Auto-configure synapse-admin to be restricted to a single homeserver (the one managed by the playbook)
parent
296199fb40
commit
e000cbf0f4
16
CHANGELOG.md
16
CHANGELOG.md
@ -1,3 +1,19 @@
|
|||||||
|
# 2024-07-01
|
||||||
|
|
||||||
|
## synapse-admin is now restricted to your homeserver's URL by default
|
||||||
|
|
||||||
|
A new feature introduced in synapse-admin [v0.10.0](https://github.com/Awesome-Technologies/synapse-admin/releases/tag/0.10.0) (released and supported by the playbook since a a few months ago) provides the ability to [restrict its usage to a specific homeserver](https://github.com/Awesome-Technologies/synapse-admin/blob/e21e44362c879ac41f47c580b04210842b6ff3d7/README.md#restricting-available-homeserver) (or multiple homeservers).
|
||||||
|
|
||||||
|
The playbook has just started making use of this feature. **From now on, your synapse-admin instance will be restricted to the homeserver you're managing via the playbook**. When configured like this, the *Homeserver URL* field in synapse-admin's web UI changes from a text field to a dropdown having a single value (the URL of your homeserver). This makes usage simpler for most people, as they won't need to manually enter a *Homeserver URL* anymore.
|
||||||
|
|
||||||
|
If you'd like **to go back to the old unrestricted behavior**, use the following configuration:
|
||||||
|
|
||||||
|
```yml
|
||||||
|
# Use this configuration to allow synapse-admin to manage any homeserver instance.
|
||||||
|
matrix_synapse_admin_config_restrictBaseUrl: []
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
# 2024-06-25
|
# 2024-06-25
|
||||||
|
|
||||||
## The URL-prefix for Hookshot generic webhooks has changed
|
## The URL-prefix for Hookshot generic webhooks has changed
|
||||||
|
@ -20,14 +20,12 @@ matrix_synapse_admin_enabled: true
|
|||||||
- for [Synapse](./configuring-playbook-synapse.md) (our default homeserver implementation): `matrix_synapse_container_labels_public_client_synapse_admin_api_enabled: true`
|
- for [Synapse](./configuring-playbook-synapse.md) (our default homeserver implementation): `matrix_synapse_container_labels_public_client_synapse_admin_api_enabled: true`
|
||||||
- for [Dendrite](./configuring-playbook-dendrite.md): `matrix_dendrite_container_labels_public_client_synapse_admin_api_enabled: true`
|
- for [Dendrite](./configuring-playbook-dendrite.md): `matrix_dendrite_container_labels_public_client_synapse_admin_api_enabled: true`
|
||||||
|
|
||||||
|
By default, synapse-admin installation will be [restricted to only work with one homeserver](https://github.com/Awesome-Technologies/synapse-admin/blob/e21e44362c879ac41f47c580b04210842b6ff3d7/README.md#restricting-available-homeserver) - the one managed by the playbook. To adjust these restrictions, tweak the `matrix_synapse_admin_config_restrictBaseUrl` variable.
|
||||||
|
|
||||||
|
|
||||||
## Installing
|
## Installing
|
||||||
|
|
||||||
After configuring the playbook, run the [installation](installing.md) command again:
|
After configuring the playbook, run the [installation](installing.md) command again (`just install-all`).
|
||||||
|
|
||||||
```
|
|
||||||
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
## Usage
|
## Usage
|
||||||
@ -35,5 +33,3 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
|
|||||||
After installation, Synapse Admin will be accessible at: `https://matrix.DOMAIN/synapse-admin/`
|
After installation, Synapse Admin will be accessible at: `https://matrix.DOMAIN/synapse-admin/`
|
||||||
|
|
||||||
To use Synapse Admin, you need to have [registered at least one administrator account](registering-users.md) on your server.
|
To use Synapse Admin, you need to have [registered at least one administrator account](registering-users.md) on your server.
|
||||||
|
|
||||||
The Homeserver URL to use on Synapse Admin's login page is: `https://matrix.DOMAIN`
|
|
||||||
|
@ -6,6 +6,7 @@ matrix_synapse_admin_enabled: true
|
|||||||
|
|
||||||
# A path on host where all related files will be saved
|
# A path on host where all related files will be saved
|
||||||
matrix_synapse_admin_base_path: "{{ matrix_base_data_path }}/synapse-admin"
|
matrix_synapse_admin_base_path: "{{ matrix_base_data_path }}/synapse-admin"
|
||||||
|
matrix_synapse_admin_config_path: "{{ matrix_synapse_admin_base_path }}/config"
|
||||||
matrix_synapse_admin_docker_src_files_path: "{{ matrix_synapse_admin_base_path }}/docker-src"
|
matrix_synapse_admin_docker_src_files_path: "{{ matrix_synapse_admin_base_path }}/docker-src"
|
||||||
|
|
||||||
matrix_synapse_admin_container_image_self_build: false
|
matrix_synapse_admin_container_image_self_build: false
|
||||||
@ -135,3 +136,40 @@ matrix_synapse_admin_hostname: "{{ matrix_server_fqn_matrix }}"
|
|||||||
# The path at which Synapse Admin is exposed.
|
# The path at which Synapse Admin is exposed.
|
||||||
# This value must either be `/` or not end with a slash (e.g. `/synapse-admin`).
|
# This value must either be `/` or not end with a slash (e.g. `/synapse-admin`).
|
||||||
matrix_synapse_admin_path_prefix: /synapse-admin
|
matrix_synapse_admin_path_prefix: /synapse-admin
|
||||||
|
|
||||||
|
# Default synapse-admin configuration template which covers the generic use case.
|
||||||
|
# You can customize it by controlling the various variables inside it.
|
||||||
|
#
|
||||||
|
# For a more advanced customization, you can extend the default (see `matrix_synapse_admin_configuration_extension_json`)
|
||||||
|
# or completely replace this variable with your own template.
|
||||||
|
#
|
||||||
|
# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict.
|
||||||
|
# This is unlike what it does when looking up YAML template files (no automatic parsing there).
|
||||||
|
matrix_synapse_admin_configuration_default: "{{ lookup('template', 'templates/config.json.j2') }}"
|
||||||
|
|
||||||
|
# Your custom JSON configuration for synapse-admin should go to `matrix_synapse_admin_configuration_extension_json`.
|
||||||
|
# This configuration extends the default starting configuration (`matrix_synapse_admin_configuration_default`).
|
||||||
|
#
|
||||||
|
# You can override individual variables from the default configuration, or introduce new ones.
|
||||||
|
#
|
||||||
|
# If you need something more special, you can take full control by
|
||||||
|
# completely redefining `matrix_synapse_admin_configuration_default`.
|
||||||
|
#
|
||||||
|
# Example configuration extension follows:
|
||||||
|
#
|
||||||
|
# matrix_synapse_admin_configuration_extension_json: |
|
||||||
|
# {
|
||||||
|
# "some_setting": true,
|
||||||
|
# "another_setting": false
|
||||||
|
# }
|
||||||
|
matrix_synapse_admin_configuration_extension_json: '{}'
|
||||||
|
|
||||||
|
matrix_synapse_admin_configuration_extension: "{{ matrix_synapse_admin_configuration_extension_json | from_json if matrix_synapse_admin_configuration_extension_json | from_json is mapping else {} }}"
|
||||||
|
|
||||||
|
# Holds the final synapse-admin configuration (a combination of the default and its extension).
|
||||||
|
# You most likely don't need to touch this variable. Instead, see `matrix_synapse_admin_configuration_default`.
|
||||||
|
matrix_synapse_admin_configuration: "{{ matrix_synapse_admin_configuration_default | combine(matrix_synapse_admin_configuration_extension, recursive=True) }}"
|
||||||
|
|
||||||
|
# Controls the restrictBaseUrl configuration setting, which, if defined,
|
||||||
|
# restricts the homeserver(s), so that the user can no longer define a homeserver manually during login.
|
||||||
|
matrix_synapse_admin_config_restrictBaseUrl: "{{ [matrix_homeserver_url] }}" # noqa var-naming
|
||||||
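Review bot: The comment above `matrix_synapse_admin_config_restrictBaseUrl` does not say that the value is a list or how to lift the restriction, although the changelog entry in this same commit documents `[]` for that. It also reads as if the setting were an access control, while the changelog describes it as turning the login form's Homeserver URL field into a dropdown. Access to the homeserver's admin API is presumably still governed by the `*_synapse_admin_api_enabled` labels mentioned in the docs. I would extend the comment to something like `# A list of homeserver URLs; set to [] to allow any homeserver. This only constrains synapse-admin's login form, not access to the homeserver's admin API.` The comment on `matrix_synapse_admin_configuration_extension_json` could also say that the rendered config.json is mounted into the container's `/app` directory and may be fetchable by browsers, so it should not hold secrets (worth confirming against the image).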
|
@ -1,12 +1,17 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
- name: Ensure matrix-synapse-admin path exist
|
- name: Ensure matrix-synapse-admin paths exists
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: "{{ matrix_synapse_admin_base_path }}"
|
path: "{{ item.path }}"
|
||||||
state: directory
|
state: directory
|
||||||
mode: 0700
|
mode: 0750
|
||||||
owner: "{{ matrix_user_username }}"
|
owner: "{{ matrix_user_username }}"
|
||||||
group: "{{ matrix_user_groupname }}"
|
group: "{{ matrix_user_groupname }}"
|
||||||
|
with_items:
|
||||||
|
- {path: "{{ matrix_synapse_admin_base_path }}", when: true}
|
||||||
|
- {path: "{{ matrix_synapse_admin_config_path }}", when: true}
|
||||||
|
- {path: "{{ matrix_synapse_admin_docker_src_files_path }}", when: "{{ matrix_synapse_admin_container_image_self_build }}"}
|
||||||
|
when: "item.when | bool"
|
||||||
|
|
||||||
- name: Ensure matrix-synapse-admin labels file is created
|
- name: Ensure matrix-synapse-admin labels file is created
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
@ -16,6 +21,14 @@
|
|||||||
group: "{{ matrix_user_groupname }}"
|
group: "{{ matrix_user_groupname }}"
|
||||||
mode: 0640
|
mode: 0640
|
||||||
|
|
||||||
|
- name: Ensure matrix-synapse-admin configuration installed
|
||||||
|
ansible.builtin.copy:
|
||||||
|
content: "{{ matrix_synapse_admin_configuration | to_nice_json }}"
|
||||||
|
dest: "{{ matrix_synapse_admin_config_path }}/config.json"
|
||||||
|
mode: 0644
|
||||||
|
owner: "{{ matrix_user_username }}"
|
||||||
|
group: "{{ matrix_user_groupname }}"
|
||||||
|
|
||||||
- name: Ensure matrix-synapse-admin image is pulled
|
- name: Ensure matrix-synapse-admin image is pulled
|
||||||
community.docker.docker_image:
|
community.docker.docker_image:
|
||||||
name: "{{ matrix_synapse_admin_docker_image }}"
|
name: "{{ matrix_synapse_admin_docker_image }}"
|
||||||
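Review bot: The `mode: 0750` in the first task widens all three directories in the loop (base path, config, docker-src) from the previous 0700, and nothing in the commit says which consumer needs group access. The service template mounts `config.json` as a single-file bind mount, so directory traversal by the container user may not be required at all. If it is not, keep `mode: 0700`; if it is, add a short comment naming who needs it. Separately, the new `mode: 0750` and `mode: 0644` are bare integers, and quoting them (`mode: '0644'`) avoids differences in how YAML parsers read a leading-zero number.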
|
@ -0,0 +1,3 @@
|
|||||||
|
{
|
||||||
|
"restrictBaseUrl": {{ matrix_synapse_admin_config_restrictBaseUrl | to_json }}
|
||||||
|
}
|
@ -30,6 +30,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
|
|||||||
-p {{ matrix_synapse_admin_container_http_host_bind_port }}:80 \
|
-p {{ matrix_synapse_admin_container_http_host_bind_port }}:80 \
|
||||||
{% endif %}
|
{% endif %}
|
||||||
--label-file={{ matrix_synapse_admin_base_path }}/labels \
|
--label-file={{ matrix_synapse_admin_base_path }}/labels \
|
||||||
|
--mount type=bind,src={{ matrix_synapse_admin_config_path }}/config.json,dst=/app/config.json,ro \
|
||||||
{% for arg in matrix_synapse_admin_container_extra_arguments %}
|
{% for arg in matrix_synapse_admin_container_extra_arguments %}
|
||||||
{{ arg }} \
|
{{ arg }} \
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|