Make bridge permissions more easily configurable

Not doing {% if matrix_admin %} checks in the YAML also fixes some issues with indentation being incorrect sometimes. This should be backward compatible, except for mautrix-signal's case where `matrix_mautrix_signal_bridge_permissions` previously existed as a string, not a dictionary. `tasks/validate_config.yml` will catch the problem an even provide a quick fix.
2022-07-25 15:55:16 +03:00 · 2022-07-25 15:55:16 +03:00 · ac72879bf5
commit ac72879bf5
parent b2f47fcfcd
21 changed files with 94 additions and 65 deletions
--- a/roles/matrix-bridge-beeper-linkedin/defaults/main.yml
+++ b/roles/matrix-bridge-beeper-linkedin/defaults/main.yml
@ -29,6 +29,12 @@ matrix_beeper_linkedin_bridge_presence: true

 matrix_beeper_linkedin_command_prefix: "!li"

+matrix_beeper_linkedin_bridge_permissions: |
+  {{
+    {matrix_beeper_linkedin_homeserver_domain: 'user'}
+    | combine({matrix_admin: 'admin'} if matrix_admin else {})
+  }}
+
 # A list of extra arguments to pass to the container
 matrix_beeper_linkedin_container_extra_arguments: []

--- a/roles/matrix-bridge-beeper-linkedin/templates/config.yaml.j2
+++ b/roles/matrix-bridge-beeper-linkedin/templates/config.yaml.j2
@ -56,7 +56,7 @@ appservice:
        # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
        # to leave display name/avatar as-is.
        displayname: LinkedIn bridge bot
-        avatar: mxc://sumnerevans.com/XMtwdeUBnxYvWNFFrfeTSHqB 
+        avatar: mxc://sumnerevans.com/XMtwdeUBnxYvWNFFrfeTSHqB

    # Whether or not to receive ephemeral events via appservice transactions.
    # Requires MSC2409 support (i.e. Synapse 1.22+).
@ -236,11 +236,7 @@ bridge:
    #        * - All Matrix users
    #   domain - All users on that homeserver
    #     mxid - Specific user
-    permissions:
-        "{{ matrix_beeper_linkedin_homeserver_domain }}": user
-        {% if matrix_admin %}
-        "{{ matrix_admin }}": admin
-        {% endif %}
+    permissions: {{ matrix_beeper_linkedin_bridge_permissions|to_json }}



--- a/roles/matrix-bridge-go-skype-bridge/defaults/main.yml
+++ b/roles/matrix-bridge-go-skype-bridge/defaults/main.yml
@ -85,6 +85,20 @@ matrix_go_skype_bridge_bridge_login_shared_secret_map:
 matrix_go_skype_bridge_bridge_double_puppet_server_map:
  "{{ matrix_go_skype_bridge_homeserver_domain :  matrix_go_skype_bridge_homeserver_address }}"

+# Enable End-to-bridge encryption
+matrix_go_skype_bridge_bridge_encryption_allow: false
+matrix_go_skype_bridge_bridge_encryption_default: "{{ matrix_go_skype_bridge_bridge_encryption_allow }}"
+
+# Minimum severity of journal log messages.
+# Options: debug, info, warn, error, fatal
+matrix_go_skype_bridge_log_level: 'warn'
+
+matrix_go_skype_bridge_bridge_permissions: |
+  {{
+    {matrix_go_skype_bridge_homeserver_domain: 'user'}
+    | combine({matrix_admin: 'admin'} if matrix_admin else {})
+  }}
+
 # Default go-skype-bridge configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #
@ -124,11 +138,3 @@ matrix_go_skype_bridge_registration_yaml: |
  de.sorunome.msc2409.push_ephemeral: true

 matrix_go_skype_bridge_registration: "{{ matrix_go_skype_bridge_registration_yaml | from_yaml }}"
-
-# Enable End-to-bridge encryption
-matrix_go_skype_bridge_bridge_encryption_allow: false
-matrix_go_skype_bridge_bridge_encryption_default: "{{ matrix_go_skype_bridge_bridge_encryption_allow }}"
-
-# Minimum severity of journal log messages.
-# Options: debug, info, warn, error, fatal
-matrix_go_skype_bridge_log_level: 'warn'
--- a/roles/matrix-bridge-go-skype-bridge/templates/config.yaml.j2
+++ b/roles/matrix-bridge-go-skype-bridge/templates/config.yaml.j2
@ -197,11 +197,7 @@ bridge:
    #        * - All Matrix users
    #   domain - All users on that homeserver
    #     mxid - Specific user
-    permissions:
-        "{{ matrix_go_skype_bridge_homeserver_domain }}": user
-        {% if matrix_admin %}
-        "{{ matrix_admin }}": admin
-        {% endif %}
+    permissions: {{ matrix_go_skype_bridge_bridge_permissions|to_json }}

    relaybot:
        # Whether or not relaybot support is enabled.
--- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml
@ -46,6 +46,12 @@ matrix_mautrix_facebook_homeserver_token: ''
 # If false, created portal rooms will never be federated.
 matrix_mautrix_facebook_federate_rooms: true

+matrix_mautrix_facebook_bridge_permissions: |
+  {{
+    {matrix_mautrix_facebook_homeserver_domain: 'user'}
+    | combine({matrix_admin: 'admin'} if matrix_admin else {})
+  }}
+
 # Controls whether the matrix-mautrix-facebook container exposes its HTTP port.
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9008"), or empty string to not expose.
--- a/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2
@ -201,11 +201,7 @@ bridge:
    #        * - All Matrix users
    #   domain - All users on that homeserver
    #     mxid - Specific user
-    permissions:
-      '{{ matrix_mautrix_facebook_homeserver_domain }}': user
-      {% if matrix_admin %}
-      '{{ matrix_admin }}': admin
-      {% endif %}
+    permissions: {{ matrix_mautrix_facebook_bridge_permissions|to_json }}

    relay:
        # Whether relay mode should be allowed. If allowed, `!fb set-relay` can be used to turn any
--- a/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml
@ -48,6 +48,12 @@ matrix_mautrix_googlechat_homeserver_token: ''
 # If false, created portal rooms will never be federated.
 matrix_mautrix_googlechat_federate_rooms: true

+matrix_mautrix_googlechat_bridge_permissions: |
+  {{
+    {matrix_mautrix_googlechat_homeserver_domain: 'user'}
+    | combine({matrix_admin: 'admin'} if matrix_admin else {})
+  }}
+
 # Database-related configuration fields.
 #
 # To use SQLite, stick to these defaults.
--- a/roles/matrix-bridge-mautrix-googlechat/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mautrix-googlechat/templates/config.yaml.j2
@ -117,11 +117,7 @@ bridge:
    #        * - All Matrix users
    #   domain - All users on that homeserver
    #     mxid - Specific user
-    permissions:
-      '{{ matrix_mautrix_googlechat_homeserver_domain }}': user
-      {% if matrix_admin %}
-      '{{ matrix_admin }}': admin
-      {% endif %}
+    permissions: {{ matrix_mautrix_googlechat_bridge_permissions|to_json }}

 # Python logging configuration.
 #
--- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml
@ -27,6 +27,12 @@ matrix_mautrix_hangouts_appservice_address: 'http://matrix-mautrix-hangouts:8080

 matrix_mautrix_hangouts_command_prefix: "!HO"

+matrix_mautrix_hangouts_bridge_permissions: |
+  {{
+    {matrix_mautrix_hangouts_homeserver_domain: 'user'}
+    | combine({matrix_admin: 'admin'} if matrix_admin else {})
+  }}
+
 # Controls whether the matrix-mautrix-hangouts container exposes its HTTP port (tcp/8080 in the container).
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9007"), or empty string to not expose.
--- a/roles/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2
@ -114,11 +114,7 @@ bridge:
    #        * - All Matrix users
    #   domain - All users on that homeserver
    #     mxid - Specific user
-    permissions:
-      '{{ matrix_mautrix_hangouts_homeserver_domain }}': user
-      {% if matrix_admin %}
-      '{{ matrix_admin }}': admin
-      {% endif %}
+    permissions: {{ matrix_mautrix_hangouts_bridge_permissions|to_json }}

 # Python logging configuration.
 #
--- a/roles/matrix-bridge-mautrix-instagram/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-instagram/defaults/main.yml
@ -25,6 +25,12 @@ matrix_mautrix_instagram_appservice_address: 'http://matrix-mautrix-instagram:29

 matrix_mautrix_instagram_command_prefix: "!ig"

+matrix_mautrix_instagram_bridge_permissions: |
+  {{
+    {matrix_mautrix_instagram_homeserver_domain: 'user'}
+    | combine({matrix_admin: 'admin'} if matrix_admin else {})
+  }}
+
 # A list of extra arguments to pass to the container
 matrix_mautrix_instagram_container_extra_arguments: []

--- a/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2
@ -185,11 +185,7 @@ bridge:
  #        * - All Matrix users
  #   domain - All users on that homeserver
  #     mxid - Specific user
-  permissions:
-    "{{ matrix_mautrix_instagram_homeserver_domain }}": user
-    {% if matrix_admin %}
-    "{{ matrix_admin }}": admin
-    {% endif %}
+  permissions: {{ matrix_mautrix_instagram_bridge_permissions|to_json }}
  # Provisioning API part of the web server for automated portal creation and fetching information.
  # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager).
  provisioning:
--- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml
@ -103,12 +103,14 @@ matrix_mautrix_signal_relaybot_enabled: false
 #        * - All Matrix users
 #   domain - All users on that homeserver
 #     mxid - Specific user
+#
+# This variable used to contain a YAML string, but now needs to contain a hashmap/dictionary.
 matrix_mautrix_signal_bridge_permissions: |
-  '*': relay
-  '{{ matrix_mautrix_signal_homeserver_domain }}': user
-  {% if matrix_admin %}
-  "{{ matrix_admin }}": admin
-  {% endif %}
+  {{
+    {'*': 'relay'}
+    | combine({matrix_mautrix_signal_homeserver_domain: 'user'})
+    | combine({matrix_admin: 'admin'} if matrix_admin else {})
+  }}

 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
--- a/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml
+++ b/roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml
@ -11,6 +11,15 @@
    - "matrix_mautrix_signal_homeserver_token"
    - "matrix_mautrix_signal_appservice_token"

+- name: (Deprecation) Fail if matrix_mautrix_signal_bridge_permissions specified as YAML string, instead of a dictionary
+  ansible.builtin.fail:
+    msg: >-
+      The `matrix_mautrix_signal_bridge_permissions` variable in your configuration is specified as a YAML string.
+      The playbook now expects a hashmap/dictionary in this variable.
+      Change your configuration like this:
+      matrix_mautrix_signal_bridge_permissions: {{ matrix_mautrix_signal_bridge_permissions | from_yaml | to_json }}
+  when: "matrix_mautrix_signal_bridge_permissions is string"
+
 - name: (Deprecation) Catch and report renamed Signal variables
  ansible.builtin.fail:
    msg: >-
--- a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2
@ -223,8 +223,7 @@ bridge:
    #        * - All Matrix users
    #   domain - All users on that homeserver
    #     mxid - Specific user
-    permissions:
-        {{ matrix_mautrix_signal_bridge_permissions|from_yaml }}
+    permissions: {{ matrix_mautrix_signal_bridge_permissions|to_json }}

    relay:
        # Whether or not relay mode should be allowed. If allowed, `!signal set-relay` can be used to turn any
--- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml
@ -27,6 +27,12 @@ matrix_mautrix_telegram_data_path: "{{ matrix_mautrix_telegram_base_path }}/data

 matrix_mautrix_telegram_command_prefix: "!tg"

+matrix_mautrix_telegram_bridge_permissions: |
+  {{
+    {matrix_mautrix_telegram_homeserver_domain: 'user'}
+    | combine({matrix_admin: 'admin'} if matrix_admin else {})
+  }}
+
 # Get your own API keys at https://my.telegram.org/apps
 matrix_mautrix_telegram_api_id: ''
 matrix_mautrix_telegram_api_hash: ''
--- a/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2
@ -289,11 +289,7 @@ bridge:
    #        * - All Matrix users
    #   domain - All users on that homeserver
    #     mxid - Specific user
-    permissions:
-      '{{ matrix_mautrix_telegram_homeserver_domain }}': full
-      {% if matrix_admin %}
-      '{{ matrix_admin }}': admin
-      {% endif %}
+    permissions: {{ matrix_mautrix_telegram_bridge_permissions|to_json }}

    # Options related to the message relay Telegram bot.
    relaybot:
--- a/roles/matrix-bridge-mautrix-twitter/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-twitter/defaults/main.yml
@ -25,6 +25,12 @@ matrix_mautrix_twitter_appservice_address: 'http://matrix-mautrix-twitter:29327'

 matrix_mautrix_twitter_command_prefix: "!tw"

+matrix_mautrix_twitter_bridge_permissions: |
+  {{
+    {matrix_mautrix_twitter_homeserver_domain: 'user'}
+    | combine({matrix_admin: 'admin'} if matrix_admin else {})
+  }}
+
 # A list of extra arguments to pass to the container
 matrix_mautrix_twitter_container_extra_arguments: []

--- a/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2
@ -173,11 +173,7 @@ bridge:
    #        * - All Matrix users
    #   domain - All users on that homeserver
    #     mxid - Specific user
-    permissions:
-      '{{ matrix_mautrix_twitter_homeserver_domain }}': user
-      {% if matrix_admin %}
-      '{{ matrix_admin }}': admin
-      {% endif %}
+    permissions: {{ matrix_mautrix_twitter_bridge_permissions|to_json }}


 # Python logging configuration.
--- a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml
@ -90,6 +90,17 @@ matrix_mautrix_whatsapp_bridge_login_shared_secret_map:
 matrix_mautrix_whatsapp_bridge_double_puppet_server_map:
  "{{ matrix_mautrix_whatsapp_homeserver_domain :  matrix_mautrix_whatsapp_homeserver_address }}"

+# Enable End-to-bridge encryption
+matrix_mautrix_whatsapp_bridge_encryption_allow: false
+matrix_mautrix_whatsapp_bridge_encryption_default: "{{ matrix_mautrix_whatsapp_bridge_encryption_allow }}"
+matrix_mautrix_whatsapp_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_whatsapp_bridge_encryption_allow }}"
+
+matrix_mautrix_whatsapp_bridge_permissions: |
+  {{
+    {matrix_mautrix_whatsapp_homeserver_domain: 'user'}
+    | combine({matrix_admin: 'admin'} if matrix_admin else {})
+  }}
+
 # Default mautrix-whatsapp configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #
@ -130,7 +141,3 @@ matrix_mautrix_whatsapp_registration_yaml: |

 matrix_mautrix_whatsapp_registration: "{{ matrix_mautrix_whatsapp_registration_yaml | from_yaml }}"

-# Enable End-to-bridge encryption
-matrix_mautrix_whatsapp_bridge_encryption_allow: false
-matrix_mautrix_whatsapp_bridge_encryption_default: "{{ matrix_mautrix_whatsapp_bridge_encryption_allow }}"
-matrix_mautrix_whatsapp_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_whatsapp_bridge_encryption_allow }}"
--- a/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2
@ -368,11 +368,7 @@ bridge:
    #        * - All Matrix users
    #   domain - All users on that homeserver
    #     mxid - Specific user
-    permissions:
-        "{{ matrix_mautrix_whatsapp_homeserver_domain }}": user
-        {% if matrix_admin %}
-        "{{ matrix_admin }}": admin
-        {% endif %}
+    permissions: {{ matrix_mautrix_whatsapp_bridge_permissions|to_json }}

    # Settings for relay mode
    relay: