From 44b43a51b9e134cc96dbcc63dac4b99025bb138c Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 9 Feb 2026 06:29:14 +0200 Subject: [PATCH] Add retry logic for Synapse user registration on HMAC failure When the registration_shared_secret changes (derived from matrix_synapse_macaroon_secret_key), a running Synapse container still has the old secret in its config. This causes register_new_matrix_user to fail with "HMAC incorrect" when the matrix-user-creator role tries to register users. This mirrors the approach from 2a581cce (which added similar retry logic for the Matrix Authentication Service on database auth failure): if the initial registration attempt fails with an HMAC error, restart Synapse (picking up the new config with the updated secret), wait for it to start, and retry. Caused by c21a80d232ffe7e924c539bebecb3d8e26187586 Co-Authored-By: Claude Opus 4.6 --- .../util/ensure_user_registered_synapse.yml | 33 ++++++++++++++++--- 1 file changed, 29 insertions(+), 4 deletions(-) diff --git a/roles/custom/matrix-user-creator/tasks/util/ensure_user_registered_synapse.yml b/roles/custom/matrix-user-creator/tasks/util/ensure_user_registered_synapse.yml index 1ae191e21..f00984a9d 100644 --- a/roles/custom/matrix-user-creator/tasks/util/ensure_user_registered_synapse.yml +++ b/roles/custom/matrix-user-creator/tasks/util/ensure_user_registered_synapse.yml @@ -4,9 +4,9 @@ --- -- name: Ensure Synapse user registered - {{ user.username | quote }} - ansible.builtin.command: - cmd: |- +- name: Build Synapse user registration command - {{ user.username | quote }} + ansible.builtin.set_fact: + matrix_synapse_register_user_command: |- {{ devture_systemd_docker_base_host_command_docker }} exec matrix-synapse register_new_matrix_user -u {{ user.username | quote }} 
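Review bot: The whole registration command is now kept in the `matrix_synapse_register_user_command` fact, which stays in host variables for the rest of the run and is printed by the set_fact task at higher verbosity. The lines between the two hunks are not shown here, but if they pass the user's initial password on the command line (register_new_matrix_user accepts `-p`), that password gets wider exposure than it had inside a single command task. Consider `no_log: true` on the "Build Synapse user registration command" task, and on the two command tasks in the second hunk that template the fact into `cmd`. The trade-off is that a failed registration then hides its output, so the "HMAC incorrect" and "User ID already taken" checks would be the only visible diagnostics.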
@@ -21,6 +21,31 @@ {% endif %} {% endif %} http://localhost:{{ matrix_synapse_container_client_api_port }} + +- name: Ensure Synapse user registered - {{ user.username | quote }} + ansible.builtin.command: + cmd: "{{ matrix_synapse_register_user_command }}" register: matrix_synapse_register_user_result changed_when: matrix_synapse_register_user_result.rc == 0 and 'User ID already taken' not in matrix_synapse_register_user_result.stdout - failed_when: matrix_synapse_register_user_result.rc != 0 and 'User ID already taken' not in matrix_synapse_register_user_result.stdout + failed_when: >- + matrix_synapse_register_user_result.rc != 0 + and 'User ID already taken' not in matrix_synapse_register_user_result.stdout + and 'HMAC incorrect' not in matrix_synapse_register_user_result.stdout + +- when: "'HMAC incorrect' in matrix_synapse_register_user_result.stdout | default('')" + block: + - name: Restart Synapse due to HMAC failure (likely a registration_shared_secret change) + ansible.builtin.service: + name: "matrix-synapse.service" + state: restarted + + - name: Wait for Synapse to start after restart + ansible.builtin.pause: + seconds: "{{ matrix_user_creator_homeserver_start_wait_time_seconds }}" + + - name: Retry Synapse user registration - {{ user.username | quote }} + ansible.builtin.command: + cmd: "{{ matrix_synapse_register_user_command }}" + register: matrix_synapse_register_user_result + changed_when: matrix_synapse_register_user_result.rc == 0 and 'User ID already taken' not in matrix_synapse_register_user_result.stdout + failed_when: matrix_synapse_register_user_result.rc != 0 and 'User ID already taken' not in matrix_synapse_register_user_result.stdout
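Review bot: The retry in the added block relies on a fixed `ansible.builtin.pause`, so if Synapse needs longer than `matrix_user_creator_homeserver_start_wait_time_seconds` to accept requests after the restart, the retried command fails on a connection error and the run aborts with a message unrelated to the secret change. Polling would be more robust than sleeping: on the "Retry Synapse user registration" task add `until: matrix_synapse_register_user_result.rc == 0 or 'User ID already taken' in matrix_synapse_register_user_result.stdout` with `retries: 5` and `delay: 10` (example values). A short comment above the `when:` block would also help, noting that a second "HMAC incorrect" after the restart is a hard failure by design, because at that point the shared secret is wrong rather than stale.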