Internal Admin API and Draupnir Hjack Command Config (#3389)

* Enable Internal Admin API Access separately from Public access. * Add Config variable for Draupnir Hijack command And also make the internal admin API be automatically activated when this capability is used. * Apply suggestions from code review Co-authored-by: Slavi Pantaleev <slavi@devture.com> * Further Refine Internal Admin API * Add Non Worker Labels for Internal Admin API * Variable Rename * Add validation rules for Internal Synapse admin API * Add Draupnir Admin API required config validation. * Override `matrix_synapse_reverse_proxy_companion_container_labels_internal_client_synapse_admin_api_traefik_entrypoints` via group vars * Wire `matrix_bot_draupnir_admin_api_enabled` to `matrix_bot_draupnir_config_admin_enableMakeRoomAdminCommand` in Draupnir's `defaults/main.yml` * Remove unnecessary `matrix_bot_draupnir_admin_api_enabled` override from `group_vars/matrix_servers` The same value is now (more appropriately) defined in Draupnir's `defaults/main.yml` file anyway. * Add additional condition (`matrix_bot_draupnir_enabled`) for enabling `matrix_synapse_container_labels_internal_client_synapse_admin_api_enabled` * Use a separate task for validating `matrix_bot_draupnir_admin_api_enabled` when `matrix_bot_draupnir_config_admin_enableMakeRoomAdminCommand` The other task deals with checking for null and not-blank and can't handle booleans properly. --------- Co-authored-by: Slavi Pantaleev <slavi@devture.com>
2025-03-15 08:14:55 +01:00
parent b2e6ce5a7f
commit cd60cf1199
11 changed files with 95 additions and 10 deletions
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@ -268,6 +268,16 @@ matrix_synapse_container_labels_public_client_synapse_admin_api_traefik_entrypoi
 matrix_synapse_container_labels_public_client_synapse_admin_api_traefik_tls: "{{ matrix_synapse_container_labels_public_client_synapse_admin_api_traefik_entrypoints != 'web' }}"
 matrix_synapse_container_labels_public_client_synapse_admin_api_traefik_tls_certResolver: "{{ matrix_synapse_container_labels_traefik_tls_certResolver }}"  # noqa var-naming

+# Controls whether labels will be added that expose the /_synapse/admin paths on the internal Traefik entrypoint.
+# Following these recommendations (https://github.com/element-hq/synapse/blob/master/docs/reverse_proxy.md), by default, we don't.
+# Regardless of whether this is enabled, it may or may not take effect due to the value of other variables.
+
+matrix_synapse_container_labels_internal_client_synapse_admin_api_enabled: false
+matrix_synapse_container_labels_internal_client_synapse_admin_api_traefik_path_prefix: /_synapse/admin
+matrix_synapse_container_labels_internal_client_synapse_admin_api_traefik_rule: "PathPrefix(`{{ matrix_synapse_container_labels_internal_client_synapse_admin_api_traefik_path_prefix }}`)"
+matrix_synapse_container_labels_internal_client_synapse_admin_api_traefik_priority: 0
+matrix_synapse_container_labels_internal_client_synapse_admin_api_traefik_entrypoints: ""
+
 # Controls whether labels will be added that expose the Server-Server API (Federation API).
 # Regardless of whether this is enabled, it may or may not take effect due to the value of other variables.
 # See `matrix_synapse_container_labels_traefik_enabled` or `matrix_synapse_container_labels_matrix_related_labels_enabled`
--- a/roles/custom/matrix-synapse/defaults/main.yml.license
+++ b/roles/custom/matrix-synapse/defaults/main.yml.license
@ -35,5 +35,6 @@ SPDX-FileCopyrightText: 2023 Luke D Iremadze
 SPDX-FileCopyrightText: 2023 Samuel Meenzen
 SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
 SPDX-FileCopyrightText: 2024 Charles Wright
+SPDX-FileCopyrightText: 2025 Catalan Lover <catalanlover@protonmail.com>

 SPDX-License-Identifier: AGPL-3.0-or-later