report renamed settings
  ansible.builtin.fail:
    msg: >-
      Your configuration contains a variable, which now has a different name.
      Please rename the variable (`{{ item.old }}` -> `{{ item.new }}`) on your configuration file (vars.yml).
  # `vars` is the full variable namespace, so this fires wherever the old name is defined.
  when: "item.old in vars"
  with_items:
    - {'old': 'matrix_synapse_email_riot_base_url', 'new': '<superseded by client_base_url>'}
    - {'old': 'matrix_synapse_container_expose_api_port', 'new': '<superseded by matrix_synapse_container_federation_api_plain_host_bind_port>'}
    - {'old': 'matrix_synapse_no_tls', 'new': '<removed>'}
    - {'old': 'matrix_enable_room_list_search', 'new': 'matrix_synapse_enable_room_list_search'}
    - {'old': 'matrix_alias_creation_rules', 'new': 'matrix_synapse_alias_creation_rules'}
    - {'old': 'matrix_room_list_publication_rules', 'new': 'matrix_synapse_room_list_publication_rules'}
    # Rate-limiting settings that were folded into dict-valued variables.
    - {'old': 'matrix_synapse_rc_messages_per_second', 'new': '<per_second subkey of matrix_synapse_rc_message>'}
    - {'old': 'matrix_synapse_rc_message_burst_count', 'new': '<burst_count subkey of matrix_synapse_rc_message>'}
    - {'old': 'matrix_synapse_federation_rc_window_size', 'new': '<window_size subkey of matrix_synapse_rc_federation>'}
    - {'old': 'matrix_synapse_federation_rc_sleep_limit', 'new': '<sleep_limit subkey of matrix_synapse_rc_federation>'}
    - {'old': 'matrix_synapse_federation_rc_sleep_delay', 'new': '<sleep_delay subkey of matrix_synapse_rc_federation>'}
    - {'old': 'matrix_synapse_federation_rc_reject_limit', 'new': '<reject_limit subkey of matrix_synapse_rc_federation>'}
    - {'old': 'matrix_synapse_federation_rc_concurrent', 'new': '<concurrent subkey of matrix_synapse_rc_federation>'}
    # Host-port exposure settings, renamed to the `*_host_bind_port` family.
    - {'old': 'matrix_synapse_container_expose_client_api_port', 'new': '<superseded by matrix_synapse_container_client_api_host_bind_port>'}
    - {'old': 'matrix_synapse_container_expose_federation_api_port', 'new': '<superseded by matrix_synapse_container_federation_api_plain_host_bind_port>'}
    - {'old': 'matrix_synapse_container_expose_metrics_port', 'new': '<superseded by matrix_synapse_container_metrics_api_host_bind_port>'}
    - {'old': 'matrix_synapse_cache_factor', 'new': 'matrix_synapse_caches_global_factor'}
    - {'old': 'matrix_synapse_trusted_third_party_id_servers', 'new': '<deprecated in Synapse v0.99.4 and removed in Synapse v1.19.0>'}
    - {'old': 'matrix_synapse_use_presence', 'new': 'matrix_synapse_presence_enabled'}
    - {'old': 'matrix_synapse_version_arm64', 'new': '<superseded by matrix_synapse_version - see https://github.com/matrix-org/synapse/pull/11810>'}
    - {'old': 'matrix_synapse_enable_group_creation', 'new': '<removed in Synapse v1.61.0 - use the new Spaces feature instead>'}
    - {'old': 'matrix_synapse_account_threepid_delegates_email', 'new': '<removed in Synapse v1.66.0 - make sure to configure email settings for Synapse - see https://matrix-org.github.io/synapse/v1.66/upgrade.html#delegation-of-email-validation-no-longer-supported>'}
    - {'old': 'matrix_synapse_workers_frontend_proxy_workers_count', 'new': '<removed in favor of generic workers - see https://github.com/matrix-org/synapse/pull/13645>'}
    - {'old': 'matrix_synapse_workers_frontend_proxy_workers_port_range_start', 'new': '<removed in favor of generic workers - see https://github.com/matrix-org/synapse/pull/13645>'}
    - {'old': 'matrix_synapse_workers_frontend_proxy_workers_metrics_range_start', 'new': '<removed in favor of generic workers - see https://github.com/matrix-org/synapse/pull/13645>'}
    - {'old': 'matrix_synapse_ext_s3_storage_provider_path', 'new': 'matrix_synapse_ext_s3_storage_provider_base_path'}
    - {'old': 'matrix_synapse_send_federation', 'new': '<unnecessary - Synapse relies on federation_sender_instances now>'}
    - {'old': 'matrix_synapse_start_pushers', 'new': '<unnecessary - Synapse relies on pusher_instances now>'}
    - {'old': 'matrix_synapse_spam_checker', 'new': '<superseded by matrix_synapse_modules>'}
    - {'old': 'matrix_synapse_caches_autotuning_max_cache_memory_usage', 'new': 'matrix_synapse_cache_autotuning_max_cache_memory_usage'}
    - {'old': 'matrix_synapse_caches_autotuning_target_cache_memory_usage', 'new': 'matrix_synapse_cache_autotuning_target_cache_memory_usage'}
    - {'old': 'matrix_synapse_caches_autotuning_min_cache_ttl', 'new': 'matrix_synapse_cache_autotuning_min_cache_ttl'}
    - {'old': 'matrix_synapse_memtotal_kb', 'new': '<superseded by matrix_synapse_cache_size_calculations_memtotal_bytes>'}
    # Container image registry prefix variables (`*_docker_image_name_prefix` -> `*_docker_image_registry_prefix`).
    - {'old': 'matrix_synapse_docker_image_name_prefix', 'new': 'matrix_synapse_docker_image_registry_prefix'}
    - {'old': 'matrix_s3_goofys_docker_image_name_prefix', 'new': 'matrix_s3_goofys_docker_image_registry_prefix'}
    - {'old': 'matrix_synapse_rust_synapse_compress_state_docker_image_name_prefix', 'new': 'matrix_synapse_rust_synapse_compress_state_docker_image_registry_prefix'}

# Renamed keys inside the user's Synapse configuration extension (homeserver.yaml
# additions). `ip_range_blacklist` is, per Synapse's docs, the denylist for
# outbound requests (SSRF / DNS-rebinding hardening); a stale key name would be
# ignored by Synapse, so failing loudly is the safer choice.
- name: (Deprecation) Catch and report renamed settings in matrix_synapse_configuration_extension_yaml
  ansible.builtin.fail:
    msg: >-
      Your matrix_synapse_configuration_extension_yaml configuration contains a variable, which now has a different name.
      Please rename the variable (`{{ item.old }}` -> `{{ item.new }}`) on your configuration file (vars.yml).
  # `matrix_synapse_configuration_extension` is the parsed extension mapping; only its top-level keys are inspected.
  when: item.old in matrix_synapse_configuration_extension
  with_items:
    - {old: federation_ip_range_blacklist, new: ip_range_blacklist}

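# Image-customization templates are fetched from a git repository, so the
# repository coordinates must be complete before a build is attempted.
- when: matrix_synapse_container_image_customizations_templates_enabled | bool
  block:
    - name: Fail if required `matrix_synapse_container_image_customizations_templates_*` settings not defined
      ansible.builtin.fail:
        msg: >-
          You need to define a required configuration setting (`{{ item }}`) when enabling `matrix_synapse_container_image_customizations_templates_enabled`.
      # An explicit null is treated like an empty string; `== ''` alone would
      # let a null value pass this check unnoticed.
      when: "vars[item] is none or vars[item] == ''"
      with_items:
        - matrix_synapse_container_image_customizations_templates_git_repository_url
        - matrix_synapse_container_image_customizations_templates_git_repository_branch

    # NOTE(review): the keyscan setting presumably drives an `ssh-keyscan` of
    # this host when the repository is cloned; that trusts whatever host key is
    # served at scan time (trust-on-first-use), so operators who can pin a known
    # host key should prefer that - confirm against the role's build tasks.
    # The message names the actual `*_keyscan_enabled` variable that gates this check.
    - name: Fail if required `matrix_synapse_container_image_customizations_templates_git_repository_keyscan_*` settings not defined
      ansible.builtin.fail:
        msg: >-
          You need to define a required configuration setting (`{{ item }}`) when enabling `matrix_synapse_container_image_customizations_templates_git_repository_keyscan_enabled`.
      when: "matrix_synapse_container_image_customizations_templates_git_repository_keyscan_enabled | bool and (vars[item] is none or vars[item] == '')"
      with_items:
        - matrix_synapse_container_image_customizations_templates_git_repository_keyscan_hostname
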
# The native auto-accept-invites feature and the third-party module must not be
# enabled together.
- name: Fail when auto-accept-invite enabled as a native feature and a module at the same time
  ansible.builtin.fail:
    msg: >-
      Your configuration enables the auto-accept invites feature both as a native Synapse feature (`matrix_synapse_auto_accept_invites_enabled`) and a 3rd party module (`matrix_synapse_ext_synapse_auto_accept_invite_enabled`).
      This is unnecessary, since they both do the same and the native feature is built on top of the 3rd party module anyway.
      Enabling both at the same time will lead to issues.
      We recommend leaving `matrix_synapse_auto_accept_invites_enabled` in your configuration and removing `matrix_synapse_ext_synapse_auto_accept_invite_enabled`.
  when: matrix_synapse_auto_accept_invites_enabled and matrix_synapse_ext_synapse_auto_accept_invite_enabled

# With MSC3861 enabled, authentication is delegated to Matrix Authentication
# Service; Synapse-side password providers are then meaningless and, per the
# message below, make Synapse refuse to start.
- name: Fail if known Synapse password provider modules are enabled when auth is delegated to Matrix Authentication Service
  ansible.builtin.fail:
    msg: "When Synapse is delegating authentication to Matrix Authentication Service, it does not make sense to enable password provider modules, because it is not Synapse that is handling authentication. Please disable {{ item }} before enabling Matrix Authentication Service integration for Synapse. Synapse will refuse to start otherwise."
  # `item` is a variable name; its value is looked up and coerced to a boolean.
  when:
    - matrix_synapse_experimental_features_msc3861_enabled
    - vars[item] | bool
  with_items:
    - matrix_synapse_ext_password_provider_rest_auth_enabled
    - matrix_synapse_ext_password_provider_shared_secret_auth_enabled
    - matrix_synapse_ext_password_provider_ldap_enabled

# Same rationale as the password-provider check: with auth delegated to Matrix
# Authentication Service, Synapse's own password config must stay disabled.
- name: Fail if password config is enabled for Synapse when auth is delegated to Matrix Authentication Service
  ansible.builtin.fail:
    msg: "When Synapse is delegating authentication to Matrix Authentication Service, it doesn't make sense to enable the password config (`matrix_synapse_password_config_enabled: true`), because it is not Synapse that is handling authentication. Please remove your `matrix_synapse_password_config_enabled: true` setting before enabling Matrix Authentication Service integration for Synapse. Synapse will refuse to start otherwise."
  when:
    - matrix_synapse_experimental_features_msc3861_enabled
    - matrix_synapse_password_config_enabled

# NOTE(review): this repeats the MSC4108/MSC3861 check that already appears
# earlier in this file (the task preceded by the "If only MSC 4108 is enabled"
# comment). The earlier task fails the play first, so this one can never be the
# one that fires; one of the two should be dropped.
- name: Fail if QR code login (MSC4108) is enabled while Next-Gen Auth (MSC3861) is not
  ansible.builtin.fail:
    msg: "When Synapse QR code login is enabled (MSC4108 via `matrix_synapse_experimental_features_msc4108_enabled`), Next-Gen auth (MSC3861 via `matrix_synapse_experimental_features_msc3861_enabled`) must also be enabled."
  when:
    - matrix_synapse_experimental_features_msc4108_enabled
    - not matrix_synapse_experimental_features_msc3861_enabled