Internal Admin API and Draupnir Hjack Command Config (#3389)

* Enable Internal Admin API Access separately from Public access. * Add Config variable for Draupnir Hijack command And also make the internal admin API be automatically activated when this capability is used. * Apply suggestions from code review Co-authored-by: Slavi Pantaleev <slavi@devture.com> * Further Refine Internal Admin API * Add Non Worker Labels for Internal Admin API * Variable Rename * Add validation rules for Internal Synapse admin API * Add Draupnir Admin API required config validation. * Override `matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_traefik_entrypoints` via group vars * Wire `matrix_bot_draupnir_admin_api_enabled` to `matrix_bot_draupnir_config_admin_enableMakeRoomAdminCommand` in Draupnir's `defaults/main.yml` * Remove unnecessary `matrix_bot_draupnir_admin_api_enabled` override from `group_vars/matrix_servers` The same value is now (more appropriately) defined in Draupnir's `defaults/main.yml` file anyway. * Add additional condition (`matrix_bot_draupnir_enabled`) for enabling `matrix_synapse_container_labels_internal_client_synapse_admin_api_enabled` * Use a separate task for validating `matrix_bot_draupnir_admin_api_enabled` when `matrix_bot_draupnir_config_admin_enableMakeRoomAdminCommand` The other task deals with checking for null and not-blank and can't handle booleans properly. --------- Co-authored-by: Slavi Pantaleev <slavi@devture.com>
2025-03-15 08:14:55 +01:00
parent b2e6ce5a7f
commit cd60cf1199
11 changed files with 95 additions and 10 deletions
--- a/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2
+++ b/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2
@ -131,18 +131,15 @@ protectAllJoinedRooms: false
 # of the homeserver may be more impacted.
 backgroundDelayMS: 500

-# FIXME: This configuration option is currently broken in the playbook as admin APIs cannot
-# be accessed from containers. See https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3389
-# and https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3308
 # Server administration commands, these commands will only work if Draupnir is
 # a global server administrator, and the bot's server is a Synapse instance.
-#admin:
-#  # Whether or not Draupnir can temporarily take control of any eligible account from the local homeserver who's in the room
-#  # (with enough permissions) to "make" a user an admin.
-#  #
-#  # This only works if a local user with enough admin permissions is present in the room.
-#  enableMakeRoomAdminCommand: false
-#
+admin:
+  # Whether or not Draupnir can temporarily take control of any eligible account from the local homeserver who's in the room
+  # (with enough permissions) to "make" a user an admin.
+  #
+  # This only works if a local user with enough admin permissions is present in the room.
+  enableMakeRoomAdminCommand: {{ matrix_bot_draupnir_config_enableMakeRoomAdminCommand | to_json }}
+
 # Misc options for command handling and commands
 commands:
  # Whether or not the `!draupnir` prefix is necessary to submit commands.