Auto-configure synapse-admin to be restricted to a single homeserver (the one managed by the playbook)

roles/custom/matrix-synapse-admin/defaults/main.yml

@@ -6,6 +6,7 @@ matrix_synapse_admin_enabled: true
 
 # A path on host where all related files will be saved
 matrix_synapse_admin_base_path: "{{ matrix_base_data_path }}/synapse-admin"
+matrix_synapse_admin_config_path: "{{ matrix_synapse_admin_base_path }}/config"
 matrix_synapse_admin_docker_src_files_path: "{{ matrix_synapse_admin_base_path }}/docker-src"
 
 matrix_synapse_admin_container_image_self_build: false
@@ -135,3 +136,40 @@ matrix_synapse_admin_hostname: "{{ matrix_server_fqn_matrix }}"
 # The path at which Synapse Admin is exposed.
 # This value must either be `/` or not end with a slash (e.g. `/synapse-admin`).
 matrix_synapse_admin_path_prefix: /synapse-admin
+
+# Default synapse-admin configuration template which covers the generic use case.
+# You can customize it by controlling the various variables inside it.
+#
+# For a more advanced customization, you can extend the default (see `matrix_synapse_admin_configuration_extension_json`)
+# or completely replace this variable with your own template.
+#
+# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict.
+# This is unlike what it does when looking up YAML template files (no automatic parsing there).
+matrix_synapse_admin_configuration_default: "{{ lookup('template', 'templates/config.json.j2') }}"
+
+# Your custom JSON configuration for synapse-admin should go to `matrix_synapse_admin_configuration_extension_json`.
+# This configuration extends the default starting configuration (`matrix_synapse_admin_configuration_default`).
+#
+# You can override individual variables from the default configuration, or introduce new ones.
+#
+# If you need something more special, you can take full control by
+# completely redefining `matrix_synapse_admin_configuration_default`.
+#
+# Example configuration extension follows:
+#
+# matrix_synapse_admin_configuration_extension_json: |
+#  {
+#  "some_setting": true,
+#  "another_setting": false
+#  }
+matrix_synapse_admin_configuration_extension_json: '{}'
+
+matrix_synapse_admin_configuration_extension: "{{ matrix_synapse_admin_configuration_extension_json | from_json if matrix_synapse_admin_configuration_extension_json | from_json is mapping else {} }}"
+
+# Holds the final synapse-admin configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `matrix_synapse_admin_configuration_default`.
+matrix_synapse_admin_configuration: "{{ matrix_synapse_admin_configuration_default | combine(matrix_synapse_admin_configuration_extension, recursive=True) }}"
+
+# Controls the restrictBaseUrl configuration setting, which, if defined,
+# restricts the homeserver(s), so that the user can no longer define a homeserver manually during login.
+matrix_synapse_admin_config_restrictBaseUrl: "{{ [matrix_homeserver_url] }}"  # noqa var-naming

roles/custom/matrix-synapse-admin/tasks/setup_install.yml

@@ -1,12 +1,17 @@
 ---
 
-- name: Ensure matrix-synapse-admin path exist
+- name: Ensure matrix-synapse-admin paths exists
   ansible.builtin.file:
-    path: "{{ matrix_synapse_admin_base_path }}"
+    path: "{{ item.path }}"
     state: directory
-    mode: 0700
+    mode: 0750
     owner: "{{ matrix_user_username }}"
     group: "{{ matrix_user_groupname }}"
+  with_items:
+    - {path: "{{ matrix_synapse_admin_base_path }}", when: true}
+    - {path: "{{ matrix_synapse_admin_config_path }}", when: true}
+    - {path: "{{ matrix_synapse_admin_docker_src_files_path }}", when: "{{ matrix_synapse_admin_container_image_self_build }}"}
+  when: "item.when | bool"
 
 - name: Ensure matrix-synapse-admin labels file is created
   ansible.builtin.template:
@@ -16,6 +21,14 @@
     group: "{{ matrix_user_groupname }}"
     mode: 0640
 
+- name: Ensure matrix-synapse-admin configuration installed
+  ansible.builtin.copy:
+    content: "{{ matrix_synapse_admin_configuration | to_nice_json }}"
+    dest: "{{ matrix_synapse_admin_config_path }}/config.json"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
 - name: Ensure matrix-synapse-admin image is pulled
   community.docker.docker_image:
     name: "{{ matrix_synapse_admin_docker_image }}"

roles/custom/matrix-synapse-admin/templates/config.json.j2

@@ -0,0 +1,3 @@
+{
+	"restrictBaseUrl": {{ matrix_synapse_admin_config_restrictBaseUrl | to_json }}
+}

roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2

@@ -30,6 +30,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			-p {{ matrix_synapse_admin_container_http_host_bind_port }}:80 \
 			{% endif %}
 			--label-file={{ matrix_synapse_admin_base_path }}/labels \
+			--mount type=bind,src={{ matrix_synapse_admin_config_path }}/config.json,dst=/app/config.json,ro \
 			{% for arg in matrix_synapse_admin_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}