Internal Admin API and Draupnir Hjack Command Config (#3389)

* Enable Internal Admin API Access separately from Public access. * Add Config variable for Draupnir Hijack command And also make the internal admin API be automatically activated when this capability is used. * Apply suggestions from code review Co-authored-by: Slavi Pantaleev <slavi@devture.com> * Further Refine Internal Admin API * Add Non Worker Labels for Internal Admin API * Variable Rename * Add validation rules for Internal Synapse admin API * Add Draupnir Admin API required config validation. * Override `matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_traefik_entrypoints` via group vars * Wire `matrix_bot_draupnir_admin_api_enabled` to `matrix_bot_draupnir_config_admin_enableMakeRoomAdminCommand` in Draupnir's `defaults/main.yml` * Remove unnecessary `matrix_bot_draupnir_admin_api_enabled` override from `group_vars/matrix_servers` The same value is now (more appropriately) defined in Draupnir's `defaults/main.yml` file anyway. * Add additional condition (`matrix_bot_draupnir_enabled`) for enabling `matrix_synapse_container_labels_internal_client_synapse_admin_api_enabled` * Use a separate task for validating `matrix_bot_draupnir_admin_api_enabled` when `matrix_bot_draupnir_config_admin_enableMakeRoomAdminCommand` The other task deals with checking for null and not-blank and can't handle booleans properly. --------- Co-authored-by: Slavi Pantaleev <slavi@devture.com>
2025-03-15 08:14:55 +01:00
parent b2e6ce5a7f
commit cd60cf1199
11 changed files with 95 additions and 10 deletions
--- a/roles/custom/matrix-bot-draupnir/defaults/main.yml
+++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml
@ -117,6 +117,13 @@ matrix_bot_draupnir_config_rawHomeserverUrl: ""  # noqa var-naming
 # It is exposed here because it is common enough to be valid to expose.
 matrix_bot_draupnir_config_disableServerACL: false  # noqa var-naming

+# Control if Draupnir wants for the Synapse Admin API to be exposed internally to containers, therefore giving Draupnir Access.
+matrix_bot_draupnir_admin_api_enabled: "{{ matrix_bot_draupnir_config_admin_enableMakeRoomAdminCommand }}"
+
+# Controls if the Draupnir room hijack command is activated or not.
+# Also see `matrix_bot_draupnir_admin_api_enabled`.
+matrix_bot_draupnir_config_admin_enableMakeRoomAdminCommand: false  # noqa var-naming
+
 # Controls if the room state backing store is activated.
 # Room state backing store makes restarts of the bot lightning fast as the bot does not suffer from amnesia.
 # This config option has diminished improvements for bots on extremely fast homeservers or very very small bots on fast homeservers.
--- a/roles/custom/matrix-bot-draupnir/tasks/validate_config.yml
+++ b/roles/custom/matrix-bot-draupnir/tasks/validate_config.yml
@ -39,6 +39,11 @@
    - {'name': 'matrix_bot_draupnir_pantalaimon_password', when: "{{ matrix_bot_draupnir_pantalaimon_use }}"}
  when: "item.when | bool and (vars[item.name] == '' or vars[item.name] is none)"

+- name: Fail if Draupnir room hijacking enabled without enabling the Synapse Admin API
+  ansible.builtin.fail:
+    msg: "When matrix_bot_draupnir_config_admin_enableMakeRoomAdminCommand is enabled, matrix_bot_draupnir_admin_api_enabled must also be enabled"
+  when: "matrix_bot_draupnir_config_admin_enableMakeRoomAdminCommand | bool and not matrix_bot_draupnir_admin_api_enabled | bool"
+
 - name: Fail if inappropriate variables are defined
  ansible.builtin.fail:
    msg: "The `{{ item.name }}` variable must be undefined or have a null value."
--- a/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2
+++ b/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2
@ -131,18 +131,15 @@ protectAllJoinedRooms: false
 # of the homeserver may be more impacted.
 backgroundDelayMS: 500

-# FIXME: This configuration option is currently broken in the playbook as admin APIs cannot
-# be accessed from containers. See https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3389
-# and https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3308
 # Server administration commands, these commands will only work if Draupnir is
 # a global server administrator, and the bot's server is a Synapse instance.
-#admin:
-#  # Whether or not Draupnir can temporarily take control of any eligible account from the local homeserver who's in the room
-#  # (with enough permissions) to "make" a user an admin.
-#  #
-#  # This only works if a local user with enough admin permissions is present in the room.
-#  enableMakeRoomAdminCommand: false
-#
+admin:
+  # Whether or not Draupnir can temporarily take control of any eligible account from the local homeserver who's in the room
+  # (with enough permissions) to "make" a user an admin.
+  #
+  # This only works if a local user with enough admin permissions is present in the room.
+  enableMakeRoomAdminCommand: {{ matrix_bot_draupnir_config_enableMakeRoomAdminCommand | to_json }}
+
 # Misc options for command handling and commands
 commands:
  # Whether or not the `!draupnir` prefix is necessary to submit commands.