Add matrix-user-creator role - automatic user account creation support

We no longer ask users to create Matrix user accounts for these bots:

- Postmoogle
- Honoroit
- Reminder Bot

Other bots and services (matrix-registration-bot, maubot, mjolnir,
Dimension, etc.) require an Access Token to run (not a password),
so this new role doesn't help for them.

It does help for the above bots though, and for defining your own
"initial user accounts" in the `matrix_user_creator_users_additional`
variable.

roles/matrix-user-creator/defaults/main.yml

@@ -0,0 +1,22 @@
+---
+
+# matrix-user-creator is a role that aims to automate initial Matrix user account creation.
+#
+# This role only supports initial user account creation and will not manage subsequent user-type changes
+# or password changes.
+#
+# The playbook registers various bot user accounts automatically using this role by injecting
+# user creation definitions into the `matrix_user_creator_users_auto` variable.
+#
+# To get started creating your own Matrix user accounts, use the `matrix_user_creator_users_additional` variable.
+
+# matrix_user_creator_users_auto holds a list of users that should be created on the Matrix homeserver.
+# The playbook adds some user definitions here to have them end up in `matrix_user_creator_users` (see `vars/main.yml`) and get automatically created.
+# This value is influenced by the playbook and will be overwritten elsewhere (`group_vars/`, etc.)
+# To add your own user definitions, use the `matrix_user_creator_users_additional` variable.
+matrix_user_creator_users_auto: []
+
+# matrix_user_creator_users_additional holds a list of users that should be created on the Matrix homeserver.
+# Add your own users here to have them end up in `matrix_user_creator_users` (see `vars/main.yml`) and get automatically created.
+# For example syntax for this variable, see the documentation for `matrix_user_creator_users` in `vars/main.yml`.
+matrix_user_creator_users_additional: []

roles/matrix-user-creator/tasks/main.yml

@@ -0,0 +1,9 @@
+---
+
+- when: matrix_user_creator_users | length > 0
+  ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup.yml"
+  tags:
+    # This role intentionally doesn't do work on a `setup-all` tag.
+    # If it did, the initial installation (`--tags=setup-all`) would also potentially polute the database with data,
+    # which would make importing a database dump problematic.
+    - ensure-matrix-users-created

roles/matrix-user-creator/tasks/setup.yml

@@ -0,0 +1,33 @@
+---
+
+- name: Validate Matrix users to create
+  ansible.builtin.include_tasks: "{{ role_path }}/tasks/util/validate_user.yml"
+  with_items: "{{ matrix_user_creator_users }}"
+  loop_control:
+    loop_var: user
+  # Suppress logging to avoid dumping the credentials to the shell
+  no_log: true
+
+- name: Ensure systemd is reloaded before starting the homeserver
+  ansible.builtin.service:
+    daemon_reload: true
+
+- name: Ensure homeserver is started before creating Matrix users
+  ansible.builtin.service:
+    name: "matrix-{{ matrix_homeserver_implementation }}.service"
+    state: started
+    daemon_reload: true
+  register: matrix_user_registrator_homeserver_start_result
+
+- name: Wait a while, so that the homeserver can manage to start before creating Matrix users
+  ansible.builtin.pause:
+    seconds: 7
+  when: matrix_user_registrator_homeserver_start_result.changed | bool
+
+- name: Ensure Matrix users are created
+  ansible.builtin.include_tasks: "{{ role_path }}/tasks/util/ensure_user_registered_{{ matrix_homeserver_implementation }}.yml"
+  with_items: "{{ matrix_user_creator_users }}"
+  loop_control:
+    loop_var: user
+  # Suppress logging to avoid dumping the credentials to the shell
+  no_log: true

roles/matrix-user-creator/tasks/util/ensure_user_registered_conduit.yml

@@ -0,0 +1,5 @@
+---
+
+- name: Ensure Conduit user registered - {{ user.username | quote }}
+  ansible.builtin.debug:
+    msg: "Not registering user. To register Conduit users, message the Conduit bot"

roles/matrix-user-creator/tasks/util/ensure_user_registered_dendrite.yml

@@ -0,0 +1,17 @@
+---
+
+- name: Ensure Dendrite user registered - {{ user.username | quote }}
+  ansible.builtin.command:
+    cmd: |-
+      {{ matrix_host_command_docker }} exec matrix-dendrite
+      create-account
+      -config /data/dendrite.yaml
+      -username {{ user.username | quote }}
+      -password {{ user.initial_password | quote }}
+      {% if user.initial_type == 'admin' %}
+        -admin
+      {% endif %}
+      -url http://localhost:{{ matrix_dendrite_http_bind_port }}
+  register: matrix_dendrite_register_user_result
+  changed_when: matrix_dendrite_register_user_result.rc == 0 and 'Desired user ID is already taken' not in matrix_dendrite_register_user_result.stderr
+  failed_when: matrix_dendrite_register_user_result.rc != 0 and 'Desired user ID is already taken' not in matrix_dendrite_register_user_result.stderr

roles/matrix-user-creator/tasks/util/ensure_user_registered_synapse.yml

@@ -0,0 +1,22 @@
+---
+
+- name: Ensure Synapse user registered - {{ user.username | quote }}
+  ansible.builtin.command:
+    cmd: |-
+      {{ matrix_host_command_docker }} exec matrix-synapse
+      register_new_matrix_user
+      -u  {{ user.username | quote }}
+      -p {{ user.initial_password | quote }}
+      -c /data/homeserver.yaml
+      {% if user.initial_type == 'admin' %}
+        --admin
+      {% else %}
+        --no-admin
+        {% if user.initial_type != 'user' %}
+          --user_type={{ user.initial_type | quote }}
+        {% endif %}
+      {% endif %}
+      http://localhost:{{ matrix_synapse_container_client_api_port }}
+  register: matrix_synapse_register_user_result
+  changed_when: matrix_synapse_register_user_result.rc == 0 and 'User ID already taken' not in matrix_synapse_register_user_result.stdout
+  failed_when: matrix_synapse_register_user_result.rc != 0 and 'User ID already taken' not in matrix_synapse_register_user_result.stdout

roles/matrix-user-creator/tasks/util/validate_user.yml

@@ -0,0 +1,16 @@
+---
+
+- name: Fail if invalid username
+  ansible.builtin.fail:
+    msg: "Empty usernames values are not allowed ({{ user }})"
+  when: not (user.username | default(''))
+
+- name: Fail if invalid initial_password for user - {{ user.username }}
+  ansible.builtin.fail:
+    msg: "Empty initial_password values are not allowed"
+  when: not (user.initial_password | default(''))
+
+- name: Fail if invalid initial_type for user - {{ user.username }}
+  ansible.builtin.fail:
+    msg: "User initial_type `{{ user.initial_type | default('undefined') }}` is not supported"
+  when: user.initial_type | default('undefined') not in ['admin', 'user', 'bot', 'support']

roles/matrix-user-creator/vars/main.yml

@@ -0,0 +1,34 @@
+---
+
+# matrix_user_creator_users holds a list of users that should be created on the Matrix homeserver.
+#
+# Removing a user from this list will not automatically delete/disable the Matrix user on the homeserver.
+#
+# As the `initial_password` / `initial_type` field names indicate, these are just initial values.
+# Changing the password or type values subsequently will not update the already existing user's details.
+#
+# The known user types are: 'admin', 'user', 'bot', 'support'.
+# These are inspired by Synapse's user types.
+# 'admin' and 'user' types are generally recognized across homeservers.
+# Other homeservers may not support 'bot' and 'support'. Such homeservers will fall back to whatever types they do support.
+#
+# Example:
+# matrix_user_creator_users:
+#   - username: root
+#     initial_password: some-password
+#     initial_type: admin
+#
+#   - username: john
+#     initial_password: some-password
+#     initial_type: user
+#
+#   - username: bot.matrix-reminder-bot
+#     initial_password: some-password
+#     initial_type: bot
+#
+#   - username: bot.matrix-reminder-bot
+#     initial_password: some-password
+#     initial_type: support
+#
+# To create you own users, use the `matrix_user_creator_users_additional` variable.
+matrix_user_creator_users: "{{ matrix_user_creator_users_auto + matrix_user_creator_users_additional }}"